C2 Collection

The Corelight C2 Collection helps you find command and control activity with over 50 unique insights and detections. Battle-tested by some of the world’s most sophisticated organizations, this collection covers both known C2 toolkits and MITRE ATT&CK C2 techniques to find novel attacks.

Detections

HTTP C2

Detect known families of malware that conduct C2 communications over HTTP, such as PowerShell Empire and Cobalt Strike

DNS tunneling

Detect DNS tunneling behavior as well as the presence of specific tunneling tools, such as iodine

ICMP tunneling

Detect ICMP tunneling behavior as well as the presence of specific tunneling tools, such as ICMP Shell

Domain generation algorithms

Detect C2 traffic based on the DNS activity of malware that uses Domain Generation Algorithms (DGAs)

Meterpreter

Detect C2 activity from Metasploit’s Meterpreter shell across HTTP and generic TCP/UDP traffic

And more...

Over 50 additional insights and detections

For more detailed information about the Corelight C2 Collection, please contact us.
