
C2 Collection

The Corelight C2 Collection helps you find command and control activity with over 50 unique insights and detections. Battle-tested by some of the world’s most sophisticated organizations, this collection covers both known C2 toolkits and MITRE ATT&CK C2 techniques to find novel attacks.


Detections

HTTP C2

Detect known families of malware that conduct C2 communications over HTTP, such as PowerShell Empire and Cobalt Strike.

DNS tunneling

Detect DNS tunneling behavior as well as the presence of specific tunneling tools such as iodine.

ICMP tunneling

Detect ICMP tunneling behavior as well as the presence of specific tunneling tools such as ICMP Shell.

Domain generation algorithms

Detect C2 traffic based on the DNS activity of malware that uses Domain Generation Algorithms.

Meterpreter

Detect C2 activity from Metasploit’s Meterpreter shell across HTTP and generic TCP/UDP traffic.

And more...

Over 50 additional insights and detections.

For more detailed information about the Corelight C2 Collection, please contact us.

See a short demo:

How to catch C2 activity on your network (SANS broadcast, May 25th)