CONTACT US
forrester wave report 2023

Forrester rates Corelight a strong performer

GET THE REPORT

ad-nav-crowdstrike

Corelight now powers CrowdStrike solutions and services

READ MORE

ad-images-nav_0013_IDS

Alerts, meet evidence.

LEARN MORE ABOUT OUR IDS SOLUTION

ad-images-nav_white-paper

5 Ways Corelight Data Helps Investigators Win

READ WHITE PAPER

glossary-icon

10 Considerations for Implementing an XDR Strategy

READ NOW

ad-images-nav_0006_Blog

Don't trust. Verify with evidence

READ BLOG

ad-nav-NDR-for-dummies

NDR for Dummies

GET THE WHITE PAPER

video

The Power of Open-Source Tools for Network Detection and Response

WATCH THE WEBCAST

ad-nav-ESG

The Evolving Role of NDR

DOWNLOAD THE REPORT

ad-images-nav_0006_Blog

Detecting 5 Current APTs without heavy lifting

READ BLOG

g2-medal-best-support-ndr-winter-2024

Network Detection and Response

SUPPORT OVERVIEW

 

C2 COLLECTION

Find command and control activity on your network.

READ WHITE PAPER

 

Corelight C2 Collection icon

FIND DGA, DNS, AND ICMP TUNNELING 

Is an attacker remotely controlling assets on your network? Corelight’s C2 Collection has the answers with over 50 unique insights and detections that illuminate command and control activity. Battle-tested by some of the world’s most sophisticated organizations, this collection covers known C2 toolkits and MITRE ATT&CK® C2 techniques to find novel attacks. Read about how to detect the Manjusaka C2 framework.

Corelight Collections are detection sets included with your Corelight subscription and can be activated depending on your needs.

  • Catch attacker tunnels camouflaged as normal traffic
  • Find Cobalt Strike, Empire, Metasploit, and other common tools
  • 50+ unique C2 detections and insights that enhance MITRE ATT&CK coverage

DOWNLOAD DATA SHEET GET A DEMO

Detections

HTTP C2
Detect known families of malware that conduct C2 communications over HTTP, such as Empire, Metasploit, and Cobalt Strike.

DNS tunneling
Detect DNS tunneling behavior as well as the presence of specific tunneling tools such as Iodine.

ICMP tunneling
Detect ICMP tunneling behavior as well as the presence of specific tunneling tools such as ICMP Shell.

Domain generation algorithms (DGAs)
Detect C2 traffic based on DNS activity from malware using domain generation algorithms.

Meterpreter
Detect C2 activity from Metasploit’s Meterpreter shell across HTTP and generic TCP/UDP traffic.

And more...
Over 50 additional insights and detections.

How it works

The C2 Collection offers over 50 insights and detections into HTTP C2 communications including tunneling and domain generation algorithms. It employs Zeek® to analyze behavioral characteristics of network traffic, and integrates the results into Corelight’s comprehensive suite of evidence and analytics.

how-works-c2

ANALYTICS

Corelight Collections

Collections are targeted categories of detections, inferences, and data transformation that provide deeper visibility into adversary activity. They cover encrypted traffic, command and control activity, entity activity, ICS/OT visibility, and more. Detections are viewable through Corelight Investigator, or via a SIEM, XDR, or other analytics platform.

corelight-technology-diagram-1

 

Have questions?

Talk with one of our experts today.

CONTACT US