Corelight Introduces Command and Control Collection for Targeted Insights and Detections

Corelight, provider of the industry’s first open network detection and response (NDR) platform, launched the Corelight Command and Control Collection (C2) empowering threat hunters and security analysts with rich and actionable insights and detections for malware communication.

“Maintaining awareness of attackers and their communication channels is critical to effective network security,” said Vince Stoffer, Senior Director of Product Management for Corelight. “The ability to identify hidden command and control communication gives our customers the signals they need to disrupt the lifecycle of determined attackers. With Corelight’s data and detections, customers can quickly track down malware and attack tools in their networks, remediate them, and then verify that their systems are no longer compromised.”

Corelight’s C2 Collection builds on Corelight’s already extensive capabilities for analyzing malicious network traffic, including encrypted and hidden communication, by identifying C2 channels and techniques that indicate infection and malicious communication. The collection contains numerous packages developed by the Corelight Labs team focused on behavioral and statistical detection techniques. These packages deliver high-fidelity detections for known malware tools as well as highlight unknown C2 behaviors, allowing Corelight customers to uncover conventional and targeted malware communication.

Components of the collection include:

    • Detection of specific HTTP malware families (including Metasploit, Cobalt Strike, Powershell Empire and more)
    • Meterpreter Detection
    • DNS and ICMP tunneling
    • Domain Generated Algorithms (DGAs)
    • Encrypted DNS detection

In addition to the C2 content, the Corelight Encrypted Traffic Collection added a comprehensive set of new data and detections targeting the Remote Desktop Protocol (RDP). This new addition to Corelight’s encrypted traffic analysis provides specific insights into the authentication and behavior of RDP sessions, including alerts for brute forcing attacks and anomalous connections. The rich data allows security professionals to investigate incidents and do threat hunting based on session details of one of the most popular tools for initiating network attacks.

The C2 Collection is available in the Corelight version 21 update, which is now available to customers. This new version features a wide range of coverage across relevant MITRE ATT&CK C2 techniques including:

    • T1071 – Application Layer Protocol
    • T1572 – Protocol Tunneling
    • T1568 – Dynamic Resolution

“The Corelight C2 Collection originated through deep customer partnerships that have allowed us access to real world network environments,” said Dr. Vern Paxson, chief scientist and co-founder of Corelight and creator of Zeek. “With this data, we can now offer a collection of insights that will better inform our customers on the right steps to take in their threat hunting and in their security incident response.”

Corelight version 21 also integrates with Microsoft Sentinel, which was announced last week, and includes workbooks and dashboards, hunting queries, and analytic rules to help organizations drive efficient investigations and incident response.

In addition, the company launched the Corelight AP 5000, the industry’s first 100G Zeek® sensor for large NDR deployments at high-throughput data centers, large university network systems and other enterprises planning 100G interconnects. This 1U rack mountable appliance enables simultaneous creation of rich Zeek logs and Suricata alerts at ultra-high performance rates. Managed by Corelight Fleet Manager, the AP 5000 provides another option in the Corelight portfolio of sensors that enables customers to choose a sensor that best fits their needs.

Customers also now have the flexibility to purchase an ET Pro license from Corelight. The ET Pro license represents one of the most popular feeds for Suricata and delivers on a popular request from Corelight customers.


Corelight software version 21, the AP 5000 and the new ET Pro license are now available to customers. More information on today’s news can be found in the collections section and products section on the Corelight website.

Corelight has issued a blog post with more details on the technical benefits of the Corelight C2 Collection

Image licensed by

Related News:

WSJ Intelligence and Forcepoint Survey: CEOs and CISOs Doubling Down on Cybersecurity, Converged Approaches

Skybox Security Delivers Industry’s Most Advanced Exposure Analysis




About Author