Corelight C2 Collection is a detection set that identifies command and control activity on networks. The collection provides over 50 unique insights and detections designed to uncover C2 communications and techniques aligned with MITRE ATT&CK framework. The product detects known C2 toolkits including Cobalt Strike, Empire, Metasploit, and Meterpreter. It identifies HTTP-based C2 communications from various malware families. The collection detects DNS tunneling behavior and specific tunneling tools such as Iodine. It also identifies ICMP tunneling activity and tools like ICMP Shell. The product detects domain generation algorithms (DGAs) used by malware for C2 traffic through DNS activity analysis. It identifies Meterpreter C2 activity across HTTP and generic TCP/UDP traffic. The collection employs Zeek network analysis framework to examine behavioral characteristics of network traffic. It analyzes traffic patterns to detect attacker tunnels that may be camouflaged as normal network communications. Corelight C2 Collection is included with Corelight subscriptions and can be activated based on organizational needs. The detections integrate with Corelight's evidence and analytics suite.