Scan exported network logs for signs of known C2 frameworks before an incident escalates.
Add a CI step that fails a build if telemetry shows high severity C2 indicators.
Check TLS fingerprints and certificate quirks against a database of 20 known C2 tools.
Generate a SARIF or HTML report of findings to share with a security team.
| cognis-digital/c2detect | aaravkashyap12/advise-project-approach | abu-rayhan-alif/django-saas-kit | |
|---|---|---|---|
| Stars | 23 | 23 | 23 |
| Language | Python | Python | Python |
| Setup difficulty | easy | easy | moderate |
| Complexity | 2/5 | 2/5 | 3/5 |
| Audience | ops devops | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
C2detect is a command line tool that helps security defenders spot signs of command and control infrastructure, the kind of remote channel attackers use to control compromised machines. Instead of watching live network traffic, it reads telemetry or observation records you already have, such as exported logs, and checks them against a built in database of twenty known C2 tools including Cobalt Strike, Sliver, Mythic, Havoc, and Brute Ratel. It flags things like beaconing patterns, unusual TLS certificate fingerprints, and staging URLs that match known signatures. The tool is strictly defensive. It makes no network connections and has no offensive capability of its own. It reads files, a directory of logs, or piped input, then reports findings ranked by severity so the biggest risks show up first. Installation is done with pip, and the basic command scans a file or folder in seconds. Results can be printed as a table in the terminal or exported as JSON, SARIF, HTML, or a small status badge, which makes it easy to plug into automated workflows. A ready made GitHub Action can scan telemetry during continuous integration, post findings as comments on pull requests, and fail a build when results at or above a chosen severity are found. Detection relies on a mix of signals: TLS fingerprint types such as JA4 and JARM, timing patterns like beacon interval and jitter, default user agent strings, and quirks in certificate details that match known C2 frameworks. Each finding receives a confidence score, and the minimum threshold shown can be tuned. An optional AI assisted mode can be switched on for extra analysis, though the tool works fully without it using rule based checks alone. The project also ships ports of its core detection logic in JavaScript, Go, and Rust, so teams working in different languages can apply the same rules. It suits security and blue team engineers who want a lightweight, self hostable way to check for C2 activity without standing up heavy security infrastructure or an active scanning setup.
A defensive command line tool that scans logs and telemetry for signs of C2 malware infrastructure like Cobalt Strike or Sliver, no active scanning involved.
Mainly Python. The stack also includes Python, CLI, GitHub Actions.
Uses a custom license (COCL 1.0), check the repo's LICENSE file before commercial or redistribution use.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.