explaingit

cognis-digital/c2detect

Analysis updated 2026-05-18

23PythonAudience · ops devopsComplexity · 2/5Setup · easy

TLDR

A defensive command line tool that scans logs and telemetry for signs of C2 malware infrastructure like Cobalt Strike or Sliver, no active scanning involved.

Mindmap

mindmap
  root((c2detect))
    What it does
      Scans telemetry
      Flags beaconing
      Matches signatures
    Tech stack
      Python
      CLI
      GitHub Action
    Use cases
      CI security gate
      Log triage
      SOC investigation
    Audience
      Blue team
      DevOps
      Security engineers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Scan exported network logs for signs of known C2 frameworks before an incident escalates.

USE CASE 2

Add a CI step that fails a build if telemetry shows high severity C2 indicators.

USE CASE 3

Check TLS fingerprints and certificate quirks against a database of 20 known C2 tools.

USE CASE 4

Generate a SARIF or HTML report of findings to share with a security team.

What is it built with?

PythonCLIGitHub ActionsSARIFJavaScriptGoRust

How does it compare?

cognis-digital/c2detectaaravkashyap12/advise-project-approachabu-rayhan-alif/django-saas-kit
Stars232323
LanguagePythonPythonPython
Setup difficultyeasyeasymoderate
Complexity2/52/53/5
Audienceops devopsdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min
Uses a custom license (COCL 1.0), check the repo's LICENSE file before commercial or redistribution use.

In plain English

C2detect is a command line tool that helps security defenders spot signs of command and control infrastructure, the kind of remote channel attackers use to control compromised machines. Instead of watching live network traffic, it reads telemetry or observation records you already have, such as exported logs, and checks them against a built in database of twenty known C2 tools including Cobalt Strike, Sliver, Mythic, Havoc, and Brute Ratel. It flags things like beaconing patterns, unusual TLS certificate fingerprints, and staging URLs that match known signatures. The tool is strictly defensive. It makes no network connections and has no offensive capability of its own. It reads files, a directory of logs, or piped input, then reports findings ranked by severity so the biggest risks show up first. Installation is done with pip, and the basic command scans a file or folder in seconds. Results can be printed as a table in the terminal or exported as JSON, SARIF, HTML, or a small status badge, which makes it easy to plug into automated workflows. A ready made GitHub Action can scan telemetry during continuous integration, post findings as comments on pull requests, and fail a build when results at or above a chosen severity are found. Detection relies on a mix of signals: TLS fingerprint types such as JA4 and JARM, timing patterns like beacon interval and jitter, default user agent strings, and quirks in certificate details that match known C2 frameworks. Each finding receives a confidence score, and the minimum threshold shown can be tuned. An optional AI assisted mode can be switched on for extra analysis, though the tool works fully without it using rule based checks alone. The project also ships ports of its core detection logic in JavaScript, Go, and Rust, so teams working in different languages can apply the same rules. It suits security and blue team engineers who want a lightweight, self hostable way to check for C2 activity without standing up heavy security infrastructure or an active scanning setup.

Copy-paste prompts

Prompt 1
Show me how to install c2detect and scan a directory of log files for C2 indicators.
Prompt 2
Write a GitHub Actions workflow that runs c2detect on telemetry files and fails the build on high severity findings.
Prompt 3
Explain what JA4 and JARM TLS fingerprints are and how c2detect uses them.
Prompt 4
Help me interpret a c2detect JSON report and prioritize which findings to investigate first.

Frequently asked questions

What is c2detect?

A defensive command line tool that scans logs and telemetry for signs of C2 malware infrastructure like Cobalt Strike or Sliver, no active scanning involved.

What language is c2detect written in?

Mainly Python. The stack also includes Python, CLI, GitHub Actions.

What license does c2detect use?

Uses a custom license (COCL 1.0), check the repo's LICENSE file before commercial or redistribution use.

How hard is c2detect to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is c2detect for?

Mainly ops devops.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.