╔══════════════════════════════════════════════════════════════╗
║ C2-Profiler — C2 Framework Fingerprinter                     ║
║ Beacon · URI · JA3 · Headers · DNS · Classification          ║
║ Author: mazen91111 (parasite911) · Threat Intel              ║
╚══════════════════════════════════════════════════════════════╝
Identifies C2 framework communications from network traffic (PCAP).
Detects Cobalt Strike, Metasploit, Sliver, Havoc, Covenant, and Brute Ratel C4
through beacon interval analysis, URI pattern matching, JA3 fingerprints, and HTTP header profiling.
| Technique | Weight | Description |
|---|---|---|
| Beacon Interval | 20pts | Detect periodic callback patterns + jitter analysis |
| URI Pattern | 15pts | Match known C2 URI structures (regex-based) |
| User-Agent | 10pts | Identify default/known C2 User-Agent strings |
| HTTP Headers | 8pts | Detect anomalous header combinations |
| JA3 Fingerprint | 25pts | TLS Client Hello fingerprint matching |
| Port Profile | 5pts | Match against known C2 default ports |
| Framework | Type | Default Ports |
|---|---|---|
| 🔴 Cobalt Strike | Commercial Red Team | 80, 443, 8080, 50050 |
| 🟠 Metasploit Meterpreter | Open-Source | 4444, 4443, 8080 |
| 🟢 Sliver C2 | Open-Source (BishopFox) | 443, 8888, 31337 |
| 🟣 Havoc C2 | Modern Post-Exploitation | 443, 8443, 40056 |
| 🔵 Covenant / Grunt | .NET-based C2 | 80, 443, 7443 |
| ⚫ Brute Ratel C4 | Advanced Red Team | 443, 8443 |
```bash
git clone https://github.com/mazen91111/C2-Profiler.git
cd C2-Profiler
pip install -r requirements.txt
```

```bash
# Analyze a PCAP file for C2 traffic
python c2_profiler.py -f capture.pcap

# List all known C2 signatures in the database
python c2_profiler.py -f dummy --list-c2

# Show only the top 3 results
python c2_profiler.py -f suspicious_traffic.pcap --top-n 3
```

Sample report:

```text
══════════════════════════════════════════════════════════════════════════
📡 C2-Profiler — Command & Control Detection Report
══════════════════════════════════════════════════════════════════════════
PCAP File     : suspicious_traffic.pcap
Total Packets : 12,847
HTTP Requests : 342
Destinations  : 8

[ BEACON ANALYSIS ]
──────────────────────────────────────────────────────────────────────
→ 192.168.1.50:443   interval=60.0s  jitter=12%  callbacks=47
→ 10.0.0.15:8080     interval=30.2s  jitter=5%   callbacks=23

[ C2 FRAMEWORK IDENTIFICATION ]
──────────────────────────────────────────────────────────────────────
83% [███████████████████████████░░░░░░] Cobalt Strike
    Commercial adversary simulation framework (Team Server + Beacon)
    MITRE: T1071.001 | Target: 192.168.1.50:443
    ✓ URI:/submit.php?id= ← /submit\.php\?id=
    ✓ UA:Mozilla/5.0 (compatible; MSIE 9.0)
    ✓ BEACON:median=60.0s
    ✓ JITTER:12%
    ✓ PORT:443

45% [███████████████░░░░░░░░░░░░░░░░░░] Sliver C2
    Open-source C2 by BishopFox
    ✓ URI:/abcdefghij.woff
    ✓ PORT:443
```
- Load PCAP → Parse all packets with Scapy
- Extract HTTP → Pull method, URI, headers from Raw TCP payloads
- Beacon Detection → Calculate inter-request intervals per destination, measure jitter
- JA3 Fingerprinting → Hash TLS Client Hello parameters
- Pattern Matching → Score traffic against 6 C2 signature profiles
- Confidence Scoring → Weighted multi-indicator scoring (0-100%)
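The per-destination beacon analysis and the weighted scoring from the pipeline above, written out as a stand-alone Python example (added here; it is not C2-Profiler's own code). It works on requests already extracted from a capture as `(timestamp, dst_ip, dst_port, uri, user_agent)` tuples, so it runs without Scapy or a PCAP. The sample traffic, the signature profile and the jitter definition (median absolute deviation of the inter-request intervals over the median interval) are constructed for the illustration; the weights are the ones in the scoring table above, with their sum taken as the 100% mark.

```python
"""Beacon-interval analysis and weighted indicator scoring.

Added example, not C2-Profiler's own code. Works on requests already
extracted from a capture as (timestamp, dst_ip, dst_port, uri, user_agent)
tuples, so it runs without Scapy or a PCAP. Signature profile, jitter
definition and sample traffic are constructed for this illustration.
"""
import re
from collections import defaultdict
from statistics import median

# Weights from the README scoring table; their sum (83) is taken as 100%.
WEIGHTS = {"beacon": 20, "uri": 15, "ua": 10, "headers": 8, "ja3": 25, "port": 5}
MAX_SCORE = sum(WEIGHTS.values())

# Constructed profile (illustrative; not the tool's signature database).
PROFILE = {
    "name": "Cobalt Strike (example profile)",
    "uri": re.compile(r"/submit\.php\?id="),
    "ua": "Mozilla/5.0 (compatible; MSIE 9.0)",
    "ports": {80, 443, 8080, 50050},
}

# Constructed traffic: an ~60 s beacon with small jitter to one host, and
# bursty browsing-like requests to another host on the same port.
BEACON_TS = [0, 60, 117, 180, 238, 300, 355, 420, 480, 539, 600]
BURSTY_TS = [0, 2, 302, 317, 318, 1218]
REQUESTS = (
    [(t, "192.168.1.50", 443, "/submit.php?id=1234", PROFILE["ua"]) for t in BEACON_TS]
    + [(t, "203.0.113.7", 443, "/static/app.js", "Mozilla/5.0 Firefox") for t in BURSTY_TS]
)


def beacon_stats(timestamps, min_callbacks=5):
    """Median inter-request interval and jitter (%) for one destination.

    Jitter is the median absolute deviation of the intervals over the median
    interval, so one missed or retried callback does not blow up the figure
    the way a min/max spread would.
    """
    if len(timestamps) < min_callbacks:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    if med <= 0:
        return None
    mad = median(abs(g - med) for g in gaps)
    return {"median": med, "jitter_pct": round(100 * mad / med, 1), "callbacks": len(ts)}


def find_beacons(requests, max_jitter_pct=40.0, min_callbacks=5):
    """Return {(dst_ip, dst_port): stats} for destinations whose traffic is periodic."""
    by_dst = defaultdict(list)
    for ts, dst, port, _uri, _ua in requests:
        by_dst[(dst, port)].append(ts)
    found = {}
    for key, ts in by_dst.items():
        stats = beacon_stats(ts, min_callbacks)
        if stats and stats["jitter_pct"] <= max_jitter_pct:
            found[key] = stats
    return found


def score_destination(requests, dst, port, beacon, profile=PROFILE):
    """Weighted multi-indicator confidence (0-100) for one destination.

    Header and JA3 indicators cannot be derived from the tuple format used
    here, so they always count as misses and cap the reachable score.
    """
    hits = dict.fromkeys(WEIGHTS, False)
    hits["beacon"] = beacon is not None
    hits["port"] = port in profile["ports"]
    for _ts, d, p, uri, ua in requests:
        if (d, p) == (dst, port):
            hits["uri"] |= bool(profile["uri"].search(uri))
            hits["ua"] |= ua == profile["ua"]
    score = sum(WEIGHTS[k] for k, hit in hits.items() if hit)
    return round(100 * score / MAX_SCORE), hits


if __name__ == "__main__":
    beacons = find_beacons(REQUESTS)
    for (dst, port), stats in beacons.items():
        print(f"-> {dst}:{port} interval={stats['median']:.1f}s "
              f"jitter={stats['jitter_pct']}% callbacks={stats['callbacks']}")
        pct, hits = score_destination(REQUESTS, dst, port, stats)
        print(f"   {pct}% {PROFILE['name']}  matched: "
              + ", ".join(k.upper() for k, h in hits.items() if h))
```

Two points worth carrying over to real captures: the jitter threshold and minimum callback count decide the false-positive rate (polling web apps and update checkers are also periodic), so tune them against known-benign traffic; and an indicator that cannot be evaluated scores zero rather than being skipped, so a destination with only URI and port matches cannot reach the confidence of one that also shows periodic callbacks.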
Mazen — @mazen91111
Threat Intelligence | Network Forensics | Red Team Detection
For authorized threat hunting and security research ONLY.
Analyze only traffic you have authorization to inspect.
MIT License