
C2Detector

C2Detector: DFIR tool that extracts C2 traffic from PCAP files

C2Detector parses offline .pcap/.pcapng captures, extracts HTTP/TLS metadata and looks for known C2 patterns from the Havoc and Nimplant frameworks. It can automatically recover AES keys, decrypt the traffic, and output a Markdown report plus CSV indexes of suspicious flows and carved artifacts. The tool is aimed at incident responders and DFIR analysts who need quick triage of captures from compromised networks. Compared to generic packet analyzers, it offers ready-made decryption for these specific C2 families, saving the manual key-hunting work.


hhoangsonnw/C2Detector