About C2_10a (T1071.001) Detected on the server

Thank you for reaching out to the community forum.

Regarding this detection, you may refer to those documents regarding this and to how the naming convention has been given to those detections. 

Thanks for your reply. I read the content of the article and it shows that it is based on behavior analysis detection, but isn't c&c detection done by ips?

Will behavioral analysis detect network traffic?

The behavioral C2 detections are made by our behavioral engine. The behavioral engine draws signals from multiple product components, including file analysis, process activity, script activity, online lookups, and other sources. In this case, the reputation of the URL being looked up would have been a factor in the detection.

The last section of this knowledgebase article can help you identify more info about the specific detection.

hello, as mentioned in the article, the detection of C2 will not prevent, but will trigger a memory scan, and if the memory scan is determined to be malicious, it will be cleaned. I am curious, why did c2 not immediately block the connection and prompt? Or, why is c2 not detected? If the memory scan is secure, isn't it a successful hack? If you indicate at the c2 connection stage, we can make up the payment even if the memory scan miss

hello, as mentioned in the article, the detection of C2 will not prevent, but will trigger a memory scan, and if the memory scan is determined to be malicious, it will be cleaned. I am curious, why did c2 not immediately block the connection and prompt? Or, why is c2 not detected? If the memory scan is secure, isn't it a successful hack? If you indicate at the c2 connection stage, we can make up the payment even if the memory scan miss

I could be wrong, but I believe this is true only for the C2/Generic detections. For "Malicious behavior detected C2_," I think the process is stopped automatically.