
Command and Control (C2)

The infrastructure and communication channels used by an attacker to remotely control compromised systems and exfiltrate data.

What is Command and Control?

Command and Control (C2, C&C) is the infrastructure and communication protocols through which an attacker maintains remote control over compromised systems (implants, backdoors, bots). The C2 channel enables issuing commands, downloading additional tools, exfiltrating data and updating malicious software.

Modern C2 infrastructure is designed to be difficult to detect and block. Attackers encrypt the channel (HTTPS, DNS over HTTPS), hide C2 traffic inside legitimate protocols (DNS tunnelling, HTTP/S to legitimate-looking domains), use domain fronting (routing through CDNs to hide the true communication target), communicate through legitimate services (Slack, Discord, OneDrive, GitHub) and rotate domains rapidly (DGA, Domain Generation Algorithm).

C2 tools used by red teams and penetration testers (Cobalt Strike, Sliver, Mythic, Havoc) replicate the capabilities of real attackers and enable testing an organisation’s ability to detect C2 communication. Unfortunately, many of these tools are also used by actual criminals.

Why does it matter?

Blocking or detecting C2 communication is one of the most effective ways to neutralise an attack - without a connection to the C2 infrastructure, the attacker loses control over compromised systems. C2 detection requires network traffic analysis (NDR), correlation with threat intelligence feeds, DNS analysis and monitoring for unusual communication patterns.
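Two of the detection approaches named above, DNS analysis and monitoring for unusual communication patterns, can be illustrated with simple heuristics. The script below is an added example written for this page, not code from the original article or from any named C2 or NDR product. It runs two checks over constructed log samples: a DNS-tunnelling heuristic (many unique, long, high-entropy subdomains of one zone from one client) and a beaconing heuristic (a client contacting one host at near-constant intervals, measured as the coefficient of variation of the gaps between requests). All IP addresses, host names, timestamps and thresholds are constructed; the .test TLD is reserved and never resolves.

```python
"""Two C2-detection heuristics over constructed log samples (added example,
not the article's code). Hosts, IPs, timestamps and thresholds are made up."""
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed DNS resolver log: "<timestamp> <client ip> <query name>".
DNS_LOG = """\
2024-05-01T10:00:01 10.0.0.5 www.example.com
2024-05-01T10:00:02 10.0.0.5 mail.example.com
2024-05-01T10:00:03 10.0.0.7 4f9a2c7e1b8d6f0a5c9e2b4d7f1a3c8e.c2-example.test
2024-05-01T10:00:09 10.0.0.5 cdn.example.com
2024-05-01T10:00:33 10.0.0.7 9e1c5a7f3b0d8e2a6c4f1b9d7e3a5c0f.c2-example.test
2024-05-01T10:01:03 10.0.0.7 a2d7f0b5e8c3a6f1d9b4e7c0a5f2d8b3.c2-example.test
2024-05-01T10:01:10 10.0.0.9 api.example.com
2024-05-01T10:01:33 10.0.0.7 7c3e9a1f5d0b8e4a2c6f9d1b7e3a0c5f.c2-example.test
"""

# Constructed web-proxy log: "<timestamp> <client ip> <destination host>".
PROXY_LOG = """\
2024-05-01T10:00:00 10.0.0.7 cdn-sync.c2-example.test
2024-05-01T10:00:05 10.0.0.5 www.example.com
2024-05-01T10:00:07 10.0.0.5 www.example.com
2024-05-01T10:01:01 10.0.0.7 cdn-sync.c2-example.test
2024-05-01T10:01:59 10.0.0.7 cdn-sync.c2-example.test
2024-05-01T10:03:00 10.0.0.7 cdn-sync.c2-example.test
2024-05-01T10:03:40 10.0.0.5 www.example.com
2024-05-01T10:03:41 10.0.0.5 www.example.com
2024-05-01T10:04:02 10.0.0.7 cdn-sync.c2-example.test
2024-05-01T10:04:58 10.0.0.7 cdn-sync.c2-example.test
2024-05-01T10:09:12 10.0.0.5 www.example.com
2024-05-01T10:10:00 10.0.0.9 api.example.com
2024-05-01T10:15:00 10.0.0.5 www.example.com
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads score high, dictionary words low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    """Yield (timestamp, client, name) triples from a three-column log."""
    for line in text.splitlines():
        ts, client, name = line.split()
        yield datetime.fromisoformat(ts), client, name


def dns_tunnel_candidates(log: str, min_len=20, min_entropy=3.0, min_queries=3):
    """Flag (client, zone) pairs sending many long, random-looking subdomains.
    Tunnelling encodes data in the query name, so labels below the zone are
    long, high-entropy and unique per query. The zone is approximated as the
    last two labels; a real tool would consult the public suffix list."""
    subdomains = defaultdict(set)
    for _ts, client, qname in parse_log(log):
        labels = qname.split(".")
        if len(labels) < 3:
            continue
        zone = ".".join(labels[-2:])
        subdomains[(client, zone)].add(".".join(labels[:-2]))
    flagged = set()
    for key, subs in subdomains.items():
        if len(subs) < min_queries:
            continue
        mean_len = statistics.mean(len(s) for s in subs)
        mean_ent = statistics.mean(shannon_entropy(s) for s in subs)
        if mean_len >= min_len and mean_ent >= min_entropy:
            flagged.add(key)
    return flagged


def beacon_candidates(log: str, min_requests=5, max_jitter=0.1):
    """Flag (client, host) pairs contacted on a near-constant period.
    Implants check in on a timer; even with added jitter the coefficient of
    variation (stdev / mean) of the gaps stays well below human browsing."""
    times = defaultdict(list)
    for ts, client, host in parse_log(log):
        times[(client, host)].append(ts)
    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged[key] = round(mean, 1)  # mean check-in period in seconds
    return flagged


if __name__ == "__main__":
    print("DNS tunnelling candidates:", dns_tunnel_candidates(DNS_LOG))
    print("Beaconing candidates (period s):", beacon_candidates(PROXY_LOG))
```

Both heuristics produce leads, not verdicts: a CDN health check or an update agent also beacons, and some legitimate services put hashes in DNS labels. In practice the flagged pairs are correlated with threat-intelligence feeds, TLS certificate and JA3 data, and process telemetry on the client before an analyst acts on them, which is the correlation step the paragraph above describes.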

Need help in this area?

Our experts will help you assess the risk and plan next steps.

Talk to an expert: +48 22 292 32 23