Command & Control (C2)
1 Global Definition
Command & Control (C2) is the stage in a cyberattack where an attacker establishes a communication channel between the compromised system and their own infrastructure. This channel allows attackers to send commands, receive data, deploy malware, or maintain persistence. C2 is a critical part of the post-exploitation stage in the cyber kill chain.
1.1 Key Concepts
- C2 Server: The remote infrastructure controlled by attackers to manage infected hosts.
- C2 Channel: The medium used for communication (e.g., HTTP, DNS, HTTPS, ICMP).
- Beaconing: Compromised hosts periodically contacting the C2 server to receive instructions.
- Callback: A one-time communication attempt made by malware to reach its C2.
- Persistence: Ensuring the compromised system continues to communicate even after reboot or cleanup attempts.
1.2 Communication Methods
- HTTP/HTTPS Tunneling: Hiding malicious traffic inside normal web traffic.
- DNS Tunneling: Using DNS requests/responses to transmit commands and data covertly.
- Peer-to-Peer (P2P): Bots communicate directly with each other, reducing reliance on a single server.
- Social Media / Cloud C2: Using platforms like Twitter, Slack, or GitHub as covert control channels.
- Custom Protocols: Attackers create unique, encrypted channels to avoid detection.
1.3 Tools & Frameworks
- Cobalt Strike: Commercial Red Teaming tool with advanced C2 capabilities.
- Metasploit: Open-source exploitation framework with built-in payloads for C2.
- Empire: Post-exploitation framework for PowerShell & Python agents.
- Covenant: C#-based C2 framework for modern Red Team operations.
- Custom Malware: Attackers often design proprietary backdoors to avoid detection.
1.4 Defense & Detection
- Deploy IDS/IPS to identify unusual traffic patterns.
- Use SIEM to correlate beaconing activity across hosts.
- Block outbound traffic to known malicious IPs/domains using threat intelligence feeds.
- Inspect encrypted traffic (SSL inspection) for hidden C2 channels.
- Apply network segmentation to limit attacker movement after compromise.
1.5 Why It Matters
C2 is the attackerβs lifeline: without it, malware is often useless. By disrupting C2 channels, defenders can cut off adversaries from their compromised hosts, preventing data theft, ransomware deployment, or further exploitation. For Red Teams, building realistic and stealthy C2 channels helps organizations test their detection and response capabilities.