Skip to Content

Cybersecurity Knowledge Base

CyberPedia


Your essential guide to cybersecurity threats, attacks, and defenses. Understand the risks. Protect your business.

Command and Control (C2)

Overview

Command and Control (C2) is the communication channel that attackers use to remotely control compromised systems, send instructions, and receive data back. In plain terms: C2 is the “remote control and headquarters” that lets an attacker manage infected devices over time.

What Command and Control Involves

When an attack uses C2, the adversary typically:

  • Installs malware or an agent on victim systems that can reach out to attacker-controlled infrastructure.

  • Establishes a persistent communication path so those systems periodically check in for tasks or configuration updates.

  • Uses that channel to issue commands, move laterally, exfiltrate data, and update tools during the lifecycle of the intrusion.

Common C2 Channels and Techniques

Attackers can build C2 in many ways, for example:

  • Direct IP or domain-based C2

    • Infected hosts connect to hard-coded IPs or domains over protocols like HTTP(S), TCP, or custom binary protocols.

  • Web and cloud services abuse

    • Using legitimate platforms (for example, paste sites, cloud storage, chat APIs, or SaaS apps) as C2 relays so traffic blends with normal internet use.

  • DNS-based C2

    • Encoding commands or data inside DNS queries and responses, which often bypass strict outbound filtering.

  • Peer-to-peer (P2P) C2

    • Bots communicate with each other instead of a single central server, improving resilience if some nodes are taken down.

  • Encrypted and covert channels

    • Wrapping C2 traffic in TLS or hiding it inside other protocols and formats to evade detection and inspection.

Why C2 Is Critical for Attackers

C2 is important because it:

  • Turns a one-time exploit into an ongoing operation

    • Once C2 is in place, attackers can revisit the environment, adjust tactics, and react to defender actions.

  • Enables coordination and scaling

    • A single operator can manage many compromised hosts (for example, a botnet or multiple footholds in one network).

  • Supports all later stages of attack

    • C2 underpins reconnaissance, lateral movement, data collection, exfiltration, and sometimes deployment of ransomware or wipers.

Business Impact

If C2 channels are active in an environment:

  • Attackers can continue to issue commands, steal data, and deploy new malware even after some indicators are removed.

  • Sensitive information may be exfiltrated over time, not just in a single large transfer.

  • Ransomware or destructive payloads can be triggered on demand, increasing pressure and potential damage.

  • Incident response becomes more complex because defenders must identify and cut off all C2 paths, not just remove endpoints’ malware.

Key Protections (Plain-Language)

To defend against C2:

  • Monitor outbound network traffic closely

    • Look for unusual destinations, patterns, or protocols, including rare domains, odd DNS activity, or atypical HTTPS usage.

  • Use layered detection on endpoints and network

    • Combine endpoint telemetry (suspicious processes, beaconing behavior) with network analytics and threat intelligence.

  • Restrict and segment egress

    • Limit which systems can reach the internet and what protocols/ports they can use; apply proxying and egress filtering.

  • Block known bad infrastructure

    • Regularly update blocklists of malicious domains, IPs, and certificates, while recognizing that advanced actors may rotate quickly.

  • Plan for containment of active C2

    • When C2 is detected, coordinate host isolation, credential resets, and network changes so attackers cannot simply reestablish control.