Modern C2 almost always rides on HTTPS, DNS or legitimate services (Slack, Discord, GitHub, Telegram). The traffic looks normal at first glance. Only timing patterns, encryption fingerprints (JA3/JA4), domain attributes (recently registered, DGA) or anomalous volume give it away.
What C2 is
C2 (Command and Control), also written C&C, is the infrastructure an attacker uses to send instructions to compromised systems inside a victim's network and receive data back. An implant or malware installed on an endpoint establishes a periodic outbound connection to an attacker-controlled C2 server, receives instructions (run commands, download tools, exfiltrate data) and returns results. It is one of the critical stages in any attack chain and appears as tactic TA0011 in MITRE ATT&CK, with associated techniques such as T1071 (Application Layer Protocol) and T1568 (Dynamic Resolution).
Why it matters
Detecting C2 is often the last opportunity to cut an attack before it causes significant damage. The malware is already inside: perimeter defenses didn't stop it and the endpoint didn't detect it at execution. But the attacker needs outbound communication to do anything useful — and that communication can be detected if you know what to look for. For a SOC, anti-C2 techniques are a key defensive layer. For a threat hunting team, hypotheses based on C2 patterns are among the most productive. Under NIS2 and DORA, demonstrating the ability to detect C2 traffic hidden in HTTPS or DNS is one of the things a modern auditor expects to see evidenced.
Key points
Two modes: pull (the implant queries the C2 periodically with beacons) and push (the C2 keeps a persistent connection). Beacons are most common because they survive NAT, firewalls and mobile networks.
Popular offensive frameworks like Cobalt Strike, Sliver, Mythic, Empire and Brute Ratel produce recognizable C2 patterns. JA3/JA4 fingerprints, self-signed certificates and User-Agents are classic indicators — though experienced operators tweak them.
Effective detection combines NDR (network patterns), EDR (processes opening unusual connections) and threat intelligence (IPs and domains from active campaigns).
Example: DNS-based C2 detection
An implant on a corporate endpoint uses DNS instead of HTTPS for C2. It encodes exfiltrated data into long subdomains queried against an attacker-controlled DNS server (e.g., "aGVsbG8K.exfil.attacker.com"). At first glance not suspicious — just DNS traffic that any endpoint generates. But a well-calibrated NDR spots the pattern: low-reputation second-level domain, anomalous query volume toward it, subdomains with high entropy (typical of encoded data). The SOC validates the suspicion, identifies the source endpoint, isolates it via EDR and triggers incident response. Without behavior-based detection on DNS, this C2 would have continued for months.
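The pattern the NDR spots above can be checked with a few lines over a DNS query log. The following is an added example, not code from the original page or from any product it describes; the query records, addresses and thresholds are constructed for illustration, and the second-level-domain split is a deliberate simplification (last two labels, no public suffix list).

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query records (client, queried name), shaped like a resolver
# or NDR export. Every name and address here is made up for this example.
SAMPLE_QUERIES = [
    ("10.0.0.12", "aGVsbG8K.exfil.attacker.com"),
    ("10.0.0.12", "d29ybGQK.exfil.attacker.com"),
    ("10.0.0.12", "c2VjcmV0cGFzcw.exfil.attacker.com"),
    ("10.0.0.12", "ZGF0YTEyMzQ1Ng.exfil.attacker.com"),
    ("10.0.0.12", "ZmluYWxjaHVuaw.exfil.attacker.com"),
] + [("10.0.0.7", "api.example.com")] * 6  # chatty but benign: one fixed name

def shannon_entropy(text: str) -> float:
    """Bits per character: 0 for a repeated char, ~3-4 for base64/hex data."""
    n = len(text)
    if not n:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def split_name(name: str):
    """(second-level domain, subdomain labels). Assumption: the registrable
    domain is the last two labels; use the public suffix list in production.
    Case is kept on the labels because base64-encoded data relies on it."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]).lower(), labels[:-2]

def find_dns_c2_candidates(queries, min_queries=5, entropy_threshold=3.0,
                           min_label_len=8, min_unique_ratio=0.8):
    """Group queries per (client, SLD) and flag the tunnelling pattern from the
    text: many queries to one domain, nearly every subdomain unique, long
    high-entropy leftmost labels (encoded data). Thresholds need local tuning."""
    groups = defaultdict(list)
    for client, name in queries:
        sld, subs = split_name(name)
        if subs:
            groups[(client, sld)].append(subs[0])
    findings = {}
    for key, labels in groups.items():
        if len(labels) < min_queries:
            continue
        unique_ratio = len(set(labels)) / len(labels)
        avg_entropy = sum(shannon_entropy(lab) for lab in labels) / len(labels)
        avg_len = sum(len(lab) for lab in labels) / len(labels)
        if (unique_ratio >= min_unique_ratio and avg_entropy >= entropy_threshold
                and avg_len >= min_label_len):
            findings[key] = {"queries": len(labels),
                             "avg_entropy": round(avg_entropy, 2),
                             "avg_label_len": round(avg_len, 1)}
    return findings
```

Run on the sample, the endpoint 10.0.0.12 is reported for attacker.com while the equally chatty but repetitive api.example.com traffic from 10.0.0.7 is not; in a real deployment the result set is the hunting lead that the SOC then validates with domain reputation and EDR context.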
Common mistakes
- Relying on perimeter blocking of 'known malicious' domains. Attackers register new domains daily; blocklists only cover what someone has already reported.
- Not inspecting DNS and HTTPS traffic. The 'it's encrypted, can't see it' argument is false: content is encrypted, but metadata (domain, TLS fingerprint, timing, volume) is enough to detect most C2.
- Treating each C2 finding as an isolated incident. A beacon to one domain may be the first sign of a campaign that has already touched more endpoints. Response requires lateral movement hunts and checks for other implants in the environment.
- Not testing the detection capability. A red team exercise or simulation with known frameworks (Cobalt Strike, Sliver) is the only realistic way to know whether the SOC will detect the next real C2.
Frequently asked questions
Why do attackers use C2 instead of acting autonomously?
Because it gives them operational flexibility. They can decide what to do on each compromised system based on its value: just gather information on one, exfiltrate data on another, deploy ransomware on a third. Without C2, everything the malware does must be hardcoded in advance, which limits operations and increases the detectable footprint.
Can all C2 traffic be blocked?
Not realistically. Attackers can hide C2 in legitimate services (GitHub, Discord, AWS, Cloudflare) that cannot be blocked without breaking the business. The current approach is behavior-based detection rather than blocking, combined with segmentation that limits impact when a connection is established.
How does C2 map to MITRE ATT&CK?
C2 is tactic TA0011 in the MITRE ATT&CK Enterprise matrix. The most relevant techniques are T1071 (Application Layer Protocol), T1568 (Dynamic Resolution), T1573 (Encrypted Channel) and T1090 (Proxy). Mapping defensive coverage against these techniques is one of the most useful exercises a SOC can do.