🎯 MITRE ATT&CK: Tactic TA0011 – Command & Control: When Hackers Take the Wheel

  • Writer: bharat kumar
  • Oct 29
  • 2 min read

Updated: Oct 30

Once attackers infiltrate a network, they need a way to control compromised systems remotely — this is where Command and Control (C2) comes in. Through this channel, adversaries send commands, exfiltrate data, and pivot to other systems — all while staying under the radar.

⚙️ Types of Command & Control Techniques

  1. Application Layer Protocol (T1071)

    • Attackers use common web protocols like HTTP, HTTPS, or DNS to disguise C2 traffic as normal web communication.

    • 💡 Example: Using HTTPS traffic to talk to a malicious C2 server hidden in cloud services.

  2. Data Encoding / Obfuscation (T1132)

    • C2 data is encoded (e.g., Base64) so that detection tools inspecting the traffic do not recognise it.

    • 💡 Example: Command strings sent in Base64 to appear harmless in logs.

  3. Web Service (T1102)

    • Legitimate platforms (like Dropbox, Slack, or GitHub) are abused for communication.

    • 💡 Example: Attackers post commands to GitHub repositories or Slack channels.

  4. Remote Access Tools (T1219)

    • Uses tools like AnyDesk, TeamViewer, or custom RATs for persistent control.

    • 💡 Example: Using AnyDesk to control endpoints after phishing compromise.

  5. Protocol Tunneling (T1572)

    • C2 traffic is hidden within another protocol (like SSH or DNS).

    • 💡 Example: Tunneling C2 commands over DNS requests to bypass firewalls.

  6. Multi-Stage Channels (T1104)

    • Attackers set up layered or redundant C2 servers for resilience.

    • 💡 Example: Secondary fallback C2 domain activated when the primary is blocked.
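The encoded-subdomain pattern behind the T1132 and T1572 examples above can be spotted on the defender's side by looking at the DNS queries themselves. The following is an added example, not code from the original post: it parses a small, constructed DNS query log, scores each query on label length, character entropy and record type, and reports (client, domain) pairs that keep tripping those checks. The log lines, the thresholds and the domain `badexample.invalid` are all assumptions made for the example.

```python
# Added example (not from the original post): flag DNS queries whose
# subdomains look like encoded payloads, the pattern behind T1132 data
# encoding carried over DNS (T1071 / T1572 tunneling). Log lines,
# thresholds and the domain "badexample.invalid" are all constructed.
import math
from collections import Counter, defaultdict

# Constructed sample log: "<epoch> <client_ip> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
1698600000 10.0.0.5 A www.example.com
1698600001 10.0.0.5 A cdn.example.net
1698600002 10.0.0.7 TXT a3f9c1e7b2d4f6a8c0e1d3b5f7a9c2e4.updates.badexample.invalid
1698600003 10.0.0.7 TXT 9e2b7c4d1f0a6b3e8c5d2a7f4b1e9c6d.updates.badexample.invalid
1698600004 10.0.0.7 TXT c7d1a4f8e2b6c0d3a9f5e1b7d4c8a2f6.updates.badexample.invalid
1698600005 10.0.0.5 A mail.example.com
1698600006 10.0.0.7 TXT 5b8e2c6a9d1f4e7b0c3a6d9f2e5b8c1a.updates.badexample.invalid
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex tops out near 4.0, words sit around 2-3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_dns_log(text: str) -> list[dict]:
    """Parse the constructed four-column format into records; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": int(ts), "client": client,
                        "qtype": qtype.upper(),
                        "qname": qname.lower().rstrip(".")})
    return records


def registered_domain(qname: str) -> str:
    """Naive 'last two labels' cut; production code should use the Public Suffix List."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def score_query(rec: dict, entropy_threshold: float = 3.5, min_label_len: int = 20) -> list[str]:
    """Return the reasons a single query looks like encoded data, or [] if it looks benign."""
    reasons = []
    subdomain_labels = rec["qname"].split(".")[:-2]
    longest = max(subdomain_labels, key=len) if subdomain_labels else ""
    if len(longest) >= min_label_len:
        reasons.append("long_label")          # encoded chunks are long
    if longest and shannon_entropy(longest) >= entropy_threshold:
        reasons.append("high_entropy")        # and look random
    if rec["qtype"] in {"TXT", "NULL"}:
        reasons.append("uncommon_qtype")      # record types that carry free-form data
    return reasons


def find_suspicious_domains(text: str, min_hits: int = 3) -> dict:
    """Count flagged queries per (client, registered domain); report pairs at or above min_hits."""
    hits = defaultdict(int)
    for rec in parse_dns_log(text):
        if score_query(rec):
            hits[(rec["client"], registered_domain(rec["qname"]))] += 1
    return {pair: n for pair, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for (client, domain), n in find_suspicious_domains(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {domain}: {n} suspicious queries")
```

Counting hits per domain rather than alerting on single queries matters in practice: CDNs, anti-spam services and some cloud providers legitimately use long, random-looking labels, so a per-domain baseline and an allowlist are what keep the false-positive rate manageable.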

🚨 Real-World Example

🔹 Emotet Botnet: Used encrypted HTTPS communication with rotating domains for C2. Even after takedowns, the botnet revived using new servers and updated encryption — showcasing how adaptive C2 infrastructures can be.

🛡️ Recommendations & Defense Tips

1. Monitor Outbound Traffic: Set up network monitoring for unusual external connections and encrypted traffic patterns.

2. Use DNS Filtering & Proxy Logs: Inspect DNS requests for anomalies like random subdomains or uncommon patterns.

3. Implement Firewall Egress Controls: Restrict outbound communications to only known and necessary IPs/domains.

4. Use Behavioral Analytics: Detect beaconing or periodic callbacks typical of C2 channels.

5. Regular Threat Hunting: Search for encoded payloads, hidden tunnels, or unauthorized tools in logs.
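Tip 4 above, detecting the periodic callbacks typical of C2, is the one that lends itself most directly to a worked check. The block below is an added example, not code from the original post: it reads a constructed proxy log, builds a per (client, destination) timeline, and flags pairs whose inter-request intervals are nearly constant (low coefficient of variation), which is what a beacon with modest jitter looks like next to a human browsing session. The log lines, the thresholds and the host `c2.badexample.invalid` are assumptions made for the example.

```python
# Added example (not from the original post): find hosts that contact the
# same destination at near-constant intervals, the "beaconing" pattern that
# defense tip 4 refers to. The proxy log lines and the destination
# "c2.badexample.invalid" are constructed for the example.
import statistics
from collections import defaultdict

# Constructed proxy log: "<epoch> <client_ip> <dest_host>"
# 10.0.0.9 calls out roughly every 60 s (+/- 3 s jitter); 10.0.0.5 browses normally.
SAMPLE_PROXY_LOG = """\
1698600000 10.0.0.9 c2.badexample.invalid
1698600000 10.0.0.5 www.example.com
1698600005 10.0.0.5 www.example.com
1698600061 10.0.0.9 c2.badexample.invalid
1698600119 10.0.0.9 c2.badexample.invalid
1698600130 10.0.0.5 www.example.com
1698600131 10.0.0.5 www.example.com
1698600181 10.0.0.9 c2.badexample.invalid
1698600240 10.0.0.9 c2.badexample.invalid
1698600298 10.0.0.9 c2.badexample.invalid
1698600360 10.0.0.9 c2.badexample.invalid
1698600400 10.0.0.5 www.example.com
1698600402 10.0.0.5 www.example.com
1698600421 10.0.0.9 c2.badexample.invalid
1698601000 10.0.0.5 www.example.com
1698601010 10.0.0.5 www.example.com
1698601200 10.0.0.5 login.example.org
"""


def parse_proxy_log(text: str) -> list[tuple[int, str, str]]:
    """Parse the constructed three-column format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, dest = parts
        records.append((int(ts), client, dest.lower()))
    return records


def timeline_by_pair(records) -> dict[tuple[str, str], list[int]]:
    """Group timestamps by (client, destination) and sort them."""
    timelines = defaultdict(list)
    for ts, client, dest in records:
        timelines[(client, dest)].append(ts)
    return {pair: sorted(ts) for pair, ts in timelines.items()}


def beacon_score(timestamps: list[int]) -> tuple[float, float]:
    """Return (median interval, coefficient of variation) for a sorted timeline.

    A CV near 0 means the gaps are almost identical; human-driven traffic is bursty
    and produces a CV well above 1.  Needs at least three events (two intervals).
    """
    intervals = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(intervals) < 2:
        return (float("inf"), float("inf"))
    mean = statistics.mean(intervals)
    if mean <= 0:                      # all hits in the same second: not a beacon
        return (0.0, float("inf"))
    return (statistics.median(intervals), statistics.stdev(intervals) / mean)


def find_beacons(text: str, min_events: int = 6, max_cv: float = 0.2) -> dict:
    """Report (client, destination) pairs with enough events and a low-jitter cadence."""
    results = {}
    for pair, ts in timeline_by_pair(parse_proxy_log(text)).items():
        if len(ts) < min_events:
            continue
        median, cv = beacon_score(ts)
        if cv <= max_cv:
            results[pair] = {"events": len(ts),
                             "median_interval_s": median,
                             "cv": round(cv, 3)}
    return results


if __name__ == "__main__":
    for (client, dest), info in find_beacons(SAMPLE_PROXY_LOG).items():
        print(f"{client} -> {dest}: {info['events']} events, "
              f"~{info['median_interval_s']}s apart, cv={info['cv']}")
```

`max_cv` is the jitter tolerance: raise it to catch implants that randomise their sleep more aggressively, at the cost of more noise from software updaters and health checks, which beacon too and belong on an allowlist. Over a real day of logs, run the same scoring over sliding windows rather than the whole history, so a beacon that starts mid-day is not averaged away by earlier, unrelated traffic.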

💬 Final Thought: C2 activity is like a hacker’s lifeline inside your network. Cut it off — and you sever their control. Early detection and disciplined monitoring can make the difference between containment and catastrophe.

Created by and owned by cybersergeants.org