Command and Control (C2)
What is Command and Control (C2)?
Command and Control (C2): The infrastructure and channels attackers use to maintain communication with compromised systems and send them instructions.
Command and control (C2 or C&C) refers to the servers, protocols, and traffic patterns that let an attacker manage implanted malware after initial compromise. C2 channels deliver commands, retrieve stolen data, push new payloads, and coordinate multi-host operations. Operators use HTTP(S), DNS tunnelling, messaging apps, social-media accounts, cloud APIs and even legitimate SaaS platforms to blend in. To stay resilient they employ domain generation algorithms (DGAs), fast-flux DNS, redirectors and encrypted protocols. Defences include egress filtering, DNS analytics, TLS inspection where lawful, network detection and response (NDR), and disrupting C2 via takedowns or sinkholing.
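The "DNS analytics" defence mentioned above can be illustrated with a small detector for DGA-style lookups. The following is an added example, not code from the original glossary page: it parses constructed DNS query log lines (the four-column format and all IPs and domain names are invented for this example), measures the Shannon entropy of each queried domain's registrable label, and reports clients that repeatedly receive NXDOMAIN for long, high-entropy names, which is the characteristic footprint of malware cycling through generated candidate domains. The thresholds, the single-label-TLD assumption in `registered_label`, and the log format are assumptions, not values taken from any product.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (hypothetical format: "<timestamp> <client_ip> <qname> <rcode>").
# 10.0.0.7 behaves like a DGA client: several NXDOMAIN answers for random-looking names.
# 10.0.0.5 has one typo-style NXDOMAIN; 10.0.0.9 resolves one odd name successfully.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com NOERROR
2024-01-01T10:00:02 10.0.0.5 mail.example.com NOERROR
2024-01-01T10:00:02 10.0.0.5 exmaple.com NXDOMAIN
2024-01-01T10:00:03 10.0.0.7 xk3jd9qpl2mzv.com NXDOMAIN
2024-01-01T10:00:03 10.0.0.7 p9q2lxm4twz8.net NXDOMAIN
2024-01-01T10:00:04 10.0.0.7 zqv7ldk3m9xb.org NXDOMAIN
2024-01-01T10:00:04 10.0.0.7 b7xkq2zm8lpd.com NXDOMAIN
2024-01-01T10:00:05 10.0.0.9 cdn.example.org NOERROR
2024-01-01T10:00:06 10.0.0.9 x7k2mq9plz3w.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "rcode": rcode}


def registered_label(qname):
    """Label directly under the TLD. Assumption: single-label TLDs only;
    a production detector would consult a public-suffix list instead."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Shannon entropy in bits per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def looks_generated(qname, entropy_threshold=3.0, min_length=10):
    """Heuristic: a long registrable label with near-uniform character distribution."""
    label = registered_label(qname)
    return len(label) >= min_length and shannon_entropy(label) >= entropy_threshold


def find_dga_suspects(log_text, min_nxdomain=3, entropy_threshold=3.0):
    """Return {client_ip: [domains]} for clients with >= min_nxdomain distinct
    NXDOMAIN answers on high-entropy names. Successful lookups are ignored on
    purpose: a DGA client burns through many non-registered candidates."""
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["rcode"] != "NXDOMAIN":
            continue
        if looks_generated(rec["qname"], entropy_threshold):
            per_client[rec["client"]].add(rec["qname"])
    return {c: sorted(d) for c, d in per_client.items() if len(d) >= min_nxdomain}


if __name__ == "__main__":
    for client, domains in find_dga_suspects(SAMPLE_LOG).items():
        print(f"{client}: {len(domains)} NXDOMAIN lookups of high-entropy domains")
        for d in domains:
            print("   ", d)
```

Entropy alone produces false positives on legitimate CDN or tracking hostnames, which is why the detector combines it with the NXDOMAIN response code and a per-client count; in practice the thresholds would be tuned against the organisation's own resolver logs and the result fed to the NDR or SIEM pipeline as an alert rather than a block.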
● Examples
- 01 Cobalt Strike Beacon's HTTPS, DNS, and SMB-pipe C2 channels.
- 02 DGAs used by Conficker to generate hundreds of pseudo-random C2 domains daily.
● Frequently asked questions
What is Command and Control (C2)?
The infrastructure and channels attackers use to maintain communication with compromised systems and send them instructions. It belongs to the Malware category of cybersecurity.
What does Command and Control (C2) mean?
The infrastructure and channels attackers use to maintain communication with compromised systems and send them instructions.
How do you defend against Command and Control (C2)?
Defences for Command and Control (C2) typically combine technical controls (egress filtering, DNS analytics, TLS inspection where lawful, network detection and response) with operational practices such as takedowns and sinkholing, as detailed in the full definition above.
What are other names for Command and Control (C2)?
Common alternative names include: C2, C&C, Command-and-control server.