In cybersecurity, Command-and-Control (C2) refers to the infrastructure and techniques attackers use to maintain communication with compromised systems within a target network. It is the “brain” of a cyberattack, allowing the threat actor to send commands to infected hosts and receive data back.
How C2 Works: The Lifecycle
- Infection & Initial Callback: After a target is compromised (via phishing, exploit, etc.), the malware (the “implant” or “agent”) executes and “phones home” to the attacker’s server to establish a connection.
- Beaconing: To avoid detection, the agent typically doesn’t stay connected 24/7. Instead, it “beacons” at specific intervals (e.g., every 5 minutes) to check for new tasks.
- Tasking: The attacker assigns a task—such as taking a screenshot, stealing a password, or moving laterally to another machine—which the agent downloads and executes during its next beacon.
- Exfiltration: The results of the task are encrypted and sent back to the C2 server, often disguised as legitimate web traffic.
Common C2 Frameworks
| Framework | Type | Key Focus |
|---|---|---|
| Cobalt Strike | Commercial | The industry standard for Red Teams; uses “Beacons” and is highly customizable. |
| Covenant | Open Source | Focuses on the .NET attack surface; uses “Grunts” as agents. |
| Sliver | Open Source | A Go-based framework that supports cross-platform implants (Windows, Linux, macOS). |
| Metasploit | Open Source | While primarily an exploitation framework, its “Meterpreter” shell functions as a powerful C2 agent. |
C2 Communication Channels
Attackers disguise C2 traffic to blend in with normal network activity:
- HTTP/HTTPS: The most common method; traffic looks like standard web browsing.
- DNS: Data is hidden inside DNS queries. This is slow but very hard to block because DNS is required for the network to function.
- SMB: Used for “internal” C2; one compromised machine talks to another over port 445 to bypass internal firewalls.
Defensive Evasion: Redirectors
Sophisticated attackers don’t let agents connect directly to their main server. Instead, they use Redirectors—simple servers (often cheap VPS instances) that sit in the middle. If a defender spots a redirector and blocks it, the attacker just spins up a new one without losing their main backend server.
Command-and-Control (C2)
📝 Overview
- What it is: The centralized infrastructure used by attackers to manage compromised hosts (zombies/bots) and direct their actions.
- Target Phase: Post-Exploitation / Persistence / Action on Objectives
- Operating System: Command servers are usually Linux; agents can be any OS.
⚙️ Core Concepts
- Agent/Implant: The piece of malware on the victim’s machine.
- Beaconing: The regular heartbeat an agent sends to check for tasks.
- Jitter: Adding random time variations to beacons to avoid detection by automated traffic analysis.
⚠️ Notes & Limitations
- Egress Filtering: Strong firewalls that restrict outbound traffic can break C2 connections.
- Traffic Analysis: Defenders look for unusual patterns, such as a laptop connecting to a strange IP address every 10 minutes on the dot.
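The traffic-analysis check described above (a host reconnecting to the same destination "every 10 minutes on the dot") and the effect of jitter on it, as an added defender-side example that is not part of the original notes. The log format, IP addresses and timestamps are constructed for the example; the detector groups outbound connections per (src, dst) pair and scores how regular the gaps between them are.

```python
"""Beacon detection over connection logs: added defender-side example, not from
the original notes. Flags (src, dst) pairs that reconnect on a near-fixed period."""
from collections import defaultdict
from statistics import mean, pstdev

def make_log(src, dst, start, gaps):
    """Build constructed log lines ('<epoch> <src> <dst:port>') for one flow."""
    ts, lines = start, [f"{start} {src} {dst}"]
    for g in gaps:
        ts += g
        lines.append(f"{ts} {src} {dst}")
    return lines

# Constructed sample: a 10-minute beacon on the dot, the same beacon with
# +/-30% jitter, and ordinary browsing bursts (documentation IP ranges only).
SAMPLE_LOG = "\n".join(
    make_log("10.0.0.5", "203.0.113.10:443", 1700000000, [600] * 7)
    + make_log("10.0.0.5", "198.51.100.7:443", 1700000120,
               [540, 660, 480, 720, 600, 420, 780])
    + make_log("10.0.0.5", "192.0.2.20:443", 1700000300,
               [3, 1, 45, 2, 900, 5, 2, 1200])
)

def parse_log(text):
    """Map (src, dst) -> list of connection timestamps in seconds."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(float(ts))
    return flows

def beacon_score(timestamps):
    """Return (connections, mean_gap, cv) or None if fewer than 3 connections.
    cv = stdev / mean of the inter-arrival gaps; 0.0 means 'on the dot'."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return len(ts), m, (pstdev(gaps) / m if m else float("inf"))

def find_beacons(flows, min_conns=6, max_cv=0.2):
    """Flows with >= min_conns connections and gap spread (cv) <= max_cv."""
    hits = []
    for key, ts in flows.items():
        score = beacon_score(ts)
        if score and score[0] >= min_conns and score[2] <= max_cv:
            hits.append((key, round(score[1]), round(score[2], 3)))
    return hits
```

With `max_cv=0.1` only the on-the-dot flow is flagged; the jittered flow has cv 0.2 and needs `max_cv=0.25` to be caught, which is the trade-off jitter forces on the defender (looser threshold, more false positives from bursty browsing that is filtered here mainly by its high cv).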
🏷️ Tags
C2 CommandAndControl PostExploitation RedTeaming Botnet PenTestPlus CLItool (for C2 management consoles)