TI News Feed · Threat Intelligence Guides
View live threat intel feed →
TI News FeedThreat Intelligence Guides & ResourcesView Live Feed →
Attacks

What Is Command and Control (C2)? How C2 Works & Detection

Once attackers compromise a system, they need a way to control it. Command and control (C2) is that channel — and finding the secret conversation between an implant and its operator is one of detection's biggest wins.

By TI News Feed Editorial Team8 min readPublished Updated

Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.

Command and control — abbreviated C2 or C&C — refers to the infrastructure and techniques attackers use to communicate with and remotely control systems they've compromised. After malware lands on a machine, it needs a way to "phone home" to the attacker: to receive instructions, download additional payloads, and send back stolen data. The channel and infrastructure that make this possible are collectively called command and control, and they're the nerve center of most intrusions.

In short: C2 is the secret line of communication between an attacker and the systems they've taken over. Cut that line, and you cut the attacker off from their foothold — which is exactly why C2 is such a valuable detection target.

Where C2 fits in an attack

Command and control is its own stage in the cyber kill chain (stage six) and a dedicated tactic in the MITRE ATT&CK framework. It typically begins right after an attacker establishes persistence and continues throughout the intrusion, enabling later activity like lateral movement and data exfiltration. A botnet is essentially C2 at massive scale — thousands of compromised devices all reporting to the same control infrastructure.

How command and control works

  1. The implant checks in. Malware (often called an implant, beacon, or agent) on the compromised host reaches out to the attacker's C2 server at intervals.
  2. The server issues commands. The attacker sends instructions — run a command, download a tool, harvest credentials, move laterally, or exfiltrate data.
  3. Results flow back. The implant executes and returns output or stolen data over the same or a related channel.

This regular check-in pattern is called beaconing, and its rhythm is one of the most reliable ways to detect C2.

Common C2 channels

To stay hidden, attackers tunnel C2 through traffic that looks normal:

  • HTTP/HTTPS: the most common, because web traffic is ubiquitous and encryption hides the contents.
  • DNS tunneling: smuggling commands and data inside DNS queries and responses, which many networks don't inspect closely.
  • Legitimate services: abusing trusted platforms — cloud storage, social media, messaging apps, or collaboration tools — as a relay so traffic blends in.
  • Domain fronting and redirectors: routing traffic through trusted domains or intermediary servers to disguise the true C2 destination.

C2 infrastructure and frameworks

Attackers build resilient C2 infrastructure using servers, registered domains, and redirectors, often rotating them to evade blocking. Many use ready-made C2 frameworks — Cobalt Strike being the best known, alongside open-source options — which provide implants, communication profiles, and management consoles out of the box. These tools are legitimately used by red teams for authorized testing, but cracked and abused versions are pervasive in real attacks, which is why tracking C2 frameworks and their signatures is a major focus of defenders.

How to detect command and control

  • Beaconing analysis. Regular, automated connections to the same destination at consistent intervals — a strong indicator of compromise that stands out from human-driven traffic.
  • Blocking known infrastructure. Threat-intel feeds of known C2 servers, domains, and IPs let you block and alert on contact; enrichment adds the context to prioritize.
  • DNS monitoring. Detecting tunneling through unusually long, frequent, or high-entropy DNS queries.
  • Network and TLS fingerprinting to recognize the patterns of known C2 frameworks even within encrypted traffic.
  • Endpoint detection with EDR to spot the implant and its behavior on the host itself.

Because C2 sits relatively high on the Pyramid of Pain, disrupting an attacker's C2 infrastructure and tooling causes them far more trouble than blocking a single file hash.

How to defend against C2

  • Monitor and filter outbound traffic — many intrusions are caught not on the way in, but when the implant tries to call home.
  • Block known-malicious domains and IPs using current threat intelligence.
  • Inspect encrypted traffic where feasible and tightly control DNS.
  • Segment networks so a compromised host has limited outbound paths and reach.
  • Hunt proactively for beaconing and the signatures of common C2 frameworks.

How modern C2 evades detection

As defenders have gotten better at spotting C2, attackers have invested heavily in hiding it. Several evasion techniques are now standard. Encryption (HTTPS) conceals the contents of the communication so inspection sees only opaque traffic. Jitter deliberately randomizes the timing of beacons — instead of checking in exactly every 60 seconds, the implant varies the interval to defeat simple beaconing detection that looks for clockwork regularity. Domain fronting and the abuse of legitimate cloud and SaaS services let C2 traffic appear to go to trusted, reputable destinations that defenders are reluctant to block. Malleable profiles in frameworks like Cobalt Strike let attackers disguise their traffic to mimic ordinary web applications. And low-and-slow communication keeps data volumes small to stay under alerting thresholds. The defensive response is to focus less on any single indicator and more on the overall behavior: correlating subtle signals — destination reputation, timing patterns even with jitter, traffic that doesn't match the supposed application — and enriching them with threat intelligence to reveal the channel an attacker worked hard to hide. It's an arms race: as defenders adopt new detections, attackers adjust their profiles, which is why C2 detection leans so heavily on fresh, continuously updated intelligence rather than static rules.

Where threat intelligence fits

C2 is one of the most intelligence-driven areas of defense. Threat intelligence continuously tracks active C2 servers, domains, frameworks, and the communication patterns specific groups use. Feeds of known C2 infrastructure let defenders block and detect contact, while knowing an adversary's preferred C2 techniques turns a hidden channel into a detectable behavior — making C2 disruption one of the highest-impact ways to break an active intrusion.

The bottom line

Command and control (C2) is the infrastructure and channel attackers use to remotely control compromised systems — receiving commands, delivering payloads, and exfiltrating data. It hides in normal-looking traffic (HTTP/HTTPS, DNS, legitimate services), often powered by frameworks like Cobalt Strike, and reveals itself through beaconing patterns and known infrastructure. Outbound monitoring, blocking known C2, DNS inspection, fingerprinting, and proactive hunting are the core defenses — and cutting C2 cuts the attacker off. To track active C2 infrastructure and techniques, follow our live threat intelligence feed, aggregated from dozens of authoritative sources.

Frequently asked questions

What is command and control (C2) in cybersecurity?

Command and control (C2 or C&C) is the infrastructure and techniques attackers use to communicate with and remotely control compromised systems. Malware 'phones home' to a C2 server to receive instructions, download payloads, and send back stolen data, making C2 the nerve center of an intrusion.

What is C2 beaconing?

Beaconing is the regular, automated pattern of a compromised host checking in with its C2 server at consistent intervals. Because this rhythm differs from human-driven traffic, detecting beaconing — connections to the same destination at steady intervals — is one of the most reliable ways to find C2 activity.

What channels do attackers use for C2?

Attackers tunnel C2 through traffic that looks normal: most commonly HTTP/HTTPS, but also DNS tunneling, and the abuse of legitimate services like cloud storage, social media, and messaging apps. They also use domain fronting and redirectors to disguise the true C2 destination.

How do you detect command and control?

Detect C2 through beaconing analysis, blocking and alerting on known C2 infrastructure from threat-intel feeds, DNS monitoring for tunneling, network and TLS fingerprinting of known C2 frameworks, and endpoint detection (EDR) that spots the implant and its behavior on the host.

What is a C2 framework like Cobalt Strike?

A C2 framework is ready-made software that provides implants, communication profiles, and a management console for controlling compromised systems. Cobalt Strike is the best-known example; it's a legitimate red-team tool, but cracked versions are widely abused in real attacks, so defenders track its signatures.

Primary sources & further reading

This guide is reviewed and fact-checked against authoritative primary sources:

Related threat intel guides

AttacksWhat Is a Botnet? How Botnets Work & How to Defend Against ThemAttacksWhat Is Lateral Movement? How Attackers Move Through a NetworkFrameworksThe Cyber Kill Chain: All 7 Stages ExplainedDetectionIndicators of Compromise (IOCs): The Complete Guide