Command and Control (C2)
The infrastructure attackers use to send instructions to malware-infected hosts and collect stolen data.
Command and control (C2 or C&C) is the channel a botnet operator or APT uses to direct compromised systems and exfiltrate data. C2 traffic hides in plausible-looking protocols: DNS queries, HTTPS to legitimate-seeming domains, even posts to public APIs. Defenders detect C2 by looking for beaconing patterns, newly registered domains, DGA-generated hostnames, and connections to known-bad indicators. Disrupting C2 (via DNS sinkhole, takedown, or seizure) is one of the most effective ways to neutralise an active campaign.
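Two of the detection cues named above, beaconing and DGA-style hostnames, are easy to show on a small connection log. The following is an added example written for this entry, not code from the page or any product it references. It runs over a constructed log (synthetic hosts and addresses from the documentation ranges) and assumes a whitespace-separated record format of timestamp, source, destination, port and hostname; the thresholds and the vowel-ratio heuristic are illustrative choices, and real DGA families vary widely, so entropy-style checks are a triage signal rather than a verdict.

```python
"""Two C2-hunting heuristics on constructed sample data:
periodic beaconing between a host pair, and DGA-like hostnames."""
import math
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample connection log (not a real capture).
# Fields: timestamp, src, dst, dst_port, hostname (assumed format).
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 203.0.113.7 443 xk3j9q2lpz7r.net
2024-05-01T09:01:01 10.0.0.5 203.0.113.7 443 xk3j9q2lpz7r.net
2024-05-01T09:01:59 10.0.0.5 203.0.113.7 443 xk3j9q2lpz7r.net
2024-05-01T09:03:02 10.0.0.5 203.0.113.7 443 xk3j9q2lpz7r.net
2024-05-01T09:04:00 10.0.0.5 203.0.113.7 443 xk3j9q2lpz7r.net
2024-05-01T09:04:58 10.0.0.5 203.0.113.7 443 xk3j9q2lpz7r.net
2024-05-01T09:00:10 10.0.0.8 198.51.100.20 443 login.example.com
2024-05-01T09:00:15 10.0.0.8 198.51.100.20 443 login.example.com
2024-05-01T09:03:40 10.0.0.8 198.51.100.20 443 login.example.com
2024-05-01T09:03:41 10.0.0.8 198.51.100.20 443 login.example.com
2024-05-01T09:10:00 10.0.0.8 198.51.100.20 443 login.example.com
"""


def parse_log(text):
    """Parse the constructed log format into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, host = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "src": src,
                     "dst": dst, "port": int(port), "host": host})
    return rows


def beacon_candidates(rows, min_connections=5, max_cv=0.1):
    """Group connections by (src, dst, port) and flag pairs whose inter-arrival
    gaps are nearly constant. cv = stdev/mean of the gaps: a beacon with small
    jitter has a low cv, interactive browsing does not. Thresholds are illustrative."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["src"], r["dst"], r["port"])].append(r["ts"])
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[pair] = {"period_s": round(avg, 1), "cv": round(cv, 3),
                          "count": len(stamps)}
    return hits


def shannon_entropy(s):
    """Per-character Shannon entropy in bits."""
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def dga_like(hostname, min_len=10, min_entropy=3.2, max_vowel_ratio=0.25):
    """Crude lexical heuristic on the label left of the TLD. Assumes a
    single-label public suffix; a real deployment would use a suffix list.
    Long, high-entropy, vowel-poor labels are flagged for analyst review."""
    labels = hostname.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for pair, info in beacon_candidates(rows).items():
        print("beacon candidate", pair, info)
    for host in sorted({r["host"] for r in rows}):
        print(host, "dga_like=" + str(dga_like(host)))
```

On the constructed log only the 10.0.0.5 pair is reported (period about 60 s, cv about 0.03), and only the random-looking hostname is flagged; a long dictionary word such as `stackoverflow` passes the vowel-ratio check, which is why the entropy test is not used alone.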
Referenced on
- DNS Over HTTPS Abuse: How Encrypted DNS Creates Security Blind Spots
- DNS Tunneling Attack: How Data Is Smuggled Through Port 53
- Fast Flux DNS: How Botnets Hide Behind Rapidly Rotating IP Addresses
- How to Report Network Security Incidents to a CERT Team: Templates for Vulnerability Exploitation and Intrusions