Command and Control (C2)

Command and Control (C2 or C&C) in the context of cybersecurity refers to the means by which attackers maintain communication with compromised systems or networks within a target environment. This communication channel allows attackers to issue commands, control malware, and extract data from the infected system. Establishing a C2 channel is a common tactic in advanced persistent threats (APTs), botnets, and various other types of cyber attacks.

C2 allows attackers to remotely control malware or compromised systems. They can execute commands, deploy additional payloads, or exfiltrate data. C2 communication can be direct (such as through a TCP/IP connection) or indirect (using intermediaries like social media, email, or legitimate web services). Effective C2 channels are designed to be stealthy and persistent, often using encryption or mimicking legitimate traffic to avoid detection by network security systems.

Some examples of C2 mechanisms:

  1. HTTP/HTTPS-Based C2: Utilizing web requests to communicate with a server controlled by the attacker. This method is common because HTTP/HTTPS traffic is often allowed through firewalls.
  2. DNS Tunneling: Using DNS queries and responses to pass commands and data. This is a stealthy method as DNS traffic is rarely inspected in detail.
  3. Social Media C2: Leveraging social media platforms for sending commands and receiving data. For example, a Twitter account controlled by the attacker might post encoded commands that the malware interprets and executes.
  4. Email-Based C2: Sending commands or receiving data through emails. The malware might check an email inbox for new commands.
  5. Peer-to-Peer (P2P) Networks: Using a decentralized P2P network for command and control, making it harder to disrupt the C2 channel by taking down a single server.
  6. Custom Protocols: Developing custom communication protocols that can be more difficult for security tools to identify and block.
  7. WebSocket and MQTT: Using newer web technologies like WebSockets or MQTT (Message Queuing Telemetry Transport), which are designed for real-time communication in web applications and IoT devices.
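As an added illustration of the detection side of mechanism 2 (DNS tunneling), the following example, which is not part of the original page, scores a constructed resolver log per registered domain: a tunnel shows up as many distinct, long, high-entropy subdomains sent to one domain. The log format, the "last two labels" domain rule, and the thresholds are assumptions, not a standard.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log in a hypothetical "<time> <client> <qname> <qtype>" format.
# Lines 1-4 are ordinary lookups; lines 5-8 mimic a DNS tunnel, which carries data
# outward as long, high-entropy, never-repeating subdomains of one attacker domain.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 mail.example.com A
10:00:03 10.0.0.6 www.example.com A
10:00:04 10.0.0.6 cdn.example.com A
10:00:05 10.0.0.7 a9f3k2x8q1z7m4b6c0d2e5f8.t.tunnel-example.net TXT
10:00:06 10.0.0.7 z3m8p1q7w2e6r5t9y4u0i3o8.t.tunnel-example.net TXT
10:00:07 10.0.0.7 k1l5m9n3o7p2q6r0s4t8u3v7.t.tunnel-example.net TXT
10:00:08 10.0.0.7 b2c6d0e4f8g3h7i1j5k9l2m6.t.tunnel-example.net TXT
"""

def shannon_entropy(text: str) -> float:
    """Bits per character; 0.0 for an empty string."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def split_name(qname: str) -> tuple:
    """(registered_domain, subdomain) by the naive last-two-labels rule; a real
    deployment should consult the Public Suffix List instead (assumption made here)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def domain_stats(log: str) -> dict:
    """Per registered domain: query count, share of distinct subdomains,
    mean subdomain length and mean subdomain entropy."""
    raw = defaultdict(lambda: {"queries": 0, "subs": set(), "len": 0, "ent": 0.0})
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # tolerate malformed lines instead of aborting the scan
        dom, sub = split_name(parts[2])
        s = raw[dom]
        s["queries"] += 1
        s["subs"].add(sub)
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub)
    return {d: {"queries": s["queries"], "unique_ratio": len(s["subs"]) / s["queries"],
                "mean_len": s["len"] / s["queries"], "mean_entropy": s["ent"] / s["queries"]}
            for d, s in raw.items()}

def suspicious_domains(log: str, min_queries=4, min_len=20, min_entropy=3.5, min_unique=0.8) -> set:
    """Domains whose subdomains look like encoded payloads (thresholds are assumptions)."""
    return {d for d, s in domain_stats(log).items()
            if s["queries"] >= min_queries and s["mean_len"] >= min_len
            and s["mean_entropy"] >= min_entropy and s["unique_ratio"] >= min_unique}
```

Legitimate CDN and anti-spam services also use long, unique subdomains, so in practice the thresholds need tuning against a baseline and an allowlist for known domains.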