🕹️ C2 Server
Category: Threat Intelligence
Tags: command and control, C2 server, malware, beaconing, attacker infrastructure, TTPs
🧠 What is a C2 Server?
A Command and Control (C2, sometimes C&C) server is attacker-operated infrastructure used to remotely control compromised machines (often called bots or implants) inside a victim's network. Once malware establishes a foothold, it "calls home" to its C2 server to fetch instructions, upload stolen data, or download additional payloads. Because the implant initiates every connection outbound, the C2 channel usually passes straight through firewalls that only filter inbound traffic.
⚙️ How C2 Servers Operate
C2 servers provide two-way communication between the attacker and infected endpoints, in three recurring steps:
- Check-in (beaconing): the implant contacts the C2 server on a schedule, typically a fixed sleep interval plus some random jitter, asking whether any tasks are queued. The regularity of this traffic is what most network-side detection keys on.
- Tasking: the attacker queues commands for the implant, such as running a shell command, capturing keystrokes or screenshots, harvesting credentials, or moving laterally to other hosts; the implant picks them up on its next check-in.
- Results and exfiltration: the implant returns command output and harvested material (credentials, screenshots, files) to the C2 server over the same channel or a separate exfiltration channel.
🔐 C2 Communication Techniques
| Technique | Description |
|---|---|
| HTTP/HTTPS | Blends in with ordinary web browsing; with HTTPS the proxy sees only TLS metadata (SNI, certificate, sizes, timing), not the commands. |
| DNS Tunnelling | Encodes data into query names (and responses) for a domain the attacker controls; works wherever the host can resolve external names, even without direct Internet access. |
| Custom Protocols | Purpose-built binary protocols over raw TCP/UDP, chosen to dodge signature matching or to slow reverse engineering. |
| Social Media & Cloud Services | Uses legitimate platforms such as Twitter, Slack or Dropbox as dead drops or relays, so traffic goes to trusted, high-reputation domains. |
| Tor/I2P Networks | Hides the operator's real infrastructure; also a strong signal, because ordinary enterprise hosts rarely have a legitimate reason to reach Tor. |
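As an added example, not code from the page, the Python below shows the DNS tunnelling row from both ends and then the check a DNS-logging pipeline would run against it: a payload is split into base32 labels under a hypothetical attacker zone `c2.example`, reassembled on the receiving side, and finally flagged by a length-and-entropy heuristic. The zone name, the sample payload and the detection thresholds are assumptions for illustration; the label and name limits are the RFC 1035 values.

```python
import base64
import math
from collections import Counter

# Hypothetical attacker-controlled zone; any zone the attacker is authoritative
# for would work. The name is an assumption for this example, not from the page.
TUNNEL_ZONE = "c2.example"
MAX_LABEL = 63    # RFC 1035: one label is at most 63 octets
MAX_NAME = 253    # practical maximum length of a full domain name


def encode_chunks(data: bytes, zone: str = TUNNEL_ZONE, chunk_bytes: int = 30) -> list[str]:
    """Implant side: split data into query names <base32 payload>.<seq>.<zone>.

    30 raw bytes become a 48-character base32 label, under the 63-octet label
    limit; the sequence label lets the server reorder chunks that arrive out of order.
    """
    names = []
    for seq, offset in enumerate(range(0, len(data), chunk_bytes)):
        chunk = data[offset:offset + chunk_bytes]
        label = base64.b32encode(chunk).decode().rstrip("=").lower()
        name = f"{label}.{seq}.{zone}"
        if len(label) > MAX_LABEL or len(name) > MAX_NAME:
            raise ValueError("chunk too large for a DNS name")
        names.append(name)
    return names


def decode_chunks(names: list[str], zone: str = TUNNEL_ZONE) -> bytes:
    """Server side (authoritative for zone): reassemble the payload from the queries seen."""
    parts = {}
    suffix = "." + zone
    for name in names:
        if not name.endswith(suffix):
            continue                                   # unrelated query
        payload, seq = name[:-len(suffix)].split(".")
        padded = payload.upper() + "=" * (-len(payload) % 8)   # restore stripped base32 padding
        parts[int(seq)] = base64.b32decode(padded)
    return b"".join(parts[k] for k in sorted(parts))


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0 for a single repeated character)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_queries(qnames, min_label: int = 20, min_entropy: float = 3.0) -> list[str]:
    """Defender side: flag names whose first label is long and high-entropy,
    the fingerprint of encoded data riding in DNS. Thresholds are assumptions to tune."""
    flagged = []
    for q in qnames:
        first = q.split(".")[0]
        if len(first) >= min_label and shannon_entropy(first) >= min_entropy:
            flagged.append(q)
    return flagged


if __name__ == "__main__":
    secret = b"user=admin;pass=Winter2024!;host=FS01;files=42"     # constructed sample payload
    queries = encode_chunks(secret)
    benign = ["www.example.org", "outlook.office365.com", "cdn-assets-prod.example.net"]
    print(queries)
    print(decode_chunks(queries) == secret)
    print(suspicious_queries(benign + queries))
```

Real tunnelling tools add compression, encryption and per-session IDs on top of this, but the detectable shape is the same: many distinct, long, high-entropy subdomains under one zone. A production check should also count unique subdomains per zone and per client, since a single long label can be a legitimate CDN or anti-spam lookup.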
🧬 C2 in the Cyber Kill Chain
Command and Control is a phase of the Lockheed Martin Cyber Kill Chain and a tactic (TA0011, "Command and Control") in the MITRE ATT&CK framework. It sits in the post-exploitation stage of an attack, after initial access and execution, and is the channel through which everything that follows (discovery, lateral movement, exfiltration) is driven.
- MITRE ATT&CK technique: T1071 – Application Layer Protocol
- Example sub-techniques: T1071.001 – Web Protocols; T1071.003 – Mail Protocols; T1071.004 – DNS (the DNS tunnelling row above)
- Related technique: T1102 – Web Service, which covers the use of social media and cloud platforms as C2 relays
⚠️ Detection and Mitigation
| Method | Purpose |
|---|---|
| Network Traffic Analysis | Find beaconing: connections from one host to one destination at near-constant intervals with near-constant sizes, or unusual outbound volumes. |
| DNS Logging | Spot tunnelling: long, high-entropy subdomains, many unique names under one zone, or unusual record types (TXT, NULL) from a single client. |
| Threat Intel Feeds | Match IOCs against known C2 IPs, domains and TLS certificate fingerprints (for example JA3/JA3S hashes of known frameworks). |
| Endpoint Detection & Response (EDR) | Observe post-exploitation behaviour on the host: suspicious child processes, injected code, credential access. |
| Firewall/Proxy Rules | Egress filtering, default-deny where possible: allow outbound only to approved destinations or through an authenticating proxy, so an implant's first call home fails or is logged. |
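The beaconing check from the first row, as an added example that is not part of the original page: it parses a constructed proxy-log excerpt (timestamp, source IP, destination host, bytes), groups requests by source and destination, and scores each pair by how regular the spacing between requests is. Host 10.0.0.5 checks in with a hypothetical destination every ~60 seconds with small jitter, 10.0.0.7 is a person browsing, and 10.0.0.9 has too few events to judge; all addresses, hostnames and thresholds are assumptions for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log excerpt (not from the page): "<timestamp> <src_ip> <dst_host> <bytes>".
# 10.0.0.5 checks in with a hypothetical host every ~60 s; 10.0.0.7 is a person browsing;
# 10.0.0.9 has only two events, which is not enough to score.
SAMPLE_LOG = """
2024-05-01T09:00:00 10.0.0.5 updates.cdn-example.net 412
2024-05-01T09:00:05 10.0.0.7 www.example.org 18233
2024-05-01T09:00:10 10.0.0.7 www.example.org 2210
2024-05-01T09:01:02 10.0.0.5 updates.cdn-example.net 408
2024-05-01T09:01:59 10.0.0.5 updates.cdn-example.net 415
2024-05-01T09:02:30 10.0.0.7 www.example.org 9071
2024-05-01T09:02:42 10.0.0.7 www.example.org 1304
2024-05-01T09:03:01 10.0.0.5 updates.cdn-example.net 410
2024-05-01T09:04:00 10.0.0.5 updates.cdn-example.net 413
2024-05-01T09:05:03 10.0.0.5 updates.cdn-example.net 407
2024-05-01T09:05:58 10.0.0.5 updates.cdn-example.net 411
2024-05-01T09:07:01 10.0.0.5 updates.cdn-example.net 414
2024-05-01T09:12:42 10.0.0.7 www.example.org 22810
2024-05-01T09:13:15 10.0.0.7 www.example.org 640
2024-05-01T09:20:00 10.0.0.9 mail.example.org 3100
2024-05-01T09:50:00 10.0.0.9 mail.example.org 3098
""".strip().splitlines()


def parse_flows(lines):
    """Group request timestamps by (source IP, destination host)."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, _nbytes = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps, min_events=4):
    """Return (median interval in seconds, jitter ratio), or None if there are too few events.

    Jitter ratio = median absolute deviation of the gaps / median gap, so a
    perfectly regular beacon scores 0 and human browsing scores near or above 1.
    """
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    median = statistics.median(gaps)
    mad = statistics.median(abs(g - median) for g in gaps)
    return median, (mad / median if median else float("inf"))


def find_beacons(lines, max_jitter=0.2):
    """Flag (src, dst) pairs whose request spacing is regular enough to look like a beacon."""
    hits = []
    for (src, dst), stamps in parse_flows(lines).items():
        score = beacon_score(stamps)
        if score is not None and score[1] <= max_jitter:
            hits.append((src, dst, round(score[0]), round(score[1], 2)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("possible beacon (src, dst, interval_s, jitter):", hit)
```

Implants deliberately add jitter to defeat exactly this test, so `max_jitter` is a trade-off: raising it catches sloppier beacons but also scheduled legitimate traffic (update checkers, monitoring agents, NTP), which is why a real pipeline pairs the timing score with destination reputation, request-size consistency and an allow-list of known agents rather than alerting on regularity alone.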
🔥 Notable Real-World C2 Frameworks
- Cobalt Strike – Commercial adversary-simulation framework widely used in red teaming; cracked copies are also heavily abused by threat actors, so its default profiles are well covered by detection signatures.
- Metasploit – Penetration testing framework whose Meterpreter payloads and multi/handler listener form a basic C2 channel.
- Sliver – Open-source adversary emulation and C2 framework with implants that support HTTP(S), DNS, mTLS and WireGuard transports.
- Empire – PowerShell- and Python-based post-exploitation framework with its own HTTP-based C2 listeners.