Skip to main content
ThreatsFirewallSIEMXDR

What is Command and Control?

Command and Control (C2) refers to the infrastructure and communication channels adversaries use to remotely direct malware on compromised systems, issuing commands, receiving stolen data, and managing implants within the victim network.

Definition

Command and Control
Command and Control (C2) refers to the infrastructure and communication channels adversaries use to remotely direct malware on compromised systems, issuing commands, receiving stolen data, and managing implants within the victim network.

How Command and Control Works

After establishing persistence, malware needs a way to receive instructions and send back results. The C2 channel must be covert, evading network security controls.

Early C2 used IRC or raw TCP connections, easily blocked. Modern C2 frameworks (Cobalt Strike, Mythic, Sliver) default to HTTPS that blends with normal browsing. Domain fronting uses CDN infrastructure to hide the true C2 destination. DNS-based C2 encodes commands in DNS queries and responses, difficult to block because DNS is essential. DGAs continuously rotate C2 domains to evade blocklists.

C2 detection targets: unusual beacon timing patterns (malware checking in at regular intervals), connections to newly registered or low-reputation domains, high volumes of encrypted traffic to unusual destinations, DNS queries for algorithmically generated domains, and HTTPS connections with invalid or self-signed certificates.

Command and Control in SOC Operations

C2 detection is high-value. Identifying active C2 means the attacker has a live channel into the environment. Blocking C2 cuts off attacker access before they achieve their objectives. NDR and SIEM correlation are your primary detection tools: NDR identifies anomalous network patterns while SIEM correlates DNS, proxy, and firewall logs to surface suspicious external communications.

Free forever

Practice Command and Control in a Real SOC

SOCSimulator provides hands-on training with realistic SIEM, XDR, and Firewall interfaces. Build real analyst skills investigating command and control scenarios with zero consequences — free forever.

Start Free — No Credit CardTry Shift Mode

Related Terms

PersistenceThreats

Persistence refers to techniques adversaries use to maintain access across reboots, credential chang...

Lateral MovementThreats

Lateral movement is the attack phase where adversaries expand access from an initial foothold to add...

ExfiltrationThreats

Data exfiltration is the unauthorized transfer of sensitive data from a victim environment to attack...

NDRTools

Network Detection and Response (NDR) is a security platform that passively monitors network traffic ...

IOCConcepts

An Indicator of Compromise (IOC) is an observable artifact, such as a file hash, IP address, domain ...

More Threats Terms

PhishingBrute Force AttackLateral MovementPrivilege EscalationPersistenceExfiltrationAll Threats

Related SOC Training Resources

Career Path

Threat Hunter Career Guide — Salary & Skills

Threat Hunters do not wait for alerts. You develop hypotheses based on threat intelligence and adversary behavior models…

Read more Career Path

Incident Responder Career Guide — Salary & Skills

Incident Responders lead the technical response when confirmed breaches happen. You coordinate containment, run forensic…

Read more Career Path

SOC Analyst (Tier 2) Career Guide — Salary & Skills

Tier 2 SOC Analysts handle the investigations that Tier 1 escalates. You dig into multi-stage attacks, coordinate contai…

Read more Comparison

SOCSimulator vs Hack The Box — Comparison

Different tools for different career paths. SOCSimulator trains defensive analysts. Hack The Box trains offensive securi…

Read more Comparison

SOCSimulator vs TryHackMe — Comparison

SOCSimulator is the better tool for dedicated SOC analyst preparation. TryHackMe is the better tool for broad cybersecur…

Read more Tool

Firewall Training Console — SOCSimulator

The Firewall console in SOCSimulator replicates the log analysis experience of enterprise platforms like Palo Alto Netwo…

Read more Tool

SIEM Training Console — SOCSimulator

The SIEM console in SOCSimulator replicates the workflow of enterprise platforms like Splunk Enterprise Security, Micros…

Read more Tool

XDR Training Console — SOCSimulator

The XDR console in SOCSimulator replicates the investigation workflow of platforms like CrowdStrike Falcon, Microsoft De…

Read more Technique

MITRE ATT&CK Techniques — Detection Training Library

Browse all MITRE ATT&CK techniques with detection strategies and example alerts.

Read more Career Path

Cybersecurity Career Paths — 2026 Guide

Explore SOC analyst career paths with salary data, required skills, and certification roadmaps.

Read more Playbook

SOC Investigation Playbooks — Step-by-Step Guides

Practitioner investigation playbooks with decision trees and real SIEM queries.

Read more Feature

Shift Mode — Real-Time SOC Simulation

Practice alert triage under realistic time pressure with SLA timers and noise injection.

Read more

We use cookies to improve your experience and measure usage. Learn more