
Command and control infrastructure enables attackers to communicate with compromised systems. Understanding C2 concepts helps red teams operate sophisticated campaigns and helps blue teams detect and disrupt adversary infrastructure.
Command and control establishes channels between attackers and their implants on compromised systems. Through these channels, attackers issue commands, receive results, and exfiltrate data.
Simple C2 might involve direct connections to attacker-controlled servers. More sophisticated setups use redirectors, CDNs, or compromised infrastructure to obscure the actual C2 server's location. Layered infrastructure protects operations when individual nodes are identified and blocked.
The protocol used for C2 communications affects detection likelihood. HTTP/HTTPS blends with normal web traffic. DNS tunneling hides within allowed DNS queries. Social media APIs exploit legitimate platform communication. Each choice trades capabilities against detection risk.
Most modern C2 uses periodic check-ins rather than persistent connections. Implants "beacon" to the C2 server at defined intervals, receiving commands and sending results. This intermittent communication is harder to detect than constant connections.
Jitter adds randomness to beacon timing. Instead of checking in exactly every 60 seconds, an implant might check in anywhere from 45 to 75 seconds. This unpredictability makes pattern-based detection more difficult.
Sleep periods during inactive hours reduce detection likelihood. A beacon at 3 AM, when normal activity is minimal, attracts more attention than one during business hours, when web traffic is constant.
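The beaconing, jitter and sleep behaviour described above is what a defender looks for in proxy or firewall logs: a host that contacts the same destination at intervals whose mean is stable and whose spread is small. The following added example (not part of the original lesson) parses a few constructed log lines and flags source/destination pairs with a low coefficient of variation in their inter-connection gaps; the sample host uses the lesson's 60 second interval with 45 to 75 second jitter, while a second host shows ordinary bursty browsing.

```python
"""Beacon-interval analysis over constructed proxy log lines (added example)."""
import re
import statistics
from collections import defaultdict

# Constructed sample data, not from any real environment. Format: "<epoch> <src> <dst>".
# 10.0.0.5 beacons every ~60 s with jitter inside 45..75 s; 10.0.0.7 browses in bursts.
SAMPLE_LOG = """\
1700000000 10.0.0.5 203.0.113.10
1700000058 10.0.0.5 203.0.113.10
1700000121 10.0.0.5 203.0.113.10
1700000177 10.0.0.5 203.0.113.10
1700000248 10.0.0.5 203.0.113.10
1700000300 10.0.0.5 203.0.113.10
1700000004 10.0.0.7 198.51.100.20
1700000009 10.0.0.7 198.51.100.20
1700000400 10.0.0.7 198.51.100.20
1700000402 10.0.0.7 198.51.100.20
1700001000 10.0.0.7 198.51.100.20
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+)$")


def parse_log(text):
    """Group connection timestamps by (src, dst); malformed lines are skipped."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst = m.groups()
            flows[(src, dst)].append(int(ts))
    return flows


def interval_stats(timestamps):
    """Mean, spread (coefficient of variation) and range of gaps between connections."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:  # too few gaps to say anything about periodicity
        return None
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return {"count": len(ts), "mean": mean, "cv": cv, "min": min(gaps), "max": max(gaps)}


def find_beacons(flows, max_cv=0.2, min_count=5):
    """Return flows whose gaps are regular enough to look like a jittered beacon.
    Jitter widens the gap distribution but keeps cv small; human traffic is bursty."""
    return {key: st for key, tss in flows.items()
            if (st := interval_stats(tss)) and st["count"] >= min_count and st["cv"] <= max_cv}
```

Thresholds such as `max_cv=0.2` and `min_count=5` are assumptions for the sample; tune them against your own baseline, since very wide jitter or long sleep windows push cv up and lengthen the observation needed.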
Frameworks such as Cobalt Strike, Metasploit, Sliver, and Covenant provide ready-to-use C2 capabilities. Each has its own strengths: Cobalt Strike's mature feature set, Sliver's cross-platform support, Covenant's .NET focus.
These frameworks handle the complexity of agent generation, protocol implementation, and operator interface. Rather than building C2 from scratch, red teams leverage these platforms and focus on the challenges specific to their engagements.
Defenders increasingly recognize framework-specific patterns. Default Cobalt Strike configurations produce network signatures that detection tools specifically look for. Effective operations customize settings so that rules written for the defaults no longer match.
C2 infrastructure requires operational security attention. Domain categorization affects what network filters permit. Certificate choices influence both functionality and detection. IP reputation matters for connections crossing enterprise boundaries.
Infrastructure attribution connects your current operation to past activity if you reuse identifiable components. Unique domains, fresh infrastructure, and careful operational practices reduce this risk.
Understanding defender capabilities shapes infrastructure decisions. Organizations with sophisticated network monitoring require more careful communication design than those without such visibility.
What is Command and Control?
What Metasploit module listens for callbacks?
What C2 frameworks exist?
What is the payload that calls back to C2?