# Command and Control Techniques
Command and Control (C2) is the tactic adversaries use to communicate with systems they have compromised inside a target environment. In MITRE ATT&CK, this is Tactic TA0011. After an attacker gains initial access and establishes a foothold, they need a persistent, covert communication channel back to their own infrastructure. That channel is the C2 channel, and maintaining it is the difference between a one-time intrusion event and an active, persistent threat actor operating inside your network.
C2 is not a single technique. It is a collection of methods for hiding attacker communications inside traffic that defenders treat as normal. The attacker's central challenge is evading detection while maintaining reliable, two-way communication with the compromised host. The defender's challenge mirrors that: identifying attacker traffic inside the enormous volume of legitimate outbound network traffic every organization generates daily.
The techniques in TA0011 range from crude to sophisticated. Older malware used hard-coded IP addresses over non-standard ports, which were trivially detected by firewall rules. Modern C2 frameworks blend with HTTPS, use legitimate cloud platforms, rotate domains through domain generation algorithms, and sleep for hours or days between check-ins to defeat beaconing-based detection. Understanding how these techniques work is prerequisite knowledge for anyone building detection programs, configuring network monitoring, or evaluating whether an organization's network controls would actually catch an active intrusion.
The Predictive Defense Intelligence (PDI) methodology within CDA's TID domain defines beacon detection and C2 infrastructure hunting as core operational competencies. This article maps those competencies to the specific ATT&CK techniques defenders encounter in the wild.
## Application Layer Protocol: Web Protocols (T1071.001)
Web protocols are the most common C2 channel because HTTP and HTTPS traffic is universally permitted outbound, inspected least aggressively by many organizations, and generated at enormous volume. Blending malicious C2 traffic with legitimate web browsing is the attacker's primary camouflage strategy.
HTTP-based C2 works by having the implant (the malware on the compromised host) periodically reach out to an attacker-controlled server over port 80 or 443, send task results, and receive new commands in the response. From the network perimeter's perspective, this looks like a browser making web requests, which is why signature-based detection alone is insufficient.
Specific behaviors that characterize HTTP/HTTPS C2:
HTTPS C2 adds TLS encryption, which prevents payload inspection by inline security tools unless the organization performs TLS inspection. Even without payload inspection, the TLS handshake itself is observable and detectable. JA3 fingerprints a TLS client from the parameters in its ClientHello message: the MD5 of the protocol version, cipher suites, extensions, supported groups and point formats, in the order the client sends them. JA3S fingerprints the server's ServerHello the same way. Known C2 frameworks have documented JA3 hashes because their TLS implementations use consistent parameters; Cobalt Strike's default JA3 hash is widely documented. Defenders who collect TLS handshake metadata and compare it against JA3 blocklists can identify C2 traffic even when the payload is encrypted. Two caveats apply. A JA3 hash identifies a TLS stack, not a tool, so legitimate software built on the same library produces the same hash, and a match is a lead to pivot on rather than proof. And since Chrome began randomizing extension order in 2023, JA3 values for browsers are no longer stable, which is the problem the successor JA4 fingerprint was designed to address.
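The following is an added worked example, not code from the original article or from any JA3 implementation. It builds a constructed ClientHello, parses the JA3-relevant fields (and the SNI) out of the TLS record, and computes the JA3 string and hash with GREASE values stripped, then checks the hash against a one-entry stand-in for a threat-intelligence feed. The builder, the SNI cdn.example.net and the blocklist contents are assumptions made for the demonstration.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are placeholders browsers inject; JA3 strips them before hashing
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}    # 0x0a0a, 0x1a1a, ..., 0xfafa


def build_client_hello(version, ciphers, groups, point_formats, sni, extra_ext_types=()):
    """Assemble a minimal TLS record carrying a ClientHello (constructed test input, not a
    capture). Extensions are emitted as SNI(0), supported_groups(10), ec_point_formats(11),
    then any empty extra extensions, in that order."""
    def ext(t, body):
        return struct.pack("!HH", t, len(body)) + body
    name = sni.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name type 0 = host_name
    grp = b"".join(struct.pack("!H", g) for g in groups)
    exts = ext(0, struct.pack("!H", len(sni_entry)) + sni_entry)
    exts += ext(10, struct.pack("!H", len(grp)) + grp)
    exts += ext(11, bytes([len(point_formats)]) + bytes(point_formats))
    for t in extra_ext_types:
        exts += ext(t, b"")
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (struct.pack("!H", version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"       # cipher suites, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # record type 22 = handshake


def parse_client_hello(record):
    """Pull the JA3-relevant fields (plus SNI) out of a TLS record containing a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    info = {"version": struct.unpack("!H", body[:2])[0], "ciphers": [], "extensions": [],
            "groups": [], "formats": [], "sni": None}
    pos = 2 + 32                                  # skip the 32-byte client random
    pos += 1 + body[pos]                          # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    info["ciphers"] = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                          # skip compression methods
    if pos >= len(body):
        return info                               # no extensions at all (very old client)
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        t, length = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + length]
        pos += 4 + length
        info["extensions"].append(t)
        if t == 10:       # supported_groups: 2-byte list length, then 2-byte group ids
            n = struct.unpack("!H", data[:2])[0]
            info["groups"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif t == 11:     # ec_point_formats: 1-byte list length, then 1-byte formats
            info["formats"] = list(data[1:1 + data[0]])
        elif t == 0:      # server_name: list length(2), name type(1), name length(2), name
            n = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + n].decode()
    return info


def ja3(info):
    """JA3 string 'version,ciphers,extensions,groups,formats' (decimal values, dash-joined,
    GREASE removed from the three 2-byte lists) and its MD5 hex digest."""
    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    s = ",".join([str(info["version"]), join(info["ciphers"]), join(info["extensions"]),
                  join(info["groups"]), "-".join(str(f) for f in info["formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


# Stand-in for a threat-intel JA3 feed (assumed one-entry feed; the value is the Cobalt Strike
# hash public JA3 lists document). A hit is a lead, not proof: other Java-based clients share it.
JA3_BLOCKLIST = {"72a589da586844d7f0818ce684948eea": "Cobalt Strike (default Beacon TLS stack)"}


def lookup(record, blocklist=JA3_BLOCKLIST):
    """Fingerprint one ClientHello record and report any blocklist match alongside the SNI."""
    info = parse_client_hello(record)
    s, h = ja3(info)
    return {"ja3": s, "ja3_hash": h, "sni": info["sni"], "match": blocklist.get(h)}


if __name__ == "__main__":
    # Constructed hello: TLS 1.2, one GREASE cipher and one GREASE group interleaved the way
    # browsers do it, so the output shows GREASE being stripped from the JA3 string.
    hello = build_client_hello(0x0303, [0x1A1A, 0x1301, 0xC02B, 0xC02F], [0x2A2A, 29, 23, 24],
                               [0], "cdn.example.net", extra_ext_types=(35, 16))
    print(lookup(hello))
```

On real traffic the record comes from the first client-to-server segment of each TCP session (Zeek's ssl.log and Suricata's tls events already expose the ja3 string and hash, so this parser is for understanding what they compute, not a replacement for them).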
## Application Layer Protocol: DNS (T1071.004)
DNS tunneling encodes data inside DNS queries and responses, using the DNS protocol as a covert communication channel. DNS is selected because it is almost universally permitted outbound, including in highly restricted environments, because DNS resolution is required for basic network function.
The attacker controls a domain and runs a custom DNS server authoritative for that domain. The implant on the compromised host encodes commands or exfiltrated data as subdomains in DNS queries: encoded-data-chunk-1.attacker-controlled-domain.com. Because a single label is limited to 63 characters and a full name to 253, the implant chunks the data, encodes each chunk (base32 or a base64 variant is typical), and spreads it across many queries. The attacker's DNS server decodes the query, responds with encoded data in the DNS response (often in TXT or NULL records), and the implant decodes the response. The exchange looks like ordinary name resolution to any device that only sees that DNS traffic is occurring, rather than what each query carries or how many there are.
Detection signatures for DNS tunneling are distinct from other C2 methods:
DNS Security (DNSSEC) does not prevent DNS tunneling: it authenticates responses from the attacker's own authoritative server just as readily as anyone else's, and says nothing about what a query carries. The appropriate defenses are DNS query logging to a SIEM, recursive DNS resolver filtering (Pi-hole, Cisco Umbrella, NextDNS), and anomaly detection on DNS query volume and label entropy.
## Encrypted Channel (T1573)
Beyond HTTPS, adversaries use dedicated encryption to protect C2 traffic from inspection. T1573 covers the use of symmetric encryption (T1573.001) and asymmetric encryption (T1573.002) to obscure communications.
Symmetric encryption in C2 typically involves a shared key embedded in the implant, or a session key negotiated at first check-in. Cobalt Strike combines both approaches: the Beacon generates a random session key on the host, encrypts it with the RSA public key embedded in the implant, and then protects all tasks and output with AES (AES-256 in the framework's documentation) under that session key. Asymmetric encryption is used only for this initial key exchange, ensuring that even if traffic is captured, it cannot be decrypted without the private key held on the attacker's server.
Detection approaches for encrypted C2 shift from content inspection to metadata analysis:
## Proxy (T1090)
Multi-hop proxy chains route C2 traffic through a series of intermediary systems before reaching the attacker's true infrastructure. Each hop in the chain knows only the previous and next hop, not the full path. This obscures attribution (it is difficult to trace traffic back to the true C2 server) and complicates takedown efforts.
T1090 sub-techniques cover internal proxy (T1090.001), external proxy (T1090.002), multi-hop proxy (T1090.003), and domain fronting (T1090.004).
Volt Typhoon's use of compromised SOHO routers as proxy nodes is the most significant recent example. The threat group, attributed to the People's Republic of China, built a botnet of compromised home and small office routers (Netgear, Cisco RV, ASUS) and used this infrastructure as the first hop in their C2 chain targeting US critical infrastructure. Traffic appeared to originate from domestic US IP addresses assigned to residential ISPs, making it indistinguishable from normal outbound traffic without deep analysis of the router firmware compromise.
Domain fronting (T1090.004) uses the infrastructure of major CDN providers (Cloudflare, Amazon CloudFront, Azure CDN) to mask C2 traffic. The TLS SNI extension names a legitimate, trusted domain served by the CDN, while the HTTP Host header inside the encrypted session names the attacker's CDN-hosted backend, and the CDN edge routes on the Host header. A defender who sees only the SNI sees the trusted domain. Most major CDN providers have since blocked mismatched SNI and Host values, but the technique remains relevant wherever a CDN still permits it and the organization does not perform TLS inspection, because TLS inspection is the only place the Host/SNI mismatch becomes visible.
## Web Service (T1102)
Using legitimate cloud platforms as C2 infrastructure turns organizational trust against defenders. If an organization permits outbound traffic to Microsoft Teams, Slack, Discord, GitHub, Google Drive, or Dropbox, it likely has weaker detection coverage on traffic to those platforms, because blocking them would disable legitimate business functions.
T1102 sub-techniques cover dead drop resolvers (T1102.001), where the implant fetches the address of its real C2 server from a post on a legitimate service; bidirectional communication (T1102.002), where the service itself carries tasks and results; and one-way communication (T1102.003), where the service carries traffic in a single direction, such as exfiltration. Attackers post commands to a Slack channel, a private GitHub repository, a Discord server, or a Google Doc, and the implant polls the service for new instructions. Responses are posted to the same or a companion service. The traffic is HTTPS to a well-categorized, trusted domain, passing through most proxy and firewall inspection without triggering alerts.
Specific examples in the threat record include: NOBELIUM (APT29, Cozy Bear), the group behind the SolarWinds compromise, using Dropbox to stage its BoomBox downloader in the 2021 spear-phishing campaign that followed; the same group using Google Drive and OneDrive as C2 channels in 2022; and multiple threat actors using GitHub repositories as dead drops for C2 instructions.
## Communication Through Removable Media (T1092)
For networks that are air-gapped from the internet, physical media (USB drives, SD cards, external hard drives) can serve as the C2 channel. The implant writes data to a removable drive when inserted. An operator with physical access retrieves the drive, reads the data, places new commands on the drive, and reinserts it. This technique is associated primarily with nation-state operations targeting classified government or critical infrastructure environments.
## Beaconing Behavior
Regardless of the protocol used, most C2 frameworks implement a beacon-and-sleep cycle. The implant wakes, checks in with the C2 server, receives and executes tasks, sends results, and sleeps until the next check-in. Detection programs that analyze the timing characteristics of outbound connections can identify this pattern.
Statistical approaches to beacon detection include: frequency domain analysis (consistent interval connections produce detectable spectral peaks), long-tail distribution analysis (legitimate web browsing has a right-skewed connection frequency distribution; beacons cluster at specific intervals), and autocorrelation analysis (beaconing connections correlate with themselves at the lag equal to the beacon interval).
## Detection Data Sources
Proxy and web gateway logs: Every HTTP/HTTPS request should route through a logging web proxy. Critical fields: source IP, destination IP, destination domain, user-agent, bytes sent, bytes received, session duration, response code. The primary beacon signature is a series of short sessions to the same domain at near-regular intervals with near-constant request and response sizes; a single unusually long-lived session (duration above 10 minutes) to one domain is a secondary indicator, typical of an interactive or long-polling channel rather than a sleeping beacon.
DNS query logs: Enable query logging on all recursive resolvers. Ship logs to the SIEM. Alert on: queries with subdomain labels exceeding 40 characters, more than 100 queries per hour to a single external domain from a single host, TXT or NULL record queries to external domains, queries to newly registered domains (less than 30 days old), and domains with no categorization in your proxy/firewall feed.
Firewall and NSG logs: Log all outbound connection attempts including denied connections. Connections to uncategorized IP addresses over ports 80/443 without a corresponding domain resolution event are suspicious. Direct IP connections over HTTPS bypass domain-based filtering.
NetFlow / IPFIX: Where full packet capture is not feasible, NetFlow provides connection metadata (source, destination, port, bytes, packets, duration) at scale. Beacon detection algorithms can run against NetFlow data to identify consistent-interval outbound connections.
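As an added example, not part of the original article: the scorer below runs the interval-based form of beacon detection from the beaconing section over NetFlow-style records of the shape described in this paragraph and the proxy-log paragraph. It implements the interval-regularity approach (median interval with median absolute deviation, which tolerates the jitter frameworks such as Cobalt Strike add and a few missed check-ins) plus request-size consistency; the spectral and autocorrelation methods are not implemented. The record fields, the thresholds, the two hosts and the destination addresses are assumptions.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound connection record as NetFlow/IPFIX or a proxy log would supply it."""
    ts: float        # start time, epoch seconds
    src: str
    dst: str
    dport: int
    bytes_out: int


def _consistency(values):
    """1.0 when every value equals the median, 0.0 (clamped) when the median absolute
    deviation is as large as the median. MAD ignores a few outliers, so a beacon that
    missed a couple of check-ins or was delayed by the host's sleep still scores high."""
    med = statistics.median(values)
    if med <= 0:
        return 0.0
    mad = statistics.median(abs(v - med) for v in values)
    return max(0.0, 1.0 - mad / med)


def score_beacons(flows, min_connections=8):
    """Group flows by (src, dst, dport) and score how beacon-like each pair's timing and
    sizes are. Returns {pair: {"n", "median_interval", "interval_score", "size_score", "score"}}."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.dport)].append(f)
    results = {}
    for pair, fl in groups.items():
        if len(fl) < min_connections:
            continue   # too few samples: a long-sleep implant needs a longer window, not a lower bar
        fl.sort(key=lambda f: f.ts)
        intervals = [b.ts - a.ts for a, b in zip(fl, fl[1:])]
        sizes = [f.bytes_out for f in fl]
        i_score = _consistency(intervals)
        s_score = _consistency(sizes)
        results[pair] = {
            "n": len(fl),
            "median_interval": statistics.median(intervals),
            "interval_score": i_score,
            "size_score": s_score,
            "score": (i_score + s_score) / 2,
        }
    return results


def beacons(flows, threshold=0.8):
    """Pairs whose combined score clears the threshold; tune it against your own baseline."""
    return {p: r for p, r in score_beacons(flows).items() if r["score"] >= threshold}


def sample_flows():
    """Constructed: an implant checking in about every 60 s with roughly 10% jitter and a
    fixed request size, beside a user browsing a site with irregular timing and sizes."""
    t = 1_714_557_600.0   # 2024-05-01T10:00:00Z
    flows = []
    ts = t
    for gap in (0, 60, 63, 57, 61, 59, 64, 56, 60, 62, 58):
        ts += gap
        flows.append(Flow(ts, "10.0.0.5", "203.0.113.10", 443, 412))
    ts = t
    for gap, size in zip((0, 3, 190, 7, 1200, 45, 2, 620, 31, 3300, 12),
                         (1200, 48000, 3100, 900, 27000, 512, 15000, 2200, 64000, 800, 5400)):
        ts += gap
        flows.append(Flow(ts, "10.0.0.7", "198.51.100.20", 443, size))
    return flows


if __name__ == "__main__":
    for pair, r in score_beacons(sample_flows()).items():
        print(pair, {k: round(v, 3) if isinstance(v, float) else v for k, v in r.items()})
```

Two operational notes. The observation window must be several times longer than the longest sleep you want to catch, so a daily check-in needs weeks of flow retention before it reaches min_connections. And a high score only says "machine-regular": software updaters and monitoring agents score just as well, so the pair must be joined against destination reputation, categorization and the process that owns the socket before it becomes an alert.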
Collect TLS handshake metadata (JA3 client fingerprint, JA3S server fingerprint, SNI, certificate issuer, certificate subject, certificate validity period) for all HTTPS connections. Alert on JA3 hashes that match a C2 framework blocklist, such as 72a589da586844d7f0818ce684948eea, the hash that public JA3 lists attribute to Cobalt Strike, and treat a match as a lead to pivot on rather than proof, since legitimate software built on the same TLS stack can share it.
Windows Event Logs:
EDR behavioral indicators: C2 implants frequently inject into other processes, launch from unusual parent processes (an Office application or script host spawning a shell), hollow out legitimate processes, and load DLLs reflectively without writing them to disk. Modern EDR platforms (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint) generate alerts on these behaviors independent of network-layer detection, and the process-to-socket mapping they record is what ties a suspicious network flow back to the binary that produced it.
## Why C2 Detection Matters
C2 is the operational center of every persistent intrusion. Without a working C2 channel, an attacker who successfully achieves initial access cannot issue commands, move laterally, collect credentials, or exfiltrate data. C2 is the nervous system of the attack. Cutting it, or even detecting it, gives defenders a decisive advantage.
Detection of C2 is fundamentally different from detection of initial access. Initial access events tend to be high-signal: a phishing email arrives, an exploit fires, a suspicious login occurs. C2 traffic, by design, is engineered to be low-signal. It hides in normal-looking traffic flows. Detecting it requires statistical analysis, behavioral baselines, and metadata-level inspection rather than signature matching.
The median attacker dwell time (the period between initial compromise and detection) has historically been measured in weeks to months. The Mandiant M-Trends 2024 report recorded a global median dwell time of 10 days, a significant improvement from prior years, but a median hides the long tail, and the intrusions that do the most damage are the ones far above it. Every day that C2 traffic goes undetected is a day the attacker spends collecting credentials, mapping the environment, and staging for their ultimate objective.
The Volt Typhoon case demonstrates the highest-stakes version of this problem. CISA's February 2024 joint advisory (AA24-038A) documented that the group had maintained access to some US critical infrastructure networks for at least five years before discovery. The C2 traffic was routed through compromised SOHO routers and blended with normal network traffic. The dwell time was not 10 days. It was five years. The operational significance of undetected C2 inside power grid, water treatment, and transportation networks is not theoretical.
Organizations that invest in network visibility (full proxy logging, DNS logging, NetFlow collection, TLS metadata inspection) and apply statistical detection on top of that data are the organizations that discover C2 within days rather than years.
## Mapping to CDA Missions
C2 detection is the operational core of TID. The PDI methodology, "See the threat before it sees you," is realized through detection programs specifically designed to identify attacker infrastructure and communication patterns before the attacker completes their mission. Beacon detection, JA3 fingerprinting, DNS anomaly analysis, and C2 infrastructure hunting are not optional components of a mature security program. They are the difference between reactive incident response and proactive threat detection.
TID-B01 (SIEM Deployment and Tuning) is the foundational mission for C2 detection. Network logs, DNS logs, and endpoint telemetry must be centralized and queried before any detection logic can operate. TID-B03 (Threat Intelligence Integration) adds the C2 infrastructure intelligence feeds (known malicious IPs, JA3 blocklists, DGA classifiers) that enable signature-based detection alongside behavioral analysis. TID-H01 (Detection Engineering Program) is where organizations build and maintain the specific detection rules described in this article. TID-H03 (Threat Hunting Program) is the proactive hunt for C2 traffic that detection rules have not yet caught.
Egress filtering is an SPH control delivered through the Autonomous Posture Command (APC) methodology: "Your posture adapts. Your hygiene never sleeps." Organizations that apply default-deny egress policies, allowing only explicitly permitted outbound traffic, eliminate entire categories of C2 technique. Restricting workstations to DNS resolution through internal resolvers only, routing HTTPS through an authenticated proxy with TLS inspection, and blocking outbound traffic to uncategorized domains together reduce the C2 channel surface area dramatically. These are not one-time configurations. APC treats them as continuously enforced posture states that adapt as the threat landscape changes.
SPH-B02 (Endpoint Hardening Standards) and SPH-H01 (Automated Compliance Monitoring) operationalize the egress filtering controls and ensure they remain enforced as infrastructure changes.
Network surface reduction directly limits available C2 protocols. The CSR methodology, "Every surface you expose is a surface we eliminate," applies to inbound attack surfaces. Applied to C2, the principle extends to outbound permitted protocols: every protocol you permit outbound is a protocol an attacker can use as a C2 channel. Organizations that permit arbitrary outbound DNS, unrestricted HTTPS to any destination, and direct connections to cloud APIs from every endpoint have a wide C2 surface. VSD-B03 (Attack Surface Reduction) and VSD-C01 (Continuous Surface Monitoring) are the missions that address this.