Command and Control Techniques
Definition
Command and Control (C2) is the tactic adversaries use to communicate with systems they have compromised inside a target environment. In MITRE ATT&CK, this is Tactic TA0011. After an attacker gains initial access and establishes a foothold, they need a persistent, covert communication channel back to their own infrastructure. That channel is the C2 channel, and maintaining it is the difference between a one-time intrusion event and an active, persistent threat actor operating inside your network.
C2 is not a single technique. It is a collection of methods for hiding attacker communications inside traffic that defenders treat as normal. The attacker's central challenge is evading detection while maintaining reliable, two-way communication with the compromised host. The defender's challenge mirrors that: identifying attacker traffic inside the enormous volume of legitimate outbound network traffic every organization generates daily.
The techniques in TA0011 range from crude to sophisticated. Older malware used hard-coded IP addresses over non-standard ports, which were trivially detected by firewall rules. Modern C2 frameworks blend with HTTPS, use legitimate cloud platforms, rotate domains through domain generation algorithms, and sleep for hours or days between check-ins to defeat beaconing-based detection. Understanding how these techniques work is prerequisite knowledge for anyone building detection programs, configuring network monitoring, or evaluating whether an organization's network controls would actually catch an active intrusion.
The Predictive Defense Intelligence (PDI) methodology within CDA's TID domain defines beacon detection and C2 infrastructure hunting as core operational competencies. This article maps those competencies to the specific ATT&CK techniques defenders encounter in the wild.
How It Works
C2 over HTTP/HTTPS (T1071.001)
Web protocols are the most common C2 channel because HTTP and HTTPS traffic is universally permitted outbound, inspected least aggressively by many organizations, and generated at enormous volume. Blending malicious C2 traffic with legitimate web browsing is the attacker's primary camouflage strategy.
HTTP-based C2 works by having the implant (the malware on the compromised host) periodically reach out to an attacker-controlled server over port 80 or 443, send task results, and receive new commands in the response. From the network perimeter's perspective, this looks like a browser making web requests, which is why signature-based detection alone is insufficient.
Specific behaviors that characterize HTTP/HTTPS C2:
- User-agent mimicry: implants set their HTTP User-Agent header to match common browsers or known software (Chrome, Firefox, Windows Update, curl). Cobalt Strike's default malleable C2 profiles include pre-configured legitimate-looking user-agent strings. Sliver and Metasploit's Meterpreter do the same.
- Long-lived sessions and keep-alive connections: legitimate browsing involves many short-lived connections. C2 channels often maintain persistent connections to reduce connection establishment frequency.
- Beaconing: the implant connects to the C2 server at regular intervals (the beacon interval) to check for new commands. Beaconing is the behavioral signature that separates C2 from legitimate web traffic. An endpoint making HTTP requests to the same domain every 60 seconds, every hour, or every morning at 0800 is exhibiting beaconing behavior.
- Jitter: sophisticated C2 frameworks add randomization (jitter) to the beacon interval to defeat timing-based detection. A beacon interval of 60 seconds with 30% jitter fires between 42 and 78 seconds, making the pattern less obvious in logs.
HTTPS C2 adds TLS encryption, which prevents payload inspection by inline security tools unless the organization performs TLS inspection. Even without payload inspection, the TLS handshake itself is observable and detectable. JA3 is a method for fingerprinting TLS client behavior based on the specific parameters included in the ClientHello message. JA3S fingerprints the server response. Known C2 frameworks have documented JA3 hashes because their TLS implementations use consistent parameters. Cobalt Strike's default JA3 hash is widely documented. Defenders who collect TLS handshake metadata and compare against JA3 blocklists can identify C2 traffic even when the payload is encrypted.
DNS Tunneling (T1071.004)
DNS tunneling encodes data inside DNS queries and responses, using the DNS protocol as a covert communication channel. DNS is chosen because it is almost universally permitted outbound, even in highly restricted environments, since name resolution is required for basic network function.
The attacker controls a domain and runs a custom DNS server authoritative for that domain. The implant on the compromised host encodes commands or exfiltrated data as subdomains in DNS queries: encoded-data-chunk-1.attacker-controlled-domain.com. The attacker's DNS server decodes the query, responds with encoded data in the DNS response (often in TXT or NULL records), and the implant decodes the response. The exchange looks like DNS resolution to any device observing only whether DNS traffic is occurring.
Detection signatures for DNS tunneling are distinct from other C2 methods:
- High query volume to a single domain or small set of domains: legitimate DNS queries to a domain are infrequent relative to tunneling traffic, which requires many queries to transfer meaningful amounts of data
- Unusually long query names: standard DNS hostnames are short. Tunneled queries encode data in the subdomain label, producing query names that approach or exceed 253 characters
- High entropy subdomains: legitimate subdomains are human-readable words. Base64 or hex-encoded data in subdomains produces high-entropy strings that stand out in statistical analysis
- Rare record types: TXT and NULL record queries are uncommon in normal enterprise DNS traffic. A workstation repeatedly requesting TXT records from an external domain is anomalous
- Queries to newly registered domains or domains with no web presence
DNS Security (DNSSEC) does not prevent DNS tunneling. The appropriate defenses are DNS query logging to a SIEM, recursive DNS resolver filtering (Pi-hole, Cisco Umbrella, NextDNS), and anomaly detection on DNS query volume and entropy.
Encrypted Channels (T1573)
Beyond HTTPS, adversaries use dedicated encryption to protect C2 traffic from inspection. T1573 covers the use of symmetric encryption (T1573.001) and asymmetric encryption (T1573.002) to obscure communications.
Symmetric encryption in C2 typically relies on a shared key embedded in the implant. Cobalt Strike, for example, negotiates a session key during an initial RSA exchange and then protects session traffic with AES-256. Asymmetric encryption is used for that initial key exchange, ensuring that even if traffic is captured, it cannot be decrypted without the private key held by the attacker's server.
Detection approaches for encrypted C2 shift from content inspection to metadata analysis:
- Certificate analysis: self-signed certificates, certificates with generic fields (issuer CN: "Major Inconvenience," a documented Cobalt Strike artifact), certificates issued for IP addresses rather than domain names, and certificates with very short validity periods are all indicators
- Certificate Transparency log monitoring: legitimate HTTPS services use CA-issued certificates that appear in CT logs. Attacker infrastructure sometimes uses certificates that do not appear in CT logs or appear with unusual characteristics
- Traffic to uncategorized or newly registered domains: legitimate enterprise traffic goes to well-categorized domains. C2 traffic frequently targets domains with no categorization history
- Traffic volume and timing patterns: encrypted C2 channels still exhibit the beacon timing behavior described above
Proxy Chains (T1090)
Multi-hop proxy chains route C2 traffic through a series of intermediary systems before reaching the attacker's true infrastructure. Each hop in the chain knows only the previous and next hop, not the full path. This obscures attribution (it is difficult to trace traffic back to the true C2 server) and complicates takedown efforts.
T1090 sub-techniques cover internal proxy (T1090.001), external proxy (T1090.002), multi-hop proxy (T1090.003), and domain fronting (T1090.004).
Volt Typhoon's use of compromised SOHO routers as proxy nodes is the most significant recent example. The threat group, attributed to the People's Republic of China, built a botnet of compromised home and small office routers (Netgear, Cisco RV, ASUS) and used this infrastructure as the first hop in their C2 chain targeting US critical infrastructure. Traffic appeared to originate from domestic US IP addresses assigned to residential ISPs, making it indistinguishable from normal outbound traffic without deep analysis of the router firmware compromise.
Domain fronting (T1090.004) uses the infrastructure of major CDN providers (Cloudflare, Amazon CloudFront, Azure CDN) to mask C2 traffic. The TLS SNI header shows a legitimate, trusted CDN domain while the HTTP Host header routes traffic to the attacker's backend. Most major CDN providers have moved to block domain fronting, but the technique remains relevant against organizations that do not perform TLS inspection.
C2 Through Legitimate Cloud Services (T1102)
Using legitimate cloud platforms as C2 infrastructure turns organizational trust against defenders. If an organization permits outbound traffic to Microsoft Teams, Slack, Discord, GitHub, Google Drive, or Dropbox, it likely has weaker detection coverage on traffic to those platforms, because blocking them would disable legitimate business functions.
T1102 sub-techniques cover web services as a bidirectional communication channel (T1102.002) and for one-way data exfiltration (T1102.001). Attackers post commands to a Slack channel, a private GitHub repository, a Discord server, or a Google Doc, and the implant polls the service for new instructions. Responses are posted to the same or a companion service. The traffic is HTTPS to a well-categorized, trusted domain, passing through most proxy and firewall inspection without triggering alerts.
Specific examples in the threat record include: NOBELIUM (Cozy Bear) using Dropbox for C2 in the SolarWinds campaign; multiple threat actors using GitHub repositories as dead drops for C2 instructions; APT29 using Google Drive and OneDrive as C2 channels.
C2 via Removable Media (T1092)
For networks that are air-gapped from the internet, physical media (USB drives, SD cards, external hard drives) can serve as the C2 channel. The implant writes data to a removable drive when inserted. An operator with physical access retrieves the drive, reads the data, places new commands on the drive, and reinserts it. This technique is associated primarily with nation-state operations targeting classified government or critical infrastructure environments.
Beaconing Patterns and Timing
Regardless of the protocol used, most C2 frameworks implement a beacon-and-sleep cycle. The implant wakes, checks in with the C2 server, receives and executes tasks, sends results, and sleeps until the next check-in. Detection programs that analyze the timing characteristics of outbound connections can identify this pattern.
Statistical approaches to beacon detection include: frequency domain analysis (consistent interval connections produce detectable spectral peaks), long-tail distribution analysis (legitimate web browsing has a right-skewed connection frequency distribution; beacons cluster at specific intervals), and autocorrelation analysis (beaconing connections correlate with themselves at the lag equal to the beacon interval).
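The cadence analysis described in this section, together with the beaconing and jitter bullets under HTTP/HTTPS C2, as an added example that is not part of the original article: it builds a constructed proxy log (one implant checking in every 60 seconds with 30% jitter, one human browsing), groups connections by source and destination, and scores how tightly the inter-connection intervals cluster around their median. Host names, IP addresses, the log line layout and the thresholds are constructed assumptions.

```python
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

def make_constructed_log(seed=7):
    """Constructed proxy log lines (not from any real environment):
    '<ISO timestamp> <src_ip> <dst_domain> <bytes_out> <bytes_in>'."""
    rng = random.Random(seed)
    start = datetime(2024, 1, 15, 8, 0, 0)
    lines = []
    # Implant check-ins: 60 s interval with 30% jitter, i.e. 42..78 s apart.
    t = start
    for _ in range(40):
        lines.append(f"{t.isoformat()} 10.0.0.5 updates.example-cdn.test 312 1024")
        t += timedelta(seconds=rng.uniform(42, 78))
    # Human browsing: short bursts separated by long, irregular pauses.
    t = start
    for _ in range(40):
        lines.append(f"{t.isoformat()} 10.0.0.7 news.example.test "
                     f"{rng.randint(200, 900)} {rng.randint(2000, 90000)}")
        t += timedelta(seconds=rng.choice([1, 2, 3, 5, 120, 600, 1800]) * rng.uniform(0.5, 1.5))
    return sorted(lines)

def parse_proxy_log(lines):
    """Group connection timestamps by (source IP, destination domain)."""
    series = defaultdict(list)
    for line in lines:
        ts, src, dst, _bytes_out, _bytes_in = line.split()
        series[(src, dst)].append(datetime.fromisoformat(ts))
    return series

def _seconds(delta):
    # Accept datetime differences or plain numbers of seconds.
    return delta.total_seconds() if hasattr(delta, "total_seconds") else float(delta)

def beacon_score(timestamps, tolerance=0.35):
    """Median inter-connection interval and the share of intervals within
    +/- tolerance of that median. A jittered beacon still scores near 1.0
    because its jitter stays inside a fixed band; browsing scores far lower."""
    ts = sorted(timestamps)
    gaps = [_seconds(b - a) for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    median = statistics.median(gaps)
    within = sum(1 for g in gaps if abs(g - median) <= tolerance * median)
    return {"connections": len(ts),
            "median_interval_s": round(median, 1),
            "regularity": round(within / len(gaps), 2)}

def find_beacons(lines, min_connections=8, min_regularity=0.8):
    """Return (src, dst, score) for pairs whose cadence looks like beaconing."""
    hits = []
    for (src, dst), stamps in parse_proxy_log(lines).items():
        score = beacon_score(stamps)
        if score and score["connections"] >= min_connections \
                and score["regularity"] >= min_regularity:
            hits.append((src, dst, score))
    return hits

if __name__ == "__main__":
    for src, dst, score in find_beacons(make_constructed_log()):
        print(src, "->", dst, score)
```

The regularity score is deliberately tolerant of jitter: a 30% jitter band is narrower than the +/-35% window, so the implant scores near 1.0 while the browsing host does not.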
Detection
Network Log Sources
Proxy and web gateway logs: Every HTTP/HTTPS request should route through a logging web proxy. Critical fields: source IP, destination IP, destination domain, user-agent, bytes sent, bytes received, session duration, response code. Long-lived sessions (duration above 10 minutes) to the same domain, combined with regular session establishment timing, are the primary beacon signature.
DNS query logs: Enable query logging on all recursive resolvers. Ship logs to the SIEM. Alert on: queries with subdomain labels exceeding 40 characters, more than 100 queries per hour to a single external domain from a single host, TXT or NULL record queries to external domains, queries to newly registered domains (less than 30 days old), and domains with no categorization in your proxy/firewall feed.
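An added example (not from the original article) that applies the DNS tunneling signatures from the T1071.004 section and the DNS query log thresholds above to constructed query log records: label length, subdomain entropy, rare record types and per-hour volume, aggregated per (client, registered domain) pair. The log line format, the entropy cut-off and the two-label registered-domain rule are assumptions; newly registered and uncategorized domains need an external feed and are not scored here.

```python
import math
import random
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Thresholds from the DNS log-source guidance above; the entropy cut-off is an
# assumed starting value to tune against your own baseline.
MAX_LABEL_LEN = 40
MAX_QUERIES_PER_HOUR = 100
RARE_QTYPES = {"TXT", "NULL"}
ENTROPY_THRESHOLD = 3.5  # bits per character

def shannon_entropy(s):
    """Bits per character: dictionary words score ~2-3, hex/base64 chunks ~3.7+."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname):
    """Last two labels. Simplification (no public-suffix list); assumption."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def query_indicators(qtype, qname):
    """Per-query tells: over-long label, high-entropy subdomain, rare record type."""
    labels = qname.rstrip(".").split(".")
    subdomain = "".join(labels[:-2])
    hits = []
    if any(len(label) > MAX_LABEL_LEN for label in labels):
        hits.append("long_label")
    if subdomain and shannon_entropy(subdomain) > ENTROPY_THRESHOLD:
        hits.append("high_entropy_subdomain")
    if qtype.upper() in RARE_QTYPES:
        hits.append("rare_qtype")
    return hits

def analyze_dns_log(lines):
    """Lines: '<ISO timestamp> <client_ip> <qtype> <qname>'. One alert per
    (client, registered domain) pair that trips a per-query or volume rule."""
    pairs = defaultdict(lambda: {"queries": 0, "by_hour": Counter(), "indicators": Counter()})
    for line in lines:
        ts, client, qtype, qname = line.split()
        rec = pairs[(client, registered_domain(qname))]
        rec["queries"] += 1
        rec["by_hour"][datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")] += 1
        rec["indicators"].update(query_indicators(qtype, qname))
    alerts = []
    for (client, domain), rec in pairs.items():
        reasons = sorted(rec["indicators"])
        if max(rec["by_hour"].values()) > MAX_QUERIES_PER_HOUR:
            reasons.append("volume")
        if reasons:
            alerts.append({"client": client, "domain": domain,
                           "queries": rec["queries"], "reasons": reasons})
    return alerts

def make_constructed_dns_log(seed=3):
    """Constructed sample: one client sending 120 TXT queries carrying 48-char hex
    chunks inside one hour, and one client resolving ordinary hostnames."""
    rng = random.Random(seed)
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    lines = []
    for i in range(120):
        chunk = f"{rng.getrandbits(192):048x}"  # 48 hex chars of encoded "data"
        lines.append(f"{(t0 + timedelta(seconds=20 * i)).isoformat()} 10.0.0.5 TXT {chunk}.tunnel-test.example")
    for i in range(30):
        host = rng.choice(["www", "mail", "login"])
        lines.append(f"{(t0 + timedelta(minutes=5 * i)).isoformat()} 10.0.0.7 A {host}.example.test")
    return lines
```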
Firewall and NSG logs: Log all outbound connection attempts including denied connections. Connections to uncategorized IP addresses over ports 80/443 without a corresponding domain resolution event are suspicious. Direct IP connections over HTTPS bypass domain-based filtering.
NetFlow / IPFIX: Where full packet capture is not feasible, NetFlow provides connection metadata (source, destination, port, bytes, packets, duration) at scale. Beacon detection algorithms can run against NetFlow data to identify consistent-interval outbound connections.
TLS/Certificate Inspection
Collect TLS handshake metadata (JA3 client fingerprint, JA3S server fingerprint, SNI, certificate issuer, certificate subject, certificate validity period) for all HTTPS connections. Alert on:
- JA3 hashes matching documented C2 framework fingerprints (Cobalt Strike default: 72a589da586844d7f0818ce684948eea)
- Self-signed certificates on external hosts
- Certificate CN values that do not match the domain being accessed
- Certificates issued to IP addresses
- Certificate validity periods under 30 days (Let's Encrypt automation is common in attacker infrastructure)
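An added example, not from the original article, that turns the JA3 description in the HTTP/HTTPS section and the TLS alert list above into code: it builds the JA3 string and its MD5 from ClientHello parameters (GREASE values removed, as the JA3 reference implementation does) and evaluates constructed handshake-metadata records against the listed conditions. The record layout, the placeholder benign JA3 value and the one-entry blocklist (the documented Cobalt Strike default hash quoted above) are assumptions, and CN matching ignores SAN entries.

```python
import hashlib
from datetime import datetime, timedelta
from ipaddress import ip_address

# GREASE values (RFC 8701): 0x0A0A, 0x1A1A, ... 0xFAFA are dropped before hashing.
GREASE = {(g << 8) | g for g in range(0x0A, 0x100, 0x10)}

# One-entry blocklist for this example: the documented Cobalt Strike default JA3
# hash quoted in the alert list above. Real feeds carry many more entries.
JA3_BLOCKLIST = {"72a589da586844d7f0818ce684948eea": "cobalt_strike_default"}

def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 string: five decimal fields joined by ',', values within a field by '-'."""
    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), field(ciphers), field(extensions),
                     field(curves), field(point_formats)])

def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """The JA3 fingerprint is the MD5 of the JA3 string."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode()).hexdigest()

def cn_matches(cn, host):
    """Exact or single-label wildcard match of certificate CN against the SNI.
    Simplification: SAN entries are not considered (assumption)."""
    if cn.startswith("*."):
        return host.count(".") == cn.count(".") and host.split(".", 1)[-1] == cn[2:]
    return cn == host

def is_ip(value):
    try:
        ip_address(value)
        return True
    except ValueError:
        return False

def tls_alerts(rec):
    """Evaluate one handshake-metadata record against the alert conditions above."""
    alerts = []
    if rec["ja3"] in JA3_BLOCKLIST:
        alerts.append("ja3_blocklist:" + JA3_BLOCKLIST[rec["ja3"]])
    if rec["issuer_cn"] == rec["subject_cn"]:
        alerts.append("self_signed")
    if not cn_matches(rec["subject_cn"], rec["sni"]):
        alerts.append("cn_mismatch")
    if is_ip(rec["subject_cn"]):
        alerts.append("cert_for_ip")
    if rec["not_after"] - rec["not_before"] < timedelta(days=30):
        alerts.append("short_validity")
    return alerts

# Constructed records (not real captures). The benign one carries a placeholder JA3.
BENIGN_RECORD = {
    "ja3": "placeholder-benign-ja3", "sni": "www.example.test",
    "issuer_cn": "Example Issuing CA", "subject_cn": "*.example.test",
    "not_before": datetime(2024, 1, 1), "not_after": datetime(2024, 3, 31),
}
SUSPICIOUS_RECORD = {
    "ja3": "72a589da586844d7f0818ce684948eea", "sni": "",  # direct-to-IP, no SNI
    "issuer_cn": "203.0.113.10", "subject_cn": "203.0.113.10",
    "not_before": datetime(2024, 1, 1), "not_after": datetime(2024, 1, 8),
}
```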
Endpoint-Based Detection
Windows Event Logs:
- Event ID 3 (Sysmon Network Connection): logs outbound TCP/UDP connections with process name and parent process. Filter for network connections from unusual parent processes (lsass.exe, winlogon.exe, svchost.exe with unexpected parent chains).
- Event ID 22 (Sysmon DNS Query): logs DNS queries with the requesting process. Process names that do not typically make DNS queries (mshta.exe, regsvr32.exe, wscript.exe, powershell.exe) making queries to external domains are high-fidelity alerts.
- Event ID 7 (Sysmon Image Load): DLL loading by processes, useful for identifying injected C2 implants.
EDR behavioral indicators: C2 implants frequently exhibit process injection (spawning from unusual parent processes), hollow process creation, and reflective DLL loading. Modern EDR platforms (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint) generate alerts on these behaviors independent of network-layer detection.
Behavioral Indicators
- Outbound connections originating from processes that should not make network connections (Word.exe, Excel.exe, Notepad.exe)
- PowerShell or cmd.exe spawned by Office applications, followed by network connections
- High-frequency connections to a single domain from a single endpoint over multi-hour periods
- Large outbound data transfers (above 10 MB) to a single external destination, particularly to cloud storage services
- Connections to Tor exit nodes or known VPN infrastructure (often used as proxy hops)
- HTTPS connections to domains with high domain generation algorithm (DGA) scores
Why It Matters
C2 is the operational center of every persistent intrusion. Without a working C2 channel, an attacker who successfully achieves initial access cannot issue commands, move laterally, collect credentials, or exfiltrate data. C2 is the nervous system of the attack. Cutting it, or even detecting it, gives defenders a decisive advantage.
Detection of C2 is fundamentally different from detection of initial access. Initial access events tend to be high-signal: a phishing email arrives, an exploit fires, a suspicious login occurs. C2 traffic, by design, is engineered to be low-signal. It hides in normal-looking traffic flows. Detecting it requires statistical analysis, behavioral baselines, and metadata-level inspection rather than signature matching.
The median attacker dwell time (the period between initial compromise and detection) has historically been measured in weeks to months. The Mandiant M-Trends 2024 report recorded a global median dwell time of 10 days, a significant improvement from prior years, but the attack surface remains. Every day that C2 traffic goes undetected is a day the attacker spends collecting credentials, mapping the environment, and staging for their ultimate objective.
The Volt Typhoon case demonstrates the highest-stakes version of this problem. CISA's 2023 advisory documented that the threat group maintained C2 access to US critical infrastructure networks for at least five years before discovery. The C2 traffic was routed through compromised SOHO routers and blended perfectly with normal network traffic. The dwell time was not 10 days. It was five years. The operational significance of undetected C2 inside power grid, water treatment, and transportation networks is not theoretical.
Organizations that invest in network visibility (full proxy logging, DNS logging, NetFlow collection, TLS metadata inspection) and apply statistical detection on top of that data are the organizations that discover C2 within days rather than years.
CDA Perspective
TID: Predictive Defense Intelligence
C2 detection is the operational core of TID. The PDI methodology, "See the threat before it sees you," is realized through detection programs specifically designed to identify attacker infrastructure and communication patterns before the attacker completes their mission. Beacon detection, JA3 fingerprinting, DNS anomaly analysis, and C2 infrastructure hunting are not optional components of a mature security program. They are the difference between reactive incident response and proactive threat detection.
TID-B01 (SIEM Deployment and Tuning) is the foundational mission for C2 detection. Network logs, DNS logs, and endpoint telemetry must be centralized and queried before any detection logic can operate. TID-B03 (Threat Intelligence Integration) adds the C2 infrastructure intelligence feeds (known malicious IPs, JA3 blocklists, DGA classifiers) that enable signature-based detection alongside behavioral analysis. TID-H01 (Detection Engineering Program) is where organizations build and maintain the specific detection rules described in this article. TID-H03 (Threat Hunting Program) is the proactive hunt for C2 traffic that detection rules have not yet caught.
SPH: Autonomous Posture Command
Egress filtering is an SPH control delivered through the Autonomous Posture Command (APC) methodology: "Your posture adapts. Your hygiene never sleeps." Organizations that apply default-deny egress policies, allowing only explicitly permitted outbound traffic, eliminate entire categories of C2 technique. DNS-only outbound for workstations, HTTPS through an authenticated proxy with TLS inspection, and blocking outbound traffic to uncategorized domains together reduce the C2 channel surface area dramatically. These are not one-time configurations. APC treats them as continuously enforced posture states that adapt as the threat landscape changes.
SPH-B02 (Endpoint Hardening Standards) and SPH-H01 (Automated Compliance Monitoring) operationalize the egress filtering controls and ensure they remain enforced as infrastructure changes.
VSD: Continuous Surface Reduction
Network surface reduction directly limits available C2 protocols. The CSR methodology, "Every surface you expose is a surface we eliminate," applies to inbound attack surfaces. Applied to C2, the principle extends to outbound permitted protocols: every protocol you permit outbound is a protocol an attacker can use as a C2 channel. Organizations that permit arbitrary outbound DNS, unrestricted HTTPS to any destination, and direct connections to cloud APIs from every endpoint have a wide C2 surface. VSD-B03 (Attack Surface Reduction) and VSD-C01 (Continuous Surface Monitoring) are the missions that address this.
Key Takeaways
- C2 is Tactic TA0011 in MITRE ATT&CK. It covers all techniques adversaries use to communicate with compromised systems inside a target environment.
- HTTP/HTTPS C2 (T1071.001) is the most common technique. Beacon detection, JA3 fingerprinting, and proxy log analysis are the primary detection approaches.
- DNS tunneling (T1071.004) is detectable through DNS query frequency analysis, subdomain entropy scoring, and rare record type monitoring. DNS logging to a SIEM is a prerequisite.
- Encrypted C2 (T1573) requires certificate metadata analysis and TLS handshake fingerprinting rather than payload inspection.
- Multi-hop proxy chains (T1090) and C2 via legitimate cloud services (T1102) are advanced evasion techniques that require behavioral baselines and contextual analysis to detect.
- Volt Typhoon maintained C2 access to US critical infrastructure for five years using compromised SOHO routers as proxy infrastructure. Dwell time is a direct function of detection capability.
- Network visibility is prerequisite to C2 detection. Organizations without proxy logging, DNS logging, and NetFlow collection cannot run the detection logic described here.
- Detection of C2 requires statistical and behavioral analysis, not just signature matching. Consistent connection intervals, high-entropy subdomains, and anomalous process-to-network relationships are the behavioral tells.
Sources
- MITRE ATT&CK: Command and Control (TA0011). https://attack.mitre.org/tactics/TA0011/
- CISA Advisory AA23-144A: Volt Typhoon Targeting US Critical Infrastructure. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
- Palo Alto Unit 42: Cobalt Strike Threat Report 2023. https://unit42.paloaltonetworks.com/cobalt-strike-malicious-use/
- Recorded Future: DNS Tunneling Survey. https://www.recordedfuture.com/blog/dns-tunneling
- Mandiant: M-Trends 2024 Annual Threat Report. https://www.mandiant.com/m-trends
- Salesforce Engineering: TLS Fingerprinting with JA3 and JA3S. https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967/
- CISA: Understanding and Mitigating Russian State-Sponsored Cyber Threats. https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-011a
Written by Evan Morgan