Command and Control (C2)
Infrastructure used by attackers to communicate with compromised systems (bots) in their network. C2 servers receive stolen data, send commands to infected machines, and download additional payloads. Modern C2 uses various communication channels including HTTP(S), DNS, social media, and peer-to-peer networks to evade detection. Popular frameworks include Cobalt Strike, Empire, and Metasploit. C2 detection involves monitoring unusual network traffic patterns, beaconing behavior, and domain reputation. Understanding C2 operations is essential for incident response and threat hunting certifications.
Why It Matters
In practice, C2 infrastructure is critical because it represents the lifeline between attackers and their compromised systems, making C2 detection and disruption a primary focus of incident response and threat hunting activities. Organizations that fail to monitor for C2 communications face ongoing data exfiltration, persistent access for attackers, and the risk of being used as staging grounds for attacks against other organizations. Modern C2 frameworks use domain fronting, DNS tunneling, and encrypted communications over legitimate protocols to blend in with normal traffic. Effective C2 detection requires understanding normal network baselines and identifying anomalous communication patterns rather than relying solely on signature-based detection.
Practice this topic
Test your knowledge of Command and Control (C2) concepts with exam-style practice questions.
Related Threats & Attacks terms
Malware
Malicious software designed to damage, disrupt, or gain unauthorized access to computer systems, encompassing a broad category of threats including viruses, worms, trojans, ransomware, spyware, adware, and rootkits. Malware can be delivered through phishing emails, malicious downloads, drive-by downloads, USB drives, or supply chain attacks. Defense strategies include endpoint protection (antivirus/EDR), application whitelisting, user awareness training, and keeping software patched. Malware analysis (static and dynamic) is a specialized skill used in incident response and threat intelligence. Malware types and defenses are fundamental topics in Security+, CEH, and CySA+ certifications.
Ransomware
A type of malware that encrypts a victim's files or locks system access and demands a ransom payment (typically in cryptocurrency) for the decryption key. Modern ransomware attacks often involve double extortion — encrypting data and threatening to leak it publicly. Ransomware-as-a-Service (RaaS) has lowered the barrier for attackers, with groups like LockBit, BlackCat, and Cl0p operating affiliate programs. Prevention includes offline backups, network segmentation, email filtering, endpoint detection, and patch management. Ransomware incident response is a critical topic in CISSP, CySA+, and incident response certifications.
Phishing
A social engineering attack that uses fraudulent emails, text messages (smishing), or phone calls (vishing) to trick users into revealing sensitive information like credentials, financial data, or installing malware. Phishing is the most common initial attack vector, responsible for over 80% of reported security incidents. Variants include spear phishing (targeted), whaling (targeting executives), and business email compromise (BEC). Defenses include email authentication (SPF, DKIM, DMARC), security awareness training, URL filtering, and multi-factor authentication. Phishing recognition is tested in Security+, CEH, and every major cybersecurity certification.
SQL Injection
A code injection technique that exploits vulnerabilities in a web application's database layer by inserting malicious SQL statements into input fields or URL parameters. Successful attacks can extract, modify, or delete database contents, bypass authentication, or execute operating system commands. Types include in-band (UNION-based, error-based), blind (boolean-based, time-based), and out-of-band SQL injection. Prevention requires parameterized queries (prepared statements), input validation, stored procedures, and web application firewalls (WAFs). SQL injection is consistently ranked in the OWASP Top 10 and is heavily tested in CEH, OSCP, and web security certifications.
Cross-Site Scripting (XSS)
A web security vulnerability that allows attackers to inject malicious client-side scripts (usually JavaScript) into web pages viewed by other users, potentially stealing session cookies, credentials, or performing actions on behalf of victims. Three main types exist: Stored XSS (persisted in the database), Reflected XSS (included in the server response from user input), and DOM-based XSS (executed entirely in the browser). Prevention includes output encoding, Content Security Policy (CSP) headers, input validation, and using modern frameworks with built-in XSS protection. XSS is a persistent OWASP Top 10 vulnerability and a core topic in CEH, OSCP, and web application security exams.
DDoS (Distributed Denial of Service)
An attack that overwhelms a target system, service, or network with a flood of traffic from multiple distributed sources (often a botnet), making it unavailable to legitimate users. DDoS attacks operate at different layers: volumetric (bandwidth flooding), protocol (SYN floods, Ping of Death), and application layer (HTTP floods, Slowloris). Mitigation strategies include CDN-based protection (Cloudflare, AWS Shield), rate limiting, traffic scrubbing centers, and anycast routing. DDoS attacks can cause significant financial damage through downtime and are a common threat assessed in Security+, CEH, and CISSP certifications.