Command-And-Control
Definition
A **C2** (short for **Command and Control**) is the system attackers use to **remotely communicate with and control compromised machines** after they’ve gained access. Think of it as the attacker’s “mission control center.” Once malware is installed on a victim system, it will often “phone home” to a C2 server to:

* Receive commands (e.g., “steal this file,” “move to another system,” “encrypt all documents”)
* Download additional malicious payloads
* Upload stolen data
* Send back status updates about the infected host

C2 infrastructure can take many forms:

* **Dedicated servers** – Often hidden behind VPNs, proxies, or Tor
* **Compromised websites** – Legitimate sites hijacked to act as relay points
* **Cloud services & social media** – Using Dropbox, Google Drive, Twitter, or Slack to blend in with normal traffic
* **Domain Generation Algorithms (DGAs)** – Malware dynamically creates domain names to reach the C2, making blocking harder

Why it matters in investigations:

* C2 traffic is a major detection opportunity: spotting unusual outbound connections can reveal an active intrusion.
* Identifying the C2 can help **attribute the attack** (many threat groups reuse infrastructure).
* Shutting down or blocking the C2 can break the attacker’s control over compromised systems.
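As an added example (not part of this glossary entry), two defender-side heuristics run over a constructed proxy log: flag a client that contacts one host at a near-constant interval (the steady “phone home” rhythm described above) and flag hostnames whose label has the high character entropy typical of DGA-generated names. The log format, sample values and thresholds are assumptions.

```python
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log "<ISO ts> <client_ip> <host>": 10.0.0.5 checks in every ~5 min.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 updates.example.net
2024-05-01T10:00:02 10.0.0.7 cdn.example.org
2024-05-01T10:05:00 10.0.0.5 updates.example.net
2024-05-01T10:07:13 10.0.0.7 mail.example.org
2024-05-01T10:10:01 10.0.0.5 updates.example.net
2024-05-01T10:14:59 10.0.0.5 updates.example.net
2024-05-01T10:20:00 10.0.0.5 updates.example.net
2024-05-01T11:42:30 10.0.0.7 x7kq9zt2mvb4.com
"""

def parse_log(text):
    """Return (datetime, client, host) tuples, one per log line."""
    rows = []
    for line in text.splitlines():
        ts, client, host = line.split()
        rows.append((datetime.fromisoformat(ts), client, host))
    return rows

def find_beacons(rows, min_hits=5, max_jitter=0.05):
    """Return {(client, host): mean gap in s} for pairs contacted >= min_hits
    times at a near-constant interval (coefficient of variation <= max_jitter)."""
    seen = defaultdict(list)
    for ts, client, host in rows:
        seen[(client, host)].append(ts)
    flagged = {}
    for pair, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged[pair] = round(mean, 1)
    return flagged

def label_entropy(host):
    """Shannon entropy (bits/char) of the registrable label; DGA names score high."""
    label = host.split(".")[-2] if "." in host else host
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def suspicious_domains(rows, min_entropy=3.2):
    return sorted({host for _, _, host in rows if label_entropy(host) >= min_entropy})
```

Entropy alone also trips on legitimate CDN or hash-like hostnames, so in practice pair it with an allowlist and look at the beaconing result together with it.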
Examples & Use Cases
Real-world examples:

* **Emotet** used a large network of C2 servers to receive commands and distribute other malware.
* **Cobalt Strike beacons** (used by both red teams and threat actors) connect back to C2 servers to await operator instructions.
* **APT28** has been observed using compromised WordPress sites as C2 relays to avoid suspicion.

Further reading:

* MITRE ATT&CK – Command and Control: [https://attack.mitre.org/tactics/TA0011/](https://attack.mitre.org/tactics/TA0011/)
* CISA – Identifying and Disrupting C2: [https://www.cisa.gov/sites/default/files/publications/C2-Detection-and-Mitigation.pdf](https://www.cisa.gov/sites/default/files/publications/C2-Detection-and-Mitigation.pdf)
* Palo Alto Unit 42 – C2 Techniques and Trends: [https://unit42.paloaltonetworks.com/command-and-control-techniques/](https://unit42.paloaltonetworks.com/command-and-control-techniques/)