What is command and control in MITRE ATT&CK?

Command and Control (C2) is a tactic in the MITRE ATT&CK framework (TA0011) that describes how adversaries communicate with systems they have compromised within a victim's network. C2 channels serve as the attacker's remote control mechanism: every instruction to move laterally, collect data, escalate privileges, or deploy ransomware flows through the C2 channel. Without C2, an attacker loses the ability to direct their intrusion.

C2 detection is one of the most valuable detection categories for security operations teams because every active intrusion requires a C2 channel. While attackers can vary their initial access method, credential theft technique, or lateral movement approach, they always need a way to communicate with compromised systems. The CrowdStrike 2025 Global Threat Report found that 100% of interactive intrusions maintained at least one C2 channel, and the average intrusion used 2.4 distinct C2 methods for redundancy.

The challenge of C2 detection is that modern C2 frameworks are specifically designed to blend with legitimate traffic. Tools like Cobalt Strike, Sliver, Brute Ratel C4, and Havoc use encrypted HTTPS, domain fronting, legitimate cloud services, and traffic shaping to make C2 communications indistinguishable from normal web browsing. Despite this sophistication, C2 traffic leaves detectable patterns in network metadata - connection timing, certificate characteristics, domain reputation, and traffic volume ratios.

Key insight: Cutting the C2 channel immediately halts an active intrusion. Unlike detection of other tactics (where the attacker may have already achieved their objective), severing C2 prevents the attacker from issuing further commands, collecting additional data, or deploying ransomware. Every minute of C2 connectivity represents continued attacker control. Organizations that detect and block C2 within 24 hours of initial compromise reduce breach impact by 73% (Mandiant M-Trends 2025).

This guide covers the four C2 techniques that represent the highest detection priority - Encrypted Channel (T1573), Application Layer Protocol (T1071), Proxy (T1090), and Non-Standard Port (T1571) - and demonstrates how to build comprehensive detection using ManageEngine Log360 and its 85 prebuilt C2 detection rules.

Why C2 detection is critical

Command and Control is the attacker's lifeline throughout an intrusion. Without it, the attacker cannot:

  • Issue commands - Every lateral movement step, credential dump, and collection operation requires instructions from the operator. No C2 means no new attack activity.
  • Receive stolen data - Collected data must be exfiltrated through the C2 channel or a secondary channel coordinated through C2.
  • Deploy ransomware - Ransomware deployment requires real-time operator control to ensure simultaneous execution across all targets. C2 loss prevents coordinated deployment.
  • Maintain access - While persistence mechanisms provide a way back in, active operations require real-time C2. Blocking C2 forces the attacker to re-establish access from scratch.

The C2 lifecycle

Phase | What happens | Detection opportunity
--- | --- | ---
Implant callback | Compromised host initiates first connection to C2 server | New outbound connection to uncategorized domain/IP
Beaconing | Regular check-in at configured intervals (30s to 24h) | Periodic connection patterns in firewall/proxy logs
Task retrieval | Implant downloads commands and additional tools | Payload size anomalies, unusual download patterns
Data return | Stolen data uploaded to C2 or exfil channel | Large outbound transfers, asymmetric traffic ratios
Sleep/dormancy | Implant reduces activity to avoid detection | Resumption of beaconing after long silence

The Mandiant M-Trends 2025 report found that average attacker dwell time is now 10 days. Throughout this entire period, C2 channels are active, creating 10 days of detectable network patterns. Organizations with effective C2 detection reduce dwell time to under 48 hours on average.

C2 techniques in MITRE ATT&CK

MITRE ATT&CK catalogs 16 techniques under Command and Control. Four of these account for the vast majority of real-world C2 implementations and provide the strongest SIEM detection opportunities.

Technique ID | Technique name | How it works | Log360 rules | Prevalence
--- | --- | --- | --- | ---
T1573 | Encrypted Channel | TLS/SSL encryption hides C2 content from inspection | 18 | Used in 95%+ of C2 implementations (SANS)
T1071 | Application Layer Protocol | C2 over HTTP/S, DNS, or mail protocols | 22 | HTTP/S C2 in 80%+ of malware families
T1090 | Proxy | Route C2 through intermediaries to hide true destination | 14 | Domain fronting and CDN abuse by APT groups
T1571 | Non-Standard Port | C2 on unexpected ports to avoid basic filtering | 9 | Common in commodity malware and initial implants

Understanding C2 architecture

Direct C2

The compromised host connects directly to attacker-controlled infrastructure. Simple to implement but easier to detect and attribute. Blocking the C2 IP immediately severs the connection.

Redirected C2

Traffic passes through redirector servers (cloud VMs, compromised hosts) before reaching the operator. Multiple redirectors provide redundancy - blocking one does not sever C2 if others remain active.

Domain fronting

C2 traffic appears to connect to a legitimate CDN domain but is routed to attacker infrastructure through CDN backend routing. Extremely difficult to detect at the network level without TLS inspection.

Protocol tunneling

C2 commands are embedded within legitimate protocol traffic (DNS queries, ICMP packets, HTTPS POST bodies). Detection requires deep protocol analysis and behavioral profiling.


ManageEngine Log360 for C2 detection

Log360 provides 85 prebuilt detection rules mapped to MITRE ATT&CK Command and Control (TA0011). Detect encrypted channels, DNS tunneling, beaconing patterns, proxy abuse, and non-standard port usage across firewall, proxy, and DNS logs with real-time alerts and behavioral analytics.

How C2 attacks work: real-world scenarios

Scenario 1: Cobalt Strike HTTPS beaconing (T1573 + T1071)

An attacker deploys a Cobalt Strike beacon via phishing. The beacon connects to the C2 server over HTTPS port 443, blending with legitimate web traffic. The beacon checks in every 60 seconds with 20% jitter, making the interval appear random (48-72 seconds).

What Log360 detects

  • Beaconing pattern analysis - Log360 analyzes firewall connection logs for periodic outbound connections to the same destination, identifying the underlying beacon interval despite jitter.
  • Self-signed TLS certificate - The C2 server's TLS certificate is self-signed or issued by an uncommon CA. Log360 flags connections to servers with suspicious certificate properties.
  • Low-reputation domain - The C2 domain was recently registered and has no historical traffic. Log360 correlates with threat intelligence feeds to flag connections to newly observed domains.
  • JA3/JA3S fingerprint - The TLS client hello from the beacon has a known Cobalt Strike JA3 fingerprint, matched against Log360's threat intelligence.
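The jitter-tolerant interval analysis described above, as an added example that is not Log360's own code: a small Python detector over a constructed firewall connection log (timestamps, addresses and ports are made up) that groups connections by source, destination and port and flags flows whose inter-connection intervals cluster around one median value, which survives jitter where exact-period matching does not.

```python
from collections import defaultdict
from statistics import median

# Constructed sample firewall log (not real data): "epoch_seconds src_ip dst_ip dst_port".
# 10.0.0.5 beacons to 203.0.113.10:443 roughly every 60 s with jitter (48-72 s);
# 10.0.0.7 browses 198.51.100.20:443 at irregular, bursty intervals.
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.10 443
1055 10.0.0.5 203.0.113.10 443
1118 10.0.0.5 203.0.113.10 443
1170 10.0.0.5 203.0.113.10 443
1230 10.0.0.5 203.0.113.10 443
1282 10.0.0.5 203.0.113.10 443
1340 10.0.0.5 203.0.113.10 443
1398 10.0.0.5 203.0.113.10 443
1000 10.0.0.7 198.51.100.20 443
1012 10.0.0.7 198.51.100.20 443
1015 10.0.0.7 198.51.100.20 443
1140 10.0.0.7 198.51.100.20 443
1141 10.0.0.7 198.51.100.20 443
1400 10.0.0.7 198.51.100.20 443
"""

def parse_log(text):
    """Group connection timestamps by (src, dst, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(int(ts))
    return flows

def find_beacons(flows, min_conns=6, tolerance=0.25, min_fraction=0.8):
    """Flag flows whose inter-connection intervals cluster around one median.
    Jitter spreads intervals around the base sleep rather than destroying the
    pattern, so count intervals within +/-tolerance of the median instead of
    requiring exact periodicity. Returns {(src, dst, port): interval_seconds}."""
    hits = {}
    for key, stamps in flows.items():
        if len(stamps) < min_conns:
            continue
        stamps = sorted(stamps)
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        m = median(intervals)
        close = sum(1 for i in intervals if abs(i - m) <= tolerance * m)
        if m > 0 and close / len(intervals) >= min_fraction:
            hits[key] = m
    return hits
```

Thresholds such as `min_conns` and `tolerance` are tuning assumptions; a production rule would also suppress known-good destinations (update servers, SaaS endpoints) that legitimately poll on a fixed schedule.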

Scenario 2: DNS tunneling for data exfiltration (T1071.004)

An attacker uses iodine or dnscat2 to tunnel C2 communications through DNS queries. Each DNS query encodes a small amount of C2 data in the subdomain label, and responses carry commands in TXT records. Because DNS is rarely blocked, this provides a reliable covert channel.

What Log360 detects

  • High DNS query volume to single domain - Normal hosts make few queries per minute; DNS tunneling generates hundreds to thousands of queries to the tunnel domain.
  • Long subdomain labels - Base64-encoded data in subdomain labels creates unusually long DNS queries (50+ characters vs. normal 10-20).
  • TXT record query anomaly - TXT queries to non-standard domains are uncommon in normal operations and strongly indicate DNS tunneling.
  • Entropy analysis - The subdomain labels have high Shannon entropy (appearing random), unlike normal human-readable domain names.
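An added example, not Log360's own detection logic, that scores each client/domain pair on the four indicators above (query volume, label length, TXT usage, Shannon entropy) over a constructed DNS log; the client addresses, domain names, thresholds and the crude last-two-labels registered-domain split are all assumptions. It also shows the edge case of a high-volume but benign domain that should not be flagged on volume alone.

```python
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(s):
    """Bits per character; encoded data scores far above readable labels."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def build_sample_log():
    """Constructed DNS log (not real data): list of (client_ip, qtype, qname).
    10.0.0.5 sends 120 TXT queries carrying 52-char hex chunks under tun.example;
    10.0.0.7 sends many short A queries to a CDN (high volume but benign)."""
    log = []
    for i in range(120):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:52]
        log.append(("10.0.0.5", "TXT", f"{chunk}.tun.example"))
    for _ in range(60):
        log.append(("10.0.0.7", "A", "cdn.example.net"))
    log += [("10.0.0.7", "A", "www.example.com"), ("10.0.0.7", "A", "mail.example.org")]
    return log

def detect_tunneling(log, min_queries=50, min_label_len=30, min_entropy=3.0, txt_ratio=0.5):
    """Score each (client, registered domain) on volume, subdomain length, TXT
    share and entropy; two or more indicators => flagged.
    Returns {(client, domain): [indicator names]} for flagged pairs."""
    groups = defaultdict(list)
    for client, qtype, qname in log:
        labels = qname.rstrip(".").split(".")
        domain = ".".join(labels[-2:])      # crude registered-domain approximation
        sub = ".".join(labels[:-2])         # the part a tunnel uses to carry data
        groups[(client, domain)].append((qtype, sub))
    flagged = {}
    for key, qs in groups.items():
        n = len(qs)
        hits = []
        if n >= min_queries:
            hits.append("volume")
        if sum(len(s) for _, s in qs) / n >= min_label_len:
            hits.append("long_labels")
        if sum(1 for t, _ in qs if t == "TXT") / n >= txt_ratio:
            hits.append("txt_queries")
        if sum(shannon_entropy(s) for _, s in qs) / n >= min_entropy:
            hits.append("high_entropy")
        if len(hits) >= 2:
            flagged[key] = hits
    return flagged
```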

Building a C2 detection strategy with Log360

Critical log sources

  • Firewall connection logs - Source/destination IP, port, protocol, bytes sent/received, connection duration, and session count. Essential for beaconing detection and non-standard port identification.
  • DNS query logs - Full query string, response type, query frequency, and client IP. Critical for DNS tunneling and DGA detection.
  • Web proxy logs - Full URL, user agent, HTTP method, response code, TLS certificate details, and traffic volume. Enables detection of HTTP-based C2 and domain fronting.
  • TLS inspection logs - Certificate issuer, validity, subject alternative names (SANs), and JA3/JA3S fingerprints. Detects self-signed certificates and known C2 framework fingerprints.
  • NetFlow/IPFIX - Connection metadata at scale for beaconing analysis when full packet capture is not available.

Detection approach by layer

Layer | What it catches | Log360 capability
--- | --- | ---
Signature-based | Known C2 framework fingerprints (JA3, user agents, URI patterns) | Threat intelligence correlation with 85 prebuilt rules
Behavioral (beaconing) | Periodic callback patterns regardless of C2 framework | Statistical analysis of connection timing and frequency
Anomaly-based | New destinations, unusual protocols, unexpected traffic patterns | UEBA baselines per host and per network segment
Reputation-based | Connections to known-bad IPs, newly registered domains, bulletproof hosting | Real-time threat intelligence feed integration

Investigation and response

When a C2 alert fires

  • Validate the C2 indicator - Confirm the destination is not a legitimate service. Check domain registration, certificate details, historical traffic, and threat intelligence lookups.
  • Identify all affected hosts - Query for other hosts connecting to the same C2 destination. Multiple hosts indicate the attacker has already moved laterally.
  • Determine the C2 framework - Identify whether it is Cobalt Strike, Sliver, Brute Ratel, or commodity malware based on traffic patterns, JA3 fingerprints, and URI structures.
  • Assess what occurred over C2 - Review endpoint logs for the compromised host to determine what commands were executed, what data was collected, and whether lateral movement occurred.
  • Block and isolate - Add the C2 destination to firewall block lists, isolate the compromised endpoint from the network, and search for persistence mechanisms the attacker may have deployed.
  • Hunt for additional C2 - Attackers often deploy multiple C2 channels for redundancy. Search for other unusual outbound connections from the compromised host and from hosts it touched during lateral movement.

Prevention

  • Deploy TLS inspection - Inspect outbound HTTPS traffic at the proxy to analyze certificate properties, detect self-signed certificates, and identify known C2 framework patterns hidden within encrypted channels.
  • Restrict outbound DNS - Force all DNS queries through internal resolvers and block direct DNS to the internet. Monitor internal DNS for tunneling indicators.
  • Block uncategorized domains - Use web proxy policies to block access to newly registered or uncategorized domains. Most C2 infrastructure uses domains less than 30 days old.
  • Implement application-aware firewalling - Use next-gen firewall capabilities to identify protocol mismatches (e.g., non-HTTP traffic on port 443) that indicate C2 channel abuse.
  • Network segmentation - Segment internal networks so compromised workstations cannot reach sensitive servers directly. Force traffic through choke points where inspection rules apply.
  • Endpoint detection - Deploy EDR to detect C2 implant processes on endpoints, complementing network-based detection with host-level visibility.


FAQ

What is command and control in MITRE ATT&CK?

Command and control describes how adversaries communicate with compromised systems. C2 channels are used to issue commands, receive data, and maintain control. Every active intrusion requires at least one C2 channel.

How do I detect C2 beaconing?

Detect beaconing by analyzing firewall logs for periodic outbound connections to the same destination. Look for consistent intervals (even with jitter), connections to uncommon domains, unusual TLS certificates, and asymmetric traffic ratios. Log360 provides behavioral analytics for automated beaconing detection.

What is DNS tunneling and how do I detect it?

DNS tunneling encodes data in DNS queries to communicate covertly. Detect it by monitoring for high query volumes to single domains, unusually long subdomain labels, TXT record queries to uncommon domains, and high entropy in query strings.

How many C2 detection rules does Log360 have?

Log360 provides 85 prebuilt rules for TA0011, including 18 for Encrypted Channel (T1573), 22 for Application Layer Protocol (T1071), 14 for Proxy (T1090), and 9 for Non-Standard Port (T1571).

What log sources do I need for C2 detection?

Essential sources: firewall connection logs, DNS query logs, web proxy logs, TLS inspection output, and NetFlow/IPFIX data. Log360 correlates across all these to detect C2 patterns.

What should I do when C2 is detected?

Block the C2 destination at the firewall, isolate the compromised host, identify all other hosts communicating with the same C2, check for lateral movement and data collection, hunt for backup C2 channels, and deploy containment before the attacker can react.

