Threat hunting: C2 domain IoCs

  • Home
  • Threat hunting: C2 domain IoCs

What is a Command and Control (C2 or C&C) attack?

When an attacker compromises a system in your network, the attacker can communicate with the infected system (also called a botnet) through a command and control (C2) server.

How does a C2 attack take place?

Initially, an attacker compromises a system by sending a phishing email. The phishing email can contain malicious links or attachments that can install malware in your system when you click on the link or download the attachment. Malware codes, in recent times, are methodically crafted to override antivirus and antimalware software codes. So, there is a huge possibility that your system can be affected in spite of having antivirus or antimalware software in place.

Once compromised, the system will communicate with the C2 server for further instructions. The attackers can now issue commands to the infected system and move laterally in your network to infect other systems. C2 servers interlink all botnets and create a shadow network. This network of botnets can cause serious damage to your network by stealthily monitoring system activities and exfiltrating data from these systems.

Indicators of Compromise (IoCs) for a C2 attack

Here are a few IoCs to look out for if you suspect that your network is undergoing a C2 attack:

  • Huge volumes of HTTP traffic
  • Botnets can use self-signed SSL certificates to encrypt and masquerade the outbound traffic as web traffic when they contact the C2 servers. If there is a sudden spike in the volume of HTTP traffic in your network, ensure you check the systems generating the traffic.

  • Unnecessary applications in systems
  • In C2 attacks, malware can install applications in systems that can increase processor usage. Check your systems for such applications, kill all processes carried out by that application, and uninstall them.

  • Anomalous DNS requests
  • The botnets communicate with the C2 server by sending DNS requests or beacon queries to untrusted domains. Monitoring DNS activities of systems can help identify a C2 attack.

Monitoring your logs efficiently

Your network log data gives you details about malicious activities taking place in your network. Monitoring the logs with the help of threat intelligence feeds can help you identify blacklisted IPs, domains, URLs, and Indicators of Compromise (IoC). You can use a security information and event management (SIEM) solution to correlate activities occurring across your network to identify and block such malicious actors.

Log360 is a SIEM solution that incorporates threat intelligence feeds sourced from trusted platforms such as STIX, TAXII, and AleinVault OTX. It can generate reports for all network activities. It spots malicious actors and IoCs and allows you to configure real-time alerts for them. When there is a breach or an attack, you will be notified via SMS and email just in time to mitigate the threat and prevent an attack. Check out other features of Log360.

Products mentioned on this page:

Recently added chapters


Get the latest content delivered
right to your inbox!


Cyber Security - Knowledge Base


  Zoho Corporation Pvt. Ltd. All rights reserved.