A Deep Dive Into Command and Control Operations


In almost every cyber campaign, Command and Control (C2) plays an important role. In this article, we examine the fundamentals of Command and Control (C2) operations, their role in the attack lifecycle, and the tools and techniques attackers use to maintain covert access and evade detection while remotely executing their objectives. While this article attempts to cover a wide breadth of C2 operations, it is hardly exhaustive: developing new C2 techniques is a core priority for attackers. Because of their key role in advanced cyber attacks, it is important to simulate advanced C2 operations in your organization's security assessments. Being able to detect both well-known C2 techniques and novel emerging ones is critical for resilient defensive cyber operations.

What is Command and Control (C2)?

Command and Control (C2) [TA0011] is the stage in the cyber attack lifecycle after initial access, when an attacker remotely communicates with the systems they have compromised. During this stage, attackers want to further their campaign by executing commands, exfiltrating data and scanning the victim's environment for other valuable targets. 

C2 is often conducted covertly over common protocols such as HTTP(S), via DNS tunneling, or through other covert channels and custom protocols. Attackers often try to blend their C2 network traffic in with legitimate activity to evade detection. To achieve C2, attackers typically deploy implants or backdoors that connect back to their own servers. Priorities for C2 systems include stealth, reliability, resilience against takedowns, and adaptability—ensuring uninterrupted control while executing objectives like lateral movement, data theft, or ransomware deployment.

C2 operations seek to:

  • Maintain long-term, covert, unauthorized access to a victim's environment

  • Issue commands to infected devices for execution

  • Scan the victim's IT environment for additional targets

  • Load additional malware or toolkits onto the victim's environment

  • Exfiltrate sensitive data to attacker-controlled systems

  • Orchestrate movement between systems within the victim's network

What is Command, Control, and Communications (C3)?

C3 is short for Command, Control, and Communications. C3 expands on the traditional C2 model by integrating multi-channel communications to coordinate operations more effectively. 

While C2 focuses on the two-way link between an attacker and a victim system—issuing commands and receiving results—C3 incorporates additional layers that can link multiple operators, coordinate dynamically and share intelligence. C3 frameworks are considered more resilient, redundant, and flexible than standard C2 setups.

How Attackers Avoid Detection with Covert C2

To remain effective, attackers ideally want their C2 infrastructure and malware to evade defensive monitoring and to maintain persistence, even across system reboots. Sophisticated APT adversaries employ stealthy techniques to minimize exposure, prevent defenders from finding "Indicators of Compromise" (IoC), and frustrate takedown efforts. Common methods include:

  • Using bulletproof hosting or other sophisticated techniques to avoid law enforcement control

  • Encrypting C2 traffic to prevent deep packet inspection from revealing commands or data

  • Storing malware payloads separately from their C2 server to further obscure links

  • Routinely swapping DNS records (fast-flux) while using the same backend infrastructure

  • Leveraging residential proxies to blend in with normal user traffic and avoid detection

  • Minimizing C2 traffic volume to reduce anomalies

  • Tunneling communications over DNS, HTTPS, or other commonly allowed protocols (even ICMP has been used) to bypass firewalls and Intrusion Detection Systems (IDS)

  • Employing popular public cloud services such as Google Drive, Microsoft OneDrive, or Dropbox to mask malicious network communications
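Two of the evasion methods above leave measurable traces in DNS logs: tunneling shows up as long, high-entropy subdomain labels, and low-volume check-ins show up as near-constant intervals between contacts (beaconing). The detector below is an added example written for this article, not code from the original post; the log lines are constructed, `c2-tunnel.example` is a hypothetical domain, and the "last two labels" rule for the registrable domain is a simplification in place of a public-suffix list.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed DNS query log: (timestamp in seconds, client IP, queried name).
# The five c2-tunnel.example queries carry an encoded chunk and fire once a minute.
_CHUNK = "mfrgg2ltmvxgs3dfmrsws3dvnfwwk4tf"  # constructed base32-looking payload label
DNS_LOG = [
    (0.0, "10.0.0.5", "www.example.com"),
    (7.0, "10.0.0.5", "mail.example.com"),
    (133.0, "10.0.0.5", "cdn.example.com"),
] + [(60.0 * i + j, "10.0.0.5", f"{_CHUNK}{i}.c2-tunnel.example")
     for i, j in ((1, 0.0), (2, 0.1), (3, 0.0), (4, -0.1), (5, 0.0))]

def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-character-repeated string."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def registered_domain(name: str) -> str:
    # Assumption: the last two labels are the registrable domain (no public-suffix list).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def tunnel_like(name: str, min_len: int = 16, min_entropy: float = 3.0) -> bool:
    """Encoded data riding in DNS shows up as a long, high-entropy subdomain label."""
    labels = name.lower().rstrip(".").split(".")[:-2]
    return any(len(l) >= min_len and shannon_entropy(l) >= min_entropy for l in labels)

def is_beaconing(timestamps, min_intervals: int = 4, max_cv: float = 0.1) -> bool:
    """Periodic check-ins have a low coefficient of variation across their intervals."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < min_intervals or mean(gaps) <= 0:
        return False
    return pstdev(gaps) / mean(gaps) <= max_cv

def analyze(log):
    """Aggregate per registrable domain and flag tunnel-like names and beaconing timing."""
    per = defaultdict(lambda: {"queries": 0, "names": set(), "times": [], "tunnel": False})
    for ts, _client, qname in log:
        d = per[registered_domain(qname)]
        d["queries"] += 1
        d["names"].add(qname.lower())
        d["times"].append(ts)
        d["tunnel"] = d["tunnel"] or tunnel_like(qname)
    return {dom: {"queries": d["queries"], "unique_names": len(d["names"]),
                  "tunnel_like": d["tunnel"], "beaconing": is_beaconing(d["times"])}
            for dom, d in per.items()}
```

Real tunnels often use many distinct subdomains per domain, so `unique_names` close to `queries` is a third signal worth alerting on; legitimate CDNs also produce hashed-looking labels, so tune the thresholds against your own baseline before paging anyone.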

What Tools Do Attackers Use for C2?

Attackers rely on a wide range of tools to establish and maintain Command and Control, from simple built-in utilities to advanced commercial and custom frameworks. These tools allow them to remotely control systems, move laterally, and execute their objectives while staying under the radar.

Reverse Shell Applications

Reverse shells are one of the simplest C2 mechanisms. They work by having the compromised host initiate an outbound connection back to the attacker, bypassing inbound firewall restrictions. Tools like netcat (nc) or OpenSSH can quickly establish such shells.
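Because a reverse shell wires the shell's input and output directly to the outbound connection, the host-side tell is a shell process whose stdin and stdout are sockets rather than a terminal or pipe. The checker below is an added example for this article, not code from the original post: `collect_proc_records` reads that state from Linux `/proc`, and `SAMPLE_RECORDS` is a constructed snapshot in the same shape so the logic can be exercised anywhere.

```python
import os

SHELLS = {"sh", "bash", "dash", "zsh", "ash", "ksh"}

# Constructed snapshot of process records: {"pid", "comm", "fds": {fd number: link target}}.
SAMPLE_RECORDS = [
    {"pid": 101, "comm": "bash", "fds": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}},
    {"pid": 202, "comm": "sh",   "fds": {0: "socket:[48113]", 1: "socket:[48113]", 2: "socket:[48113]"}},
    {"pid": 303, "comm": "sshd", "fds": {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"}},
    {"pid": 404, "comm": "bash", "fds": {0: "pipe:[9001]", 1: "pipe:[9001]", 2: "/dev/pts/1"}},
]

def stdio_on_socket(fds: dict) -> bool:
    """True when both stdin (0) and stdout (1) are backed by a socket."""
    return all(fds.get(n, "").startswith("socket:[") for n in (0, 1))

def find_reverse_shells(records) -> list:
    """Return PIDs of shell processes whose standard I/O is a network socket."""
    return [r["pid"] for r in records if r["comm"] in SHELLS and stdio_on_socket(r["fds"])]

def collect_proc_records() -> list:
    """Linux only: build records from /proc/<pid>/comm and fd 0-2 link targets.
    Returns an empty list where /proc is absent; processes that exit mid-scan are skipped."""
    records = []
    if not os.path.isdir("/proc"):
        return records
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            fds = {}
            for n in (0, 1, 2):
                try:
                    fds[n] = os.readlink(f"/proc/{pid}/fd/{n}")
                except OSError:
                    pass  # fd closed or not readable from this context
            records.append({"pid": int(pid), "comm": comm, "fds": fds})
        except OSError:
            continue
    return records

if __name__ == "__main__":
    for pid in find_reverse_shells(collect_proc_records()):
        print(f"shell with socket-backed stdio: pid {pid}")
```

This catches the plain netcat or `/dev/tcp` shape; a shell the attacker has upgraded behind a pseudo-terminal shows a pty on fd 0/1 instead, so pair this check with network egress monitoring rather than relying on it alone.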

Web Shells

A web shell is a malicious segment of code—often in native web languages such as PHP, ASP, or JSP—uploaded to a vulnerable web server, providing attackers with an interface for remote command execution, file management, and C2 operations. Web shells allow persistent access through normal HTTP/S traffic, blending in with legitimate requests.

Hacker Toolkits

Attackers may leverage pre-built C2 frameworks, originally developed for legitimate security testing, to streamline their C2 needs:

  • Cobalt Strike: A commercial red team platform widely repurposed by threat actors; features the Beacon payload with flexible communication channels, stealth profiles, and extensive post-exploitation capabilities.

  • Shellter Elite: A lightweight, script-based toolkit designed for fast deployment and basic remote control.

  • TinyShell: A minimal PHP-based webshell that provides file management, command execution, and upload capabilities through a browser interface.

  • SharPyShell: A C# ASP.NET web shell that offers an interactive PowerShell interface directly from the browser, giving attackers powerful post-exploitation control over Windows-based web servers.

Well-Known Malware Strains

Many infamous and emerging malware families incorporate C2 capabilities to maintain control, deploy additional payloads, and coordinate malicious actions across infected systems. C2 functionality is integral to almost all types of cyber attacks, including ransomware campaigns. Well-known malware strains with C2 capabilities include TrickBot, LockBit, BlackCat/ALPHV, and QakBot (Qbot), among numerous others.

Living Off the Land (LOTL) and Custom Tools

Adversaries may develop custom scripts that leverage common built-in OS tools or pre-installed software—frequently in Python, PowerShell, or Bash—to manage implants, execute payloads, and automate communication with C2 infrastructure. These scripts can be scheduled to execute periodically for simple C2. Devices may even be sold en masse with custom C2 tools built into them at the time of sale.

Conclusion

Command and Control operations remain a cornerstone of modern cyberattacks, enabling persistence, data theft, and coordinated malicious activity. From simple reverse shells to advanced frameworks like Cobalt Strike, attackers employ diverse tools and stealth tactics to evade detection. Understanding C2 techniques—and testing defenses against them—is essential for organizations seeking to build resilient security postures.
