Command and Control Infrastructure

Communication channels and infrastructure that let attackers direct compromised systems remotely.

Command and control, often shortened to C2 or C&C, refers to the communication path or infrastructure used to direct compromised systems remotely. In plain language, it is how a malicious operator maintains influence over infected devices, deployed malware, or other unauthorized activity after initial compromise.

Why It Matters

Command-and-control activity matters because it is one of the clearest signs that a compromise may not be isolated or dormant. If a system is maintaining suspicious communication in order to receive external direction, the organization may be dealing with active malicious control rather than a one-time event.

It also matters because disrupting that communication can be an important part of Containment. Even when the full scope is not yet known, reducing the attacker’s ability to direct or update compromised systems can limit harm.

Where It Appears in Real Systems or Security Workflow

Command and control appears in malware analysis, network detection, EDR investigations, egress monitoring, Botnet analysis, and threat hunting. Teams look for unusual outbound communication patterns, strange destinations, repeated beaconing, or other behaviors suggesting a system is receiving remote direction.

Security teams connect C2 detection to Log Correlation, Indicators of Compromise, and Indicators of Attack because suspicious communication patterns often need cross-system context to confirm.

Defensive Actions

  • Correlate endpoint process activity with network destinations.
  • Review whether the destination is rare for the asset, user, or environment.
  • Use egress controls to reduce unnecessary outbound paths.
  • Treat confirmed C2 as a containment trigger while scope is investigated.

Practical Example

A compromised endpoint appears to be making repeated outbound connections on a regular schedule to an external destination that is unusual for its role. Even before the full payload or actor is understood, defenders may treat the pattern as possible command-and-control behavior and prioritize containment.

Common C2 Indicators in Defensive Monitoring

Signal                             | Why it matters
Regular beaconing intervals        | Suggests automated check-ins for instructions
Unusual egress destinations        | Indicates contact with unknown infrastructure
Encrypted traffic to rare domains  | Makes payload inspection harder, elevates suspicion
Protocol misuse                    | Legitimate protocols used in unexpected ways
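As an added example (not part of the original article), the following Python script applies the first two signals above, and the correlation step from the Practical Example, to constructed connection records: it groups outbound connections by host, process and destination, scores how regular the gaps between them are, and flags destinations that only a single host contacts. The log lines, host names, process names and addresses are constructed sample data, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample (not real telemetry): timestamp host process destination
SAMPLE_LOG = """\
2026-04-20T09:00:00 ws-14 updater.exe 203.0.113.50:443
2026-04-20T09:05:01 ws-14 updater.exe 203.0.113.50:443
2026-04-20T09:10:00 ws-14 updater.exe 203.0.113.50:443
2026-04-20T09:14:59 ws-14 updater.exe 203.0.113.50:443
2026-04-20T09:20:00 ws-14 updater.exe 203.0.113.50:443
2026-04-20T09:00:12 ws-14 chrome.exe 198.51.100.7:443
2026-04-20T09:02:00 ws-07 chrome.exe 198.51.100.7:443
2026-04-20T09:45:00 ws-22 chrome.exe 198.51.100.7:443
"""

def parse(log):
    records = []
    for line in log.splitlines():
        ts, host, proc, dest = line.split()
        records.append((datetime.fromisoformat(ts), host, proc, dest))
    return records

def find_beacons(records, min_conns=4, max_cv=0.1):
    """Map (host, process, dest) -> mean gap in seconds for groups whose
    connection timing is regular (cv = stdev/mean of consecutive gaps)."""
    by_key = defaultdict(list)
    for ts, host, proc, dest in records:
        by_key[(host, proc, dest)].append(ts)
    hits = {}
    for key, times in by_key.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) / mean(gaps) <= max_cv:
            hits[key] = round(mean(gaps))
    return hits

def rare_destinations(records, max_hosts=1):
    """Destinations seen from at most max_hosts distinct hosts."""
    hosts = defaultdict(set)
    for _, host, _, dest in records:
        hosts[dest].add(host)
    return {d for d, h in hosts.items() if len(h) <= max_hosts}

def suspected_c2(records):
    """Beaconing groups whose destination is also rare for the environment."""
    rare = rare_destinations(records)
    return {k: g for k, g in find_beacons(records).items() if k[2] in rare}
```

On the sample data the updater process on ws-14 checks in every 300 seconds to an address no other host contacts, which is the combination the Practical Example treats as a containment trigger; the browser traffic is shared across hosts and irregular, so it is not flagged.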

Common Misunderstandings and Close Contrasts

Command and control is not the same as the initial compromise method. The first access might come from phishing, a vulnerability, or a deceptive file. Command and control describes the later communication channel used to maintain influence or coordination.

It is also different from a Botnet. A botnet is the network of compromised devices. Command and control is the mechanism or infrastructure that helps direct them.

Knowledge Check

  1. What does command and control describe? The communication channels used to direct compromised systems.
  2. Why do defenders focus on outbound beaconing? Regular check-ins can indicate a compromised host awaiting instructions.
  3. How is C2 different from initial compromise? Initial compromise is how access is gained, while C2 is how that access is maintained and directed.

Revised on Friday, April 24, 2026