Glossary
What is C2 (command and control) — the channel attackers use to control a device after a breach
C2 (Command and Control) is the channel a compromised device uses to 'call back' to an attacker's server for commands and data exfiltration; it is the stage after a breach. This entry covers the clues that flag it (beaconing, known-bad destinations) and the defenses (egress control, DNS monitoring, IOC/IOA matching).
"After a breach, how does the attacker keep controlling the device?" That traffic is C2. Here's how it works and how to spot and stop it (no attack tooling or operation details).
Where it sits in the attack flow
C2 isn't the breach itself; it comes after it: (1) the attacker gets in (for example via RCE or a malware infection); (2) the compromised device opens an outbound connection back to the attacker's server; (3) over that channel it receives commands and sends out stolen data.
The important point: the outbound callback traffic in (2) is the chance to detect and cut. Preventing a breach 100% is hard, but there's room to notice and stop it at the exit.
How to spot it (clues)
| Clue | What to look at |
|---|---|
| Beaconing (periodic traffic) | Regular outbound traffic to the same destination at intervals |
| Unfamiliar destinations | Suspicious domains/IPs (match against known-bad = IOCs) |
| Odd DNS | Queries to unfamiliar domains; abnormally heavy DNS |
| Unexpected paths | Outbound traffic over unexpected ports/protocols |
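As an added example (not code from the original page), the following Python sketch implements the first clue in the table, beaconing, over a constructed set of outbound connection records; the host names, addresses and thresholds are assumptions made up for the illustration. It groups connections by source, destination and port, measures how regular the gaps between connections are with a median-based jitter ratio, and flags flows whose gaps barely vary, which tolerates the small random jitter a beacon often adds.

```python
"""Beacon detection over outbound connection records (added example).

Constructed data, not from the page: outbound connections from two hosts.
ws-07 calls one external address roughly every 60 s with a few seconds of
jitter; ws-12 browses one site at irregular times.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: (epoch_seconds, src_host, dst_ip, dst_port)
SAMPLE_CONNECTIONS = [
    (1000, "ws-07", "203.0.113.44", 443),
    (1062, "ws-07", "203.0.113.44", 443),
    (1118, "ws-07", "203.0.113.44", 443),
    (1181, "ws-07", "203.0.113.44", 443),
    (1239, "ws-07", "203.0.113.44", 443),
    (1301, "ws-07", "203.0.113.44", 443),
    (1358, "ws-07", "203.0.113.44", 443),
    (1422, "ws-07", "203.0.113.44", 443),
    (1001, "ws-12", "198.51.100.10", 443),
    (1004, "ws-12", "198.51.100.10", 443),
    (1130, "ws-12", "198.51.100.10", 443),
    (1131, "ws-12", "198.51.100.10", 443),
    (1390, "ws-12", "198.51.100.10", 443),
    (1399, "ws-12", "198.51.100.10", 443),
    (1400, "ws-12", "198.51.100.10", 443),
    (1405, "ws-12", "198.51.100.10", 443),
]

MIN_EVENTS = 6           # too few connections and periodicity cannot be judged
MAX_JITTER_RATIO = 0.25  # assumed threshold; tune per network


def intervals(timestamps):
    """Gaps in seconds between consecutive connections of one flow."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def jitter_ratio(gaps):
    """Regularity measure: median absolute deviation of the gaps divided by
    the median gap. Near 0 means a fixed sleep interval; large means irregular."""
    m = median(gaps)
    if m <= 0:
        return float("inf")
    mad = median(abs(g - m) for g in gaps)
    return mad / m


def find_beacons(connections, min_events=MIN_EVENTS, max_jitter=MAX_JITTER_RATIO):
    """Return {(src, dst, port): (median_gap, jitter_ratio)} for flows that
    look like periodic callbacks."""
    by_flow = defaultdict(list)
    for ts, src, dst, port in connections:
        by_flow[(src, dst, port)].append(ts)
    hits = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_events:
            continue
        gaps = intervals(stamps)
        jr = jitter_ratio(gaps)
        if jr <= max_jitter:
            hits[flow] = (median(gaps), jr)
    return hits


if __name__ == "__main__":
    for (src, dst, port), (period, jr) in find_beacons(SAMPLE_CONNECTIONS).items():
        print(f"possible beacon: {src} -> {dst}:{port} every ~{period:.0f}s "
              f"(jitter ratio {jr:.2f})")
```

Run as-is, the ws-07 flow is reported as a possible beacon at roughly 62 s while ws-12's irregular browsing is not. Caveat: a beacon with large random jitter or a very long sleep interval will not stand out this way, so combine periodicity with destination rarity and the other clues in the table rather than relying on it alone.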
How to defend
- Don't get breached in the first place (foundation): patching, least privilege, MFA
- Constrain the exit (egress filtering): limit outbound traffic to the destinations, ports and protocols that are actually needed
- Monitor DNS and traffic logs for suspicious periodic traffic and unfamiliar destinations
- Match known-bad C2 destinations (IOCs) from threat feeds and block them
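The defenses above as an added example (not the page's own code or any product's configuration): a Python model of a default-deny egress policy combined with a known-bad (IOC) match, run over constructed connection and DNS-log records. The resolver and proxy addresses, the 203.0.113.44 / bad-c2.example indicators and the sample events are assumptions chosen from documentation ranges. The point to take from the output is that a direct outbound connection bypassing the proxy is blocked and logged even though its destination is on no IOC list; that is the 'exit' control catching what the 'entrance' missed.

```python
"""Default-deny egress policy plus known-bad (IOC) matching (added example).

All addresses, names and sample records are constructed for illustration;
the policy is an assumption for the example, not a rule set from the page.
"""
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
INTERNAL_RESOLVER = ipaddress.ip_address("10.0.0.53")  # assumed resolver address
WEB_PROXY = ipaddress.ip_address("10.0.0.8")           # assumed forward proxy
PROXY_PORT = 3128

# Constructed IOC feed entries (documentation IP range, reserved TLD).
IOC_IPS = {ipaddress.ip_address("203.0.113.44")}
IOC_DOMAINS = {"bad-c2.example"}


def matches_ioc_domain(name, ioc_domains=IOC_DOMAINS):
    """True when name equals an IOC domain or is a subdomain of one."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in ioc_domains for i in range(len(labels)))


def egress_decision(dst_ip, dst_port, proto):
    """Evaluate one outbound connection attempt; returns (verdict, reason)."""
    dst = ipaddress.ip_address(dst_ip)
    if dst in IOC_IPS:
        return "block", "known-bad destination (IOC match)"
    if proto == "udp" and dst_port == 53 and dst == INTERNAL_RESOLVER:
        return "allow", "DNS to internal resolver"
    if proto == "tcp" and dst_port == PROXY_PORT and dst == WEB_PROXY:
        return "allow", "web traffic via proxy"
    if dst in INTERNAL_NET:
        return "allow", "internal destination (not egress)"
    # Anything else leaving the network is denied and logged. This is the
    # rule that catches a callback to a destination no feed has listed yet.
    return "block", "default deny: direct outbound not via resolver/proxy"


def audit(connections, dns_queries):
    """Apply the policy to connection records and the IOC list to DNS logs.

    connections: iterable of (src, dst_ip, dst_port, proto)
    dns_queries: iterable of (src, query_name)
    Returns alert strings for everything blocked or matched.
    """
    alerts = []
    for src, dst_ip, dst_port, proto in connections:
        verdict, reason = egress_decision(dst_ip, dst_port, proto)
        if verdict == "block":
            alerts.append(f"EGRESS-DROP {src} -> {dst_ip}:{dst_port}/{proto} ({reason})")
    for src, name in dns_queries:
        if matches_ioc_domain(name):
            alerts.append(f"DNS-IOC {src} queried {name}")
    return alerts


# Constructed records: ws-07 behaves like a compromised host.
SAMPLE_CONNECTIONS = [
    ("ws-07", "10.0.0.53", 53, "udp"),       # normal DNS
    ("ws-07", "10.0.0.8", 3128, "tcp"),      # normal web via proxy
    ("ws-07", "203.0.113.44", 443, "tcp"),   # listed C2 address
    ("ws-07", "198.51.100.77", 443, "tcp"),  # unlisted host, direct HTTPS bypassing proxy
    ("ws-07", "198.51.100.53", 53, "udp"),   # DNS to an external resolver
    ("ws-12", "10.0.0.8", 3128, "tcp"),      # normal
]
SAMPLE_DNS = [
    ("ws-12", "updates.vendor.example"),
    ("ws-07", "x7k2.bad-c2.example"),        # subdomain of a listed domain
]

if __name__ == "__main__":
    for line in audit(SAMPLE_CONNECTIONS, SAMPLE_DNS):
        print(line)
```

The order of the rules matters: the IOC check runs first so a listed address is blocked even if it sits inside an otherwise allowed range, and the default deny sits last so every path not explicitly opened is logged. In a real deployment the equivalent lives in the firewall or proxy rule set and the DNS resolver's logging, and the logged drops feed the monitoring step above.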
This site's view: defend the 'exit,' not just the entrance — and confirming 'no C2' is part of the investigation
The biggest lesson the C2 concept brings is that defense isn't only at the entrance (the breach). Even when perfect prevention is hard, there's room to constrain the exit (outbound traffic) and notice suspicious callbacks. On this site we keep "a design that doesn't get breached (patching, least privilege, MFA)" as the main goal, while also holding egress control and traffic monitoring as a last line. Note that when a breach is suspected, confirming there's no resident C2 (a backdoor or rogue periodic traffic) is a key step — to conclude "the impact was limited," you can't skip checking the exit side.
Read next
- Glossary: What is RCE · What is an IOC · What is an IOA · What is ransomware
FAQ
Q: What is C2 (command and control)?
It's the remote-control channel a compromised device (a PC/server infected with malware or taken over via a vulnerability) uses to 'call back' to an attacker's server — to receive commands and send out stolen data. In the flow of an attack, it's the stage after a breach (e.g. RCE) succeeds, used to keep controlling the device.
Q: How can C2 be spotted?
The key is outbound traffic. An infected device often sends a periodic 'heartbeat' (a beacon) to the attacker's server at regular intervals. Regular periodic traffic to an unusual destination, DNS queries to unfamiliar domains, and outbound traffic over unexpected ports/protocols are clues. You can catch these via traces (IOCs) or behavior (IOAs).
Q: What are the basics of defending against C2?
(1) Don't get breached in the first place (patching, least privilege, MFA); (2) constrain the exit — 'egress filtering' that limits outbound traffic; (3) monitor DNS and traffic logs to notice suspicious periodic traffic or destinations; (4) match known-bad C2 destinations (IOCs) from threat feeds and block them. The key idea: a breach can be stopped not just at the entrance but at the exit.