OSF Offensive Security Fundamentals Cyber Kill Chain Learning Hub
Stage 06

Command and control allows compromised systems to receive instructions and return data.

This page explains how attacker-controlled infrastructure communicates with infected hosts and why outbound network visibility is essential for defenders.

Featured Module Start at Recon
Overview

Communication between compromised hosts and attacker infrastructure

Command and Control, often abbreviated as C2, refers to communication between a compromised system and an external attacker-controlled server. Once established, the attacker can send commands, receive data, and coordinate activity across multiple hosts.

Command and control traffic may use protocols such as HTTP, HTTPS, DNS, or other encrypted channels, often disguised to resemble normal network activity.

How C2 Works

Tasking, response, and coordination

C2 enables a compromised host to receive instructions, upload information, and remain coordinated with attacker objectives over time.

Diagram showing command and control architecture with an attacker server, redirector, encrypted channel, and multiple compromised hosts communicating outward.
Detection Opportunities

Analyze suspicious outbound traffic patterns

Security teams analyze network traffic to identify suspicious beaconing, unusual destinations, protocol misuse, or encrypted channels that do not match expected application behavior.

Dashboard-style graphic showing outbound traffic analysis with beacon timing, suspicious domain lookups, HTTPS anomalies, and DNS tunneling indicators.