One of the most important stages of a cyberattack occurs after an attacker successfully compromises a system. Rather than interacting directly with the victim’s computer, attackers typically establish communication with an external server that allows them to issue commands, download additional tools, or steal sensitive information. This communication is known as Command and Control (C2).

For Security Operations Center (SOC) analysts, detecting Command and Control activity is critical because it often confirms that a system has already been compromised. Fortunately, attackers must usually communicate with external infrastructure at some point during an intrusion, creating opportunities for detection. The MITRE ATT&CK framework documents common C2 techniques, while the NIST Cybersecurity Framework (CSF) recommends continuous monitoring and network visibility to identify suspicious outbound communication.

What Is Command and Control?

Command and Control refers to the communication channel between a compromised system and an attacker-controlled server.

Through this connection, attackers can:

  • Execute remote commands.
  • Download additional malware.
  • Upload stolen information.
  • Receive updated instructions.
  • Maintain long-term access to the compromised endpoint.

Attackers often attempt to make this traffic appear legitimate by using common protocols such as HTTPS or DNS. As a result, identifying C2 traffic requires careful analysis rather than simply blocking all outbound connections.

MITRE ATT&CK and Command and Control

The MITRE ATT&CK framework contains an entire tactic dedicated to Command and Control.

Attackers may use techniques such as T1071 – Application Layer Protocol to communicate over HTTP, HTTPS, or other commonly allowed protocols. Because these protocols are widely used for normal business operations, malicious traffic can easily blend into legitimate network activity.

Analysts should pay attention to unusual communication patterns, including:

  • Connections to previously unseen domains.
  • Regular outbound connections occurring at fixed intervals.
  • Communication immediately following suspicious process execution.
  • External connections initiated by unexpected applications.

Although none of these indicators confirm malicious activity on their own, they become much more significant when correlated with endpoint and authentication events.

NIST Recommendations

The NIST Cybersecurity Framework emphasizes continuous monitoring of network activity and centralized logging.

Organizations should collect firewall logs, DNS records, proxy logs, endpoint telemetry, and authentication events to provide analysts with a complete picture of network behavior.

Network segmentation also helps reduce risk by limiting which systems can communicate with external networks. Critical servers that do not require Internet access should be restricted whenever possible.

NIST further recommends maintaining incident response procedures so analysts can quickly isolate compromised systems if suspicious outbound communication is confirmed.

Investigation Tips

When investigating possible Command and Control activity, SOC analysts should ask questions such as:

  • Which process initiated the network connection?
  • Is the destination domain or IP address known and trusted?
  • Has this endpoint communicated with the destination previously?
  • Did suspicious authentication or PowerShell activity occur beforehand?
  • Are other endpoints communicating with the same destination?

Answering these questions helps analysts determine whether the communication represents normal application behavior or an active compromise.

Correlating network traffic with Windows Security Events, EDR telemetry, and DNS logs significantly improves investigation accuracy.

Conclusion

Command and Control is a critical stage of many cyberattacks because it allows attackers to maintain communication with compromised systems and continue their operations. While attackers frequently disguise C2 traffic as normal web communication, careful analysis of outbound connections, endpoint activity, and authentication events can reveal suspicious behavior.

By understanding the Command and Control tactics documented in the MITRE ATT&CK framework and applying the monitoring recommendations of the NIST Cybersecurity Framework, SOC analysts can improve their ability to detect compromised systems before attackers achieve their ultimate objectives. Effective cybersecurity depends not only on protecting systems from attack but also on recognizing when a compromised device begins communicating with an external adversary.