C2 Networks: The Invisible Threat in Your Infrastructure

Authors

  • Guram Donadze, Department of Computer Science, Faculty of Exact and Natural Sciences, I. Javakhishvili Tbilisi State University, Tbilisi, Georgia
  • Viktor Zakaraia, Department of Computer Science, Faculty of Exact and Natural Sciences, I. Javakhishvili Tbilisi State University, Tbilisi, Georgia

DOI:

https://doi.org/10.32628/CSEIT25111794

Abstract

Command-and-control (C2) networks are a serious and frequently overlooked threat in modern enterprises. Attackers use them to maintain persistence, exfiltrate data, and coordinate further activity while avoiding detection. This paper examines C2 architectures and their evolution from simple centralized servers to covert channels that rely on encryption, DNS tunneling, and legitimate cloud services. We review widely used C2 frameworks, including Cobalt Strike, Empire, Sliver, and Mythic, and explain how they operate and evade detection. We also survey detection approaches, comparing traditional signature-based methods with newer anomaly-based and machine-learning techniques for identifying covert C2 communication. To support the discussion, we built a lab environment that reproduces real-world C2 scenarios, capturing and analysing network traffic to identify features useful for detection. The findings show that conventional intrusion detection systems perform poorly against encrypted C2 channels, which underlines the need for behavioural and AI-assisted detection methods. This research improves understanding of C2 network threats and offers practical guidance for security practitioners seeking to strengthen organisational defences against these hidden but common threats.
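The abstract's central finding is that payload signatures fail once the C2 channel is encrypted, so detection has to lean on features that survive encryption. The following Python sketch is an added example, not code from the paper or from its lab; it shows two such features on constructed records: the timing regularity of a beacon (median inter-arrival gap and relative jitter per source/destination pair, in the spirit of a Zeek conn.log) and the entropy of the leftmost DNS label as a tunneling indicator. Hostnames, addresses, sleep interval, and thresholds (`min_conns`, `max_jitter`, `min_len`, `min_entropy`) are all assumptions chosen for the illustration.

```python
"""Behavioural C2 indicators computed over constructed flow and DNS records.

Added example, not code from the paper or its lab: it demonstrates two
encryption-agnostic features of the kind the abstract points to, connection
timing regularity (beaconing) and high-entropy DNS labels (tunneling).
All sample data below is constructed, not captured traffic.
"""
import math
import random
from collections import Counter, defaultdict
from statistics import median


def build_sample_flows(seed=7):
    """Constructed Zeek conn.log-style records: (ts, src, dst, dport).

    10.0.0.5 beacons to 203.0.113.10:443 every 60 s with +/-10 % jitter;
    10.0.0.7 talks to 198.51.100.20:443 at exponentially distributed gaps.
    """
    rng = random.Random(seed)
    flows = []
    t = 0.0
    for _ in range(40):
        t += 60 * (1 + rng.uniform(-0.1, 0.1))
        flows.append((t, "10.0.0.5", "203.0.113.10", 443))
    t = 0.0
    for _ in range(40):
        t += rng.expovariate(1 / 45)  # mean 45 s, but highly variable
        flows.append((t, "10.0.0.7", "198.51.100.20", 443))
    return sorted(flows)


def beacon_scores(flows, min_conns=10):
    """Per (src, dst, dport): connection count, median inter-arrival gap and
    relative jitter (median absolute deviation / median). Robust statistics
    are used so a few missed or retried check-ins do not mask the period."""
    times = defaultdict(list)
    for ts, src, dst, dport in flows:
        times[(src, dst, dport)].append(ts)
    scores = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_conns:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        med = median(gaps)
        mad = median(abs(g - med) for g in gaps)
        scores[key] = {
            "count": len(ts_list),
            "median_gap": med,
            "jitter": mad / med if med > 0 else float("inf"),
        }
    return scores


def flag_beacons(scores, max_jitter=0.2):
    """Return the (src, dst, dport) keys whose timing is regular enough to
    look like a configured sleep with small jitter."""
    return sorted(k for k, s in scores.items() if s["jitter"] <= max_jitter)


# Constructed query names: ordinary lookups, one long but repetitive label,
# and two tunnel-style names carrying base32-looking payload.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "cdn.example.net",
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com",
    "mfrggzdfmztwq2lknnwg23tpobyxe43uor4hk.t.example-tunnel.test",
    "gezdgnbvgy3tqojqgezdgnbvgy3tqojqgezdgnbv.t.example-tunnel.test",
]


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def suspicious_dns(names, min_len=30, min_entropy=3.0):
    """Flag names whose leftmost label is both long and high-entropy; length
    alone is not enough, as the repetitive 'aaaa...' label shows."""
    flagged = []
    for name in names:
        first = name.split(".")[0]
        if len(first) >= min_len and label_entropy(first) >= min_entropy:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    scores = beacon_scores(build_sample_flows())
    for key in flag_beacons(scores):
        s = scores[key]
        print(f"beacon candidate {key}: n={s['count']} "
              f"median_gap={s['median_gap']:.1f}s jitter={s['jitter']:.2f}")
    for name in suspicious_dns(SAMPLE_QUERIES):
        print(f"dns tunnel candidate: {name}")
```

Neither detector looks at packet contents, so TLS or any other encryption of the channel does not blunt them; the trade-off is that a beacon configured with large jitter, or a tunnel that keeps labels short, slips under these particular thresholds, which is why such heuristics are normally combined with volume, destination-reputation and endpoint telemetry rather than used alone.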




Published: 6 September 2025

Section: Research Articles

How to Cite

Guram Donadze and Viktor Zakaraia, “C2 Networks: The Invisible Threat in Your Infrastructure”, Int. J. Sci. Res. Comput. Sci. Eng. Inf. Technol., vol. 11, no. 5, pp. 15–27, Sep. 2025, doi: 10.32628/CSEIT25111794.