Command and Control (C2)
Command and Control (C2) refers to attacker-owned server infrastructure used to communicate with and remotely control compromised systems. This stage of the kill chain runs continuously throughout the operation rather than occurring once.
T1071 – Application layer protocol
As we've already discussed in this book, especially in Chapter 5, Red Team Infrastructure, attackers usually rely on C2 servers to manage their victims and industrialize exploitation. These servers can use existing application-layer protocols such as HTTP, DNS, SMTP, and so on. The technique goes further by embedding the C2 traffic inside what looks like standard activity. A good example of this approach is Malleable C2 (https://github.com/rsmudge/Malleable-C2-Profiles/tree/master/normal), a collection of profiles for the Cobalt Strike C2 that allow the attacker to disguise C2 traffic as fake Amazon or Wikipedia traffic, as fake certificates for OCSP verification, or simply inside DNS traffic,...
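Profiles of this kind make each individual request look like ordinary Amazon or Wikipedia traffic, so content signatures on URIs or headers lose most of their value and the defender's remaining signal is usually the shape of the conversation: a beacon checks in at nearly fixed intervals, while a person browsing does not. The following Python script is an added example, not code from the book or from the Malleable C2 project. It groups constructed proxy log lines by (client, destination host), computes the spread of inter-request intervals, and flags pairs whose timing is suspiciously regular; the log format, the threshold values and the sample addresses are all assumptions made for the illustration.

```python
"""Beacon-interval analysis over constructed proxy log lines.

Hypothetical detection example: flags (client, host) pairs whose request
timing is nearly constant, a property of periodic C2 check-ins that survives
profiles which make every request look like normal web browsing.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic). Assumed line format:
# "<ISO timestamp> <client-ip> <host> <method> <uri>"
# 10.0.0.5 checks in roughly once a minute with the same URI (beacon-like);
# 10.0.0.7 browses assorted pages at irregular times (human-like).
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 www.amazon.com GET /s/ref=nb_sb_noss_1/field-keywords=books
2024-03-01T10:00:58 10.0.0.5 www.amazon.com GET /s/ref=nb_sb_noss_1/field-keywords=books
2024-03-01T10:02:01 10.0.0.5 www.amazon.com GET /s/ref=nb_sb_noss_1/field-keywords=books
2024-03-01T10:03:00 10.0.0.5 www.amazon.com GET /s/ref=nb_sb_noss_1/field-keywords=books
2024-03-01T10:03:59 10.0.0.5 www.amazon.com GET /s/ref=nb_sb_noss_1/field-keywords=books
2024-03-01T10:05:02 10.0.0.5 www.amazon.com GET /s/ref=nb_sb_noss_1/field-keywords=books
2024-03-01T10:00:12 10.0.0.7 en.wikipedia.org GET /wiki/Main_Page
2024-03-01T10:00:15 10.0.0.7 en.wikipedia.org GET /wiki/Python_(programming_language)
2024-03-01T10:07:40 10.0.0.7 en.wikipedia.org GET /wiki/Computer_security
2024-03-01T10:21:03 10.0.0.7 en.wikipedia.org GET /wiki/Malware
2024-03-01T10:22:30 10.0.0.7 en.wikipedia.org GET /wiki/Command_and_control
2024-03-01T10:45:01 10.0.0.7 en.wikipedia.org GET /wiki/HTTP
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, client, host, uri)."""
    ts, client, host, _method, uri = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), client, host, uri


def find_beacons(log_text, min_requests=5, max_cv=0.15):
    """Return (client, host) pairs whose inter-request intervals are regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps between consecutive requests; a low value means near-fixed
    spacing. min_requests avoids scoring pairs with too few samples.
    """
    stamps_by_pair = defaultdict(list)
    uris_by_pair = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, uri = parse_line(line)
        stamps_by_pair[(client, host)].append(ts)
        uris_by_pair[(client, host)].add(uri)

    findings = []
    for (client, host), stamps in stamps_by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests in the same second; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "client": client,
                "host": host,
                "requests": len(stamps),
                "distinct_uris": len(uris_by_pair[(client, host)]),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

On the sample data only the 10.0.0.5 to www.amazon.com pair is reported (six requests, mean gap about 60 s, coefficient of variation under 0.05). The `max_cv` threshold is the tuning knob: operators can add random jitter to the check-in interval, which raises the spread, so in practice the threshold is set from baselines of known-good traffic and combined with other weak signals such as the low `distinct_uris` count, rather than used alone.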