Command & Control

The command and control phase of the cyber kill chain is a critical stage in which attackers establish communication with compromised systems to remotely control them. Once malware is installed during the previous phase, attackers use command and control (C2 or C&C) channels to issue commands, exfiltrate data, and coordinate actions across infected devices. This phase allows cybercriminals to manage their operations, pivot within the network, and sustain a long-term presence, making it a high-priority focus in cybersecurity defense strategies.

C2 infrastructure typically involves a server or network of servers operated by the attacker, which the compromised host contacts for further instructions. Communication between the victim machine and the C2 server is often encrypted or obfuscated to avoid detection by security systems. Threat actors may use various protocols and techniques to build resilient and stealthy C2 channels, including HTTP/S, DNS tunneling, custom TCP protocols, and even social media platforms or legitimate cloud services like Dropbox, Google Drive, and GitHub. These covert communication methods help attackers blend in with normal network traffic, making it harder for traditional security tools to detect the malicious activity.

Tools commonly used in the command and control phase include Cobalt Strike, Metasploit, Empire, and Sliver. Cobalt Strike’s Beacon payload is particularly popular for its advanced C2 capabilities. It supports encrypted communications, data staging, lateral movement, and even Mimikatz integration for credential harvesting. Empire, a post-exploitation framework based on PowerShell, provides stealthy C2 channels with support for obfuscation and in-memory execution. Sliver, a newer open-source C2 platform, has gained popularity among red teams and attackers alike for its flexibility and cross-platform support.

In many real-world cybersecurity incidents, the C2 phase plays a central role in sustaining the attack and executing the threat actor’s objectives. One of the most prominent examples is the 2015 Ukraine power grid attack, in which the BlackEnergy malware family was used to gain access to critical infrastructure. After installation, the malware communicated with C2 servers to receive instructions that ultimately led to the remote shutdown of substations, causing widespread blackouts. This attack highlighted how C2 channels can be used not only for espionage but also for physical disruption.

Another well-known case is the SolarWinds supply chain attack in 2020. After attackers compromised the Orion software and delivered a malicious update, they established C2 communications through HTTP-based channels designed to appear legitimate. The malware, known as SUNBURST, queried the attackers’ servers for additional instructions and payloads, enabling them to conduct reconnaissance and lateral movement across victim networks. The use of domain generation algorithms (DGA) and cloud-based infrastructure helped the attackers maintain persistence and evade detection for months.

Defending against the command and control phase requires a layered approach. Network monitoring and anomaly detection can help identify unusual traffic patterns associated with C2 communications. DNS and HTTP logs should be analyzed for suspicious queries or connections to known malicious domains. Endpoint detection and response (EDR) solutions can detect and block connections initiated by malware and identify behavioral indicators of compromise. Implementing network segmentation and strict egress controls limits an attacker’s ability to communicate with external C2 infrastructure.
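As an added illustration of the DNS log analysis described above (example code written for this page, not taken from any vendor tool), the script below scores a few constructed DNS log lines for two C2 indicators the article names: DGA-like query names, recognised by long high-entropy labels, and beaconing, recognised by unusually regular query spacing. The log format, hosts, domains and thresholds are all constructed assumptions.

```python
"""Added example: flag DGA-like names and beacon-like timing in constructed DNS log lines."""
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample lines (not from a real incident), format "<epoch> <client-ip> <queried-name>".
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com
1700000010 10.0.0.5 xk3jq9v7lm2pz4ra.example.net
1700000020 10.0.0.5 rq8z1l4mw9ak7o3d.example.net
1700000030 10.0.0.5 lm5ca9q2ujr8n7zx.example.net
1700000040 10.0.0.5 d94wt7qmz2lyk1bg.example.net
1700000007 10.0.0.9 mail.example.com
1700000333 10.0.0.9 docs.example.org
"""

def shannon_entropy(label):
    """Bits per character; a random-looking label scores near log2(len(label))."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in (label.count(ch) for ch in set(label)))

def parse_dns_log(text):
    """Yield (timestamp, client, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        ts, client, qname = line.split()
        yield int(ts), client, qname.lower().rstrip(".")

def dga_like(qname, min_len=12, min_entropy=3.5):
    """Heuristic: a long, high-entropy leftmost label suggests an algorithmically generated name."""
    label = qname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def beaconing_clients(events, min_queries=4, max_cv=0.1):
    """Return {client: mean_gap} for clients whose inter-query gaps are too regular."""
    by_client = defaultdict(list)
    for ts, client, _ in events:
        by_client[client].append(ts)
    hits = {}
    for client, times in by_client.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Coefficient of variation near zero means near-constant spacing.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            hits[client] = mean(gaps)
    return hits

def analyze(text):
    """Run both heuristics over a log and return the findings."""
    events = list(parse_dns_log(text))
    return {"dga_like": sorted({q for _, _, q in events if dga_like(q)}),
            "beaconing": beaconing_clients(events)}
```

Both heuristics produce false positives on legitimate traffic (CDN hostnames with hashed labels, scheduled update checks), so in practice their output is a triage signal to correlate with threat intelligence and endpoint telemetry rather than a verdict.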

In summary, the command and control phase of the kill chain is essential for adversaries to manage and expand their attacks. By establishing remote access and issuing commands, attackers maintain control over compromised systems and progress toward their final goals. Tools like Cobalt Strike, Empire, and Sliver are instrumental in building powerful and covert C2 channels. Real-world cyberattacks such as the Ukraine blackout and the SolarWinds breach demonstrate the importance of detecting and disrupting C2 communications to break the kill chain and protect critical systems.