Command and Control in Cyber Kill Chain – Get Familiar With The 6th Stage

Written By Sambita Panigrahy  
Anuraag Singh
Approved By Anuraag Singh 
Published On April 25th, 2023
Reading Time 4 Minutes Reading

This is the continuation of the cyber kill chain framework where we’ll discuss the 6th stage i.e. Command and Control in detail. 

In the earlier posts, we thoroughly talked about the other stages i.e. Reconnaissance, Weaponization, Delivery, Exploitation, & Installation. If adversaries successfully cross these phases and reach the command and control stage then defenders have the last best chance to block their (adversaries’) operation.

What is Command and Control in Cyber Kill Chain?

The command and control step is one of the last stages of the intrusion kill chain framework in which adversaries try to communicate with compromised systems to control them. This is also referred to as the C2 or C&C phase. Largely damaging attacks are executed through DNS & are accomplished through a C2 attack. Cybercriminals can compromise an entire network with a command and control attack. C2 consists of different techniques that adversaries use to interact with the systems under their control within the victim’s network. They usually try to mimic the normal, expected traffic to avoid detection.  As per MITRE ATT&CK framework, there are more than 16 different techniques and numerous sub-techniques adversaries use for cyber command and control attacks.

Command and Control in Cybersecurity – Understand How Attackers Work

To retaliate against the adverse effect at this very stage, it’s important to know how threat actors think and execute their plans. First of all, attackers will try to establish initial support to infect the targeted system. They will try to attain this by;

  • Sending phishing emails to trick users into clicking a link or opening an attachment. By this, they will be able to successfully lead them to a malicious website or execute malicious code.
  • Trying to breach through security loopholes in browser plugins or other malicious software.

Once they compromise the intended target’s system, they will start communication between the infected device and the malicious cyber command and control server. Plus, they will try to blend C2 traffic with other genuine traffic such as HTTP/HTTPS or DNS, to be in stealth mode. command and control in cyber kill chain

After that, they will send signals to the compromised system or server for delivering further commands to infect other devices. First, they’ll search for vulnerabilities in other related systems and through lateral movement start compromising the entire infrastructure. Then, create a botnet to execute coordinated attacks.

End Goal of Attacker in Command and Control Phase

Since the attacker bypassed all the security parameters to reach this stage, they might have some serious goals that they would want to fulfill. First of all, they would attempt to deliver malware through the compromised machine so that they can further trigger the downloading of other malware on related systems. Secondly, when they take control over the entire infrastructure, they would then exfiltrate sensitive data such as company details, financial information, etc of their target. In the cyber world, this activity is often referred to as data theft. Apart from that adversaries’ main aim could be to shut down one or several machines and/or seize the target company’s entire network. Or else, they would try to reboot the infected systems to disrupt the normal business operation. 

How to Take The Control Back to Your Hand?

As per cyber experts – Detection, Mitigation, and Containment are concerns that organizations should have at all stages of the incident response lifecycle. The command and Control in cyber kill chain is the last opportunity for the defender to combat a cyberattack in progress. Though it is one of the final stages, there are certain steps an organization can take to respond to such attacks. Before moving forward with the measures, it’s necessary to keep in mind that if a threat actor is already in your environment then proper containment is a must since insufficient containment could create a hassle.  So, be careful when planning and executing retaliation. Because when threat actors become aware of a company’s remediation efforts have often been observed shifting their strategies to hamper such efforts and maximize damage. Now, let’s come to the countermeasures.

  1. Companies can invest in both antivirus (AV) and end-point detection & response (EDR) tools to maintain the highest level of visibility of their IT environment.
  2. Hire Managed Cybersecurity Service Provider who can help improvise existing security infrastructure and will ensure that the organization is in the best position possible to combat cyberattacks.


Command and control in intrusion kill chain is the 2nd last stage of the framework. At this stage, it may seem it’s too late to stop attackers from doing further damage. But, companies can disrupt cyberattacks in progress and minimize the damage by staying resilient in the face of an active cyberattack and equipping themselves with the appropriate tooling.