How NDR Detects Command-and-Control Traffic

14 minutes read
Overview Icon

Why is DNS important for C2 traffic detection?

DNS is important because attackers often use it for domain resolution, tunneling, beaconing, domain generation algorithms, and low-volume communication. DNS behavior can provide early indicators of C2 activity. 

When the attack is at the command-and-control stage, the attacker may already be sending instructions, updating malware, pulling system information, preparing lateral movement, or getting ready to stage and exfiltrate data. Basically, the intrusion is not theoretical but in progress, and hence, timing matters.  

That is where network detection and response become important. NDR detects command-and-control traffic by observing cross-system communication across the network. It does not wait for a malware signature to fire, but uses network traffic analysis, behavioral analytics, threat intelligence, metadata, packet evidence, and investigation workflows to help analysts identify C2 activity that may otherwise blend into everyday DNS, HTTP, HTTPS, TLS, proxy, or cloud traffic. 

The need is real. Verizon’s 2026 Data Breach Investigations Report analyzed more than 31,000 incidents and more than 22,000 confirmed breaches, with ransomware present in 48% of breaches.  

For SOC teams, that means cyberattack detection cannot depend on slow manual review. C2 traffic detection needs to happen early enough to interrupt the attacker’s next move. 

 

What is Command-and-Control Traffic? 

Command-and-control, or C2, is the communication channel between an attacker and a compromised system. 

Once malware, a compromised account, or a remote access tool is active inside an environment, it often needs to “phone home.” That communication can be used to: 

  • receive commands, 
  • download additional tools, 
  • send host or environment details, 
  • maintain persistence, 
  • proxy traffic, 
  • move laterally, 
  • stage stolen data, 
  • coordinate ransomware activity, 
  • or keep access alive during a longer intrusion. 

MITRE ATT&CK describes command-and-control as techniques adversaries use to communicate with systems under their control inside a victim network. The important part is that attackers often try to mimic normal traffic so defenders do not notice the difference. 

That is why C2 traffic rarely announces itself clearly. It may look like a workstation browsing the web, a DNS query, an encrypted HTTPS connection, a periodic API call, or a remote support session. 

 

Why C2 Traffic is So Hard to Detect 

C2 is difficult because it is designed to hide in traffic that organizations already allow. 

Companies cannot simply block DNS, HTTPS, cloud services, browser traffic, or software update traffic because they are legitimate channels that normal business operations depend on. Attackers take advantage of that trust by hiding C2 communication inside traffic that would be risky or impractical to block outright. 

Common C2 hiding places include: 

  • DNS queries, 
  • HTTP and HTTPS requests, 
  • TLS-encrypted sessions, 
  • proxy traffic, 
  • cloud-hosted infrastructure, 
  • content delivery networks, 
  • legitimate remote access tools, 
  • non-standard ports, 
  • domain generation algorithms, 
  • tunneled traffic, 
  • fallback channels. 

Encryption makes this harder. Attackers may use encrypted channels to conceal the content of C2 traffic. Without decryption, security teams may not see the payload. But that does not mean the traffic becomes invisible. Timing, destination, certificate details, session behavior, packet sizes, DNS patterns, byte ratios, and protocol metadata can still provide useful evidence. 

There is another challenge: modern C2 frameworks are flexible. Tools such as Cobalt Strike allow operators to change how network indicators look. That weakens detection methods that depend only on static indicators such as one known URI, one user agent, or one fixed beacon pattern. 

So strong C2 traffic detection needs more than signatures. It needs behavior, context, correlation, and evidence.  

Quote

“Command-and-control detection is not about spotting one obviously malicious connection. In most real environments, C2 hides inside legitimate channels like DNS, HTTPS, cloud traffic, and software updates. The real advantage of NDR is that it looks at behavior over time: which asset is communicating, how often, with whom, using what protocol, and whether that pattern makes sense for the system’s normal role. That context is what turns weak network signals into actionable threat detection.” 

At that point, NDR becomes an investigation acceleration layer. Instead of forcing analysts to manually correlate disconnected events, it helps them quickly reconstruct the attack path across users, hosts, protocols, and sessions. When integrated with UEBA, it adds another layer of context by helping distinguish user-driven activity from machine-driven movement, improving confidence in separating real compromise from legitimate administrative behavior.” 

JooYeong Ang, Sales Engineer, NetWitness

How NDR Detects Command-and-Control Traffic 

C2 appears as outbound traffic to the internet, or may also be connected to internal scanning, lateral movement, credential abuse, staging, or peer-to-peer communication. Since NDR continuously monitors traffic across north-south and east-west paths, it can detect command-and-control traffic.  

A strong NDR approach usually combines several detection methods. 

1. Detecting Beaconing Patterns

Beaconing is one of the classic C2 behaviors. 

A compromised host may contact the attacker infrastructure every few seconds, minutes, or hours to check in for instructions. Sometimes the interval is very regular. Sometimes it includes jitter to make the timing less obvious. 

NDR can identify suspicious beaconing by looking for: 

  • repeated outbound connections from the same host, 
  • regular or semi-regular timing intervals, 
  • small but persistent data transfers, 
  • repeated contact with rare destinations, 
  • unusual communication outside business hours, 
  • similar session sizes over time, 
  • low-volume traffic that persists for days, 
  • connections that do not match the asset’s normal role. 

A single outbound connection may not look malicious. A workstation contacting an unknown external domain every 10 minutes for two days is different. That pattern gives analysts something worth investigating. 

This is where network security monitoring helps. It gives the SOC enough historical context to understand whether a connection is normal, rare, new, or suspicious for that host. 

2. Analyzing DNS for C2 Indicators

Attackers use DNS because it is widely allowed, easy to blend into, and often under-monitored compared with web traffic; therefore, it is one of the most useful places to hunt C2. Some C2 channels use DNS only to resolve attacker infrastructure. Others use DNS more aggressively for tunneling, staging, or command exchange. 

NDR can support DNS-based C2 traffic detection by identifying: 

  • unusual DNS query volume, 
  • long or encoded-looking subdomains, 
  • repeated queries to rare domains, 
  • high NXDOMAIN activity, 
  • newly observed domains, 
  • DNS requests to unauthorized resolvers, 
  • domain generation algorithm patterns, 
  • suspicious TTL behavior, 
  • DNS tunneling indicators, 
  • internal systems resolving domains they have never contacted before. 

For example, a server that rarely makes external DNS requests but suddenly starts resolving long, random-looking domains should get attention. The same applies to workstations that generate repeated failed lookups across many algorithmic-looking domains. 

DNS does not prove C2 by itself. But it often gives threat hunters an early thread to pull. 

3. Inspecting HTTP, HTTPS, and TLS Behavior

A lot of C2 traffic hides inside web traffic because web traffic is everywhere. 

An attacker does not need the connection to look perfect. It only needs to look boring enough to avoid immediate attention. That is why network threat detection has to inspect more than destination IPs. 

NDR can examine HTTP, HTTPS, and TLS metadata for signs such as: 

  • rare or suspicious user agents, 
  • unusual URI structures, 
  • odd HTTP methods, 
  • abnormal header combinations, 
  • suspicious GET and POST patterns, 
  • strange client-server byte ratios, 
  • repeated connections to low-reputation infrastructure, 
  • TLS certificate anomalies, 
  • self-signed or newly issued certificates, 
  • mismatched SNI and certificate details, 
  • unusual JA3 or JA4 fingerprints, 
  • protocol and port mismatches, 
  • session duration anomalies. 

This is especially useful when payloads are encrypted. Even without decrypting the content, analysts can still evaluate how the session behaves. 

4. Building a Baseline of Normal Network Behavior

C2 detection improves when the SOC understands what “normal” looks like. 

Not every rare connection is malicious. Not every periodic connection is beaconing. Not every new domain is suspicious. Context matters. 

NDR solutions use behavioral analytics to compare current activity against normal network behavior for users, hosts, servers, applications, peer groups, and destinations. 

This helps flag activity such as: 

  • a workstation communicating with infrastructure it has never contacted before, 
  • a database server initiating unusual outbound web sessions, 
  • a domain controller making unexpected external connections, 
  • a user device contacting rare destinations after a suspicious login, 
  • a server using protocols outside its normal role, 
  • an internal asset suddenly behaving like a relay or proxy. 

This is where advanced threat detection becomes more practical. The SOC is not just asking, “Is this known bad?” It is asking, “Is this behavior normal for this asset, at this time, in this environment?” 

That distinction is important because unknown C2 infrastructure will not always appear in threat intelligence feeds immediately. 

5. Correlating Threat Intelligence With Network Evidence 

Threat intelligence still matters. Known malicious IPs, domains, URLs, certificates, malware infrastructure, C2 framework patterns, and reputation signals can help NDR solutions identify active threats faster. 

But threat intelligence should not be the only layer. Attackers rotate infrastructure quickly. They use compromised servers. They host C2 in cloud environments. They customize tooling. They use newly registered domains or blend into legitimate services. 

A stronger model is layered: 

  • signatures help catch known tooling, 
  • threat intelligence helps identify suspicious infrastructure, 
  • behavioral analytics helps detect unknown or modified activity, 
  • packet and metadata evidence helps analysts validate the alert. 

6. Using Packet and Metadata Evidence to Validate the Alert

Once an alert fires, the SOC needs to know what happened. Did the host really communicate with C2 infrastructure? Was data transferred? Did the session include file movement? Was the traffic connected to lateral movement? Was it part of a larger attack path? 

That is why packet evidence and enriched metadata are valuable. A mature NDR workflow should help analysts answer: 

  • Which host initiated the connection? 
  • What destination did it contact? 
  • Which protocol and application were used? 
  • When did the activity begin? 
  • How often did the host communicate? 
  • How much data moved? 
  • Were DNS queries involved? 
  • Was the session encrypted? 
  • Were there related internal connections before or after? 
  • Did the same host show signs of scanning, authentication attempts, or data staging? 
  • Is the behavior isolated or part of a broader threat detection and response workflow? 

Packet-level evidence is especially useful when the SOC needs confidence. Metadata can show the shape of the activity. Full packet capture, where available, can help reconstruct the session and validate what took place. 

NDR solution

Why Encrypted C2 Does Not Make NDR Useless 

Encrypted C2 is a real challenge, but it does not make network detection and response irrelevant. It changes what analysts can inspect. 

If decryption is available and legally/operationally appropriate, payload inspection can reveal more details. Without decryption, NDR still has useful evidence to work with, including: 

  • flow metadata, 
  • session timing, 
  • destination reputation, 
  • certificate details, 
  • SNI behavior, 
  • TLS fingerprints, 
  • packet size patterns, 
  • connection frequency, 
  • byte ratios, 
  • protocol mismatch, 
  • historical baseline deviation, 
  • related DNS behavior, 
  • related internal movement. 

Think of it this way: encryption may hide the conversation, but it does not hide the fact that the conversation happened, who participated, how often it happened, how much data moved, and whether the behavior fits the system’s normal role. That is often enough to start a high-quality investigation. 

 

How NDR Supports Cybersecurity Threat Hunting for C2 

C2 hunting works best when analysts can ask flexible questions. 

Instead of waiting for a single high-confidence alert, threat hunters can search for suspicious patterns such as: 

  • first-seen domains, 
  • rare external destinations, 
  • low-and-slow beaconing, 
  • abnormal DNS activity, 
  • repeated failed DNS lookups, 
  • suspicious TLS fingerprints, 
  • odd user agents, 
  • new outbound traffic from sensitive servers, 
  • protocol mismatch, 
  • internal scanning followed by outbound communication, 
  • traffic to newly registered or low-reputation domains. 

This is why network traffic analysis is so useful for hunting. It lets analysts pivot from one weak signal into related evidence. 

For example, a hunter may start with a rare external destination. From there, they can pivot to every internal host that contacted it, review DNS behavior, inspect related TLS metadata, check session timing, correlate endpoint activity, and determine whether the pattern is benign or malicious. 

That is the practical difference between having network data and having searchable, enriched, investigation-ready network evidence. 

 

Where NetWitness Fits in C2 Detection 

With NetWitness, we approach C2 detection from the position that alerts alone are not enough. Analysts need visibility, context, and evidence they can actually investigate. 

Our NDR capabilities are built around full-packet capture, metadata enrichment, NetFlow, and visibility across on-premises, cloud, and virtual environments. That matters for C2 because the attacker’s communication path may cross internet egress, internal east-west traffic, data center traffic, cloud workloads, or virtual network segments. 

We also support real-time behavior analytics, threat intelligence, machine learning, session reconstruction, and flexible capture models, including full-packet capture and metadata-only approaches. For C2 investigations, that flexibility is important. Some environments need deep forensic visibility in high-value segments. Others need broader metadata coverage at scale. A practical architecture often needs both. 

Where we are particularly strong is in the investigation layer. C2 detection should not stop at “this looks suspicious.” Analysts need to validate the session, reconstruct activity where packet capture is available, inspect metadata, pivot across related traffic, and understand whether the event connects to lateral movement, credential misuse, data staging, or exfiltration. 

NetWitness also adds value here because it uses unsupervised machine learning on network metadata to discover, profile, categorize, characterize, prioritize, and track assets. For C2 detection, asset context matters. A strange outbound connection from a developer workstation may mean one thing. The same behavior from a domain controller, jump server, or production database may mean something very different. 

The practical takeaway is simple: we are strongest when the SOC uses NetWitness as an evidence-driven investigation platform, not just another alert source. 

 

What to Look for in NDR Solutions for C2 Traffic Detection 

If you are evaluating NDR solutions for command-and-control detection, focus on operational capability, not just feature labels. 

Look for: 

  • visibility across internal and external network traffic, 
  • DNS, HTTP, HTTPS, TLS, and flow analysis, 
  • behavioral analytics and baselining, 
  • beaconing detection, 
  • encrypted traffic metadata analysis, 
  • threat intelligence correlation, 
  • packet capture or packet-level investigation, 
  • session reconstruction, 
  • metadata enrichment, 
  • east-west and north-south monitoring, 
  • cloud and virtual network visibility, 
  • support for threat hunting workflows, 
  • integration with SIEM, EDR, UEBA, SOAR, and case management, 
  • scalable retention options, 
  • current detection content for modern C2 frameworks. 

Network Visibility Readiness Guide

Discover how to identify blind spots, monitor traffic across cloud and on-prem environments, and strengthen detection with a practical 7-step evaluation framework. Download the guide to improve investigation speed and security clarity.

Netwitness guide


Frequently Asked Questions

1. How does NDR detect command-and-control traffic?

NDR detects command-and-control traffic by analyzing: 

  • network behavior 
  • DNS activity 
  • HTTP and HTTPS sessions 
  • TLS metadata 
  • beaconing patterns 
  • destination reputation 
  • protocol anomalies 
  • packet evidence 
  • traffic baselines 

Common signs include periodic beaconing, rare outbound destinations, suspicious DNS queries, abnormal TLS fingerprints, odd user agents, unusual byte ratios, protocol mismatch, and new external communication from sensitive systems. 

Yes, NDR can often detect encrypted C2 traffic by analyzing: 

  • metadata 
  • timing 
  • TLS fingerprints 
  • certificates 
  • destination behavior 
  • traffic shape 
  • baseline deviation 

Without decryption, it may not see payload content, but it can still identify suspicious communication patterns. 

Full packet capture helps analysts validate: 

  • suspicious sessions 
  • reconstruct activity 
  • inspect protocol behavior 
  • preserve forensic evidence 
  • understand whether C2 traffic connects to lateral movement, staging, or exfiltration. 

Cybersecurity threat hunting helps analysts proactively search for weak signals such as:  

  • rare destinations 
  • beaconing 
  • suspicious DNS behavior 
  • abnormal TLS metadata 
  • unusual outbound traffic before those signals become confirmed incidents. 

About Author

Picture of Ashwini Kolar

Ashwini Kolar

Ashwini Kolar is an engineer by education and a storyteller at heart. With over nine years of experience in content marketing, she has built her career around simplifying complex ideas and turning them into clear, useful, and actionable content. Her work spans industries such as travel, education, engineering, real estate, cybersecurity, life sciences, data management, manufacturing, and healthcare. Ashwini’s strength lies in understanding both the subject and the audience, creating content that informs, engages, and helps readers confidently take the next step. Connect with her on LinkedIn.

Related Resources

Accelerate Your Threat Detection and Response Today! 

Don’t Let Blind Spots Become Breaches

Assess whether you can track attacks across cloud, internal traffic, and remote environments

Leaving Without The Ransomware Intel?

See which groups are targeting enterprises in 2026 and how to prepare before they strike.