How Attackers Maintain Control Over Compromised Systems


Once cybercriminals gain a foothold inside your network, their next step is to maintain control—often undetected. They do this by establishing Command and Control (C2) channels that allow them to issue instructions, move laterally, exfiltrate data, or launch further attacks.

But how do defenders spot these covert operations, especially when attackers use sophisticated evasion techniques?

Unmasking C2 Communication with FortiNDR Cloud

Fortinet’s FortiNDR Cloud has proven highly effective at identifying a wide range of C2 techniques, using advanced threat detection capabilities. Here’s how:

  • SSL C2 Beacons – Cybercriminals often hide their activity in encrypted traffic, using SSL C2 beacons to avoid detection by traditional security tools.
  • Cobalt Strike DNS Requests – A popular tool among red teams and real-world attackers alike, Cobalt Strike leverages DNS for stealthy C2 communication. FortiNDR Cloud can detect these DNS patterns and flag suspicious behavior.
  • DNS Tunneling & Long DNS Queries – These techniques exploit the DNS protocol to bypass firewalls and other security mechanisms. FortiNDR’s behavioral analytics help detect and disrupt these tunnels.
  • Detection of DGA-Based Malware – FortiGuard Labs uses deep neural network-based machine learning to flag Domain Generation Algorithm (DGA) domains, the constantly changing domain names that malware generates to reach its C2 servers.
  • Firewall-Level Protection – Through integration with the Fortinet Security Fabric, FortiNDR can automatically block botnet IPs and malicious domains, stopping C2 traffic at the perimeter.
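
As an added illustration of the "DNS Tunneling & Long DNS Queries" item above (this is not Fortinet code and does not describe how FortiNDR Cloud works internally), the Python example below flags parent domains that receive many distinct long, high-entropy subdomains in a DNS query log. The log entries, the `c2-sim.example` domain, the helper names and the thresholds are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"  # base32-style characters

def fake_label(i, length=48):
    """Constructed stand-in for an encoded data chunk carried in a DNS label."""
    return "".join(ALPHABET[(i * 7 + k) % 32] for k in range(length))

# Constructed sample log of (client IP, queried name); not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.org"),
    ("10.0.0.9", "images-eu-west-1.static.assets.example.net"),
] + [("10.0.0.23", f"{fake_label(i)}.c2-sim.example") for i in range(8)]

def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than hostnames."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def split_name(qname):
    """Return (subdomain, parent). Assumption: parent is the last two labels;
    a production version would consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunnel_candidates(queries, min_len=40, min_entropy=3.5, min_unique=5):
    """Flag parent domains receiving many distinct long, high-entropy subdomains.
    Thresholds are illustrative assumptions and need tuning per network."""
    subs_by_parent = defaultdict(set)
    for _client, qname in queries:
        sub, parent = split_name(qname)
        if sub:
            subs_by_parent[parent].add(sub)
    findings = {}
    for parent, subs in subs_by_parent.items():
        suspicious = [s for s in subs
                      if len(s) >= min_len
                      and shannon_entropy(s.replace(".", "")) >= min_entropy]
        if len(suspicious) >= min_unique:
            findings[parent] = len(suspicious)
    return findings

if __name__ == "__main__":
    print(find_tunnel_candidates(SAMPLE_QUERIES))
```

Counting distinct subdomains per parent domain, rather than alerting on a single long name, keeps one-off long hostnames such as CDN asset names from triggering the check.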

Stay In Control—Don’t Let Attackers Be

The longer attackers remain inside your network, the more damage they can do. Let’s work together to detect and eliminate C2 activity before it spreads.

Learn more about our network connectivity & security solution or contact us for a bespoke solution

Source: 2025 Fortinet Global Threat Landscape Report
