Web Protocols
Command and Control (C2) over Web Protocols is a subtechnique within the Deepening Control phase in which attackers use standard web protocols such as HTTP, HTTPS, and WebSockets to establish and maintain communication channels between compromised systems and their control infrastructure. The approach is particularly effective because these protocols are commonly allowed through organizational firewalls and security controls, so the malicious traffic blends in with legitimate web traffic. Attackers typically implement custom C2 channels over these protocols by embedding command instructions within seemingly normal web requests and responses, using various encoding methods or steganography to hide the actual commands. The encryption provided by HTTPS adds another layer of obfuscation, making traffic analysis more difficult for defenders. Advanced implementations may use legitimate web services as proxies or employ domain fronting, where the communication appears to be with a trusted domain while actually reaching attacker-controlled infrastructure. Detection often requires deep packet inspection, TLS decryption capabilities, or behavioral analysis to identify abnormal communication patterns within otherwise normal-looking web traffic.
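The behavioral-analysis approach mentioned above can be illustrated without decrypting anything: a C2 implant that polls its server on a timer produces request timing that is far more regular than human browsing, and that regularity is visible in proxy metadata alone. The following script is an added example, not code from the original page or from any particular tool. It parses a constructed proxy log format (ISO timestamp, client IP, method, URL, response bytes), groups requests by client and destination host, and flags pairs whose inter-request intervals have a low coefficient of variation. The hosts, IPs, log layout and thresholds are all assumptions made for the illustration.

```python
"""Beacon-pattern detection over web proxy logs (added example, constructed data)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hypothetical log layout: "<iso-timestamp> <client-ip> <method> <url> <response-bytes>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def make_sample_log():
    """Return constructed proxy log text (not real traffic)."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    # Periodic client: one request roughly every 60 s with small jitter and tiny replies.
    t = base
    for i, jitter in enumerate([0, 1, -1, 2, -2, 0, 1, -1, 2, 0]):
        t += timedelta(seconds=60 + jitter)
        lines.append(f"{t.isoformat()} 10.0.0.7 GET "
                     f"https://cdn-sync-example.test/api/v1/ping {312 + (i % 3) * 4}")
    # Browsing client: irregular gaps and widely varying response sizes.
    t = base
    for gap, size in zip([3, 45, 2, 600, 7, 1, 120, 30, 5, 900],
                         [15230, 2048, 98000, 512, 40210, 1300, 75000, 3100, 22000, 880]):
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.0.0.9 GET https://news.example.test/story/{size} {size}")
    return "\n".join(lines)


def parse_log(text):
    """Yield (timestamp, client, host, bytes) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, size = m.groups()
        yield datetime.fromisoformat(ts), client, urlparse(url).hostname, int(size)


def cv(values):
    """Coefficient of variation (stdev / mean); low values mean a very regular series."""
    if len(values) < 2:
        return float("inf")
    mean = statistics.mean(values)
    return statistics.stdev(values) / mean if mean else float("inf")


def detect_beacons(text, min_requests=8, max_interval_cv=0.2, max_size_cv=0.5):
    """Flag (client, host) pairs whose request timing is suspiciously regular.

    Thresholds are illustrative starting points, not tuned values. Legitimate
    periodic traffic (auto-refreshing dashboards, update checks) will also match
    and needs an allow-list in practice.
    """
    sessions = defaultdict(list)
    for ts, client, host, size in parse_log(text):
        sessions[(client, host)].append((ts, size))

    findings = []
    for (client, host), events in sessions.items():
        if len(events) < min_requests:
            continue
        events.sort()
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [s for _, s in events]
        interval_cv, size_cv = cv(intervals), cv(sizes)
        if interval_cv <= max_interval_cv:
            findings.append({
                "client": client,
                "host": host,
                "requests": len(events),
                "mean_interval": statistics.mean(intervals),
                "interval_cv": interval_cv,
                # Near-constant response sizes are a supporting signal (empty tasking replies).
                "uniform_sizes": size_cv <= max_size_cv,
            })
    return findings


if __name__ == "__main__":
    for f in detect_beacons(make_sample_log()):
        print(f"{f['client']} -> {f['host']}: {f['requests']} requests, "
              f"~{f['mean_interval']:.0f}s period (cv={f['interval_cv']:.3f}), "
              f"uniform sizes={f['uniform_sizes']}")
```

Run on the constructed log, only the 10.0.0.7 to cdn-sync-example.test pair is reported, with a period of about 60 seconds and near-identical response sizes, while the browsing client is not. The interval coefficient of variation is deliberately the primary signal because it survives TLS: it needs only timestamps and destination, not request contents. Size uniformity is kept as a secondary indicator, and the thresholds should be tuned against a baseline of the organization's own legitimate periodic traffic before alerting on them.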