C2 over App Protocols
Info
ID: AT-DC001
Tactic: Deepening Control
Sub-techniques: DNS Protocols, File Transfer Protocols, Web Protocols
OWASP Mapping: N/A, outside OWASP Top 10:2025 web application risk scope (adversary tradecraft)
C2 over App Protocols
Adversaries may establish command-and-control (C2) channels over legitimate application protocols and communication flows. For example, they might tunnel data through APIs the application already uses (such as GraphQL or REST calls), or encode instructions within the payloads that microservices process. This disguises malicious traffic as normal business operations and complicates detection by defenders.
When these protocols ride on top of HTTPS or use widely accepted ports, the traffic may look benign to perimeter security controls. In cloud deployments, horizontally scaled services often rely on ephemeral sessions, which gives attackers many touchpoints through which to funnel commands or exfiltrate data. By piggybacking on known channels, adversaries minimize anomalies in network logs and undermine typical rule-based alerts.
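As an added example that is not part of this entry, the following Python detector applies two checks a defender would run over API access logs to surface this technique: beacon-like request regularity per client and endpoint, and high-entropy payloads in fields that normally carry business text. The log records, client addresses and thresholds are constructed for illustration and would need tuning against real traffic.

```python
import math
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of API-gateway records, not real traffic: (timestamp, client, path, payload).
# Client 10.0.5.21 hits /graphql exactly every 60 s with a base64-looking blob; client
# 10.0.7.8 uses the same endpoint at irregular intervals with ordinary business text.
BLOB = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"  # 64 distinct chars
SAMPLE = [(f"2025-01-10T09:{i:02d}:00Z", "10.0.5.21", "/graphql", BLOB[i:] + BLOB[:i])
          for i in range(6)]
SAMPLE += [
    ("2025-01-10T09:00:12Z", "10.0.7.8", "/graphql", "update profile display name"),
    ("2025-01-10T09:00:49Z", "10.0.7.8", "/graphql", "list open orders"),
    ("2025-01-10T09:05:02Z", "10.0.7.8", "/graphql", "mark order shipped"),
    ("2025-01-10T09:27:41Z", "10.0.7.8", "/graphql", "update profile display name"),
    ("2025-01-10T09:31:10Z", "10.0.7.8", "/graphql", "list open orders"),
]

def shannon_entropy(s: str) -> float:
    """Bits per character: random base64 approaches 6.0, English text sits near 4."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def find_beacons(records, min_requests=5, max_cv=0.2):
    """Flag (client, path) pairs whose inter-request gaps are suspiciously regular.
    CV = stdev/mean of the gaps: fixed-interval beacons sit near 0, human use well above.
    Jittered beacons raise CV, so tune max_cv against your own traffic baseline."""
    by_key = defaultdict(list)
    for ts, client, path, _ in records:
        by_key[(client, path)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        if len(times) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 0.0
        if cv <= max_cv:
            flagged[key] = round(cv, 3)
    return flagged

def find_encoded_payloads(records, min_len=32, min_entropy=4.5):
    """Flag requests whose payload looks like an encoded blob rather than business text."""
    return [(client, path, round(shannon_entropy(p), 2)) for _, client, path, p in records
            if len(p) >= min_len and shannon_entropy(p) >= min_entropy]
```

Both checks are heuristics: correlate a beaconing client with encoded payloads and with the identity or workload that issued the requests before escalating, since scheduled jobs and health checks also produce regular traffic.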