Command-and-control (C&C) servers are the machines attackers use to maintain communication with the compromised systems in a target network. These servers issue commands to the compromised systems, ranging from a simple “Are you (still) there?” request to data exfiltration instructions and full remote control commands. The type of C&C traffic entirely depends on the malware and the attacker’s objective.
Although a C&C server is used to control the compromised systems, it’s usually the compromised system that will contact the C&C from inside the victim’s network and then wait for further instructions. This is because most modern networks have a very strict inbound filtering policy, making it impossible for attackers to directly contact the compromised machines from an external network.
