---
title: Malware command and control attack
description: Datadog, the leading service for cloud-scale monitoring.
---

# Malware command and control attack
- Classification: attack
- Tactic: [TA0011-command-and-control](https://attack.mitre.org/tactics/TA0011)
- Technique: [T1572-protocol-tunneling](https://attack.mitre.org/techniques/T1572)
## Goal{% #goal %}

Detect malware command and control activity by correlating C2 communication channels with data exfiltration indicators within the same execution context.

## Strategy{% #strategy %}

This correlation rule identifies C2 operations by detecting combinations of the following activity groups:

- **Malicious Communication**: Outbound connections to C2 infrastructure including IRC channels, P2P malware networks, paste sites, chatrooms, penetration testing domains, ngrok tunnels, DNS TXT lookups, SSH on non-standard ports, reverse shells (netcat), SOCKS5 proxies, and terminal sharing services (tmate)
- **Data Exfiltration**: Tunneling tools, network exfiltration utilities, file synchronization tools, base64 decoding, or archive creation used to stage and move data out

The rule triggers a **high** severity signal when both malicious communication and data exfiltration are detected within the same execution context.
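The correlation described above, as an added illustration over constructed process events (this is not Datadog's rule code). The indicator table, the container id standing in for the execution context, and the 900-second pairing window are assumptions:

```python
from collections import defaultdict

# Indicator tables drawn from the two activity groups above. Matching on process
# name is a simplified stand-in for the rule's real detection logic (an assumption).
C2_INDICATORS = {"ngrok": "ngrok tunnel", "tmate": "terminal sharing service",
                 "nc": "reverse shell (netcat)", "ncat": "reverse shell (netcat)"}
EXFIL_INDICATORS = {"tar": "archive creation", "zip": "archive creation",
                    "rclone": "file synchronization tool", "base64": "base64 decoding"}

def classify(event):
    """Map one process event (dict) to ('c2', label), ('exfil', label) or None."""
    comm, args = event["comm"], event["args"].split()
    if comm in C2_INDICATORS:
        return ("c2", C2_INDICATORS[comm])
    if comm == "dig" and "TXT" in args:            # DNS TXT lookup as a C2 channel
        return ("c2", "DNS TXT lookup")
    if comm in EXFIL_INDICATORS:
        if comm == "base64" and "-d" not in args and "--decode" not in args:
            return None                            # only decoding counts as staging
        return ("exfil", EXFIL_INDICATORS[comm])
    return None

def correlate(events, window=900):
    """One high-severity signal per execution context (container id) holding a C2 hit and an exfil hit within `window` seconds."""
    by_ctx = defaultdict(list)
    for ev in events:
        hit = classify(ev)
        if hit:
            by_ctx[ev["container_id"]].append((ev["ts"], *hit))
    signals = []
    for ctx, hits in sorted(by_ctx.items()):
        c2 = [h for h in hits if h[1] == "c2"]
        exfil = [h for h in hits if h[1] == "exfil"]
        pairs = [(c, e) for c in c2 for e in exfil if abs(c[0] - e[0]) <= window]
        if pairs:                                  # either group alone is not a signal
            c, e = min(pairs, key=lambda p: abs(p[0][0] - p[1][0]))
            signals.append({"severity": "high", "context": ctx, "c2": c[2], "exfil": e[2]})
    return signals

# Constructed sample telemetry (not real data): four containers, one true positive.
SAMPLE_EVENTS = [
    {"container_id": "ctr-a", "comm": "tar", "args": "tar czf /tmp/s.tgz /var/app/data", "ts": 1000},
    {"container_id": "ctr-a", "comm": "ngrok", "args": "ngrok http 8080", "ts": 1300},
    {"container_id": "ctr-b", "comm": "tar", "args": "tar czf backup.tgz /srv", "ts": 1000},
    {"container_id": "ctr-c", "comm": "base64", "args": "base64 report.txt", "ts": 1000},
    {"container_id": "ctr-c", "comm": "tmate", "args": "tmate -F", "ts": 1100},
    {"container_id": "ctr-d", "comm": "rclone", "args": "rclone copy /data remote:x", "ts": 1000},
    {"container_id": "ctr-d", "comm": "dig", "args": "dig TXT txt.example.net", "ts": 5000},
]
```

Only `ctr-a` fires: `ctr-b` has staging alone, `ctr-c` has base64 encoding (not decoding) plus a C2 hit alone, and `ctr-d` has both groups but outside the window.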

## Triage & Response{% #triage--response %}

1. **Block C2 communications**: Immediately block network access to the identified destination IPs and domains, and isolate infected systems.

1. **Terminate malware processes**: Stop the impacted process(es) on the affected host and container (or pod).

1. **Isolate affected systems**: Quarantine compromised containers or hosts to prevent further C2 activity and data exfiltration.

1. **Assess data exfiltration**: Identify what data may have been staged or exfiltrated by reviewing network traffic and file access patterns.

1. **Analyze malware artifacts**: Extract malware binaries, network indicators, and process arguments for forensic analysis.

1. **Hunt for additional infections**: Search for other systems with similar C2 indicators across your environment.

1. **Investigate initial access**: Determine how the malware was deployed and establish the full attack timeline.

1. **Implement preventive controls**: Deploy network egress filtering for known C2 infrastructure and enhance runtime detection capabilities.
