Detecting and remediating command and control attacks at the network layer


Update – 11/10/2022 – Network Protection command and control (C2) detection and remediation capabilities are now generally available in Microsoft Defender for Endpoint.

We are excited to announce the general availability of Network Protection command and control (C2) detection and remediation capabilities in Microsoft Defender for Endpoint. These enhancements will help reduce the time it takes security operations (SecOps) teams to pinpoint and respond to malicious threats looking to compromise the endpoint.

Attackers often compromise existing internet-connected servers and use them as their command and control servers. Once these servers are compromised, attackers use them to hide malicious traffic and to deploy the malicious bots that infect endpoints. Let's say – in an attacker's ideal scenario – their malicious bots somehow manage to circumvent an organization's existing defenses. In that breach the malicious bots introduce malware into an organization's environment through a user's device. The malware can be introduced in a number of ways: clicking a fraudulent link, downloading a suspicious file, or opening a seemingly legitimate email attachment. If an endpoint contracts any of these types of C2 malware, the compromised computer can communicate back with the malicious C2 servers, completely unbeknownst to the user (Figure 1). The response communication from the endpoint to the C2 server enables the attacker to gain full control of the endpoint.

This is problematic for security teams as many other unprotected devices that communicate with the previously infected endpoint can become compromised themselves. This can potentially lead to a spread of malware across a network, often referred to as a “botnet” infection.


Figure 1: Sample C2 attack flow

To quickly detect and clean up these botnet infections, SecOps teams need precise alerts that can accurately define areas of compromise and previous connections to known malicious IPs. With the new capabilities in Microsoft Defender for Endpoint, SecOps teams can detect network C2 attacks earlier in the attack chain, minimize the spread by rapidly blocking any further attack propagation, and reduce the time it takes to mitigate by easily removing malicious binaries. 




See Protect your network for the full list of requirements.

How does network layer C2 detection and remediation work?

Detecting and blocking C2 connections at the network layer

This capability works by inspecting network packets and examining them for known C2 malware configuration patterns. The Network Protection (NP) agent in Defender for Endpoint determines the true nature of the connection by mapping the outbound connection's IP address, port, hostname, and other NP connection values against the Microsoft cloud. If our cloud-powered AI and scoring engines deem the connection malicious, the connection is blocked and the malware binaries on the endpoint are rolled back to the previous clean state.

Generating incident and alert notifications in the Microsoft 365 Defender portal

After detection, an alert will surface under “Incidents and alerts” in the Microsoft 365 Defender portal (Figure 2), where the SecOps team can observe the alert name, the severity level of the detection, the device status, and other details. Customers can see more details on the alert with a full timeline and attack flow relative to their environment (Figure 3).


Figure 2: Alert page in the Microsoft 365 Defender portal


Figure 3: C2 attack flow timeline in the Microsoft 365 Defender portal

Testing/Validation: C2 detection and remediation

Once network protection has been enabled, you can test this C2-enhanced protection experience in your environment (using PowerShell) by:

a.  Navigate to your PowerShell prompt.

b.  Type: $Response = Invoke-WebRequest -URI

c.  If the testing URL is successfully blocked, you will get (Figure 4):

Invoke-WebRequest : The request was aborted: Could not create / secure channel.
At line:1 char:13
+ $Response = Invoke-WebRequest -URI https://commandcontrol.smartscreen …
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand


Figure 4: PowerShell output

d.  Followed by a block notification (Figure 5).


Figure 5: Endpoint notification

e.  On the block notification, click:

  1. “OK” to make the toast notification disappear
  2. “Feedback” to open the network protection feedback page, where you can submit feedback to the and portal (Figure 6).




Figure 6: Web threat detections over time  

f.  In the unlikely event the testing URL is not successfully blocked, you can get and/or F12 network trace, then send the NP team ( your screenshot. 
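The manual steps a–f above can be run as one script. The following PowerShell is an added example, not code from the original article or from Microsoft: it checks that Network Protection is in block mode, issues the test request, classifies the secure-channel WebException from Figure 4 as a block, and then pulls the matching Defender Network Protection event so the SOC can confirm the block was logged. The test URL is a placeholder (the article's URL is truncated above), and the event IDs 1125 (audit) and 1126 (block) in the "Microsoft-Windows-Windows Defender/Operational" log are Microsoft's documented Network Protection events; verify them in your environment.

```powershell
# Added example (not from the original article). Reproduces test steps a-f
# and checks the local Defender event log for the resulting block event.
param(
    # Placeholder: replace with the C2 test URL from step b of the article.
    [string]$TestUrl = 'https://<network-protection-test-url>'
)

# 1. Confirm Network Protection mode. EnableNetworkProtection: 0 = off, 1 = block, 2 = audit.
$npMode = (Get-MpPreference).EnableNetworkProtection
switch ($npMode) {
    1       { Write-Host "Network Protection is in block mode." }
    2       { Write-Warning "Network Protection is in audit mode: the request will be logged, not blocked." }
    default { Write-Warning "Network Protection is disabled (value $npMode); enable it before testing." }
}

# 2. Issue the test request. A blocked connection surfaces as a WebException
#    (the 'Could not create ... secure channel' error shown in Figure 4), not as an HTTP status.
$blocked = $false
try {
    $Response = Invoke-WebRequest -Uri $TestUrl -UseBasicParsing -TimeoutSec 15
    Write-Warning "Request succeeded (HTTP $($Response.StatusCode)); the URL was NOT blocked."
}
catch {
    $blocked = $true
    Write-Host "Request failed as expected: $($_.Exception.Message)"
}

# 3. Pull the matching Defender event so the block is confirmed in the log, not just on screen.
#    1126 = Network Protection block, 1125 = Network Protection audit (documented Defender event IDs).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1125, 1126
    StartTime = (Get-Date).AddMinutes(-5)
} -ErrorAction SilentlyContinue   # Get-WinEvent errors when no event matches; treat that as "none found"

if ($events) {
    $events | Select-Object TimeCreated, Id, Message | Format-List
}
else {
    Write-Warning "No Network Protection events in the last 5 minutes; capture an F12 network trace and a screenshot for the NP team (step f)."
}

# Summary object for use in a larger validation run or a ticket.
[pscustomobject]@{
    NetworkProtectionMode = $npMode
    Blocked               = $blocked
    EventCount            = @($events).Count
}
```

Run it from an elevated PowerShell prompt on the test device; reading the Defender operational log and Get-MpPreference both require local administrator rights. A result of Blocked = $true with EventCount = 0 usually means the request failed for an unrelated reason (DNS, proxy, timeout), so the event check is what distinguishes a real Network Protection block from ordinary connection failure.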

Accessing the C2 detection and remediation report in the Microsoft 365 Defender portal  

To access the report:

1. Go to the Microsoft 365 Defender portal ( and sign in.

2. Navigate to:

  1. Reports -> Security report -> Devices ->

    1. Web threat detection over time (Figure 7)
    2. Web threat summary (Figure 8)
  2. Reports -> Web Protection ->

    1. Web threat detection over time (Figure 7)
    2. Web threat summary (Figure 8)


Figure 7: Web threat detections over time


Figure 8: Web threat summary

Your feedback counts

We are excited to bring you a new enhancement to the Network Protection stack to further protect against command and control attacks. Try out this new capability and let us know what you think. Share your feedback with us at


This article was originally published by Microsoft's Defender for Endpoint Blog. You can find the original article here.