Palo Alto Networks Leads in C2 Threat Prevention


How Palo Alto Networks Stops C2 Threats in Their Tracks

Written by Samaresh Nair.

 

 

What is Command-and-Control (C2)?

 

At its core, Command-and-Control (C2) refers to the covert communication link established between a compromised system and the attacker’s remote infrastructure.

 

Through this channel, attackers can:

  • Send malicious commands to the infected system
  • Extract stolen information
  • Move laterally across the network
  • Deploy additional malware

 

C2 channels are often encrypted, obfuscated, or disguised as legitimate traffic (e.g., HTTPS, DNS, social media platforms) to blend into routine network communications and avoid triggering alarms. If organizations can detect and block C2 activity early enough, they can effectively disrupt the attack before it escalates into a full-scale breach.

 

Why Command-and-Control (C2) Matters

In the modern threat landscape, Command-and-Control (C2) channels represent an attack's critical "second phase" after an initial compromise. Once inside a network, attackers use C2 communications to issue instructions, exfiltrate data, deploy secondary payloads, and maintain long-term access. Disrupting C2 activity is often the last effective chance network defenders have to stop an attack before real damage occurs, whether that is ransomware deployment, a data breach, or a supply chain attack.

 

Sophisticated threat actors, including APT groups and ransomware operators, increasingly rely on stealthy, malleable C2 frameworks to evade traditional defenses, making C2 detection a mission-critical capability for enterprises today.

 

The Evasive Power of Cobalt Strike and Empire

Modern attackers rarely build C2 infrastructure from scratch. Instead, they use highly customizable and powerful frameworks such as Cobalt Strike or Empire:

 

🔹 Cobalt Strike

Cobalt Strike, developed initially as a legitimate red-teaming tool for penetration testing, has been extensively misused by cybercriminals and nation-state actors due to its powerful capabilities and accessibility.

  • Dominance in Offensive Security Tools: As per this Dark Reading article, as of early 2024, Cobalt Strike accounted for two-thirds of offensive security tool command-and-control (C2) servers, significantly outpacing other tools like Metasploit, which was observed in just under 8% of cases.
  • Prevalence in Ransomware Attacks: As early as Q4 2022, Cobalt Strike was the most prevalent malicious tool used by ransomware groups, involved in 41% of such attacks, according to research by Trellix.
  • Global Impact: The United States led with 45.04% of targeted attacks using Cobalt Strike, followed by India (13.11%) and Hong Kong (8.36%), underscoring its widespread use across various regions, as per this article from Trellix.
  • Widespread Use: Co-opted by both criminal and nation-state groups, including ransomware operators and APTs.
  • Built-In Capabilities: Provides built-in features for beaconing, payload staging, obfuscated communication, and evasion tactics like malleable C2 profiles.
  • Enables dynamic adaptation: Attackers can modify encryption keys, payload delivery methods, and communication patterns in real time to evade detection and maintain control.

 

🔹 Empire

Empire, originally developed as an open-source post-exploitation and C2 framework, has also been extensively adopted by cybercriminals and advanced persistent threat (APT) groups due to its stealth capabilities and modular flexibility.

 

  • Prevalence in Attack Campaigns: Empire has been consistently leveraged by both cybercriminals and nation-state actors in sophisticated post-compromise activities. According to a MITRE ATT&CK Framework entry, Empire provides robust support for Windows, macOS, and Linux systems, making it a favored choice for cross-platform persistence and lateral movement.
  • Use in Nation-State Operations: Empire has been used in operations linked to prominent APT groups, providing sustained access and stealthy command execution during prolonged intrusion campaigns.
  • Flexibility and Stealth Focus: Empire operates primarily through fileless techniques, relying on PowerShell and Python agents that execute entirely in memory, minimizing artifacts that traditional endpoint security tools can detect (MITRE ATT&CK Reference).
  • Built for Evasion and Longevity: Empire is a favored tool among attackers due to its highly modular scripting capabilities, which allow for easy customization of payloads. It also integrates obfuscation techniques to disguise command payloads and communication, further enhancing its stealth. Additionally, Empire uses encrypted channels such as HTTPS, SMB, and other legitimate protocols, making it difficult for traditional network defenses to detect and block malicious traffic.

 

Why Traditional Defenses Fall Short

 

Most traditional network security defenses were designed for a different era — an era when attacks were more static, predictable, and signature-driven.

🔸 Intrusion Prevention Systems (IPS)

  • Rely heavily on known signatures: static patterns of attack traffic.
  • Cobalt Strike and Empire can quickly randomize payloads, modify metadata, and use encryption — making them invisible to signature-based IPS rules.

🔸 URL Filtering

  • Blocks access to known bad domains or uncategorized URLs.
  • Attackers increasingly host C2 servers on reputable cloud services, compromise legitimate domains, or constantly rotate infrastructure (Fast Flux), bypassing static URL filters.

🔸 Application Layer Gateways and Proxies

  • Often focus on controlling or mimicking sanctioned applications (e.g., Facebook, YouTube).
  • Sophisticated C2 traffic can hide inside allowed protocols like HTTPS or DNS, making it indistinguishable without deep inspection.

 

Why a Modern, Intelligence-Driven Approach is Needed

 

Stopping today’s C2 threats requires more than just signatures.

 

It demands:

  • Behavioral analysis: spotting unusual command patterns, timing anomalies, and encrypted communication oddities.
  • Real-time threat intelligence: dynamically identifying emerging attacker infrastructure.
  • Deep traffic inspection: going beyond ports and protocols to validate payload intent, even when encrypted.
  • Adaptive detection: models that continuously learn and evolve with the threat landscape, going beyond static, historical indicators to identify emerging threats in real time.
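The "timing anomalies" point above is the easiest of these to make concrete: beaconing implants call home on a near-fixed period, while human-driven traffic to the same kind of destination is bursty. The following is an added example (not code from the original post or from Palo Alto Networks) that groups constructed flow records by source, destination and port and flags pairs whose inter-arrival times are too regular; the sample flows, thresholds and field layout are assumptions.

```python
"""Flag beacon-like callbacks in flow logs by inter-arrival regularity."""
import statistics
from collections import defaultdict

# Constructed sample flow records (epoch seconds, src, dst, dst_port); not real traffic.
SAMPLE_FLOWS = [
    # host A: near-periodic ~60 s callbacks to one destination, small jitter
    (0, "10.0.0.5", "203.0.113.10", 443),
    (61, "10.0.0.5", "203.0.113.10", 443),
    (119, "10.0.0.5", "203.0.113.10", 443),
    (181, "10.0.0.5", "203.0.113.10", 443),
    (240, "10.0.0.5", "203.0.113.10", 443),
    (302, "10.0.0.5", "203.0.113.10", 443),
    # host B: bursty, human-driven browsing to another destination
    (5, "10.0.0.7", "198.51.100.20", 443),
    (7, "10.0.0.7", "198.51.100.20", 443),
    (9, "10.0.0.7", "198.51.100.20", 443),
    (400, "10.0.0.7", "198.51.100.20", 443),
    (403, "10.0.0.7", "198.51.100.20", 443),
    (1900, "10.0.0.7", "198.51.100.20", 443),
]


def interval_stats(timestamps):
    """Return (mean gap, coefficient of variation) of the inter-arrival times."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    # Low CV means the gaps barely vary: the hallmark of a scheduled beacon.
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, cv


def find_beacons(flows, min_conns=5, max_cv=0.25):
    """Return (src, dst, port) pairs whose callbacks are too regular to be human."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for key, times in by_pair.items():
        if len(times) < min_conns:  # too few samples to judge periodicity
            continue
        mean, cv = interval_stats(times)
        if cv <= max_cv:
            hits.append({"pair": key, "period_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(hit)
```

Real beacons add configurable jitter, so `max_cv` is a tuning knob: raise it and more legitimate periodic traffic (update checks, monitoring agents) will also surface, which is why this check is one behavioral signal to correlate with others rather than a verdict on its own.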

 

Palo Alto Networks embodies this next-generation approach by combining:

  • Advanced Threat Prevention leveraging inline deep learning
  • Intelligence-driven dynamic updates
  • Cloud-delivered threat analysis and sandboxing
  • Integrated behavioral anomaly detection

 

This allows for prevention, not just detection, of sophisticated, evasive C2 threats — in real time, before damage occurs.

 

SecureIQLab Q1 2025 Report: Independent Validation of Leadership

 

The SecureIQLab Q1 2025 Command-and-Control Prevention Comparative Report evaluated leading NGFW vendors across a rigorous battery of C2 attack scenarios, including randomized, customized, and non-standard port attacks using Cobalt Strike v4.10 and Empire v5.9.5.

 

[Figure 1: C2 threat prevention results for Palo Alto Networks]

 

Palo Alto Networks emerged as the clear leader:

  • 97.02% Overall C2 Block Rate
  • 100% Block Rate Against Empire
  • 94.04% Block Rate Against Cobalt Strike
  • 92% Threat Mitigation Efficiency

 

While other vendors struggled under customized or adversarial scenarios, Palo Alto Networks consistently maintained top protection, validating our approach to modern C2 defense.

 

The C2 Battleground: Defining the Future of Cybersecurity

 

The ability to detect and disrupt Command-and-Control activity defines the line between minor incidents and catastrophic breaches. As attackers evolve with tools like Cobalt Strike and Empire, organizations must evolve faster, adopting intelligence-driven, behavior-based defenses that adapt to an ever-changing threat landscape.

 

Our latest 2025 SecureIQLab report reaffirms that Palo Alto Networks is leading the charge—delivering the real-world protection enterprises need to stop today’s most advanced cyberattacks.

 
