After a series of UEBA alerts, a company's SOC observes an extended period of suspicious outbound traffic - CompTIA CySA+ CS0-003

Question

After a series of UEBA alerts, a company's SOC observes an extended period of suspicious outbound traffic all with the same destination. Which of the following steps of the cyber kill chain has this attack completed?
Explanation

Correct answer: b. Command and Control (C2)

The Command and Control stage occurs after an attacker has successfully exploited a vulnerability on a target system. Once access is gained, the compromised system must maintain communication with the attacker's infrastructure—often referred to as a C2 server—to receive further commands, updates, or to exfiltrate data.

Key signs of C2 activity include:

  • Sustained or periodic outbound traffic from the infected host to the same external destination (especially to suspicious or rarely used IP addresses or domains).
  • Encrypted or obfuscated communications intended to bypass detection.
  • Use of non-standard ports or protocols.

This stage is crucial for attackers to maintain control over their foothold in the network and conduct further malicious activities.
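To make the first indicator above concrete (sustained, regular outbound connections from one host to one destination), here is a small beaconing check over flow records, added as an example that is not part of the original page. The flow tuples, the thresholds and the field names are constructed for illustration; real tuning depends on your own baseline.

```python
from collections import defaultdict
from statistics import mean, pstdev


def build_sample():
    """Constructed flow records: (epoch seconds, src, dst, bytes_out). Not real data."""
    flows = []
    # Host A: 20 connections to one destination, about every 60 s with small jitter,
    # i.e. a sustained, periodic pattern like the one the UEBA alerts describe.
    jitter = [0, 2, -1, 1, 0, -2, 1, 0, 2, -1, 0, 1, -2, 0, 1, 0, -1, 2, 0, 1]
    t = 1_700_000_000
    for j in jitter:
        t += 60 + j
        flows.append((t, "10.0.0.5", "203.0.113.10", 512))
    # Host B: a handful of irregular connections, ordinary user activity.
    for t in (1_700_000_030, 1_700_000_095, 1_700_000_700):
        flows.append((t, "10.0.0.7", "198.51.100.20", 4096))
    return sorted(flows)


def detect_beacons(flows, min_conns=10, min_span_s=600, max_cv=0.2):
    """Flag (src, dst) pairs that talk often, over a long window, at regular intervals.

    cv is the coefficient of variation of inter-connection gaps: low cv means the
    timing is regular, which is what a scheduled C2 check-in looks like.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), times in by_pair.items():
        times.sort()
        if len(times) < min_conns:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        span = times[-1] - times[0]
        cv = pstdev(gaps) / mean(gaps)
        if span >= min_span_s and cv <= max_cv:
            findings.append({"src": src, "dst": dst, "connections": len(times),
                             "span_s": span, "mean_gap_s": round(mean(gaps), 1),
                             "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(build_sample()):
        print(f)
```

Only host A is reported; host B never reaches the connection-count threshold, which is the intended separation between a foothold checking in and normal browsing.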

Why the other choices are incorrect:

  • Weaponization: The weaponization phase is part of the pre-attack preparation. In this stage, the attacker takes a known vulnerability and pairs it with a crafted exploit and a delivery method (like a malicious macro or a booby-trapped document). This occurs entirely on the attacker's side and does not generate any network traffic, especially not from the target system. Therefore, extended outbound communication cannot be associated with this phase.
  • Reconnaissance: Reconnaissance involves the attacker researching and gathering information about a potential target—such as IP addresses, domain names, employee names, or technology stack—to identify possible vulnerabilities. This stage is typically passive and occurs before any direct interaction with the target network. Because no system has been compromised at this point, there would be no internal or outbound traffic from the target system to observe.
  • Exploitation: Exploitation is the initial point of compromise, where the attacker executes malicious code on the target system by taking advantage of a vulnerability. This may include triggering a buffer overflow, executing a macro, or exploiting an unpatched service. While exploitation might cause some initial communication (like a callback), it is generally a short-lived, one-time event. It does not involve the ongoing or periodic outbound communication characteristic of the C2 phase.
