Dec. 31, 2023, 8:16 p.m. | /u/Ravager6969

cybersecurity www.reddit.com

New to blue team stuff and just wanted to confirm I got a reasonable understanding of what commands look like from event log view.

Say an attacker installed a C2 beacon and then was able to install a service on another endpoint adjacent to it, say using a service.

I suspect in general you would not see any real commands on the initial compromised endpoint as it's probably encrypted or tunneled or something.

But on the endpoint the eventual command emerges …
