> For the complete documentation index, see [llms.txt](https://rootguard.gitbook.io/cyberops/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://rootguard.gitbook.io/cyberops/knowledge-base/junior-analyst-skills/powershell-for-secops/command-and-control-c2-discovery.md).

# Command & Control (C2) Discovery

### **Introduction**

PowerShell is a highly versatile and powerful tool that plays a critical role in security operations (SecOps), particularly in managing systems, automating processes, and conducting detailed investigations in enterprise environments. Its seamless integration with Windows and its ability to execute commands and scripts across networks make it indispensable for **Digital Forensics and Incident Response (DFIR)**. One of its significant applications in DFIR is identifying **Command & Control (C2) Discovery** activities. Command & Control is a stage in the attack lifecycle where attackers establish communication channels to control compromised systems remotely. PowerShell enables SecOps teams to efficiently detect and analyse C2 activities, allowing for rapid containment and mitigation of threats in enterprise networks.

***

### **Capabilities of PowerShell for Command & Control Discovery in DFIR**

**1. Monitoring Suspicious Network Connections:**

PowerShell can be used to detect unusual or unauthorised network connections, such as those to known malicious IPs, suspicious domains, or uncommon ports. This includes identifying connections initiated by malware or remote access tools.

**2. Detecting Beaconing and Periodic Traffic:**

Attackers often use periodic beaconing to maintain a stealthy C2 connection. PowerShell allows for querying and analysing network traffic patterns to detect such activity, particularly through scheduled queries or traffic logs.

**3. Analysing Processes and Command-Line Activity:**

Malicious C2 tools often spawn processes with specific command-line arguments. PowerShell can inspect running processes, parent-child relationships, and associated command-line parameters to uncover evidence of C2 tools in use.

**4. Inspecting System and Application Logs:**

PowerShell provides access to system logs, such as those generated by firewalls, proxies, or endpoint protection tools, to identify anomalies indicative of C2 communications. This includes events such as DNS lookups, blocked traffic, or unauthorised use of remote desktop protocols.

**5. Identifying Abused Native Tools for C2:**

Attackers frequently abuse built-in Windows tools like PowerShell itself, WMI, or `bitsadmin` to establish or maintain C2 channels. PowerShell can detect unusual usage patterns or encoded commands that indicate such abuse.

**6. Detecting Data Exfiltration Attempts:**

C2 channels are often used for data exfiltration. PowerShell can analyse file transfer activities, identify suspicious file uploads, or detect large outbound traffic spikes associated with C2 operations.

**7. Hunting for Known C2 Tools and Indicators:**

PowerShell identifies commonly used C2 frameworks and tools like Cobalt Strike, Metasploit, or Impacket by searching for known IOCs, file hashes, or process signatures.

***

### **Efficiency Provided by PowerShell in Command & Control Discovery**

1. **Comprehensive Network Visibility**: PowerShell provides detailed insights into network activity, processes, and logs, enabling analysts to detect C2 activities across endpoints and servers.
2. **Real-Time Detection**: PowerShell’s ability to execute dynamic queries and monitor logs in real-time allows for rapidly identifying C2 communication channels, reducing response times.
3. **Scalability**: With **PowerShell Remoting**, SecOps teams can simultaneously investigate potential C2 activities across multiple systems, ensuring thorough coverage in large enterprise environments.
4. **Automation of C2 Detection**: Routine tasks such as analysing network logs or inspecting processes for C2 indicators can be automated using PowerShell scripts, increasing efficiency and consistency in investigations.
5. **Customisable Detection: PowerShell scripts can be tailored to detect specific C2 techniques, including DNS tunnelling, HTTP beaconing, or the use of uncommon ports, aligning with the MITRE ATT\&CK framework.**
6. **Integration with Security Ecosystems**: PowerShell integrates seamlessly with security tools like Microsoft Sentinel, Defender for Endpoint, and SIEM platforms, enabling enriched detection, automated alerts, and response workflows.

***

By leveraging PowerShell’s capabilities, SecOps teams can efficiently uncover and mitigate Command & Control Discovery activities, reducing the likelihood of attackers maintaining control over compromised systems and ensuring the security of enterprise networks.

### Command & Control (C2) Discovery

### 1. **Network Connection Monitoring**

**1.1. Detecting Unusual Outbound Connections**

**Purpose**: Identify suspicious outbound connections to unfamiliar IP addresses or domains.

{% code overflow="wrap" %}

```powershell
Get-NetTCPConnection | Where-Object {$_.State -eq 'Established' -and $_.RemoteAddress -notin 'KnownGoodIPs'} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort
```

{% endcode %}

**1.2. Monitoring Connections to High-Entropy Domains**

**Purpose**: Detect connections to high-entropy domains, often used for C2 communication.

{% code overflow="wrap" %}

```powershell
Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" |  Where-Object {($_.Message -match "QueryName") -and ($_.Message -match "[a-zA-Z0-9]{10,}")} | Select-Object TimeCreated, @{n='DomainName';e={$_.Message -match 'QueryName: (.*)' -replace 'QueryName: '}}
```

{% endcode %}

### 2. **DNS-based C2 Detection**

**2.1. Detecting DNS Tunneling**

**Purpose**: Identify potential DNS tunneling used for C2 communication.

{% code overflow="wrap" %}

```powershell
Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" |  Where-Object {($_.Message -match "TXT") -or ($_.Message -match "TXT Record")} | Select-Object TimeCreated, @{n='DomainName';e={$_.Message -match 'QueryName: (.*)' -replace 'QueryName: '}}
```

{% endcode %}

**2.2. Frequent DNS Requests Monitoring**

**Purpose**: Identify frequent DNS requests to the same domain, indicating possible C2 activity.

{% code overflow="wrap" %}

```powershell
Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" |  Group-Object -Property {$_.Message -match 'QueryName: (.*)' -replace 'QueryName: '} | Where-Object {$_.Count -gt 100} |  Select-Object @{n='DomainName';e={$_.Name}}, Count
```

{% endcode %}

### 3. **HTTP/HTTPS C2 Detection**

**3.1. Detecting Suspicious User-Agent Strings**

**Purpose**: Identify HTTP/HTTPS requests with unusual or rare User-Agent strings.

{% code overflow="wrap" %}

```powershell
Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" |  Where-Object {$_.Message -match "User-Agent: [^a-zA-Z0-9\- ]+"} | Select-Object TimeCreated, @{n='UserAgent';e={$_.Message -match 'User-Agent: (.*)' -replace 'User-Agent: '}}
```

{% endcode %}

**3.2. Monitoring Encrypted Traffic Anomalies**

**Purpose**: Identify anomalies in encrypted traffic patterns that may indicate HTTPS-based C2.

{% code overflow="wrap" %}

```powershell
Get-NetTCPConnection | Where-Object {$_.State -eq 'Established' -and $_.RemotePort -eq 443 -and $_.RemoteAddress -notin 'KnownGoodIPs'} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort
```

{% endcode %}

### 4. **Beaconing Behavior Detection**

**4.1. Detecting Regular Interval Connections**

**Purpose**: Identify network connections occurring at regular intervals, indicative of beaconing.

{% code overflow="wrap" %}

```powershell
Get-NetTCPConnection | Group-Object -Property RemoteAddress |  Where-Object {$_.Count -gt 10} | Select-Object @{n='RemoteAddress';e={$_.Name}}, Count
```

{% endcode %}

**4.2. Monitoring Low-Volume Periodic Traffic**

**Purpose**: Identify low-volume, periodic network traffic patterns that may suggest C2 communication.

{% code overflow="wrap" %}

```powershell
Get-NetTCPConnection | Where-Object {$_.State -eq 'Established' -and $_.LocalAddress -notin 'KnownGoodIPs'} | Group-Object -Property RemoteAddress |  Where-Object {$_.Count -gt 10} | Select-Object @{n='RemoteAddress';e={$_.Name}}, Count
```

{% endcode %}

### 5. **Email-based C2 Detection**

**5.1. Detecting Suspicious Email Attachments**

**Purpose**: Identify email attachments that may contain malicious payloads or scripts.

{% code overflow="wrap" %}

```powershell
Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" |  Where-Object {$_.Message -match "Attachment"} | Select-Object TimeCreated, @{n='Attachment';e={$_.Message -match 'Attachment: (.*)' -replace 'Attachment: '}}
```

{% endcode %}

**5.2. Monitoring Unusual Email Communication Patterns**

**Purpose**: Detect unusual patterns in email communication, such as emails with suspicious subjects or senders.

{% code overflow="wrap" %}

```powershell
Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" |  Where-Object {$_.Message -match "Subject: [^a-zA-Z0-9\- ]+"} | Select-Object TimeCreated, @{n='Subject';e={$_.Message -match 'Subject: (.*)' -replace 'Subject: '}}
```

{% endcode %}

### 6. **Domain Generation Algorithm (DGA) Detection**

**6.1. Detecting DGA Domain Names**

**Purpose**: Identify domain names generated by a Domain Generation Algorithm (DGA).

{% code overflow="wrap" %}

```powershell
Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" |  Where-Object {($_.Message -match "[a-zA-Z0-9]{10,}") -and ($_.Message -match ".com|.net|.org")} | Select-Object TimeCreated, @{n='DomainName';e={$_.Message -match 'QueryName: (.*)' -replace 'QueryName: '}}
```

{% endcode %}

**6.2. Monitoring High-Frequency Domain Resolution**

**Purpose**: Identify frequent domain resolutions, a characteristic of DGA-based C2.

{% code overflow="wrap" %}

```powershell
Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" |  Group-cObject -Property {$_.Message -match 'QueryName: (.*)' -replace 'QueryName: '} | Where-Object {$_.Count -gt 200} |  Select-Object @{n='DomainName';e={$_.Name}}, Count
```

{% endcode %}

### 7. **Peer-to-Peer (P2P) C2 Detection**

**7.1. Detecting P2P Protocol Traffic**

**Purpose**: Identify traffic indicative of peer-to-peer C2 communication.

{% code overflow="wrap" %}

```powershell
Get-NetTCPConnection | Where-Object {$_.RemotePort -in 6881, 6889, 6969} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort
```

{% endcode %}

**7.2. Monitoring Unusual Port Usage**

**Purpose**: Identify unusual port usage that may indicate non-standard P2P communications.

{% code overflow="wrap" %}

```powershell
Get-NetTCPConnection | Where-Object {$_.RemotePort -notin (80, 443, 21, 22, 25)} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort
```

{% endcode %}

### 8. **Command Execution and Data Exfiltration**

**8.1. Monitoring Command Execution via C2 Channels**

**Purpose**: Detect the execution of commands or scripts via C2 channels.

{% code overflow="wrap" %}

```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} |  Where-Object {$_.Properties[9].Value -match "cmd.exe|powershell.exe"} | Select-Object TimeCreated, @{n='ProcessName';e={$_.Properties[5].Value}}, @{n='CommandLine';e={$_.Properties[9].Value}}
```

{% endcode %}

**8.2. Detecting Data Exfiltration Indicators**

**Purpose**: Identify potential data exfiltration activities, such as large data transfers to external IPs

{% code overflow="wrap" %}

```powershell
Get-NetTCPConnection | Where-Object {$_.State -eq 'Established' -and $_.RemoteAddress -notin 'KnownGoodIPs'} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort
```

{% endcode %}

### 9. **TLS/SSL Certificate Anomalies**

**9.1. Detecting Self-Signed Certificates**

**Purpose**: Identify the use of self-signed certificates, which may indicate malicious HTTPS traffic.

{% code overflow="wrap" %}

```powershell
Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" |  Where-Object {$_.Message -match "Self-Signed"} | Select-Object TimeCreated, @{n='Certificate';e={$_.Message -match 'Certificate: (.*)' -replace 'Certificate: '}}
```

{% endcode %}

**9.2. Monitoring for Short-Lived Certificates**

**Purpose**: Identify the use of short-lived TLS/SSL certificates, often used in malicious activities.

{% code overflow="wrap" %}

```powershell
Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" |  Where-Object {$_.Message -match "Certificate Expiry"} | Select-Object TimeCreated, @{n='Certificate';e={$_.Message -match 'Certificate: (.*)' -replace 'Certificate: '}}
```

{% endcode %}

### 10. **Anonymisation Services and Tor Usage**

**10.1. Detecting Tor Network Usage**

**Purpose**: Identify connections to the Tor network, often used for anonymization.

{% code overflow="wrap" %}

```powershell
Get-NetTCPConnection | Where-Object {$_.RemoteAddress -in 'TorExitNodesIPs'} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort
```

{% endcode %}

**10.2. Monitoring for VPN or Proxy Services**

**Purpose**: Detect the use of VPNs or proxy services to mask C2 communication.

{% code overflow="wrap" %}

```powershell
Get-NetTCPConnection | Where-Object {$_.RemoteAddress -in 'KnownVPNIPs'} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort
```

{% endcode %}

### **Additional Discovery Techniques**

### 1. **Network Traffic and Connection Monitoring**

**1.1. Detecting Unusual Outbound Connections**

**Purpose**: Identify connections to suspicious or unfamiliar external IP addresses.

{% code overflow="wrap" %}

```powershell
Get-NetTCPConnection | Where-Object {$_.State -eq 'Established' -and $_.RemoteAddress -notin 'KnownGoodIPs'} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort
```

{% endcode %}

**1.2. Monitoring Connections to High-Risk Countries**

**Purpose**: Detect connections to IP addresses in countries known for hosting C2 infrastructure.

{% code overflow="wrap" %}

```powershell
Get-NetTCPConnection | Where-Object {($_.RemoteAddress -match 'IP_Range_Country_X') -and ($_.State -eq 'Established')} | Select-Object LocalAddress, RemoteAddress
```

{% endcode %}

### 2. **DNS-based C2 Detection**

**2.1. Identifying Frequent DNS Queries to Unusual Domains**

**Purpose**: Detect frequent DNS queries that may indicate domain generation algorithm (DGA) activity.

{% code overflow="wrap" %}

```powershell
`Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" |  Group-Object -Property {$_.Message -match 'QueryName: (.*)' -replace 'QueryName: '} | Where-Object {$_.Count -gt 50} |  Select-Object @{n='DomainName';e={$_.Name}}, Count`
```

{% endcode %}

**2.2. Monitoring DNS Requests for Suspicious TLDs**

**Purpose**: Detect DNS requests to top-level domains (TLDs) commonly associated with malicious activity.

{% code overflow="wrap" %}

```powershell
Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" |  Where-Object {($_.Message -match "\.xyz$|\.pw$|\.top$")} | Select-Object TimeCreated, @{n='DomainName';e={$_.Message -match 'QueryName: (.*)' -replace 'QueryName: '}}
```

{% endcode %}

### 3. **HTTP/HTTPS-based C2 Detection**

**3.1. Detecting Suspicious User-Agent Strings**

**Purpose**: Identify HTTP/HTTPS requests with uncommon or suspicious User-Agent strings.

{% code overflow="wrap" %}

```powershell
Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" |  Where-Object {$_.Message -match "User-Agent: [^a-zA-Z0-9\- ]+"} | Select-Object TimeCreated, @{n='UserAgent';e={$_.Message -match 'User-Agent: (.*)' -replace 'User-Agent: '}}
```

{% endcode %}

**3.2. Monitoring HTTP POST Requests**

**Purpose**: Detect HTTP POST requests to suspicious endpoints, indicating potential data exfiltration.

{% code overflow="wrap" %}

```powershell
Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" |  Where-Object {($_.Message -match "POST") -and ($_.Message -match "http")} | Select-Object TimeCreated, @{n='URL';e={$_.Message -match 'URL: (.*)' -replace 'URL: '}}
```

{% endcode %}

### 4. **Beaconing Behavior Detection**

**4.1. Identifying Regular Interval Network Connections**

**Purpose**: Detect beaconing behavior characterized by regular interval connections to external IPs.

{% code overflow="wrap" %}

```powershell
Get-NetTCPConnection |  Group-Object -Property RemoteAddress |  Where-Object {$_.Count -gt 10} |  Select-Object @{n='RemoteAddress';e={$_.Name}}, Count
```

{% endcode %}

**4.2. Monitoring Low-Volume Periodic Traffic**

**Purpose**: Identify low-volume, periodic traffic patterns indicative of beaconing.

{% code overflow="wrap" %}

```powershell
Get-NetTCPConnection | Where-Object {($_.State -eq 'Established') -and ($_.RemoteAddress -notin 'KnownGoodIPs')} | Group-Object -Property RemoteAddress |  Where-Object {$_.Count -gt 10} | Select-Object @{n='RemoteAddress';e={$_.Name}}, Count
```

{% endcode %}

### 5. **Malicious Code and Script Execution**

**5.1. Detecting PowerShell Command Execution**

**Purpose**: Monitor for potentially malicious PowerShell command execution.

{% code overflow="wrap" %}

```powershell
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Where-Object {$_.Message -match 'Invoke-WebRequest|Invoke-RestMethod'} | Select-Object TimeCreated, @{n='ScriptBlock';e={$_.Message}}
```

{% endcode %}

**5.2. Monitoring JavaScript or VBScript Execution**

**Purpose**: Detect the execution of potentially malicious JavaScript or VBScript.

{% code overflow="wrap" %}

```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {($_.Properties[5].Value -match 'wscript.exe|cscript.exe') -and ($_.Properties[9].Value -match '\.js|\.vbs')} | Select-Object TimeCreated, @{n='CommandLine';e={$_.Properties[9].Value}}
```

{% endcode %}

### 6. **TLS/SSL Certificate Anomalies**

**6.1. Identifying Self-Signed Certificates**

**Purpose**: Detect the use of self-signed certificates, which may indicate malicious HTTPS traffic.

{% code overflow="wrap" %}

```powershell
Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" |  Where-Object {$_.Message -match "Self-Signed"} | Select-Object TimeCreated, @{n='Certificate';e={$_.Message -match 'Certificate: (.*)' -replace 'Certificate: '}}
```

{% endcode %}

**6.2. Monitoring for Short-Lived Certificates**

**Purpose**: Identify the use of short-lived TLS/SSL certificates, often used in malicious activities.

{% code overflow="wrap" %}

```powershell
Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" |  Where-Object {$_.Message -match "Certificate Expiry"} | Select-Object TimeCreated, @{n='Certificate';e={$_.Message -match 'Certificate: (.*)' -replace 'Certificate: '}}
```

{% endcode %}

### 7. **Email-based C2 Detection**

**7.1. Detecting Suspicious Email Communications**

**Purpose**: Identify email communications that may indicate C2 activity, such as exfiltration or command execution.

{% code overflow="wrap" %}

```powershell
Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" |  Where-Object {$_.Message -match "Email Send"} | Select-Object TimeCreated, @{n='EmailDetails';e={$_.Message}}
```

{% endcode %}

**7.2. Monitoring for Unusual Email Attachments**

**Purpose**: Detect email attachments that may contain C2 tools or scripts.

{% code overflow="wrap" %}

```powershell
Get-WinEvent -LogName "Microsoft-Windows-EventLog/Email" |  Where-Object {($_.Message -match "Attachment: ") -and ($_.Message -match ".exe|.bat|.ps1")} | Select-Object TimeCreated, @{n='Attachment';e={$_.Message}}
```

{% endcode %}

### 8. **Command Execution and Data Exfiltration**

**8.1. Monitoring for Command and Control via Web Shells**

**Purpose**: Identify the use of web shells for C2 activities.

{% code overflow="wrap" %}

```powershell
Get-WinEvent -LogName "Microsoft-Windows-IIS-Logging" |  Where-Object {($_.Message -match "POST") -and ($_.Message -match "cmd|powershell")} | Select-Object TimeCreated, @{n='Request';e={$_.Message}}
```

{% endcode %}

**8.2. Detecting Data Exfiltration Indicators**

**Purpose**: Identify potential data exfiltration activities, such as large data transfers to external IPs.

{% code overflow="wrap" %}

```powershell
Get-NetTCPConnection | Where-Object {($_.State -eq 'Established') -and ($_.RemoteAddress -notin 'KnownGoodIPs')} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort
```

{% endcode %}

### 9. **Application Whitelisting and Execution Control Bypass**

**9.1. Detecting Execution of Non-Whitelisted Applications**

**Purpose**: Monitor the execution of applications that bypass whitelisting controls.

{% code overflow="wrap" %}

```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {($_.Properties[5].Value -notmatch 'whitelisted_app.exe|another_allowed_app.exe')} | Select-Object TimeCreated, @{n='CommandLine';e={$_.Properties[9].Value}}
```

{% endcode %}

**9.2. Monitoring Dynamic Invocation of Scripts**

**Purpose**: Detect the dynamic invocation of scripts to bypass whitelisting.

{% code overflow="wrap" %}

```powershell
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Where-Object {$_.Message -match 'Invoke-Expression|Invoke-Command'} | Select-Object TimeCreated, @{n='ScriptBlock';e={$_.Message}}
```

{% endcode %}

### 10. **Peer-to-Peer (P2P) C2 Detection**

**10.1. Identifying P2P Protocol Traffic**

**Purpose**: Detect traffic indicative of peer-to-peer C2 communication.

{% code overflow="wrap" %}

```powershell
Get-NetTCPConnection | Where-Object {$_.RemotePort -in 6881, 6889, 6969} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort
```

{% endcode %}

**10.2. Monitoring Unusual Port Usage**

**Purpose**: Identify unusual port usage that may indicate non-standard P2P communications.

{% code overflow="wrap" %}

```powershell
Get-NetTCPConnection | Where-Object {$_.RemotePort -notin (80, 443, 21, 22, 25)} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort
```

{% endcode %}
