Command & Control (C2) Discovery

Introduction

PowerShell is a highly versatile and powerful tool that plays a critical role in security operations (SecOps), particularly in managing systems, automating processes, and conducting detailed investigations in enterprise environments. Its seamless integration with Windows and its ability to execute commands and scripts across networks make it indispensable for Digital Forensics and Incident Response (DFIR). One of its significant applications in DFIR is identifying Command & Control (C2) Discovery activities. Command & Control is a stage in the attack lifecycle where attackers establish communication channels to control compromised systems remotely. PowerShell enables SecOps teams to efficiently detect and analyse C2 activities, allowing for rapid containment and mitigation of threats in enterprise networks.

Capabilities of PowerShell for Command & Control Discovery in DFIR

1. Monitoring Suspicious Network Connections:

PowerShell can be used to detect unusual or unauthorised network connections, such as those to known malicious IPs, suspicious domains, or uncommon ports. This includes identifying connections initiated by malware or remote access tools.

2. Detecting Beaconing and Periodic Traffic:

Attackers often use periodic beaconing to maintain a stealthy C2 connection. PowerShell allows for querying and analysing network traffic patterns to detect such activity, particularly through scheduled queries or traffic logs.

3. Analysing Processes and Command-Line Activity:

Malicious C2 tools often spawn processes with specific command-line arguments. PowerShell can inspect running processes, parent-child relationships, and associated command-line parameters to uncover evidence of C2 tools in use.

4. Inspecting System and Application Logs:

PowerShell provides access to system logs, such as those generated by firewalls, proxies, or endpoint protection tools, to identify anomalies indicative of C2 communications. This includes events such as DNS lookups, blocked traffic, or unauthorised use of remote desktop protocols.

5. Identifying Abused Native Tools for C2:

Attackers frequently abuse built-in Windows tools like PowerShell itself, WMI, or bitsadmin to establish or maintain C2 channels. PowerShell can detect unusual usage patterns or encoded commands that indicate such abuse.

6. Detecting Data Exfiltration Attempts:

C2 channels are often used for data exfiltration. PowerShell can analyse file transfer activities, identify suspicious file uploads, or detect large outbound traffic spikes associated with C2 operations.

7. Hunting for Known C2 Tools and Indicators:

PowerShell identifies commonly used C2 frameworks and tools like Cobalt Strike, Metasploit, or Impacket by searching for known IOCs, file hashes, or process signatures.

Efficiency Provided by PowerShell in Command & Control Discovery

Comprehensive Network Visibility: PowerShell provides detailed insights into network activity, processes, and logs, enabling analysts to detect C2 activities across endpoints and servers.
Real-Time Detection: PowerShell’s ability to execute dynamic queries and monitor logs in real-time allows for rapidly identifying C2 communication channels, reducing response times.
Scalability: With PowerShell Remoting, SecOps teams can simultaneously investigate potential C2 activities across multiple systems, ensuring thorough coverage in large enterprise environments.
Automation of C2 Detection: Routine tasks such as analysing network logs or inspecting processes for C2 indicators can be automated using PowerShell scripts, increasing efficiency and consistency in investigations.
Customisable Detection: PowerShell scripts can be tailored to detect specific C2 techniques, including DNS tunnelling, HTTP beaconing, or the use of uncommon ports, aligning with the MITRE ATT&CK framework.
Integration with Security Ecosystems: PowerShell integrates seamlessly with security tools like Microsoft Sentinel, Defender for Endpoint, and SIEM platforms, enabling enriched detection, automated alerts, and response workflows.

By leveraging PowerShell’s capabilities, SecOps teams can efficiently uncover and mitigate Command & Control Discovery activities, reducing the likelihood of attackers maintaining control over compromised systems and ensuring the security of enterprise networks.

Command & Control (C2) Discovery

1. Network Connection Monitoring

1.1. Detecting Unusual Outbound Connections

Purpose: Identify suspicious outbound connections to unfamiliar IP addresses or domains.

Get-NetTCPConnection | Where-Object {$_.State -eq 'Established' -and $_.RemoteAddress -notin 'KnownGoodIPs'} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort

1.2. Monitoring Connections to High-Entropy Domains

Purpose: Detect connections to high-entropy domains, often used for C2 communication.

Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" |  Where-Object {($_.Message -match "QueryName") -and ($_.Message -match "[a-zA-Z0-9]{10,}")} | Select-Object TimeCreated, @{n='DomainName';e={$_.Message -match 'QueryName: (.*)' -replace 'QueryName: '}}

2. DNS-based C2 Detection

2.1. Detecting DNS Tunneling

Purpose: Identify potential DNS tunneling used for C2 communication.

Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" |  Where-Object {($_.Message -match "TXT") -or ($_.Message -match "TXT Record")} | Select-Object TimeCreated, @{n='DomainName';e={$_.Message -match 'QueryName: (.*)' -replace 'QueryName: '}}

2.2. Frequent DNS Requests Monitoring

Purpose: Identify frequent DNS requests to the same domain, indicating possible C2 activity.

Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" |  Group-Object -Property {$_.Message -match 'QueryName: (.*)' -replace 'QueryName: '} | Where-Object {$_.Count -gt 100} |  Select-Object @{n='DomainName';e={$_.Name}}, Count

3. HTTP/HTTPS C2 Detection

3.1. Detecting Suspicious User-Agent Strings

Purpose: Identify HTTP/HTTPS requests with unusual or rare User-Agent strings.

Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" |  Where-Object {$_.Message -match "User-Agent: [^a-zA-Z0-9\- ]+"} | Select-Object TimeCreated, @{n='UserAgent';e={$_.Message -match 'User-Agent: (.*)' -replace 'User-Agent: '}}

3.2. Monitoring Encrypted Traffic Anomalies

Purpose: Identify anomalies in encrypted traffic patterns that may indicate HTTPS-based C2.

Get-NetTCPConnection | Where-Object {$_.State -eq 'Established' -and $_.RemotePort -eq 443 -and $_.RemoteAddress -notin 'KnownGoodIPs'} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort

4. Beaconing Behavior Detection

4.1. Detecting Regular Interval Connections

Purpose: Identify network connections occurring at regular intervals, indicative of beaconing.

Get-NetTCPConnection | Group-Object -Property RemoteAddress |  Where-Object {$_.Count -gt 10} | Select-Object @{n='RemoteAddress';e={$_.Name}}, Count

4.2. Monitoring Low-Volume Periodic Traffic

Purpose: Identify low-volume, periodic network traffic patterns that may suggest C2 communication.

Get-NetTCPConnection | Where-Object {$_.State -eq 'Established' -and $_.LocalAddress -notin 'KnownGoodIPs'} | Group-Object -Property RemoteAddress |  Where-Object {$_.Count -gt 10} | Select-Object @{n='RemoteAddress';e={$_.Name}}, Count

5. Email-based C2 Detection

5.1. Detecting Suspicious Email Attachments

Purpose: Identify email attachments that may contain malicious payloads or scripts.

Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" |  Where-Object {$_.Message -match "Attachment"} | Select-Object TimeCreated, @{n='Attachment';e={$_.Message -match 'Attachment: (.*)' -replace 'Attachment: '}}

5.2. Monitoring Unusual Email Communication Patterns

Purpose: Detect unusual patterns in email communication, such as emails with suspicious subjects or senders.

Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" |  Where-Object {$_.Message -match "Subject: [^a-zA-Z0-9\- ]+"} | Select-Object TimeCreated, @{n='Subject';e={$_.Message -match 'Subject: (.*)' -replace 'Subject: '}}

6. Domain Generation Algorithm (DGA) Detection

6.1. Detecting DGA Domain Names

Purpose: Identify domain names generated by a Domain Generation Algorithm (DGA).

Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" |  Where-Object {($_.Message -match "[a-zA-Z0-9]{10,}") -and ($_.Message -match ".com|.net|.org")} | Select-Object TimeCreated, @{n='DomainName';e={$_.Message -match 'QueryName: (.*)' -replace 'QueryName: '}}

6.2. Monitoring High-Frequency Domain Resolution

Purpose: Identify frequent domain resolutions, a characteristic of DGA-based C2.

Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" |  Group-cObject -Property {$_.Message -match 'QueryName: (.*)' -replace 'QueryName: '} | Where-Object {$_.Count -gt 200} |  Select-Object @{n='DomainName';e={$_.Name}}, Count

7. Peer-to-Peer (P2P) C2 Detection

7.1. Detecting P2P Protocol Traffic

Purpose: Identify traffic indicative of peer-to-peer C2 communication.

Get-NetTCPConnection | Where-Object {$_.RemotePort -in 6881, 6889, 6969} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort

7.2. Monitoring Unusual Port Usage

Purpose: Identify unusual port usage that may indicate non-standard P2P communications.

Get-NetTCPConnection | Where-Object {$_.RemotePort -notin (80, 443, 21, 22, 25)} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort

8. Command Execution and Data Exfiltration

8.1. Monitoring Command Execution via C2 Channels

Purpose: Detect the execution of commands or scripts via C2 channels.

Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} |  Where-Object {$_.Properties[9].Value -match "cmd.exe|powershell.exe"} | Select-Object TimeCreated, @{n='ProcessName';e={$_.Properties[5].Value}}, @{n='CommandLine';e={$_.Properties[9].Value}}

8.2. Detecting Data Exfiltration Indicators

Purpose: Identify potential data exfiltration activities, such as large data transfers to external IPs

Get-NetTCPConnection | Where-Object {$_.State -eq 'Established' -and $_.RemoteAddress -notin 'KnownGoodIPs'} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort

9. TLS/SSL Certificate Anomalies

9.1. Detecting Self-Signed Certificates

Purpose: Identify the use of self-signed certificates, which may indicate malicious HTTPS traffic.

Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" |  Where-Object {$_.Message -match "Self-Signed"} | Select-Object TimeCreated, @{n='Certificate';e={$_.Message -match 'Certificate: (.*)' -replace 'Certificate: '}}

9.2. Monitoring for Short-Lived Certificates

Purpose: Identify the use of short-lived TLS/SSL certificates, often used in malicious activities.

Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" |  Where-Object {$_.Message -match "Certificate Expiry"} | Select-Object TimeCreated, @{n='Certificate';e={$_.Message -match 'Certificate: (.*)' -replace 'Certificate: '}}

10. Anonymisation Services and Tor Usage

10.1. Detecting Tor Network Usage

Purpose: Identify connections to the Tor network, often used for anonymization.

Get-NetTCPConnection | Where-Object {$_.RemoteAddress -in 'TorExitNodesIPs'} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort

10.2. Monitoring for VPN or Proxy Services

Purpose: Detect the use of VPNs or proxy services to mask C2 communication.

Get-NetTCPConnection | Where-Object {$_.RemoteAddress -in 'KnownVPNIPs'} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort

Additional Discovery Techniques

1. Network Traffic and Connection Monitoring

1.1. Detecting Unusual Outbound Connections

Purpose: Identify connections to suspicious or unfamiliar external IP addresses.

Get-NetTCPConnection | Where-Object {$_.State -eq 'Established' -and $_.RemoteAddress -notin 'KnownGoodIPs'} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort

1.2. Monitoring Connections to High-Risk Countries

Purpose: Detect connections to IP addresses in countries known for hosting C2 infrastructure.

Get-NetTCPConnection | Where-Object {($_.RemoteAddress -match 'IP_Range_Country_X') -and ($_.State -eq 'Established')} | Select-Object LocalAddress, RemoteAddress

2. DNS-based C2 Detection

2.1. Identifying Frequent DNS Queries to Unusual Domains

Purpose: Detect frequent DNS queries that may indicate domain generation algorithm (DGA) activity.

`Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" |  Group-Object -Property {$_.Message -match 'QueryName: (.*)' -replace 'QueryName: '} | Where-Object {$_.Count -gt 50} |  Select-Object @{n='DomainName';e={$_.Name}}, Count`

2.2. Monitoring DNS Requests for Suspicious TLDs

Purpose: Detect DNS requests to top-level domains (TLDs) commonly associated with malicious activity.

Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" |  Where-Object {($_.Message -match "\.xyz$|\.pw$|\.top$")} | Select-Object TimeCreated, @{n='DomainName';e={$_.Message -match 'QueryName: (.*)' -replace 'QueryName: '}}

3. HTTP/HTTPS-based C2 Detection

3.1. Detecting Suspicious User-Agent Strings

Purpose: Identify HTTP/HTTPS requests with uncommon or suspicious User-Agent strings.

Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" |  Where-Object {$_.Message -match "User-Agent: [^a-zA-Z0-9\- ]+"} | Select-Object TimeCreated, @{n='UserAgent';e={$_.Message -match 'User-Agent: (.*)' -replace 'User-Agent: '}}

3.2. Monitoring HTTP POST Requests

Purpose: Detect HTTP POST requests to suspicious endpoints, indicating potential data exfiltration.

Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" |  Where-Object {($_.Message -match "POST") -and ($_.Message -match "http")} | Select-Object TimeCreated, @{n='URL';e={$_.Message -match 'URL: (.*)' -replace 'URL: '}}

4. Beaconing Behavior Detection

4.1. Identifying Regular Interval Network Connections

Purpose: Detect beaconing behavior characterized by regular interval connections to external IPs.

Get-NetTCPConnection |  Group-Object -Property RemoteAddress |  Where-Object {$_.Count -gt 10} |  Select-Object @{n='RemoteAddress';e={$_.Name}}, Count

4.2. Monitoring Low-Volume Periodic Traffic

Purpose: Identify low-volume, periodic traffic patterns indicative of beaconing.

Get-NetTCPConnection | Where-Object {($_.State -eq 'Established') -and ($_.RemoteAddress -notin 'KnownGoodIPs')} | Group-Object -Property RemoteAddress |  Where-Object {$_.Count -gt 10} | Select-Object @{n='RemoteAddress';e={$_.Name}}, Count

5. Malicious Code and Script Execution

5.1. Detecting PowerShell Command Execution

Purpose: Monitor for potentially malicious PowerShell command execution.

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Where-Object {$_.Message -match 'Invoke-WebRequest|Invoke-RestMethod'} | Select-Object TimeCreated, @{n='ScriptBlock';e={$_.Message}}

5.2. Monitoring JavaScript or VBScript Execution

Purpose: Detect the execution of potentially malicious JavaScript or VBScript.

Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {($_.Properties[5].Value -match 'wscript.exe|cscript.exe') -and ($_.Properties[9].Value -match '\.js|\.vbs')} | Select-Object TimeCreated, @{n='CommandLine';e={$_.Properties[9].Value}}

6. TLS/SSL Certificate Anomalies

6.1. Identifying Self-Signed Certificates

Purpose: Detect the use of self-signed certificates, which may indicate malicious HTTPS traffic.

Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" |  Where-Object {$_.Message -match "Self-Signed"} | Select-Object TimeCreated, @{n='Certificate';e={$_.Message -match 'Certificate: (.*)' -replace 'Certificate: '}}

6.2. Monitoring for Short-Lived Certificates

Purpose: Identify the use of short-lived TLS/SSL certificates, often used in malicious activities.

Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" |  Where-Object {$_.Message -match "Certificate Expiry"} | Select-Object TimeCreated, @{n='Certificate';e={$_.Message -match 'Certificate: (.*)' -replace 'Certificate: '}}

7. Email-based C2 Detection

7.1. Detecting Suspicious Email Communications

Purpose: Identify email communications that may indicate C2 activity, such as exfiltration or command execution.

Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" |  Where-Object {$_.Message -match "Email Send"} | Select-Object TimeCreated, @{n='EmailDetails';e={$_.Message}}

7.2. Monitoring for Unusual Email Attachments

Purpose: Detect email attachments that may contain C2 tools or scripts.

Get-WinEvent -LogName "Microsoft-Windows-EventLog/Email" |  Where-Object {($_.Message -match "Attachment: ") -and ($_.Message -match ".exe|.bat|.ps1")} | Select-Object TimeCreated, @{n='Attachment';e={$_.Message}}

8. Command Execution and Data Exfiltration

8.1. Monitoring for Command and Control via Web Shells

Purpose: Identify the use of web shells for C2 activities.

Get-WinEvent -LogName "Microsoft-Windows-IIS-Logging" |  Where-Object {($_.Message -match "POST") -and ($_.Message -match "cmd|powershell")} | Select-Object TimeCreated, @{n='Request';e={$_.Message}}

8.2. Detecting Data Exfiltration Indicators

Purpose: Identify potential data exfiltration activities, such as large data transfers to external IPs.

Get-NetTCPConnection | Where-Object {($_.State -eq 'Established') -and ($_.RemoteAddress -notin 'KnownGoodIPs')} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort

9. Application Whitelisting and Execution Control Bypass

9.1. Detecting Execution of Non-Whitelisted Applications

Purpose: Monitor the execution of applications that bypass whitelisting controls.

Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {($_.Properties[5].Value -notmatch 'whitelisted_app.exe|another_allowed_app.exe')} | Select-Object TimeCreated, @{n='CommandLine';e={$_.Properties[9].Value}}

9.2. Monitoring Dynamic Invocation of Scripts

Purpose: Detect the dynamic invocation of scripts to bypass whitelisting.

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Where-Object {$_.Message -match 'Invoke-Expression|Invoke-Command'} | Select-Object TimeCreated, @{n='ScriptBlock';e={$_.Message}}

10. Peer-to-Peer (P2P) C2 Detection

10.1. Identifying P2P Protocol Traffic

Purpose: Detect traffic indicative of peer-to-peer C2 communication.

Get-NetTCPConnection | Where-Object {$_.RemotePort -in 6881, 6889, 6969} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort

10.2. Monitoring Unusual Port Usage

Purpose: Identify unusual port usage that may indicate non-standard P2P communications.

Get-NetTCPConnection | Where-Object {$_.RemotePort -notin (80, 443, 21, 22, 25)} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort

PreviousCollection Discovery NextExfiltration Discovery

Last updated 4 months ago