Command & Control (C2) Discovery
Introduction
PowerShell is a highly versatile and powerful tool that plays a critical role in security operations (SecOps), particularly in managing systems, automating processes, and conducting detailed investigations in enterprise environments. Its seamless integration with Windows and its ability to execute commands and scripts across networks make it indispensable for Digital Forensics and Incident Response (DFIR). One of its significant applications in DFIR is identifying Command & Control (C2) Discovery activities. Command & Control is a stage in the attack lifecycle where attackers establish communication channels to control compromised systems remotely. PowerShell enables SecOps teams to efficiently detect and analyse C2 activities, allowing for rapid containment and mitigation of threats in enterprise networks.
Capabilities of PowerShell for Command & Control Discovery in DFIR
1. Monitoring Suspicious Network Connections:
PowerShell can be used to detect unusual or unauthorised network connections, such as those to known malicious IPs, suspicious domains, or uncommon ports. This includes identifying connections initiated by malware or remote access tools.
2. Detecting Beaconing and Periodic Traffic:
Attackers often use periodic beaconing to maintain a stealthy C2 connection. PowerShell allows for querying and analysing network traffic patterns to detect such activity, particularly through scheduled queries or traffic logs.
3. Analysing Processes and Command-Line Activity:
Malicious C2 tools often spawn processes with specific command-line arguments. PowerShell can inspect running processes, parent-child relationships, and associated command-line parameters to uncover evidence of C2 tools in use.
4. Inspecting System and Application Logs:
PowerShell provides access to system logs, such as those generated by firewalls, proxies, or endpoint protection tools, to identify anomalies indicative of C2 communications. This includes events such as DNS lookups, blocked traffic, or unauthorised use of remote desktop protocols.
5. Identifying Abused Native Tools for C2:
Attackers frequently abuse built-in Windows tools like PowerShell itself, WMI, or bitsadmin to establish or maintain C2 channels. PowerShell can detect unusual usage patterns or encoded commands that indicate such abuse.
6. Detecting Data Exfiltration Attempts:
C2 channels are often used for data exfiltration. PowerShell can analyse file transfer activities, identify suspicious file uploads, or detect large outbound traffic spikes associated with C2 operations.
7. Hunting for Known C2 Tools and Indicators:
PowerShell identifies commonly used C2 frameworks and tools like Cobalt Strike, Metasploit, or Impacket by searching for known IOCs, file hashes, or process signatures.
Efficiency Provided by PowerShell in Command & Control Discovery
Comprehensive Network Visibility: PowerShell provides detailed insights into network activity, processes, and logs, enabling analysts to detect C2 activities across endpoints and servers.
Real-Time Detection: PowerShell’s ability to execute dynamic queries and monitor logs in real-time allows for rapidly identifying C2 communication channels, reducing response times.
Scalability: With PowerShell Remoting, SecOps teams can simultaneously investigate potential C2 activities across multiple systems, ensuring thorough coverage in large enterprise environments.
Automation of C2 Detection: Routine tasks such as analysing network logs or inspecting processes for C2 indicators can be automated using PowerShell scripts, increasing efficiency and consistency in investigations.
Customisable Detection: PowerShell scripts can be tailored to detect specific C2 techniques, including DNS tunnelling, HTTP beaconing, or the use of uncommon ports, aligning with the MITRE ATT&CK framework.
Integration with Security Ecosystems: PowerShell integrates seamlessly with security tools like Microsoft Sentinel, Defender for Endpoint, and SIEM platforms, enabling enriched detection, automated alerts, and response workflows.
By leveraging PowerShell’s capabilities, SecOps teams can efficiently uncover and mitigate Command & Control Discovery activities, reducing the likelihood of attackers maintaining control over compromised systems and ensuring the security of enterprise networks.
Command & Control (C2) Discovery
1. Network Connection Monitoring
1.1. Detecting Unusual Outbound Connections
Purpose: Identify suspicious outbound connections to unfamiliar IP addresses or domains.
Get-NetTCPConnection | Where-Object {$_.State -eq 'Established' -and $_.RemoteAddress -notin 'KnownGoodIPs'} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort1.2. Monitoring Connections to High-Entropy Domains
Purpose: Detect connections to high-entropy domains, often used for C2 communication.
Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" | Where-Object {($_.Message -match "QueryName") -and ($_.Message -match "[a-zA-Z0-9]{10,}")} | Select-Object TimeCreated, @{n='DomainName';e={$_.Message -match 'QueryName: (.*)' -replace 'QueryName: '}}2. DNS-based C2 Detection
2.1. Detecting DNS Tunneling
Purpose: Identify potential DNS tunneling used for C2 communication.
Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" | Where-Object {($_.Message -match "TXT") -or ($_.Message -match "TXT Record")} | Select-Object TimeCreated, @{n='DomainName';e={$_.Message -match 'QueryName: (.*)' -replace 'QueryName: '}}2.2. Frequent DNS Requests Monitoring
Purpose: Identify frequent DNS requests to the same domain, indicating possible C2 activity.
Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" | Group-Object -Property {$_.Message -match 'QueryName: (.*)' -replace 'QueryName: '} | Where-Object {$_.Count -gt 100} | Select-Object @{n='DomainName';e={$_.Name}}, Count3. HTTP/HTTPS C2 Detection
3.1. Detecting Suspicious User-Agent Strings
Purpose: Identify HTTP/HTTPS requests with unusual or rare User-Agent strings.
Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" | Where-Object {$_.Message -match "User-Agent: [^a-zA-Z0-9\- ]+"} | Select-Object TimeCreated, @{n='UserAgent';e={$_.Message -match 'User-Agent: (.*)' -replace 'User-Agent: '}}3.2. Monitoring Encrypted Traffic Anomalies
Purpose: Identify anomalies in encrypted traffic patterns that may indicate HTTPS-based C2.
Get-NetTCPConnection | Where-Object {$_.State -eq 'Established' -and $_.RemotePort -eq 443 -and $_.RemoteAddress -notin 'KnownGoodIPs'} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort4. Beaconing Behavior Detection
4.1. Detecting Regular Interval Connections
Purpose: Identify network connections occurring at regular intervals, indicative of beaconing.
Get-NetTCPConnection | Group-Object -Property RemoteAddress | Where-Object {$_.Count -gt 10} | Select-Object @{n='RemoteAddress';e={$_.Name}}, Count4.2. Monitoring Low-Volume Periodic Traffic
Purpose: Identify low-volume, periodic network traffic patterns that may suggest C2 communication.
Get-NetTCPConnection | Where-Object {$_.State -eq 'Established' -and $_.LocalAddress -notin 'KnownGoodIPs'} | Group-Object -Property RemoteAddress | Where-Object {$_.Count -gt 10} | Select-Object @{n='RemoteAddress';e={$_.Name}}, Count5. Email-based C2 Detection
5.1. Detecting Suspicious Email Attachments
Purpose: Identify email attachments that may contain malicious payloads or scripts.
Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" | Where-Object {$_.Message -match "Attachment"} | Select-Object TimeCreated, @{n='Attachment';e={$_.Message -match 'Attachment: (.*)' -replace 'Attachment: '}}5.2. Monitoring Unusual Email Communication Patterns
Purpose: Detect unusual patterns in email communication, such as emails with suspicious subjects or senders.
Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" | Where-Object {$_.Message -match "Subject: [^a-zA-Z0-9\- ]+"} | Select-Object TimeCreated, @{n='Subject';e={$_.Message -match 'Subject: (.*)' -replace 'Subject: '}}6. Domain Generation Algorithm (DGA) Detection
6.1. Detecting DGA Domain Names
Purpose: Identify domain names generated by a Domain Generation Algorithm (DGA).
Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" | Where-Object {($_.Message -match "[a-zA-Z0-9]{10,}") -and ($_.Message -match ".com|.net|.org")} | Select-Object TimeCreated, @{n='DomainName';e={$_.Message -match 'QueryName: (.*)' -replace 'QueryName: '}}6.2. Monitoring High-Frequency Domain Resolution
Purpose: Identify frequent domain resolutions, a characteristic of DGA-based C2.
Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" | Group-cObject -Property {$_.Message -match 'QueryName: (.*)' -replace 'QueryName: '} | Where-Object {$_.Count -gt 200} | Select-Object @{n='DomainName';e={$_.Name}}, Count7. Peer-to-Peer (P2P) C2 Detection
7.1. Detecting P2P Protocol Traffic
Purpose: Identify traffic indicative of peer-to-peer C2 communication.
Get-NetTCPConnection | Where-Object {$_.RemotePort -in 6881, 6889, 6969} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort7.2. Monitoring Unusual Port Usage
Purpose: Identify unusual port usage that may indicate non-standard P2P communications.
Get-NetTCPConnection | Where-Object {$_.RemotePort -notin (80, 443, 21, 22, 25)} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort8. Command Execution and Data Exfiltration
8.1. Monitoring Command Execution via C2 Channels
Purpose: Detect the execution of commands or scripts via C2 channels.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {$_.Properties[9].Value -match "cmd.exe|powershell.exe"} | Select-Object TimeCreated, @{n='ProcessName';e={$_.Properties[5].Value}}, @{n='CommandLine';e={$_.Properties[9].Value}}8.2. Detecting Data Exfiltration Indicators
Purpose: Identify potential data exfiltration activities, such as large data transfers to external IPs
Get-NetTCPConnection | Where-Object {$_.State -eq 'Established' -and $_.RemoteAddress -notin 'KnownGoodIPs'} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort9. TLS/SSL Certificate Anomalies
9.1. Detecting Self-Signed Certificates
Purpose: Identify the use of self-signed certificates, which may indicate malicious HTTPS traffic.
Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" | Where-Object {$_.Message -match "Self-Signed"} | Select-Object TimeCreated, @{n='Certificate';e={$_.Message -match 'Certificate: (.*)' -replace 'Certificate: '}}9.2. Monitoring for Short-Lived Certificates
Purpose: Identify the use of short-lived TLS/SSL certificates, often used in malicious activities.
Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" | Where-Object {$_.Message -match "Certificate Expiry"} | Select-Object TimeCreated, @{n='Certificate';e={$_.Message -match 'Certificate: (.*)' -replace 'Certificate: '}}10. Anonymisation Services and Tor Usage
10.1. Detecting Tor Network Usage
Purpose: Identify connections to the Tor network, often used for anonymization.
Get-NetTCPConnection | Where-Object {$_.RemoteAddress -in 'TorExitNodesIPs'} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort10.2. Monitoring for VPN or Proxy Services
Purpose: Detect the use of VPNs or proxy services to mask C2 communication.
Get-NetTCPConnection | Where-Object {$_.RemoteAddress -in 'KnownVPNIPs'} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePortAdditional Discovery Techniques
1. Network Traffic and Connection Monitoring
1.1. Detecting Unusual Outbound Connections
Purpose: Identify connections to suspicious or unfamiliar external IP addresses.
Get-NetTCPConnection | Where-Object {$_.State -eq 'Established' -and $_.RemoteAddress -notin 'KnownGoodIPs'} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort1.2. Monitoring Connections to High-Risk Countries
Purpose: Detect connections to IP addresses in countries known for hosting C2 infrastructure.
Get-NetTCPConnection | Where-Object {($_.RemoteAddress -match 'IP_Range_Country_X') -and ($_.State -eq 'Established')} | Select-Object LocalAddress, RemoteAddress2. DNS-based C2 Detection
2.1. Identifying Frequent DNS Queries to Unusual Domains
Purpose: Detect frequent DNS queries that may indicate domain generation algorithm (DGA) activity.
`Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" | Group-Object -Property {$_.Message -match 'QueryName: (.*)' -replace 'QueryName: '} | Where-Object {$_.Count -gt 50} | Select-Object @{n='DomainName';e={$_.Name}}, Count`2.2. Monitoring DNS Requests for Suspicious TLDs
Purpose: Detect DNS requests to top-level domains (TLDs) commonly associated with malicious activity.
Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" | Where-Object {($_.Message -match "\.xyz$|\.pw$|\.top$")} | Select-Object TimeCreated, @{n='DomainName';e={$_.Message -match 'QueryName: (.*)' -replace 'QueryName: '}}3. HTTP/HTTPS-based C2 Detection
3.1. Detecting Suspicious User-Agent Strings
Purpose: Identify HTTP/HTTPS requests with uncommon or suspicious User-Agent strings.
Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" | Where-Object {$_.Message -match "User-Agent: [^a-zA-Z0-9\- ]+"} | Select-Object TimeCreated, @{n='UserAgent';e={$_.Message -match 'User-Agent: (.*)' -replace 'User-Agent: '}}3.2. Monitoring HTTP POST Requests
Purpose: Detect HTTP POST requests to suspicious endpoints, indicating potential data exfiltration.
Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" | Where-Object {($_.Message -match "POST") -and ($_.Message -match "http")} | Select-Object TimeCreated, @{n='URL';e={$_.Message -match 'URL: (.*)' -replace 'URL: '}}4. Beaconing Behavior Detection
4.1. Identifying Regular Interval Network Connections
Purpose: Detect beaconing behavior characterized by regular interval connections to external IPs.
Get-NetTCPConnection | Group-Object -Property RemoteAddress | Where-Object {$_.Count -gt 10} | Select-Object @{n='RemoteAddress';e={$_.Name}}, Count4.2. Monitoring Low-Volume Periodic Traffic
Purpose: Identify low-volume, periodic traffic patterns indicative of beaconing.
Get-NetTCPConnection | Where-Object {($_.State -eq 'Established') -and ($_.RemoteAddress -notin 'KnownGoodIPs')} | Group-Object -Property RemoteAddress | Where-Object {$_.Count -gt 10} | Select-Object @{n='RemoteAddress';e={$_.Name}}, Count5. Malicious Code and Script Execution
5.1. Detecting PowerShell Command Execution
Purpose: Monitor for potentially malicious PowerShell command execution.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Where-Object {$_.Message -match 'Invoke-WebRequest|Invoke-RestMethod'} | Select-Object TimeCreated, @{n='ScriptBlock';e={$_.Message}}5.2. Monitoring JavaScript or VBScript Execution
Purpose: Detect the execution of potentially malicious JavaScript or VBScript.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {($_.Properties[5].Value -match 'wscript.exe|cscript.exe') -and ($_.Properties[9].Value -match '\.js|\.vbs')} | Select-Object TimeCreated, @{n='CommandLine';e={$_.Properties[9].Value}}6. TLS/SSL Certificate Anomalies
6.1. Identifying Self-Signed Certificates
Purpose: Detect the use of self-signed certificates, which may indicate malicious HTTPS traffic.
Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" | Where-Object {$_.Message -match "Self-Signed"} | Select-Object TimeCreated, @{n='Certificate';e={$_.Message -match 'Certificate: (.*)' -replace 'Certificate: '}}6.2. Monitoring for Short-Lived Certificates
Purpose: Identify the use of short-lived TLS/SSL certificates, often used in malicious activities.
Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" | Where-Object {$_.Message -match "Certificate Expiry"} | Select-Object TimeCreated, @{n='Certificate';e={$_.Message -match 'Certificate: (.*)' -replace 'Certificate: '}}7. Email-based C2 Detection
7.1. Detecting Suspicious Email Communications
Purpose: Identify email communications that may indicate C2 activity, such as exfiltration or command execution.
Get-WinEvent -LogName "Microsoft-Windows-Security-Auditing" | Where-Object {$_.Message -match "Email Send"} | Select-Object TimeCreated, @{n='EmailDetails';e={$_.Message}}7.2. Monitoring for Unusual Email Attachments
Purpose: Detect email attachments that may contain C2 tools or scripts.
Get-WinEvent -LogName "Microsoft-Windows-EventLog/Email" | Where-Object {($_.Message -match "Attachment: ") -and ($_.Message -match ".exe|.bat|.ps1")} | Select-Object TimeCreated, @{n='Attachment';e={$_.Message}}8. Command Execution and Data Exfiltration
8.1. Monitoring for Command and Control via Web Shells
Purpose: Identify the use of web shells for C2 activities.
Get-WinEvent -LogName "Microsoft-Windows-IIS-Logging" | Where-Object {($_.Message -match "POST") -and ($_.Message -match "cmd|powershell")} | Select-Object TimeCreated, @{n='Request';e={$_.Message}}8.2. Detecting Data Exfiltration Indicators
Purpose: Identify potential data exfiltration activities, such as large data transfers to external IPs.
Get-NetTCPConnection | Where-Object {($_.State -eq 'Established') -and ($_.RemoteAddress -notin 'KnownGoodIPs')} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort9. Application Whitelisting and Execution Control Bypass
9.1. Detecting Execution of Non-Whitelisted Applications
Purpose: Monitor the execution of applications that bypass whitelisting controls.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {($_.Properties[5].Value -notmatch 'whitelisted_app.exe|another_allowed_app.exe')} | Select-Object TimeCreated, @{n='CommandLine';e={$_.Properties[9].Value}}9.2. Monitoring Dynamic Invocation of Scripts
Purpose: Detect the dynamic invocation of scripts to bypass whitelisting.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Where-Object {$_.Message -match 'Invoke-Expression|Invoke-Command'} | Select-Object TimeCreated, @{n='ScriptBlock';e={$_.Message}}10. Peer-to-Peer (P2P) C2 Detection
10.1. Identifying P2P Protocol Traffic
Purpose: Detect traffic indicative of peer-to-peer C2 communication.
Get-NetTCPConnection | Where-Object {$_.RemotePort -in 6881, 6889, 6969} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort10.2. Monitoring Unusual Port Usage
Purpose: Identify unusual port usage that may indicate non-standard P2P communications.
Get-NetTCPConnection | Where-Object {$_.RemotePort -notin (80, 443, 21, 22, 25)} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePortLast updated