Command-and-Control

Unspecified adversaries are using a Traffic Direction System (TDS) redirect for initial access, followed by encoded PowerShell execution to download payloads like `script.ps1` into the `ApplicationData` directory, and establishing command-and-control (C2) communication via `curl.exe` to suspicious IP addresses such as `144.31.221.82` with defense evasion techniques like post-execution cleanup, designed to operate below traditional detection thresholds.

This rule detects unusual processes spawned from a web server parent process on Linux systems, potentially indicating an attacker attempting to establish persistence, execute malicious commands, or establish command and control channels.

This brief analyzes a Maltrail IOC list from June 1, 2026, identifying domains and IP addresses associated with various malware and threat actors, including android_fvncbot, lummac2, magentocore, sectoprat, apt_lazarus, offloader, android_joker, cyberstrikeai, and nightshadec2, potentially used for command and control, malware distribution, or phishing campaigns.

This analytic identifies ICMP traffic to external IP addresses with total bytes greater than 1,000 bytes, leveraging the Network_Traffic data model to detect potential information smuggling, covert communication, or command-and-control (C2) activities.

The rule detects script interpreters (osascript, Node.js, Python) making outbound connections to AWS S3 or CloudFront domains on macOS, which may indicate command and control or data exfiltration activity.

Detection of uncommon DNS requests originating from Bun or Node.js processes, potentially indicating malicious code execution following a supply chain attack.

Detects execution of curl or wget from processes running inside OCI/runc-backed containers, potentially indicating ingress tool transfer or data exfiltration after a container breakout.

Adversaries may abuse Curl for Windows to download files or upload data to a remote URL for command and control or exfiltration purposes.

Adversaries may abuse Cloudflare Tunnel (cloudflared) on Windows systems to proxy command and control traffic or exfiltrate data through Cloudflare's edge, evading direct connection blocking.

An adversary may abuse port forwarding to bypass network segmentation restrictions by creating a new port forwarding rule through modification of the Windows registry.

The rule detects the execution of the VScode portable binary with the tunnel command line option, potentially indicating an attempt to establish a remote tunnel session to Github or a remote VScode instance for unauthorized access and command and control.

Detects the execution of headless browsers from suspicious parent processes with arguments indicative of scripted retrieval, bypassing application control policies and restrictions on direct download tools.

Detection of DNS queries to known remote monitoring and management (RMM) domains originating from non-browser processes on Windows systems indicates potential abuse of legitimate software for command and control.

Kimsuky is using malware that leverages the Dropbox API for command and control, enabling file exfiltration and remote code execution.

Adversaries may leverage Powercat, a PowerShell implementation of Netcat, to establish command and control channels or perform lateral movement within a compromised network.

This rule identifies suspicious child processes spawned by ScreenConnect client processes, potentially indicating unauthorized access and command execution abusing ScreenConnect remote access software to perform malicious activities such as data exfiltration or establishing persistence.

This rule detects GenAI tools on macOS connecting to unusual domains, potentially indicating command and control activity, data exfiltration, or malicious payload retrieval following compromise via prompt injection, malicious MCP servers, or poisoned plugins.

Msxsl.exe, a legitimate Windows utility, is being abused by adversaries to make network connections to non-local IPs for command and control or data exfiltration, potentially bypassing security measures.

Adversaries may abuse the Windows Certreq utility to download files or upload data to a remote URL by making an HTTP POST request, potentially for command and control or exfiltration, which can be detected by monitoring process execution events.

Attackers are using Windows script interpreters (cscript.exe or wscript.exe) to download executable files from remote locations to deliver second-stage payloads or download tools.

The rule detects unusual outbound network connections made by rundll32.exe, specifically when executed with minimal arguments, which may indicate command and control activity or defense evasion tactics on Windows systems.

Detects the execution of previously unseen remote monitoring and management (RMM) tools or remote access software on compromised Windows endpoints, often leveraged for command-and-control, persistence, and execution of malicious commands.

This rule detects the execution of curl or wget from within runc-backed containers on Linux systems monitored by Auditd Manager, indicating potential ingress tool transfer or data exfiltration by attackers who have compromised the container.

The rule identifies unusual outbound network connections on non-standard ports originating from web server processes on Linux systems, indicative of potential web shell activity or unauthorized communication.

A machine learning job detected potential DGA (domain generation algorithm) activity indicative of malware command and control (C2) channels, identifying source IP addresses making DNS requests with a high probability of being DGA-generated, a technique used by adversaries to evade detection.

MsBuild.exe making outbound network connections may indicate adversarial activity as attackers leverage MsBuild to execute code and evade detection.

This brief documents the detection of Cobalt Strike command and control activity through identifying specific domain naming conventions used by its implant beacons, indicative of network attack and exploitation campaigns.

Exploitation of CVE-2023-50164, a critical path traversal vulnerability in Apache Struts 2, is detected by identifying malicious multipart/form-data POST requests with WebKitFormBoundary targeting Struts .action upload endpoints, followed by JSP web shell creation in Tomcat's webapps directories, indicating remote code execution.

This rule detects command and control activity using common web services by identifying Windows hosts making DNS requests to a list of commonly abused web services from processes outside of known program locations, potentially indicating adversaries attempting to blend malicious traffic with legitimate network activity.

Detection of suspicious Windows processes using DNS queries to determine the external IP address, potentially indicating reconnaissance or preparation for command and control activity.

This rule detects potential command and control activity where Internet Explorer (iexplore.exe) is started via the Component Object Model (COM) and makes unusual network connections, indicating adversaries might exploit Internet Explorer via COM to evade detection and bypass host-based firewall restrictions.

This rule detects network connections initiated by hh.exe, the HTML Help executable, which may indicate the execution of malicious code embedded in compiled HTML files (.chm) to deliver malicious payloads, bypass security controls, and gain initial access via social engineering.

Adversaries may use abused web services such as paste sites, VoIP, and file hosting to host malicious payloads or facilitate command and control, detected via DNS queries from Windows hosts to these services.

Detects PowerShell being used to download executable files from untrusted remote destinations, a common technique for attackers to introduce tooling or malware into a compromised environment.

This rule detects command and control (C2) communications that use common web services to hide malicious activity on Windows hosts by identifying network connections to commonly abused web services from processes outside of known legitimate program locations, indicating potential exfiltration or C2 activity blended with legitimate traffic.

This rule detects network events indicative of RDP traffic originating from the internet, which poses a significant security risk due to its frequent exploitation as an initial access or backdoor vector.

This rule detects Kubernetes pod exec API calls using curl or wget to fetch HTTPS URLs, potentially indicating malicious activity such as staging tools or exfiltrating data.

The rule identifies unusual instances of dllhost.exe making outbound network connections to non-local IPs, which may indicate adversarial Command and Control activity and defense evasion.

Attackers abuse certutil.exe, a native Windows utility, to download/deobfuscate malware for command and control or data exfiltration, evading defenses.

This rule identifies unusual Windows processes connecting to domains using known free SSL certificates such as Let's Encrypt, which adversaries may use to conceal command and control traffic.

This rule detects SMTP traffic on TCP port 26, an alternative to the standard port 25 that the BadPatch malware family has used for command and control of Windows systems.

Detection of DNS queries to remote monitoring and management (RMM) domains from non-browser processes indicating potential misuse of legitimate remote access tools for command and control.

Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from non-browser processes, potentially indicating unauthorized remote access or command and control activity.

Detects an MSI installer execution followed by the execution of commonly abused Remote Management Software like ScreenConnect, potentially indicating abuse where an attacker triggers an MSI install then connects via a guest link with a known session key.

The desktopimgdownldr utility can be abused to download remote files, potentially bypassing standard download restrictions and acting as an alternative to certutil for malware or tool deployment.

Detection of multiple nslookup.exe executions with explicit query types from a single host, potentially indicating command and control activity via DNS tunneling, where attackers abuse DNS for data infiltration or exfiltration.

Attackers are increasingly abusing Cloudflare tunnels, created via the cloudflared client, for establishing stealthy command and control channels and evading network defenses by proxying traffic through Cloudflare's infrastructure.

This brief details detection strategies for NorthStar C2 agent execution on Windows endpoints, an open-source command and control framework used for penetration testing and red teaming.

This rule identifies Windows hosts where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.

Adversaries may leverage Windows Background Intelligent Transfer Service (BITS) to download executable and archive files to evade defenses and establish command and control.

This analytic detects the execution of programs associated with the PuTTY SSH client suite, including putty.exe, pscp.exe, plink.exe, psftp.exe, and puttygen.exe, which can be used to establish unauthorized remote connections, transfer files, or execute commands on remote systems potentially leading to network compromise.

Detection of a process making DNS queries to the Telegram API domain, which is indicative of malware utilizing Telegram bots for command and control (C2) communications.

Attackers may abuse legitimate utilities such as TeamViewer to deploy malware interactively by remotely copying executable or script files during a TeamViewer session.

Attackers are abusing the Windows Defender MpCmdRun.exe utility to download remote files, potentially delivering malware or offensive tools into compromised systems.

The execution of Microsoft devtunnels.exe can be abused by attackers to expose compromised systems to the internet, establish covert communication channels, and bypass network security measures, facilitating data exfiltration or command-and-control.

This alert identifies suspicious network connections initiated by the command prompt (cmd.exe) when executed with arguments indicative of script execution, remote resource access, or originating from Microsoft Office applications, which is a common tactic for downloading payloads or establishing command and control.

This alert detects potential protocol tunneling activity via the execution of Yuze, a lightweight open-source tunneling tool often used by threat actors for intranet penetration via forward and reverse SOCKS5 proxy tunneling.

This detection identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.

This detection identifies potential misuse of Microsoft Devtunnels within Visual Studio by detecting image load events, indicating that an attacker could expose a compromised system or service to the internet for covert communication and data exfiltration.

This rule detects command and control activity associated with the FIN7 threat group, which is known to use domain generation algorithms (DGA) to maintain persistence in their target's network by identifying network traffic using TLS or HTTP protocols to domains with a specific pattern.

This analytic identifies excessive ICMP traffic to external IP addresses exceeding 1,000 bytes, potentially indicating command and control activity, data exfiltration, or covert communication channels.