What We Do
How we do it
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
View Threat Intelligence Resources →
Jan 19, 2023
Increased Activity in Google Ads Distributing Information Stealers
THE THREAT On January 18th, 2023, eSentire Threat Intelligence identified multiple reports, both externally and internally, containing information on an ongoing increase in Google advertisements…
Read More
View all Advisories →
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1500+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
Dec 13, 2022
eSentire Named First Managed Detection and Response Partner by Global Insurance Provider Coalition
Waterloo, ON – December 13, 2022 – eSentire, Inc., the Authority in Managed Detection and Response (MDR), today announced it has been named the first global MDR partner by Coalition, the world’s first Active Insurance provider designed to prevent digital risk before it strikes. Like Coalition, eSentire is committed to putting their customers’ businesses ahead of disruption by improving their…
Read More
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Blog — Jul 11, 2018

Living off the land: the command and control phase

5 minutes read
Speak With A Security Expert Now

This is the fifth and final blog post in the Living Off the Land blog series. In this edition, the focus is on how adversaries may leverage Living off the Land tools to create Command and Control (C2) communication after successfully completing the previous phases of the Cyber Kill Chain.

Executive Summary

Command and control is the second to final stage of the Cyber Kill Chain, enabling the adversary to complete their actions and objectives. In order to establish command and control communications, both penetration testers and adversaries have exploited Living Off the Land techniques in the past. Scripting languages such as PowerShell and Windows Management Interface (WMI) have been exploited to enable C2, as has remote access software. Frameworks exist for the express purpose of creating C2 communication via Living Off the Land Tools. Defenders need to be aware that remote access software and scripting software is all that is required to establish command and control in the enterprise. These tactics are discussed in greater detail below, along with mitigation steps.


There are various options adversaries can employ to establish communication using Living off the Land techniques. Common methods seen across the eSentire threat detection surface include PowerShell and Windows Management Interface (WMI). Other methods observed in the wild utilize remote access software and anti-theft applications.

There have been cases where common enterprise applications have been used to control and execute software on compromised hosts. In one particular case, TeamViewer was used to remotely deliver and execute commands against company assets, leading to the compromise of a CCleaner version. The compromised versions were downloaded by 2.3 million users before the issue was fully resolved [1].

In early May 2018, researchers identified a threat actor exploiting older versions of Absolute LoJack to establish successful C2 communication [2]. Absolute LoJack is a legitimate anti-theft solution used by organizations to track and remotely wipe stolen assets. The adversaries in this case were able to modify a LoJack agent to point to a rouge C2 server that mimics the LoJack communication protocols. By utilizing LoJack to maintain communication with the rouge server, the adversaries were able to perform malicious tasks to obtain their objectives.

The versatility of PowerShell and WMI have been noted in previous blog entries in this series; various frameworks using these languages have been created that reduce the difficulty in establishing Command and Control. One such tool is PoshC2. PoshC2 is an open source Command and Control framework that is written entirely in PowerShell [3]. It was designed for the benefit of penetration testers to establish communication after successful exploitation.

Additional Information

In order to demonstrate the use of Living off the Land tools for establishing Command and Control, the following section demonstrates the PoshC2 framework. This framework allows adversaries and pen-testers the ability to establish encrypted communication. PoshC2 was chosen to demonstrate as it has a high number of built in modules, receives frequent updates and is relatively simple to use. Figures 1-7 illustrate how potential attacks may unfold.

The server configuration settings and options for PoshC2 are shown in figure 1. The tool can be used internally on a compromised environment or externally on infrastructure owned by the adversary since it is built entirely from PowerShell. When used internally, PoshC2 can funnel traffic from multiple compromised assets through one IP address. This can minimize the chances of discovery when only monitoring egress traffic.

Figure 1: Configured C2 Server

Figure 2: Server Generated Payloads

After setting up the PoshC2 server, preconfigured payloads are automatically generated (Figure 2). The adversary can select from 23 different payloads. After selecting a payload, the attacker can easily distribute it to additional hosts. In this circumstance, the payload.bat file was selected and remotely executed on the victim machine (Figure 3). In the Delivery and Installation issue of this blog series, a similar example was shown in which WMI was used to deliver a malicious .bat file.

Figure 3: Executed .bat File

Figure 4: Connected Devices

The above image shows the list of hosts currently connected to the PoshC2 server.

PoshC2 includes a wide variety PowerShell commands that can be utilized on the controlled assets, including some commands previously mentioned in this blog series during the Reconnaissance phase [4]. In figures 5 and 6 the PoshC2 server sends commands to the infected agents to achieve additional objectives.

Figure 5: Get-RecentFiles Command Result

The Get-RecentFiles command brings up a list of recently accessed files on the machine. This allows adversaries to quickly identify potential files of interest.

Figure 6: Get-Screenshot Command Result

The Get-Screenshot command allows adversaries to take live screen captures of the victims’ machines. Obtaining screen shots could allow adversaries to obtain sensitive information displayed on the screen.

Figure 7: Remote Code Execution via C2

In figure 7, the adversary used the PoshC2 framework to launch an executable. In this case, calc.exe was launched on the affected asset. From the attacker’s perspective, this functionality opens a near limitless set of options for new attacks across the network.

PoshC2 is blocked by Windows Defender by default in Windows 10, but the framework can be easily modified to evade detection.

Mitigation Strategies

Knowing the potential threats that exist pertaining to Living Off the Land tools allows defenders to tailor aspects of security to best protect against these attacks. Each previous blog post in this series has a tailored set of recommendations for defending against the use of Living Off the Land tools in the various Kill Chain stages. Below is a list of recommended steps for reducing the likelihood of an adversary successfully establishing Command and Control.


Penetration testers and adversaries have incorporated multiple living off the land techniques in established command and control communication. Whether through scripting languages like PowerShell, or compromising remote access software, communications can be established. Over the years, tools and frameworks have been developed to leverage Living Off the Land software as demonstrated by the PoshC2 framework. The detection of Living Off the Land tools is difficult, but by combining both network and endpoint monitoring, it is possible to identify unusual command and control activity.

This blog series has outlined the use of Living Off the Land tools for reconnaissance, weaponization, delivery and installation, exploitation and the command and control phases. Combining the kill chain phases can allow adversaries to achieve their objectives. Employing the use of Living off the Land techniques by adversaries can increase the difficulty for incident responders to detect. Performing the recommendations included in this blog series can help to mitigate, stop or quickly respond to threats relying on Living off the land tools.

Previous Blogs in this Series

Living Off the Land – The Reconnaissance Phase

Living Off the Land – The Weaponization Phase

Living Off the Land – The Delivery & Installation Phases

Living Off the Land – The Exploitation Phase


[1] https://thehackernews.com/2018/04/ccleaner-malware-attack.html


[3] https://github.com/nettitude/PoshC2

[4] https://www.esentire.com/blog/living-off-the-land-the-reconnaissance-phase/

View Most Recent Blogs
Red Team
Red Team Penetration Testing Team