Network correlation

A single PowerShell process may look legitimate. A burst of HTTPS traffic may look harmless. Together, they reveal that the PowerShell process is beaconing (periodic check-ins from an infected host to a C2 server) to a newly registered domain. The picture changes.

Two perspectives, one picture

Host perspective

Who initiated the connection?

  • Which process opened the socket
  • Under which user context it executed
  • The command-line arguments that produced it
  • What the process did locally before and after

Network perspective

Where does the traffic go?

  • Destination IP, port, and ASN
  • Frequency and cadence of communication
  • TLS certificate properties and cipher choice
  • How the destination compares to historical traffic

Case study

A beacon hiding in HTTPS

A workstation initiates outbound HTTPS connections from PowerShell at 03:15 local time.

Correlation reveals three signals that, in isolation, are not decisive:

  1. The PowerShell process launched outside the user's normal working hours.
  2. Within seconds, the host established encrypted HTTPS sessions to a domain registered 48 hours earlier.
  3. The destination has low prevalence in historical DNS data and an untrusted TLS certificate.

Together they describe initial compromise and command-and-control. The correlation is the alert.

Why no single signal was decisive

  • PowerShell at 03:00 could be a developer working late.
  • HTTPS to a new domain could be a new SaaS tool.
  • Low-prevalence destinations exist legitimately.

Each indicator on its own would be tuned out as noise. The combination crosses the threshold.
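The case study above in runnable form. This is an added example, not code from the original page: it joins a scripting-host process event to the outbound flows it opened shortly after start, evaluates each weak indicator separately, and raises an alert only when enough of them coincide. All hosts, users, domains, timestamps, working-hours baselines and the thresholds (30-second join window, 30-day domain age, prevalence below 5 hosts, three coinciding signals) are constructed assumptions for the example.

```python
from datetime import datetime, timedelta

# --- Constructed sample telemetry (hypothetical hosts, users, domains, times) ---
PROCESS_EVENTS = [
    {"host": "WS-FIN-07", "pid": 4120, "image": "powershell.exe", "user": "jdoe",
     "start": datetime(2024, 5, 14, 3, 15, 2)},
    {"host": "WS-DEV-02", "pid": 881, "image": "powershell.exe", "user": "asmith",
     "start": datetime(2024, 5, 14, 10, 2, 40)},
]
# Outbound connections already attributed to a pid by the EDR / flow-sensor join key
FLOWS = [
    {"host": "WS-FIN-07", "pid": 4120, "dst": "cdn-sync-update.example", "port": 443,
     "ts": datetime(2024, 5, 14, 3, 15, 9), "cert_trusted": False},
    {"host": "WS-FIN-07", "pid": 4120, "dst": "cdn-sync-update.example", "port": 443,
     "ts": datetime(2024, 5, 14, 3, 16, 9), "cert_trusted": False},
    {"host": "WS-DEV-02", "pid": 881, "dst": "pkg.vendor.example", "port": 443,
     "ts": datetime(2024, 5, 14, 10, 2, 45), "cert_trusted": True},
]
# Enrichment: registration date and how many internal hosts contacted the domain
# in the last 90 days (both values constructed for the example)
DOMAIN_INFO = {
    "cdn-sync-update.example": {"registered": datetime(2024, 5, 12, 1, 0), "prevalence": 1},
    "pkg.vendor.example": {"registered": datetime(2019, 3, 1), "prevalence": 312},
}
WORKING_HOURS = {"jdoe": (8, 18), "asmith": (7, 20)}  # per-user baseline, hypothetical

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}


def signals_for(event, flow, domain_info, working_hours, now,
                max_domain_age=timedelta(days=30), min_prevalence=5):
    """Return the set of weak indicators that fire for one process/flow pair."""
    fired = set()
    lo, hi = working_hours.get(event["user"], (0, 24))
    if not lo <= event["start"].hour < hi:
        fired.add("off_hours_launch")
    info = domain_info.get(flow["dst"])
    # An unknown domain is treated as both new and unseen (conservative default)
    if info is None or now - info["registered"] <= max_domain_age:
        fired.add("newly_registered_domain")
    if info is None or info["prevalence"] < min_prevalence:
        fired.add("low_prevalence_destination")
    if not flow["cert_trusted"]:
        fired.add("untrusted_tls_certificate")
    return fired


def correlate(events, flows, domain_info, working_hours, now,
              window=timedelta(seconds=30), threshold=3):
    """Join each scripting-host process to the flows it opened within `window`
    of its start and alert only when at least `threshold` indicators coincide."""
    alerts = []
    for ev in events:
        if ev["image"].lower() not in SCRIPT_HOSTS:
            continue
        fired = set()
        for fl in flows:
            if fl["host"] != ev["host"] or fl["pid"] != ev["pid"]:
                continue
            if not ev["start"] <= fl["ts"] <= ev["start"] + window:
                continue
            fired |= signals_for(ev, fl, domain_info, working_hours, now)
        if len(fired) >= threshold:
            alerts.append({"host": ev["host"], "pid": ev["pid"], "user": ev["user"],
                           "signals": sorted(fired)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(PROCESS_EVENTS, FLOWS, DOMAIN_INFO, WORKING_HOURS,
                           now=datetime(2024, 5, 14, 3, 20)):
        print(alert)
```

Only the finance workstation produces an alert, and it does so with all four indicators attached; the developer's daytime PowerShell session to an established, widely used vendor domain fires none of them. Keeping each indicator as a named signal rather than a single score lets the analyst see which weak pieces added up.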


Telemetry to analyze

Four primary surfaces, each with its own signal patterns:

DNS queries

  • Algorithmically generated domains (DGA, domain generation algorithm: malware computes domain names at runtime so C2 servers can rotate quickly) detected via entropy scoring
  • Randomized subdomains
  • Extremely short TTLs or fast-flux patterns

Network connections

  • Traffic to recently observed external destinations
  • Known malicious ranges from threat intelligence
  • Unusual port usage, uncommon protocols

Data transfer patterns

  • Automated beaconing (consistent packet sizes at consistent intervals)
  • Human-driven traffic is irregular and variable
  • Sustained large outbound transfers off-hours

Protocol usage

  • Tunneling or obfuscation (DNS over HTTPS bypassing inspection)
  • TLS abuse (malformed certificates, unusual ciphers)
  • Custom encryption layers

A finance workstation that normally talks only to internal ERP systems and then initiates TLS sessions to a low-reputation cloud storage provider outside business hours is a clear data-exfiltration signal.
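Two of the signal patterns listed above, entropy scoring of DNS query names and detection of automated beaconing from packet timing and size, carried out on constructed data. This is an added example, not code from the page; the entropy and digit-ratio thresholds, the jitter tolerance and the sample query names and flow timings are assumptions chosen for illustration, and entropy alone is a weak feature (long natural-language labels score close to the threshold), so a production detector would add dictionary or n-gram features.

```python
import math
from statistics import mean, pstdev


def _body(domain):
    """Labels of a query name with the final label (TLD) dropped, joined together,
    so randomized subdomains are scored along with the registrable label."""
    labels = [l for l in domain.lower().strip(".").split(".") if l]
    return "".join(labels[:-1]) if len(labels) > 1 else labels[0]


def label_entropy(domain):
    """Shannon entropy in bits per character of the query name body."""
    text = _body(domain)
    n = len(text)
    if n == 0:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_dga_like(domain, entropy_threshold=3.5, digit_ratio=0.3, min_length=10):
    """Crude DGA heuristic (assumed thresholds): a long body that is either
    high-entropy or digit-heavy. Short names are ignored to limit false positives."""
    text = _body(domain)
    if len(text) < min_length:
        return False
    digits = sum(ch.isdigit() for ch in text) / len(text)
    return label_entropy(domain) >= entropy_threshold or digits >= digit_ratio


def _cv(values):
    """Coefficient of variation; 0 means perfectly regular."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def is_beacon(timestamps, sizes, max_jitter=0.15, min_samples=5):
    """Flag automated beaconing: near-constant inter-arrival times and payload
    sizes across at least `min_samples` flows. `max_jitter` is an assumption."""
    if len(timestamps) < min_samples or len(sizes) != len(timestamps):
        return False
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return _cv(gaps) <= max_jitter and _cv(sizes) <= max_jitter


# Constructed samples: seconds since first flow and bytes sent per flow
BEACON_TS = [0, 60, 121, 180, 241, 300, 360]
BEACON_SIZES = [412, 412, 418, 412, 412, 412, 412]
HUMAN_TS = [0, 12, 15, 98, 140, 141, 300]
HUMAN_SIZES = [1200, 340, 5600, 800, 2300, 150, 900]

if __name__ == "__main__":
    for name in ("mail.example", "xk3j9qpz1mvw.example", "updates.vendor.example"):
        print(f"{name:28s} entropy={label_entropy(name):.2f} dga_like={is_dga_like(name)}")
    print("beacon sample:", is_beacon(BEACON_TS, BEACON_SIZES))
    print("human sample: ", is_beacon(HUMAN_TS, HUMAN_SIZES))
```

The beacon sample has one-minute intervals with about a second of jitter and an almost fixed payload size, so both coefficients of variation fall well under the tolerance; the human-driven sample has wildly varying gaps and sizes and is not flagged. The same cadence test works on per-destination flow records from a NetFlow or Zeek-style export once they are grouped by source host and destination.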


Correlation strategies

Three dimensions to weigh on every connection:

01 Connection metadata

Timestamps, source and destination IPs, ports, session durations, TLS cipher and handshake behavior.

02 Payload characteristics

Fixed packet sizes, repetitive transmission intervals, hallmarks of automated beaconing.

03 Destination reputation

Domain age, threat intelligence overlap, geographic anomalies, certificate provenance.

A PowerShell process repeatedly reaching out via HTTPS to a newly registered domain using a self-signed TLS certificate carrying a generic common name is a classic obfuscated-C2 pattern. Without combining process-level context, network metadata, and reputation scoring, the same activity might pass for ordinary HTTPS traffic.


Command-and-control indicators

Adversaries hide C2 inside legitimate protocols (HTTPS, DNS). The automation underneath leaves fingerprints.

โฑ๏ธ Timing patterns

Frameworks often default to precise beacon intervals. Legitimate traffic rarely has that cadence.

๐Ÿ” TLS certificates

Mismatched, self-signed, or generic-CN certificates (impersonated vendor names). Rotating cert chains tied to short-lived infrastructure.

DNS patterns

High-volume queries for random-looking domains (DGA). Rapid IP rotation tied to a single domain (fast-flux). Domains registered in the last 30 days.

Exfiltration indicators

Large compressed transfers outside normal hours. Outbound spikes to low-reputation destinations.

An internal database server that suddenly sends gigabytes of zipped data to a generic cloud storage provider at 02:30 is a strong signal of active data theft. Even if the channel is encrypted, the volume, timing, and destination characterize the intent.
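The TLS-certificate and exfiltration indicators above as checks over recorded metadata. This is an added example, not code from the page: the certificate heuristics work on the fields a network sensor typically logs (subject, issuer, validity window, SANs and the client's SNI), and the volume check compares one day of outbound bytes against the host's own daily baseline so that a database server's normal traffic does not trip it. The generic-CN markers, the 30-day "short-lived" cutoff, the 0-100 reputation scale, the business-hours window, the z-score threshold and all sample certificates and byte counts are constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Hypothetical markers for placeholder common names seen on throwaway certificates
GENERIC_CN_MARKERS = ("localhost", "default", "server", "test")


def cert_flags(cert):
    """Heuristics over X.509 metadata as a sensor might record it: subject and
    issuer as attribute dicts, validity window, SAN list and the SNI sent."""
    flags = set()
    subject, issuer = cert["subject"], cert["issuer"]
    if subject == issuer:
        flags.add("self_signed")
    cn = subject.get("CN", "").lower()
    if not cn or any(marker in cn for marker in GENERIC_CN_MARKERS):
        flags.add("generic_common_name")
    if cert["not_after"] - cert["not_before"] <= timedelta(days=30):
        flags.add("short_lived")
    names = {s.lower() for s in cert.get("sans", [])} | {cn}
    if cert.get("sni") and cert["sni"].lower() not in names:
        flags.add("name_mismatch")
    return flags


def exfil_anomaly(daily_outbound_mb, today_mb, hour, dst_reputation,
                  z_threshold=3.0, business_hours=(7, 19), min_reputation=30):
    """Score one host/day: outbound volume against that host's own baseline,
    time of day, and destination reputation (0-100, hypothetical scale).
    Alert when a volume spike coincides with at least one contextual signal."""
    mu, sigma = mean(daily_outbound_mb), pstdev(daily_outbound_mb)
    # Floor the spread at 10% of the mean so a near-constant baseline does not
    # turn every small change into a huge z-score
    z = (today_mb - mu) / max(sigma, 0.1 * mu, 1e-9)
    flags = set()
    if z >= z_threshold:
        flags.add("volume_spike")
    if not business_hours[0] <= hour < business_hours[1]:
        flags.add("off_hours")
    if dst_reputation < min_reputation:
        flags.add("low_reputation_destination")
    return {"z_score": round(z, 1), "flags": sorted(flags),
            "alert": "volume_spike" in flags and len(flags) >= 2}


# Constructed sample certificates
CERT_SUSPECT = {
    "subject": {"CN": "server", "O": "Default Company Ltd"},
    "issuer": {"CN": "server", "O": "Default Company Ltd"},
    "not_before": datetime(2024, 5, 10), "not_after": datetime(2024, 5, 24),
    "sans": [], "sni": "cdn-sync-update.example",
}
CERT_LEGIT = {
    "subject": {"CN": "pkg.vendor.example"},
    "issuer": {"CN": "Example Trust CA", "O": "Example Trust"},
    "not_before": datetime(2024, 4, 1), "not_after": datetime(2024, 6, 30),
    "sans": ["pkg.vendor.example"], "sni": "pkg.vendor.example",
}
# Constructed 30-day outbound baseline for a database server, in megabytes per day
BASELINE_MB = [48, 52, 50, 47, 53, 49, 51, 50, 46, 54] * 3

if __name__ == "__main__":
    print("suspect cert:", sorted(cert_flags(CERT_SUSPECT)))
    print("legit cert:  ", sorted(cert_flags(CERT_LEGIT)))
    print(exfil_anomaly(BASELINE_MB, today_mb=4200, hour=2, dst_reputation=12))
    print(exfil_anomaly(BASELINE_MB, today_mb=55, hour=14, dst_reputation=90))
```

The 4.2 GB night-time transfer to a low-reputation destination sits hundreds of standard deviations above the server's usual 50 MB per day and carries two contextual flags, so it alerts; a 55 MB afternoon day to a reputable destination is within the baseline and produces no flags at all.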
