Ein Beispiel-Script gegen Cobalt Strike und ähnliche Tools, die C2-Angriffe („Command and Control“) nutzen (bitte anpassen!)
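#Requires -RunAsAdministrator
# C2 Lockdown Script for Windows Server 2019
# Blocks outbound traffic to a maintained list of suspicious IPs/domains with
# Windows Firewall, disables remote-management services that are commonly
# abused for lateral movement, turns on Defender real-time protection and a
# set of attack surface reduction (ASR) rules, enables PowerShell logging and
# notifies administrators by mail.
#
# Run from an elevated PowerShell. Each step is wrapped so that one failing
# step is reported on the error stream but does not silently skip the rest;
# the script exits non-zero if any step failed.
#
# All IPs, domains, mail addresses and the SMTP host below are placeholders
# and must be replaced before use.

$ErrorActionPreference = 'Stop'
$script:failures = 0

# Runs one hardening step; errors are reported (not swallowed) so later steps still run.
function Invoke-Step {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][scriptblock]$Action
    )
    Write-Output "==> $Name"
    try {
        & $Action
    } catch {
        $script:failures++
        Write-Error -ErrorAction Continue "Step '$Name' failed: $($_.Exception.Message)"
    }
}

# Creates an outbound block rule for one remote address unless a rule with the
# same DisplayName already exists, so re-running the script does not pile up
# duplicate firewall rules.
function Add-OutboundBlockRule {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$RemoteAddress
    )
    if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) {
        Write-Output "    rule '$DisplayName' already exists, skipping"
        return
    }
    New-NetFirewallRule -DisplayName $DisplayName -Direction Outbound `
        -RemoteAddress $RemoteAddress -Action Block | Out-Null
}

# 1. Block outbound traffic to known malicious IPs/domains using Windows Firewall
# NOTE: placeholder values - 192.168.1.100 is a private address and 203.0.113.5
# is documentation space. Replace them with your own indicators.
$maliciousIPs = @(
    "192.168.1.100",
    "203.0.113.5"
    # Add more known C2 IPs here
)

$maliciousDomains = @(
    "maliciousdomain.com",
    "badserver.net"
    # Add more known C2 domains here
)

Invoke-Step "Block known malicious IPs" {
    foreach ($ip in $maliciousIPs) {
        Add-OutboundBlockRule -DisplayName "Block Malicious IP $ip" -RemoteAddress $ip
    }
}

# Domain blocking resolves each name once, now, and blocks the addresses it
# currently points to. This is a snapshot: a domain that rotates its IPs will
# not stay blocked, so re-run the script periodically or block at the DNS
# resolver / proxy as well. A name that does not resolve is reported and
# skipped instead of aborting the whole script (GetHostAddresses throws).
Invoke-Step "Block known malicious domains (resolved to IPs)" {
    foreach ($domain in $maliciousDomains) {
        try {
            $domainIPs = [System.Net.Dns]::GetHostAddresses($domain)
        } catch {
            $script:failures++
            Write-Error -ErrorAction Continue "Could not resolve '$domain': $($_.Exception.Message)"
            continue
        }
        foreach ($addr in $domainIPs) {
            # The address is part of the name so a multi-IP domain gets one rule
            # per address rather than several rules sharing one DisplayName.
            Add-OutboundBlockRule -DisplayName "Block Malicious Domain $domain ($($addr.IPAddressToString))" `
                -RemoteAddress $addr.IPAddressToString
        }
    }
}

# 2. Disable remote-management services that are commonly abused
# "PSRemoting" is not a Windows service name (Stop-Service would only error);
# PowerShell Remoting runs over the WinRM service, so disabling WinRM covers it.
# Be aware this also cuts off legitimate remote administration over WinRM
# (Enter-PSSession, Invoke-Command) - only keep it if the server is managed
# via console or RDP.
$servicesToDisable = @(
    "WinRM",         # Windows Remote Management (also carries PowerShell Remoting)
    "RemoteRegistry" # Remote Registry Service
)

Invoke-Step "Disable abused services" {
    foreach ($service in $servicesToDisable) {
        $svc = Get-Service -Name $service -ErrorAction SilentlyContinue
        if (-not $svc) {
            Write-Output "    service '$service' not present, skipping"
            continue
        }
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $service -Force
        }
        Set-Service -Name $service -StartupType Disabled
    }
}

# 3. Enable Windows Defender real-time protection and update signatures
Invoke-Step "Enable Windows Defender real-time monitoring and update signatures" {
    Set-MpPreference -DisableRealtimeMonitoring $false
    Update-MpSignature
}

# Attack surface reduction rules. The rule IDs and actions are paired lists:
# "-AttackSurfaceReductionRules_Actions Enabled" on its own, without
# -AttackSurfaceReductionRules_Ids, enables nothing. Add-MpPreference appends
# to the existing ASR configuration instead of replacing it. ASR requires
# Defender real-time protection (enabled in the step above). Verify the GUIDs
# against the current Microsoft ASR rule reference before deploying and
# consider AuditMode first on production servers.
$asrRuleIds = @(
    "9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2", # Block credential stealing from LSASS
    "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC", # Block execution of potentially obfuscated scripts
    "D1E49AAC-8F56-4280-B9BA-993A6D77406C"  # Block process creations originating from PSExec and WMI commands
)
Invoke-Step "Enable attack surface reduction rules" {
    $actions = @($asrRuleIds | ForEach-Object { 'Enabled' })
    Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRuleIds -AttackSurfaceReductionRules_Actions $actions
}

# 4. Execution policy
# This step was previously labelled "Constrained Language Mode", but
# Set-ExecutionPolicy does not enable CLM, and Microsoft documents the
# execution policy as a safety feature rather than a security boundary: it
# only prevents accidental execution of unsigned downloaded scripts. Real CLM
# enforcement comes from an AppLocker or WDAC policy in enforce mode.
# RemoteSigned is kept here as basic hygiene.
Invoke-Step "Set execution policy to RemoteSigned" {
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
}

# 5. PowerShell logging (script block, module, transcription)
# Set-ItemProperty fails when the key does not exist, and these policy keys are
# absent on a machine that never received a PowerShell GPO - create them first
# (New-Item -Force is a no-op on an existing key).
$psPolicyRoot = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell"

# Writes one DWORD value under the PowerShell policy root, creating the key if needed.
function Set-PSPolicyValue {
    param(
        [Parameter(Mandatory)][string]$SubKey,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Value
    )
    $path = Join-Path $psPolicyRoot $SubKey
    New-Item -Path $path -Force | Out-Null
    Set-ItemProperty -Path $path -Name $Name -Value $Value -Type DWord -Force
}

Invoke-Step "Enable enhanced PowerShell logging" {
    # Script block logging: records the content of executed script blocks
    # (Microsoft-Windows-PowerShell/Operational, event 4104).
    Set-PSPolicyValue -SubKey "ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1
    # Module logging: the enable switch alone logs nothing; the ModuleNames list
    # must be populated too ("*" = all modules).
    Set-PSPolicyValue -SubKey "ModuleLogging" -Name "EnableModuleLogging" -Value 1
    $moduleNamesPath = Join-Path $psPolicyRoot "ModuleLogging\ModuleNames"
    New-Item -Path $moduleNamesPath -Force | Out-Null
    Set-ItemProperty -Path $moduleNamesPath -Name "*" -Value "*" -Force
    # Transcription with invocation headers. Without an OutputDirectory value the
    # transcripts land in each user's Documents folder; point them at a
    # write-only, ACL-protected location in production.
    Set-PSPolicyValue -SubKey "Transcription" -Name "EnableTranscripting" -Value 1
    Set-PSPolicyValue -SubKey "Transcription" -Name "IncludeInvocationHeader" -Value 1
}

# 6. Alert administrators
# Placeholder addresses and SMTP host - replace. Send-MailMessage sends in
# cleartext unless -UseSsl and credentials are supplied; use an authenticated
# relay in production. It is deliberately the last step: if the SMTP host
# resolves to a listed address, the rules above would block the mail.
$adminEmails = @("admin1@domain.com", "admin2@domain.com")
$subject = "C2 Lockdown Activated on Server $(hostname)"
$body = "The C2 Lockdown script has been executed on server $(hostname) at $(Get-Date). Please review the server's security settings and logs for any signs of compromise."
Invoke-Step "Notify administrators" {
    foreach ($email in $adminEmails) {
        Send-MailMessage -To $email -From "server@domain.com" -Subject $subject -Body $body -SmtpServer "smtp.domain.com"
    }
}

if ($script:failures -gt 0) {
    Write-Output "C2 Lockdown script finished with $script:failures failed step(s); review the errors above."
    exit 1
}
Write-Output "C2 Lockdown script executed successfully."

# End of Script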
@Netzwerksicherheit #C2-Block #IT-SEC #Powershell