T1102

Web Service

Adversaries may use an existing, legitimate external web service as a means for relaying data to/from a compromised system. Popular websites and cloud services such as Google Drive, OneDrive, Dropbox, Pastebin, GitHub, and Discord may act as C2 channels due to the high likelihood that hosts within a network already communicate with them. This provides cover in expected noise and takes advantage of SSL/TLS encryption offered by these providers. Use of web services also protects back-end C2 infrastructure from discovery through malware binary analysis while enabling operational resiliency through dynamic infrastructure changes.

Microsoft Sentinel / Defender

kusto

let LegitBrowsers = dynamic(["chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "safari.exe", "opera.exe", "brave.exe"]);
let WebServiceDomains = dynamic([
  "pastebin.com", "paste.ee", "ghostbin.co",
  "api.github.com", "raw.githubusercontent.com", "gist.github.com",
  "graph.microsoft.com", "onedrive.live.com", "api.onedrive.com",
  "www.googleapis.com", "drive.google.com", "storage.googleapis.com",
  "api.dropboxapi.com", "content.dropboxapi.com",
  "discord.com", "discordapp.com", "cdn.discordapp.com",
  "api.telegram.org",
  "slack.com", "api.slack.com",
  "firebaseio.com", "firebase.googleapis.com",
  "api.notion.so",
  "gitee.com",
  "top4top.io"
]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (WebServiceDomains) or RemoteIPType == "Public"
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | project DeviceId, ProcessId=tolong(ProcessId), FileName, ProcessCommandLine, InitiatingProcessFileName, AccountName, SHA256
) on DeviceId
| where RemoteUrl has_any (WebServiceDomains)
| where not(InitiatingProcessFileName has_any (LegitBrowsers))
| where not(FileName has_any (LegitBrowsers))
| where FileName !in~ ("OneDriveSetup.exe", "OneDrive.exe", "googledrivesync.exe", "dropbox.exe", "slack.exe", "teams.exe", "discord.exe")
| extend SuspiciousProcess = FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe")
| extend ScriptingProcess = FileName in~ ("python.exe", "python3.exe", "ruby.exe", "perl.exe", "node.exe", "wscript.exe", "cscript.exe")
| extend UnusualParent = InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrobat.exe", "acrord32.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort,
         SuspiciousProcess, ScriptingProcess, UnusualParent, SHA256
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents DeviceProcessEvents

False Positives

Legitimate developer tools or CI/CD pipelines making API calls to GitHub, Firebase, or Google APIs
IT management tools and monitoring agents that poll cloud APIs for configuration or telemetry upload
Custom line-of-business applications built on cloud storage APIs (OneDrive, Google Drive SDK integrations)
PowerShell scripts used legitimately by administrators to upload logs or reports to cloud storage
Antivirus or endpoint agents uploading telemetry to cloud-hosted collection endpoints

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
| eval RemoteHostname=lower(DestinationHostname)
| where match(RemoteHostname, "(pastebin\.com|paste\.ee|ghostbin\.co|api\.github\.com|raw\.githubusercontent\.com|gist\.github\.com|graph\.microsoft\.com|onedrive\.live\.com|www\.googleapis\.com|drive\.google\.com|storage\.googleapis\.com|api\.dropboxapi\.com|content\.dropboxapi\.com|discord\.com|discordapp\.com|cdn\.discordapp\.com|api\.telegram\.org|firebaseio\.com|firebase\.googleapis\.com|gitee\.com|top4top\.io|api\.slack\.com)")
| eval ImageLower=lower(Image)
| where NOT match(ImageLower, "(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|opera\.exe|brave\.exe|onedrive\.exe|googledrivesync\.exe|dropbox\.exe|slack\.exe|teams\.exe|discord\.exe)")
| eval SuspiciousProcess=if(match(ImageLower, "(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)"), 1, 0)
| eval ScriptingProcess=if(match(ImageLower, "(python\.exe|python3\.exe|ruby\.exe|perl\.exe|node\.exe)"), 1, 0)
| eval OfficeParent=if(match(lower(ParentImage), "(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|acrobat\.exe|acrord32\.exe)"), 1, 0)
| eval RiskScore=SuspiciousProcess*3 + ScriptingProcess*2 + OfficeParent*4
| where RiskScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DestinationHostname, DestinationIp, DestinationPort, SuspiciousProcess, ScriptingProcess, OfficeParent, RiskScore
| sort - RiskScore, - _time

medium severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate developer tools or CI/CD pipelines making API calls to GitHub, Firebase, or Google APIs
IT management tools and monitoring agents that poll cloud APIs for configuration or telemetry upload
Custom line-of-business applications built on cloud storage APIs
PowerShell scripts used legitimately by administrators to upload logs or reports to cloud storage
Antivirus or endpoint agents uploading telemetry to cloud-hosted collection endpoints

Elastic Security (EQL)

eql

network where event.category == "network" and network.direction == "egress" and
  destination.domain != null and
  destination.domain : (
    "*pastebin.com", "*paste.ee", "*ghostbin.co",
    "*api.github.com", "*raw.githubusercontent.com", "*gist.github.com",
    "*graph.microsoft.com", "*onedrive.live.com", "*api.onedrive.com",
    "*googleapis.com", "*drive.google.com", "*storage.googleapis.com",
    "*api.dropboxapi.com", "*content.dropboxapi.com",
    "*discord.com", "*discordapp.com", "*cdn.discordapp.com",
    "*api.telegram.org", "*slack.com", "*api.slack.com",
    "*firebaseio.com", "*firebase.googleapis.com",
    "*api.notion.so", "*gitee.com", "*top4top.io"
  ) and
  not process.name in~ (
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
    "safari.exe", "opera.exe", "brave.exe",
    "OneDriveSetup.exe", "OneDrive.exe", "googledrivesync.exe",
    "dropbox.exe", "slack.exe", "teams.exe", "discord.exe"
  ) and
  (
    process.name in~ (
      "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
      "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
      "bitsadmin.exe", "curl.exe", "wget.exe"
    ) or
    process.name in~ (
      "python.exe", "python3.exe", "ruby.exe", "perl.exe", "node.exe"
    ) or
    process.parent.name in~ (
      "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
      "acrobat.exe", "acrord32.exe"
    )
  )

high severity high confidence

Data Sources

Elastic Agent Endpoint Integration Winlogbeat with Sysmon module Elastic Defend (endpoint.events.network)

Required Tables

logs-endpoint.events.network-* winlogbeat-*

False Positives

Legitimate automation scripts using PowerShell or Python that interact with GitHub APIs or Google Drive as part of CI/CD pipelines or DevOps workflows on developer workstations.
Security tools such as EDR agents, vulnerability scanners, or SIEM forwarders that connect to cloud telemetry endpoints including googleapis.com or Firebase.
Custom in-house tooling using curl.exe or wget.exe that legitimately downloads configuration or updates from GitHub raw content or cloud storage buckets.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip,
  destinationip,
  destinationhostname,
  destinationport,
  username,
  "ProcessName",
  "CommandLine",
  "ParentProcessName"
FROM events
WHERE
  LOGSOURCENAME(logsourceid) LIKE '%Sysmon%'
  AND QIDNAME(qid) LIKE '%Network connection%'
  AND (
    LOWER(destinationhostname) LIKE '%pastebin.com%' OR
    LOWER(destinationhostname) LIKE '%paste.ee%' OR
    LOWER(destinationhostname) LIKE '%ghostbin.co%' OR
    LOWER(destinationhostname) LIKE '%api.github.com%' OR
    LOWER(destinationhostname) LIKE '%raw.githubusercontent.com%' OR
    LOWER(destinationhostname) LIKE '%gist.github.com%' OR
    LOWER(destinationhostname) LIKE '%graph.microsoft.com%' OR
    LOWER(destinationhostname) LIKE '%onedrive.live.com%' OR
    LOWER(destinationhostname) LIKE '%googleapis.com%' OR
    LOWER(destinationhostname) LIKE '%drive.google.com%' OR
    LOWER(destinationhostname) LIKE '%api.dropboxapi.com%' OR
    LOWER(destinationhostname) LIKE '%discord.com%' OR
    LOWER(destinationhostname) LIKE '%discordapp.com%' OR
    LOWER(destinationhostname) LIKE '%api.telegram.org%' OR
    LOWER(destinationhostname) LIKE '%slack.com%' OR
    LOWER(destinationhostname) LIKE '%firebaseio.com%' OR
    LOWER(destinationhostname) LIKE '%firebase.googleapis.com%' OR
    LOWER(destinationhostname) LIKE '%api.notion.so%' OR
    LOWER(destinationhostname) LIKE '%gitee.com%' OR
    LOWER(destinationhostname) LIKE '%top4top.io%'
  )
  AND LOWER("ProcessName") NOT LIKE '%chrome.exe%'
  AND LOWER("ProcessName") NOT LIKE '%firefox.exe%'
  AND LOWER("ProcessName") NOT LIKE '%msedge.exe%'
  AND LOWER("ProcessName") NOT LIKE '%iexplore.exe%'
  AND LOWER("ProcessName") NOT LIKE '%opera.exe%'
  AND LOWER("ProcessName") NOT LIKE '%brave.exe%'
  AND LOWER("ProcessName") NOT LIKE '%onedrive.exe%'
  AND LOWER("ProcessName") NOT LIKE '%googledrivesync.exe%'
  AND LOWER("ProcessName") NOT LIKE '%dropbox.exe%'
  AND LOWER("ProcessName") NOT LIKE '%slack.exe%'
  AND LOWER("ProcessName") NOT LIKE '%teams.exe%'
  AND LOWER("ProcessName") NOT LIKE '%discord.exe%'
  AND (
    LOWER("ProcessName") LIKE '%powershell.exe%' OR
    LOWER("ProcessName") LIKE '%pwsh.exe%' OR
    LOWER("ProcessName") LIKE '%cmd.exe%' OR
    LOWER("ProcessName") LIKE '%wscript.exe%' OR
    LOWER("ProcessName") LIKE '%cscript.exe%' OR
    LOWER("ProcessName") LIKE '%mshta.exe%' OR
    LOWER("ProcessName") LIKE '%rundll32.exe%' OR
    LOWER("ProcessName") LIKE '%regsvr32.exe%' OR
    LOWER("ProcessName") LIKE '%certutil.exe%' OR
    LOWER("ProcessName") LIKE '%bitsadmin.exe%' OR
    LOWER("ProcessName") LIKE '%curl.exe%' OR
    LOWER("ProcessName") LIKE '%wget.exe%' OR
    LOWER("ProcessName") LIKE '%python.exe%' OR
    LOWER("ProcessName") LIKE '%python3.exe%' OR
    LOWER("ProcessName") LIKE '%ruby.exe%' OR
    LOWER("ProcessName") LIKE '%perl.exe%' OR
    LOWER("ProcessName") LIKE '%node.exe%' OR
    LOWER("ParentProcessName") LIKE '%winword.exe%' OR
    LOWER("ParentProcessName") LIKE '%excel.exe%' OR
    LOWER("ParentProcessName") LIKE '%powerpnt.exe%' OR
    LOWER("ParentProcessName") LIKE '%outlook.exe%' OR
    LOWER("ParentProcessName") LIKE '%acrobat.exe%' OR
    LOWER("ParentProcessName") LIKE '%acrord32.exe%'
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Sysmon for Windows (via WinCollect agent or Universal DSM)

Required Tables

events (requires custom Sysmon DSM property extraction for ProcessName, CommandLine, ParentProcessName)

False Positives

Administrative PowerShell scripts legitimately querying Microsoft Graph API or OneDrive for inventory, user management, or SharePoint automation on managed endpoints.
Developer tools (node.exe, python.exe) on developer workstations making API calls to Firebase, Google APIs, or GitHub as part of legitimate software development activity.
Backup or sync agents not included in the exclusion list that use curl or Python to interact with cloud storage APIs such as Dropbox or Google Drive.

Sumo Logic CSE

sql

_sourceCategory=*sysmon* OR _sourceCategory=*windows/sysmon*
| where EventCode = "3"
| parse regex field=_raw "<Data Name='Image'>(?<Image>[^<]+)</Data>" nodrop
| parse regex field=_raw "<Data Name='ParentImage'>(?<ParentImage>[^<]+)</Data>" nodrop
| parse regex field=_raw "<Data Name='CommandLine'>(?<CommandLine>[^<]+)</Data>" nodrop
| parse regex field=_raw "<Data Name='ParentCommandLine'>(?<ParentCommandLine>[^<]+)</Data>" nodrop
| parse regex field=_raw "<Data Name='DestinationHostname'>(?<DestinationHostname>[^<]+)</Data>" nodrop
| parse regex field=_raw "<Data Name='DestinationIp'>(?<DestinationIp>[^<]+)</Data>" nodrop
| parse regex field=_raw "<Data Name='DestinationPort'>(?<DestinationPort>[^<]+)</Data>" nodrop
| parse regex field=_raw "<Data Name='User'>(?<User>[^<]+)</Data>" nodrop
| where DestinationHostname matches /(?i)(pastebin\.com|paste\.ee|ghostbin\.co|api\.github\.com|raw\.githubusercontent\.com|gist\.github\.com|graph\.microsoft\.com|onedrive\.live\.com|www\.googleapis\.com|drive\.google\.com|storage\.googleapis\.com|api\.dropboxapi\.com|content\.dropboxapi\.com|discord\.com|discordapp\.com|cdn\.discordapp\.com|api\.telegram\.org|slack\.com|api\.slack\.com|firebaseio\.com|firebase\.googleapis\.com|api\.notion\.so|gitee\.com|top4top\.io)/
| where !(Image matches /(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|opera\.exe|brave\.exe|OneDriveSetup\.exe|OneDrive\.exe|googledrivesync\.exe|dropbox\.exe|slack\.exe|teams\.exe|discord\.exe)/)
| if(Image matches /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)/, 1, 0) as SuspiciousProcess
| if(Image matches /(?i)(python\.exe|python3\.exe|ruby\.exe|perl\.exe|node\.exe)/, 1, 0) as ScriptingProcess
| if(ParentImage matches /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|acrobat\.exe|acrord32\.exe)/, 1, 0) as OfficeParent
| SuspiciousProcess * 3 + ScriptingProcess * 2 + OfficeParent * 4 as RiskScore
| where RiskScore > 0
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, DestinationHostname, DestinationIp, DestinationPort, SuspiciousProcess, ScriptingProcess, OfficeParent, RiskScore
| sort by RiskScore desc, _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector (Windows) Windows Event Logs — Sysmon Operational channel

Required Tables

Sumo Logic search index with _sourceCategory mapped to Sysmon or Windows event log sources

False Positives

PowerShell scripts used by IT operations teams to query Microsoft Graph API for user or device management and automated reporting tasks on managed endpoints.
Python-based monitoring agents on endpoints that push health metrics or application telemetry to Firebase, Google Cloud Monitoring, or similar cloud platforms.
Authorized penetration testing frameworks or security tooling that contacts GitHub raw content or Pastebin as part of a known red team engagement.

Google Chronicle / SecOps

yaral

rule t1102_web_service_c2_network_connection {
  meta:
    author = "detection-engineering"
    description = "Detects non-browser processes initiating outbound network connections to web service domains known to be abused as C2 channels (MITRE T1102)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Command-And-Control"
    mitre_attack_technique = "T1102"
    mitre_attack_subtechnique = "T1102.002"
    platforms = "Windows"
    tags = "c2, web-service, t1102, network"

  events:
    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.target.hostname = /(?i)(pastebin\.com|paste\.ee|ghostbin\.co|api\.github\.com|raw\.githubusercontent\.com|gist\.github\.com|graph\.microsoft\.com|onedrive\.live\.com|api\.onedrive\.com|www\.googleapis\.com|drive\.google\.com|storage\.googleapis\.com|api\.dropboxapi\.com|content\.dropboxapi\.com|discord\.com|discordapp\.com|cdn\.discordapp\.com|api\.telegram\.org|slack\.com|api\.slack\.com|firebaseio\.com|firebase\.googleapis\.com|api\.notion\.so|gitee\.com|top4top\.io)/
    not $net.principal.process.file.full_path = /(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|safari\.exe|opera\.exe|brave\.exe|OneDriveSetup\.exe|OneDrive\.exe|googledrivesync\.exe|dropbox\.exe|slack\.exe|teams\.exe|discord\.exe)/
    (
      $net.principal.process.file.full_path = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe|python\.exe|python3\.exe|ruby\.exe|perl\.exe|node\.exe)/
      or
      $net.principal.process.parent_process.file.full_path = /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|acrobat\.exe|acrord32\.exe)/
    )

  condition:
    $net
}

high severity high confidence

Data Sources

Google Chronicle SIEM Sysmon Windows Events (via Chronicle forwarder or BindPlane) CrowdStrike Falcon (via Chronicle integration) Carbon Black (via Chronicle integration)

Required Tables

UDM events with metadata.event_type = NETWORK_CONNECTION and principal.process fields populated

False Positives

Legitimate curl.exe or wget.exe usage in scheduled tasks or administrative scripts that download configuration or software updates from GitHub raw content or cloud storage providers.
Python or Node.js development toolchains on developer machines that routinely contact Firebase, Google APIs, Slack webhooks, or npm registries for dependency resolution or build processes.
IT automation using PowerShell to interact with Microsoft Graph API, OneDrive, or SharePoint Online for user provisioning, license reporting, or file management workflows.

CrowdStrike LogScale (CQL)

cql

#event_simpleName = DnsRequest
| DomainName = /pastebin\.com|paste\.ee|ghostbin\.co|api\.github\.com|raw\.githubusercontent\.com|gist\.github\.com|graph\.microsoft\.com|onedrive\.live\.com|api\.onedrive\.com|www\.googleapis\.com|drive\.google\.com|storage\.googleapis\.com|api\.dropboxapi\.com|content\.dropboxapi\.com|discord\.com|discordapp\.com|cdn\.discordapp\.com|api\.telegram\.org|slack\.com|api\.slack\.com|firebaseio\.com|firebase\.googleapis\.com|api\.notion\.so|gitee\.com|top4top\.io/i
| ContextBaseFileName != /chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|safari\.exe|opera\.exe|brave\.exe|OneDriveSetup\.exe|OneDrive\.exe|googledrivesync\.exe|dropbox\.exe|slack\.exe|MicrosoftTeams\.exe|Discord\.exe/i
| ContextBaseFileName = /powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe|python\.exe|python3\.exe|ruby\.exe|perl\.exe|node\.exe/i
| groupBy(
    [ComputerName, UserName, ContextBaseFileName, DomainName],
    function=[
      count(as=QueryCount),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
| sort(QueryCount, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike LogScale (formerly Humio)

Required Tables

Falcon telemetry stream with #event_simpleName = DnsRequest

False Positives

PowerShell scripts used in endpoint management platforms (SCCM, Intune, Ansible) that resolve Microsoft Graph API or cloud service endpoints for configuration management or device compliance reporting.
Python-based devops tooling on build servers that resolves googleapis.com, Firebase, or npm CDN domains as part of legitimate CI/CD pipelines and dependency installation.
Node.js applications running as Windows services that legitimately resolve Slack, Discord webhook, or Firebase endpoints for operational alerting or application telemetry reporting.

Last updated: 2026-04-14 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1102 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Web Service

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (3)

Same Tactic: Command and Control

Popular Detections