Which SIEM platforms have a T1102 detection rule?

df00tech provides T1102 (Web Service) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1102 detection?

The T1102 detection is rated medium severity with medium confidence.

What are common false positives for T1102?

Common false positives for T1102 include: Legitimate developer tools or CI/CD pipelines making API calls to GitHub, Firebase, or Google APIs; IT management tools and monitoring agents that poll cloud APIs for configuration or telemetry upload; Custom line-of-business applications built on cloud storage APIs (OneDrive, Google Drive SDK integrations).

T1102

Web Service

Q: What data sources are required to detect Web Service (T1102)?

Detecting Web Service requires the following data sources: Network Traffic: Network Connection Creation, Process: Process Creation, Microsoft Defender for Endpoint.

Command and Control Last updated: April 14, 2026

Adversaries may use an existing, legitimate external web service as a means for relaying data to/from a compromised system. Popular websites and cloud services such as Google Drive, OneDrive, Dropbox, Pastebin, GitHub, and Discord may act as C2 channels due to the high likelihood that hosts within a network already communicate with them. This provides cover in expected noise and takes advantage of SSL/TLS encryption offered by these providers. Use of web services also protects back-end C2 infrastructure from discovery through malware binary analysis while enabling operational resiliency through dynamic infrastructure changes.

What is T1102 Web Service?

Web Service (T1102) maps to the Command and Control tactic — the adversary is trying to communicate with compromised systems to control them in MITRE ATT&CK.

This page provides production-ready detection logic for Web Service, covering the data sources and telemetry it touches: Network Traffic: Network Connection Creation, Process: Process Creation, Microsoft Defender for Endpoint. The queries below are rated medium severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Command and Control
Technique: T1102 Web Service
Canonical reference: https://attack.mitre.org/techniques/T1102/

Microsoft Sentinel / Defender

kusto

let LegitBrowsers = dynamic(["chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "safari.exe", "opera.exe", "brave.exe"]);
let WebServiceDomains = dynamic([
  "pastebin.com", "paste.ee", "ghostbin.co",
  "api.github.com", "raw.githubusercontent.com", "gist.github.com",
  "graph.microsoft.com", "onedrive.live.com", "api.onedrive.com",
  "www.googleapis.com", "drive.google.com", "storage.googleapis.com",
  "api.dropboxapi.com", "content.dropboxapi.com",
  "discord.com", "discordapp.com", "cdn.discordapp.com",
  "api.telegram.org",
  "slack.com", "api.slack.com",
  "firebaseio.com", "firebase.googleapis.com",
  "api.notion.so",
  "gitee.com",
  "top4top.io"
]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (WebServiceDomains) or RemoteIPType == "Public"
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | project DeviceId, ProcessId=tolong(ProcessId), FileName, ProcessCommandLine, InitiatingProcessFileName, AccountName, SHA256
) on DeviceId
| where RemoteUrl has_any (WebServiceDomains)
| where not(InitiatingProcessFileName has_any (LegitBrowsers))
| where not(FileName has_any (LegitBrowsers))
| where FileName !in~ ("OneDriveSetup.exe", "OneDrive.exe", "googledrivesync.exe", "dropbox.exe", "slack.exe", "teams.exe", "discord.exe")
| extend SuspiciousProcess = FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe")
| extend ScriptingProcess = FileName in~ ("python.exe", "python3.exe", "ruby.exe", "perl.exe", "node.exe", "wscript.exe", "cscript.exe")
| extend UnusualParent = InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrobat.exe", "acrord32.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort,
         SuspiciousProcess, ScriptingProcess, UnusualParent, SHA256
| sort by Timestamp desc

Detects non-browser processes making network connections to known web service platforms commonly abused for C2 (Pastebin, GitHub, Google Drive, OneDrive, Dropbox, Discord, Telegram, Firebase, etc.). Joins DeviceNetworkEvents with DeviceProcessEvents to identify the initiating process. Excludes known legitimate cloud sync clients and browsers. Flags scripting interpreters, LOLBins, and document applications as high-suspicion initiators. Effective against malware families like BoomBox (Dropbox), Nightdoor (OneDrive/Google Drive), Carbon (Pastebin), and Raspberry Robin (Discord).

medium severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents DeviceProcessEvents

False Positives

Legitimate developer tools or CI/CD pipelines making API calls to GitHub, Firebase, or Google APIs
IT management tools and monitoring agents that poll cloud APIs for configuration or telemetry upload
Custom line-of-business applications built on cloud storage APIs (OneDrive, Google Drive SDK integrations)
PowerShell scripts used legitimately by administrators to upload logs or reports to cloud storage
Antivirus or endpoint agents uploading telemetry to cloud-hosted collection endpoints

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
| eval RemoteHostname=lower(DestinationHostname)
| where match(RemoteHostname, "(pastebin\.com|paste\.ee|ghostbin\.co|api\.github\.com|raw\.githubusercontent\.com|gist\.github\.com|graph\.microsoft\.com|onedrive\.live\.com|www\.googleapis\.com|drive\.google\.com|storage\.googleapis\.com|api\.dropboxapi\.com|content\.dropboxapi\.com|discord\.com|discordapp\.com|cdn\.discordapp\.com|api\.telegram\.org|firebaseio\.com|firebase\.googleapis\.com|gitee\.com|top4top\.io|api\.slack\.com)")
| eval ImageLower=lower(Image)
| where NOT match(ImageLower, "(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|opera\.exe|brave\.exe|onedrive\.exe|googledrivesync\.exe|dropbox\.exe|slack\.exe|teams\.exe|discord\.exe)")
| eval SuspiciousProcess=if(match(ImageLower, "(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)"), 1, 0)
| eval ScriptingProcess=if(match(ImageLower, "(python\.exe|python3\.exe|ruby\.exe|perl\.exe|node\.exe)"), 1, 0)
| eval OfficeParent=if(match(lower(ParentImage), "(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|acrobat\.exe|acrord32\.exe)"), 1, 0)
| eval RiskScore=SuspiciousProcess*3 + ScriptingProcess*2 + OfficeParent*4
| where RiskScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DestinationHostname, DestinationIp, DestinationPort, SuspiciousProcess, ScriptingProcess, OfficeParent, RiskScore
| sort - RiskScore, - _time

Detects non-browser processes connecting to known web service platforms abused for C2 using Sysmon Event ID 3 (Network Connection). Excludes known legitimate applications and cloud sync clients. Assigns a risk score based on the initiating process type: office applications spawning web service connections score highest (4 points, indicating drive-by exploitation), LOLBins and scripting engines score 3 and 2 respectively. High-risk-score events should be immediately investigated for C2 infrastructure or payload staging.

medium severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate developer tools or CI/CD pipelines making API calls to GitHub, Firebase, or Google APIs
IT management tools and monitoring agents that poll cloud APIs for configuration or telemetry upload
Custom line-of-business applications built on cloud storage APIs
PowerShell scripts used legitimately by administrators to upload logs or reports to cloud storage
Antivirus or endpoint agents uploading telemetry to cloud-hosted collection endpoints

Elastic Security (EQL)

eql

network where event.category == "network" and network.direction == "egress" and
  destination.domain != null and
  destination.domain : (
    "*pastebin.com", "*paste.ee", "*ghostbin.co",
    "*api.github.com", "*raw.githubusercontent.com", "*gist.github.com",
    "*graph.microsoft.com", "*onedrive.live.com", "*api.onedrive.com",
    "*googleapis.com", "*drive.google.com", "*storage.googleapis.com",
    "*api.dropboxapi.com", "*content.dropboxapi.com",
    "*discord.com", "*discordapp.com", "*cdn.discordapp.com",
    "*api.telegram.org", "*slack.com", "*api.slack.com",
    "*firebaseio.com", "*firebase.googleapis.com",
    "*api.notion.so", "*gitee.com", "*top4top.io"
  ) and
  not process.name in~ (
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
    "safari.exe", "opera.exe", "brave.exe",
    "OneDriveSetup.exe", "OneDrive.exe", "googledrivesync.exe",
    "dropbox.exe", "slack.exe", "teams.exe", "discord.exe"
  ) and
  (
    process.name in~ (
      "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
      "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
      "bitsadmin.exe", "curl.exe", "wget.exe"
    ) or
    process.name in~ (
      "python.exe", "python3.exe", "ruby.exe", "perl.exe", "node.exe"
    ) or
    process.parent.name in~ (
      "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
      "acrobat.exe", "acrord32.exe"
    )
  )

Detects non-browser, non-sync-client processes making outbound network connections to web services commonly abused as C2 channels (T1102). Matches on suspicious system utilities, scripting engines, or Office-spawned processes contacting pastebin, GitHub raw content, Google Drive, OneDrive, Dropbox, Discord, Telegram, Slack, Firebase, Notion, Gitee, or top4top.io. Uses ECS network event fields populated by Elastic Agent Endpoint or Winlogbeat with Sysmon.

high severity high confidence

Data Sources

Elastic Agent Endpoint Integration Winlogbeat with Sysmon module Elastic Defend (endpoint.events.network)

Required Tables

logs-endpoint.events.network-* winlogbeat-*

False Positives

Legitimate automation scripts using PowerShell or Python that interact with GitHub APIs or Google Drive as part of CI/CD pipelines or DevOps workflows on developer workstations.
Security tools such as EDR agents, vulnerability scanners, or SIEM forwarders that connect to cloud telemetry endpoints including googleapis.com or Firebase.
Custom in-house tooling using curl.exe or wget.exe that legitimately downloads configuration or updates from GitHub raw content or cloud storage buckets.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip,
  destinationip,
  destinationhostname,
  destinationport,
  username,
  "ProcessName",
  "CommandLine",
  "ParentProcessName"
FROM events
WHERE
  LOGSOURCENAME(logsourceid) LIKE '%Sysmon%'
  AND QIDNAME(qid) LIKE '%Network connection%'
  AND (
    LOWER(destinationhostname) LIKE '%pastebin.com%' OR
    LOWER(destinationhostname) LIKE '%paste.ee%' OR
    LOWER(destinationhostname) LIKE '%ghostbin.co%' OR
    LOWER(destinationhostname) LIKE '%api.github.com%' OR
    LOWER(destinationhostname) LIKE '%raw.githubusercontent.com%' OR
    LOWER(destinationhostname) LIKE '%gist.github.com%' OR
    LOWER(destinationhostname) LIKE '%graph.microsoft.com%' OR
    LOWER(destinationhostname) LIKE '%onedrive.live.com%' OR
    LOWER(destinationhostname) LIKE '%googleapis.com%' OR
    LOWER(destinationhostname) LIKE '%drive.google.com%' OR
    LOWER(destinationhostname) LIKE '%api.dropboxapi.com%' OR
    LOWER(destinationhostname) LIKE '%discord.com%' OR
    LOWER(destinationhostname) LIKE '%discordapp.com%' OR
    LOWER(destinationhostname) LIKE '%api.telegram.org%' OR
    LOWER(destinationhostname) LIKE '%slack.com%' OR
    LOWER(destinationhostname) LIKE '%firebaseio.com%' OR
    LOWER(destinationhostname) LIKE '%firebase.googleapis.com%' OR
    LOWER(destinationhostname) LIKE '%api.notion.so%' OR
    LOWER(destinationhostname) LIKE '%gitee.com%' OR
    LOWER(destinationhostname) LIKE '%top4top.io%'
  )
  AND LOWER("ProcessName") NOT LIKE '%chrome.exe%'
  AND LOWER("ProcessName") NOT LIKE '%firefox.exe%'
  AND LOWER("ProcessName") NOT LIKE '%msedge.exe%'
  AND LOWER("ProcessName") NOT LIKE '%iexplore.exe%'
  AND LOWER("ProcessName") NOT LIKE '%opera.exe%'
  AND LOWER("ProcessName") NOT LIKE '%brave.exe%'
  AND LOWER("ProcessName") NOT LIKE '%onedrive.exe%'
  AND LOWER("ProcessName") NOT LIKE '%googledrivesync.exe%'
  AND LOWER("ProcessName") NOT LIKE '%dropbox.exe%'
  AND LOWER("ProcessName") NOT LIKE '%slack.exe%'
  AND LOWER("ProcessName") NOT LIKE '%teams.exe%'
  AND LOWER("ProcessName") NOT LIKE '%discord.exe%'
  AND (
    LOWER("ProcessName") LIKE '%powershell.exe%' OR
    LOWER("ProcessName") LIKE '%pwsh.exe%' OR
    LOWER("ProcessName") LIKE '%cmd.exe%' OR
    LOWER("ProcessName") LIKE '%wscript.exe%' OR
    LOWER("ProcessName") LIKE '%cscript.exe%' OR
    LOWER("ProcessName") LIKE '%mshta.exe%' OR
    LOWER("ProcessName") LIKE '%rundll32.exe%' OR
    LOWER("ProcessName") LIKE '%regsvr32.exe%' OR
    LOWER("ProcessName") LIKE '%certutil.exe%' OR
    LOWER("ProcessName") LIKE '%bitsadmin.exe%' OR
    LOWER("ProcessName") LIKE '%curl.exe%' OR
    LOWER("ProcessName") LIKE '%wget.exe%' OR
    LOWER("ProcessName") LIKE '%python.exe%' OR
    LOWER("ProcessName") LIKE '%python3.exe%' OR
    LOWER("ProcessName") LIKE '%ruby.exe%' OR
    LOWER("ProcessName") LIKE '%perl.exe%' OR
    LOWER("ProcessName") LIKE '%node.exe%' OR
    LOWER("ParentProcessName") LIKE '%winword.exe%' OR
    LOWER("ParentProcessName") LIKE '%excel.exe%' OR
    LOWER("ParentProcessName") LIKE '%powerpnt.exe%' OR
    LOWER("ParentProcessName") LIKE '%outlook.exe%' OR
    LOWER("ParentProcessName") LIKE '%acrobat.exe%' OR
    LOWER("ParentProcessName") LIKE '%acrord32.exe%'
  )
ORDER BY starttime DESC
LAST 24 HOURS

QRadar AQL query detecting non-browser processes making outbound connections to web service domains commonly abused for C2 communications. Targets Sysmon network connection (EventCode=3) events enriched with process context via custom DSM properties. Excludes known legitimate sync clients and browsers while targeting scripting engines, system utilities, and Office-spawned processes. Note: ProcessName, ParentProcessName, and CommandLine are custom properties that must be extracted from Sysmon XML via a QRadar DSM extension or ALE rule.

high severity medium confidence

Data Sources

IBM QRadar SIEM Sysmon for Windows (via WinCollect agent or Universal DSM)

Required Tables

events (requires custom Sysmon DSM property extraction for ProcessName, CommandLine, ParentProcessName)

False Positives

Administrative PowerShell scripts legitimately querying Microsoft Graph API or OneDrive for inventory, user management, or SharePoint automation on managed endpoints.
Developer tools (node.exe, python.exe) on developer workstations making API calls to Firebase, Google APIs, or GitHub as part of legitimate software development activity.
Backup or sync agents not included in the exclusion list that use curl or Python to interact with cloud storage APIs such as Dropbox or Google Drive.

Sumo Logic CSE

sql

_sourceCategory=*sysmon* OR _sourceCategory=*windows/sysmon*
| where EventCode = "3"
| parse regex field=_raw "<Data Name='Image'>(?<Image>[^<]+)</Data>" nodrop
| parse regex field=_raw "<Data Name='ParentImage'>(?<ParentImage>[^<]+)</Data>" nodrop
| parse regex field=_raw "<Data Name='CommandLine'>(?<CommandLine>[^<]+)</Data>" nodrop
| parse regex field=_raw "<Data Name='ParentCommandLine'>(?<ParentCommandLine>[^<]+)</Data>" nodrop
| parse regex field=_raw "<Data Name='DestinationHostname'>(?<DestinationHostname>[^<]+)</Data>" nodrop
| parse regex field=_raw "<Data Name='DestinationIp'>(?<DestinationIp>[^<]+)</Data>" nodrop
| parse regex field=_raw "<Data Name='DestinationPort'>(?<DestinationPort>[^<]+)</Data>" nodrop
| parse regex field=_raw "<Data Name='User'>(?<User>[^<]+)</Data>" nodrop
| where DestinationHostname matches /(?i)(pastebin\.com|paste\.ee|ghostbin\.co|api\.github\.com|raw\.githubusercontent\.com|gist\.github\.com|graph\.microsoft\.com|onedrive\.live\.com|www\.googleapis\.com|drive\.google\.com|storage\.googleapis\.com|api\.dropboxapi\.com|content\.dropboxapi\.com|discord\.com|discordapp\.com|cdn\.discordapp\.com|api\.telegram\.org|slack\.com|api\.slack\.com|firebaseio\.com|firebase\.googleapis\.com|api\.notion\.so|gitee\.com|top4top\.io)/
| where !(Image matches /(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|opera\.exe|brave\.exe|OneDriveSetup\.exe|OneDrive\.exe|googledrivesync\.exe|dropbox\.exe|slack\.exe|teams\.exe|discord\.exe)/)
| if(Image matches /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)/, 1, 0) as SuspiciousProcess
| if(Image matches /(?i)(python\.exe|python3\.exe|ruby\.exe|perl\.exe|node\.exe)/, 1, 0) as ScriptingProcess
| if(ParentImage matches /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|acrobat\.exe|acrord32\.exe)/, 1, 0) as OfficeParent
| SuspiciousProcess * 3 + ScriptingProcess * 2 + OfficeParent * 4 as RiskScore
| where RiskScore > 0
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, DestinationHostname, DestinationIp, DestinationPort, SuspiciousProcess, ScriptingProcess, OfficeParent, RiskScore
| sort by RiskScore desc, _messageTime desc

Sumo Logic search query targeting Sysmon EventCode=3 (network connection) events to identify suspicious processes connecting to known web service C2 domains. Parses Sysmon XML fields inline using regex, applies process exclusions for browsers and sync clients, and calculates a risk score based on process type (suspicious utility=3pts, scripting engine=2pts, office-spawned parent=4pts). Only events with RiskScore > 0 are surfaced. Mirrors the SPL risk scoring logic.

high severity high confidence

Data Sources

Sumo Logic Installed Collector (Windows) Windows Event Logs — Sysmon Operational channel

Required Tables

Sumo Logic search index with _sourceCategory mapped to Sysmon or Windows event log sources

False Positives

PowerShell scripts used by IT operations teams to query Microsoft Graph API for user or device management and automated reporting tasks on managed endpoints.
Python-based monitoring agents on endpoints that push health metrics or application telemetry to Firebase, Google Cloud Monitoring, or similar cloud platforms.
Authorized penetration testing frameworks or security tooling that contacts GitHub raw content or Pastebin as part of a known red team engagement.

Google Chronicle / SecOps

yaral

rule t1102_web_service_c2_network_connection {
  meta:
    author = "detection-engineering"
    description = "Detects non-browser processes initiating outbound network connections to web service domains known to be abused as C2 channels (MITRE T1102)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Command-And-Control"
    mitre_attack_technique = "T1102"
    mitre_attack_subtechnique = "T1102.002"
    platforms = "Windows"
    tags = "c2, web-service, t1102, network"

  events:
    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.target.hostname = /(?i)(pastebin\.com|paste\.ee|ghostbin\.co|api\.github\.com|raw\.githubusercontent\.com|gist\.github\.com|graph\.microsoft\.com|onedrive\.live\.com|api\.onedrive\.com|www\.googleapis\.com|drive\.google\.com|storage\.googleapis\.com|api\.dropboxapi\.com|content\.dropboxapi\.com|discord\.com|discordapp\.com|cdn\.discordapp\.com|api\.telegram\.org|slack\.com|api\.slack\.com|firebaseio\.com|firebase\.googleapis\.com|api\.notion\.so|gitee\.com|top4top\.io)/
    not $net.principal.process.file.full_path = /(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|safari\.exe|opera\.exe|brave\.exe|OneDriveSetup\.exe|OneDrive\.exe|googledrivesync\.exe|dropbox\.exe|slack\.exe|teams\.exe|discord\.exe)/
    (
      $net.principal.process.file.full_path = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe|python\.exe|python3\.exe|ruby\.exe|perl\.exe|node\.exe)/
      or
      $net.principal.process.parent_process.file.full_path = /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|acrobat\.exe|acrord32\.exe)/
    )

  condition:
    $net
}

Chronicle YARA-L 2.0 rule detecting NETWORK_CONNECTION UDM events where a non-browser process connects to known web service domains abused as C2 channels (T1102). Targets suspicious system utilities and scripting interpreters (PowerShell, cmd, wscript, cscript, mshta, certutil, curl, wget, Python, Ruby, Perl, Node.js) and processes spawned by Microsoft Office or Adobe Acrobat making outbound connections to abuse-prone cloud service domains.

high severity high confidence

Data Sources

Google Chronicle SIEM Sysmon Windows Events (via Chronicle forwarder or BindPlane) CrowdStrike Falcon (via Chronicle integration) Carbon Black (via Chronicle integration)

Required Tables

UDM events with metadata.event_type = NETWORK_CONNECTION and principal.process fields populated

False Positives

Legitimate curl.exe or wget.exe usage in scheduled tasks or administrative scripts that download configuration or software updates from GitHub raw content or cloud storage providers.
Python or Node.js development toolchains on developer machines that routinely contact Firebase, Google APIs, Slack webhooks, or npm registries for dependency resolution or build processes.
IT automation using PowerShell to interact with Microsoft Graph API, OneDrive, or SharePoint Online for user provisioning, license reporting, or file management workflows.

CrowdStrike LogScale (CQL)

cql

#event_simpleName = DnsRequest
| DomainName = /pastebin\.com|paste\.ee|ghostbin\.co|api\.github\.com|raw\.githubusercontent\.com|gist\.github\.com|graph\.microsoft\.com|onedrive\.live\.com|api\.onedrive\.com|www\.googleapis\.com|drive\.google\.com|storage\.googleapis\.com|api\.dropboxapi\.com|content\.dropboxapi\.com|discord\.com|discordapp\.com|cdn\.discordapp\.com|api\.telegram\.org|slack\.com|api\.slack\.com|firebaseio\.com|firebase\.googleapis\.com|api\.notion\.so|gitee\.com|top4top\.io/i
| ContextBaseFileName != /chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|safari\.exe|opera\.exe|brave\.exe|OneDriveSetup\.exe|OneDrive\.exe|googledrivesync\.exe|dropbox\.exe|slack\.exe|MicrosoftTeams\.exe|Discord\.exe/i
| ContextBaseFileName = /powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe|python\.exe|python3\.exe|ruby\.exe|perl\.exe|node\.exe/i
| groupBy(
    [ComputerName, UserName, ContextBaseFileName, DomainName],
    function=[
      count(as=QueryCount),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
| sort(QueryCount, order=desc)

CrowdStrike LogScale CQL query detecting DnsRequest events from suspicious non-browser processes resolving known web service C2 domains. Filters DNS queries originating from scripting engines and system utilities (PowerShell, cmd, wscript, certutil, curl, wget, Python, Node.js, etc.) while excluding known browsers and sync clients. Groups results by host, user, process, and resolved domain to surface high-frequency or repeated lookups indicative of active C2 beacon polling. ContextBaseFileName carries the process name field in Falcon DnsRequest events.

high severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike LogScale (formerly Humio)

Required Tables

Falcon telemetry stream with #event_simpleName = DnsRequest

False Positives

PowerShell scripts used in endpoint management platforms (SCCM, Intune, Ansible) that resolve Microsoft Graph API or cloud service endpoints for configuration management or device compliance reporting.
Python-based devops tooling on build servers that resolves googleapis.com, Firebase, or npm CDN domains as part of legitimate CI/CD pipelines and dependency installation.
Node.js applications running as Windows services that legitimately resolve Slack, Discord webhook, or Firebase endpoints for operational alerting or application telemetry reporting.

Sigma rule & cross-platform mapping

The detection logic for Web Service (T1102) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1102 Sigma rules on detection.fyi

Platform-specific guides for T1102

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-14 Research depth: deep

References (5)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1PowerShell Dead Drop Resolver via Pastebin
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Net.WebClient' and 'pastebin.com'. Sysmon Event ID 3: Network Connection to pastebin.com on port 443. Sysmon Event ID 22: DNS query for pastebin.com. PowerShell ScriptBlock Log Event ID 4104 with the full command.
Test 2Simulated OneDrive C2 Channel via Microsoft Graph API
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-RestMethod' and 'graph.microsoft.com'. Sysmon Event ID 3: Network Connection to graph.microsoft.com on port 443. Sysmon Event ID 22: DNS query for graph.microsoft.com.
Test 3Curl-based GitHub Raw Content Retrieval (Linux/macOS)
Expected signal: Syslog/auditd: execve syscall for curl with arguments containing raw.githubusercontent.com. Network connection to 185.199.x.x (GitHub CDN) on port 443. Linux audit log: SYSCALL record with comm=curl, SOCKADDR with dest IP. File creation at /tmp/df00tech-test-payload.txt.
Test 4Discord Webhook C2 Simulation
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'discord.com' and 'Invoke-RestMethod'. Sysmon Event ID 3: Network Connection to discord.com port 443. Sysmon Event ID 22: DNS query for discord.com. The request will fail with HTTP 401/404 but the network telemetry will still be generated.
Test 5Python-based Telegram Bot API C2 Simulation
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'api.telegram.org'. Sysmon Event ID 3: Network Connection to api.telegram.org port 443. Sysmon Event ID 22: DNS query for api.telegram.org. The request will return HTTP 401 (invalid token) but network telemetry is generated.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1102 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Web Service

What is T1102 Web Service?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1102

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (3)

Related Techniques

Same Tactic: Command and Control

Popular Detections

What is T1102 Web Service?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1102

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (3)

Related Techniques

Same Tactic: Command and Control

Popular Detections

Get new detections in your inbox