T1102.001

Dead Drop Resolver

Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries post content (dead drop resolvers) on services like Pastebin, GitHub, Twitter, Google Docs, YouTube, or Microsoft TechNet with embedded and often obfuscated or encoded domains or IP addresses. Infected victims reach out to these resolvers to obtain real C2 server addresses, allowing attackers to change infrastructure dynamically while hiding behind trusted domains. This technique leverages the legitimacy and SSL/TLS encryption of popular web services to blend into normal network traffic and protect back-end C2 infrastructure from discovery through malware binary analysis.

Microsoft Sentinel / Defender

kusto

let DeadDropDomains = dynamic([
  "pastebin.com", "pastebin.pl", "paste.ee", "hastebin.com",
  "github.com", "raw.githubusercontent.com", "gist.github.com",
  "twitter.com", "api.twitter.com", "t.co",
  "docs.google.com", "drive.google.com", "sites.google.com",
  "youtube.com", "youtu.be",
  "technet.microsoft.com", "social.technet.microsoft.com",
  "livejournal.com",
  "imgur.com", "i.imgur.com",
  "reddit.com", "old.reddit.com",
  "cloudflare.com", "workers.dev",
  "amazonaws.com", "s3.amazonaws.com",
  "onedrive.live.com", "sharepoint.com",
  "notion.so", "trello.com",
  "discord.com", "discordapp.com",
  "telegram.org", "t.me"
]);
let SuspiciousProcesses = dynamic([
  "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
  "curl.exe", "wget.exe", "bitsadmin.exe"
]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (DeadDropDomains)
| where InitiatingProcessFileName in~ (SuspiciousProcesses)
    or (InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe", "safari.exe", "outlook.exe", "teams.exe", "slack.exe", "onedrive.exe", "dropbox.exe", "svchost.exe"))
| extend IsKnownBrowser = InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe")
| extend IsSuspiciousProcess = InitiatingProcessFileName in~ (SuspiciousProcesses)
| extend PastebinAccess = RemoteUrl has_any ("pastebin.com", "pastebin.pl", "paste.ee", "hastebin.com")
| extend GitHubRawAccess = RemoteUrl has_any ("raw.githubusercontent.com", "gist.github.com")
| extend SocialMediaAccess = RemoteUrl has_any ("twitter.com", "api.twitter.com", "reddit.com")
| extend CloudStorageAccess = RemoteUrl has_any ("amazonaws.com", "onedrive.live.com", "sharepoint.com", "docs.google.com", "drive.google.com")
| project Timestamp, DeviceName, AccountName,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName,
         RemoteUrl, RemoteIP, RemotePort, RemoteIPType,
         IsKnownBrowser, IsSuspiciousProcess,
         PastebinAccess, GitHubRawAccess, SocialMediaAccess, CloudStorageAccess
| sort by Timestamp desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Microsoft Defender for Endpoint DeviceNetworkEvents

Required Tables

DeviceNetworkEvents

False Positives

Legitimate developer tooling (git clients, CI/CD agents, IDEs) making programmatic requests to GitHub APIs or raw content URLs
Software update mechanisms or package managers (npm, pip, Chocolatey) resolving dependencies from GitHub or cloud storage
IT automation scripts (Ansible, Chef, Puppet, Terraform) using PowerShell or cmd.exe to fetch configuration data from cloud services like S3 or SharePoint
Security monitoring agents or vulnerability scanners that fetch IOC feeds or configuration from Pastebin-like services
Corporate applications that legitimately integrate with Google Drive, SharePoint, or OneDrive using background service processes

Splunk

spl

index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3)
OR (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22)
| eval TargetHost=coalesce(DestinationHostname, QueryName)
| eval InitiatingProcess=lower(coalesce(Image, ""))
| where match(TargetHost, "(pastebin\.com|pastebin\.pl|paste\.ee|hastebin\.com|raw\.githubusercontent\.com|gist\.github\.com|api\.twitter\.com|docs\.google\.com|drive\.google\.com|youtube\.com|livejournal\.com|imgur\.com|reddit\.com|workers\.dev|amazonaws\.com|notion\.so|discord\.com|t\.me|technet\.microsoft\.com)")
| eval IsSuspiciousProcess=if(match(InitiatingProcess, "(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|curl\.exe|wget\.exe|bitsadmin\.exe|python\.exe|python3\.exe|perl\.exe|ruby\.exe|java\.exe|msiexec\.exe)"), 1, 0)
| eval IsKnownBrowser=if(match(InitiatingProcess, "(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|safari\.exe)"), 1, 0)
| eval IsPastebin=if(match(TargetHost, "(pastebin\.com|pastebin\.pl|paste\.ee|hastebin\.com)"), 1, 0)
| eval IsGitHubRaw=if(match(TargetHost, "(raw\.githubusercontent\.com|gist\.github\.com)"), 1, 0)
| eval IsSocialMedia=if(match(TargetHost, "(api\.twitter\.com|reddit\.com|livejournal\.com)"), 1, 0)
| eval IsCloudStorage=if(match(TargetHost, "(amazonaws\.com|docs\.google\.com|drive\.google\.com|onedrive\.live\.com|sharepoint\.com)"), 1, 0)
| eval RiskScore=IsSuspiciousProcess + IsPastebin + IsGitHubRaw + IsSocialMedia + IsCloudStorage
| where IsSuspiciousProcess=1 OR (IsKnownBrowser=0 AND RiskScore > 0)
| table _time, host, User, InitiatingProcess, ParentImage, CommandLine, ParentCommandLine, TargetHost, DestinationIp, DestinationPort, IsSuspiciousProcess, IsKnownBrowser, IsPastebin, IsGitHubRaw, IsSocialMedia, IsCloudStorage, RiskScore
| sort - _time

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: DNS Query Sysmon Event ID 3 Sysmon Event ID 22

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate developer tooling (git clients, CI/CD agents, IDEs) making programmatic requests to GitHub APIs or raw content URLs
Software update mechanisms or package managers (npm, pip, Chocolatey) resolving dependencies from GitHub or cloud storage
IT automation scripts using PowerShell or scripting languages to fetch configuration data from cloud services
Security monitoring agents fetching threat intelligence or IOC feeds from paste sites
Developer workstations running scripts that interact with GitHub, AWS S3, or Google APIs as part of normal workflow

Elastic Security (EQL)

eql

sequence by host.id, process.entity_id with maxspan=30s
  [network where event.type == "connection" and
   network.direction == "egress" and
   (
     destination.domain : ("pastebin.com", "pastebin.pl", "paste.ee", "hastebin.com",
                            "raw.githubusercontent.com", "gist.github.com",
                            "api.twitter.com", "t.co",
                            "docs.google.com", "drive.google.com", "sites.google.com",
                            "youtube.com", "youtu.be",
                            "technet.microsoft.com", "social.technet.microsoft.com",
                            "livejournal.com", "imgur.com", "i.imgur.com",
                            "reddit.com", "old.reddit.com",
                            "workers.dev", "amazonaws.com", "s3.amazonaws.com",
                            "onedrive.live.com", "sharepoint.com",
                            "notion.so", "trello.com",
                            "discord.com", "discordapp.com",
                            "telegram.org", "t.me")
   ) and
   not process.name : ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe",
                        "opera.exe", "brave.exe", "safari.exe", "outlook.exe",
                        "teams.exe", "slack.exe", "onedrive.exe", "dropbox.exe", "svchost.exe") and
   (
     process.name : ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                     "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                     "curl.exe", "wget.exe", "bitsadmin.exe", "python.exe",
                     "python3.exe", "perl.exe", "ruby.exe", "java.exe", "msiexec.exe")
     or not process.name : ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe",
                             "opera.exe", "brave.exe", "safari.exe")
   )
  ]

high severity medium confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent network events

Required Tables

logs-endpoint.events.network-* logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate automation scripts or CI/CD pipelines fetching configuration from GitHub raw content or Pastebin during deployment
Developer tools (e.g., npm, pip, cargo) resolving package metadata or configuration hosted on cloud platforms
Security tooling or EDR agents performing threat intelligence lookups against paste sites or GitHub-hosted IOC lists

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip,
  destinationip,
  destinationport,
  username,
  URL,
  LOGSOURCENAME(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS EventCategory,
  "ApplicationProtocol",
  devicehostname AS HostName,
  LOGSOURCETYPEID(logsourceid) AS SourceType,
  CASE
    WHEN URL MATCHES '(?i).*(pastebin\.com|pastebin\.pl|paste\.ee|hastebin\.com).*' THEN 1
    ELSE 0
  END AS IsPastebin,
  CASE
    WHEN URL MATCHES '(?i).*(raw\.githubusercontent\.com|gist\.github\.com).*' THEN 1
    ELSE 0
  END AS IsGitHubRaw,
  CASE
    WHEN URL MATCHES '(?i).*(api\.twitter\.com|reddit\.com|livejournal\.com).*' THEN 1
    ELSE 0
  END AS IsSocialMedia,
  CASE
    WHEN URL MATCHES '(?i).*(amazonaws\.com|docs\.google\.com|drive\.google\.com|onedrive\.live\.com|sharepoint\.com).*' THEN 1
    ELSE 0
  END AS IsCloudStorage,
  CASE
    WHEN "Process Name" MATCHES '(?i).*(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|curl\.exe|wget\.exe|bitsadmin\.exe|python\.exe|python3\.exe|java\.exe|msiexec\.exe).*' THEN 1
    ELSE 0
  END AS IsSuspiciousProcess
FROM events
WHERE
  starttime > NOW() - 1 DAYS
  AND (
    URL MATCHES '(?i).*(pastebin\.com|pastebin\.pl|paste\.ee|hastebin\.com|raw\.githubusercontent\.com|gist\.github\.com|api\.twitter\.com|t\.co|docs\.google\.com|drive\.google\.com|sites\.google\.com|youtube\.com|technet\.microsoft\.com|livejournal\.com|imgur\.com|reddit\.com|workers\.dev|amazonaws\.com|s3\.amazonaws\.com|onedrive\.live\.com|sharepoint\.com|notion\.so|trello\.com|discord\.com|discordapp\.com|telegram\.org|t\.me).*'
  )
  AND (
    "Process Name" MATCHES '(?i).*(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|curl\.exe|wget\.exe|bitsadmin\.exe|python\.exe|python3\.exe|perl\.exe|ruby\.exe|java\.exe|msiexec\.exe).*'
    OR NOT "Process Name" MATCHES '(?i).*(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|safari\.exe|outlook\.exe|teams\.exe|slack\.exe|onedrive\.exe|dropbox\.exe|svchost\.exe).*'
  )
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

QRadar Network Activity (flows) Windows Security Event Log via WinCollect Sysmon via WinCollect Endpoint Detection sources

Required Tables

events

False Positives

Automated patch management or configuration management tools (Ansible, Chef, Puppet) fetching playbooks or configs from GitHub or cloud storage
Java-based enterprise applications (JIRA, Confluence) making API calls to cloud services using java.exe as the initiating process
Python-based monitoring or DevOps scripts legitimately querying cloud APIs from servers

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| where _raw matches /(?i)(pastebin\.com|pastebin\.pl|paste\.ee|hastebin\.com|raw\.githubusercontent\.com|gist\.github\.com|api\.twitter\.com|t\.co|docs\.google\.com|drive\.google\.com|sites\.google\.com|youtube\.com|technet\.microsoft\.com|livejournal\.com|imgur\.com|reddit\.com|workers\.dev|amazonaws\.com|s3\.amazonaws\.com|onedrive\.live\.com|sharepoint\.com|notion\.so|trello\.com|discord\.com|discordapp\.com|telegram\.org|t\.me)/
| parse regex field=_raw "(?i)Image:\s*(?<ProcessImage>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)DestinationHostname:\s*(?<DestHost>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)QueryName:\s*(?<QueryName>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)CommandLine:\s*(?<CommandLine>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)ParentImage:\s*(?<ParentImage>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)User:\s*(?<User>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)DestinationIp:\s*(?<DestIP>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)DestinationPort:\s*(?<DestPort>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)Computer:\s*(?<Computer>[^\r\n]+)" nodrop
| eval TargetHost = if (!isNull(DestHost) && DestHost != "", DestHost, QueryName)
| eval ProcessName = toLowerCase(if (!isNull(ProcessImage), ProcessImage, ""))
| eval IsSuspiciousProcess = if (ProcessName matches /.*?(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|curl\.exe|wget\.exe|bitsadmin\.exe|python\.exe|python3\.exe|perl\.exe|ruby\.exe|java\.exe|msiexec\.exe).*/, 1, 0)
| eval IsKnownBrowser = if (ProcessName matches /.*?(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|safari\.exe).*/, 1, 0)
| eval IsPastebin = if (TargetHost matches /.*?(pastebin\.com|pastebin\.pl|paste\.ee|hastebin\.com).*/, 1, 0)
| eval IsGitHubRaw = if (TargetHost matches /.*?(raw\.githubusercontent\.com|gist\.github\.com).*/, 1, 0)
| eval IsSocialMedia = if (TargetHost matches /.*?(api\.twitter\.com|t\.co|reddit\.com|livejournal\.com).*/, 1, 0)
| eval IsCloudStorage = if (TargetHost matches /.*?(amazonaws\.com|docs\.google\.com|drive\.google\.com|onedrive\.live\.com|sharepoint\.com).*/, 1, 0)
| eval IsDiscordTelegram = if (TargetHost matches /.*?(discord\.com|discordapp\.com|telegram\.org|t\.me).*/, 1, 0)
| eval RiskScore = IsSuspiciousProcess + IsPastebin + IsGitHubRaw + IsSocialMedia + IsCloudStorage + IsDiscordTelegram
| where IsSuspiciousProcess = 1 or (IsKnownBrowser = 0 and RiskScore > 0)
| fields _messageTime, Computer, User, ProcessName, ProcessImage, ParentImage, CommandLine, TargetHost, DestIP, DestPort, IsSuspiciousProcess, IsKnownBrowser, IsPastebin, IsGitHubRaw, IsSocialMedia, IsCloudStorage, IsDiscordTelegram, RiskScore
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sysmon via Windows Event Log collector CrowdStrike Falcon Data Replicator Carbon Black Cloud Windows Security Events

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon* _sourceCategory=*endpoint*

False Positives

Software update mechanisms using curl.exe or PowerShell to download update manifests from GitHub releases or cloud storage buckets
Legitimate penetration testing tooling or red team infrastructure running from test endpoints
IT automation scripts (e.g., PowerShell DSC, Ansible WinRM) fetching configuration from SharePoint or OneDrive during scheduled maintenance

Google Chronicle / SecOps

yaral

rule dead_drop_resolver_t1102_001 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1102.001 Dead Drop Resolver - suspicious or non-browser processes contacting known paste sites, raw GitHub, social media APIs, and cloud storage used as C2 dead drop resolvers"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1102.001"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.metadata.product_event_type != "browser_navigation"

    // Match dead drop resolver domains
    (
      $e.target.hostname = /(?i)(pastebin\.com|pastebin\.pl|paste\.ee|hastebin\.com)/ or
      $e.target.hostname = /(?i)(raw\.githubusercontent\.com|gist\.github\.com)/ or
      $e.target.hostname = /(?i)(api\.twitter\.com|t\.co|twitter\.com)/ or
      $e.target.hostname = /(?i)(docs\.google\.com|drive\.google\.com|sites\.google\.com)/ or
      $e.target.hostname = /(?i)(youtube\.com|youtu\.be)/ or
      $e.target.hostname = /(?i)(technet\.microsoft\.com|social\.technet\.microsoft\.com)/ or
      $e.target.hostname = /(?i)(livejournal\.com|imgur\.com|i\.imgur\.com)/ or
      $e.target.hostname = /(?i)(reddit\.com|old\.reddit\.com)/ or
      $e.target.hostname = /(?i)(workers\.dev|cloudflare\.com)/ or
      $e.target.hostname = /(?i)(amazonaws\.com|s3\.amazonaws\.com)/ or
      $e.target.hostname = /(?i)(onedrive\.live\.com|sharepoint\.com)/ or
      $e.target.hostname = /(?i)(notion\.so|trello\.com)/ or
      $e.target.hostname = /(?i)(discord\.com|discordapp\.com)/ or
      $e.target.hostname = /(?i)(telegram\.org|t\.me)/
    )

    // Must be initiated by suspicious process OR not a known browser/trusted app
    (
      $e.principal.process.file.full_path = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|curl\.exe|wget\.exe|bitsadmin\.exe|python\.exe|python3\.exe|perl\.exe|ruby\.exe|java\.exe|msiexec\.exe)/ or
      (
        not $e.principal.process.file.full_path = /(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|safari\.exe|outlook\.exe|teams\.exe|slack\.exe|onedrive\.exe|dropbox\.exe|svchost\.exe)/
      )
    )

    $hostname = $e.principal.hostname
    $process = $e.principal.process.file.full_path
    $target = $e.target.hostname
    $user = $e.principal.user.userid

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle UDM Endpoint telemetry (CrowdStrike, Carbon Black, SentinelOne via Chronicle ingestion) Sysmon via Chronicle Windows forwarder Network telemetry

Required Tables

NETWORK_CONNECTION UDM events

False Positives

Cloud-native application runtimes (java.exe for enterprise Java apps) legitimately reaching cloud storage endpoints for configuration or licensing
PowerShell-based administrative automation in Azure environments interacting with SharePoint or OneDrive via Microsoft Graph
Containerized workloads running python or curl to pull configurations from S3 buckets during legitimate infrastructure bootstrapping

CrowdStrike LogScale (CQL)

cql

// Dead Drop Resolver Detection - T1102.001
// Detect suspicious processes making DNS or network connections to known dead drop platforms

#event_simpleName = /^(DnsRequest|NetworkConnectIP4|NetworkConnectIP6)$/
| DomainName = /(?i)(pastebin\.com|pastebin\.pl|paste\.ee|hastebin\.com|raw\.githubusercontent\.com|gist\.github\.com|api\.twitter\.com|t\.co|docs\.google\.com|drive\.google\.com|sites\.google\.com|youtube\.com|youtu\.be|technet\.microsoft\.com|livejournal\.com|imgur\.com|i\.imgur\.com|reddit\.com|old\.reddit\.com|workers\.dev|cloudflare\.com|amazonaws\.com|s3\.amazonaws\.com|onedrive\.live\.com|sharepoint\.com|notion\.so|trello\.com|discord\.com|discordapp\.com|telegram\.org|t\.me)/
| ImageFileName = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|curl\.exe|wget\.exe|bitsadmin\.exe|python\.exe|python3\.exe|perl\.exe|ruby\.exe|java\.exe|msiexec\.exe)/
  OR (
    NOT ImageFileName = /(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|safari\.exe|outlook\.exe|teams\.exe|slack\.exe|onedrive\.exe|dropbox\.exe|svchost\.exe)/
  )
| eval IsSuspiciousProcess = if(ImageFileName = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|curl\.exe|wget\.exe|bitsadmin\.exe|python\.exe|python3\.exe|perl\.exe|ruby\.exe|java\.exe|msiexec\.exe)/, "true", "false")
| eval IsKnownBrowser = if(ImageFileName = /(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|safari\.exe)/, "true", "false")
| eval IsPastebin = if(DomainName = /(?i)(pastebin\.com|pastebin\.pl|paste\.ee|hastebin\.com)/, "true", "false")
| eval IsGitHubRaw = if(DomainName = /(?i)(raw\.githubusercontent\.com|gist\.github\.com)/, "true", "false")
| eval IsSocialMedia = if(DomainName = /(?i)(api\.twitter\.com|t\.co|reddit\.com|livejournal\.com)/, "true", "false")
| eval IsCloudStorage = if(DomainName = /(?i)(amazonaws\.com|docs\.google\.com|drive\.google\.com|onedrive\.live\.com|sharepoint\.com)/, "true", "false")
| eval IsDiscordTelegram = if(DomainName = /(?i)(discord\.com|discordapp\.com|telegram\.org|t\.me)/, "true", "false")
| table([@timestamp, ComputerName, UserName, ImageFileName, ParentBaseFileName, CommandLine, DomainName, RemoteAddressIP4, RemotePort, IsSuspiciousProcess, IsKnownBrowser, IsPastebin, IsGitHubRaw, IsSocialMedia, IsCloudStorage, IsDiscordTelegram])
| sort(@timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Sensor (DnsRequest events) CrowdStrike Falcon Sensor (NetworkConnectIP4/6 events) Falcon Data Replicator (FDR)

Required Tables

DnsRequest NetworkConnectIP4 NetworkConnectIP6

False Positives

PowerShell-based deployment pipelines in CI/CD environments pulling deployment artifacts or secrets from S3 or SharePoint
Legitimate Discord or Telegram desktop clients showing as non-browser processes while end users communicate via these platforms
Java enterprise applications with embedded HTTP clients calling cloud APIs for telemetry, licensing, or configuration synchronization

Last updated: 2026-04-13 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1102.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Dead Drop Resolver

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Command and Control

Popular Detections