T1102.002

Bidirectional Communication

Adversaries may use an existing, legitimate external web service as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and cloud storage platforms (Google Drive, OneDrive, Dropbox, GitHub, Pastebin, Twitter, Google Calendar) to host C2 instructions and receive command output. This technique is particularly evasive because traffic blends with legitimate business use of these services, which are commonly accessed prior to compromise and protected with SSL/TLS encryption.

Microsoft Sentinel / Defender

kusto

let WebServiceDomains = dynamic([
  "api.dropboxapi.com", "content.dropboxapi.com", "dropbox.com",
  "onedrive.live.com", "graph.microsoft.com", "sharepoint.com",
  "drive.google.com", "docs.google.com", "googleapis.com", "calendar.google.com",
  "api.github.com", "raw.githubusercontent.com", "gist.github.com",
  "pastebin.com", "paste.ee", "ghostbin.com", "hastebin.com",
  "api.twitter.com", "twitter.com", "t.co",
  "api.telegram.org", "discord.com", "discordapp.com",
  "slack.com", "api.slack.com",
  "technet.microsoft.com", "notion.so", "trello.com",
  "pcloud.com", "box.com", "mediafire.com", "yandex.com",
  "sites.google.com", "blogspot.com", "wordpress.com"
]);
let SuspiciousProcesses = dynamic([
  "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
  "python.exe", "python3.exe", "pythonw.exe",
  "curl.exe", "wget.exe", "bitsadmin.exe"
]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (WebServiceDomains) or RemoteIPType == "Public"
| where InitiatingProcessFileName has_any (SuspiciousProcesses)
| extend IsCloudStorage = RemoteUrl has_any ("dropbox.com", "onedrive.live.com", "drive.google.com", "sharepoint.com", "box.com", "pcloud.com")
| extend IsPasteSite = RemoteUrl has_any ("pastebin.com", "paste.ee", "ghostbin.com", "hastebin.com", "gist.github.com")
| extend IsSocialMedia = RemoteUrl has_any ("twitter.com", "api.twitter.com", "t.co", "blogspot.com", "discord.com")
| extend IsDevPlatform = RemoteUrl has_any ("api.github.com", "raw.githubusercontent.com", "gist.github.com")
| extend IsMessaging = RemoteUrl has_any ("api.telegram.org", "slack.com", "api.slack.com")
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | project ProcessTimestamp=Timestamp, DeviceName, InitiatingProcessId=ProcessId,
              ProcessCommandLine, InitiatingProcessCommandLine,
              InitiatingProcessParentFileName
) on DeviceName, $left.InitiatingProcessId == $right.InitiatingProcessId
| extend SuspiciousCmdLine = InitiatingProcessCommandLine has_any (
    "-enc", "-EncodedCommand", "DownloadString", "Invoke-Expression", "IEX",
    "Net.WebClient", "Invoke-WebRequest", "Start-BitsTransfer",
    "[Convert]::FromBase64", "frombase64", "base64"
)
| where IsCloudStorage or IsPasteSite or IsSocialMedia or IsDevPlatform or IsMessaging
| project Timestamp, DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          RemoteUrl, RemoteIP, RemotePort,
          IsCloudStorage, IsPasteSite, IsSocialMedia, IsDevPlatform, IsMessaging,
          SuspiciousCmdLine, InitiatingProcessParentFileName
| sort by Timestamp desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents DeviceProcessEvents

False Positives

Legitimate IT automation scripts using PowerShell to interact with OneDrive, SharePoint, or Microsoft Graph API for business purposes
Developer workstations using curl, Python, or PowerShell to access GitHub APIs, Pastebin, or other development resources
Backup and sync agents or IT tools that legitimately upload/download files from Dropbox, OneDrive, or Google Drive
Security tools or monitoring scripts that use Pastebin or GitHub to pull configuration data or threat intelligence feeds
Collaboration tools (Slack, Teams, Discord) that spawn browser processes or helper utilities to handle webhooks or integrations

Splunk

spl

index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3)
| eval Image=lower(Image), DestinationHostname=lower(DestinationHostname)
| eval IsCloudStorage=if(match(DestinationHostname, "(dropbox\.com|onedrive\.live\.com|drive\.google\.com|sharepoint\.com|box\.com|pcloud\.com|graph\.microsoft\.com)"), 1, 0)
| eval IsPasteSite=if(match(DestinationHostname, "(pastebin\.com|paste\.ee|ghostbin\.com|hastebin\.com|gist\.github\.com)"), 1, 0)
| eval IsSocialMedia=if(match(DestinationHostname, "(twitter\.com|api\.twitter\.com|t\.co|blogspot\.com|discord\.com|discordapp\.com)"), 1, 0)
| eval IsDevPlatform=if(match(DestinationHostname, "(api\.github\.com|raw\.githubusercontent\.com|gist\.github\.com)"), 1, 0)
| eval IsMessaging=if(match(DestinationHostname, "(api\.telegram\.org|slack\.com|api\.slack\.com)"), 1, 0)
| eval IsWebServiceC2Target=IsCloudStorage+IsPasteSite+IsSocialMedia+IsDevPlatform+IsMessaging
| where IsWebServiceC2Target > 0
| eval IsSuspiciousProcess=if(match(Image, "(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|python.*\.exe|curl\.exe|wget\.exe|bitsadmin\.exe)"), 1, 0)
| where IsSuspiciousProcess=1
| eval ServiceType=case(
    IsCloudStorage=1, "CloudStorage",
    IsPasteSite=1, "PasteSite",
    IsSocialMedia=1, "SocialMedia",
    IsDevPlatform=1, "DevPlatform",
    IsMessaging=1, "Messaging",
    true(), "Unknown"
)
| lookup dnslookup clienthost AS DestinationIp OUTPUT clientip AS ResolvedIP
| stats count AS ConnectionCount,
        values(DestinationHostname) AS Destinations,
        values(DestinationPort) AS Ports,
        values(ServiceType) AS ServiceTypes,
        earliest(_time) AS FirstSeen,
        latest(_time) AS LastSeen
    by host, User, Image, ProcessId, ParentImage
| where ConnectionCount >= 1
| eval Duration=LastSeen-FirstSeen
| sort - ConnectionCount

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate IT automation scripts using PowerShell to interact with OneDrive, SharePoint, or Microsoft Graph API for business purposes
Developer workstations using curl, Python, or PowerShell to access GitHub APIs, Pastebin, or other development resources
Backup and sync agents or IT tools that legitimately upload/download files from Dropbox, OneDrive, or Google Drive
Security tools or monitoring scripts that use Pastebin or GitHub to pull configuration data or threat intelligence feeds
Collaboration tools or browser extensions spawning system utilities to handle webhooks or integrations

Elastic Security (EQL)

eql

sequence by host.name, process.pid with maxspan=5m
  [process where event.category == "process" and event.type == "start" and
    process.name in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                      "python.exe", "python3.exe", "pythonw.exe",
                      "curl.exe", "wget.exe", "bitsadmin.exe")]
  [network where event.category == "network" and event.type in ("start", "connection") and
    destination.domain : (
      "*.dropbox.com", "*.onedrive.live.com", "*.drive.google.com",
      "*.sharepoint.com", "*.box.com", "*.pcloud.com", "*.graph.microsoft.com",
      "*.pastebin.com", "*.paste.ee", "*.ghostbin.com", "*.hastebin.com",
      "*.gist.github.com", "*.api.github.com", "*.raw.githubusercontent.com",
      "*.twitter.com", "*.t.co", "*.blogspot.com",
      "*.discord.com", "*.discordapp.com", "*.api.telegram.org",
      "*.slack.com", "*.api.slack.com", "*.notion.so", "*.trello.com",
      "*.wordpress.com", "*.mediafire.com", "*.yandex.com",
      "*.sites.google.com", "*.technet.microsoft.com"
    )
  ]

high severity high confidence

Data Sources

Elastic Endpoint Security agent (ECS process and network events) Winlogbeat with Sysmon module (process and network event types) Auditbeat (Linux process and network activity)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* winlogbeat-*

False Positives

IT administrators running sanctioned PowerShell scripts that sync files to SharePoint or OneDrive as part of business continuity or data migration projects
Developers using curl.exe or python.exe in CI/CD automation pipelines that legitimately call GitHub APIs for build artifact management or package fetching
Security endpoint agents and monitoring tools that use certutil.exe for certificate management and simultaneously communicate with Microsoft graph.microsoft.com
Enterprise collaboration integrations where scheduled tasks or RMM agents use cmd.exe or wscript.exe to push status updates to Slack or Trello webhook endpoints

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  "ImageFileName" AS ProcessImage,
  "CommandLine" AS CommandLine,
  "DestinationHostname" AS DestHostname,
  destinationip AS DestIP,
  LONG(destinationport) AS DestPort,
  LOGSOURCETYPENAME(logsourceid) AS LogSourceType,
  QIDNAME(qid) AS EventName,
  CASE
    WHEN LOWER("DestinationHostname") LIKE '%dropbox.com%'
      OR LOWER("DestinationHostname") LIKE '%onedrive.live.com%'
      OR LOWER("DestinationHostname") LIKE '%drive.google.com%'
      OR LOWER("DestinationHostname") LIKE '%sharepoint.com%'
      OR LOWER("DestinationHostname") LIKE '%box.com%'
      OR LOWER("DestinationHostname") LIKE '%pcloud.com%'
      OR LOWER("DestinationHostname") LIKE '%graph.microsoft.com%' THEN 'CloudStorage'
    WHEN LOWER("DestinationHostname") LIKE '%pastebin.com%'
      OR LOWER("DestinationHostname") LIKE '%paste.ee%'
      OR LOWER("DestinationHostname") LIKE '%ghostbin.com%'
      OR LOWER("DestinationHostname") LIKE '%hastebin.com%'
      OR LOWER("DestinationHostname") LIKE '%gist.github.com%' THEN 'PasteSite'
    WHEN LOWER("DestinationHostname") LIKE '%api.github.com%'
      OR LOWER("DestinationHostname") LIKE '%raw.githubusercontent.com%' THEN 'DevPlatform'
    WHEN LOWER("DestinationHostname") LIKE '%twitter.com%'
      OR LOWER("DestinationHostname") LIKE '%t.co%'
      OR LOWER("DestinationHostname") LIKE '%blogspot.com%'
      OR LOWER("DestinationHostname") LIKE '%discord.com%'
      OR LOWER("DestinationHostname") LIKE '%discordapp.com%' THEN 'SocialMedia'
    WHEN LOWER("DestinationHostname") LIKE '%api.telegram.org%'
      OR LOWER("DestinationHostname") LIKE '%slack.com%'
      OR LOWER("DestinationHostname") LIKE '%api.slack.com%' THEN 'Messaging'
    ELSE 'OtherWebService'
  END AS ServiceCategory
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (93, 119)
  AND "EventID" = '3'
  AND (
    LOWER("DestinationHostname") LIKE '%dropbox.com%' OR
    LOWER("DestinationHostname") LIKE '%onedrive.live.com%' OR
    LOWER("DestinationHostname") LIKE '%drive.google.com%' OR
    LOWER("DestinationHostname") LIKE '%sharepoint.com%' OR
    LOWER("DestinationHostname") LIKE '%box.com%' OR
    LOWER("DestinationHostname") LIKE '%pcloud.com%' OR
    LOWER("DestinationHostname") LIKE '%graph.microsoft.com%' OR
    LOWER("DestinationHostname") LIKE '%pastebin.com%' OR
    LOWER("DestinationHostname") LIKE '%paste.ee%' OR
    LOWER("DestinationHostname") LIKE '%ghostbin.com%' OR
    LOWER("DestinationHostname") LIKE '%hastebin.com%' OR
    LOWER("DestinationHostname") LIKE '%gist.github.com%' OR
    LOWER("DestinationHostname") LIKE '%api.github.com%' OR
    LOWER("DestinationHostname") LIKE '%raw.githubusercontent.com%' OR
    LOWER("DestinationHostname") LIKE '%twitter.com%' OR
    LOWER("DestinationHostname") LIKE '%t.co%' OR
    LOWER("DestinationHostname") LIKE '%discord.com%' OR
    LOWER("DestinationHostname") LIKE '%discordapp.com%' OR
    LOWER("DestinationHostname") LIKE '%api.telegram.org%' OR
    LOWER("DestinationHostname") LIKE '%slack.com%' OR
    LOWER("DestinationHostname") LIKE '%notion.so%' OR
    LOWER("DestinationHostname") LIKE '%trello.com%' OR
    LOWER("DestinationHostname") LIKE '%blogspot.com%' OR
    LOWER("DestinationHostname") LIKE '%wordpress.com%' OR
    LOWER("DestinationHostname") LIKE '%mediafire.com%' OR
    LOWER("DestinationHostname") LIKE '%yandex.com%'
  )
  AND (
    LOWER("ImageFileName") LIKE '%powershell.exe' OR
    LOWER("ImageFileName") LIKE '%pwsh.exe' OR
    LOWER("ImageFileName") LIKE '%cmd.exe' OR
    LOWER("ImageFileName") LIKE '%wscript.exe' OR
    LOWER("ImageFileName") LIKE '%cscript.exe' OR
    LOWER("ImageFileName") LIKE '%mshta.exe' OR
    LOWER("ImageFileName") LIKE '%rundll32.exe' OR
    LOWER("ImageFileName") LIKE '%regsvr32.exe' OR
    LOWER("ImageFileName") LIKE '%certutil.exe' OR
    LOWER("ImageFileName") LIKE '%python%.exe' OR
    LOWER("ImageFileName") LIKE '%curl.exe' OR
    LOWER("ImageFileName") LIKE '%wget.exe' OR
    LOWER("ImageFileName") LIKE '%bitsadmin.exe'
  )
  AND starttime > (NOW() - 86400)
ORDER BY starttime DESC

high severity high confidence

Data Sources

Microsoft Windows Sysmon via QRadar DSM (log source type 93) Microsoft Windows Security Event Log via QRadar DSM (log source type 119)

Required Tables

events

False Positives

IT administrators using PowerShell scripts to access SharePoint document libraries or OneDrive for Business as part of approved data governance or compliance workflows
DevOps engineers running curl.exe or Python scripts to interact with GitHub REST APIs for sanctioned release pipeline automation and artifact retrieval
Helpdesk or ITSM automation using cmd.exe or wscript.exe to post status updates to Slack or Trello via webhook integrations configured by IT operations
Endpoint security tooling using certutil.exe for certificate revocation list (CRL) checks that also communicate with Microsoft cloud services as part of normal PKI validation

Sumo Logic CSE

sql

(_sourceCategory="*sysmon*" OR _sourceCategory="*windows*events*") EventCode=3
| parse regex "(?i)<Image>(?<Image>[^<]+)</Image>"
| parse regex "(?i)<DestinationHostname>(?<DestHostname>[^<]+)</DestinationHostname>"
| parse regex "(?i)<User>(?<User>[^<]+)</User>"
| parse regex "(?i)<DestinationPort>(?<DestPort>[^<]+)</DestinationPort>"
| parse regex "(?i)<SourceIp>(?<SourceIP>[^<]+)</SourceIp>"
| parse regex "(?i)<CommandLine>(?<CommandLine>[^<]+)</CommandLine>" nodrop
| parse regex "(?i)<ParentImage>(?<ParentImage>[^<]+)</ParentImage>" nodrop
| where (DestHostname matches "*dropbox.com*"
  OR DestHostname matches "*onedrive.live.com*"
  OR DestHostname matches "*drive.google.com*"
  OR DestHostname matches "*sharepoint.com*"
  OR DestHostname matches "*box.com*"
  OR DestHostname matches "*pcloud.com*"
  OR DestHostname matches "*graph.microsoft.com*"
  OR DestHostname matches "*pastebin.com*"
  OR DestHostname matches "*paste.ee*"
  OR DestHostname matches "*ghostbin.com*"
  OR DestHostname matches "*hastebin.com*"
  OR DestHostname matches "*gist.github.com*"
  OR DestHostname matches "*api.github.com*"
  OR DestHostname matches "*raw.githubusercontent.com*"
  OR DestHostname matches "*twitter.com*"
  OR DestHostname matches "*t.co*"
  OR DestHostname matches "*discord.com*"
  OR DestHostname matches "*discordapp.com*"
  OR DestHostname matches "*api.telegram.org*"
  OR DestHostname matches "*slack.com*"
  OR DestHostname matches "*notion.so*"
  OR DestHostname matches "*trello.com*"
  OR DestHostname matches "*blogspot.com*"
  OR DestHostname matches "*wordpress.com*"
  OR DestHostname matches "*mediafire.com*"
  OR DestHostname matches "*yandex.com*")
| where (Image matches "*powershell.exe*"
  OR Image matches "*pwsh.exe*"
  OR Image matches "*cmd.exe*"
  OR Image matches "*wscript.exe*"
  OR Image matches "*cscript.exe*"
  OR Image matches "*mshta.exe*"
  OR Image matches "*rundll32.exe*"
  OR Image matches "*regsvr32.exe*"
  OR Image matches "*certutil.exe*"
  OR Image matches "*python*.exe*"
  OR Image matches "*curl.exe*"
  OR Image matches "*wget.exe*"
  OR Image matches "*bitsadmin.exe*")
| eval IsCloudStorage = if(DestHostname matches "*dropbox.com*" OR DestHostname matches "*onedrive.live.com*" OR DestHostname matches "*drive.google.com*" OR DestHostname matches "*sharepoint.com*" OR DestHostname matches "*box.com*" OR DestHostname matches "*pcloud.com*" OR DestHostname matches "*graph.microsoft.com*", 1, 0)
| eval IsPasteSite = if(DestHostname matches "*pastebin.com*" OR DestHostname matches "*paste.ee*" OR DestHostname matches "*ghostbin.com*" OR DestHostname matches "*hastebin.com*" OR DestHostname matches "*gist.github.com*", 1, 0)
| eval IsSocialMedia = if(DestHostname matches "*twitter.com*" OR DestHostname matches "*t.co*" OR DestHostname matches "*blogspot.com*" OR DestHostname matches "*discord.com*" OR DestHostname matches "*discordapp.com*", 1, 0)
| eval IsDevPlatform = if(DestHostname matches "*api.github.com*" OR DestHostname matches "*raw.githubusercontent.com*" OR DestHostname matches "*gist.github.com*", 1, 0)
| eval IsMessaging = if(DestHostname matches "*api.telegram.org*" OR DestHostname matches "*slack.com*", 1, 0)
| eval ServiceType = if(IsCloudStorage=1, "CloudStorage", if(IsPasteSite=1, "PasteSite", if(IsSocialMedia=1, "SocialMedia", if(IsDevPlatform=1, "DevPlatform", if(IsMessaging=1, "Messaging", "Other")))))
| eval HasSuspiciousCmdLine = if(CommandLine matches "*-enc*" OR CommandLine matches "*-EncodedCommand*" OR CommandLine matches "*DownloadString*" OR CommandLine matches "*Invoke-Expression*" OR CommandLine matches "*IEX*" OR CommandLine matches "*Net.WebClient*" OR CommandLine matches "*FromBase64*" OR CommandLine matches "*base64*", "true", "false")
| stats count as ConnectionCount, values(DestHostname) as Destinations, values(DestPort) as Ports, values(ServiceType) as ServiceTypes, min(_messageTime) as FirstSeen, max(_messageTime) as LastSeen by _sourceHost, User, Image, ServiceType, HasSuspiciousCmdLine
| sort by ConnectionCount desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector with Windows Event Log source (Sysmon Operational channel) Sumo Logic Windows agent collecting Microsoft-Windows-Sysmon/Operational

Required Tables

_sourceCategory containing Sysmon operational XML event logs

False Positives

System administrators running sanctioned PowerShell scripts that access SharePoint or OneDrive for Business as part of enterprise data migration or backup workflows
DevOps automation pipelines that use cmd.exe or curl.exe to pull build artifacts from GitHub Releases or post deployment notifications to Slack
Enterprise collaboration and ITSM tools configured by IT operations that use wscript.exe or cscript.exe to interact with Trello, Notion, or other SaaS platforms
Scheduled Python-based monitoring scripts that push health metrics or alerts to Telegram or Discord webhooks as part of approved operational tooling

Google Chronicle / SecOps

yaral

rule t1102_002_webservice_c2_bidirectional {
  meta:
    author = "Detection Engineering"
    description = "Detects suspicious processes initiating network connections to known web service C2 platforms consistent with T1102.002 Bidirectional Communication via Web Services"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1102.002"
    severity = "HIGH"
    confidence = "HIGH"
    priority = "HIGH"

  events:
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    $e1.principal.process.file.full_path = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|python[0-9]*\.exe|pythonw\.exe|curl\.exe|wget\.exe|bitsadmin\.exe)$/
    $e1.principal.hostname = $host
    $e1.principal.process.pid = $pid

    $e2.metadata.event_type = "NETWORK_CONNECTION"
    $e2.principal.hostname = $host
    $e2.principal.process.pid = $pid
    (
      $e2.target.hostname = /(?i)(dropbox\.com|onedrive\.live\.com|drive\.google\.com|sharepoint\.com|box\.com|pcloud\.com|graph\.microsoft\.com|pastebin\.com|paste\.ee|ghostbin\.com|hastebin\.com|gist\.github\.com|api\.github\.com|raw\.githubusercontent\.com|api\.twitter\.com|twitter\.com|t\.co|blogspot\.com|discord\.com|discordapp\.com|api\.telegram\.org|slack\.com|api\.slack\.com|notion\.so|trello\.com|wordpress\.com|mediafire\.com|yandex\.com|sites\.google\.com|technet\.microsoft\.com)/ or
      $e2.network.http.request_url = /(?i)(dropbox\.com|onedrive\.live\.com|drive\.google\.com|sharepoint\.com|box\.com|pcloud\.com|pastebin\.com|paste\.ee|ghostbin\.com|hastebin\.com|gist\.github\.com|api\.github\.com|raw\.githubusercontent\.com|twitter\.com|t\.co|discord\.com|discordapp\.com|api\.telegram\.org|slack\.com|notion\.so|trello\.com|wordpress\.com|mediafire\.com)/
    )

  match:
    $host, $pid over 5m

  condition:
    $e1 and $e2
}

high severity high confidence

Data Sources

Chronicle UDM via Google Security Operations (endpoint telemetry with process and network event types) Chronicle UDM ingestion from EDR agents (CrowdStrike, SentinelOne, Carbon Black) forwarding PROCESS_LAUNCH and NETWORK_CONNECTION events Chronicle UDM via Sysmon data forwarded through Chronicle forwarder

Required Tables

UDM events with event_type PROCESS_LAUNCH UDM events with event_type NETWORK_CONNECTION

False Positives

IT operations teams running PowerShell scripts to provision or manage SharePoint Online sites and OneDrive libraries within authorized change management windows
Software developers using curl.exe or Python for legitimate GitHub API calls in automated build, test, or deployment scripts on developer workstations
RMM or endpoint management agents that spawn cmd.exe or wscript.exe subprocesses to push status information to SaaS-based ticketing platforms like Trello or Notion
Security tooling using certutil.exe for certificate chain validation and OCSP/CRL checks that also connect to graph.microsoft.com or Microsoft cloud endpoints

CrowdStrike LogScale (CQL)

cql

#event_simpleName=DnsRequest
| DomainName = /(?i)(dropbox\.com|onedrive\.live\.com|drive\.google\.com|sharepoint\.com|box\.com|pcloud\.com|graph\.microsoft\.com|pastebin\.com|paste\.ee|ghostbin\.com|hastebin\.com|gist\.github\.com|api\.github\.com|raw\.githubusercontent\.com|api\.twitter\.com|twitter\.com|t\.co|blogspot\.com|discord\.com|discordapp\.com|api\.telegram\.org|slack\.com|api\.slack\.com|notion\.so|trello\.com|wordpress\.com|mediafire\.com|yandex\.com|sites\.google\.com|technet\.microsoft\.com)/
| rename(field=ContextProcessId_decimal, as=CorrelationPID)
| join(
    { #event_simpleName=ProcessRollup2
      | ImageFileName = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|python[0-9]*\.exe|pythonw\.exe|curl\.exe|wget\.exe|bitsadmin\.exe)$/
      | rename(field=TargetProcessId_decimal, as=CorrelationPID)
    },
    field=[CorrelationPID, aid],
    include=[ImageFileName, CommandLine, ParentBaseFileName, UserName]
  )
| ServiceCategory := case {
    DomainName = /(?i)(dropbox\.com|onedrive\.live\.com|drive\.google\.com|sharepoint\.com|box\.com|pcloud\.com|graph\.microsoft\.com)/ => "CloudStorage";
    DomainName = /(?i)(pastebin\.com|paste\.ee|ghostbin\.com|hastebin\.com|gist\.github\.com)/ => "PasteSite";
    DomainName = /(?i)(api\.github\.com|raw\.githubusercontent\.com)/ => "DevPlatform";
    DomainName = /(?i)(twitter\.com|api\.twitter\.com|t\.co|blogspot\.com|discord\.com|discordapp\.com)/ => "SocialMedia";
    DomainName = /(?i)(api\.telegram\.org|slack\.com|api\.slack\.com)/ => "Messaging";
    * => "OtherWebService"
  }
| HasEncodedPayload := if(CommandLine = /(?i)(-enc|-EncodedCommand|DownloadString|Invoke-Expression|IEX|Net\.WebClient|Invoke-WebRequest|Start-BitsTransfer|FromBase64String|base64)/, "true", "false")
| groupBy(
    [ComputerName, UserName, ImageFileName, DomainName, ServiceCategory, HasEncodedPayload],
    function=[
      count(as=ConnectionCount),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen),
      collect(CommandLine, limit=5)
    ]
  )
| sort(ConnectionCount, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon sensor DnsRequest events (EventSimpleName=DnsRequest) CrowdStrike Falcon sensor process execution events (EventSimpleName=ProcessRollup2)

Required Tables

DnsRequest ProcessRollup2

False Positives

IT operations staff running authorized PowerShell scripts for SharePoint Online or OneDrive provisioning tasks on managed endpoints within approved change windows
Software developers on developer workstations using curl.exe or Python to access GitHub APIs for version control, package management, or CI/CD pipeline operations
Monitoring and observability agents that spawn cmd.exe processes to deliver alerts or metrics to Slack, Discord, or Telegram webhook endpoints as part of sanctioned operational tooling
Windows Update and patch management processes that invoke bitsadmin.exe for background downloads and also connect to Microsoft graph.microsoft.com or technet.microsoft.com endpoints

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1102.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Bidirectional Communication

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Command and Control

Popular Detections