T1102.002 Google Chronicle · YARA-L

Detect Bidirectional Communication in Google Chronicle

Adversaries may use an existing, legitimate external web service as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and cloud storage platforms (Google Drive, OneDrive, Dropbox, GitHub, Pastebin, Twitter, Google Calendar) to host C2 instructions and receive command output. This technique is particularly evasive because traffic blends with legitimate business use of these services, which are commonly accessed prior to compromise and protected with SSL/TLS encryption.

MITRE ATT&CK

Tactic: Command and Control
Technique: T1102 Web Service
Sub-technique: T1102.002 Bidirectional Communication
Canonical reference: https://attack.mitre.org/techniques/T1102/002/

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule t1102_002_webservice_c2_bidirectional {
  meta:
    author = "Detection Engineering"
    description = "Detects suspicious processes initiating network connections to known web service C2 platforms consistent with T1102.002 Bidirectional Communication via Web Services"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1102.002"
    severity = "HIGH"
    confidence = "HIGH"
    priority = "HIGH"

  events:
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    $e1.principal.process.file.full_path = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|python[0-9]*\.exe|pythonw\.exe|curl\.exe|wget\.exe|bitsadmin\.exe)$/
    $e1.principal.hostname = $host
    $e1.principal.process.pid = $pid

    $e2.metadata.event_type = "NETWORK_CONNECTION"
    $e2.principal.hostname = $host
    $e2.principal.process.pid = $pid
    (
      $e2.target.hostname = /(?i)(dropbox\.com|onedrive\.live\.com|drive\.google\.com|sharepoint\.com|box\.com|pcloud\.com|graph\.microsoft\.com|pastebin\.com|paste\.ee|ghostbin\.com|hastebin\.com|gist\.github\.com|api\.github\.com|raw\.githubusercontent\.com|api\.twitter\.com|twitter\.com|t\.co|blogspot\.com|discord\.com|discordapp\.com|api\.telegram\.org|slack\.com|api\.slack\.com|notion\.so|trello\.com|wordpress\.com|mediafire\.com|yandex\.com|sites\.google\.com|technet\.microsoft\.com)/ or
      $e2.network.http.request_url = /(?i)(dropbox\.com|onedrive\.live\.com|drive\.google\.com|sharepoint\.com|box\.com|pcloud\.com|pastebin\.com|paste\.ee|ghostbin\.com|hastebin\.com|gist\.github\.com|api\.github\.com|raw\.githubusercontent\.com|twitter\.com|t\.co|discord\.com|discordapp\.com|api\.telegram\.org|slack\.com|notion\.so|trello\.com|wordpress\.com|mediafire\.com)/
    )

  match:
    $host, $pid over 5m

  condition:
    $e1 and $e2
}
```

Severity: HIGH. Confidence: HIGH.

Chronicle YARA-L 2.0 rule that correlates PROCESS_LAUNCH events for known suspicious executables with subsequent NETWORK_CONNECTION events to known web service C2 infrastructure within a 5-minute window, grouped by host and process PID. Covers cloud storage providers, paste sites, social media platforms, developer hosting services, and messaging APIs commonly abused for bidirectional C2 traffic that blends with legitimate business use.

Data Sources

  • Chronicle UDM via Google Security Operations (endpoint telemetry with process and network event types)
  • Chronicle UDM ingestion from EDR agents (CrowdStrike, SentinelOne, Carbon Black) forwarding PROCESS_LAUNCH and NETWORK_CONNECTION events
  • Chronicle UDM via Sysmon data forwarded through the Chronicle forwarder

Required Tables

  • UDM events with event_type PROCESS_LAUNCH
  • UDM events with event_type NETWORK_CONNECTION

False Positives & Tuning

  • IT operations teams running PowerShell scripts to provision or manage SharePoint Online sites and OneDrive libraries within authorized change management windows
  • Software developers using curl.exe or Python for legitimate GitHub API calls in automated build, test, or deployment scripts on developer workstations
  • RMM or endpoint management agents that spawn cmd.exe or wscript.exe subprocesses to push status information to SaaS-based ticketing platforms like Trello or Notion
  • Security tooling using certutil.exe for certificate chain validation and OCSP/CRL checks that also connect to graph.microsoft.com or Microsoft cloud endpoints
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Dropbox API C2 Simulation via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-WindowStyle Hidden', 'api.dropboxapi.com', 'Invoke-RestMethod', 'Authorization'. Sysmon Event ID 3: Network Connection to api.dropboxapi.com (162.125.x.x) on port 443. Sysmon Event ID 22: DNS Query for api.dropboxapi.com and content.dropboxapi.com.

  2. Test 2: Pastebin Read/Write C2 Simulation

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'pastebin.com', 'Net.WebClient', 'DownloadString', 'UploadString', '-ExecutionPolicy Bypass'. Sysmon Event ID 3: Two Network Connections to pastebin.com on port 443. Sysmon Event ID 22: DNS Query for pastebin.com.

  3. Test 3: OneDrive Network Drive C2 Simulation (PowerStallion Technique)

    Expected signal: Security Event ID 4688 or Sysmon Event ID 1: Process Create for cmd.exe with 'net use' and 'd.docs.live.net'. Child process powershell.exe with 'Get-Content', 'Out-File'. Sysmon Event ID 3: Network Connection to d.docs.live.net (OneDrive WebDAV endpoint) on port 443. Sysmon Event ID 22: DNS Query for d.docs.live.net.

  4. Test 4: Google Drive C2 Read via Python (RIFLESPINE Technique)

    Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'googleapis.com', 'drive/v3/files', 'urllib'. Sysmon Event ID 3: Network Connections to www.googleapis.com on port 443. Sysmon Event ID 22: DNS Query for www.googleapis.com.
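The following Python script is an added example, not code from the page, from Chronicle, or from Atomic Red Team. It re-implements the rule's correlation logic (the process and destination regexes copied from the rule, the join on host and PID, the 5-minute window) over constructed UDM-style events, so the rule description, the tuning list above and the four test cases can all be checked offline before the rule is deployed. The hostnames, PIDs, timestamps and the `ALLOWLIST` of (host, process) pairs are constructed assumptions; the function names `correlate` and `covered_by_pattern` are hypothetical and exist only in this script.

```python
"""Offline simulation of the t1102_002 YARA-L correlation over constructed UDM-style events.

Constructed example: not Chronicle code and not the page's own rule. It re-implements the
rule's join (host + pid, 5-minute window) in Python so the patterns can be exercised locally.
"""
import re
from datetime import datetime, timedelta

# Regexes copied verbatim from the rule's events section (unanchored search, like YARA-L).
PROCESS_RE = re.compile(
    r"(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe"
    r"|regsvr32\.exe|certutil\.exe|python[0-9]*\.exe|pythonw\.exe|curl\.exe|wget\.exe|bitsadmin\.exe)$"
)
HOST_RE = re.compile(
    r"(?i)(dropbox\.com|onedrive\.live\.com|drive\.google\.com|sharepoint\.com|box\.com|pcloud\.com"
    r"|graph\.microsoft\.com|pastebin\.com|paste\.ee|ghostbin\.com|hastebin\.com|gist\.github\.com"
    r"|api\.github\.com|raw\.githubusercontent\.com|api\.twitter\.com|twitter\.com|t\.co|blogspot\.com"
    r"|discord\.com|discordapp\.com|api\.telegram\.org|slack\.com|api\.slack\.com|notion\.so|trello\.com"
    r"|wordpress\.com|mediafire\.com|yandex\.com|sites\.google\.com|technet\.microsoft\.com)"
)
URL_RE = re.compile(
    r"(?i)(dropbox\.com|onedrive\.live\.com|drive\.google\.com|sharepoint\.com|box\.com|pcloud\.com"
    r"|pastebin\.com|paste\.ee|ghostbin\.com|hastebin\.com|gist\.github\.com|api\.github\.com"
    r"|raw\.githubusercontent\.com|twitter\.com|t\.co|discord\.com|discordapp\.com|api\.telegram\.org"
    r"|slack\.com|notion\.so|trello\.com|wordpress\.com|mediafire\.com)"
)
WINDOW = timedelta(minutes=5)  # the rule's "over 5m"

# Hypothetical tuning allowlist: (hostname, process basename) pairs documented as legitimate,
# e.g. a CI build host whose curl.exe talks to the GitHub API (see the false-positive list).
ALLOWLIST = frozenset({("build-01", "curl.exe")})


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry in a flattened UDM shape (pid kept as a string, as in UDM).
SAMPLE_EVENTS = [
    # Hidden PowerShell talking to a paste site within the window: should alert.
    {"event_type": "PROCESS_LAUNCH", "ts": _t("2024-05-01T09:00:00"), "hostname": "ws-17",
     "pid": "4412", "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event_type": "NETWORK_CONNECTION", "ts": _t("2024-05-01T09:00:40"), "hostname": "ws-17",
     "pid": "4412", "target_hostname": "pastebin.com", "request_url": "https://pastebin.com/raw/EXAMPLE"},
    # Developer build host: matches both patterns but is exempted by the allowlist.
    {"event_type": "PROCESS_LAUNCH", "ts": _t("2024-05-01T09:10:00"), "hostname": "build-01",
     "pid": "812", "process_path": r"C:\Tools\curl.exe"},
    {"event_type": "NETWORK_CONNECTION", "ts": _t("2024-05-01T09:10:03"), "hostname": "build-01",
     "pid": "812", "target_hostname": "api.github.com"},
    # Same host and pid, but the connection lands 6 minutes after the launch: outside the window.
    {"event_type": "PROCESS_LAUNCH", "ts": _t("2024-05-01T10:00:00"), "hostname": "ws-03",
     "pid": "77", "process_path": r"C:\Windows\System32\cmd.exe"},
    {"event_type": "NETWORK_CONNECTION", "ts": _t("2024-05-01T10:06:00"), "hostname": "ws-03",
     "pid": "77", "target_hostname": "drive.google.com"},
    # python.exe reaching the Drive API host from Test 4: the process matches, the hostname does not.
    {"event_type": "PROCESS_LAUNCH", "ts": _t("2024-05-01T11:00:00"), "hostname": "ws-22",
     "pid": "5120", "process_path": r"C:\Python311\python.exe"},
    {"event_type": "NETWORK_CONNECTION", "ts": _t("2024-05-01T11:00:05"), "hostname": "ws-22",
     "pid": "5120", "target_hostname": "www.googleapis.com"},
]


def covered_by_pattern(hostname):
    """True if either of the rule's destination regexes would match this hostname."""
    return bool(HOST_RE.search(hostname) or URL_RE.search(hostname))


def correlate(events, allowlist=frozenset()):
    """Return one alert per (host, pid) whose matching launch and connection fall within WINDOW."""
    launches = [e for e in events if e["event_type"] == "PROCESS_LAUNCH"
                and PROCESS_RE.search(e["process_path"])]
    conns = [e for e in events if e["event_type"] == "NETWORK_CONNECTION"
             and (HOST_RE.search(e.get("target_hostname", ""))
                  or URL_RE.search(e.get("request_url", "")))]
    alerts = {}
    for launch in launches:
        key = (launch["hostname"], launch["pid"])
        basename = launch["process_path"].rsplit("\\", 1)[-1].lower()
        if (launch["hostname"], basename) in allowlist:
            continue
        for conn in conns:
            if (conn["hostname"], conn["pid"]) != key:
                continue
            # A YARA-L match window groups events by time proximity, not order, so compare |delta|.
            if abs(conn["ts"] - launch["ts"]) > WINDOW:
                continue
            alerts.setdefault(key, {
                "hostname": launch["hostname"], "pid": launch["pid"], "process": basename,
                "destination": conn.get("target_hostname") or conn.get("request_url"),
            })
    return list(alerts.values())


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, ALLOWLIST):
        print(alert)
    for h in ("api.dropboxapi.com", "pastebin.com", "d.docs.live.net", "www.googleapis.com"):
        print(h, "covered" if covered_by_pattern(h) else "NOT covered")
```

Running the script shows one alert (the PowerShell to pastebin.com pair) once the allowlist is applied, and the pattern check shows that of the four test endpoints listed above only pastebin.com (Test 2) is matched by the rule's destination regexes: api.dropboxapi.com, d.docs.live.net and www.googleapis.com are not, so Tests 1, 3 and 4 would produce the expected Sysmon telemetry without firing this rule unless the hostname patterns are extended to those endpoints.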
