Detect Bidirectional Communication in Elastic Security
Adversaries may use an existing, legitimate external web service as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and cloud storage platforms (Google Drive, OneDrive, Dropbox, GitHub, Pastebin, Twitter, Google Calendar) to host C2 instructions and receive command output. This technique is particularly evasive because traffic blends with legitimate business use of these services, which are commonly accessed prior to compromise and protected with SSL/TLS encryption.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1102 Web Service
- Sub-technique
- T1102.002 Bidirectional Communication
- Canonical reference
- https://attack.mitre.org/techniques/T1102/002/
Elastic Detection Query
sequence by host.name, process.pid with maxspan=5m
[process where event.category == "process" and event.type == "start" and
process.name in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
"mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
"python.exe", "python3.exe", "pythonw.exe",
"curl.exe", "wget.exe", "bitsadmin.exe")]
[network where event.category == "network" and event.type in ("start", "connection") and
destination.domain : (
"*.dropbox.com", "*.onedrive.live.com", "*.drive.google.com",
"*.sharepoint.com", "*.box.com", "*.pcloud.com", "*.graph.microsoft.com",
"*.pastebin.com", "*.paste.ee", "*.ghostbin.com", "*.hastebin.com",
"*.gist.github.com", "*.api.github.com", "*.raw.githubusercontent.com",
"*.twitter.com", "*.t.co", "*.blogspot.com",
"*.discord.com", "*.discordapp.com", "*.api.telegram.org",
"*.slack.com", "*.api.slack.com", "*.notion.so", "*.trello.com",
"*.wordpress.com", "*.mediafire.com", "*.yandex.com",
"*.sites.google.com", "*.technet.microsoft.com"
)
]Detects suspicious interpreter and download utility processes initiating outbound connections to known web service C2 platforms including cloud storage, paste sites, social media, developer platforms, and messaging services. Sequences process start events with subsequent network connection events within 5 minutes on the same host and process ID to confirm the suspicious binary is the network originator.
Data Sources
Required Tables
False Positives & Tuning
- IT administrators running sanctioned PowerShell scripts that sync files to SharePoint or OneDrive as part of business continuity or data migration projects
- Developers using curl.exe or python.exe in CI/CD automation pipelines that legitimately call GitHub APIs for build artifact management or package fetching
- Security endpoint agents and monitoring tools that use certutil.exe for certificate management and simultaneously communicate with Microsoft graph.microsoft.com
- Enterprise collaboration integrations where scheduled tasks or RMM agents use cmd.exe or wscript.exe to push status updates to Slack or Trello webhook endpoints
Other platforms for T1102.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Dropbox API C2 Simulation via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-WindowStyle Hidden', 'api.dropboxapi.com', 'Invoke-RestMethod', 'Authorization'. Sysmon Event ID 3: Network Connection to api.dropboxapi.com (162.125.x.x) on port 443. Sysmon Event ID 22: DNS Query for api.dropboxapi.com and content.dropboxapi.com.
- Test 2Pastebin Read/Write C2 Simulation
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'pastebin.com', 'Net.WebClient', 'DownloadString', 'UploadString', '-ExecutionPolicy Bypass'. Sysmon Event ID 3: Two Network Connections to pastebin.com on port 443. Sysmon Event ID 22: DNS Query for pastebin.com.
- Test 3OneDrive Network Drive C2 Simulation (PowerStallion Technique)
Expected signal: Security Event ID 4688 or Sysmon Event ID 1: Process Create for cmd.exe with 'net use' and 'd.docs.live.net'. Child process powershell.exe with 'Get-Content', 'Out-File'. Sysmon Event ID 3: Network Connection to d.docs.live.net (OneDrive WebDAV endpoint) on port 443. Sysmon Event ID 22: DNS Query for d.docs.live.net.
- Test 4Google Drive C2 Read via Python (RIFLESPINE Technique)
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'googleapis.com', 'drive/v3/files', 'urllib'. Sysmon Event ID 3: Network Connections to www.googleapis.com on port 443. Sysmon Event ID 22: DNS Query for www.googleapis.com.
References (12)
- https://attack.mitre.org/techniques/T1102/002/
- https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
- https://research.checkpoint.com/2021/indigozebra-apt-continues-to-target-central-asia-with-evolving-tools/
- https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/
- https://www.trendmicro.com/en_us/research/20/b/the-operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia.html
- https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets
- https://www.mandiant.com/sites/default/files/2022-02/rt-apt1-report.pdf
- https://blog.f-secure.com/wp-content/uploads/2019/10/CozyDuke.pdf
- https://www.microsoft.com/en-us/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/
- https://cloud.google.com/blog/topics/threat-intelligence/unc3886-espionage-targets
- https://www.welivesecurity.com/en/eset-research/oilrig-uses-backdoors-downloader-cyberespionage-campaigns-against-israel/
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
Unlock Pro Content
Get the full detection package for T1102.002 including response playbook, investigation guide, and atomic red team tests.