Detect Bidirectional Communication in IBM QRadar
Adversaries may use an existing, legitimate external web service as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and cloud storage platforms (Google Drive, OneDrive, Dropbox, GitHub, Pastebin, Twitter, Google Calendar) to host C2 instructions and receive command output. This technique is particularly evasive because traffic blends with legitimate business use of these services, which are commonly accessed prior to compromise and protected with SSL/TLS encryption.
MITRE ATT&CK
- Tactic: Command and Control
- Technique: T1102 Web Service
- Sub-technique: T1102.002 Bidirectional Communication
- Canonical reference: https://attack.mitre.org/techniques/T1102/002/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
sourceip AS SourceIP,
username AS Username,
"ImageFileName" AS ProcessImage,
"CommandLine" AS CommandLine,
"DestinationHostname" AS DestHostname,
destinationip AS DestIP,
destinationport AS DestPort,
LOGSOURCETYPENAME(devicetype) AS LogSourceType,
QIDNAME(qid) AS EventName,
CASE
WHEN LOWER("DestinationHostname") LIKE '%dropbox.com'
OR LOWER("DestinationHostname") LIKE '%dropboxapi.com'
OR LOWER("DestinationHostname") LIKE '%onedrive.live.com'
OR LOWER("DestinationHostname") LIKE '%docs.live.net'
OR LOWER("DestinationHostname") LIKE '%drive.google.com'
OR LOWER("DestinationHostname") = 'www.googleapis.com'
OR LOWER("DestinationHostname") LIKE '%sharepoint.com'
OR LOWER("DestinationHostname") LIKE '%.box.com'
OR LOWER("DestinationHostname") = 'box.com'
OR LOWER("DestinationHostname") LIKE '%pcloud.com'
OR LOWER("DestinationHostname") = 'graph.microsoft.com' THEN 'CloudStorage'
WHEN LOWER("DestinationHostname") LIKE '%pastebin.com'
OR LOWER("DestinationHostname") LIKE '%paste.ee'
OR LOWER("DestinationHostname") LIKE '%ghostbin.com'
OR LOWER("DestinationHostname") LIKE '%hastebin.com'
OR LOWER("DestinationHostname") = 'gist.github.com' THEN 'PasteSite'
WHEN LOWER("DestinationHostname") = 'api.github.com'
OR LOWER("DestinationHostname") = 'raw.githubusercontent.com' THEN 'DevPlatform'
WHEN LOWER("DestinationHostname") LIKE '%twitter.com'
OR LOWER("DestinationHostname") LIKE '%.t.co'
OR LOWER("DestinationHostname") = 't.co'
OR LOWER("DestinationHostname") LIKE '%blogspot.com'
OR LOWER("DestinationHostname") LIKE '%discord.com'
OR LOWER("DestinationHostname") LIKE '%discordapp.com' THEN 'SocialMedia'
WHEN LOWER("DestinationHostname") = 'api.telegram.org'
OR LOWER("DestinationHostname") LIKE '%slack.com' THEN 'Messaging'
ELSE 'OtherWebService'
END AS ServiceCategory
FROM events
WHERE
devicetype IN (93, 119)
AND "EventID" = '3'
AND (
LOWER("DestinationHostname") LIKE '%dropbox.com' OR
LOWER("DestinationHostname") LIKE '%dropboxapi.com' OR
LOWER("DestinationHostname") LIKE '%onedrive.live.com' OR
LOWER("DestinationHostname") LIKE '%docs.live.net' OR
LOWER("DestinationHostname") LIKE '%drive.google.com' OR
LOWER("DestinationHostname") = 'www.googleapis.com' OR
LOWER("DestinationHostname") LIKE '%sharepoint.com' OR
LOWER("DestinationHostname") LIKE '%.box.com' OR
LOWER("DestinationHostname") = 'box.com' OR
LOWER("DestinationHostname") LIKE '%pcloud.com' OR
LOWER("DestinationHostname") = 'graph.microsoft.com' OR
LOWER("DestinationHostname") LIKE '%pastebin.com' OR
LOWER("DestinationHostname") LIKE '%paste.ee' OR
LOWER("DestinationHostname") LIKE '%ghostbin.com' OR
LOWER("DestinationHostname") LIKE '%hastebin.com' OR
LOWER("DestinationHostname") = 'gist.github.com' OR
LOWER("DestinationHostname") = 'api.github.com' OR
LOWER("DestinationHostname") = 'raw.githubusercontent.com' OR
LOWER("DestinationHostname") LIKE '%twitter.com' OR
LOWER("DestinationHostname") LIKE '%.t.co' OR
LOWER("DestinationHostname") = 't.co' OR
LOWER("DestinationHostname") LIKE '%discord.com' OR
LOWER("DestinationHostname") LIKE '%discordapp.com' OR
LOWER("DestinationHostname") = 'api.telegram.org' OR
LOWER("DestinationHostname") LIKE '%slack.com' OR
LOWER("DestinationHostname") LIKE '%notion.so' OR
LOWER("DestinationHostname") LIKE '%trello.com' OR
LOWER("DestinationHostname") LIKE '%blogspot.com' OR
LOWER("DestinationHostname") LIKE '%wordpress.com' OR
LOWER("DestinationHostname") LIKE '%mediafire.com' OR
LOWER("DestinationHostname") LIKE '%yandex.com'
)
AND (
LOWER("ImageFileName") LIKE '%powershell.exe' OR
LOWER("ImageFileName") LIKE '%pwsh.exe' OR
LOWER("ImageFileName") LIKE '%cmd.exe' OR
LOWER("ImageFileName") LIKE '%wscript.exe' OR
LOWER("ImageFileName") LIKE '%cscript.exe' OR
LOWER("ImageFileName") LIKE '%mshta.exe' OR
LOWER("ImageFileName") LIKE '%rundll32.exe' OR
LOWER("ImageFileName") LIKE '%regsvr32.exe' OR
LOWER("ImageFileName") LIKE '%certutil.exe' OR
LOWER("ImageFileName") LIKE '%python%.exe' OR
LOWER("ImageFileName") LIKE '%curl.exe' OR
LOWER("ImageFileName") LIKE '%wget.exe' OR
LOWER("ImageFileName") LIKE '%bitsadmin.exe'
)
ORDER BY starttime DESC
LAST 24 HOURS
Detects Sysmon Event ID 3 (Network Connection Detected) events, ingested through the QRadar Windows DSM, in which scripting engines, interpreters or download utilities connect to hosts of web services known to be used for bidirectional C2, and labels the service category with a CASE expression for analyst triage. Notes on the query as given here:
Hostname patterns are anchored at the end of the value (LIKE '%dropbox.com', or LIKE '%.t.co' OR = 't.co' for the short domains). Contains-style patterns of the form '%t.co%' and '%box.com%' match any hostname that merely contains those strings, which includes microsoft.com, xbox.com and mailbox.com.
dropboxapi.com, docs.live.net and www.googleapis.com are in the list because the test cases below connect to those hosts rather than to dropbox.com, onedrive.live.com or drive.google.com. www.googleapis.com is shared by every Google API, so expect to tune it.
The log source type filter uses the events column devicetype, which is also the value LOGSOURCETYPENAME expects. Log source type IDs differ between deployments, and Sysmon may arrive under the Windows Security Event Log type depending on how it is forwarded, so confirm the IDs for 93 (Sysmon) and 119 (Windows Security) before relying on them, for example with SELECT devicetype, LOGSOURCETYPENAME(devicetype) FROM events GROUP BY devicetype LAST 1 HOURS.
The 24-hour window uses the AQL LAST clause. NOW() and starttime are expressed in milliseconds, so a filter of starttime > NOW() - 86400 covers about 86 seconds, not a day.
Sysmon fills DestinationHostname from its own name resolution, not from the TLS SNI or HTTP Host header, so for CDN-fronted services the field is often empty or a CDN name and this rule will miss the connection. Pair it with Sysmon Event ID 22 (DNS query) against the same domain list, which the test cases below also expect to see.
Data Sources
Sysmon Event ID 3 (Network Connection Detected) from Windows endpoints, forwarded to QRadar through the Windows event DSM, with EventID, ImageFileName, CommandLine and DestinationHostname extracted as custom event properties (the quoted identifiers in the query). Sysmon Event ID 22 (DNS query) is recommended alongside it, because Event ID 3 carries a hostname only when Sysmon could resolve one.
Required Tables
events (the Ariel events table; the query does not use flows)
False Positives & Tuning
- IT administrators using PowerShell scripts to access SharePoint document libraries or OneDrive for Business as part of approved data governance or compliance workflows
- DevOps engineers running curl.exe or Python scripts to interact with GitHub REST APIs for sanctioned release pipeline automation and artifact retrieval
- Helpdesk or ITSM automation using cmd.exe or wscript.exe to post status updates to Slack or Trello via webhook integrations configured by IT operations
- Endpoint security tooling using certutil.exe for certificate revocation list (CRL) checks that also communicate with Microsoft cloud services as part of normal PKI validation
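The matching logic of the rule above, re-implemented in Python as an added example (not code from this page, from QRadar or from Atomic Red Team) so the pattern semantics can be checked offline against constructed Sysmon Event ID 3 records. It contrasts the contains-style LIKE '%domain%' patterns with anchored matching, covers the hosts the test cases below expect (dropboxapi.com, docs.live.net, www.googleapis.com), and applies a (user, image, domain) allowlist of the kind the tuning notes call for. The field names follow Sysmon's own (Image, DestinationHostname, User); the sample records and the allowlist entry are constructed for the example.

```python
"""Offline check of the rule's host and process matching.

Added example: not code from the page, from QRadar or from Atomic Red Team.
Field names follow Sysmon (Image, DestinationHostname, User). Sample records
and allowlist entries below are constructed, not real telemetry.
"""

# Domains from the rule, grouped as the AQL CASE expression groups them.
# dropboxapi.com, docs.live.net and www.googleapis.com are the hosts the
# test cases on this page connect to.
DOMAINS_BY_CATEGORY = {
    "CloudStorage": ["dropbox.com", "dropboxapi.com", "onedrive.live.com",
                     "docs.live.net", "drive.google.com", "www.googleapis.com",
                     "sharepoint.com", "box.com", "pcloud.com",
                     "graph.microsoft.com"],
    "PasteSite": ["pastebin.com", "paste.ee", "ghostbin.com", "hastebin.com",
                  "gist.github.com"],
    "DevPlatform": ["api.github.com", "raw.githubusercontent.com"],
    "SocialMedia": ["twitter.com", "t.co", "blogspot.com", "discord.com",
                    "discordapp.com"],
    "Messaging": ["api.telegram.org", "slack.com"],
    "OtherWebService": ["notion.so", "trello.com", "wordpress.com",
                        "mediafire.com", "yandex.com"],
}
ALL_DOMAINS = [d for ds in DOMAINS_BY_CATEGORY.values() for d in ds]

# Image basenames the rule's process filter accepts; '%python%.exe' is
# handled separately in image_is_suspect.
SUSPECT_IMAGES = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "curl.exe",
    "wget.exe", "bitsadmin.exe",
}


def substring_hits(hostname):
    """Semantics of a LIKE '%domain%' pattern: plain substring search.
    Returns every domain that matches, so over-matching is visible."""
    h = hostname.lower()
    return [d for d in ALL_DOMAINS if d in h]


def host_matches(hostname, domain):
    """Anchored semantics (AQL: LIKE '%.domain' OR = 'domain'): the host is
    the domain itself or a subdomain of it. A trailing dot is tolerated."""
    h = hostname.lower().rstrip(".")
    return h == domain or h.endswith("." + domain)


def classify(hostname):
    """Category the CASE expression would assign with anchored matching,
    or None when no domain in the rule matches."""
    for category, domains in DOMAINS_BY_CATEGORY.items():
        if any(host_matches(hostname, d) for d in domains):
            return category
    return None


def image_is_suspect(image_path):
    """Process filter: basename in SUSPECT_IMAGES, or python*.exe."""
    name = image_path.lower().rsplit("\\", 1)[-1]
    return name in SUSPECT_IMAGES or (name.startswith("python") and name.endswith(".exe"))


def run_rule(events, allowlist=frozenset()):
    """Apply the rule to Sysmon records (dicts) and return the alerts.
    allowlist holds (user, image basename, domain) triples for sanctioned
    automation, the tuning the false-positive notes describe."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != "3" or not image_is_suspect(ev.get("Image", "")):
            continue
        host = ev.get("DestinationHostname", "")
        category = classify(host)
        if category is None:
            continue
        image = ev["Image"].lower().rsplit("\\", 1)[-1]
        if any((ev.get("User"), image, d) in allowlist
               for d in ALL_DOMAINS if host_matches(host, d)):
            continue
        alerts.append({"user": ev.get("User"), "image": image,
                       "host": host, "category": category})
    return alerts


# Constructed Sysmon records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": "3", "User": "CORP\\jdoe", "DestinationHostname": "api.dropboxapi.com",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": "3", "User": "CORP\\jdoe", "DestinationHostname": "microsoft.com",
     "Image": "C:\\Windows\\System32\\cmd.exe"},                  # benign host
    {"EventID": "3", "User": "CORP\\svc-build", "DestinationHostname": "api.github.com",
     "Image": "C:\\Tools\\curl.exe"},                             # sanctioned pipeline
    {"EventID": "3", "User": "CORP\\jdoe", "DestinationHostname": "pastebin.com",
     "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"},  # browser, not in filter
    {"EventID": "1", "User": "CORP\\jdoe", "DestinationHostname": "pastebin.com",
     "Image": "C:\\Windows\\System32\\cmd.exe"},                  # wrong event ID
]
SANCTIONED = frozenset({("CORP\\svc-build", "curl.exe", "api.github.com")})

if __name__ == "__main__":
    print("microsoft.com under '%...%' patterns:", substring_hits("microsoft.com"))
    print("microsoft.com under anchored patterns:", classify("microsoft.com"))
    for alert in run_rule(SAMPLE_EVENTS, SANCTIONED):
        print(alert)
```

Running the block prints that microsoft.com is matched by the '%t.co%' substring pattern but by nothing under anchored matching, and that only the PowerShell connection to api.dropboxapi.com survives the process filter and the allowlist. The allowlist is keyed on the user and image as well as the domain, so the sanctioned curl.exe traffic to api.github.com is suppressed only for the build account, not for every host that reaches GitHub.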
Testing Methodology
Validate this detection with the four Atomic Red Team test cases for T1102.002 listed below. Each lists the behaviour to exercise and the telemetry you should expect to see; executable commands and cleanup steps are available with Pro.
- Test 1: Dropbox API C2 Simulation via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-WindowStyle Hidden', 'api.dropboxapi.com', 'Invoke-RestMethod', 'Authorization'. Sysmon Event ID 3: Network Connection to api.dropboxapi.com (162.125.x.x) on port 443. Sysmon Event ID 22: DNS Query for api.dropboxapi.com and content.dropboxapi.com.
- Test 2: Pastebin Read/Write C2 Simulation
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'pastebin.com', 'Net.WebClient', 'DownloadString', 'UploadString', '-ExecutionPolicy Bypass'. Sysmon Event ID 3: Two Network Connections to pastebin.com on port 443. Sysmon Event ID 22: DNS Query for pastebin.com.
- Test 3: OneDrive Network Drive C2 Simulation (PowerStallion Technique)
Expected signal: Security Event ID 4688 or Sysmon Event ID 1: Process Create for cmd.exe with 'net use' and 'd.docs.live.net'. Child process powershell.exe with 'Get-Content', 'Out-File'. Sysmon Event ID 3: Network Connection to d.docs.live.net (OneDrive WebDAV endpoint) on port 443. Sysmon Event ID 22: DNS Query for d.docs.live.net. Caveat: a WebDAV mapping made with net use is carried by the WebClient service, so the Event ID 3 connection is attributed to svchost.exe rather than to cmd.exe or powershell.exe and does not satisfy the process filter in the query; the 4688 / Event ID 1 'net use' line is the signal to rely on for this case.
- Test 4: Google Drive C2 Read via Python (RIFLESPINE Technique)
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'googleapis.com', 'drive/v3/files', 'urllib'. Sysmon Event ID 3: Network Connections to www.googleapis.com on port 443. Sysmon Event ID 22: DNS Query for www.googleapis.com. Caveat: www.googleapis.com is the shared front door for every Google API, and a hostname-level rule cannot see the drive/v3/files path, so the Event ID 1 command line is the discriminator that separates this test from ordinary Google API traffic.
References (12)
- https://attack.mitre.org/techniques/T1102/002/
- https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
- https://research.checkpoint.com/2021/indigozebra-apt-continues-to-target-central-asia-with-evolving-tools/
- https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/
- https://www.trendmicro.com/en_us/research/20/b/the-operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia.html
- https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets
- https://www.mandiant.com/sites/default/files/2022-02/rt-apt1-report.pdf
- https://blog.f-secure.com/wp-content/uploads/2019/10/CozyDuke.pdf
- https://www.microsoft.com/en-us/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/
- https://cloud.google.com/blog/topics/threat-intelligence/unc3886-espionage-targets
- https://www.welivesecurity.com/en/eset-research/oilrig-uses-backdoors-downloader-cyberespionage-campaigns-against-israel/
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf