T1102.002 Microsoft Sentinel · KQL

Detect Bidirectional Communication in Microsoft Sentinel

Adversaries may use an existing, legitimate external web service as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and cloud storage platforms (Google Drive, OneDrive, Dropbox, GitHub, Pastebin, Twitter, Google Calendar) to host C2 instructions and receive command output. This technique is particularly evasive because traffic blends with legitimate business use of these services, which are commonly accessed prior to compromise and protected with SSL/TLS encryption.

MITRE ATT&CK

Tactic: Command and Control
Technique: T1102 Web Service
Sub-technique: T1102.002 Bidirectional Communication
Canonical reference: https://attack.mitre.org/techniques/T1102/002/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
// Shared look-back window so both tables cover the same period
let LookBack = 24h;
let WebServiceDomains = dynamic([
  "api.dropboxapi.com", "content.dropboxapi.com", "dropbox.com",
  "onedrive.live.com", "d.docs.live.net", "graph.microsoft.com", "sharepoint.com",
  "drive.google.com", "docs.google.com", "googleapis.com", "calendar.google.com",
  "api.github.com", "raw.githubusercontent.com", "gist.github.com",
  "pastebin.com", "paste.ee", "ghostbin.com", "hastebin.com",
  "api.twitter.com", "twitter.com", "t.co",
  "api.telegram.org", "discord.com", "discordapp.com",
  "slack.com", "api.slack.com",
  "technet.microsoft.com", "notion.so", "trello.com",
  "pcloud.com", "box.com", "mediafire.com", "yandex.com",
  "sites.google.com", "blogspot.com", "wordpress.com"
]);
let SuspiciousProcesses = dynamic([
  "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
  "python.exe", "python3.exe", "pythonw.exe",
  "curl.exe", "wget.exe", "bitsadmin.exe"
]);
DeviceNetworkEvents
| where Timestamp > ago(LookBack)
// Term match against the abused-service list. An "or RemoteIPType == 'Public'"
// branch here would match almost every outbound connection and is discarded
// by the category filter below anyway, so it is omitted.
| where RemoteUrl has_any (WebServiceDomains)
| where InitiatingProcessFileName in~ (SuspiciousProcesses)
// Category flags. The API and WebDAV hosts exercised in the Testing Methodology
// section (api.dropboxapi.com, d.docs.live.net, googleapis.com) are included so
// that those connections are not dropped by the category filter.
| extend IsCloudStorage = RemoteUrl has_any ("dropbox.com", "api.dropboxapi.com", "content.dropboxapi.com", "onedrive.live.com", "d.docs.live.net", "drive.google.com", "googleapis.com", "sharepoint.com", "box.com", "pcloud.com")
| extend IsPasteSite = RemoteUrl has_any ("pastebin.com", "paste.ee", "ghostbin.com", "hastebin.com", "gist.github.com")
| extend IsSocialMedia = RemoteUrl has_any ("twitter.com", "api.twitter.com", "t.co", "blogspot.com", "discord.com")
| extend IsDevPlatform = RemoteUrl has_any ("api.github.com", "raw.githubusercontent.com", "gist.github.com")
| extend IsMessaging = RemoteUrl has_any ("api.telegram.org", "slack.com", "api.slack.com")
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(LookBack)
    // PIDs are reused inside the window, so the process creation row is matched
    // on creation time as well as PID. Right-side columns are renamed because
    // DeviceNetworkEvents already carries InitiatingProcess* columns for the
    // same process, while in DeviceProcessEvents InitiatingProcess* is the parent.
    | project DeviceName,
              InitiatingProcessId = ProcessId,
              InitiatingProcessCreationTime = ProcessCreationTime,
              ProcessEventTimestamp = Timestamp,
              ParentCommandLine = InitiatingProcessCommandLine
) on DeviceName, InitiatingProcessId, InitiatingProcessCreationTime
| extend SuspiciousCmdLine = InitiatingProcessCommandLine has_any (
    "-enc", "-EncodedCommand", "DownloadString", "Invoke-Expression", "IEX",
    "Net.WebClient", "Invoke-WebRequest", "Start-BitsTransfer",
    "[Convert]::FromBase64", "frombase64", "base64"
)
| where IsCloudStorage or IsPasteSite or IsSocialMedia or IsDevPlatform or IsMessaging
// DeviceNetworkEvents has no AccountName column; the account that owns the
// initiating process is InitiatingProcessAccountName
| project Timestamp, DeviceName, InitiatingProcessAccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          RemoteUrl, RemoteIP, RemotePort,
          IsCloudStorage, IsPasteSite, IsSocialMedia, IsDevPlatform, IsMessaging,
          SuspiciousCmdLine, InitiatingProcessParentFileName, ParentCommandLine
| sort by Timestamp desc
```

Severity: High · Confidence: Medium

Detects processes communicating with known legitimate web services commonly abused for bidirectional C2 communication, including cloud storage platforms (Dropbox, OneDrive, Google Drive), paste sites (Pastebin, Gist), social media (Twitter, Discord), and developer platforms (GitHub). Focuses on scripting engines and system utilities making these connections, with optional correlation to suspicious command-line patterns indicative of C2 client behavior.

Data Sources

  • Network Traffic: Network Connection Creation
  • Process: Process Creation
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceNetworkEvents
  • DeviceProcessEvents

False Positives & Tuning

  • Legitimate IT automation scripts using PowerShell to interact with OneDrive, SharePoint, or Microsoft Graph API for business purposes
  • Developer workstations using curl, Python, or PowerShell to access GitHub APIs, Pastebin, or other development resources
  • Backup and sync agents or IT tools that legitimately upload/download files from Dropbox, OneDrive, or Google Drive
  • Security tools or monitoring scripts that use Pastebin or GitHub to pull configuration data or threat intelligence feeds
  • Collaboration tools (Slack, Teams, Discord) that spawn browser processes or helper utilities to handle webhooks or integrations
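The following is an added example, not code from the original page or from the rule's author. It emulates the Sentinel rule above in Python over constructed DeviceNetworkEvents and DeviceProcessEvents rows, so the stages of the logic (term-based service match, scripting-engine filter, category flags, command-line indicators, join to the process creation row) and the tuning cases in the list above can be exercised offline. Two assumptions are labelled in the code: the Dropbox, OneDrive WebDAV and Google API hosts from the Testing Methodology section are placed in the cloud-storage category, and the allowlist entry (a hypothetical backupagent.exe parent) stands in for the backup-agent tuning case. The has_any helper approximates KQL term matching, which is why api.dropboxapi.com does not match the phrase "dropbox.com"; the process-event join shows why PID alone is an unsafe join key over a 24-hour window.

```python
"""Emulation of the Sentinel rule above over constructed MDE-style rows.
Added example, not code from the original page: it reproduces the rule's
stages (abused-service match, process filter, category flags, command-line
indicators), joins each connection to its process creation row, and applies
an allowlist for the tuning cases listed above. All rows are constructed."""
import re

_TERM = re.compile(r"[A-Za-z0-9_]+")

def terms(text):
    """Lower-cased alphanumeric terms, the units KQL `has` matches on."""
    return [t.lower() for t in _TERM.findall(text or "")]

def has_any(text, phrases):
    """Approximate KQL has_any: a phrase matches when its terms occur in order."""
    toks = terms(text)
    for phrase in phrases:
        p = terms(phrase)
        n = len(p)
        if n and any(toks[i:i + n] == p for i in range(len(toks) - n + 1)):
            return True
    return False

# Category lists from the rule; the Dropbox, OneDrive WebDAV and Google API hosts
# named in the test section are added to cloud_storage (assumption) so they classify.
CATEGORIES = {
    "cloud_storage": ["dropbox.com", "api.dropboxapi.com", "content.dropboxapi.com",
                      "onedrive.live.com", "d.docs.live.net", "drive.google.com",
                      "googleapis.com", "sharepoint.com", "box.com", "pcloud.com"],
    "paste_site": ["pastebin.com", "paste.ee", "ghostbin.com", "hastebin.com", "gist.github.com"],
    "social_media": ["twitter.com", "api.twitter.com", "t.co", "blogspot.com", "discord.com"],
    "dev_platform": ["api.github.com", "raw.githubusercontent.com", "gist.github.com"],
    "messaging": ["api.telegram.org", "slack.com", "api.slack.com"],
}
SUSPICIOUS_PROCESSES = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "python.exe", "python3.exe",
    "pythonw.exe", "curl.exe", "wget.exe", "bitsadmin.exe",
}
CMDLINE_INDICATORS = [
    "-enc", "-EncodedCommand", "DownloadString", "Invoke-Expression", "IEX",
    "Net.WebClient", "Invoke-WebRequest", "Start-BitsTransfer",
    "[Convert]::FromBase64", "frombase64", "base64",
]
# Constructed tuning entry: (parent process, category) pairs that are expected
# business activity, here a hypothetical backup agent driving PowerShell.
ALLOWLIST = {("backupagent.exe", "cloud_storage")}

def categorize(url):
    return sorted(c for c, doms in CATEGORIES.items() if has_any(url, doms))

def matching_process_events(net, procs, use_creation_time=True):
    """Join a connection to its DeviceProcessEvents row. PIDs are reused within
    a 24h window, so matching on PID alone can return several rows."""
    return [p for p in procs
            if p["DeviceName"] == net["DeviceName"]
            and p["ProcessId"] == net["InitiatingProcessId"]
            and (not use_creation_time
                 or p["ProcessCreationTime"] == net["InitiatingProcessCreationTime"])]

def evaluate(net_events, proc_events, allowlist=ALLOWLIST):
    """One alert per connection that survives every stage of the rule."""
    alerts = []
    for net in net_events:
        if net["InitiatingProcessFileName"].lower() not in SUSPICIOUS_PROCESSES:
            continue
        cats = categorize(net["RemoteUrl"])
        if not cats:
            continue
        parent = net["InitiatingProcessParentFileName"].lower()
        if all((parent, c) in allowlist for c in cats):
            continue  # every matched category is expected for this parent
        alerts.append({
            "DeviceName": net["DeviceName"], "Process": net["InitiatingProcessFileName"],
            "RemoteUrl": net["RemoteUrl"], "Categories": cats,
            "SuspiciousCmdLine": has_any(net["InitiatingProcessCommandLine"], CMDLINE_INDICATORS),
            "ProcessEvents": len(matching_process_events(net, proc_events)),
        })
    return alerts

def _net(dev, image, pid, created, cmd, parent, url):
    return {"DeviceName": dev, "InitiatingProcessFileName": image, "InitiatingProcessId": pid,
            "InitiatingProcessCreationTime": created, "InitiatingProcessCommandLine": cmd,
            "InitiatingProcessParentFileName": parent, "RemoteUrl": url}

NET_EVENTS = [  # constructed DeviceNetworkEvents rows
    _net("ws01", "powershell.exe", 4120, "10:00", "powershell.exe -WindowStyle Hidden -enc SQBu",
         "explorer.exe", "https://api.dropboxapi.com/2/files/upload"),
    _net("ws02", "python.exe", 2222, "10:05", "python.exe sync.py", "cmd.exe",
         "https://www.googleapis.com/drive/v3/files"),
    _net("ws02", "chrome.exe", 3333, "09:00", "chrome.exe", "explorer.exe",
         "https://drive.google.com/drive/my-drive"),
    _net("ws03", "powershell.exe", 5100, "10:10", "powershell.exe -File upload.ps1",
         "backupagent.exe", "https://contoso.sharepoint.com/sites/backup"),
]
PROC_EVENTS = [  # constructed DeviceProcessEvents rows; ws01 reused PID 4120 in-window
    {"DeviceName": "ws01", "ProcessId": 4120, "ProcessCreationTime": "08:00"},
    {"DeviceName": "ws01", "ProcessId": 4120, "ProcessCreationTime": "10:00"},
    {"DeviceName": "ws02", "ProcessId": 2222, "ProcessCreationTime": "10:05"},
]

if __name__ == "__main__":
    for alert in evaluate(NET_EVENTS, PROC_EVENTS):
        print(alert)
```

Running the module yields two alerts: the hidden-window PowerShell upload to the Dropbox API (command-line indicators present, exactly one process creation row once creation time is part of the key) and the Python call to the Drive API (no indicators). The browser connection is dropped by the process filter and the backup-agent-spawned PowerShell is suppressed by the allowlist; passing an empty allowlist brings it back, which is the quickest way to measure what a tuning entry costs in coverage.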

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Dropbox API C2 Simulation via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-WindowStyle Hidden', 'api.dropboxapi.com', 'Invoke-RestMethod', 'Authorization'. Sysmon Event ID 3: Network Connection to api.dropboxapi.com (162.125.x.x) on port 443. Sysmon Event ID 22: DNS Query for api.dropboxapi.com and content.dropboxapi.com.

  2. Test 2: Pastebin Read/Write C2 Simulation

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'pastebin.com', 'Net.WebClient', 'DownloadString', 'UploadString', '-ExecutionPolicy Bypass'. Sysmon Event ID 3: Two Network Connections to pastebin.com on port 443. Sysmon Event ID 22: DNS Query for pastebin.com.

  3. Test 3: OneDrive Network Drive C2 Simulation (PowerStallion Technique)

    Expected signal: Security Event ID 4688 or Sysmon Event ID 1: Process Create for cmd.exe with 'net use' and 'd.docs.live.net'. Child process powershell.exe with 'Get-Content', 'Out-File'. Sysmon Event ID 3: Network Connection to d.docs.live.net (OneDrive WebDAV endpoint) on port 443. Sysmon Event ID 22: DNS Query for d.docs.live.net.

  4. Test 4: Google Drive C2 Read via Python (RIFLESPINE Technique)

    Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'googleapis.com', 'drive/v3/files', 'urllib'. Sysmon Event ID 3: Network Connections to www.googleapis.com on port 443. Sysmon Event ID 22: DNS Query for www.googleapis.com.
