Which SIEM platforms have a T1102.002 detection rule?

df00tech provides T1102.002 (Bidirectional Communication) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1102.002 detection?

The T1102.002 detection is rated high severity with medium confidence.

What are common false positives for T1102.002?

Common false positives for T1102.002 include: Legitimate IT automation scripts using PowerShell to interact with OneDrive, SharePoint, or Microsoft Graph API for business purposes; Developer workstations using curl, Python, or PowerShell to access GitHub APIs, Pastebin, or other development resources; Backup and sync agents or IT tools that legitimately upload/download files from Dropbox, OneDrive, or Google Drive.

T1102.002 Splunk · SPL

Detect Bidirectional Communication in Splunk

Q: What data sources are required to detect Bidirectional Communication (T1102.002)?

Detecting Bidirectional Communication requires the following data sources: Network Traffic: Network Connection Creation, Process: Process Creation, Microsoft Defender for Endpoint.

Adversaries may use an existing, legitimate external web service as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and cloud storage platforms (Google Drive, OneDrive, Dropbox, GitHub, Pastebin, Twitter, Google Calendar) to host C2 instructions and receive command output. This technique is particularly evasive because traffic blends with legitimate business use of these services, which are commonly accessed prior to compromise and protected with SSL/TLS encryption.

MITRE ATT&CK

Tactic: Command and Control
Technique: T1102 Web Service
Sub-technique: T1102.002 Bidirectional Communication
Canonical reference: https://attack.mitre.org/techniques/T1102/002/

SPL Detection Query

Splunk (SPL)

spl

index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3)
| eval Image=lower(Image), DestinationHostname=lower(DestinationHostname)
| eval IsCloudStorage=if(match(DestinationHostname, "(dropbox\.com|onedrive\.live\.com|drive\.google\.com|sharepoint\.com|box\.com|pcloud\.com|graph\.microsoft\.com)"), 1, 0)
| eval IsPasteSite=if(match(DestinationHostname, "(pastebin\.com|paste\.ee|ghostbin\.com|hastebin\.com|gist\.github\.com)"), 1, 0)
| eval IsSocialMedia=if(match(DestinationHostname, "(twitter\.com|api\.twitter\.com|t\.co|blogspot\.com|discord\.com|discordapp\.com)"), 1, 0)
| eval IsDevPlatform=if(match(DestinationHostname, "(api\.github\.com|raw\.githubusercontent\.com|gist\.github\.com)"), 1, 0)
| eval IsMessaging=if(match(DestinationHostname, "(api\.telegram\.org|slack\.com|api\.slack\.com)"), 1, 0)
| eval IsWebServiceC2Target=IsCloudStorage+IsPasteSite+IsSocialMedia+IsDevPlatform+IsMessaging
| where IsWebServiceC2Target > 0
| eval IsSuspiciousProcess=if(match(Image, "(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|python.*\.exe|curl\.exe|wget\.exe|bitsadmin\.exe)"), 1, 0)
| where IsSuspiciousProcess=1
| eval ServiceType=case(
    IsCloudStorage=1, "CloudStorage",
    IsPasteSite=1, "PasteSite",
    IsSocialMedia=1, "SocialMedia",
    IsDevPlatform=1, "DevPlatform",
    IsMessaging=1, "Messaging",
    true(), "Unknown"
)
| lookup dnslookup clienthost AS DestinationIp OUTPUT clientip AS ResolvedIP
| stats count AS ConnectionCount,
        values(DestinationHostname) AS Destinations,
        values(DestinationPort) AS Ports,
        values(ServiceType) AS ServiceTypes,
        earliest(_time) AS FirstSeen,
        latest(_time) AS LastSeen
    by host, User, Image, ProcessId, ParentImage
| where ConnectionCount >= 1
| eval Duration=LastSeen-FirstSeen
| sort - ConnectionCount

high severity medium confidence

Detects scripting engines and system utilities (PowerShell, cmd, WScript, Python, curl, etc.) making network connections to known web services commonly abused for bidirectional C2 communication using Sysmon Event ID 3 (Network Connection). Classifies destination by service type (cloud storage, paste site, social media, development platform, messaging) and aggregates connection statistics per process to help identify beaconing behavior.

Data Sources

Network Traffic: Network Connection CreationSysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

Legitimate IT automation scripts using PowerShell to interact with OneDrive, SharePoint, or Microsoft Graph API for business purposes
Developer workstations using curl, Python, or PowerShell to access GitHub APIs, Pastebin, or other development resources
Backup and sync agents or IT tools that legitimately upload/download files from Dropbox, OneDrive, or Google Drive
Security tools or monitoring scripts that use Pastebin or GitHub to pull configuration data or threat intelligence feeds
Collaboration tools or browser extensions spawning system utilities to handle webhooks or integrations

Download portable Sigma rule (.yml)

Other platforms for T1102.002

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Dropbox API C2 Simulation via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-WindowStyle Hidden', 'api.dropboxapi.com', 'Invoke-RestMethod', 'Authorization'. Sysmon Event ID 3: Network Connection to api.dropboxapi.com (162.125.x.x) on port 443. Sysmon Event ID 22: DNS Query for api.dropboxapi.com and content.dropboxapi.com.
Test 2Pastebin Read/Write C2 Simulation
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'pastebin.com', 'Net.WebClient', 'DownloadString', 'UploadString', '-ExecutionPolicy Bypass'. Sysmon Event ID 3: Two Network Connections to pastebin.com on port 443. Sysmon Event ID 22: DNS Query for pastebin.com.
Test 3OneDrive Network Drive C2 Simulation (PowerStallion Technique)
Expected signal: Security Event ID 4688 or Sysmon Event ID 1: Process Create for cmd.exe with 'net use' and 'd.docs.live.net'. Child process powershell.exe with 'Get-Content', 'Out-File'. Sysmon Event ID 3: Network Connection to d.docs.live.net (OneDrive WebDAV endpoint) on port 443. Sysmon Event ID 22: DNS Query for d.docs.live.net.
Test 4Google Drive C2 Read via Python (RIFLESPINE Technique)
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'googleapis.com', 'drive/v3/files', 'urllib'. Sysmon Event ID 3: Network Connections to www.googleapis.com on port 443. Sysmon Event ID 22: DNS Query for www.googleapis.com.

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1102.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Bidirectional Communication in Splunk

MITRE ATT&CK

SPL Detection Query

Data Sources

Required Sourcetypes

False Positives & Tuning

Other platforms for T1102.002

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Command and Control

Popular Detections

MITRE ATT&CK

SPL Detection Query

Data Sources

Required Sourcetypes

False Positives & Tuning

Other platforms for T1102.002

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Command and Control

Popular Detections

Get new detections in your inbox