T1102.002 Sumo Logic CSE · Sumo

Detect Bidirectional Communication in Sumo Logic CSE

Adversaries may use an existing, legitimate external web service as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and cloud storage platforms (Google Drive, OneDrive, Dropbox, GitHub, Pastebin, Twitter, Google Calendar) to host C2 instructions and receive command output. This technique is particularly evasive because traffic blends with legitimate business use of these services, which are commonly accessed prior to compromise and protected with SSL/TLS encryption.

MITRE ATT&CK

Tactic: Command and Control
Technique: T1102 Web Service
Sub-technique: T1102.002 Bidirectional Communication
Canonical reference: https://attack.mitre.org/techniques/T1102/002/

Sumo Detection Query

Sumo Logic CSE (Sumo)

```
(_sourceCategory="*sysmon*" OR _sourceCategory="*windows*events*") EventCode=3
| parse regex "(?i)<Image>(?<Image>[^<]+)</Image>"
| parse regex "(?i)<DestinationHostname>(?<DestHostname>[^<]+)</DestinationHostname>"
| parse regex "(?i)<User>(?<User>[^<]+)</User>"
| parse regex "(?i)<DestinationPort>(?<DestPort>[^<]+)</DestinationPort>"
| parse regex "(?i)<SourceIp>(?<SourceIP>[^<]+)</SourceIp>"
| parse regex "(?i)<CommandLine>(?<CommandLine>[^<]+)</CommandLine>" nodrop
| parse regex "(?i)<ParentImage>(?<ParentImage>[^<]+)</ParentImage>" nodrop
| where (DestHostname matches "*dropbox.com*"
  OR DestHostname matches "*onedrive.live.com*"
  OR DestHostname matches "*drive.google.com*"
  OR DestHostname matches "*sharepoint.com*"
  OR DestHostname matches "*box.com*"
  OR DestHostname matches "*pcloud.com*"
  OR DestHostname matches "*graph.microsoft.com*"
  OR DestHostname matches "*pastebin.com*"
  OR DestHostname matches "*paste.ee*"
  OR DestHostname matches "*ghostbin.com*"
  OR DestHostname matches "*hastebin.com*"
  OR DestHostname matches "*gist.github.com*"
  OR DestHostname matches "*api.github.com*"
  OR DestHostname matches "*raw.githubusercontent.com*"
  OR DestHostname matches "*twitter.com*"
  OR DestHostname = "t.co"
  OR DestHostname matches "*discord.com*"
  OR DestHostname matches "*discordapp.com*"
  OR DestHostname matches "*api.telegram.org*"
  OR DestHostname matches "*slack.com*"
  OR DestHostname matches "*notion.so*"
  OR DestHostname matches "*trello.com*"
  OR DestHostname matches "*blogspot.com*"
  OR DestHostname matches "*wordpress.com*"
  OR DestHostname matches "*mediafire.com*"
  OR DestHostname matches "*yandex.com*")
| where (Image matches "*powershell.exe*"
  OR Image matches "*pwsh.exe*"
  OR Image matches "*cmd.exe*"
  OR Image matches "*wscript.exe*"
  OR Image matches "*cscript.exe*"
  OR Image matches "*mshta.exe*"
  OR Image matches "*rundll32.exe*"
  OR Image matches "*regsvr32.exe*"
  OR Image matches "*certutil.exe*"
  OR Image matches "*python*.exe*"
  OR Image matches "*curl.exe*"
  OR Image matches "*wget.exe*"
  OR Image matches "*bitsadmin.exe*")
| eval IsCloudStorage = if(DestHostname matches "*dropbox.com*" OR DestHostname matches "*onedrive.live.com*" OR DestHostname matches "*drive.google.com*" OR DestHostname matches "*sharepoint.com*" OR DestHostname matches "*box.com*" OR DestHostname matches "*pcloud.com*" OR DestHostname matches "*graph.microsoft.com*", 1, 0)
| eval IsPasteSite = if(DestHostname matches "*pastebin.com*" OR DestHostname matches "*paste.ee*" OR DestHostname matches "*ghostbin.com*" OR DestHostname matches "*hastebin.com*" OR DestHostname matches "*gist.github.com*", 1, 0)
| eval IsSocialMedia = if(DestHostname matches "*twitter.com*" OR DestHostname = "t.co" OR DestHostname matches "*blogspot.com*" OR DestHostname matches "*discord.com*" OR DestHostname matches "*discordapp.com*", 1, 0)
| eval IsDevPlatform = if(DestHostname matches "*api.github.com*" OR DestHostname matches "*raw.githubusercontent.com*" OR DestHostname matches "*gist.github.com*", 1, 0)
| eval IsMessaging = if(DestHostname matches "*api.telegram.org*" OR DestHostname matches "*slack.com*", 1, 0)
| eval ServiceType = if(IsCloudStorage=1, "CloudStorage", if(IsPasteSite=1, "PasteSite", if(IsSocialMedia=1, "SocialMedia", if(IsDevPlatform=1, "DevPlatform", if(IsMessaging=1, "Messaging", "Other")))))
| eval HasSuspiciousCmdLine = if(CommandLine matches "*-enc*" OR CommandLine matches "*-EncodedCommand*" OR CommandLine matches "*DownloadString*" OR CommandLine matches "*Invoke-Expression*" OR CommandLine matches "*IEX*" OR CommandLine matches "*Net.WebClient*" OR CommandLine matches "*FromBase64*" OR CommandLine matches "*base64*", "true", "false")
| stats count as ConnectionCount, values(DestHostname) as Destinations, values(DestPort) as Ports, values(ServiceType) as ServiceTypes, min(_messageTime) as FirstSeen, max(_messageTime) as LastSeen by _sourceHost, User, Image, ServiceType, HasSuspiciousCmdLine
| sort by ConnectionCount desc
```

Severity: High · Confidence: High

Detects Sysmon EventCode 3 (Network Connection) events in which system utilities, scripting engines, or download tools commonly abused for this technique establish outbound connections to web services known to be used as C2 channels. The query parses the XML-structured Sysmon events with regex field extraction, classifies the destination into a service category (cloud storage, paste site, social media, developer platform, messaging), flags encoded or download-and-execute command-line patterns consistent with PowerShell web-client abuse, and aggregates the results per host, user, and process for analyst triage. Two points matter when tuning: a wildcard pattern such as `*t.co*` matches any hostname containing that substring (microsoft.com, for example), so the short `t.co` entry should be matched exactly; and Sysmon network-connection events do not carry a CommandLine field, which is why that field is parsed with `nodrop` and the command-line flag only contributes when the field is present in the record.

Data Sources

  • Sumo Logic Installed Collector with a Windows Event Log source (Sysmon Operational channel)
  • Sumo Logic Windows agent collecting Microsoft-Windows-Sysmon/Operational

Required Tables

_sourceCategory containing Sysmon operational XML event logs

False Positives & Tuning

  • System administrators running sanctioned PowerShell scripts that access SharePoint or OneDrive for Business as part of enterprise data migration or backup workflows
  • DevOps automation pipelines that use cmd.exe or curl.exe to pull build artifacts from GitHub Releases or post deployment notifications to Slack
  • Enterprise collaboration and ITSM tools configured by IT operations that use wscript.exe or cscript.exe to interact with Trello, Notion, or other SaaS platforms
  • Scheduled Python-based monitoring scripts that push health metrics or alerts to Telegram or Discord webhooks as part of approved operational tooling
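The following is an added example, not part of the original detection page, that models the query's pipeline offline so the filter, classification, command-line flag and tuning exceptions from the False Positives section can be checked against constructed Sysmon Event ID 3 records before the rule is deployed. It assumes the `<Tag>value</Tag>` layout the query's parse stages expect, a `<Computer>` tag standing in for `_sourceHost` and a `<UtcTime>` tag for `_messageTime`, and a constructed allowlist of sanctioned host/image/destination combinations; the sample events and all hostnames, users and timestamps in them are made up.

```python
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Field extraction mirrors the query's parse-regex stages (case-insensitive tags).
# Computer and UtcTime are assumed stand-ins for _sourceHost and _messageTime.
FIELD_TAGS = {"Image": "Image", "DestinationHostname": "DestHostname", "User": "User",
              "DestinationPort": "DestPort", "SourceIp": "SourceIP",
              "CommandLine": "CommandLine", "ParentImage": "ParentImage",
              "Computer": "Host", "UtcTime": "Time"}
REQUIRED = ("Image", "DestHostname", "User", "DestPort", "SourceIP")  # parsed without nodrop

# Destination watchlist from the query; "t.co" is exact because "*t.co*" also matches microsoft.com.
WATCHED_DESTINATIONS = [
    "*dropbox.com*", "*onedrive.live.com*", "*drive.google.com*", "*sharepoint.com*", "*box.com*",
    "*pcloud.com*", "*graph.microsoft.com*", "*pastebin.com*", "*paste.ee*", "*ghostbin.com*",
    "*hastebin.com*", "*gist.github.com*", "*api.github.com*", "*raw.githubusercontent.com*",
    "*twitter.com*", "t.co", "*discord.com*", "*discordapp.com*", "*api.telegram.org*", "*slack.com*",
    "*notion.so*", "*trello.com*", "*blogspot.com*", "*wordpress.com*", "*mediafire.com*", "*yandex.com*"]
WATCHED_IMAGES = ["*powershell.exe*", "*pwsh.exe*", "*cmd.exe*", "*wscript.exe*", "*cscript.exe*",
                  "*mshta.exe*", "*rundll32.exe*", "*regsvr32.exe*", "*certutil.exe*",
                  "*python*.exe*", "*curl.exe*", "*wget.exe*", "*bitsadmin.exe*"]
SERVICE_TYPES = [  # list order reproduces the nested if() precedence of the query
    ("CloudStorage", ["*dropbox.com*", "*onedrive.live.com*", "*drive.google.com*", "*sharepoint.com*",
                      "*box.com*", "*pcloud.com*", "*graph.microsoft.com*"]),
    ("PasteSite", ["*pastebin.com*", "*paste.ee*", "*ghostbin.com*", "*hastebin.com*", "*gist.github.com*"]),
    ("SocialMedia", ["*twitter.com*", "t.co", "*blogspot.com*", "*discord.com*", "*discordapp.com*"]),
    ("DevPlatform", ["*api.github.com*", "*raw.githubusercontent.com*", "*gist.github.com*"]),
    ("Messaging", ["*api.telegram.org*", "*slack.com*"]),
]
SUSPICIOUS_CMDLINE = ["*-enc*", "*-EncodedCommand*", "*DownloadString*", "*Invoke-Expression*",
                      "*IEX*", "*Net.WebClient*", "*FromBase64*", "*base64*"]
# Constructed tuning allowlist (host glob, image glob, destination glob) for sanctioned automation,
# e.g. CI runners pulling artifacts from GitHub as described under False Positives & Tuning.
ALLOWLIST = [("build-*", "*curl.exe", "api.github.com")]


def matches_any(value, patterns):
    """Case-insensitive glob test modelling Sumo's `matches` (assumed case folding)."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def parse_event(raw):
    fields = {}
    for tag, name in FIELD_TAGS.items():
        m = re.search(rf"(?i)<{tag}>([^<]+)</{tag}>", raw)
        if m:
            fields[name] = m.group(1)
    return fields


def classify(hostname):
    for service_type, patterns in SERVICE_TYPES:
        if matches_any(hostname, patterns):
            return service_type
    return "Other"


def evaluate(raw):
    """Return the enriched event, or None when the query's filters (or tuning) drop it."""
    ev = parse_event(raw)
    if not all(k in ev for k in REQUIRED):
        return None
    if not matches_any(ev["DestHostname"], WATCHED_DESTINATIONS) or not matches_any(ev["Image"], WATCHED_IMAGES):
        return None
    host = ev.get("Host", "unknown")
    if any(fnmatchcase(host.lower(), h) and fnmatchcase(ev["Image"].lower(), i)
           and fnmatchcase(ev["DestHostname"].lower(), d) for h, i, d in ALLOWLIST):
        return None  # sanctioned automation suppressed before aggregation
    ev["ServiceType"] = classify(ev["DestHostname"])
    # CommandLine is parsed with nodrop; Event ID 3 usually lacks it, so absent means not suspicious.
    ev["HasSuspiciousCmdLine"] = matches_any(ev.get("CommandLine", ""), SUSPICIOUS_CMDLINE)
    return ev


def aggregate(raw_events):
    """Group like the query's final stage and sort by ConnectionCount descending."""
    groups = defaultdict(lambda: {"ConnectionCount": 0, "Destinations": set(), "Ports": set(),
                                  "FirstSeen": None, "LastSeen": None})
    for raw in raw_events:
        ev = evaluate(raw)
        if ev is None:
            continue
        g = groups[(ev.get("Host", "unknown"), ev["User"], ev["Image"], ev["ServiceType"], ev["HasSuspiciousCmdLine"])]
        g["ConnectionCount"] += 1
        g["Destinations"].add(ev["DestHostname"])
        g["Ports"].add(ev["DestPort"])
        t = ev.get("Time", "")
        g["FirstSeen"] = t if g["FirstSeen"] is None else min(g["FirstSeen"], t)
        g["LastSeen"] = t if g["LastSeen"] is None else max(g["LastSeen"], t)
    return sorted(groups.items(), key=lambda kv: kv[1]["ConnectionCount"], reverse=True)


def _ev(host, user, image, dest, port, time, cmdline=None):
    """Build a constructed Sysmon Event ID 3 record in the layout the query parses."""
    xml = (f"<Event><EventCode>3</EventCode><Computer>{host}</Computer><UtcTime>{time}</UtcTime>"
           f"<Image>{image}</Image><User>{user}</User><SourceIp>10.0.0.5</SourceIp>"
           f"<DestinationHostname>{dest}</DestinationHostname><DestinationPort>{port}</DestinationPort>")
    return xml + (f"<CommandLine>{cmdline}</CommandLine>" if cmdline else "") + "</Event>"


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    _ev("ws-017", "CORP\\jdoe", PS, "pastebin.com", "443", "2024-05-01 10:00:01", "powershell.exe -nop -w hidden -enc ZHVtbXk="),
    _ev("ws-017", "CORP\\jdoe", PS, "pastebin.com", "443", "2024-05-01 10:00:09", "powershell.exe -nop -w hidden -enc ZHVtbXk="),
    _ev("ws-017", "CORP\\jdoe", PS, "gist.github.com", "443", "2024-05-01 10:01:30"),  # no CommandLine on EID 3
    _ev("ws-017", "CORP\\jdoe", r"C:\Windows\System32\svchost.exe", "login.microsoft.com", "443", "2024-05-01 10:02:00"),
    _ev("ws-017", "CORP\\jdoe", PS, "login.microsoft.com", "443", "2024-05-01 10:02:05"),  # would hit a "*t.co*" glob
    _ev("build-03", "CORP\\svc_ci", r"C:\Windows\System32\curl.exe", "api.github.com", "443", "2024-05-01 10:03:00"),  # allowlisted
]

if __name__ == "__main__":
    for key, g in aggregate(SAMPLE_EVENTS):
        print(key, g["ConnectionCount"], sorted(g["Destinations"]), g["FirstSeen"], g["LastSeen"])
```

Running the block yields two rows for ws-017: the two encoded PowerShell connections to pastebin.com grouped as PasteSite with the command-line flag set, and the gist.github.com connection grouped as PasteSite rather than DevPlatform because the query's nested if() gives PasteSite precedence. The svchost.exe, login.microsoft.com and CI-runner events are dropped, the last one by the tuning allowlist rather than by the detection logic.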

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Dropbox API C2 Simulation via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-WindowStyle Hidden', 'api.dropboxapi.com', 'Invoke-RestMethod', 'Authorization'. Sysmon Event ID 3: Network Connection to api.dropboxapi.com (162.125.x.x) on port 443. Sysmon Event ID 22: DNS Query for api.dropboxapi.com and content.dropboxapi.com.

  2. Test 2: Pastebin Read/Write C2 Simulation

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'pastebin.com', 'Net.WebClient', 'DownloadString', 'UploadString', '-ExecutionPolicy Bypass'. Sysmon Event ID 3: Two Network Connections to pastebin.com on port 443. Sysmon Event ID 22: DNS Query for pastebin.com.

  3. Test 3: OneDrive Network Drive C2 Simulation (PowerStallion Technique)

    Expected signal: Security Event ID 4688 or Sysmon Event ID 1: Process Create for cmd.exe with 'net use' and 'd.docs.live.net'. Child process powershell.exe with 'Get-Content', 'Out-File'. Sysmon Event ID 3: Network Connection to d.docs.live.net (OneDrive WebDAV endpoint) on port 443. Sysmon Event ID 22: DNS Query for d.docs.live.net.

  4. Test 4: Google Drive C2 Read via Python (RIFLESPINE Technique)

    Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'googleapis.com', 'drive/v3/files', 'urllib'. Sysmon Event ID 3: Network Connections to www.googleapis.com on port 443. Sysmon Event ID 22: DNS Query for www.googleapis.com.
