T1102.003

One-Way Communication

Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media (GitHub, Twitter/X, Telegram, GitLab, TechNet) to host command and control (C2) instructions. Those infected systems may send output back over a different C2 channel or return no output at all. Using common services makes it easier for adversaries to hide in expected noise, and SSL/TLS encryption from Web service providers adds an additional layer of protection.

Microsoft Sentinel / Defender

kusto

let LegitWebServices = dynamic([
  "api.twitter.com", "twitter.com", "x.com", "api.x.com",
  "github.com", "raw.githubusercontent.com", "gist.github.com",
  "gitlab.com", "api.telegram.org", "t.me",
  "pastebin.com", "paste.ee", "hastebin.com",
  "technet.microsoft.com", "social.technet.microsoft.com",
  "docs.google.com", "drive.google.com", "googleapis.com",
  "onedrive.live.com", "sharepoint.com",
  "discord.com", "discordapp.com",
  "reddit.com", "redd.it",
  "notion.so", "trello.com",
  "digitalpoint.com"
]);
let SuspiciousProcesses = dynamic([
  "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
  "curl.exe", "wget.exe", "bitsadmin.exe", "msiexec.exe",
  "python.exe", "python3.exe", "ruby.exe", "node.exe",
  "wmic.exe", "msbuild.exe"
]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (LegitWebServices)
| where InitiatingProcessFileName has_any (SuspiciousProcesses)
| extend IsEncodedCmd = InitiatingProcessCommandLine has_any ("-EncodedCommand", "-enc ", "FromBase64String", "base64")
| extend IsScheduledOrService = InitiatingProcessParentFileName in~ ("svchost.exe", "taskeng.exe", "taskhostw.exe", "services.exe", "WmiPrvSE.exe")
| extend IsScriptingHost = InitiatingProcessFileName in~ ("wscript.exe", "cscript.exe", "mshta.exe")
| extend SuspiciousParent = InitiatingProcessParentFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe", "msaccess.exe", "acrord32.exe", "acrobat.exe")
| extend NetworkRequestCount = 1
| project Timestamp, DeviceName, AccountName,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName, InitiatingProcessParentCommandLine,
         RemoteUrl, RemoteIP, RemotePort, RemoteIPType,
         IsEncodedCmd, IsScheduledOrService, IsScriptingHost, SuspiciousParent
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Developers and DevOps engineers using git clients, GitHub CLI, or GitLab runners on workstations that legitimately connect to GitHub or GitLab
IT automation tools (Ansible, Puppet, Chef) polling GitHub for configuration or playbook updates
Software update mechanisms that fetch release notes, changelogs, or update manifests from GitHub or Google APIs
Security tools and EDR agents that check reputation feeds or pull threat intel from public repositories
Collaboration tools installed as services that connect to Discord, Telegram, or Slack APIs for notifications

Splunk

spl

index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
| eval dest_host=lower(DestinationHostname)
| eval initiating_image=lower(Image)
| eval is_legit_webservice=case(
    match(dest_host, "(twitter\.com|x\.com|api\.twitter\.com|api\.x\.com)"), "twitter",
    match(dest_host, "(github\.com|raw\.githubusercontent\.com|gist\.github\.com)"), "github",
    match(dest_host, "(gitlab\.com)"), "gitlab",
    match(dest_host, "(api\.telegram\.org|t\.me)"), "telegram",
    match(dest_host, "(pastebin\.com|paste\.ee|hastebin\.com|pastecode\.io)"), "pastebin",
    match(dest_host, "(discord\.com|discordapp\.com)"), "discord",
    match(dest_host, "(docs\.google\.com|drive\.google\.com|googleapis\.com)"), "google_services",
    match(dest_host, "(reddit\.com|redd\.it)"), "reddit",
    match(dest_host, "(notion\.so|trello\.com|digitalpoint\.com)"), "other_webservice",
    match(dest_host, "(onedrive\.live\.com|sharepoint\.com)"), "microsoft_personal",
    true(), "")
| where is_legit_webservice != ""
| eval is_suspicious_process=if(match(initiating_image, "(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|curl\.exe|wget\.exe|bitsadmin\.exe|python\.exe|python3\.exe|ruby\.exe|node\.exe|wmic\.exe|msbuild\.exe)"), 1, 0)
| eval is_encoded=if(match(lower(CommandLine), "(-encodedcommand|-enc\s|frombase64string|base64)"), 1, 0)
| eval is_office_parent=if(match(lower(ParentImage), "(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|onenote\.exe|msaccess\.exe|acrord32\.exe|acrobat\.exe)"), 1, 0)
| eval is_service_spawn=if(match(lower(ParentImage), "(svchost\.exe|taskeng\.exe|taskhostw\.exe|services\.exe|wmiprvse\.exe)"), 1, 0)
| eval suspicion_score=is_suspicious_process + is_encoded + is_office_parent + is_service_spawn
| where is_suspicious_process=1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
         DestinationHostname, DestinationIp, DestinationPort,
         is_legit_webservice, is_encoded, is_office_parent, is_service_spawn, suspicion_score
| sort - _time

medium severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Developers and DevOps engineers using git clients, GitHub CLI, or GitLab runners on workstations that legitimately connect to GitHub or GitLab
IT automation tools (Ansible, Puppet, Chef) polling GitHub for configuration or playbook updates
Software update mechanisms that fetch release notes, changelogs, or update manifests from GitHub or Google APIs
Security tools and EDR agents that check reputation feeds or pull threat intel from public repositories
Collaboration tools installed as services that connect to Discord, Telegram, or Slack APIs for notifications

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  username,
  QIDNAME(qid) AS event_name,
  LOGSOURCENAME(logsourceid) AS log_source,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  "ParentCommandLine" AS parent_command_line,
  "DestinationHostname" AS dest_hostname,
  "DestinationPort" AS dest_port
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) LIKE '%Sysmon%'
  AND QIDNAME(qid) LIKE '%Network connection%'
  AND (
    LOWER("DestinationHostname") LIKE '%twitter.com%' OR
    LOWER("DestinationHostname") LIKE '%x.com%' OR
    LOWER("DestinationHostname") LIKE '%github.com%' OR
    LOWER("DestinationHostname") LIKE '%githubusercontent.com%' OR
    LOWER("DestinationHostname") LIKE '%gitlab.com%' OR
    LOWER("DestinationHostname") LIKE '%telegram.org%' OR
    LOWER("DestinationHostname") LIKE '%t.me%' OR
    LOWER("DestinationHostname") LIKE '%pastebin.com%' OR
    LOWER("DestinationHostname") LIKE '%paste.ee%' OR
    LOWER("DestinationHostname") LIKE '%hastebin.com%' OR
    LOWER("DestinationHostname") LIKE '%discord.com%' OR
    LOWER("DestinationHostname") LIKE '%discordapp.com%' OR
    LOWER("DestinationHostname") LIKE '%googleapis.com%' OR
    LOWER("DestinationHostname") LIKE '%sharepoint.com%' OR
    LOWER("DestinationHostname") LIKE '%reddit.com%' OR
    LOWER("DestinationHostname") LIKE '%notion.so%' OR
    LOWER("DestinationHostname") LIKE '%trello.com%'
  )
  AND (
    LOWER("Image") LIKE '%powershell.exe' OR
    LOWER("Image") LIKE '%pwsh.exe' OR
    LOWER("Image") LIKE '%cmd.exe' OR
    LOWER("Image") LIKE '%wscript.exe' OR
    LOWER("Image") LIKE '%cscript.exe' OR
    LOWER("Image") LIKE '%mshta.exe' OR
    LOWER("Image") LIKE '%rundll32.exe' OR
    LOWER("Image") LIKE '%regsvr32.exe' OR
    LOWER("Image") LIKE '%certutil.exe' OR
    LOWER("Image") LIKE '%curl.exe' OR
    LOWER("Image") LIKE '%wget.exe' OR
    LOWER("Image") LIKE '%bitsadmin.exe' OR
    LOWER("Image") LIKE '%python.exe' OR
    LOWER("Image") LIKE '%python3.exe' OR
    LOWER("Image") LIKE '%node.exe' OR
    LOWER("Image") LIKE '%wmic.exe' OR
    LOWER("Image") LIKE '%msbuild.exe'
  )
  AND starttime > NOW - 86400000
ORDER BY starttime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Microsoft Sysmon DSM (Windows) Windows Security Event Log DSM

Required Tables

events

False Positives

Authorized software deployment pipelines that use bitsadmin.exe or msiexec.exe to retrieve installer packages from SharePoint Online or OneDrive corporate file shares
Penetration testing engagements or red team exercises where known C2-over-web-service techniques are being tested against authorized lab endpoints sharing the same log source
IT helpdesk automation runbooks executing PowerShell to poll GitHub repositories or Notion pages for runbook configuration at scheduled intervals

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where EventID = "3"
| eval dest_host = toLowerCase(DestinationHostname)
| eval proc_image = toLowerCase(Image)
| where dest_host matches "*twitter.com*"
  OR dest_host matches "*x.com*"
  OR dest_host matches "*github.com*"
  OR dest_host matches "*githubusercontent.com*"
  OR dest_host matches "*gitlab.com*"
  OR dest_host matches "*telegram.org*"
  OR dest_host matches "*t.me*"
  OR dest_host matches "*pastebin.com*"
  OR dest_host matches "*paste.ee*"
  OR dest_host matches "*hastebin.com*"
  OR dest_host matches "*discord.com*"
  OR dest_host matches "*discordapp.com*"
  OR dest_host matches "*googleapis.com*"
  OR dest_host matches "*sharepoint.com*"
  OR dest_host matches "*reddit.com*"
  OR dest_host matches "*notion.so*"
  OR dest_host matches "*trello.com*"
| where proc_image matches "*powershell.exe"
  OR proc_image matches "*pwsh.exe"
  OR proc_image matches "*cmd.exe"
  OR proc_image matches "*wscript.exe"
  OR proc_image matches "*cscript.exe"
  OR proc_image matches "*mshta.exe"
  OR proc_image matches "*rundll32.exe"
  OR proc_image matches "*regsvr32.exe"
  OR proc_image matches "*certutil.exe"
  OR proc_image matches "*curl.exe"
  OR proc_image matches "*wget.exe"
  OR proc_image matches "*bitsadmin.exe"
  OR proc_image matches "*python.exe"
  OR proc_image matches "*python3.exe"
  OR proc_image matches "*node.exe"
  OR proc_image matches "*wmic.exe"
  OR proc_image matches "*msbuild.exe"
| eval is_encoded = if(CommandLine matches "(?i).*(-encodedcommand|-enc \\S|frombase64string|base64).*", 1, 0)
| eval is_office_parent = if(ParentImage matches "(?i).*(winword|excel|powerpnt|outlook|onenote|msaccess|acrord32|acrobat)\\.exe.*", 1, 0)
| eval is_service_spawn = if(ParentImage matches "(?i).*(svchost|taskeng|taskhostw|services|wmiprvse)\\.exe.*", 1, 0)
| eval suspicion_score = is_encoded + is_office_parent + is_service_spawn
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, DestinationHostname, DestinationIp, DestinationPort, is_encoded, is_office_parent, is_service_spawn, suspicion_score
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Sysmon for Windows (EventCode 3) Windows Event Log via Sumo Logic Collector

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Continuous integration runners executing under system accounts where Node.js or Python scripts resolve packages or call build APIs hosted on GitHub raw content or googleapis.com
Endpoint management or RMM agents that spawn cmd.exe or PowerShell to periodically poll SaaS status endpoints or pull configurations from SharePoint or Notion
Developer workstations where interactive use of curl.exe or wget.exe is common for testing webhook endpoints against Discord, Reddit, or Trello APIs

Google Chronicle / SecOps

yaral

rule t1102_003_one_way_c2_web_service {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects one-way C2 communication via legitimate web services initiated by suspicious LOLBin or scripting processes (MITRE ATT&CK T1102.003)"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1102.003"
    severity = "HIGH"
    priority = "HIGH"
    false_positives = "Developer tooling, IT automation scripts, CI/CD pipelines accessing public APIs"
    version = "1.0"

  events:
    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.principal.process.file.full_path = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|curl\.exe|wget\.exe|bitsadmin\.exe|msiexec\.exe|python\.exe|python3\.exe|ruby\.exe|node\.exe|wmic\.exe|msbuild\.exe)$/
    $net.target.hostname = /(?i)(twitter\.com|x\.com|github\.com|githubusercontent\.com|gitlab\.com|telegram\.org|t\.me|pastebin\.com|paste\.ee|hastebin\.com|discord\.com|discordapp\.com|googleapis\.com|sharepoint\.com|onedrive\.live\.com|reddit\.com|redd\.it|notion\.so|trello\.com|digitalpoint\.com)/
    $net.principal.hostname = $hostname

  match:
    $hostname over 5m

  outcome:
    $process_name = array_distinct($net.principal.process.file.full_path)
    $dest_domain = array_distinct($net.target.hostname)
    $command_line = array_distinct($net.principal.process.command_line)
    $parent_process = array_distinct($net.principal.process.parent_process.file.full_path)
    $is_encoded_cmd = max(if($net.principal.process.command_line = /(?i)(-EncodedCommand|-enc\s|FromBase64String|base64)/, 1, 0))
    $is_office_parent = max(if($net.principal.process.parent_process.file.full_path = /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|onenote\.exe|msaccess\.exe|acrord32\.exe|acrobat\.exe)/, 1, 0))
    $is_service_spawn = max(if($net.principal.process.parent_process.file.full_path = /(?i)(svchost\.exe|taskeng\.exe|taskhostw\.exe|services\.exe|wmiprvse\.exe)/, 1, 0))
    $risk_score = max(if($net.principal.process.command_line = /(?i)(-EncodedCommand|-enc\s|FromBase64String|base64)/, 30, 0)) +
                  max(if($net.principal.process.parent_process.file.full_path = /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|onenote\.exe|msaccess\.exe|acrord32\.exe|acrobat\.exe)/, 40, 0)) +
                  max(if($net.principal.process.parent_process.file.full_path = /(?i)(svchost\.exe|taskeng\.exe|taskhostw\.exe|services\.exe|wmiprvse\.exe)/, 20, 0))

  condition:
    $net
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle UDM (NETWORK_CONNECTION events) Endpoint telemetry forwarded via Chronicle ingestion (Sysmon, CrowdStrike, Carbon Black)

Required Tables

UDM NETWORK_CONNECTION events

False Positives

DevOps tooling such as Terraform provisioners, Ansible playbooks, or Jenkins agents using PowerShell or Python runtimes to interact with GitHub or Google Cloud APIs during automated infrastructure pipelines
Scripted monitoring solutions that spawn node.exe or curl.exe to probe Discord webhooks or Telegram bot API endpoints for alerting pipeline health checks
Scheduled compliance or inventory scripts that use certutil.exe or msbuild.exe to fetch current policy baselines from SharePoint repositories

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "DnsRequest"
| DomainName = /(?i)(twitter\.com|x\.com|github\.com|githubusercontent\.com|gitlab\.com|telegram\.org|t\.me|pastebin\.com|paste\.ee|hastebin\.com|discord\.com|discordapp\.com|googleapis\.com|sharepoint\.com|onedrive\.live\.com|reddit\.com|redd\.it|notion\.so|trello\.com|digitalpoint\.com)/
| ContextBaseFileName = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|curl\.exe|wget\.exe|bitsadmin\.exe|msiexec\.exe|python\.exe|python3\.exe|ruby\.exe|node\.exe|wmic\.exe|msbuild\.exe)/
| IsEncodedCmd := if(ContextCommandLine = /(?i)(-EncodedCommand|-enc\s|FromBase64String|base64)/, "true", "false")
| IsOfficeParent := if(ContextParentImageFileName = /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|onenote\.exe|msaccess\.exe|acrord32\.exe|acrobat\.exe)/, "true", "false")
| IsServiceSpawn := if(ContextParentImageFileName = /(?i)(svchost\.exe|taskeng\.exe|taskhostw\.exe|services\.exe|WmiPrvSE\.exe)/, "true", "false")
| SuspicionScore := if(IsEncodedCmd = "true", 30, 0) + if(IsOfficeParent = "true", 40, 0) + if(IsServiceSpawn = "true", 20, 0)
| table([ComputerName, UserName, ContextBaseFileName, ContextCommandLine, ContextParentImageFileName, DomainName, IsEncodedCmd, IsOfficeParent, IsServiceSpawn, SuspicionScore])
| sort(field=@timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike LogScale (Humio) Falcon DNS Request Telemetry (DnsRequest events)

Required Tables

DnsRequest

False Positives

Falcon-protected developer endpoints where Python.exe or Node.exe runtimes legitimately resolve github.com, googleapis.com, or npmjs.com during software development or build tasks
Automated corporate IT tooling using PowerShell or cmd.exe to query SharePoint Online or Notion APIs as part of ITSM runbook automation under svchost.exe-spawned scheduled tasks
Threat intelligence platforms or EDR management scripts using certutil.exe or bitsadmin.exe to retrieve IOC lists or update packages from trusted hosting providers such as GitHub or Google Drive

Last updated: 2026-04-17 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1102.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

One-Way Communication

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Command and Control

Popular Detections