T1102.003 Google Chronicle · YARA-L

Detect One-Way Communication in Google Chronicle

Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media (GitHub, Twitter/X, Telegram, GitLab, TechNet) to host command and control (C2) instructions. Those infected systems may send output back over a different C2 channel or return no output at all. Using common services makes it easier for adversaries to hide in expected noise, and SSL/TLS encryption from Web service providers adds an additional layer of protection.

MITRE ATT&CK

Tactic: Command and Control
Technique: T1102 Web Service
Sub-technique: T1102.003 One-Way Communication
Canonical reference: https://attack.mitre.org/techniques/T1102/003/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1102_003_one_way_c2_web_service {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects one-way C2 communication via legitimate web services initiated by suspicious LOLBin or scripting processes (MITRE ATT&CK T1102.003)"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1102.003"
    severity = "HIGH"
    priority = "HIGH"
    false_positives = "Developer tooling, IT automation scripts, CI/CD pipelines accessing public APIs"
    version = "1.0"

  events:
    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.principal.process.file.full_path = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|curl\.exe|wget\.exe|bitsadmin\.exe|msiexec\.exe|python\.exe|python3\.exe|ruby\.exe|node\.exe|wmic\.exe|msbuild\.exe)$/
    // Anchor on a label boundary so hostnames such as netflix.com or dropbox.com do not match the x.com alternative
    $net.target.hostname = /(?i)(^|\.)(twitter\.com|x\.com|github\.com|githubusercontent\.com|gitlab\.com|telegram\.org|t\.me|pastebin\.com|paste\.ee|hastebin\.com|discord\.com|discordapp\.com|googleapis\.com|sharepoint\.com|onedrive\.live\.com|reddit\.com|redd\.it|notion\.so|trello\.com|digitalpoint\.com)$/
    $net.principal.hostname = $hostname

  match:
    $hostname over 5m

  outcome:
    $process_name = array_distinct($net.principal.process.file.full_path)
    $dest_domain = array_distinct($net.target.hostname)
    $command_line = array_distinct($net.principal.process.command_line)
    $parent_process = array_distinct($net.principal.process.parent_process.file.full_path)
    $is_encoded_cmd = max(if($net.principal.process.command_line = /(?i)(-EncodedCommand|-enc\s|FromBase64String|base64)/, 1, 0))
    $is_office_parent = max(if($net.principal.process.parent_process.file.full_path = /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|onenote\.exe|msaccess\.exe|acrord32\.exe|acrobat\.exe)/, 1, 0))
    $is_service_spawn = max(if($net.principal.process.parent_process.file.full_path = /(?i)(svchost\.exe|taskeng\.exe|taskhostw\.exe|services\.exe|wmiprvse\.exe)/, 1, 0))
    $risk_score = max(if($net.principal.process.command_line = /(?i)(-EncodedCommand|-enc\s|FromBase64String|base64)/, 30, 0)) +
                  max(if($net.principal.process.parent_process.file.full_path = /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|onenote\.exe|msaccess\.exe|acrord32\.exe|acrobat\.exe)/, 40, 0)) +
                  max(if($net.principal.process.parent_process.file.full_path = /(?i)(svchost\.exe|taskeng\.exe|taskhostw\.exe|services\.exe|wmiprvse\.exe)/, 20, 0))

  condition:
    $net
}
Severity: high. Confidence: medium.

Chronicle YARA-L 2.0 rule detecting NETWORK_CONNECTION UDM events from suspicious process executables to hostnames associated with legitimate web platforms commonly abused for T1102.003 one-way C2. Outcomes include process name, destination domain, command line, parent process, and a composite risk score weighted by encoded command use (+30), office application parent (+40), and service-spawned context (+20) to support alert prioritization.
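To make the 5-minute grouping and the composite risk score concrete, here is an added Python emulation of the rule's logic run over constructed UDM-style events (example code, not Chronicle's or the rule author's; the event field names, epoch-second timestamps and sample values are assumptions, and Python's re module stands in for Chronicle's RE2):

```python
import re
from collections import defaultdict

# Patterns mirror the YARA-L rule; the hostname list is anchored on a label boundary.
LOLBIN_RE = re.compile(r"(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|curl\.exe|wget\.exe|bitsadmin\.exe|msiexec\.exe|python\.exe|python3\.exe|ruby\.exe|node\.exe|wmic\.exe|msbuild\.exe)$")
WEBSVC_RE = re.compile(r"(?i)(^|\.)(twitter\.com|x\.com|github\.com|githubusercontent\.com|gitlab\.com|telegram\.org|t\.me|pastebin\.com|paste\.ee|hastebin\.com|discord\.com|discordapp\.com|googleapis\.com|sharepoint\.com|onedrive\.live\.com|reddit\.com|redd\.it|notion\.so|trello\.com|digitalpoint\.com)$")
ENCODED_RE = re.compile(r"(?i)(-EncodedCommand|-enc\s|FromBase64String|base64)")
OFFICE_RE = re.compile(r"(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|onenote\.exe|msaccess\.exe|acrord32\.exe|acrobat\.exe)")
SERVICE_RE = re.compile(r"(?i)(svchost\.exe|taskeng\.exe|taskhostw\.exe|services\.exe|wmiprvse\.exe)")
WINDOW = 300  # match: $hostname over 5m (assumption: ts is epoch seconds)

# Constructed sample events in a flattened UDM-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"event_type": "NETWORK_CONNECTION", "host": "WS01", "ts": 1000,
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA", "target": "pastebin.com"},
    {"event_type": "NETWORK_CONNECTION", "host": "BUILD01", "ts": 1200,
     "process": r"C:\Python311\python.exe", "parent": r"C:\jenkins\agent.exe",
     "cmdline": "python.exe deploy.py", "target": "api.github.com"},
    {"event_type": "NETWORK_CONNECTION", "host": "WS02", "ts": 1300,
     "process": r"C:\Windows\System32\curl.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "curl -s https://www.netflix.com/", "target": "www.netflix.com"},
]

def evaluate(events):
    """Filter events as the rule's events section does, group by (host, 5m bucket),
    then compute the outcome fields and the max-per-term summed risk score."""
    groups = defaultdict(list)
    for e in events:
        if e["event_type"] != "NETWORK_CONNECTION":
            continue
        if not LOLBIN_RE.search(e["process"]) or not WEBSVC_RE.search(e["target"]):
            continue
        groups[(e["host"], e["ts"] // WINDOW)].append(e)
    detections = []
    for (host, _bucket), evs in groups.items():
        enc = max(30 if ENCODED_RE.search(e["cmdline"]) else 0 for e in evs)
        office = max(40 if OFFICE_RE.search(e["parent"]) else 0 for e in evs)
        svc = max(20 if SERVICE_RE.search(e["parent"]) else 0 for e in evs)
        detections.append({
            "host": host,
            "process_name": sorted({e["process"] for e in evs}),
            "dest_domain": sorted({e["target"] for e in evs}),
            "is_encoded_cmd": int(enc > 0), "is_office_parent": int(office > 0),
            "is_service_spawn": int(svc > 0), "risk_score": enc + office + svc,
        })
    return detections
```

Running `evaluate(SAMPLE_EVENTS)` yields a score of 70 for WS01 (encoded command under an Office parent), 0 for the CI host BUILD01 (a candidate for the tuning list below), and nothing for WS02 because netflix.com does not satisfy the anchored x.com pattern.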

Data Sources

Google Chronicle SIEM
Chronicle UDM (NETWORK_CONNECTION events)
Endpoint telemetry forwarded via Chronicle ingestion (Sysmon, CrowdStrike, Carbon Black)

Required Tables

UDM NETWORK_CONNECTION events

False Positives & Tuning

  • DevOps tooling such as Terraform provisioners, Ansible playbooks, or Jenkins agents using PowerShell or Python runtimes to interact with GitHub or Google Cloud APIs during automated infrastructure pipelines
  • Scripted monitoring solutions that spawn node.exe or curl.exe to probe Discord webhooks or Telegram bot API endpoints for alerting pipeline health checks
  • Scheduled compliance or inventory scripts that use certutil.exe or msbuild.exe to fetch current policy baselines from SharePoint repositories

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: PowerShell C2 Polling via Pastebin Raw URL

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-WebRequest', 'pastebin.com/raw', 'Invoke-Expression', '-WindowStyle Hidden'. Sysmon Event ID 3: Network Connection to pastebin.com on port 443. Sysmon Event ID 22: DNS query for pastebin.com. PowerShell ScriptBlock Log Event ID 4104 with the full script content.

  2. Test 2: Python Script Polling GitHub Raw Content for Commands

    Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'raw.githubusercontent.com' and urllib. Sysmon Event ID 3: Three successive network connections to raw.githubusercontent.com on port 443, approximately 30 seconds apart. Sysmon Event ID 22: DNS queries for raw.githubusercontent.com.

  3. Test 3: Curl Silent Polling of Telegram Bot API

    Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing '-s', '-o', 'api.telegram.org', 'getUpdates'. Sysmon Event ID 3: Network Connection to api.telegram.org on port 443. Sysmon Event ID 11: File creation at %TEMP%\tg_response.txt. Sysmon Event ID 22: DNS query for api.telegram.org.

  4. Test 4: Scheduled Task Simulating Periodic Web Service C2 Poll

    Expected signal: Security Event ID 4698 (Scheduled Task Created) with task name 'MicrosoftEdgeUpdateTaskMachineUA_ARGUSTEST' and command containing 'raw.githubusercontent.com'. Sysmon Event ID 1: schtasks.exe process creation. Registry event for new task in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache. On execution: Sysmon Event ID 1 for powershell.exe spawned by taskeng.exe/taskhostw.exe, Sysmon Event ID 3 for network connection to raw.githubusercontent.com.
