Which SIEM platforms have a T1102.003 detection rule?

df00tech provides T1102.003 (One-Way Communication) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect One-Way Communication (T1102.003)?

Detecting One-Way Communication requires the following data sources: Network Traffic: Network Connection Creation, Process: Process Creation, Microsoft Defender for Endpoint.

What severity and confidence is the T1102.003 detection?

The T1102.003 detection is rated medium severity with medium confidence.

What are common false positives for T1102.003?

Common false positives for T1102.003 include: Developers and DevOps engineers using git clients, GitHub CLI, or GitLab runners on workstations that legitimately connect to GitHub or GitLab; IT automation tools (Ansible, Puppet, Chef) polling GitHub for configuration or playbook updates; Software update mechanisms that fetch release notes, changelogs, or update manifests from GitHub or Google APIs.

T1102.003 CrowdStrike LogScale · LogScale

Detect One-Way Communication in CrowdStrike LogScale

Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media (GitHub, Twitter/X, Telegram, GitLab, TechNet) to host command and control (C2) instructions. Those infected systems may send output back over a different C2 channel or return no output at all. Using common services makes it easier for adversaries to hide in expected noise, and SSL/TLS encryption from Web service providers adds an additional layer of protection.

MITRE ATT&CK

Tactic: Command and Control
Technique: T1102 Web Service
Sub-technique: T1102.003 One-Way Communication
Canonical reference: https://attack.mitre.org/techniques/T1102/003/

LogScale Detection Query

CrowdStrike LogScale (LogScale)

cql

#event_simpleName = "DnsRequest"
| DomainName = /(?i)(twitter\.com|x\.com|github\.com|githubusercontent\.com|gitlab\.com|telegram\.org|t\.me|pastebin\.com|paste\.ee|hastebin\.com|discord\.com|discordapp\.com|googleapis\.com|sharepoint\.com|onedrive\.live\.com|reddit\.com|redd\.it|notion\.so|trello\.com|digitalpoint\.com)/
| ContextBaseFileName = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|curl\.exe|wget\.exe|bitsadmin\.exe|msiexec\.exe|python\.exe|python3\.exe|ruby\.exe|node\.exe|wmic\.exe|msbuild\.exe)/
| IsEncodedCmd := if(ContextCommandLine = /(?i)(-EncodedCommand|-enc\s|FromBase64String|base64)/, "true", "false")
| IsOfficeParent := if(ContextParentImageFileName = /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|onenote\.exe|msaccess\.exe|acrord32\.exe|acrobat\.exe)/, "true", "false")
| IsServiceSpawn := if(ContextParentImageFileName = /(?i)(svchost\.exe|taskeng\.exe|taskhostw\.exe|services\.exe|WmiPrvSE\.exe)/, "true", "false")
| SuspicionScore := if(IsEncodedCmd = "true", 30, 0) + if(IsOfficeParent = "true", 40, 0) + if(IsServiceSpawn = "true", 20, 0)
| table([ComputerName, UserName, ContextBaseFileName, ContextCommandLine, ContextParentImageFileName, DomainName, IsEncodedCmd, IsOfficeParent, IsServiceSpawn, SuspicionScore])
| sort(field=@timestamp, order=desc)

high severity medium confidence

CrowdStrike LogScale CQL query using DnsRequest telemetry to detect DNS resolution of legitimate web service domains known to be abused for one-way C2 (T1102.003), filtered to events where the initiating process (ContextBaseFileName) is a LOLBin or interpreter runtime. Enriches each result with encoded command, office parent, and service spawn boolean flags plus a composite suspicion score for analyst triage.

Data Sources

CrowdStrike Falcon EDRCrowdStrike LogScale (Humio)Falcon DNS Request Telemetry (DnsRequest events)

Required Tables

DnsRequest

False Positives & Tuning

Falcon-protected developer endpoints where Python.exe or Node.exe runtimes legitimately resolve github.com, googleapis.com, or npmjs.com during software development or build tasks
Automated corporate IT tooling using PowerShell or cmd.exe to query SharePoint Online or Notion APIs as part of ITSM runbook automation under svchost.exe-spawned scheduled tasks
Threat intelligence platforms or EDR management scripts using certutil.exe or bitsadmin.exe to retrieve IOC lists or update packages from trusted hosting providers such as GitHub or Google Drive

Download portable Sigma rule (.yml)

Other platforms for T1102.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1PowerShell C2 Polling via Pastebin Raw URL
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-WebRequest', 'pastebin.com/raw', 'Invoke-Expression', '-WindowStyle Hidden'. Sysmon Event ID 3: Network Connection to pastebin.com on port 443. Sysmon Event ID 22: DNS query for pastebin.com. PowerShell ScriptBlock Log Event ID 4104 with the full script content.
Test 2Python Script Polling GitHub Raw Content for Commands
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'raw.githubusercontent.com' and urllib. Sysmon Event ID 3: Three successive network connections to raw.githubusercontent.com on port 443, approximately 30 seconds apart. Sysmon Event ID 22: DNS queries for raw.githubusercontent.com.
Test 3Curl Silent Polling of Telegram Bot API
Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing '-s', '-o', 'api.telegram.org', 'getUpdates'. Sysmon Event ID 3: Network Connection to api.telegram.org on port 443. Sysmon Event ID 11: File creation at %TEMP%\tg_response.txt. Sysmon Event ID 22: DNS query for api.telegram.org.
Test 4Scheduled Task Simulating Periodic Web Service C2 Poll
Expected signal: Security Event ID 4698 (Scheduled Task Created) with task name 'MicrosoftEdgeUpdateTaskMachineUA_ARGUSTEST' and command containing 'raw.githubusercontent.com'. Sysmon Event ID 1: schtasks.exe process creation. Registry event for new task in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache. On execution: Sysmon Event ID 1 for powershell.exe spawned by taskeng.exe/taskhostw.exe, Sysmon Event ID 3 for network connection to raw.githubusercontent.com.

Last updated: 2026-04-17 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1102.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect One-Way Communication in CrowdStrike LogScale

MITRE ATT&CK

LogScale Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1102.003

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Command and Control

Popular Detections

MITRE ATT&CK

LogScale Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1102.003

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Command and Control

Popular Detections

Get new detections in your inbox