Detect One-Way Communication in Microsoft Sentinel
Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media (GitHub, Twitter/X, Telegram, GitLab, TechNet) to host command and control (C2) instructions. Those infected systems may send output back over a different C2 channel or return no output at all. Using common services makes it easier for adversaries to hide in expected noise, and SSL/TLS encryption from Web service providers adds an additional layer of protection.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1102 Web Service
- Sub-technique
- T1102.003 One-Way Communication
- Canonical reference
- https://attack.mitre.org/techniques/T1102/003/
KQL Detection Query
let LegitWebServices = dynamic([
"api.twitter.com", "twitter.com", "x.com", "api.x.com",
"github.com", "raw.githubusercontent.com", "gist.github.com",
"gitlab.com", "api.telegram.org", "t.me",
"pastebin.com", "paste.ee", "hastebin.com",
"technet.microsoft.com", "social.technet.microsoft.com",
"docs.google.com", "drive.google.com", "googleapis.com",
"onedrive.live.com", "sharepoint.com",
"discord.com", "discordapp.com",
"reddit.com", "redd.it",
"notion.so", "trello.com",
"digitalpoint.com"
]);
let SuspiciousProcesses = dynamic([
"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
"mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
"curl.exe", "wget.exe", "bitsadmin.exe", "msiexec.exe",
"python.exe", "python3.exe", "ruby.exe", "node.exe",
"wmic.exe", "msbuild.exe"
]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (LegitWebServices)
| where InitiatingProcessFileName has_any (SuspiciousProcesses)
| extend IsEncodedCmd = InitiatingProcessCommandLine has_any ("-EncodedCommand", "-enc ", "FromBase64String", "base64")
| extend IsScheduledOrService = InitiatingProcessParentFileName in~ ("svchost.exe", "taskeng.exe", "taskhostw.exe", "services.exe", "WmiPrvSE.exe")
| extend IsScriptingHost = InitiatingProcessFileName in~ ("wscript.exe", "cscript.exe", "mshta.exe")
| extend SuspiciousParent = InitiatingProcessParentFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe", "msaccess.exe", "acrord32.exe", "acrobat.exe")
| extend NetworkRequestCount = 1
| project Timestamp, DeviceName, AccountName,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessParentFileName, InitiatingProcessParentCommandLine,
RemoteUrl, RemoteIP, RemotePort, RemoteIPType,
IsEncodedCmd, IsScheduledOrService, IsScriptingHost, SuspiciousParent
| sort by Timestamp descDetects processes connecting to known legitimate web services (Twitter/X, GitHub, GitLab, Telegram, Pastebin, Discord, etc.) that could be used for one-way C2 communication. Flags connections from scripting engines, common LOLBins, and scripting languages. Enriches results with indicators such as encoded commands, suspicious parent processes (Office apps, PDF readers), or execution from scheduled tasks and services. This technique is characterized by the compromised system RECEIVING commands from a public web service rather than a traditional C2 server.
Data Sources
Required Tables
False Positives & Tuning
- Developers and DevOps engineers using git clients, GitHub CLI, or GitLab runners on workstations that legitimately connect to GitHub or GitLab
- IT automation tools (Ansible, Puppet, Chef) polling GitHub for configuration or playbook updates
- Software update mechanisms that fetch release notes, changelogs, or update manifests from GitHub or Google APIs
- Security tools and EDR agents that check reputation feeds or pull threat intel from public repositories
- Collaboration tools installed as services that connect to Discord, Telegram, or Slack APIs for notifications
Other platforms for T1102.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell C2 Polling via Pastebin Raw URL
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-WebRequest', 'pastebin.com/raw', 'Invoke-Expression', '-WindowStyle Hidden'. Sysmon Event ID 3: Network Connection to pastebin.com on port 443. Sysmon Event ID 22: DNS query for pastebin.com. PowerShell ScriptBlock Log Event ID 4104 with the full script content.
- Test 2Python Script Polling GitHub Raw Content for Commands
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'raw.githubusercontent.com' and urllib. Sysmon Event ID 3: Three successive network connections to raw.githubusercontent.com on port 443, approximately 30 seconds apart. Sysmon Event ID 22: DNS queries for raw.githubusercontent.com.
- Test 3Curl Silent Polling of Telegram Bot API
Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing '-s', '-o', 'api.telegram.org', 'getUpdates'. Sysmon Event ID 3: Network Connection to api.telegram.org on port 443. Sysmon Event ID 11: File creation at %TEMP%\tg_response.txt. Sysmon Event ID 22: DNS query for api.telegram.org.
- Test 4Scheduled Task Simulating Periodic Web Service C2 Poll
Expected signal: Security Event ID 4698 (Scheduled Task Created) with task name 'MicrosoftEdgeUpdateTaskMachineUA_ARGUSTEST' and command containing 'raw.githubusercontent.com'. Sysmon Event ID 1: schtasks.exe process creation. Registry event for new task in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache. On execution: Sysmon Event ID 1 for powershell.exe spawned by taskeng.exe/taskhostw.exe, Sysmon Event ID 3 for network connection to raw.githubusercontent.com.
References (10)
- https://attack.mitre.org/techniques/T1102/003/
- https://www.prevailion.com/darkwatchman-a-new-javascript-rat/
- https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html
- https://unit42.paloaltonetworks.com/gamaredon-group-russia-linked-threat-actor/
- https://blog.talosintelligence.com/lotus-blossom-sagerunex/
- https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf
- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect/
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1102.003/T1102.003.md
- https://www.mandiant.com/resources/blog/apt29-using-wellmess-malware-to-target-covid19-vaccine-development
Unlock Pro Content
Get the full detection package for T1102.003 including response playbook, investigation guide, and atomic red team tests.