Which SIEM platforms have a T1102 detection rule?

df00tech provides T1102 (Web Service) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Web Service (T1102)?

Detecting Web Service requires the following data sources: Network Traffic: Network Connection Creation, Process: Process Creation, Microsoft Defender for Endpoint.

What severity and confidence is the T1102 detection?

The T1102 detection is rated medium severity with medium confidence.

What are common false positives for T1102?

Common false positives for T1102 include: Legitimate developer tools or CI/CD pipelines making API calls to GitHub, Firebase, or Google APIs; IT management tools and monitoring agents that poll cloud APIs for configuration or telemetry upload; Custom line-of-business applications built on cloud storage APIs (OneDrive, Google Drive SDK integrations).

T1102 CrowdStrike LogScale · LogScale

Detect Web Service in CrowdStrike LogScale

Adversaries may use an existing, legitimate external web service as a means for relaying data to/from a compromised system. Popular websites and cloud services such as Google Drive, OneDrive, Dropbox, Pastebin, GitHub, and Discord may act as C2 channels due to the high likelihood that hosts within a network already communicate with them. This provides cover in expected noise and takes advantage of SSL/TLS encryption offered by these providers. Use of web services also protects back-end C2 infrastructure from discovery through malware binary analysis while enabling operational resiliency through dynamic infrastructure changes.

MITRE ATT&CK

Tactic: Command and Control
Technique: T1102 Web Service
Canonical reference: https://attack.mitre.org/techniques/T1102/

LogScale Detection Query

CrowdStrike LogScale (LogScale)

cql

#event_simpleName = DnsRequest
| DomainName = /pastebin\.com|paste\.ee|ghostbin\.co|api\.github\.com|raw\.githubusercontent\.com|gist\.github\.com|graph\.microsoft\.com|onedrive\.live\.com|api\.onedrive\.com|www\.googleapis\.com|drive\.google\.com|storage\.googleapis\.com|api\.dropboxapi\.com|content\.dropboxapi\.com|discord\.com|discordapp\.com|cdn\.discordapp\.com|api\.telegram\.org|slack\.com|api\.slack\.com|firebaseio\.com|firebase\.googleapis\.com|api\.notion\.so|gitee\.com|top4top\.io/i
| ContextBaseFileName != /chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|safari\.exe|opera\.exe|brave\.exe|OneDriveSetup\.exe|OneDrive\.exe|googledrivesync\.exe|dropbox\.exe|slack\.exe|MicrosoftTeams\.exe|Discord\.exe/i
| ContextBaseFileName = /powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe|python\.exe|python3\.exe|ruby\.exe|perl\.exe|node\.exe/i
| groupBy(
    [ComputerName, UserName, ContextBaseFileName, DomainName],
    function=[
      count(as=QueryCount),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
| sort(QueryCount, order=desc)

high severity high confidence

CrowdStrike LogScale CQL query detecting DnsRequest events from suspicious non-browser processes resolving known web service C2 domains. Filters DNS queries originating from scripting engines and system utilities (PowerShell, cmd, wscript, certutil, curl, wget, Python, Node.js, etc.) while excluding known browsers and sync clients. Groups results by host, user, process, and resolved domain to surface high-frequency or repeated lookups indicative of active C2 beacon polling. ContextBaseFileName carries the process name field in Falcon DnsRequest events.

Data Sources

CrowdStrike Falcon EDRCrowdStrike LogScale (formerly Humio)

Required Tables

Falcon telemetry stream with #event_simpleName = DnsRequest

False Positives & Tuning

PowerShell scripts used in endpoint management platforms (SCCM, Intune, Ansible) that resolve Microsoft Graph API or cloud service endpoints for configuration management or device compliance reporting.
Python-based devops tooling on build servers that resolves googleapis.com, Firebase, or npm CDN domains as part of legitimate CI/CD pipelines and dependency installation.
Node.js applications running as Windows services that legitimately resolve Slack, Discord webhook, or Firebase endpoints for operational alerting or application telemetry reporting.

Download portable Sigma rule (.yml)

Other platforms for T1102

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1PowerShell Dead Drop Resolver via Pastebin
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Net.WebClient' and 'pastebin.com'. Sysmon Event ID 3: Network Connection to pastebin.com on port 443. Sysmon Event ID 22: DNS query for pastebin.com. PowerShell ScriptBlock Log Event ID 4104 with the full command.
Test 2Simulated OneDrive C2 Channel via Microsoft Graph API
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-RestMethod' and 'graph.microsoft.com'. Sysmon Event ID 3: Network Connection to graph.microsoft.com on port 443. Sysmon Event ID 22: DNS query for graph.microsoft.com.
Test 3Curl-based GitHub Raw Content Retrieval (Linux/macOS)
Expected signal: Syslog/auditd: execve syscall for curl with arguments containing raw.githubusercontent.com. Network connection to 185.199.x.x (GitHub CDN) on port 443. Linux audit log: SYSCALL record with comm=curl, SOCKADDR with dest IP. File creation at /tmp/df00tech-test-payload.txt.
Test 4Discord Webhook C2 Simulation
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'discord.com' and 'Invoke-RestMethod'. Sysmon Event ID 3: Network Connection to discord.com port 443. Sysmon Event ID 22: DNS query for discord.com. The request will fail with HTTP 401/404 but the network telemetry will still be generated.
Test 5Python-based Telegram Bot API C2 Simulation
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'api.telegram.org'. Sysmon Event ID 3: Network Connection to api.telegram.org port 443. Sysmon Event ID 22: DNS query for api.telegram.org. The request will return HTTP 401 (invalid token) but network telemetry is generated.

Last updated: 2026-04-14 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1102 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Web Service in CrowdStrike LogScale

MITRE ATT&CK

LogScale Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1102

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (3)

Related Techniques

Same Tactic: Command and Control

Popular Detections

MITRE ATT&CK

LogScale Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1102

Testing Methodology

Unlock Pro Content

Related Detections

Sub-techniques (3)

Related Techniques

Same Tactic: Command and Control

Popular Detections

Get new detections in your inbox