T1102 IBM QRadar · QRadar

Detect Web Service in IBM QRadar

Adversaries may use an existing, legitimate external web service as a means for relaying data to/from a compromised system. Popular websites and cloud services such as Google Drive, OneDrive, Dropbox, Pastebin, GitHub, and Discord may act as C2 channels due to the high likelihood that hosts within a network already communicate with them. This provides cover in expected noise and takes advantage of SSL/TLS encryption offered by these providers. Use of web services also protects back-end C2 infrastructure from discovery through malware binary analysis while enabling operational resiliency through dynamic infrastructure changes.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1102 Web Service
Canonical reference
https://attack.mitre.org/techniques/T1102/

QRadar Detection Query

AQL (IBM QRadar):

```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip,
  destinationip,
  destinationhostname,
  destinationport,
  username,
  "ProcessName",
  "CommandLine",
  "ParentProcessName"
FROM events
WHERE
  LOGSOURCENAME(logsourceid) LIKE '%Sysmon%'
  AND QIDNAME(qid) LIKE '%Network connection%'
  AND (
    LOWER(destinationhostname) LIKE '%pastebin.com%' OR
    LOWER(destinationhostname) LIKE '%paste.ee%' OR
    LOWER(destinationhostname) LIKE '%ghostbin.co%' OR
    LOWER(destinationhostname) LIKE '%api.github.com%' OR
    LOWER(destinationhostname) LIKE '%raw.githubusercontent.com%' OR
    LOWER(destinationhostname) LIKE '%gist.github.com%' OR
    LOWER(destinationhostname) LIKE '%graph.microsoft.com%' OR
    LOWER(destinationhostname) LIKE '%onedrive.live.com%' OR
    LOWER(destinationhostname) LIKE '%googleapis.com%' OR
    LOWER(destinationhostname) LIKE '%drive.google.com%' OR
    LOWER(destinationhostname) LIKE '%api.dropboxapi.com%' OR
    LOWER(destinationhostname) LIKE '%discord.com%' OR
    LOWER(destinationhostname) LIKE '%discordapp.com%' OR
    LOWER(destinationhostname) LIKE '%api.telegram.org%' OR
    LOWER(destinationhostname) LIKE '%slack.com%' OR
    LOWER(destinationhostname) LIKE '%firebaseio.com%' OR
    LOWER(destinationhostname) LIKE '%firebase.googleapis.com%' OR
    LOWER(destinationhostname) LIKE '%api.notion.so%' OR
    LOWER(destinationhostname) LIKE '%gitee.com%' OR
    LOWER(destinationhostname) LIKE '%top4top.io%'
  )
  AND LOWER("ProcessName") NOT LIKE '%chrome.exe%'
  AND LOWER("ProcessName") NOT LIKE '%firefox.exe%'
  AND LOWER("ProcessName") NOT LIKE '%msedge.exe%'
  AND LOWER("ProcessName") NOT LIKE '%iexplore.exe%'
  AND LOWER("ProcessName") NOT LIKE '%opera.exe%'
  AND LOWER("ProcessName") NOT LIKE '%brave.exe%'
  AND LOWER("ProcessName") NOT LIKE '%onedrive.exe%'
  AND LOWER("ProcessName") NOT LIKE '%googledrivesync.exe%'
  AND LOWER("ProcessName") NOT LIKE '%dropbox.exe%'
  AND LOWER("ProcessName") NOT LIKE '%slack.exe%'
  AND LOWER("ProcessName") NOT LIKE '%teams.exe%'
  AND LOWER("ProcessName") NOT LIKE '%discord.exe%'
  AND (
    LOWER("ProcessName") LIKE '%powershell.exe%' OR
    LOWER("ProcessName") LIKE '%pwsh.exe%' OR
    LOWER("ProcessName") LIKE '%cmd.exe%' OR
    LOWER("ProcessName") LIKE '%wscript.exe%' OR
    LOWER("ProcessName") LIKE '%cscript.exe%' OR
    LOWER("ProcessName") LIKE '%mshta.exe%' OR
    LOWER("ProcessName") LIKE '%rundll32.exe%' OR
    LOWER("ProcessName") LIKE '%regsvr32.exe%' OR
    LOWER("ProcessName") LIKE '%certutil.exe%' OR
    LOWER("ProcessName") LIKE '%bitsadmin.exe%' OR
    LOWER("ProcessName") LIKE '%curl.exe%' OR
    LOWER("ProcessName") LIKE '%wget.exe%' OR
    LOWER("ProcessName") LIKE '%python.exe%' OR
    LOWER("ProcessName") LIKE '%python3.exe%' OR
    LOWER("ProcessName") LIKE '%ruby.exe%' OR
    LOWER("ProcessName") LIKE '%perl.exe%' OR
    LOWER("ProcessName") LIKE '%node.exe%' OR
    LOWER("ParentProcessName") LIKE '%winword.exe%' OR
    LOWER("ParentProcessName") LIKE '%excel.exe%' OR
    LOWER("ParentProcessName") LIKE '%powerpnt.exe%' OR
    LOWER("ParentProcessName") LIKE '%outlook.exe%' OR
    LOWER("ParentProcessName") LIKE '%acrobat.exe%' OR
    LOWER("ParentProcessName") LIKE '%acrord32.exe%'
  )
ORDER BY starttime DESC
LAST 24 HOURS
```

Severity: high. Confidence: medium.

QRadar AQL query detecting non-browser processes making outbound connections to web service domains commonly abused for C2 communications. Targets Sysmon network connection (EventCode=3) events enriched with process context via custom DSM properties. Excludes known legitimate sync clients and browsers while targeting scripting engines, system utilities, and Office-spawned processes. Note: ProcessName, ParentProcessName, and CommandLine are custom properties that must be extracted from Sysmon XML via a QRadar DSM extension or ALE rule.
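The rule above relies on ParentProcessName being present on the network-connection event, but a Sysmon Event ID 3 record natively carries only Image and ProcessGuid, not the parent; the parent has to come from the matching Event ID 1 record. The following is an added example, not code from the page or from IBM, that mirrors the rule's WHERE clause in Python over constructed Sysmon records, performs that ProcessGuid join, and exposes an `allowlist` hook for the tuning cases listed below. Domain and process lists are trimmed to a representative subset of the query's own values.

```python
from typing import Dict, List, Tuple

# Representative subsets of the AQL rule's lists (assumption: same semantics as the rule).
WEB_SERVICE_DOMAINS = ("pastebin.com", "raw.githubusercontent.com", "graph.microsoft.com",
                       "discord.com", "api.telegram.org", "api.dropboxapi.com")
BROWSERS_AND_SYNC_CLIENTS = ("chrome.exe", "firefox.exe", "msedge.exe", "onedrive.exe", "dropbox.exe")
SCRIPT_ENGINES_AND_LOLBINS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe",
                              "rundll32.exe", "certutil.exe", "curl.exe", "python.exe", "node.exe")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe")

def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, the value the LIKE '%x.exe%' tests key on."""
    return path.lower().rsplit("\\", 1)[-1]

def build_process_context(events: List[dict]) -> Dict[str, Tuple[str, str]]:
    """Map ProcessGuid -> (image, parent image) from Event ID 1 records.
    This is the enrichment the DSM must supply, since Event ID 3 has no ParentImage field."""
    ctx: Dict[str, Tuple[str, str]] = {}
    for e in events:
        if e.get("EventID") == 1:
            ctx[e["ProcessGuid"]] = (_basename(e["Image"]), _basename(e.get("ParentImage", "")))
    return ctx

def matches(net_event: dict, ctx: Dict[str, Tuple[str, str]], allowlist: Tuple[str, ...] = ()) -> bool:
    """Evaluate one Sysmon Event ID 3 record against the rule's WHERE clause."""
    if net_event.get("EventID") != 3:
        return False
    host = (net_event.get("DestinationHostname") or "").lower()
    if not any(d in host for d in WEB_SERVICE_DOMAINS):
        return False
    # Fall back to the event's own Image when no Event ID 1 was seen (parent then unknown).
    image, parent = ctx.get(net_event.get("ProcessGuid"), (_basename(net_event.get("Image", "")), ""))
    if image in BROWSERS_AND_SYNC_CLIENTS or image in allowlist:
        return False  # rule's exclusions plus site-specific tuning
    return image in SCRIPT_ENGINES_AND_LOLBINS or parent in OFFICE_PARENTS

def run(events: List[dict], allowlist: Tuple[str, ...] = ()) -> List[dict]:
    ctx = build_process_context(events)
    return [e for e in events if matches(e, ctx, allowlist)]

# Constructed sample telemetry (not real logs): PowerShell to pastebin.com, an unlisted
# binary spawned by Word (matches only via the parent join), and a benign browser visit.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 3, "ProcessGuid": "{A}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationHostname": "pastebin.com", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{B}", "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\update.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"EventID": 3, "ProcessGuid": "{B}", "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\update.exe",
     "DestinationHostname": "raw.githubusercontent.com", "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "{C}", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "pastebin.com", "DestinationPort": 443},
]
```

Without the Event ID 1 join, the second case (an unlisted binary under an Office parent) would be missed entirely, which is the gap to check for when validating the DSM extension.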

Data Sources

IBM QRadar SIEM; Sysmon for Windows (via WinCollect agent or Universal DSM)

Required Tables

events (requires custom Sysmon DSM property extraction for ProcessName, CommandLine, ParentProcessName)

False Positives & Tuning

  • Administrative PowerShell scripts legitimately querying Microsoft Graph API or OneDrive for inventory, user management, or SharePoint automation on managed endpoints.
  • Developer tools (node.exe, python.exe) on developer workstations making API calls to Firebase, Google APIs, or GitHub as part of legitimate software development activity.
  • Backup or sync agents not included in the exclusion list that use curl or Python to interact with cloud storage APIs such as Dropbox or Google Drive.
Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: PowerShell Dead Drop Resolver via Pastebin

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Net.WebClient' and 'pastebin.com'. Sysmon Event ID 3: Network Connection to pastebin.com on port 443. Sysmon Event ID 22: DNS query for pastebin.com. PowerShell ScriptBlock Log Event ID 4104 with the full command.

  2. Test 2: Simulated OneDrive C2 Channel via Microsoft Graph API

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-RestMethod' and 'graph.microsoft.com'. Sysmon Event ID 3: Network Connection to graph.microsoft.com on port 443. Sysmon Event ID 22: DNS query for graph.microsoft.com.

  3. Test 3: Curl-based GitHub Raw Content Retrieval (Linux/macOS)

    Expected signal: Syslog/auditd: execve syscall for curl with arguments containing raw.githubusercontent.com. Network connection to 185.199.x.x (GitHub CDN) on port 443. Linux audit log: SYSCALL record with comm=curl, SOCKADDR with dest IP. File creation at /tmp/df00tech-test-payload.txt.

  4. Test 4: Discord Webhook C2 Simulation

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'discord.com' and 'Invoke-RestMethod'. Sysmon Event ID 3: Network Connection to discord.com port 443. Sysmon Event ID 22: DNS query for discord.com. The request will fail with HTTP 401/404 but the network telemetry will still be generated.

  5. Test 5: Python-based Telegram Bot API C2 Simulation

    Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'api.telegram.org'. Sysmon Event ID 3: Network Connection to api.telegram.org port 443. Sysmon Event ID 22: DNS query for api.telegram.org. The request will return HTTP 401 (invalid token) but network telemetry is generated.
