Detect Web Service in Sumo Logic CSE
Adversaries may use an existing, legitimate external web service as a means for relaying data to/from a compromised system. Popular websites and cloud services such as Google Drive, OneDrive, Dropbox, Pastebin, GitHub, and Discord may act as C2 channels due to the high likelihood that hosts within a network already communicate with them. This provides cover in expected noise and takes advantage of SSL/TLS encryption offered by these providers. Use of web services also protects back-end C2 infrastructure from discovery through malware binary analysis while enabling operational resiliency through dynamic infrastructure changes.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1102 Web Service
- Canonical reference
- https://attack.mitre.org/techniques/T1102/
Sumo Detection Query
_sourceCategory=*sysmon* OR _sourceCategory=*windows/sysmon*
| where EventCode = "3"
| parse regex field=_raw "<Data Name='Image'>(?<Image>[^<]+)</Data>" nodrop
| parse regex field=_raw "<Data Name='ParentImage'>(?<ParentImage>[^<]+)</Data>" nodrop
| parse regex field=_raw "<Data Name='CommandLine'>(?<CommandLine>[^<]+)</Data>" nodrop
| parse regex field=_raw "<Data Name='ParentCommandLine'>(?<ParentCommandLine>[^<]+)</Data>" nodrop
| parse regex field=_raw "<Data Name='DestinationHostname'>(?<DestinationHostname>[^<]+)</Data>" nodrop
| parse regex field=_raw "<Data Name='DestinationIp'>(?<DestinationIp>[^<]+)</Data>" nodrop
| parse regex field=_raw "<Data Name='DestinationPort'>(?<DestinationPort>[^<]+)</Data>" nodrop
| parse regex field=_raw "<Data Name='User'>(?<User>[^<]+)</Data>" nodrop
| where DestinationHostname matches /(?i)(pastebin\.com|paste\.ee|ghostbin\.co|api\.github\.com|raw\.githubusercontent\.com|gist\.github\.com|graph\.microsoft\.com|onedrive\.live\.com|www\.googleapis\.com|drive\.google\.com|storage\.googleapis\.com|api\.dropboxapi\.com|content\.dropboxapi\.com|discord\.com|discordapp\.com|cdn\.discordapp\.com|api\.telegram\.org|slack\.com|api\.slack\.com|firebaseio\.com|firebase\.googleapis\.com|api\.notion\.so|gitee\.com|top4top\.io)/
| where !(Image matches /(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|opera\.exe|brave\.exe|OneDriveSetup\.exe|OneDrive\.exe|googledrivesync\.exe|dropbox\.exe|slack\.exe|teams\.exe|discord\.exe)/)
| if(Image matches /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)/, 1, 0) as SuspiciousProcess
| if(Image matches /(?i)(python\.exe|python3\.exe|ruby\.exe|perl\.exe|node\.exe)/, 1, 0) as ScriptingProcess
| if(ParentImage matches /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|acrobat\.exe|acrord32\.exe)/, 1, 0) as OfficeParent
| SuspiciousProcess * 3 + ScriptingProcess * 2 + OfficeParent * 4 as RiskScore
| where RiskScore > 0
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, DestinationHostname, DestinationIp, DestinationPort, SuspiciousProcess, ScriptingProcess, OfficeParent, RiskScore
| sort by RiskScore desc, _messageTime desc
Sumo Logic search query targeting Sysmon EventCode=3 (network connection) events to identify suspicious processes connecting to known web service C2 domains. Parses Sysmon XML fields inline using regex, applies process exclusions for browsers and sync clients, and calculates a risk score based on process type (suspicious utility=3pts, scripting engine=2pts, office-spawned parent=4pts). Only events with RiskScore > 0 are surfaced. Mirrors the SPL risk scoring logic.
Data Sources
Required Tables
False Positives & Tuning
- PowerShell scripts used by IT operations teams to query Microsoft Graph API for user or device management and automated reporting tasks on managed endpoints.
- Python-based monitoring agents on endpoints that push health metrics or application telemetry to Firebase, Google Cloud Monitoring, or similar cloud platforms.
- Authorized penetration testing frameworks or security tooling that contacts GitHub raw content or Pastebin as part of a known red team engagement.
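The query's parse, exclusion and risk-scoring logic, plus an allowlist of the kind the tuning notes above call for, carried through in Python over a handful of constructed Sysmon events. This is an added example, not the vendor's query or the rule author's code. One caveat it handles that the query as written does not: a Sysmon Event ID 3 record carries Image, User and the Destination* fields but not CommandLine or ParentImage, which appear only on the Event ID 1 process-creation record, so the OfficeParent term can only contribute once the two event types are joined on ProcessGuid; the example performs that join. The event XML, the ProcessGuid values, the user names, the destination IPs and the script path in ALLOWLIST are all constructed, and the domain and process lists are subsets of the query's.

```python
import re

# Regexes mirror the query's parse statements: one <Data Name='X'>...</Data> per field.
FIELDS = ["ProcessGuid", "Image", "ParentImage", "CommandLine", "User",
          "DestinationHostname", "DestinationIp", "DestinationPort"]
FIELD_RE = {f: re.compile(rf"<Data Name='{f}'>([^<]+)</Data>") for f in FIELDS}
EVENT_ID_RE = re.compile(r"<EventID>(\d+)</EventID>")

# Subsets of the query's domain and process lists, enough for the sample events below.
WEB_SERVICE_RE = re.compile(r"(?i)(pastebin\.com|paste\.ee|raw\.githubusercontent\.com|"
                            r"graph\.microsoft\.com|discord\.com|api\.telegram\.org|api\.slack\.com)")
EXCLUDED_IMAGE_RE = re.compile(r"(?i)(chrome\.exe|firefox\.exe|msedge\.exe|OneDrive\.exe|"
                               r"dropbox\.exe|slack\.exe|teams\.exe|discord\.exe)")
SUSPICIOUS_RE = re.compile(r"(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|"
                           r"rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)")
SCRIPTING_RE = re.compile(r"(?i)(python\.exe|python3\.exe|ruby\.exe|perl\.exe|node\.exe)")
OFFICE_RE = re.compile(r"(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|acrobat\.exe|acrord32\.exe)")

# Hypothetical tuning allowlist (an assumption for this example, not part of the rule):
# (destination host, documented script path) pairs for the IT-operations case in the tuning notes.
ALLOWLIST = {("graph.microsoft.com", r"C:\Scripts\IT\device-report.ps1")}


def _sysmon_xml(event_id, **data):
    """Build a constructed Sysmon event in the XML shape the query parses (sample data only)."""
    body = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in data.items())
    return (f"<Event><System><EventID>{event_id}</EventID><Computer>WS01</Computer></System>"
            f"<EventData>{body}</EventData></Event>")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    # Office-spawned PowerShell reaching pastebin.com: suspicious (3) + Office parent (4) = 7
    _sysmon_xml(1, ProcessGuid="{G1}", Image=PS, User=r"CORP\alice",
                ParentImage=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                CommandLine=r"powershell.exe -File C:\Users\alice\Downloads\invoice.ps1"),
    _sysmon_xml(3, ProcessGuid="{G1}", Image=PS, User=r"CORP\alice", DestinationHostname="pastebin.com",
                DestinationIp="203.0.113.10", DestinationPort="443"),
    # IT-ops PowerShell querying Graph: would score 3, but the allowlist suppresses it
    _sysmon_xml(1, ProcessGuid="{G2}", Image=PS, User=r"CORP\svc-itops",
                ParentImage=r"C:\Windows\System32\svchost.exe",
                CommandLine=r"powershell.exe -File C:\Scripts\IT\device-report.ps1"),
    _sysmon_xml(3, ProcessGuid="{G2}", Image=PS, User=r"CORP\svc-itops", DestinationHostname="graph.microsoft.com",
                DestinationIp="203.0.113.20", DestinationPort="443"),
    # Browser traffic to discord.com: dropped by the Image exclusion
    _sysmon_xml(3, ProcessGuid="{G3}", Image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                User=r"CORP\bob", DestinationHostname="discord.com", DestinationIp="203.0.113.30", DestinationPort="443"),
    # python.exe reaching the Telegram Bot API: scripting engine (2)
    _sysmon_xml(1, ProcessGuid="{G4}", Image=r"C:\Python311\python.exe", User=r"CORP\bob",
                ParentImage=r"C:\Windows\explorer.exe", CommandLine=r"python.exe C:\Users\bob\bot.py"),
    _sysmon_xml(3, ProcessGuid="{G4}", Image=r"C:\Python311\python.exe", User=r"CORP\bob",
                DestinationHostname="api.telegram.org", DestinationIp="203.0.113.40", DestinationPort="443"),
]


def parse_event(raw):
    """Extract EventID plus the Data fields the query parses; a missing field stays None (nodrop)."""
    m = EVENT_ID_RE.search(raw)
    ev = {"EventID": m.group(1) if m else None}
    for name, rx in FIELD_RE.items():
        fm = rx.search(raw)
        ev[name] = fm.group(1) if fm else None
    return ev


def risk_score(ev):
    """The query's weights: suspicious utility 3, scripting engine 2, Office/PDF-reader parent 4."""
    image, parent = ev.get("Image") or "", ev.get("ParentImage") or ""
    suspicious = 1 if SUSPICIOUS_RE.search(image) else 0
    scripting = 1 if SCRIPTING_RE.search(image) else 0
    office_parent = 1 if OFFICE_RE.search(parent) else 0
    return suspicious * 3 + scripting * 2 + office_parent * 4


def is_allowlisted(ev):
    """Tuning hook: suppress a documented script talking to its expected host."""
    cmd = (ev.get("CommandLine") or "").lower()
    return any(host == ev.get("DestinationHostname") and path.lower() in cmd for host, path in ALLOWLIST)


def detect(raw_events):
    """Apply the rule. Event ID 3 has no CommandLine/ParentImage, so those are taken from the
    Event ID 1 record with the same ProcessGuid; without that join OfficeParent is always 0."""
    creates = {}
    for raw in raw_events:
        ev = parse_event(raw)
        if ev["EventID"] == "1" and ev["ProcessGuid"]:
            creates[ev["ProcessGuid"]] = ev
    hits = []
    for raw in raw_events:
        ev = parse_event(raw)
        if ev["EventID"] != "3" or not WEB_SERVICE_RE.search(ev["DestinationHostname"] or ""):
            continue
        if EXCLUDED_IMAGE_RE.search(ev["Image"] or ""):
            continue  # browsers and sync clients are expected to talk to these services
        create = creates.get(ev["ProcessGuid"], {})
        ev["CommandLine"], ev["ParentImage"] = create.get("CommandLine"), create.get("ParentImage")
        ev["RiskScore"] = risk_score(ev)
        if ev["RiskScore"] > 0 and not is_allowlisted(ev):
            hits.append(ev)
    return sorted(hits, key=lambda e: e["RiskScore"], reverse=True)
```

Running `detect(SAMPLE_EVENTS)` returns two hits, the Office-spawned PowerShell to pastebin.com at score 7 and python.exe to api.telegram.org at score 2; the Graph query from the documented IT script is suppressed by the allowlist and the Chrome connection never reaches scoring. In a real deployment the ProcessGuid join is a `join` or lookup across Event ID 1 and 3 in the SIEM rather than an in-memory dict, and the allowlist should key on full image path and signed-script identity rather than a command-line substring, which an adversary can mimic.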
Other platforms for T1102
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: PowerShell Dead Drop Resolver via Pastebin
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Net.WebClient' and 'pastebin.com'. Sysmon Event ID 3: Network Connection to pastebin.com on port 443. Sysmon Event ID 22: DNS query for pastebin.com. PowerShell ScriptBlock Log Event ID 4104 with the full command.
- Test 2: Simulated OneDrive C2 Channel via Microsoft Graph API
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-RestMethod' and 'graph.microsoft.com'. Sysmon Event ID 3: Network Connection to graph.microsoft.com on port 443. Sysmon Event ID 22: DNS query for graph.microsoft.com.
- Test 3: Curl-based GitHub Raw Content Retrieval (Linux/macOS)
Expected signal: Syslog/auditd: execve syscall for curl with arguments containing raw.githubusercontent.com. Network connection to 185.199.x.x (GitHub CDN) on port 443. Linux audit log: SYSCALL record with comm=curl, SOCKADDR with dest IP. File creation at /tmp/df00tech-test-payload.txt.
- Test 4: Discord Webhook C2 Simulation
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'discord.com' and 'Invoke-RestMethod'. Sysmon Event ID 3: Network Connection to discord.com port 443. Sysmon Event ID 22: DNS query for discord.com. The request will fail with HTTP 401/404 but the network telemetry will still be generated.
- Test 5: Python-based Telegram Bot API C2 Simulation
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'api.telegram.org'. Sysmon Event ID 3: Network Connection to api.telegram.org port 443. Sysmon Event ID 22: DNS query for api.telegram.org. The request will return HTTP 401 (invalid token) but network telemetry is generated.
References (10)
- https://attack.mitre.org/techniques/T1102/
- https://www.broadcom.com/support/security-center/protection-bulletin/birdyclient-malware-leverages-microsoft-graph-api-for-c-c-communication
- https://www.welivesecurity.com/en/eset-research/evasivepanda-apt-group-uses-update-channels-of-legitimate-applications-for-cyberespionage/
- https://symantec-enterprise-blogs.security.com/threat-intelligence/daggerfly-apt-actor-macos
- https://unit42.paloaltonetworks.com/latrodectus-cybercrime-affiliate-activity/
- https://www.microsoft.com/en-us/security/blog/2021/05/28/breaking-down-nobelium-latest-early-stage-toolset/
- https://www.cybereason.com/blog/molerats-in-the-cloud-new-malware-arsenal-abuses-cloud-platforms-in-middle-east-espionage-campaign
- https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html
- https://hp.com/h20195/v2/getpdf.aspx/a00127091enw.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1102/T1102.md