T1583.006

Web Services

Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service), Exfiltration Over Web Service, or Phishing. Using common services such as those offered by Google, GitHub, Discord, Telegram, or Dropbox makes it easier for adversaries to hide in expected noise. Real-world threat actors including APT29, Turla, Earth Lusca, Mustang Panda, Lazarus Group, HAFNIUM, MuddyWater, and Contagious Interview have all leveraged legitimate web platforms to host malware, stage C2 infrastructure, or receive exfiltrated data. Because the adversary's actual registration of these accounts occurs entirely outside the victim environment, detection pivots to identifying the operational use of these platforms by suspicious processes within monitored endpoints.

Microsoft Sentinel / Defender

kusto

let WebServiceDomains = dynamic([
    "api.github.com", "raw.githubusercontent.com", "gist.githubusercontent.com", "gist.github.com",
    "api.dropboxapi.com", "content.dropboxapi.com", "www.dropbox.com",
    "www.googleapis.com", "drive.google.com", "storage.googleapis.com", "firebaseio.com", "firebase.google.com",
    "api.telegram.org",
    "discord.com", "discordapp.com", "cdn.discordapp.com", "hooks.discord.com",
    "pastebin.com", "rentry.co", "paste.ee", "hastebin.com",
    "trycloudflare.com", "workers.dev",
    "notion.so", "api.notion.com",
    "graph.microsoft.com", "onedrive.live.com",
    "terabox.com", "sync.com", "onehub.com",
    "filemail.com", "file.io"
]);
let SuspiciousInitiators = dynamic([
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
    "certutil.exe", "bitsadmin.exe", "curl.exe",
    "python.exe", "pythonw.exe", "python3.exe",
    "java.exe", "javaw.exe",
    "msbuild.exe", "installutil.exe", "csc.exe"
]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (SuspiciousInitiators)
| where RemoteUrl has_any (WebServiceDomains)
| extend IsPayloadRetrieve = RemoteUrl has_any ("raw.githubusercontent.com", "gist.githubusercontent.com", "pastebin.com", "rentry.co", "paste.ee", "hastebin.com")
| extend IsC2Channel = RemoteUrl has_any ("api.telegram.org", "discord.com", "discordapp.com", "hooks.discord.com", "firebaseio.com", "trycloudflare.com")
| extend IsDataExfil = RemoteUrl has_any ("api.dropboxapi.com", "content.dropboxapi.com", "drive.google.com", "storage.googleapis.com", "terabox.com", "filemail.com", "onedrive.live.com")
| extend SuspicionScore = toint(IsPayloadRetrieve) + toint(IsC2Channel) + toint(IsDataExfil)
| project Timestamp, DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, InitiatingProcessParentCommandLine,
          RemoteUrl, RemoteIP, RemotePort,
          IsPayloadRetrieve, IsC2Channel, IsDataExfil, SuspicionScore
| sort by Timestamp desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Microsoft Defender for Endpoint DeviceNetworkEvents

Required Tables

DeviceNetworkEvents

False Positives

Developer workstations running build pipelines, CI runners, or git clients that call api.github.com from powershell.exe or python.exe as part of automated workflows
Security tooling and vulnerability scanners that use Python or Java to pull threat intelligence feeds from GitHub or Pastebin
Legitimate Python or Java applications using the Dropbox, Google Drive, or OneDrive SDK for authorized file sync and backup
IT automation scripts using curl.exe or PowerShell to post notifications to Teams/Discord/Slack webhooks as part of sanctioned alerting pipelines
Software installers or package managers (pip, npm, maven) fetching packages from Google Storage or Firebase CDN during first-run or updates

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
| eval proc=lower(Image)
| eval dest_host=lower(DestinationHostname)
| where match(proc, "(powershell\.exe|pwsh\.exe|cmd\.exe|mshta\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|python\.exe|pythonw\.exe|python3\.exe|java\.exe|javaw\.exe|msbuild\.exe|installutil\.exe)")
| where match(dest_host, "(api\.github\.com|raw\.githubusercontent\.com|gist\.githubusercontent\.com|api\.dropboxapi\.com|content\.dropboxapi\.com|api\.telegram\.org|discord\.com|discordapp\.com|pastebin\.com|rentry\.co|paste\.ee|hastebin\.com|firebaseio\.com|firebase\.google\.com|trycloudflare\.com|workers\.dev|notion\.so|terabox\.com|filemail\.com|storage\.googleapis\.com|drive\.google\.com)")
| eval IsPayloadRetrieve=if(match(dest_host, "(raw\.githubusercontent\.com|gist\.githubusercontent\.com|pastebin\.com|rentry\.co|paste\.ee|hastebin\.com)"), 1, 0)
| eval IsC2Channel=if(match(dest_host, "(api\.telegram\.org|discord\.com|discordapp\.com|firebaseio\.com|trycloudflare\.com|workers\.dev)"), 1, 0)
| eval IsDataExfil=if(match(dest_host, "(api\.dropboxapi\.com|content\.dropboxapi\.com|drive\.google\.com|storage\.googleapis\.com|terabox\.com|filemail\.com)"), 1, 0)
| eval SuspicionScore=IsPayloadRetrieve + IsC2Channel + IsDataExfil
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DestinationHostname, DestinationIp, DestinationPort, IsPayloadRetrieve, IsC2Channel, IsDataExfil, SuspicionScore
| sort - _time

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Developer workstations running build pipelines, CI runners, or git clients that call api.github.com from powershell.exe or python.exe as part of automated workflows
Security tooling and vulnerability scanners that use Python or Java to pull threat intelligence feeds from GitHub or Pastebin
Legitimate Python or Java applications using the Dropbox, Google Drive, or OneDrive SDK for authorized file sync and backup
IT automation scripts using curl.exe or PowerShell to post notifications to Teams/Discord/Slack webhooks as part of sanctioned alerting pipelines
Software installers or package managers (pip, npm, maven) fetching packages from Google Storage or Firebase CDN during first-run or updates

Elastic Security (EQL)

eql

network where event.type == "start" and
  process.name in~ (
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
    "certutil.exe", "bitsadmin.exe", "curl.exe",
    "python.exe", "pythonw.exe", "python3.exe",
    "java.exe", "javaw.exe",
    "msbuild.exe", "installutil.exe", "csc.exe"
  ) and
  (
    destination.domain in~ (
      "api.github.com", "raw.githubusercontent.com", "gist.githubusercontent.com",
      "gist.github.com", "api.dropboxapi.com", "content.dropboxapi.com",
      "www.dropbox.com", "www.googleapis.com", "drive.google.com",
      "storage.googleapis.com", "firebaseio.com", "firebase.google.com",
      "api.telegram.org", "discord.com", "discordapp.com",
      "cdn.discordapp.com", "hooks.discord.com", "pastebin.com",
      "rentry.co", "paste.ee", "hastebin.com", "trycloudflare.com",
      "workers.dev", "notion.so", "api.notion.com", "graph.microsoft.com",
      "onedrive.live.com", "terabox.com", "sync.com", "onehub.com",
      "filemail.com", "file.io"
    ) or
    dns.question.name in~ (
      "api.github.com", "raw.githubusercontent.com", "gist.githubusercontent.com",
      "gist.github.com", "api.dropboxapi.com", "content.dropboxapi.com",
      "www.dropbox.com", "www.googleapis.com", "drive.google.com",
      "storage.googleapis.com", "firebaseio.com", "firebase.google.com",
      "api.telegram.org", "discord.com", "discordapp.com",
      "cdn.discordapp.com", "hooks.discord.com", "pastebin.com",
      "rentry.co", "paste.ee", "hastebin.com", "trycloudflare.com",
      "workers.dev", "notion.so", "api.notion.com", "graph.microsoft.com",
      "onedrive.live.com", "terabox.com", "sync.com", "onehub.com",
      "filemail.com", "file.io"
    )
  )

high severity medium confidence

Data Sources

Elastic Security (Elastic Agent Endpoint Integration) Elastic SIEM Winlogbeat with Sysmon module Elastic Agent network telemetry

Required Tables

logs-endpoint.events.network-* winlogbeat-* logs-windows.sysmon_operational-*

False Positives

Legitimate developer workflows where PowerShell or Python scripts interact with GitHub APIs for CI/CD automation, package management (pip, npm via python), or repository cloning during sanctioned software development
IT administrators using certutil.exe, curl.exe, or bitsadmin.exe to download approved software installers or configuration files from OneDrive, Dropbox, or Google Drive as part of managed deployment processes
Security tooling and EDR agents that spawn scripting interpreters to perform telemetry uploads, signature retrievals, or configuration pulls from cloud storage endpoints controlled by the security vendor

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip AS source_ip,
  destinationip AS dest_ip,
  destinationport AS dest_port,
  username,
  "Application" AS process_name,
  "DestinationHostname" AS dest_hostname,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  CASE
    WHEN LOWER("DestinationHostname") LIKE '%raw.githubusercontent.com%'
      OR LOWER("DestinationHostname") LIKE '%gist.githubusercontent.com%'
      OR LOWER("DestinationHostname") LIKE '%pastebin.com%'
      OR LOWER("DestinationHostname") LIKE '%rentry.co%'
      OR LOWER("DestinationHostname") LIKE '%paste.ee%'
      OR LOWER("DestinationHostname") LIKE '%hastebin.com%'
    THEN 1 ELSE 0
  END AS IsPayloadRetrieve,
  CASE
    WHEN LOWER("DestinationHostname") LIKE '%api.telegram.org%'
      OR LOWER("DestinationHostname") LIKE '%discord.com%'
      OR LOWER("DestinationHostname") LIKE '%discordapp.com%'
      OR LOWER("DestinationHostname") LIKE '%firebaseio.com%'
      OR LOWER("DestinationHostname") LIKE '%trycloudflare.com%'
      OR LOWER("DestinationHostname") LIKE '%workers.dev%'
    THEN 1 ELSE 0
  END AS IsC2Channel,
  CASE
    WHEN LOWER("DestinationHostname") LIKE '%api.dropboxapi.com%'
      OR LOWER("DestinationHostname") LIKE '%content.dropboxapi.com%'
      OR LOWER("DestinationHostname") LIKE '%drive.google.com%'
      OR LOWER("DestinationHostname") LIKE '%storage.googleapis.com%'
      OR LOWER("DestinationHostname") LIKE '%terabox.com%'
      OR LOWER("DestinationHostname") LIKE '%filemail.com%'
      OR LOWER("DestinationHostname") LIKE '%onedrive.live.com%'
    THEN 1 ELSE 0
  END AS IsDataExfil
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon for Windows')
  AND eventid = 3
  AND (
    LOWER("Application") LIKE '%powershell.exe%' OR
    LOWER("Application") LIKE '%pwsh.exe%' OR
    LOWER("Application") LIKE '%cmd.exe%' OR
    LOWER("Application") LIKE '%mshta.exe%' OR
    LOWER("Application") LIKE '%wscript.exe%' OR
    LOWER("Application") LIKE '%cscript.exe%' OR
    LOWER("Application") LIKE '%rundll32.exe%' OR
    LOWER("Application") LIKE '%regsvr32.exe%' OR
    LOWER("Application") LIKE '%certutil.exe%' OR
    LOWER("Application") LIKE '%bitsadmin.exe%' OR
    LOWER("Application") LIKE '%curl.exe%' OR
    LOWER("Application") LIKE '%python.exe%' OR
    LOWER("Application") LIKE '%pythonw.exe%' OR
    LOWER("Application") LIKE '%python3.exe%' OR
    LOWER("Application") LIKE '%java.exe%' OR
    LOWER("Application") LIKE '%javaw.exe%' OR
    LOWER("Application") LIKE '%msbuild.exe%' OR
    LOWER("Application") LIKE '%installutil.exe%' OR
    LOWER("Application") LIKE '%csc.exe%'
  )
  AND (
    LOWER("DestinationHostname") LIKE '%api.github.com%' OR
    LOWER("DestinationHostname") LIKE '%raw.githubusercontent.com%' OR
    LOWER("DestinationHostname") LIKE '%gist.githubusercontent.com%' OR
    LOWER("DestinationHostname") LIKE '%api.dropboxapi.com%' OR
    LOWER("DestinationHostname") LIKE '%content.dropboxapi.com%' OR
    LOWER("DestinationHostname") LIKE '%api.telegram.org%' OR
    LOWER("DestinationHostname") LIKE '%discord.com%' OR
    LOWER("DestinationHostname") LIKE '%discordapp.com%' OR
    LOWER("DestinationHostname") LIKE '%pastebin.com%' OR
    LOWER("DestinationHostname") LIKE '%rentry.co%' OR
    LOWER("DestinationHostname") LIKE '%paste.ee%' OR
    LOWER("DestinationHostname") LIKE '%hastebin.com%' OR
    LOWER("DestinationHostname") LIKE '%firebaseio.com%' OR
    LOWER("DestinationHostname") LIKE '%firebase.google.com%' OR
    LOWER("DestinationHostname") LIKE '%trycloudflare.com%' OR
    LOWER("DestinationHostname") LIKE '%workers.dev%' OR
    LOWER("DestinationHostname") LIKE '%notion.so%' OR
    LOWER("DestinationHostname") LIKE '%api.notion.com%' OR
    LOWER("DestinationHostname") LIKE '%terabox.com%' OR
    LOWER("DestinationHostname") LIKE '%filemail.com%' OR
    LOWER("DestinationHostname") LIKE '%storage.googleapis.com%' OR
    LOWER("DestinationHostname") LIKE '%drive.google.com%' OR
    LOWER("DestinationHostname") LIKE '%onedrive.live.com%' OR
    LOWER("DestinationHostname") LIKE '%graph.microsoft.com%'
  )
  AND devicetime > NOW() - 86400000
ORDER BY devicetime DESC
LAST 10000

high severity medium confidence

Data Sources

IBM QRadar SIEM Sysmon for Windows (QRadar DSM) Microsoft Windows Security Event Log DSM

Required Tables

events

False Positives

Build servers running MSBuild or csc.exe as part of .NET compilation pipelines that fetch NuGet packages or deployment artifacts from GitHub or Google Cloud Storage endpoints
Endpoint management agents that invoke PowerShell to retrieve configuration baselines or push telemetry to OneDrive, Microsoft Graph, or Google Drive as part of sanctioned MDM operations
Security orchestration runbooks using curl.exe or Python scripts to pull threat intelligence feeds or YARA rule sets hosted on GitHub or pastebin equivalents for internal enrichment pipelines

Sumo Logic CSE

sql

_sourceCategory=*sysmon* OR _sourceCategory=*windows*
| where EventID = "3"
| parse regex "(?i)Image:\\s*(?P<process_name>[^\r\n]+)" nodrop
| parse regex "(?i)CommandLine:\\s*(?P<command_line>[^\r\n]+)" nodrop
| parse regex "(?i)ParentImage:\\s*(?P<parent_image>[^\r\n]+)" nodrop
| parse regex "(?i)ParentCommandLine:\\s*(?P<parent_command_line>[^\r\n]+)" nodrop
| parse regex "(?i)DestinationHostname:\\s*(?P<dest_hostname>[^\r\n]+)" nodrop
| parse regex "(?i)DestinationIp:\\s*(?P<dest_ip>[^\r\n]+)" nodrop
| parse regex "(?i)DestinationPort:\\s*(?P<dest_port>[^\r\n]+)" nodrop
| parse regex "(?i)User:\\s*(?P<username>[^\r\n]+)" nodrop
| where process_name matches /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|mshta\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|python\.exe|pythonw\.exe|python3\.exe|java\.exe|javaw\.exe|msbuild\.exe|installutil\.exe|csc\.exe)/
| where dest_hostname matches /(?i)(api\.github\.com|raw\.githubusercontent\.com|gist\.githubusercontent\.com|gist\.github\.com|api\.dropboxapi\.com|content\.dropboxapi\.com|www\.dropbox\.com|www\.googleapis\.com|drive\.google\.com|storage\.googleapis\.com|firebaseio\.com|firebase\.google\.com|api\.telegram\.org|discord\.com|discordapp\.com|cdn\.discordapp\.com|hooks\.discord\.com|pastebin\.com|rentry\.co|paste\.ee|hastebin\.com|trycloudflare\.com|workers\.dev|notion\.so|api\.notion\.com|graph\.microsoft\.com|onedrive\.live\.com|terabox\.com|sync\.com|filemail\.com|file\.io)/
| if(dest_hostname matches /(?i)(raw\.githubusercontent\.com|gist\.githubusercontent\.com|pastebin\.com|rentry\.co|paste\.ee|hastebin\.com)/, 1, 0) as IsPayloadRetrieve
| if(dest_hostname matches /(?i)(api\.telegram\.org|discord\.com|discordapp\.com|firebaseio\.com|trycloudflare\.com|workers\.dev)/, 1, 0) as IsC2Channel
| if(dest_hostname matches /(?i)(api\.dropboxapi\.com|content\.dropboxapi\.com|drive\.google\.com|storage\.googleapis\.com|terabox\.com|filemail\.com|onedrive\.live\.com)/, 1, 0) as IsDataExfil
| (IsPayloadRetrieve + IsC2Channel + IsDataExfil) as SuspicionScore
| fields _messageTime, _sourceHost, username, process_name, command_line, parent_image, parent_command_line, dest_hostname, dest_ip, dest_port, IsPayloadRetrieve, IsC2Channel, IsDataExfil, SuspicionScore
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise (CSE) Sumo Logic Installed Collector (Windows) Sysmon for Windows operational logs

Required Tables

Windows Sysmon Event ID 3 logs (_sourceCategory=*sysmon* or *windows*)

False Positives

CI/CD build agents running MSBuild, csc.exe, or Python that resolve GitHub, Google Cloud Storage, or Dropbox hostnames as part of package retrieval and artifact publishing during sanctioned pipelines
Productivity applications (e.g., VS Code, Jupyter) that launch cmd.exe or wscript.exe as child processes to sync notebooks or projects to OneDrive, Notion, or Google Drive
Corporate IT scripts using bitsadmin.exe or certutil.exe to retrieve approved software packages from filemail.com or sync.com distribution endpoints managed by the organisation's software team

Google Chronicle / SecOps

yaral

rule t1583_006_web_services_suspicious_process_network {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects LOLBin or scripting interpreter processes making outbound network connections to web service platforms commonly abused for C2, payload staging, or data exfiltration (T1583.006). Covers threat actors including APT29, Lazarus Group, MuddyWater, HAFNIUM, Turla, and Contagious Interview."
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1583.006"
    mitre_attack_technique_name = "Acquire Infrastructure: Web Services"
    severity = "HIGH"
    confidence = "MEDIUM"
    platform = "Windows"
    reference = "https://attack.mitre.org/techniques/T1583/006/"
    version = "1.0"

  events:
    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.principal.process.file.full_path != ""
    re.regex($net.principal.process.file.full_path,
      `(?i)(\\|/)+(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin|curl|python[w3]?|javaw?|msbuild|installutil|csc)\.exe$`)
    re.regex($net.target.hostname,
      `(?i)^(api\.github\.com|raw\.githubusercontent\.com|gist\.githubusercontent\.com|gist\.github\.com|api\.dropboxapi\.com|content\.dropboxapi\.com|www\.dropbox\.com|www\.googleapis\.com|drive\.google\.com|storage\.googleapis\.com|firebaseio\.com|firebase\.google\.com|api\.telegram\.org|discord\.com|discordapp\.com|cdn\.discordapp\.com|hooks\.discord\.com|pastebin\.com|rentry\.co|paste\.ee|hastebin\.com|trycloudflare\.com|workers\.dev|notion\.so|api\.notion\.com|graph\.microsoft\.com|onedrive\.live\.com|terabox\.com|sync\.com|onehub\.com|filemail\.com|file\.io)$`)

  condition:
    $net
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) Google Cloud Security Command Center (SCC) Endpoint Detection and Response (EDR) telemetry forwarded to Chronicle

Required Tables

UDM NETWORK_CONNECTION events

False Positives

Automated software packaging pipelines where MSBuild or Python interpreters resolve GitHub API or Google Cloud Storage hostnames to retrieve build dependencies, signing certificates, or release artifacts
DevOps engineers running PowerShell or cmd.exe scripts to interact with the Microsoft Graph API or OneDrive as part of approved SharePoint/M365 automation workflows
Security operations tooling that uses Java or Python to contact Firebase or Cloudflare Workers endpoints managed by the organisation's own threat intelligence or SOAR platform infrastructure

CrowdStrike LogScale (CQL)

cql

#event_simpleName=DnsRequest
| ContextBaseFileName = /(?i)^(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin|curl|python[w3]?|javaw?|msbuild|installutil|csc)\.exe$/
| DomainName = /(?i)(api\.github\.com|raw\.githubusercontent\.com|gist\.githubusercontent\.com|gist\.github\.com|api\.dropboxapi\.com|content\.dropboxapi\.com|www\.dropbox\.com|www\.googleapis\.com|drive\.google\.com|storage\.googleapis\.com|firebaseio\.com|firebase\.google\.com|api\.telegram\.org|discord\.com|discordapp\.com|cdn\.discordapp\.com|hooks\.discord\.com|pastebin\.com|rentry\.co|paste\.ee|hastebin\.com|trycloudflare\.com|workers\.dev|notion\.so|api\.notion\.com|graph\.microsoft\.com|onedrive\.live\.com|terabox\.com|sync\.com|filemail\.com|file\.io)/
| IsPayloadRetrieve := if(DomainName = /(?i)(raw\.githubusercontent\.com|gist\.githubusercontent\.com|pastebin\.com|rentry\.co|paste\.ee|hastebin\.com)/, then="1", else="0")
| IsC2Channel := if(DomainName = /(?i)(api\.telegram\.org|discord\.com|discordapp\.com|firebaseio\.com|trycloudflare\.com|workers\.dev)/, then="1", else="0")
| IsDataExfil := if(DomainName = /(?i)(api\.dropboxapi\.com|content\.dropboxapi\.com|drive\.google\.com|storage\.googleapis\.com|terabox\.com|filemail\.com|onedrive\.live\.com)/, then="1", else="0")
| SuspicionScore := parseFloat(IsPayloadRetrieve) + parseFloat(IsC2Channel) + parseFloat(IsDataExfil)
| select([@timestamp, ComputerName, UserName, ContextBaseFileName, CommandLine, ParentBaseFileName, ParentCommandLine, DomainName, IsPayloadRetrieve, IsC2Channel, IsDataExfil, SuspicionScore])
| sort(field=@timestamp, order=desc, limit=1000)

high severity medium confidence

Data Sources

CrowdStrike Falcon LogScale (SIEM) Falcon Endpoint Protection (EDR) — DnsRequest event stream Falcon Endpoint Protection (EDR) — ProcessRollup2 event stream

Required Tables

DnsRequest ProcessRollup2

False Positives

Developer endpoints running PowerShell ISE, Python IDEs, or Java-based build tools that generate DNS lookups to GitHub, Google APIs, Firebase, or Notion as part of normal software development and collaboration activities
Enterprise software distribution or patch management systems using cmd.exe or msbuild.exe to resolve and retrieve application packages from OneDrive, Google Drive, or Dropbox distribution endpoints authorised by the IT team
Automated testing and QA frameworks that invoke curl.exe or Java test runners to contact cloud-based test result reporting services, coverage platforms, or artifact repositories sharing infrastructure with monitored domains

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1583.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1583Acquire Infrastructure

Related Sub-techniques

T1583.001Domains T1583.002DNS Server T1583.003Virtual Private Server T1583.004Server T1583.005Botnet T1583.007Serverless T1583.008Malvertising

Web Services

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections