T1583.006 CrowdStrike LogScale · LogScale

Detect Web Services in CrowdStrike LogScale

Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service), Exfiltration Over Web Service, or Phishing. Using common services such as those offered by Google, GitHub, Discord, Telegram, or Dropbox makes it easier for adversaries to hide in expected noise. Real-world threat actors including APT29, Turla, Earth Lusca, Mustang Panda, Lazarus Group, HAFNIUM, MuddyWater, and Contagious Interview have all leveraged legitimate web platforms to host malware, stage C2 infrastructure, or receive exfiltrated data. Because the adversary's actual registration of these accounts occurs entirely outside the victim environment, detection pivots to identifying the operational use of these platforms by suspicious processes within monitored endpoints.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1583 Acquire Infrastructure
Sub-technique
T1583.006 Web Services
Canonical reference
https://attack.mitre.org/techniques/T1583/006/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=DnsRequest
| ContextBaseFileName = /(?i)^(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin|curl|python[w3]?|javaw?|msbuild|installutil|csc)\.exe$/
| DomainName = /(?i)(api\.github\.com|raw\.githubusercontent\.com|gist\.githubusercontent\.com|gist\.github\.com|api\.dropboxapi\.com|content\.dropboxapi\.com|www\.dropbox\.com|www\.googleapis\.com|drive\.google\.com|storage\.googleapis\.com|firebaseio\.com|firebase\.google\.com|api\.telegram\.org|discord\.com|discordapp\.com|cdn\.discordapp\.com|hooks\.discord\.com|pastebin\.com|rentry\.co|paste\.ee|hastebin\.com|trycloudflare\.com|workers\.dev|notion\.so|api\.notion\.com|graph\.microsoft\.com|onedrive\.live\.com|terabox\.com|sync\.com|filemail\.com|file\.io)/
| IsPayloadRetrieve := if(DomainName = /(?i)(raw\.githubusercontent\.com|gist\.githubusercontent\.com|pastebin\.com|rentry\.co|paste\.ee|hastebin\.com)/, then="1", else="0")
| IsC2Channel := if(DomainName = /(?i)(api\.telegram\.org|discord\.com|discordapp\.com|firebaseio\.com|trycloudflare\.com|workers\.dev)/, then="1", else="0")
| IsDataExfil := if(DomainName = /(?i)(api\.dropboxapi\.com|content\.dropboxapi\.com|drive\.google\.com|storage\.googleapis\.com|terabox\.com|filemail\.com|onedrive\.live\.com)/, then="1", else="0")
| SuspicionScore := parseFloat(IsPayloadRetrieve) + parseFloat(IsC2Channel) + parseFloat(IsDataExfil)
| select([@timestamp, ComputerName, UserName, ContextBaseFileName, CommandLine, ParentBaseFileName, ParentCommandLine, DomainName, IsPayloadRetrieve, IsC2Channel, IsDataExfil, SuspicionScore])
| sort(field=@timestamp, order=desc, limit=1000)
high severity medium confidence

CrowdStrike Falcon LogScale query hunting DnsRequest telemetry events where the requesting process matches a LOLBin or scripting interpreter and the resolved domain belongs to the set of web service platforms commonly weaponized for T1583.006 operations. DNS-layer detection provides earlier visibility than network connection events alone and complements NetworkConnectIP4 telemetry for cases where destinations are reached by IP rather than hostname. Suspicion scoring mirrors the reference KQL/SPL detections for consistent analyst triage across platforms.

Data Sources

CrowdStrike Falcon LogScale (SIEM)Falcon Endpoint Protection (EDR) — DnsRequest event streamFalcon Endpoint Protection (EDR) — ProcessRollup2 event stream

Required Tables

DnsRequestProcessRollup2

False Positives & Tuning

  • Developer endpoints running PowerShell ISE, Python IDEs, or Java-based build tools that generate DNS lookups to GitHub, Google APIs, Firebase, or Notion as part of normal software development and collaboration activities
  • Enterprise software distribution or patch management systems using cmd.exe or msbuild.exe to resolve and retrieve application packages from OneDrive, Google Drive, or Dropbox distribution endpoints authorised by the IT team
  • Automated testing and QA frameworks that invoke curl.exe or Java test runners to contact cloud-based test result reporting services, coverage platforms, or artifact repositories sharing infrastructure with monitored domains
Download portable Sigma rule (.yml)

Other platforms for T1583.006

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Payload Retrieval from GitHub Raw Content

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Net.WebClient' and 'raw.githubusercontent.com'. Sysmon Event ID 3: Network Connection to raw.githubusercontent.com:443. Sysmon Event ID 22: DNS Query for raw.githubusercontent.com from powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with the full script. DeviceNetworkEvents in MDE will show RemoteUrl matching raw.githubusercontent.com.

  2. Test 2Data Exfiltration Simulation to Dropbox API via curl

    Expected signal: Sysmon Event ID 3: Network Connection from curl.exe to content.dropboxapi.com:443. Sysmon Event ID 22: DNS Query for content.dropboxapi.com from curl.exe. Sysmon Event ID 11: File Create for the temp file. DeviceNetworkEvents in MDE will show InitiatingProcessFileName=curl.exe, RemoteUrl matching content.dropboxapi.com. The HTTP response will be 401, but the connection event is logged regardless.

  3. Test 3Telegram Bot API C2 Polling Simulation

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'api.telegram.org' and 'getUpdates'. Sysmon Event ID 3: Network Connection from powershell.exe to api.telegram.org:443. Sysmon Event ID 22: DNS Query for api.telegram.org from powershell.exe. PowerShell ScriptBlock Log Event ID 4104 capturing the Invoke-RestMethod call. DeviceNetworkEvents in MDE shows RemoteUrl matching api.telegram.org.

  4. Test 4Multi-Stage Web Service Abuse — Payload Retrieval Then C2 Check-In

    Expected signal: Sysmon Event ID 1: Single powershell.exe process with long command line containing both pastebin.com and discord.com references. Sysmon Event ID 3: Two network connection events — one to pastebin.com:443, one to discord.com:443. Sysmon Event ID 22: Two DNS queries — pastebin.com and discord.com — both initiated by powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with the full script. DeviceNetworkEvents in MDE shows two entries with RemoteUrl matching pastebin.com and discord.com respectively.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1583.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1583Acquire Infrastructure

Related Sub-techniques

T1583.001DomainsT1583.002DNS ServerT1583.003Virtual Private ServerT1583.004ServerT1583.005BotnetT1583.007ServerlessT1583.008Malvertising

Related Techniques

T1102Web ServiceT1102.001Dead Drop ResolverT1102.002Bidirectional CommunicationT1567Exfiltration Over Web ServiceT1567.002Exfiltration to Cloud StorageT1566.002Spearphishing LinkT1583.007ServerlessT1105Ingress Tool TransferT1027.010Command ObfuscationT1204.001Malicious LinkT1136.001Local Account

Same Tactic: Resource Development

Popular Detections