Detect Web Services in IBM QRadar
Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service), Exfiltration Over Web Service, or Phishing. Using common services such as those offered by Google, GitHub, Discord, Telegram, or Dropbox makes it easier for adversaries to hide in expected noise. Real-world threat actors including APT29, Turla, Earth Lusca, Mustang Panda, Lazarus Group, HAFNIUM, MuddyWater, and Contagious Interview have all leveraged legitimate web platforms to host malware, stage C2 infrastructure, or receive exfiltrated data. Because the adversary's actual registration of these accounts occurs entirely outside the victim environment, detection pivots to identifying the operational use of these platforms by suspicious processes within monitored endpoints.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1583 Acquire Infrastructure
- Sub-technique: T1583.006 Web Services
- Canonical reference: https://attack.mitre.org/techniques/T1583/006/
QRadar Detection Query
```sql
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    LOGSOURCENAME(logsourceid) AS log_source,
    sourceip AS source_ip,
    destinationip AS dest_ip,
    destinationport AS dest_port,
    username,
    "Application" AS process_name,
    "DestinationHostname" AS dest_hostname,
    "CommandLine" AS command_line,
    "ParentImage" AS parent_image,
    -- Category 1: paste sites and raw-content hosts used to stage payloads
    CASE
        WHEN LOWER("DestinationHostname") LIKE '%raw.githubusercontent.com%'
          OR LOWER("DestinationHostname") LIKE '%gist.githubusercontent.com%'
          OR LOWER("DestinationHostname") LIKE '%pastebin.com%'
          OR LOWER("DestinationHostname") LIKE '%rentry.co%'
          OR LOWER("DestinationHostname") LIKE '%paste.ee%'
          OR LOWER("DestinationHostname") LIKE '%hastebin.com%'
        THEN 1 ELSE 0
    END AS IsPayloadRetrieve,
    -- Category 2: messaging, serverless and tunnelling platforms used as C2 channels
    CASE
        WHEN LOWER("DestinationHostname") LIKE '%api.telegram.org%'
          OR LOWER("DestinationHostname") LIKE '%discord.com%'
          OR LOWER("DestinationHostname") LIKE '%discordapp.com%'
          OR LOWER("DestinationHostname") LIKE '%firebaseio.com%'
          OR LOWER("DestinationHostname") LIKE '%trycloudflare.com%'
          OR LOWER("DestinationHostname") LIKE '%workers.dev%'
        THEN 1 ELSE 0
    END AS IsC2Channel,
    -- Category 3: cloud storage and file-transfer services used for exfiltration
    CASE
        WHEN LOWER("DestinationHostname") LIKE '%api.dropboxapi.com%'
          OR LOWER("DestinationHostname") LIKE '%content.dropboxapi.com%'
          OR LOWER("DestinationHostname") LIKE '%drive.google.com%'
          OR LOWER("DestinationHostname") LIKE '%storage.googleapis.com%'
          OR LOWER("DestinationHostname") LIKE '%terabox.com%'
          OR LOWER("DestinationHostname") LIKE '%filemail.com%'
          OR LOWER("DestinationHostname") LIKE '%onedrive.live.com%'
        THEN 1 ELSE 0
    END AS IsDataExfil
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon for Windows')
  AND eventid = 3
  -- Initiating process is a LOLBin, scripting interpreter or build tool
  AND (
        LOWER("Application") LIKE '%powershell.exe%' OR
        LOWER("Application") LIKE '%pwsh.exe%' OR
        LOWER("Application") LIKE '%cmd.exe%' OR
        LOWER("Application") LIKE '%mshta.exe%' OR
        LOWER("Application") LIKE '%wscript.exe%' OR
        LOWER("Application") LIKE '%cscript.exe%' OR
        LOWER("Application") LIKE '%rundll32.exe%' OR
        LOWER("Application") LIKE '%regsvr32.exe%' OR
        LOWER("Application") LIKE '%certutil.exe%' OR
        LOWER("Application") LIKE '%bitsadmin.exe%' OR
        LOWER("Application") LIKE '%curl.exe%' OR
        LOWER("Application") LIKE '%python.exe%' OR
        LOWER("Application") LIKE '%pythonw.exe%' OR
        LOWER("Application") LIKE '%python3.exe%' OR
        LOWER("Application") LIKE '%java.exe%' OR
        LOWER("Application") LIKE '%javaw.exe%' OR
        LOWER("Application") LIKE '%msbuild.exe%' OR
        LOWER("Application") LIKE '%installutil.exe%' OR
        LOWER("Application") LIKE '%csc.exe%'
  )
  -- Destination is a web service platform commonly abused for staging, C2 or exfiltration
  AND (
        LOWER("DestinationHostname") LIKE '%api.github.com%' OR
        LOWER("DestinationHostname") LIKE '%raw.githubusercontent.com%' OR
        LOWER("DestinationHostname") LIKE '%gist.githubusercontent.com%' OR
        LOWER("DestinationHostname") LIKE '%api.dropboxapi.com%' OR
        LOWER("DestinationHostname") LIKE '%content.dropboxapi.com%' OR
        LOWER("DestinationHostname") LIKE '%api.telegram.org%' OR
        LOWER("DestinationHostname") LIKE '%discord.com%' OR
        LOWER("DestinationHostname") LIKE '%discordapp.com%' OR
        LOWER("DestinationHostname") LIKE '%pastebin.com%' OR
        LOWER("DestinationHostname") LIKE '%rentry.co%' OR
        LOWER("DestinationHostname") LIKE '%paste.ee%' OR
        LOWER("DestinationHostname") LIKE '%hastebin.com%' OR
        LOWER("DestinationHostname") LIKE '%firebaseio.com%' OR
        LOWER("DestinationHostname") LIKE '%firebase.google.com%' OR
        LOWER("DestinationHostname") LIKE '%trycloudflare.com%' OR
        LOWER("DestinationHostname") LIKE '%workers.dev%' OR
        LOWER("DestinationHostname") LIKE '%notion.so%' OR
        LOWER("DestinationHostname") LIKE '%api.notion.com%' OR
        LOWER("DestinationHostname") LIKE '%terabox.com%' OR
        LOWER("DestinationHostname") LIKE '%filemail.com%' OR
        LOWER("DestinationHostname") LIKE '%storage.googleapis.com%' OR
        LOWER("DestinationHostname") LIKE '%drive.google.com%' OR
        LOWER("DestinationHostname") LIKE '%onedrive.live.com%' OR
        LOWER("DestinationHostname") LIKE '%graph.microsoft.com%'
  )
  -- Last 24 hours (milliseconds)
  AND devicetime > NOW() - 86400000
ORDER BY devicetime DESC
LIMIT 10000
```

The query identifies Sysmon Event ID 3 (Network Connection) records in IBM QRadar where the initiating process matches a known LOLBin or scripting interpreter and the destination hostname resolves to a web service platform commonly weaponized for malware staging, C2, or exfiltration. The three CASE expressions replicate the suspicion-score categorisation of the reference KQL/SPL detections, so analysts can triage by category (payload retrieval, C2 channel, data exfiltration) directly in the AQL result set; hosts such as api.github.com, notion.so or graph.microsoft.com pass the WHERE filter but score 0 in every category and need manual review. Note that AQL limits the row count with LIMIT, not LAST (which is the time-range keyword), and that the LIKE '%host%' patterns match substrings, so they also hit unrelated hostnames that merely contain the listed string.
False Positives & Tuning
- Build servers running MSBuild or csc.exe as part of .NET compilation pipelines that fetch NuGet packages or deployment artifacts from GitHub or Google Cloud Storage endpoints
- Endpoint management agents that invoke PowerShell to retrieve configuration baselines or push telemetry to OneDrive, Microsoft Graph, or Google Drive as part of sanctioned MDM operations
- Security orchestration runbooks using curl.exe or Python scripts to pull threat intelligence feeds or YARA rule sets hosted on GitHub or pastebin equivalents for internal enrichment pipelines
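As an added example (not part of the original rule page), the following Python re-implements the query's WHERE filter and CASE scoring over constructed Sysmon Event ID 3 records, so the detection logic can be unit-tested offline before the AQL is deployed, and it applies a constructed build-server allowlist of the kind the tuning notes describe. The exact-basename process comparison, the suffix hostname match, `ALLOWLIST`, `SAMPLE_EVENTS` and computer names such as WS01 are assumptions of this example, not values from the page.

```python
# Process and destination lists copied from the AQL rule's WHERE and CASE clauses.
LOLBINS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "curl.exe",
    "python.exe", "pythonw.exe", "python3.exe", "java.exe", "javaw.exe",
    "msbuild.exe", "installutil.exe", "csc.exe",
}
CATEGORIES = {
    "IsPayloadRetrieve": ("raw.githubusercontent.com", "gist.githubusercontent.com",
                          "pastebin.com", "rentry.co", "paste.ee", "hastebin.com"),
    "IsC2Channel": ("api.telegram.org", "discord.com", "discordapp.com",
                    "firebaseio.com", "trycloudflare.com", "workers.dev"),
    "IsDataExfil": ("api.dropboxapi.com", "content.dropboxapi.com", "drive.google.com",
                    "storage.googleapis.com", "terabox.com", "filemail.com", "onedrive.live.com"),
}
# Hosts the WHERE clause matches but no CASE branch scores; they surface with all flags 0.
UNSCORED = ("api.github.com", "firebase.google.com", "notion.so", "api.notion.com", "graph.microsoft.com")
# Constructed tuning allowlist of (computer, image) pairs for the build-server false positive.
ALLOWLIST = {("build01", "msbuild.exe"), ("build01", "csc.exe")}

def host_matches(host, pattern):
    # Suffix match: stricter than the AQL's LIKE '%x%', which also hits unrelated names containing x.
    return host == pattern or host.endswith("." + pattern)

def classify(event):
    """Apply the rule's WHERE filter and CASE scoring to one Sysmon record; None means no hit."""
    if event.get("EventID") != 3:                                  # Network Connection only
        return None
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]     # exact basename, not substring
    host = event.get("DestinationHostname", "").lower()
    if image not in LOLBINS:
        return None
    flags = {cat: int(any(host_matches(host, p) for p in pats)) for cat, pats in CATEGORIES.items()}
    if not any(flags.values()) and not any(host_matches(host, p) for p in UNSCORED):
        return None
    if (event.get("Computer", "").lower(), image) in ALLOWLIST:    # sanctioned build pipeline
        return None
    return {"process": image, "dest": host, **flags}

def run(events):
    return [hit for hit in map(classify, events) if hit]

# Constructed Sysmon records modelled on the Testing Methodology expectations.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 3, "Computer": "WS01", "Image": PS, "DestinationHostname": "raw.githubusercontent.com"},
    {"EventID": 3, "Computer": "WS01", "Image": "C:\\Windows\\System32\\curl.exe", "DestinationHostname": "content.dropboxapi.com"},
    {"EventID": 3, "Computer": "WS02", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationHostname": "discord.com"},
    {"EventID": 3, "Computer": "BUILD01", "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "DestinationHostname": "api.github.com"},
]
```

Running `run(SAMPLE_EVENTS)` yields two hits (the PowerShell fetch scored IsPayloadRetrieve and the curl upload scored IsDataExfil); the browser connection is outside the process scope and the build server is suppressed by the allowlist.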
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: PowerShell Payload Retrieval from GitHub Raw Content
  Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Net.WebClient' and 'raw.githubusercontent.com'. Sysmon Event ID 3: Network Connection to raw.githubusercontent.com:443. Sysmon Event ID 22: DNS Query for raw.githubusercontent.com from powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with the full script. DeviceNetworkEvents in MDE will show RemoteUrl matching raw.githubusercontent.com.
- Test 2: Data Exfiltration Simulation to Dropbox API via curl
  Expected signal: Sysmon Event ID 3: Network Connection from curl.exe to content.dropboxapi.com:443. Sysmon Event ID 22: DNS Query for content.dropboxapi.com from curl.exe. Sysmon Event ID 11: File Create for the temp file. DeviceNetworkEvents in MDE will show InitiatingProcessFileName=curl.exe, RemoteUrl matching content.dropboxapi.com. The HTTP response will be 401, but the connection event is logged regardless.
- Test 3: Telegram Bot API C2 Polling Simulation
  Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'api.telegram.org' and 'getUpdates'. Sysmon Event ID 3: Network Connection from powershell.exe to api.telegram.org:443. Sysmon Event ID 22: DNS Query for api.telegram.org from powershell.exe. PowerShell ScriptBlock Log Event ID 4104 capturing the Invoke-RestMethod call. DeviceNetworkEvents in MDE shows RemoteUrl matching api.telegram.org.
- Test 4: Multi-Stage Web Service Abuse (Payload Retrieval Then C2 Check-In)
  Expected signal: Sysmon Event ID 1: Single powershell.exe process with a long command line containing both pastebin.com and discord.com references. Sysmon Event ID 3: Two network connection events, one to pastebin.com:443 and one to discord.com:443. Sysmon Event ID 22: Two DNS queries, pastebin.com and discord.com, both initiated by powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with the full script. DeviceNetworkEvents in MDE shows two entries with RemoteUrl matching pastebin.com and discord.com respectively.