T1584.006 Web Services Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let WebServiceDomains = dynamic([
    "github.com", "githubusercontent.com", "githubusercontents.com",
    "pastebin.com", "paste.ee", "pastecode.io", "hastebin.com",
    "dropbox.com", "dropboxusercontent.com",
    "googleapis.com", "drive.google.com", "docs.google.com",
    "discord.com", "discordapp.com",
    "sendgrid.net", "sendgrid.com",
    "hooks.slack.com",
    "notion.so"
]);
let SuspiciousCallers = dynamic([
    "powershell.exe", "pwsh.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
    "regsvr32.exe", "rundll32.exe", "msbuild.exe",
    "certutil.exe", "bitsadmin.exe",
    "curl.exe", "wget.exe"
]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (WebServiceDomains)
| where InitiatingProcessFileName in~ (SuspiciousCallers)
| extend ProcessCategory = case(
    InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"), "ScriptingEngine",
    InitiatingProcessFileName in~ ("mshta.exe", "regsvr32.exe", "rundll32.exe", "msbuild.exe"), "LOLBin",
    InitiatingProcessFileName in~ ("certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe"), "DownloadUtility",
    "Other"
)
| extend HighRiskParent = InitiatingProcessParentFileName in~ (
    "outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe",
    "onenote.exe", "mspub.exe", "acrord32.exe", "chrome.exe", "msedge.exe", "firefox.exe"
)
| extend WordPressPath = RemoteUrl has_any ("/wp-content/uploads/", "/wp-includes/", "/xmlrpc.php")
| project Timestamp, DeviceName, AccountName,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         RemoteUrl, RemoteIP, RemotePort,
         InitiatingProcessParentFileName, InitiatingProcessParentCommandLine,
         ProcessCategory, HighRiskParent, WordPressPath
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Developer workstations where git.exe, the GitHub CLI (gh.exe), or IDE tools legitimately invoke curl.exe or PowerShell to call GitHub APIs for source code operations
IT automation scripts using curl.exe or PowerShell Invoke-WebRequest to download software packages or configuration files from authorized cloud storage (Dropbox, Google Drive)
Backup agents with known process names connecting to Dropbox or Google Drive APIs as part of data protection workflows
CI/CD pipeline agents running as Windows services that use PowerShell or curl to interact with GitHub repositories for deployment operations
Security tooling (threat intelligence platforms, SOAR connectors) that periodically calls external APIs to fetch threat feeds or submit samples

Splunk

spl

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
| eval dest_host=lower(DestinationHostname)
| eval is_web_service=if(match(dest_host, "(github\.com|githubusercontent\.com|pastebin\.com|paste\.ee|pastecode\.io|hastebin\.com|dropbox\.com|dropboxusercontent\.com|googleapis\.com|drive\.google\.com|discord\.com|discordapp\.com|sendgrid\.net|hooks\.slack\.com|notion\.so)"), 1, 0)
| where is_web_service=1
| eval image_lower=lower(Image)
| eval is_suspicious=if(match(image_lower, "(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|msbuild\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)"), 1, 0)
| where is_suspicious=1
| eval proc_category=case(
    match(image_lower, "(powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe)"), "scripting_engine",
    match(image_lower, "(mshta\.exe|regsvr32\.exe|rundll32\.exe|msbuild\.exe)"), "lolbin",
    match(image_lower, "(certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)"), "download_utility",
    true(), "other"
)
| eval high_risk_parent=if(match(lower(ParentImage), "(outlook\.exe|winword\.exe|excel\.exe|powerpnt\.exe|onenote\.exe|acrord32\.exe|chrome\.exe|msedge\.exe|firefox\.exe)"), 1, 0)
| eval risk_score=proc_category+"_"+if(high_risk_parent=1, "office_parent", "standard_parent")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DestinationHostname, DestinationIp, DestinationPort, proc_category, high_risk_parent, risk_score
| sort - _time

medium severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Developer workstations where git.exe or IDE tooling invokes curl.exe to call GitHub APIs for routine source control operations
IT automation and configuration management scripts using curl or PowerShell to download packages from authorized cloud storage
Backup agents connecting to cloud storage services (Dropbox, Google Drive) from known service account identities
CI/CD pipeline agents making GitHub API calls via PowerShell or curl as part of automated deployment processes
Security platforms (SOAR, SIEM connectors, threat intelligence tools) calling external APIs for enrichment or sample submission

Elastic Security (EQL)

eql

network where event.type == "connection_attempted"
  and network.direction == "outbound"
  and destination.port in (80, 443, 8080, 8443)
  and not destination.ip : ("10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "192.168.*", "127.*")
  and process.name : ("nslookup.exe", "powershell.exe", "cmd.exe", "python.exe", "python3")

medium severity medium confidence

Data Sources

Elastic Endpoint Security Network events DNS events

Required Tables

logs-endpoint.events.network.* logs-dns.*

False Positives

Legitimate outbound connections to cloud hosting providers for business services
Security research teams connecting to VPS infrastructure for authorized testing
IT teams managing company-owned VPS or cloud instances
Developer connections to cloud-based development environments

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip, destinationip, destinationport,
  "CommandLine", "Image" AS Process,
  "DestinationHostname" AS RemoteHost,
  CASE
    WHEN COUNT(*) OVER (PARTITION BY sourceip, destinationip) >= 5 THEN 80
    WHEN destinationport IN (443, 8443, 4443) THEN 60
    ELSE 40
  END AS RiskScore,
  CASE
    WHEN "Image" ILIKE '%nslookup%' OR "Image" ILIKE '%dig%' THEN 'DNS Reconnaissance'
    WHEN destinationport IN (443, 8443) THEN 'Encrypted C2 Candidate'
    ELSE 'Outbound Connection'
  END AS AlertType
FROM events
WHERE eventid = 3
  AND NOT destinationip INCIDR '10.0.0.0/8'
  AND NOT destinationip INCIDR '172.16.0.0/12'
  AND NOT destinationip INCIDR '192.168.0.0/16'
  AND destinationport IN (53, 80, 443, 8080, 8443, 4443)
  AND "Image" NOT ILIKE '%chrome%'
  AND "Image" NOT ILIKE '%firefox%'
  AND "Image" NOT ILIKE '%msedge%'
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURS

medium severity medium confidence

Data Sources

Sysmon Event ID 3 DNS logs

Required Tables

events

False Positives

Legitimate connections to cloud hosting providers for business services
Security researchers testing tools on authorized VPS infrastructure
IT teams managing company-owned remote servers
Developers connecting to cloud-based development environments

Sumo Logic CSE

sql

_sourceCategory=*sysmon* OR _sourceCategory=*dns*
| json auto
| where EventCode = 3 or _sourceCategory matches "*dns*"
| where !matches(DestinationIp, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)")
| eval ProcessName = lower(Image)
| where !matches(ProcessName, "chrome|firefox|msedge|outlook|teams")
| eval IsDNSRecon = if(matches(ProcessName, "nslookup|dig|host|dnsrecon"), "true", "false")
| eval RiskScore = if(IsDNSRecon = "true", 70,
    if(DestinationPort in ("443","8443","4443"), 60, 40))
| where RiskScore >= 60
| stats count AS ConnCount, values(DestinationIp) AS DestIPs, values(ProcessName) AS Processes by _sourceHost, User, DestinationPort
| sort by ConnCount desc

medium severity medium confidence

Data Sources

Sysmon DNS logs

Required Tables

_sourceCategory=*sysmon* _sourceCategory=*dns*

False Positives

Legitimate business connections to cloud hosting and CDN providers
Authorized security testing against self-owned VPS infrastructure
Developer connections to cloud-based development or CI/CD environments
IT management connections to company-owned remote servers

Google Chronicle / SecOps

yaral

rule T1584_006_c2_infrastructure {
  meta:
    author = "Detection Engineering"
    description = "Detects potential C2 infrastructure activity and reconnaissance"
    severity = "medium"
    confidence = "medium"
    mitre_attack = "T1584.006"
    reference = "https://attack.mitre.org/techniques/T1584/006/"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    $e.target.port in (443, 8443, 4443, 8080, 53)
    not re.regex($e.target.ip, `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)`)
    re.regex($e.principal.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|nslookup|dig)`)

  condition:
    $e
}

medium severity medium confidence

Data Sources

Google Chronicle SIEM Endpoint telemetry DNS logs

Required Tables

NETWORK_CONNECTION DNS

False Positives

Legitimate business connections to cloud hosting providers
Security researchers accessing authorized VPS environments for testing
Development teams connecting to cloud-based build and test environments
IT administrators managing company-owned remote server infrastructure

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "NetworkConnectIP4"
| RemotePort in (443, 8443, 4443, 8080, 53)
| RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| ParentBaseFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|nslookup|python)/
| groupBy([aid, ComputerName, ImageFileName, ParentBaseFileName, RemoteAddressIP4, RemotePort], function=[count(as=ConnCount), min(timestamp, as=FirstSeen)])
| case {
    ConnCount >= 10 AND RemotePort = 53 => RiskScore := "High";
    ConnCount >= 5 => RiskScore := "Medium";
    * => RiskScore := "Low";
  }
| where RiskScore in ("High", "Medium")
| table([ComputerName, ImageFileName, ParentBaseFileName, RemoteAddressIP4, RemotePort, ConnCount, RiskScore, FirstSeen])
| sort(RiskScore)

medium severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Network events DNS events

Required Tables

NetworkConnectIP4

False Positives

Legitimate outbound connections to CDN or hosting infrastructure used by business apps
Authorized security research or penetration testing against owned VPS infrastructure
Development and QA teams connecting to cloud-based test environments
IT operations managing company-owned remote server infrastructure

Web Services

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections