title: Bidirectional Communication (T1102.002)
id: df00tech-t1102-002
status: experimental
description: "Adversaries may use an existing, legitimate external web service as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and cloud storage platforms (Google Drive, OneDrive, Dropbox, GitHub, Pastebin, Twitter, Google Calendar) to host C2 instructions and receive command output. This technique is particularly evasive because traffic blends with legitimate business use of these services, which are commonly accessed prior to compromise and protected with SSL/TLS encryption."
references:
  - https://attack.mitre.org/techniques/T1102/002/
  - https://df00tech.com/detections/T1102.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1102.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate IT automation scripts using PowerShell to interact with OneDrive, SharePoint, or Microsoft Graph API for business purposes"
  - "Developer workstations using curl, Python, or PowerShell to access GitHub APIs, Pastebin, or other development resources"
  - "Backup and sync agents or IT tools that legitimately upload/download files from Dropbox, OneDrive, or Google Drive"
  - "Security tools or monitoring scripts that use Pastebin or GitHub to pull configuration data or threat intelligence feeds"
  - "Collaboration tools (Slack, Teams, Discord) that spawn browser processes or helper utilities to handle webhooks or integrations"
level: high
