title: One-Way Communication (T1102.003)
id: df00tech-t1102-003
status: experimental
description: "Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media (GitHub, Twitter/X, Telegram, GitLab, TechNet) to host command and control (C2) instructions. Those infected systems may send output back over a different C2 channel or return no output at all. Using common services makes it easier for adversaries to hide in expected noise, and SSL/TLS encryption from Web service providers adds an additional layer of protection."
references:
  - https://attack.mitre.org/techniques/T1102/003/
  - https://df00tech.com/detections/T1102.003
author: df00tech
date: 2026/04/17
tags:
  - attack.t1102.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Developers and DevOps engineers using git clients, GitHub CLI, or GitLab runners on workstations that legitimately connect to GitHub or GitLab"
  - "IT automation tools (Ansible, Puppet, Chef) polling GitHub for configuration or playbook updates"
  - "Software update mechanisms that fetch release notes, changelogs, or update manifests from GitHub or Google APIs"
  - "Security tools and EDR agents that check reputation feeds or pull threat intel from public repositories"
  - "Collaboration tools installed as services that connect to Discord, Telegram, or Slack APIs for notifications"
level: medium
