Web Service: One-Way Communication (T1102.003)

Tactic: Command & Control

Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.

Events covered

2 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 4 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (7 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field                 Rules  How                    Sample values
EventType             2      eq 1, in 1             Subscribe, exec, fork, start
c-uri                 2      contains 2, match 1    .ghostbin.co/paste/*/raw/, .hastebin.com/raw/, .paste.ee/r/, /pwndrop/
CommandLine           1      contains 1             confirm=no_antivirus, drive.google.com, export=download
Provider_Name         1      eq 1                   sns.amazonaws.com
data_stream.dataset   1      eq 1                   aws.cloudtrail
event.outcome         1      eq 1                   success
process_name          1      eq 1                   brave.exe, browser.exe, chrome.exe

Top indicator values (38 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field                 Kind      Value                       Rules (here)  Corpus reach
CommandLine           contains  confirm=no_antivirus        1
CommandLine           contains  drive.google.com            1
CommandLine           contains  export=download             1
EventType             eq        Subscribe                   1
EventType             in        exec                        1             171
EventType             in        fork                        1             5
EventType             in        start                       1             134
Provider_Name         eq        sns.amazonaws.com           1             3
c-uri                 contains  .hastebin.com/raw/          1
c-uri                 contains  .paste.ee/r/                1
c-uri                 contains  .pastebin.com/raw/          1
c-uri                 contains  /pwndrop/                   1
c-uri                 contains  paste.ee/                   1
c-uri                 contains  pastebin.pl/                1
c-uri                 contains  pastetext.net/              1
c-uri                 match     .ghostbin.co/paste/*/raw/   1
data_stream.dataset   eq        aws.cloudtrail              1             141
event.outcome         eq        success                     1             251
process_name          eq        brave.exe                   1             3
process_name          eq        browser.exe                 1             3
process_name          eq        chrome.exe                  1             7
process_name          eq        curl                        1             18
process_name          eq        curl.exe                    1             15
process_name          eq        dragon.exe                  1             3
process_name          eq        firefox                     1
process_name          eq        firefox.exe                 1             2
process_name          eq        google chrome               1
process_name          eq        google-chrome               1
process_name          eq        google-chrome-beta          1
process_name          eq        google-chrome-stable        1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.

Sigma: 2 rules

Elastic: 2 rules