Detect Bidirectional Web Service C2 Channels via Process & Network Correlation

ID: DET0035
Domains: Enterprise
Analytics: AN0100, AN0101, AN0102
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0100

Suspicious processes initiating encrypted HTTPS connections to common web service domains, followed by abnormal data upload behavior or automated posting behavior indicative of C2 bidirectional traffic.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Process Creation (DC0032) | WinEventLog:Sysmon | Event ID 1 |
| Network Traffic Content (DC0085) | etw:Microsoft-Windows-WinINet | HTTPS Inspection |

Mutable Elements

| Field | Description |
|---|---|
| TimeWindow | Timeframe for evaluating multiple network connections tied to the same process |
| DomainPattern | Regex or string patterns used to identify common web service infrastructure (e.g., *.googleapis.com) |
| PayloadSizeThreshold | Minimum data upload size before flagging an anomaly |
| ProcessNameExclusionList | Known benign updaters or service processes, excluded to reduce false positives |
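The following is an added example, not code from the ATT&CK page or from any detection product: it implements the AN0100 correlation in Python over a few constructed Sysmon records, joining Event ID 1 (process creation) to Event ID 3 (network connection) on ProcessGuid, applying DomainPattern, ProcessNameExclusionList and TimeWindow. Sysmon Event ID 3 carries no byte counts, so PayloadSizeThreshold cannot be evaluated from it alone (that needs the Network Traffic Content source); the example therefore uses a connection-count threshold inside the window as its second condition. The concrete thresholds, patterns, process images, GUIDs and hostnames are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Mutable elements of AN0100; the concrete values are assumptions for this example.
TIME_WINDOW = timedelta(minutes=10)
DOMAIN_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"(^|\.)googleapis\.com$", r"(^|\.)github\.com$", r"(^|\.)dropboxapi\.com$")]
CONNECTION_THRESHOLD = 5   # web-service connections inside one TIME_WINDOW
PROCESS_NAME_EXCLUSION_LIST = {
    r"c:\program files (x86)\google\update\googleupdate.exe",
    r"c:\program files\google\chrome\application\chrome.exe",
}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")  # Sysmon UtcTime layout

def is_web_service_domain(hostname):
    """DomainPattern check: anchored so 'github.com.evil.test' does not match."""
    return any(p.search(hostname) for p in DOMAIN_PATTERNS)

def correlate(events, window=TIME_WINDOW, threshold=CONNECTION_THRESHOLD,
              exclusions=PROCESS_NAME_EXCLUSION_LIST):
    """Join Sysmon Event ID 1 to Event ID 3 on ProcessGuid and flag processes
    that open >= threshold HTTPS connections to web-service domains within any
    single sliding window of length `window`."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventCode"] == 1}
    conns = defaultdict(list)
    for e in events:
        if (e["EventCode"] == 3 and e.get("DestinationPort") == 443
                and is_web_service_domain(e.get("DestinationHostname", ""))):
            conns[e["ProcessGuid"]].append(
                (_ts(e["UtcTime"]), e["DestinationHostname"], e.get("Image", "")))
    findings = []
    for guid, items in conns.items():
        proc = procs.get(guid, {})
        # Fall back to the Image on the network event if the process started
        # before logging began and no Event ID 1 exists for it.
        image = proc.get("Image") or items[0][2]
        if image.lower() in exclusions:
            continue
        items.sort()
        times = [t for t, _, _ in items]
        # Two-pointer sliding window: largest connection count within `window`.
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append({
                "ProcessGuid": guid, "Image": image,
                "ParentImage": proc.get("ParentImage", ""),
                "Domains": sorted({h for _, h, _ in items}),
                "ConnectionsInWindow": best,
            })
    return findings

# Constructed sample events (not real telemetry).
def _conn(guid, image, utc, host):
    return {"EventCode": 3, "UtcTime": utc, "ProcessGuid": guid, "Image": image,
            "DestinationHostname": host, "DestinationPort": 443}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
GU = r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"
SYSMON_EVENTS = [
    {"EventCode": 1, "UtcTime": "2025-10-21 13:00:00.000", "ProcessGuid": "{A}",
     "Image": PS,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventCode": 1, "UtcTime": "2025-10-21 12:59:00.000", "ProcessGuid": "{B}",
     "Image": GU, "ParentImage": r"C:\Windows\System32\services.exe"},
] + [  # {A}: six connections to api.github.com inside 2.5 minutes
    _conn("{A}", PS, f"2025-10-21 13:{m:02d}:{s:02d}.000", "api.github.com")
    for m, s in ((0, 10), (0, 40), (1, 10), (1, 40), (2, 10), (2, 40))
] + [  # {B}: a known updater, removed by the exclusion list
    _conn("{B}", GU, f"2025-10-21 13:0{i}:00.000", "update.googleapis.com")
    for i in range(6)
] + [  # {C}: no Event ID 1, only two connections, below threshold
    _conn("{C}", r"C:\Program Files\Example\app.exe",
          f"2025-10-21 13:1{i}:00.000", "storage.googleapis.com")
    for i in range(2)
]

if __name__ == "__main__":
    for f in correlate(SYSMON_EVENTS):
        print(f)
```

In production the exclusion list should key on a signed-image identity (hash or signer) rather than a path, since a path match is trivially satisfiable by an attacker who controls the file name.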

AN0101

Non-interactive system processes making encrypted HTTPS connections to well-known web services followed by high outbound traffic volume or scripted upload patterns.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Network Traffic Flow (DC0078) | NSM:Flow | conn.log |
| Network Traffic Content (DC0085) | NSM:Flow | ssl.log |

Mutable Elements

| Field | Description |
|---|---|
| UploadDirectionality | Bias detection toward sessions with larger upload than download volume |
| HostnameRegexList | List of known public web services used for dead drops or C2 (e.g., GitHub, Twitter) |
| ScriptParentName | Shell interpreter or automated job parent used for filtering (e.g., /usr/bin/python) |

AN0102

Scripting engines (e.g., osascript, Python) initiating HTTPS requests to social media or content-sharing platforms, paired with automated response handling indicative of two-way communication.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | log stream --info --predicate 'subsystem == "com.apple.cfprefsd"' |
| Network Connection Creation (DC0082) | NSM:Connections | web domain alerts |

Mutable Elements

| Field | Description |
|---|---|
| ScriptEngineList | Scripting interpreters to monitor for unusual HTTP traffic (e.g., osascript, ruby, bash) |
| SocialMediaDomainPatterns | Patterns or domains used for C2 dead drops and responses (e.g., pastebin.com, twitter.com) |
| BurstConnectionRate | Threshold for the number of short-lived HTTPS connections in a short window |
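The following is an added example, not code from the ATT&CK page or from any NSM product, serving both AN0101 and AN0102: it joins Zeek-style ssl.log to conn.log on uid, keeps TLS sessions to hosts in HostnameRegexList whose byte volume is dominated by the client side (UploadDirectionality), and then attributes each flagged session to scripting-engine processes (ScriptParentName / ScriptEngineList) that executed on the same host shortly before it. Flow records carry no PID, so the process-to-flow join is by source address and time proximity, which is the main caveat of this correlation on multi-user hosts. The field names follow Zeek's conn.log and ssl.log; the execve records are a simplified stand-in for auditd output, and all thresholds, addresses, timestamps and byte counts are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Mutable elements of AN0101 / AN0102; values are assumptions for this example.
HOSTNAME_REGEX_LIST = [re.compile(p, re.IGNORECASE) for p in (
    r"(^|\.)github\.com$", r"(^|\.)pastebin\.com$", r"(^|\.)twitter\.com$")]
UPLOAD_DIRECTIONALITY = 0.80   # share of session bytes sent by the client
MIN_UPLOAD_BYTES = 50_000      # ignore tiny sessions (polls, keep-alives)
SCRIPT_ENGINE_LIST = {"/usr/bin/python3", "/usr/bin/osascript",
                      "/usr/bin/ruby", "/bin/bash"}
ATTRIBUTION_WINDOW = timedelta(minutes=5)

def _t(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc)

def upload_ratio(orig_bytes, resp_bytes):
    """Fraction of session bytes sent by the originator; 0.0 for empty sessions."""
    total = orig_bytes + resp_bytes
    return orig_bytes / total if total else 0.0

def find_upload_sessions(conn_log, ssl_log, ratio=UPLOAD_DIRECTIONALITY,
                         min_bytes=MIN_UPLOAD_BYTES):
    """Join ssl.log to conn.log on uid and keep TLS sessions to watched web
    services where the client sent at least `ratio` of all bytes."""
    sni = {r["uid"]: r.get("server_name", "") for r in ssl_log}
    hits = []
    for c in conn_log:
        name = sni.get(c["uid"], "")
        if c["id.resp_p"] != 443 or not any(p.search(name) for p in HOSTNAME_REGEX_LIST):
            continue
        ob, rb = c.get("orig_bytes", 0), c.get("resp_bytes", 0)
        r = upload_ratio(ob, rb)
        if ob >= min_bytes and r >= ratio:
            hits.append({"uid": c["uid"], "ts": c["ts"], "host": c["id.orig_h"],
                         "server_name": name, "orig_bytes": ob, "resp_bytes": rb,
                         "upload_ratio": round(r, 3)})
    return hits

def attribute_to_scripts(hits, execve_log, window=ATTRIBUTION_WINDOW,
                         engines=SCRIPT_ENGINE_LIST):
    """For each flagged session, list execve events on the same host within
    `window` before the session whose exe or parent is a scripting engine."""
    findings = []
    for h in hits:
        t = _t(h["ts"])
        cands = [e for e in execve_log
                 if e["host"] == h["host"]
                 and (e["exe"] in engines or e.get("parent_exe") in engines)
                 and timedelta(0) <= t - _t(e["ts"]) <= window]
        if cands:
            findings.append({**h, "processes": [
                (e["pid"], e["exe"], e.get("parent_exe")) for e in cands]})
    return findings

# Constructed sample records (not real telemetry). BASE is 2025-10-21T13:00:00Z.
BASE = 1761051600.0
CONN_LOG = [
    {"ts": BASE + 120, "uid": "CAbc1", "id.orig_h": "10.0.0.21", "id.resp_h": "203.0.113.10",
     "id.resp_p": 443, "orig_bytes": 2_400_000, "resp_bytes": 18_000},    # upload-heavy
    {"ts": BASE + 130, "uid": "CAbc2", "id.orig_h": "10.0.0.21", "id.resp_h": "203.0.113.10",
     "id.resp_p": 443, "orig_bytes": 3_000, "resp_bytes": 410_000},       # ordinary download
    {"ts": BASE + 200, "uid": "CAbc3", "id.orig_h": "10.0.0.44", "id.resp_h": "203.0.113.20",
     "id.resp_p": 443, "orig_bytes": 900_000, "resp_bytes": 5_000},       # upload, browser host
]
SSL_LOG = [
    {"uid": "CAbc1", "server_name": "api.github.com"},
    {"uid": "CAbc2", "server_name": "github.com"},
    {"uid": "CAbc3", "server_name": "pastebin.com"},
]
EXECVE_LOG = [
    {"ts": BASE + 60, "host": "10.0.0.21", "pid": 4321,
     "exe": "/usr/bin/python3", "parent_exe": "/usr/sbin/cron"},
    {"ts": BASE + 100, "host": "10.0.0.21", "pid": 4350,
     "exe": "/usr/bin/curl", "parent_exe": "/usr/bin/python3"},
    {"ts": BASE + 190, "host": "10.0.0.44", "pid": 777,
     "exe": "/usr/bin/firefox", "parent_exe": "/usr/bin/gnome-shell"},
]

if __name__ == "__main__":
    for f in attribute_to_scripts(find_upload_sessions(CONN_LOG, SSL_LOG), EXECVE_LOG):
        print(f)
```

With these inputs the session from 10.0.0.44 is upload-heavy but has no scripting-engine process nearby, so it is dropped at the attribution step; the session from 10.0.0.21 is kept because a cron-launched python3 and a curl child of python3 ran within the window. Tuning MIN_UPLOAD_BYTES and UPLOAD_DIRECTIONALITY against a baseline of legitimate pushes to the same services is what keeps this from alerting on every git push.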