Suspicious Use of Web Services for C2

Technique Detected: Web Service | T1102

ID: DET0425
Domains: Enterprise
Analytics: AN1189, AN1190, AN1191, AN1192
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1189

Detects unusual outbound connections to web services from uncommon processes using SSL/TLS, particularly those exhibiting high outbound data volume or persistence.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Network Traffic Content (DC0085) | NSM:Flow | SSL/TLS Inspection or PCAP |

Mutable Elements

| Field | Description |
|---|---|
| ProcessName | Tune for unexpected or uncommon executables initiating network connections |
| DataTransferThreshold | Volume of outbound data in a short time window (e.g., >1MB in <5 min) |
| TimeWindow | Look for connections persisting outside of normal business hours |

AN1190

Detects command-line tools, agents, or scripts making outbound HTTPS connections to popular web services like Discord, Slack, Dropbox, or Graph API in an unusual context.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | auditd:SYSCALL | connect/sendto |
| Network Traffic Content (DC0085) | NSM:Flow | conn.log, ssl.log |

Mutable Elements

| Field | Description |
|---|---|
| ParentProcess | Unusual parent-child process behavior initiating external comms (e.g., bash > curl) |
| HostnamePattern | Destination hostnames (e.g., *.dropboxapi.com, *.graph.microsoft.com) |
| RequestFrequency | Repeated requests at unusual intervals, suggesting beaconing |
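
As an added example (not part of the ATT&CK detection strategy or any vendor's content), the Python below implements the AN1189 DataTransferThreshold check and the AN1190 RequestFrequency (beaconing) check over constructed connection records; the record shape, the process allowlist and the thresholds are assumptions chosen to illustrate the tuning knobs.

```python
import statistics
from collections import defaultdict
# Constructed (not real) records shaped like Sysmon Event ID 3 joined with flow bytes: (ts_s, Image, DestinationHostname, bytes_out)
EVENTS = [
    (0,    r"C:\Windows\System32\svchost.exe",   "update.microsoft.com", 2_000),
    (60,   r"C:\Users\u\notes.exe",             "api.dropboxapi.com",   600_000),
    (120,  r"C:\Users\u\notes.exe",             "api.dropboxapi.com",   600_000),
    (180,  r"C:\Users\u\notes.exe",             "api.dropboxapi.com",   600_000),
    (240,  r"C:\Users\u\notes.exe",             "api.dropboxapi.com",   600_000),
    (900,  r"C:\Program Files\Slack\slack.exe", "slack.com",            50_000),
]
# ProcessName tuning (assumed allowlist): executables expected to use web services.
EXPECTED_CLIENTS = {r"C:\Program Files\Slack\slack.exe"}

def high_volume_uncommon_process(events, allowlist=EXPECTED_CLIENTS, threshold=1_000_000, window=300):
    # AN1189 DataTransferThreshold: a non-allowlisted image sends more than
    # `threshold` bytes to one host inside any `window`-second sliding window.
    by_pair = defaultdict(list)
    for ts, image, host, nbytes in events:
        if image not in allowlist:
            by_pair[(image, host)].append((ts, nbytes))
    hits = set()
    for pair, conns in by_pair.items():
        conns.sort()
        start, total = 0, 0
        for ts, nbytes in conns:
            total += nbytes
            while ts - conns[start][0] > window:   # evict connections older than window
                total -= conns[start][1]
                start += 1
            if total > threshold:
                hits.add(pair)
    return hits

def beacon_candidates(events, min_conns=4, max_cv=0.2):
    # AN1190 RequestFrequency: (image, host) pairs whose inter-connection gaps are
    # nearly constant (coefficient of variation <= max_cv), i.e. beacon-like.
    by_pair = defaultdict(list)
    for ts, image, host, _ in events:
        by_pair[(image, host)].append(ts)
    hits = set()
    for pair, stamps in by_pair.items():
        if len(stamps) >= min_conns:
            stamps.sort()
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            mean = statistics.mean(gaps)
            if mean and statistics.pstdev(gaps) / mean <= max_cv:
                hits.add(pair)
    return hits
```

Both checks fire on the same (process, host) pair in the sample, which is the corroboration a triage rule would want before alerting; raising `threshold` or `min_conns` shows how the mutable elements trade sensitivity for noise.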

AN1191

Detects user agents or background services making unauthorized or unscheduled web API calls to cloud/web services over HTTPS.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | macos:unifiedlog | process + network activity |
| Network Connection Creation (DC0082) | macos:osquery | process_events, socket_events |

Mutable Elements

| Field | Description |
|---|---|
| ProcessSignature | Unsigned or user-modified apps communicating with cloud services |
| ConnectionInterval | Beacon-like pattern of regular outbound communication |

AN1192

Detects guest VMs or management agents issuing HTTP(S) traffic to external services without a valid patch management or backup justification.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | esxi:vmkernel | network activity |
| Network Traffic Flow (DC0078) | vpxd.log | API communication |

Mutable Elements

| Field | Description |
|---|---|
| RemoteIPRange | Filter to detect only external/public destinations |
| VMContext | Exclude known backup or patch automation services |