Detect One-Way Web Service Command Channels

ID: DET0581
Domains: Enterprise
Analytics: AN1599, AN1600, AN1601, AN1602
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1599

Suspicious process initiating outbound connections to web services without corresponding response or return traffic, indicative of one-way command channels.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Network Traffic Content (DC0085) | etw:Microsoft-Windows-WinINet | WinINet API telemetry |

Mutable Elements

| Field | Description |
|---|---|
| DestinationDomain | Can tune for popular web services (e.g., googleapis.com, github.com) based on threat actor tooling |
| TimeWindow | May adjust temporal window to catch beaconing patterns (e.g., every 10-30 mins) |
| ProcessName | Environment-specific tuning to exclude expected update or telemetry tools |
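The following is an added example, not part of the DET0581 page or the ATT&CK project, showing how AN1599's logic might be applied to flow records: group outbound connections per (process, destination domain), keep only groups that never receive application-layer response bytes, and flag those whose cadence falls inside the TimeWindow with low jitter. The records, domain list, process allow-list and thresholds are constructed assumptions; in practice the records would come from joining Sysmon EventCode=3 with a flow or proxy source that reports received payload bytes.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records (not from the page): one per outbound connection.
# bytes_in is assumed to be application-layer response bytes after the TLS
# handshake, since a bare TLS session always returns some handshake bytes.
SAMPLE_FLOWS = [
    # timestamp, process, destination domain, bytes_out, bytes_in
    ("2025-10-21T09:00:05", "updater.exe", "github.com", 812, 0),
    ("2025-10-21T09:15:07", "updater.exe", "github.com", 805, 0),
    ("2025-10-21T09:30:04", "updater.exe", "github.com", 819, 0),
    ("2025-10-21T09:45:06", "updater.exe", "github.com", 801, 0),
    ("2025-10-21T09:02:00", "chrome.exe", "googleapis.com", 1200, 48000),
    ("2025-10-21T09:40:00", "chrome.exe", "googleapis.com", 900, 36000),
    ("2025-10-21T10:10:00", "chrome.exe", "googleapis.com", 1100, 52000),
]

WATCHED_DOMAINS = {"github.com", "googleapis.com"}  # DestinationDomain tuning
EXPECTED_PROCESSES = {"chrome.exe"}                  # ProcessName allow-list
MIN_CONNECTIONS = 3                                  # need a cadence to measure
BEACON_WINDOW = (600, 1800)                          # TimeWindow: 10-30 minutes
MAX_JITTER = 0.2                                     # stdev/mean of the gaps


def find_one_way_channels(flows, watched=WATCHED_DOMAINS, allowed=EXPECTED_PROCESSES,
                          min_conns=MIN_CONNECTIONS, window=BEACON_WINDOW,
                          jitter=MAX_JITTER):
    """Return (process, domain, mean_gap_seconds) for processes that repeatedly
    send to a watched web service, never get a response body back, and do so
    at a regular interval inside the beaconing window."""
    groups = defaultdict(list)
    for ts, proc, dom, out_b, in_b in flows:
        if dom in watched and proc not in allowed:
            groups[(proc, dom)].append((datetime.fromisoformat(ts), out_b, in_b))
    hits = []
    for (proc, dom), recs in groups.items():
        recs.sort()
        # At least two gaps are needed to judge regularity
        if len(recs) < max(min_conns, 3) or any(in_b > 0 for _, _, in_b in recs):
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        avg = mean(gaps)
        if window[0] <= avg <= window[1] and pstdev(gaps) / avg <= jitter:
            hits.append((proc, dom, round(avg)))
    return hits
```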

AN1600

Curl, wget, or custom HTTP clients initiated by uncommon user accounts or cron jobs to popular web services, with no observed response parsing logic.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Network Traffic Flow (DC0078) | iptables:LOG | OUTBOUND |

Mutable Elements

| Field | Description |
|---|---|
| ParentProcess | May tune to detect unknown parents like custom scripts or reverse shells |
| CommandLineArgs | May adjust based on known curl/wget C2 behaviors |

AN1601

Process using URLSession or similar API to fetch from web services without any response handling, indicative of one-way C2 channels.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | macos:unifiedlog | process, network |
| Process Creation (DC0032) | macos:endpointsecurity | exec events |

Mutable Elements

| Field | Description |
|---|---|
| UserContext | Flag unexpected outbound activity from non-admin or system users |
| EntropyScore | Optional if script-based obfuscation is seen in web requests |

AN1602

ESXi shell or scheduled tasks initiating outbound HTTPS to known public services without inbound return or loggable response, used to fetch instructions.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | esxi:hostd | CLI network calls |

Mutable Elements

| Field | Description |
|---|---|
| ScheduledTaskName | Can tune for task names used to execute curl-based outbound requests |
| DestinationIP | Scoped by environment to exclude known legitimate CDNs |