Command and Control (TA0011)
Exfiltration (TA0010)
endpoint
sentinel_one_cloud_funnel
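/*
 * Connection to Commonly Abused Web Services (Windows network event).
 *
 * Matches DNS lookups made by a named process, running outside the built-in
 * service-account contexts, for services that are frequently repurposed for
 * payload staging, command and control or exfiltration (paste sites, file
 * sharing, tunnelling, chat and webhook APIs). Exclusions are grouped as:
 *   - a path-only allow-list of well-known executables,
 *   - vendor-specific exclusions keyed on a trusted code signature AND the
 *     domain that vendor legitimately uses,
 *   - a trailing signer-only exclusion that is not tied to any domain.
 *
 * Tuning notes: the two duplicate domain entries of the original list
 * ("api.mylnikov.org", "api.notion.com") have been removed; this does not
 * change what the query matches.
 */
network where host.os.type == "windows" and dns.question.name != null and process.name != null and

  /* Skip the LocalSystem, LocalService and NetworkService contexts (well-known
     SIDs S-1-5-18/19/20). `?user.id` is an optional field reference, so events
     that lack user.id are still evaluated rather than dropped. */
  not (?user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") or user.domain == "NT AUTHORITY") and

  /* Add new WebSvc domains here */
  dns.question.name : (
    "raw.githubusercontent.*", "pastebin.*", "paste4btc.com", "paste.ee", "ghostbin.com",
    "drive.google.com", "?.docs.live.net", "api.dropboxapi.*", "content.dropboxapi.*",
    "dl.dropboxusercontent.*", "api.onedrive.com", "*.onedrive.org", "onedrive.live.com",
    "filebin.net", "*.ngrok.io", "ngrok.com", "*.portmap.*", "*serveo.net", "*localtunnel.me",
    "*pagekite.me", "*localxpose.io", "*notabug.org", "rawcdn.githack.*", "paste.nrecom.net",
    "zerobin.net", "controlc.com", "requestbin.net", "slack.com", "api.slack.com",
    "slack-redir.net", "slack-files.com", "cdn.discordapp.com", "discordapp.com", "discord.com",
    "apis.azureedge.net", "cdn.sql.gg", "?.top4top.io", "top4top.io", "www.uplooder.net",
    "*.cdnmegafiles.com", "transfer.sh", "gofile.io", "updates.peer2profit.com",
    "api.telegram.org", "t.me", "meacz.gq", "rwrd.org", "*.publicvm.com", "*.blogspot.com",
    "api.mylnikov.org", "file.io", "stackoverflow.com", "*files.1drv.com", "api.anonfile.com",
    "*hosting-profi.de", "ipbase.com", "ipfs.io", "*up.freeo*.space", "script.google.com",
    "script.googleusercontent.com", "api.notion.com", "graph.microsoft.com", "*.sharepoint.com",
    "mbasic.facebook.com", "login.live.com", "api.gofile.io", "api.anonfiles.com",
    "api.trello.com", "gist.githubusercontent.com", "files.pythonhosted.org", "g.live.com",
    "*.zulipchat.com", "webhook.site", "run.mocky.io", "mockbin.org", "www.googleapis.com",
    "googleapis.com", "global.rel.tunnels.api.visualstudio.com", "*.devtunnels.ms",
    "api.github.com", "*.blob.core.windows.net", "*.blob.storage.azure.net"
  ) and

  /* Insert noisy false positives here */
  not (
    /* Path-only allow-list: no signature check is applied to these executables.
       Several entries sit under user-writable locations (AppData) or use broad
       wildcards (Program Files\*.exe); a trusted-signature condition, as used in
       the vendor blocks below, would make them harder to satisfy by file placement. */
    ( process.executable : (
        "?:\\Program Files\\*.exe",
        "?:\\Program Files (x86)\\*.exe",
        "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
        "?:\\Users\\*\\AppData\\Local\\BraveSoftware\\*\\Application\\brave.exe",
        "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
        "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
        "?:\\Users\\*\\AppData\\Local\\Programs\\Opera*\\opera.exe",
        "?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe",
        "?:\\Users\\*\\AppData\\Local\\PowerToys\\PowerToys.exe",
        "?:\\Users\\*\\AppData\\Local\\Vivaldi\\Application\\vivaldi.exe",
        "?:\\Users\\*\\AppData\\Local\\Zen Browser\\zen.exe",
        "?:\\Users\\*\\Wavesor Software\\WaveBrowser\\wavebrowser.exe",
        "?:\\Windows\\System32\\MicrosoftEdgeCP.exe",
        "?:\\Windows\\system32\\mobsync.exe",
        "?:\\Windows\\SysWOW64\\mobsync.exe",
        "?:\\Windows\\system32\\svchost.exe",
        "?:\\Windows\\System32\\smartscreen.exe",
        "?:\\Windows\\System32\\wsl.exe",
        "?:\\Windows\\System32\\WWAHost.exe"
      )
    ) or

    /* Discord App */
    ( process.name : "Discord.exe" and
      (process.code_signature.subject_name : "Discord Inc." and process.code_signature.trusted == true) and
      dns.question.name : ("discord.com", "cdn.discordapp.com", "discordapp.com")
    ) or

    /* MS Sharepoint / OneDrive */
    ( process.name : ("Microsoft.SharePoint.exe", "OneDrive.Sync.Service.exe") and
      dns.question.name : "onedrive.live.com" and
      (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Obsidian - Plugins are stored on raw.githubusercontent.com */
    ( process.name : "Obsidian.exe" and
      (process.code_signature.subject_name : "Dynalist Inc" and process.code_signature.trusted == true) and
      dns.question.name : "raw.githubusercontent.com"
    ) or

    /* WebExperienceHostApp */
    ( process.name : "WebExperienceHostApp.exe" and
      (process.code_signature.subject_name : "Microsoft Windows" and process.code_signature.trusted == true) and
      dns.question.name : ("onedrive.live.com", "skyapi.onedrive.live.com")
    ) or

    /* IntelliJ IDEA connecting to raw.githubusercontent.com */
    ( process.code_signature.subject_name : "JetBrains s.r.o." and
      process.code_signature.trusted == true and
      dns.question.name : ("api.github.com", "raw.githubusercontent.com")
    ) or

    /* Any trusted Microsoft-signed binary reaching Microsoft-operated storage/identity endpoints */
    ( process.code_signature.subject_name : "Microsoft *" and
      process.code_signature.trusted == true and
      dns.question.name : ("*.sharepoint.com", "graph.microsoft.com", "g.live.com", "login.live.com",
                           "*.blob.core.windows.net", "*.blob.storage.azure.net")
    ) or

    /* Python / Anaconda package installs */
    ( process.code_signature.subject_name : ("Python Software Foundation", "Anaconda, Inc.") and
      process.code_signature.trusted == true and
      dns.question.name : "files.pythonhosted.org"
    ) or

    /* Zoom */
    ( process.name : "Zoom.exe" and
      ( process.code_signature.subject_name : ("Zoom Video Communications, Inc.", "Zoom Communications, Inc.") and
        process.code_signature.trusted == true) and
      dns.question.name : ("www.googleapis.com", "graph.microsoft.com")
    ) or

    /* VSCode */
    ( process.name : "Code.exe" and
      (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true) and
      dns.question.name : ("api.github.com", "raw.githubusercontent.com")
    ) or

    /* Terraform */
    ( process.name : "terraform-provider*.exe" and
      (process.code_signature.subject_name : "HashiCorp, Inc." and process.code_signature.trusted == true) and
      dns.question.name : "graph.microsoft.com"
    ) or

    /* Signer-only exclusion: unlike the blocks above, this is not constrained to a
       domain, so any trusted binary from these publishers is excluded for every
       listed service. Review coverage loss here first when tuning. */
    ( process.code_signature.trusted == true and
      process.code_signature.subject_name : (
        "Johannes Schindelin", "Redis Inc.", "Slack Technologies, LLC", "Cisco Systems, Inc.",
        "Dropbox, Inc", "Amazon.com Services LLC", "Island Technology Inc.", "GitHub, Inc.",
        "Red Hat, Inc", "Mozilla Corporation"
      )
    )
  )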
Install detection rules in Elastic Security
Detect Connection to Commonly Abused Web Services in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, follow the installation guide for Prebuilt Security Detection Rules.