Elastic Security Detection Rules

Connection to Commonly Abused Web Services

Last updated a month ago on 2025-04-30
Created 5 years ago on 2020-11-04

About

Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.
Tags
Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: Command and ControlData Source: Elastic DefendLanguage: eql
Severity
low
Risk Score
21
MITRE ATT&CK™

Command and Control (TA0011)(opens in a new tab or window)

Web Service (T1102)(opens in a new tab or window)

Dynamic Resolution (T1568)(opens in a new tab or window)

Exfiltration (TA0010)(opens in a new tab or window)

Exfiltration Over Web Service (T1567)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.network-*
Related Integrations

endpoint(opens in a new tab or window)

Query
network where host.os.type == "windows" and network.protocol == "dns" and
    process.name != null and user.id not in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
    /* Add new WebSvc domains here */
    dns.question.name :
       (
        "raw.githubusercontent.*",
        "pastebin.*",
        "paste4btc.com",
        "paste.ee",
        "ghostbin.com",
        "drive.google.com",
        "?.docs.live.net",
        "api.dropboxapi.*",
        "content.dropboxapi.*",
        "dl.dropboxusercontent.*",
        "api.onedrive.com",
        "*.onedrive.org",
        "onedrive.live.com",
        "filebin.net",
        "*.ngrok.io",
        "ngrok.com",
        "*.portmap.*",
        "*serveo.net",
        "*localtunnel.me",
        "*pagekite.me",
        "*localxpose.io",
        "*notabug.org",
        "rawcdn.githack.*",
        "paste.nrecom.net",
        "zerobin.net",
        "controlc.com",
        "requestbin.net",
        "slack.com",
        "api.slack.com",
        "slack-redir.net",
        "slack-files.com",
        "cdn.discordapp.com",
        "discordapp.com",
        "discord.com",
        "apis.azureedge.net",
        "cdn.sql.gg",
        "?.top4top.io",
        "top4top.io",
        "www.uplooder.net",
        "*.cdnmegafiles.com",
        "transfer.sh",
        "gofile.io",
        "updates.peer2profit.com",
        "api.telegram.org",
        "t.me",
        "meacz.gq",
        "rwrd.org",
        "*.publicvm.com",
        "*.blogspot.com",
        "api.mylnikov.org",
        "file.io",
        "stackoverflow.com",
        "*files.1drv.com",
        "api.anonfile.com",
        "*hosting-profi.de",
        "ipbase.com",
        "ipfs.io",
        "*up.freeo*.space",
        "api.mylnikov.org",
        "script.google.com",
        "script.googleusercontent.com",
        "api.notion.com",
        "graph.microsoft.com",
        "*.sharepoint.com",
        "mbasic.facebook.com",
        "login.live.com",
        "api.gofile.io",
        "api.anonfiles.com",
        "api.notion.com",
        "api.trello.com",
        "gist.githubusercontent.com",
        "files.pythonhosted.org",
        "g.live.com",
        "*.zulipchat.com",
        "webhook.site",
        "run.mocky.io",
        "mockbin.org", 
        "www.googleapis.com", 
        "googleapis.com",
        "global.rel.tunnels.api.visualstudio.com",
        "*.devtunnels.ms", 
        "api.github.com") and
        
    /* Insert noisy false positives here */
    not (
      (
        process.executable : (
          "?:\\Program Files\\*.exe",
          "?:\\Program Files (x86)\\*.exe",
          "?:\\Windows\\system32\\svchost.exe",
          "?:\\Windows\\System32\\WWAHost.exe",
          "?:\\Windows\\System32\\smartscreen.exe",
          "?:\\Windows\\System32\\MicrosoftEdgeCP.exe",
          "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
          "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
          "?:\\Users\\*\\AppData\\Local\\BraveSoftware\\*\\Application\\brave.exe",
          "?:\\Users\\*\\AppData\\Local\\Vivaldi\\Application\\vivaldi.exe",
          "?:\\Users\\*\\AppData\\Local\\Programs\\Opera*\\opera.exe",
          "?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe",
          "?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
          "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
          "?:\\Users\\*\\AppData\\Local\\PowerToys\\PowerToys.exe",
          "?:\\Windows\\system32\\mobsync.exe",
          "?:\\Windows\\SysWOW64\\mobsync.exe", 
          "?:\\Windows\\System32\\wsl.exe", 
          "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe"
        )
      ) or
    
      /* Discord App */
      (process.name : "Discord.exe" and (process.code_signature.subject_name : "Discord Inc." and
       process.code_signature.trusted == true) and dns.question.name : ("discord.com", "cdn.discordapp.com", "discordapp.com")
      ) or 

      /* MS Sharepoint */
      (process.name : "Microsoft.SharePoint.exe" and (process.code_signature.subject_name : "Microsoft Corporation" and
       process.code_signature.trusted == true) and dns.question.name : "onedrive.live.com"
      ) or 

      /* Firefox */
      (process.name : "firefox.exe" and (process.code_signature.subject_name : "Mozilla Corporation" and
       process.code_signature.trusted == true)
      ) or 

      /* Dropbox */
      (process.name : "Dropbox.exe" and (process.code_signature.subject_name : "Dropbox, Inc" and
       process.code_signature.trusted == true) and dns.question.name : ("api.dropboxapi.com", "*.dropboxusercontent.com")
      ) or 

      /* Obsidian - Plugins are stored on raw.githubusercontent.com */
      (process.name : "Obsidian.exe" and (process.code_signature.subject_name : "Dynalist Inc" and
       process.code_signature.trusted == true) and dns.question.name : "raw.githubusercontent.com"
      ) or 

      /* WebExperienceHostApp */
      (process.name : "WebExperienceHostApp.exe" and (process.code_signature.subject_name : "Microsoft Windows" and
       process.code_signature.trusted == true) and dns.question.name : ("onedrive.live.com", "skyapi.onedrive.live.com")
      ) or

      (process.code_signature.subject_name : "Microsoft *" and process.code_signature.trusted == true and
       dns.question.name : ("*.sharepoint.com", "graph.microsoft.com", "g.live.com", "login.live.com", "login.live.com")) or

      (process.code_signature.trusted == true and
       process.code_signature.subject_name :
                             ("Johannes Schindelin",
                              "Redis Inc.",
                              "Slack Technologies, LLC",
                              "Cisco Systems, Inc.",
                              "Dropbox, Inc",
                              "Amazon.com Services LLC", 
                              "Island Technology Inc.", 
                              "GitHub, Inc.", 
                              "Red Hat, Inc"))
    )

Install detection rules in Elastic Security

Detect Connection to Commonly Abused Web Services in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).