EXPLORE
Sign In
← Back to Explore
T1102.002

Bidirectional Communication

Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For examp...

LinuxmacOSWindowsESXi
14
Detections
3
Sources
16
Threat Actors

BY SOURCE

9elastic3sigma2splunk_escu

PROCEDURES (13)

Dns2 detections

Auto-extracted: 2 detections for dns

Bypass1 detections

Auto-extracted: 1 detections for bypass

Service1 detections

Auto-extracted: 1 detections for service

Persist1 detections

Auto-extracted: 1 detections for persist

C21 detections

Auto-extracted: 1 detections for c2

Command And Control1 detections

Auto-extracted: 1 detections for command and control

Command And Control1 detections

Auto-extracted: 1 detections for command and control

Persist1 detections

Auto-extracted: 1 detections for persist

Beacon1 detections

Auto-extracted: 1 detections for beacon

Bypass1 detections

Auto-extracted: 1 detections for bypass

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Beacon1 detections

Auto-extracted: 1 detections for beacon

Dns1 detections

Auto-extracted: 1 detections for dns

THREAT ACTORS (16)

APT12APT28APT37APT39CarbanakFIN7Gamaredon GroupHEXANEKimsukyLazarus GroupMagic HoundMuddyWaterPOLONIUMSandworm TeamTurlaZIRCONIUM

DETECTIONS (14)

AWS CLI Command with Custom Endpoint URL
elasticmedium
Connection to Common Large Language Model Endpoints
elasticmedium
Connection to Commonly Abused Web Services
elasticlow
Github Self-Hosted Runner Execution
sigmamedium
Google Calendar C2 via Script Interpreter
elastichigh
Linux Telegram API Request
elasticmedium
Potential Etherhiding C2 via Blockchain Connection
elastichigh
Potential Telegram API Request Via CommandLine
splunk_escu
Statistical Model Detected C2 Beaconing Activity
elasticlow
Statistical Model Detected C2 Beaconing Activity with High Confidence
elasticlow
Suspicious Curl to Google App Script Endpoint
elastichigh
Telegram API Access
sigmamedium
Telegram Bot API Request
sigmamedium
Windows DNS Query Request by Telegram Bot API
splunk_escu