DET0581 Detect One-Way Web Service Command Channels
| Item | Value |
| --- | --- |
| ID | DET0581 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1102.003 (One-Way Communication)
Analytics
Windows
AN1599
Suspicious process initiating outbound connections to web services without corresponding response or return traffic, indicative of one-way command channels.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| DestinationDomain | Can tune for popular web services (e.g., googleapis.com, github.com) based on threat actor tooling |
| TimeWindow | May adjust temporal window to catch beaconing patterns (e.g., every 10-30 mins) |
| ProcessName | Environment-specific tuning to exclude expected update or telemetry tools |
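The following is an added worked example, not part of the DET0581 record or any ATT&CK tooling. It implements the AN1599 idea over constructed network-connection records (fields `ts|process|domain|bytes_out|bytes_in`, modelled loosely on what a Sysmon Event ID 3 plus flow telemetry would yield): group outbound connections by (process, destination), keep only watched web-service domains and non-excluded processes, and flag a group whose connections recur at a clock-like cadence inside the tuned window with effectively no return bytes. The domain list, process allowlist, window bounds, jitter and byte thresholds are the three mutable elements above expressed as tunables; all their values are assumptions.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Tunables mirroring the AN1599 mutable elements (all values are assumptions).
WATCHED_DOMAINS = ("googleapis.com", "github.com")   # DestinationDomain
EXCLUDED_PROCESSES = {"chrome.exe", "msedge.exe"}     # ProcessName: expected browser/update tools
MIN_INTERVAL = timedelta(minutes=10)                  # TimeWindow lower bound
MAX_INTERVAL = timedelta(minutes=30)                  # TimeWindow upper bound
MIN_EVENTS = 4        # connections needed before a cadence is judged at all
MAX_JITTER = 0.15     # pstdev/mean of the gaps between connections; lower is more clock-like
MAX_BYTES_IN = 256    # at or below this per connection counts as "no return traffic"


@dataclass(frozen=True)
class NetEvent:
    ts: datetime
    process: str
    domain: str
    bytes_out: int
    bytes_in: int


def parse_log(text: str) -> list[NetEvent]:
    """Parse constructed 'ts|process|domain|bytes_out|bytes_in' records."""
    events = []
    for line in text.strip().splitlines():
        ts, proc, domain, out_b, in_b = line.split("|")
        events.append(NetEvent(datetime.fromisoformat(ts), proc, domain.lower(), int(out_b), int(in_b)))
    return events


def is_watched(domain: str) -> bool:
    """Suffix match on a label boundary, so 'notgithub.com' does not match 'github.com'."""
    return any(domain == d or domain.endswith("." + d) for d in WATCHED_DOMAINS)


def find_one_way_beacons(events: list[NetEvent]) -> list[dict]:
    """Return (process, domain) pairs that beacon on a regular cadence with no return traffic."""
    groups: dict[tuple[str, str], list[NetEvent]] = defaultdict(list)
    for e in events:
        if e.process.lower() in EXCLUDED_PROCESSES or not is_watched(e.domain):
            continue
        groups[(e.process, e.domain)].append(e)

    findings = []
    for (proc, domain), evs in groups.items():
        if len(evs) < MIN_EVENTS:
            continue
        evs.sort(key=lambda e: e.ts)
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(evs, evs[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        in_window = MIN_INTERVAL.total_seconds() <= avg <= MAX_INTERVAL.total_seconds()
        one_way = max(e.bytes_in for e in evs) <= MAX_BYTES_IN
        if in_window and jitter <= MAX_JITTER and one_way:
            findings.append({"process": proc, "domain": domain, "connections": len(evs),
                             "avg_interval_s": avg, "jitter": jitter})
    return findings


# Constructed sample telemetry: one ~15-minute beacon with zero inbound bytes, a browser
# (excluded), a git client with irregular timing and large downloads, and a two-event updater.
SAMPLE_LOG = """
2025-10-21T09:00:00|beacon.exe|api.github.com|412|0
2025-10-21T09:15:00|beacon.exe|api.github.com|418|0
2025-10-21T09:30:10|beacon.exe|api.github.com|405|0
2025-10-21T09:45:05|beacon.exe|api.github.com|420|0
2025-10-21T09:01:00|chrome.exe|www.googleapis.com|1200|48000
2025-10-21T09:12:00|chrome.exe|www.googleapis.com|900|52000
2025-10-21T09:27:00|chrome.exe|www.googleapis.com|1100|39000
2025-10-21T09:44:00|chrome.exe|www.googleapis.com|1000|61000
2025-10-21T09:02:00|git.exe|github.com|3000|250000
2025-10-21T09:03:30|git.exe|github.com|2800|180000
2025-10-21T10:30:00|git.exe|github.com|3100|90000
2025-10-21T13:05:00|git.exe|github.com|2900|400000
2025-10-21T09:05:00|updater.exe|storage.googleapis.com|500|0
2025-10-21T09:20:00|updater.exe|storage.googleapis.com|500|0
"""

if __name__ == "__main__":
    for finding in find_one_way_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

Only `beacon.exe` is reported: its gaps (900 s, 910 s, 895 s) average inside the 10-30 minute window with near-zero jitter and no inbound bytes. The git client hits a watched domain but fails on both cadence and return traffic, and the updater never reaches `MIN_EVENTS`, which is the knob to raise if short bursts cause noise.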
Linux
AN1600
Curl, wget, or custom HTTP clients initiated by uncommon user accounts or cron jobs to popular web services, with no observed response parsing logic.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| ParentProcess | May tune to detect unknown parents like custom scripts or reverse shells |
| CommandLineArgs | May adjust based on known curl/wget C2 behaviors |
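The following is an added worked example, not part of the DET0581 record. It applies the AN1600 criteria to constructed process-execution records (`ts|user|parent|comm|cmdline`, the shape auditd or eBPF exec telemetry would give after normalisation): each curl/wget execution collects reasons (uncommon user, cron or unknown parent, output discarded, watched destination) and is reported once enough reasons stack up. "Output discarded" is used here as an observable stand-in for the analytic's "no observed response parsing logic", and the user list, parent lists, domain list and argument patterns are all assumed tuning values for the two mutable elements above.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Tunables mirroring the AN1600 mutable elements (all values are assumptions).
HTTP_CLIENTS = {"curl", "wget"}
EXPECTED_USERS = {"root", "deploy"}                          # accounts expected to run HTTP clients here
KNOWN_PARENTS = {"bash", "zsh", "apt-get", "dnf", "yum"}      # ParentProcess: expected launchers
CRON_PARENTS = {"cron", "crond", "anacron"}                   # ParentProcess: scheduled launchers
WATCHED_DOMAINS = ("googleapis.com", "github.com")           # popular web services
DISCARD_OUTPUT = ("-o /dev/null", "--output /dev/null", "-O /dev/null", "-qO- ")  # CommandLineArgs
MIN_REASONS = 3                                               # alert threshold

URL_HOST = re.compile(r"https?://([^/\s:]+)")


@dataclass(frozen=True)
class ExecEvent:
    ts: str
    user: str
    parent: str
    comm: str
    cmdline: str


def parse_log(text: str) -> list[ExecEvent]:
    """Parse constructed 'ts|user|parent|comm|cmdline' records; cmdline is the final field."""
    return [ExecEvent(*line.split("|", 4)) for line in text.strip().splitlines()]


def reasons_for(ev: ExecEvent) -> list[str]:
    """Collect the AN1600 indicators that apply to one curl/wget execution."""
    if ev.comm not in HTTP_CLIENTS:
        return []
    reasons = []
    if ev.user not in EXPECTED_USERS:
        reasons.append("uncommon-user")
    if ev.parent in CRON_PARENTS:
        reasons.append("cron-parent")
    elif ev.parent not in KNOWN_PARENTS:
        reasons.append("unknown-parent")
    if any(pattern in ev.cmdline for pattern in DISCARD_OUTPUT):
        reasons.append("output-discarded")
    match = URL_HOST.search(ev.cmdline)
    host = match.group(1).lower() if match else ""
    if any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS):
        reasons.append("watched-domain")
    return reasons


def find_suspicious_fetches(events: list[ExecEvent], min_reasons: int = MIN_REASONS) -> list[dict]:
    """Report executions whose indicator count reaches the threshold."""
    out = []
    for ev in events:
        reasons = reasons_for(ev)
        if len(reasons) >= min_reasons:
            out.append({"ts": ev.ts, "user": ev.user, "parent": ev.parent,
                        "comm": ev.comm, "reasons": reasons})
    return out


# Constructed sample records; paths and org names are placeholders.
SAMPLE_LOG = """
2025-10-21T03:00:00|www-data|crond|curl|curl -s -o /dev/null https://storage.googleapis.com/bucket-placeholder/tasks.txt
2025-10-21T08:12:00|deploy|bash|curl|curl -fsSL https://github.com/org-placeholder/tool/releases/download/v1.2/tool.tar.gz -o tool.tar.gz
2025-10-21T10:45:00|root|apt-get|wget|wget -q https://deb.debian.org/debian/pool/main/placeholder.deb
2025-10-21T11:03:00|games|sh|wget|wget -qO- https://api.github.com/repos/org-placeholder/notes/contents/cmd.txt
2025-10-21T12:00:00|deploy|bash|curl|curl -o /dev/null https://api.github.com/
"""

if __name__ == "__main__":
    for finding in find_suspicious_fetches(parse_log(SAMPLE_LOG)):
        print(finding)
```

With the threshold at three, the cron-launched fetch by `www-data` and the `sh`-launched fetch by `games` are reported, while the deploy user's health-check style `curl -o /dev/null` against a watched domain collects only two reasons and stays quiet; lowering `MIN_REASONS` to two surfaces it, which is the trade-off the ParentProcess and CommandLineArgs tuning notes describe.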
macOS
AN1601
Process using URLSession or similar API to fetch from web services without any response handling, indicative of one-way C2 channels.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| UserContext | Flag unexpected outbound activity from non-admin or system users |
| EntropyScore | Optional if script-based obfuscation is seen in web requests |
ESXi
AN1602
ESXi shell or scheduled tasks initiating outbound HTTPS to known public services without inbound return or loggable response, used to fetch instructions.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| ScheduledTaskName | Can tune for task names used to execute curl-based outbound requests |
| DestinationIP | Scoped by environment to exclude known legitimate CDNs |