Netskope - LOTL C2 via Legitimate Services (GitHub/Pastebin/Google Docs)
47 NK LOTL C2 Legitimate Services
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
let LotLDomains = dynamic([
"raw.githubusercontent.com", "gist.githubusercontent.com", "gist.github.com",
"pastebin.com", "paste.ee", "hastebin.com", "ghostbin.com", "rentry.co",
"docs.google.com", "drive.google.com",
"cdn.discordapp.com", "media.discordapp.net",
"onedrive.live.com", "1drv.ms", "transfer.sh",
"anonfiles.com", "gofile.io", "file.io"]);
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where isnotempty(domain_s)
| where domain_s has_any (LotLDomains)
| where isnotempty(user_s)
| where action_s !in ("block", "Block", "blocked", "Blocked")
| summarize
RequestCount = count(),
TotalBytesRecv = sum(todouble(bytes_downloaded_d)),
TotalBytesSent = sum(todouble(bytes_uploaded_d)),
UniqueURLs = dcount(url_s),
URLSamples = make_set(url_s, 10),
FileTypes = make_set(file_type_s, 5),
SourceIPs = make_set(srcip_s, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by user_s, domain_s
| extend TotalMBReceived = round(toreal(TotalBytesRecv) / 1048576, 2)
| where TotalMBReceived > 20 or RequestCount > 100
| project
user_s, domain_s,
RequestCount, TotalMBReceived, TotalBytesSent,
URLSamples, FileTypes,
FirstSeen, LastSeen
| order by TotalMBReceived desc, RequestCount descExplanation
This query is designed to detect suspicious activity that might indicate the use of legitimate online services for malicious purposes, specifically for command-and-control (C2) operations. Here's a simplified breakdown:
-
Purpose: The query identifies potential misuse of popular online platforms like GitHub, Pastebin, Google Docs, Discord, and others for malicious activities, often referred to as "Living-Off-The-Land" (LOTL) techniques. These platforms are used by attackers to communicate with compromised systems without raising suspicion.
-
Data Source: It uses data from Netskope Web Transactions to analyze web traffic.
-
Detection Criteria:
- It looks for web traffic to a list of known domains associated with these platforms.
- It excludes any traffic that was blocked.
- It focuses on users who have downloaded more than 20 MB of data or made more than 100 requests to these domains within the last day.
-
Output:
- The query summarizes the activity by user and domain, including the number of requests, total data downloaded, unique URLs accessed, and other details.
- It highlights users and domains with significant data transfer or request counts.
-
Alerting:
- If the criteria are met, an alert is generated with details about the user, domain, and amount of data transferred.
- The alert is configured to create an incident in the security system for further investigation.
-
Severity and Techniques:
- The severity of the alert is set to medium.
- It maps to MITRE ATT&CK techniques T1102 (Web Service) and T1105 (Ingress Tool Transfer), which are related to using web services for malicious purposes.
Overall, this query helps security teams identify and investigate potential misuse of legitimate services for malicious command-and-control activities.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT1H
Period: P1D