Query Details

Netskope - LOTL C2 via Legitimate Services (GitHub/Pastebin/Google Docs)

47 NK LOTL C2 Legitimate Services

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
let LotLDomains = dynamic([
    "raw.githubusercontent.com", "gist.githubusercontent.com", "gist.github.com",
    "pastebin.com", "paste.ee", "hastebin.com", "ghostbin.com", "rentry.co",
    "docs.google.com", "drive.google.com",
    "cdn.discordapp.com", "media.discordapp.net",
    "onedrive.live.com", "1drv.ms", "transfer.sh",
    "anonfiles.com", "gofile.io", "file.io"]);
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where isnotempty(domain_s)
| where domain_s has_any (LotLDomains)
| where isnotempty(user_s)
| where action_s !in ("block", "Block", "blocked", "Blocked")
| summarize
    RequestCount     = count(),
    TotalBytesRecv   = sum(todouble(bytes_downloaded_d)),
    TotalBytesSent   = sum(todouble(bytes_uploaded_d)),
    UniqueURLs       = dcount(url_s),
    URLSamples       = make_set(url_s, 10),
    FileTypes        = make_set(file_type_s, 5),
    SourceIPs        = make_set(srcip_s, 5),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by user_s, domain_s
| extend TotalMBReceived = round(toreal(TotalBytesRecv) / 1048576, 2)
| where TotalMBReceived > 20 or RequestCount > 100
| project
    user_s, domain_s,
    RequestCount, TotalMBReceived, TotalBytesSent,
    URLSamples, FileTypes,
    FirstSeen, LastSeen
| order by TotalMBReceived desc, RequestCount desc

Explanation

This query is designed to detect suspicious activity that might indicate the use of legitimate online services for malicious purposes, specifically for command-and-control (C2) operations. Here's a simplified breakdown:

  1. Purpose: The query identifies potential misuse of popular online platforms like GitHub, Pastebin, Google Docs, Discord, and others for malicious activities, often referred to as "Living-Off-The-Land" (LOTL) techniques. These platforms are used by attackers to communicate with compromised systems without raising suspicion.

  2. Data Source: It uses data from Netskope Web Transactions to analyze web traffic.

  3. Detection Criteria:

    • It looks for web traffic to a list of known domains associated with these platforms.
    • It excludes any traffic that was blocked.
    • It focuses on users who have downloaded more than 20 MB of data or made more than 100 requests to these domains within the last day.
  4. Output:

    • The query summarizes the activity by user and domain, including the number of requests, total data downloaded, unique URLs accessed, and other details.
    • It highlights users and domains with significant data transfer or request counts.
  5. Alerting:

    • If the criteria are met, an alert is generated with details about the user, domain, and amount of data transferred.
    • The alert is configured to create an incident in the security system for further investigation.
  6. Severity and Techniques:

    • The severity of the alert is set to medium.
    • It maps to MITRE ATT&CK techniques T1102 (Web Service) and T1105 (Ingress Tool Transfer), which are related to using web services for malicious purposes.

Overall, this query helps security teams identify and investigate potential misuse of legitimate services for malicious command-and-control activities.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeWebTx_CL

Keywords

NetskopeWebTransactionsUserDomainSourceIPURLFileTypeAccountDNS

Operators

letdatatabledynamicunionisfuzzyagoisnotemptyhas_any!insummarizecountsumtodoubledcountmake_setminmaxextendroundtoreal/>orprojectorder bydesc

Severity

Medium

Tactics

CommandAndControl

MITRE Techniques

Frequency: PT1H

Period: P1D

Actions

GitHub