Query Details

Netskope (Built-in) - LOTL C2 via Legitimate Services (GitHub/Pastebin/Google Docs)

61 NK BI LOTL C2 Legitimate Services

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let LotLDomains = dynamic([
    "raw.githubusercontent.com", "gist.githubusercontent.com", "gist.github.com",
    "pastebin.com", "paste.ee", "hastebin.com", "ghostbin.com", "rentry.co",
    "docs.google.com", "drive.google.com",
    "cdn.discordapp.com", "media.discordapp.net",
    "onedrive.live.com", "1drv.ms", "transfer.sh",
    "anonfiles.com", "gofile.io", "file.io"]);
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where isnotempty(domain_s)
| where domain_s has_any (LotLDomains)
| where isnotempty(user_s)
| where action_s !in ("block", "Block", "blocked", "Blocked")
| summarize
    RequestCount     = count(),
    TotalBytesRecv   = sum(todouble(bytes_downloaded_d)),
    TotalBytesSent   = sum(todouble(bytes_uploaded_d)),
    UniqueURLs       = dcount(url_s),
    URLSamples       = make_set(url_s, 10),
    FileTypes        = make_set(file_type_s, 5),
    SourceIPs        = make_set(srcip_s, 5),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by user_s, domain_s
| extend TotalMBReceived = round(toreal(TotalBytesRecv) / 1048576, 2)
| where TotalMBReceived > 20 or RequestCount > 100
| order by TotalMBReceived desc, RequestCount desc

Explanation

This query is designed to detect potential malicious activity, specifically "Living-Off-The-Land" (LOTL) command and control (C2) operations using legitimate online services like GitHub, Pastebin, Discord, and Google Docs. Here's a simplified breakdown:

  1. Purpose: The query identifies unusual or high-volume usage of certain legitimate services that might indicate C2 activity, which is a tactic where attackers use legitimate services to communicate with compromised systems.

  2. Data Source: It uses data from the NetskopeEvents_CL table, which logs events related to network activity.

  3. Detection Logic:

    • It checks for events in the last 24 hours (P1D).
    • It looks for network traffic involving specific domains associated with legitimate services (e.g., GitHub, Pastebin, Google Docs).
    • It excludes events where the action was blocked.
    • It aggregates data by user and domain, calculating metrics like the number of requests, total data received, and unique URLs accessed.
  4. Alert Criteria:

    • An alert is triggered if a user receives more than 20 MB of data or makes more than 100 requests to these domains.
    • The results are sorted by the amount of data received and the number of requests.
  5. Alert Details:

    • Alerts include details like the user involved, the domain accessed, the total data received, and the number of requests.
    • Alerts are formatted to display the user, domain, and data volume.
  6. Incident Management:

    • Incidents are created for detected activities.
    • Incidents are grouped by user accounts to manage related alerts together.

Overall, this query helps security teams monitor for potential misuse of legitimate services for malicious purposes, allowing them to respond to potential threats more effectively.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

NetskopeEventsUserDomainAccountDNSFileTypesSourceIPsURLsTimeGeneratedBytesReceivedSentRequestCountTotalMB

Operators

letdatatabledynamicunionisfuzzyagoisnotemptyhas_any!insummarizecountsumtodoubledcountmake_setminmaxextendroundtoreal/order bydesc

Severity

Medium

Tactics

CommandAndControl

MITRE Techniques

Frequency: PT1H

Period: P1D

Actions

GitHub