Netskope (Built-in) - LOTL C2 via Legitimate Services (GitHub/Pastebin/Google Docs)
61 NK BI LOTL C2 Legitimate Services
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let LotLDomains = dynamic([
"raw.githubusercontent.com", "gist.githubusercontent.com", "gist.github.com",
"pastebin.com", "paste.ee", "hastebin.com", "ghostbin.com", "rentry.co",
"docs.google.com", "drive.google.com",
"cdn.discordapp.com", "media.discordapp.net",
"onedrive.live.com", "1drv.ms", "transfer.sh",
"anonfiles.com", "gofile.io", "file.io"]);
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where isnotempty(domain_s)
| where domain_s has_any (LotLDomains)
| where isnotempty(user_s)
| where action_s !in ("block", "Block", "blocked", "Blocked")
| summarize
RequestCount = count(),
TotalBytesRecv = sum(todouble(bytes_downloaded_d)),
TotalBytesSent = sum(todouble(bytes_uploaded_d)),
UniqueURLs = dcount(url_s),
URLSamples = make_set(url_s, 10),
FileTypes = make_set(file_type_s, 5),
SourceIPs = make_set(srcip_s, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by user_s, domain_s
| extend TotalMBReceived = round(toreal(TotalBytesRecv) / 1048576, 2)
| where TotalMBReceived > 20 or RequestCount > 100
| order by TotalMBReceived desc, RequestCount descExplanation
This query is designed to detect potential malicious activity, specifically "Living-Off-The-Land" (LOTL) command and control (C2) operations using legitimate online services like GitHub, Pastebin, Discord, and Google Docs. Here's a simplified breakdown:
-
Purpose: The query identifies unusual or high-volume usage of certain legitimate services that might indicate C2 activity, which is a tactic where attackers use legitimate services to communicate with compromised systems.
-
Data Source: It uses data from the
NetskopeEvents_CLtable, which logs events related to network activity. -
Detection Logic:
- It checks for events in the last 24 hours (
P1D). - It looks for network traffic involving specific domains associated with legitimate services (e.g., GitHub, Pastebin, Google Docs).
- It excludes events where the action was blocked.
- It aggregates data by user and domain, calculating metrics like the number of requests, total data received, and unique URLs accessed.
- It checks for events in the last 24 hours (
-
Alert Criteria:
- An alert is triggered if a user receives more than 20 MB of data or makes more than 100 requests to these domains.
- The results are sorted by the amount of data received and the number of requests.
-
Alert Details:
- Alerts include details like the user involved, the domain accessed, the total data received, and the number of requests.
- Alerts are formatted to display the user, domain, and data volume.
-
Incident Management:
- Incidents are created for detected activities.
- Incidents are grouped by user accounts to manage related alerts together.
Overall, this query helps security teams monitor for potential misuse of legitimate services for malicious purposes, allowing them to respond to potential threats more effectively.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT1H
Period: P1D