
Summary
This rule identifies potential command and control (C2) communications initiated by processes connecting to commonly abused web services, which adversaries may use for exfiltration or data transfer. Such activity often blends in with legitimate traffic, especially in organizations that already use these services. The EQL query inspects network events on Windows hosts, matching DNS requests made by non-system accounts to known service domains (e.g., Dropbox, Google Drive) while excluding trusted processes and processes running from expected program directories. It also includes several investigative steps via Elastic Defend and Osquery to validate the presence of potentially malicious processes and their network activity. The rule aims to improve detection of C2 activity that may otherwise evade standard detection mechanisms because it relies on legitimate web services.
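The three filtering conditions described above (non-system account, destination in a list of abused service domains, process not trusted and not running from an expected program directory), written out as an added Python sketch run over constructed sample events. This is illustrative code added here, not the rule's own EQL query; the domain list, the system-account names, the trusted directories and the trusted process names are assumptions chosen for the example and are not the rule's actual constants.

```python
from dataclasses import dataclass

# Assumed list of commonly abused services (illustrative, not the rule's own list).
ABUSED_SERVICE_DOMAINS = {
    "dropbox.com",
    "drive.google.com",
    "docs.google.com",
    "onedrive.live.com",
    "pastebin.com",
}

# Assumed: accounts whose lookups the rule treats as system context and ignores.
SYSTEM_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

# Assumed: directories from which legitimate client software is expected to run.
# Plain strings with escaped backslashes; a raw string cannot end in a backslash.
TRUSTED_PROGRAM_DIRS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Assumed: process names treated as known-good clients of these services.
TRUSTED_PROCESSES = {"dropbox.exe", "onedrive.exe", "googledrivefs.exe"}


@dataclass
class DnsEvent:
    """Minimal model of a Windows DNS-lookup event from an endpoint sensor."""
    process_name: str
    process_path: str
    user_name: str
    query_name: str


def _domain_matches(query_name: str) -> bool:
    """True if the looked-up name is an abused-service domain or a subdomain of one."""
    q = query_name.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in ABUSED_SERVICE_DOMAINS)


def is_suspicious(ev: DnsEvent) -> bool:
    """Apply the rule's three conditions to a single event."""
    # 1. Lookups made in a system account context are out of scope.
    if ev.user_name.upper() in SYSTEM_ACCOUNTS:
        return False
    # 2. Only lookups of the abused-service domains are of interest.
    if not _domain_matches(ev.query_name):
        return False
    # 3. Known clients and anything installed under Program Files are excluded,
    #    so what remains is e.g. a LOLBin or a binary in a user-writable path.
    if ev.process_name.lower() in TRUSTED_PROCESSES:
        return False
    if ev.process_path.lower().startswith(TRUSTED_PROGRAM_DIRS):
        return False
    return True


def find_suspicious(events):
    """Return the events that would fire the detection, in input order."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    DnsEvent("powershell.exe",
             r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             "jdoe", "api.dropbox.com"),                      # fires: LOLBin, user context
    DnsEvent("Dropbox.exe",
             r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe",
             "jdoe", "api.dropbox.com"),                      # excluded: trusted client
    DnsEvent("svchost.exe", r"C:\Windows\System32\svchost.exe",
             "SYSTEM", "drive.google.com"),                   # excluded: system account
    DnsEvent("chrome.exe",
             r"C:\Program Files\Google\Chrome\Application\chrome.exe",
             "jdoe", "docs.google.com"),                      # excluded: program directory
    DnsEvent("update.exe", r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
             "jdoe", "pastebin.com"),                         # fires: user-writable path
    DnsEvent("update.exe", r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
             "jdoe", "example.com"),                          # excluded: domain not listed
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT {ev.user_name} {ev.process_path} -> {ev.query_name}")
```

The second and fourth sample events show why the program-directory exclusion matters: the same domains are looked up by the legitimate Dropbox client and by a browser, and without that exclusion the rule would alert on them constantly in any organization that uses these services. The trade-off is that a binary copied into Program Files by an attacker with local admin rights would also be excluded, which is why the rule pairs the match with the Elastic Defend and Osquery investigation steps rather than treating a hit as conclusive.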
Categories
- Endpoint
- Windows
Data Sources
- Network Traffic
- Process
ATT&CK Techniques
- T1102
- T1568
- T1568.002
- T1567
- T1567.001
- T1567.002
Created: 2020-11-04