1. Home
  2. ATT&CK Techniques
  3. T1102 Web Service

T1102 Web Service Mappings

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-4 Information Flow Enforcement Protects T1102 Web Service
CA-7 Continuous Monitoring Protects T1102 Web Service
CM-2 Baseline Configuration Protects T1102 Web Service
CM-6 Configuration Settings Protects T1102 Web Service
CM-7 Least Functionality Protects T1102 Web Service
SC-7 Boundary Protection Protects T1102 Web Service
SI-3 Malicious Code Protection Protects T1102 Web Service
SI-4 System Monitoring Protects T1102 Web Service
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1102 Web Service
action.hacking.vector.Other network service Network service that is not remote access or a web application. related-to T1102 Web Service
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1102 Web Service
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1102 Web Service

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1102.003 One-Way Communication 10
T1102.002 Bidirectional Communication 10
T1102.001 Dead Drop Resolver 10