Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CA-07 | Continuous Monitoring | mitigates | T1102 | Web Service | |
CM-06 | Configuration Settings | mitigates | T1102 | Web Service | |
SI-03 | Malicious Code Protection | mitigates | T1102 | Web Service | |
CM-02 | Baseline Configuration | mitigates | T1102 | Web Service | |
CM-07 | Least Functionality | mitigates | T1102 | Web Service | |
SI-04 | System Monitoring | mitigates | T1102 | Web Service | |
AC-04 | Information Flow Enforcement | mitigates | T1102 | Web Service | |
SC-07 | Boundary Protection | mitigates | T1102 | Web Service |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1102 | Web Service | |
action.hacking.vector.Other network service | Network service that is not remote access or a web application. | related-to | T1102 | Web Service | |
action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1102 | Web Service |
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1102.003 | One-Way Communication | 8 |
T1102.002 | Bidirectional Communication | 8 |
T1102.001 | Dead Drop Resolver | 10 |