Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1102 | Web Service |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
|
| DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1102 | Web Service |
Comments
This diagnostic statement provides protection from Web Service by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries.
References
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1102 | Web Service |
Comments
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate malicious activity and identify adversaries that can relay data from a compromised systems through websites, cloud service, or social media.
References
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1102 | Web Service |
Comments
This diagnostic statement helps mitigate web service techniques through the implementation of tools and measures to detect and block access to unauthorized, inappropriate, or malicious websites and services.
References
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1102 | Web Service |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
References
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1102 | Web Service |
Comments
This diagnostic statement protects against Web Service through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1102 | Web Service | |
| CM-06 | Configuration Settings | mitigates | T1102 | Web Service | |
| SI-03 | Malicious Code Protection | mitigates | T1102 | Web Service | |
| CM-02 | Baseline Configuration | mitigates | T1102 | Web Service | |
| CM-07 | Least Functionality | mitigates | T1102 | Web Service | |
| SI-04 | System Monitoring | mitigates | T1102 | Web Service | |
| AC-04 | Information Flow Enforcement | mitigates | T1102 | Web Service | |
| SC-07 | Boundary Protection | mitigates | T1102 | Web Service |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1102 | Web Service | |
| action.hacking.vector.Other network service | Network service that is not remote access or a web application. | related-to | T1102 | Web Service | |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1102 | Web Service |
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1102.003 | One-Way Communication | 12 |
| T1102.002 | Bidirectional Communication | 12 |
| T1102.001 | Dead Drop Resolver | 14 |