T1102 Web Service Mappings

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise. (Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1102 | Web Service | |
| CM-06 | Configuration Settings | mitigates | T1102 | Web Service | |
| SI-03 | Malicious Code Protection | mitigates | T1102 | Web Service | |
| CM-02 | Baseline Configuration | mitigates | T1102 | Web Service | |
| CM-07 | Least Functionality | mitigates | T1102 | Web Service | |
| SI-04 | System Monitoring | mitigates | T1102 | Web Service | |
| AC-04 | Information Flow Enforcement | mitigates | T1102 | Web Service | |
| SC-07 | Boundary Protection | mitigates | T1102 | Web Service | |

VERIS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1102 | Web Service | |
| action.hacking.vector.Other network service | Network service that is not remote access or a web application. | related-to | T1102 | Web Service | |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1102 | Web Service | |

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1102.003 | One-Way Communication | 8 |
| T1102.002 | Bidirectional Communication | 8 |
| T1102.001 | Dead Drop Resolver | 10 |