1. Home
  2. ATT&CK Techniques
  3. T1102 Web Service

T1102 Web Service

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
DE.AE-02.01 Event analysis and detection Mitigates T1102 Web Service
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
    DE.CM-01.03 Unauthorized network connections and data transfers Mitigates T1102 Web Service
    Comments
    This diagnostic statement provides protection from Web Service by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries.
    References
      DE.CM-01.01 Intrusion detection and prevention Mitigates T1102 Web Service
      Comments
      Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate malicious activity and identify adversaries that can relay data from a compromised systems through websites, cloud service, or social media.
      References
        DE.CM-01.05 Website and service blocking Mitigates T1102 Web Service
        Comments
        This diagnostic statement helps mitigate web service techniques through the implementation of tools and measures to detect and block access to unauthorized, inappropriate, or malicious websites and services.
        References
          PR.IR-04.01 Utilization monitoring Mitigates T1102 Web Service
          Comments
          This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
          References
            PR.IR-01.03 Network communications integrity and availability Mitigates T1102 Web Service
            Comments
            This diagnostic statement protects against Web Service through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
            References

              NIST 800-53 Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              CA-07 Continuous Monitoring mitigates T1102 Web Service
              CM-06 Configuration Settings mitigates T1102 Web Service
              SI-03 Malicious Code Protection mitigates T1102 Web Service
              CM-02 Baseline Configuration mitigates T1102 Web Service
              CM-07 Least Functionality mitigates T1102 Web Service
              SI-04 System Monitoring mitigates T1102 Web Service
              AC-04 Information Flow Enforcement mitigates T1102 Web Service
              SC-07 Boundary Protection mitigates T1102 Web Service

              VERIS Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1102 Web Service
              action.hacking.vector.Other network service Network service that is not remote access or a web application. related-to T1102 Web Service
              action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1102 Web Service

              Azure Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              microsoft_sentinel Microsoft Sentinel technique_scores T1102 Web Service
              Comments
              This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
              References
              1. https://learn.microsoft.com/en-us/azure/sentinel/overview
              2. https://learn.microsoft.com/en-us/azure/sentinel/hunting

              ATT&CK Subtechniques

              Technique ID Technique Name Number of Mappings
              T1102.003 One-Way Communication 12
              T1102.002 Bidirectional Communication 13
              T1102.001 Dead Drop Resolver 14