T1102 Web Service Mappings

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-4 Information Flow Enforcement Protects T1102 Web Service
CA-7 Continuous Monitoring Protects T1102 Web Service
CM-2 Baseline Configuration Protects T1102 Web Service
CM-6 Configuration Settings Protects T1102 Web Service
CM-7 Least Functionality Protects T1102 Web Service
SC-7 Boundary Protection Protects T1102 Web Service
SI-3 Malicious Code Protection Protects T1102 Web Service
SI-4 System Monitoring Protects T1102 Web Service
azure_sentinel Azure Sentinel technique_scores T1102 Web Service

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1102.002 Bidirectional Communication 9
T1102.001 Dead Drop Resolver 8
T1102.003 One-Way Communication 8