Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-4 | Information Flow Enforcement | Protects | T1102 | Web Service |
| CA-7 | Continuous Monitoring | Protects | T1102 | Web Service |
| CM-2 | Baseline Configuration | Protects | T1102 | Web Service |
| CM-6 | Configuration Settings | Protects | T1102 | Web Service |
| CM-7 | Least Functionality | Protects | T1102 | Web Service |
| SC-7 | Boundary Protection | Protects | T1102 | Web Service |
| SI-3 | Malicious Code Protection | Protects | T1102 | Web Service |
| SI-4 | System Monitoring | Protects | T1102 | Web Service |
| action.hacking.variety.Use of backdoor or C2 | Use of Backdoor or C2 channel | related-to | T1102 | Web Service |
| action.hacking.vector.Backdoor or C2 | Backdoor or command and control channel | related-to | T1102 | Web Service |
| action.malware.variety.C2 | Command and control (C2) | related-to | T1102 | Web Service |
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1102.002 | Bidirectional Communication | 9 |
| T1102.001 | Dead Drop Resolver | 9 |
| T1102.003 | One-Way Communication | 9 |