Web Service (T1102)
Tactic: Command and Control · Platforms: ESXi, Linux, macOS, Windows
The interactive view maps 1 detection strategy, 2 mitigations, 15 threat groups, 30 software entries, 4 campaigns to this technique, alongside D3FEND countermeasures and data-component coverage.
Overview
Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
Sub-techniques
- Dead Drop Resolver (T1102.001)
- Bidirectional Communication (T1102.002)
- One-Way Communication (T1102.003)