T1481 Web Service
Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed).
| Item | Value |
|---|---|
| ID | T1481 |
| Sub-techniques | T1481.001, T1481.002, T1481.003 |
| Tactics | TA0037 |
| Platforms | Android, iOS |
| Version | 1.2 |
| Created | 01 February 2019 |
| Last Modified | 20 March 2023 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0041 | Application Vetting | Network Communication |