- Tactics
- Command and Control
- Platforms
- ESXi, Linux, macOS, Windows
- Reference
- attack.mitre.org/techniques/T1102
Description
Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
Sub-techniques
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the Command and Control tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1001 - Data Obfuscation
- T1008 - Fallback Channels
- T1071 - Application Layer Protocol
- T1090 - Proxy
- T1092 - Communication Through Removable Media
- T1095 - Non-Application Layer Protocol
- T1104 - Multi-Stage Channels
- T1105 - Ingress Tool Transfer
- T1132 - Data Encoding
- T1205 - Traffic Signaling
- T1219 - Remote Access Tools
- T1568 - Dynamic Resolution