Description
Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
Platforms
Sub-Techniques (3)
Mitigations (2)
| ID | Mitigation | Description |
|---|---|---|
| M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
| M1021 | Restrict Web-Based Content | Web proxies can be used to enforce external network communication policy that prevents use of unauthorized external services. |
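Neither mitigation above helps much when the abused service is one the organisation legitimately uses, so in practice the proxy logs that M1021 relies on are also the main hunting source. The script below is an added example, not part of the ATT&CK page or of any tool it describes. It runs two of the behavioural checks the description implies over a constructed, space-separated proxy log (the format, the hostnames in `WATCHED_SERVICES`, the client addresses and every byte count are assumptions for illustration): a client that sends far more data to a web service than it receives (one-way exfiltration or status reporting), and a client that polls the same web-service host on a fixed timer (a dead-drop or check-in loop).

```python
"""Hunt proxy logs for legitimate web services being used as C2 (ATT&CK T1102).

Added example, not code from the ATT&CK page. Log format and all sample data
below are constructed for illustration; adapt parse_log() to your proxy.
"""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlparse

# Web services that groups/malware on this page are documented to abuse.
# Assumed watch-list; extend it from your own proxy categorisation data.
WATCHED_SERVICES = {
    "pastebin.com", "paste.ee", "api.telegram.org", "discord.com",
    "cdn.discordapp.com", "api.dropboxapi.com", "content.dropboxapi.com",
    "graph.microsoft.com", "raw.githubusercontent.com", "iplogger.org",
}

# Constructed sample log (not real traffic). Fields:
# epoch_seconds client_ip method url status bytes_client_sent bytes_client_received
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET https://pastebin.com/raw/AbCdEf 200 412 98
1700000060 10.0.0.5 GET https://pastebin.com/raw/AbCdEf 200 412 98
1700000122 10.0.0.5 GET https://pastebin.com/raw/AbCdEf 200 412 98
1700000181 10.0.0.5 GET https://pastebin.com/raw/AbCdEf 200 412 98
1700000242 10.0.0.5 GET https://pastebin.com/raw/AbCdEf 200 412 98
1700000302 10.0.0.5 GET https://pastebin.com/raw/AbCdEf 200 412 98
1700000010 10.0.0.5 GET https://www.google.com/search?q=proxy 200 650 48211
1700000015 10.0.0.7 POST https://api.telegram.org/botTOKEN/sendDocument 200 1843200 512
1700000020 10.0.0.9 GET https://raw.githubusercontent.com/org/repo/main/README.md 200 380 2210
1700000320 10.0.0.9 GET https://raw.githubusercontent.com/org/repo/main/setup.sh 200 392 9104
1700000332 10.0.0.9 GET https://raw.githubusercontent.com/org/repo/main/LICENSE 200 388 1102
1700001232 10.0.0.9 GET https://raw.githubusercontent.com/org/repo/main/docs.md 200 389 4400
"""


def parse_log(text):
    """Parse the constructed log format into dicts keyed by field name."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, sent, recv = line.split()
        records.append({
            "ts": int(ts), "client": client, "method": method, "url": url,
            "host": urlparse(url).hostname, "status": int(status),
            "sent": int(sent), "recv": int(recv),
        })
    return records


def beacon_score(timestamps):
    """Coefficient of variation of inter-request gaps (0.0 = perfectly periodic).

    Returns None when there are too few gaps to judge.
    """
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def find_web_service_c2(records, min_requests=5, max_cv=0.15,
                        min_upload=1_000_000, min_ratio=10.0):
    """Return findings for (client, host) pairs that look like T1102 abuse."""
    flows = defaultdict(list)
    for r in records:
        if r["host"] in WATCHED_SERVICES:
            flows[(r["client"], r["host"])].append(r)

    findings = []
    for (client, host), reqs in sorted(flows.items()):
        reqs.sort(key=lambda r: r["ts"])
        sent = sum(r["sent"] for r in reqs)
        recv = sum(r["recv"] for r in reqs)

        # Signal 1: the client pushes far more bytes than it pulls. Normal use of
        # a paste/chat/drive site is download-heavy; the reverse suggests exfil.
        if sent >= min_upload and sent / max(recv, 1) >= min_ratio:
            findings.append({"client": client, "host": host,
                             "signal": "upload_heavy", "sent": sent, "recv": recv})

        # Signal 2: the same host is hit on a near-constant interval, i.e. a
        # timer-driven check-in rather than a human clicking around.
        if len(reqs) >= min_requests:
            stamps = [r["ts"] for r in reqs]
            cv = beacon_score(stamps)
            if cv is not None and cv <= max_cv:
                gaps = [b - a for a, b in zip(stamps, stamps[1:])]
                findings.append({"client": client, "host": host, "signal": "beacon",
                                 "requests": len(reqs), "interval_s": round(mean(gaps)),
                                 "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_web_service_c2(parse_log(SAMPLE_LOG)):
        print(f)
```

Two caveats a practitioner will run into: with TLS the proxy sees only the hostname (from the CONNECT request or SNI) unless it decrypts, so the byte counters are whole-connection totals and the URL path is unavailable; and legitimate clients such as OneDrive or Dropbox sync agents also poll on a timer, so the beacon check should be run against a per-host baseline and joined to EDR process data (which process opened the connection) before it is promoted to an alert.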
Threat Groups (15)
| ID | Group | Context |
|---|---|---|
| G1039 | RedCurl | [RedCurl](https://attack.mitre.org/groups/G1039) has used web services to download malicious files.(Citation: group-ib_redcurl1)(Citation: group-ib_re... |
| G0100 | Inception | [Inception](https://attack.mitre.org/groups/G0100) has incorporated at least five different cloud service providers into their C2 infrastructure inclu... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized Telegram API for C2.(Citation: DOJ FBI Handala Hack March 2026)(Citation: FBI IC3... |
| G0106 | Rocke | [Rocke](https://attack.mitre.org/groups/G0106) has used Pastebin, Gitee, and GitLab for Command and Control.(Citation: Anomali Rocke March 2019)(Citat... |
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has used Pastebin and Google Storage to host content for their operations.(Citation: FireEye FIN6 Apr 20... |
| G0140 | LazyScripter | [LazyScripter](https://attack.mitre.org/groups/G0140) has used GitHub to host its payloads to operate spam campaigns.(Citation: MalwareBytes LazyScrip... |
| G0061 | FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has used <code>sslip.io</code>, a free IP to domain mapping service that also makes SSL certificate gene... |
| G1011 | EXOTIC LILY | [EXOTIC LILY](https://attack.mitre.org/groups/G1011) has used file-sharing services including WeTransfer, TransferNow, and OneDrive to deliver payload... |
| G1044 | APT42 | [APT42](https://attack.mitre.org/groups/G1044) has used various links, such as links with typo-squatted domains, links to Dropbox files and links to f... |
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has used Amazon Web Services to host C2.(Citation: ClearSky Pay2Kitten December 2020) |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has used legitimate web services including Pastebin, Dropbox, and GitHub for C2 communications.(Citatio... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has used DropBox URLs to deliver variants of [PlugX](https://attack.mitre.org/software/S0013).(... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used GitHub repositories for downloaders which will be obtained by the group's .NET execu... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) has used Dropbox, Amazon S3, and Google Drive to host malicious downloads.(Citation: Volexity Ocean Lot... |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has leveraged iplogger.org to send collected data back to C2.(Citation: Aqua TeamTNT August 2020)(Cit... |
Associated Software (30)
| ID | Name | Type | Context |
|---|---|---|---|
| S1147 | Nightdoor | Malware | [Nightdoor](https://attack.mitre.org/software/S1147) can utilize Microsoft OneDrive or Google Drive for command and control purposes.(Citation: ESET E... |
| S1160 | Latrodectus | Malware | [Latrodectus](https://attack.mitre.org/software/S1160) has used Google Firebase to download malicious installation scripts.(Citation: Palo Alto Latrod... |
| S1086 | Snip3 | Malware | [Snip3](https://attack.mitre.org/software/S1086) can download additional payloads from web services including Pastebin and top4top.(Citation: Morphise... |
| S1130 | Raspberry Robin | Malware | [Raspberry Robin](https://attack.mitre.org/software/S1130) second stage payloads can be hosted as RAR files, containing a malicious EXE and DLL, on Di... |
| S0335 | Carbon | Malware | [Carbon](https://attack.mitre.org/software/S0335) can use Pastebin to receive C2 commands.(Citation: Accenture HyperStack October 2020) |
| S9019 | PureCrypter | Malware | [PureCrypter](https://attack.mitre.org/software/S9019) can use Telegram or Discord to send infection status messages.(Citation: Zscaler PureCrypter JU... |
| S9031 | AshTag | Malware | [AshTag](https://attack.mitre.org/software/S9031) can download malicious payloads from file sharing services.(Citation: Palo Alto Ashen Lepus DEC 2025... |
| S0635 | BoomBox | Malware | [BoomBox](https://attack.mitre.org/software/S0635) can download files from Dropbox using a hardcoded access token.(Citation: MSTIC Nobelium Toolset Ma... |
| S0546 | SharpStage | Malware | [SharpStage](https://attack.mitre.org/software/S0546) has used a legitimate web service for evading detection.(Citation: Cybereason Molerats Dec 2020)... |
| S0649 | SMOKEDHAM | Malware | [SMOKEDHAM](https://attack.mitre.org/software/S0649) has used Google Drive and Dropbox to host files downloaded by victims via malicious links.(Citati... |
| S0547 | DropBook | Malware | [DropBook](https://attack.mitre.org/software/S0547) can communicate with its operators by exploiting the Simplenote, DropBox, and the social media pla... |
| S1039 | Bumblebee | Malware | [Bumblebee](https://attack.mitre.org/software/S1039) has been downloaded to victim's machines from OneDrive.(Citation: Proofpoint Bumblebee April 2022... |
| S1178 | ShrinkLocker | Malware | [ShrinkLocker](https://attack.mitre.org/software/S1178) uses a subdomain on the legitimate Cloudflare resource "trycloudflare[.]com" to obfuscate the ... |
| S0601 | Hildegard | Malware | [Hildegard](https://attack.mitre.org/software/S0601) has downloaded scripts from GitHub.(Citation: Unit 42 Hildegard Malware) |
| S1240 | RedLine Stealer | Malware | [RedLine Stealer](https://attack.mitre.org/software/S1240) has leveraged legitimate file sharing web services to host malicious payloads.(Citation: Pr... |
| S1081 | BADHATCH | Malware | [BADHATCH](https://attack.mitre.org/software/S1081) can be utilized to abuse `sslip.io`, a free IP to domain mapping service, as part of actor-control... |
| S0589 | Sibot | Malware | [Sibot](https://attack.mitre.org/software/S0589) has used a legitimate compromised website to download DLLs to the victim's machine.(Citation: MSTIC N... |
| S0198 | NETWIRE | Malware | [NETWIRE](https://attack.mitre.org/software/S0198) has used web services including Paste.ee to host payloads.(Citation: FireEye NETWIRE March 2019) |
| S0674 | CharmPower | Malware | [CharmPower](https://attack.mitre.org/software/S0674) can download additional modules from actor-controlled Amazon S3 buckets.(Citation: Check Point A... |
| S0689 | WhisperGate | Malware | [WhisperGate](https://attack.mitre.org/software/S0689) can download additional payloads hosted on a Discord channel.(Citation: Crowdstrike WhisperGate... |
References
- Broadcom. (2024, May 2). BirdyClient malware leverages Microsoft Graph API for C&C communication. Retrieved July 1, 2024.
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
Frequently Asked Questions
What is T1102 (Web Service)?
T1102 is a MITRE ATT&CK technique named 'Web Service'. It belongs to the Command and Control tactic. Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for...
How can T1102 be detected?
Because the destinations are legitimate services that hosts in the network already talk to, domain or IP reputation alone will not catch T1102. Detection rests on behaviour in proxy, network, and endpoint telemetry: flows whose volume or direction is unusual for the service (for example a client sending far more data to a paste or chat site than it receives), fixed-interval polling of the same resource, requests whose User-Agent or API usage does not match the service's legitimate client, and connections to those services opened by a process that is not the expected browser or sync client. Correlate the network view with EDR process-to-connection data and alert in the SIEM on deviations from a per-host baseline rather than on the destination itself.
What mitigations exist for T1102?
There are 2 documented mitigations for T1102: Network Intrusion Prevention (M1031) and Restrict Web-Based Content (M1021).
Which threat groups use T1102?
Known threat groups using T1102 include RedCurl, Inception, VOID MANTICORE, Rocke, FIN6, LazyScripter, FIN8, and EXOTIC LILY; the full list of 15 groups is in the Threat Groups table above.