Common Information
Type | Value |
---|---|
Value | Web Service - T1102 |
Category | Attack-Pattern |
Type | Mitre-Enterprise-Attack-Attack-Pattern |
Misp Type | Cluster |
Description | Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system. These commands may also include pointers to command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed). Detection: Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). User behavior monitoring may help to detect abnormal patterns of activity. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) Platforms: Linux, macOS, Windows Data Sources: Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection Defense Bypassed: Binary Analysis, Log analysis, Firewall Permissions Required: User Requires Network: Yes Contributors: Anastasios Pingios |
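The "uncommon data flow" check from the detection guidance above, as an added example that is not part of the MITRE/MISP entry: it aggregates netflow-style records per client/server pair and flags clients that upload far more to a web service than they download from it. The flow records, addresses and thresholds are constructed assumptions to be tuned per environment.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # internal client address
    dst: str        # external web service address
    dport: int      # destination port (443 for the TLS-wrapped services T1102 abuses)
    bytes_out: int  # bytes client -> server
    bytes_in: int   # bytes server -> client


# Constructed sample records (not real telemetry). Normal browsing downloads far
# more than it uploads; 10.0.0.9 pushes far more than it receives from the same host.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, 2_100, 185_000),
    Flow("10.0.0.5", "203.0.113.10", 443, 1_800, 94_000),
    Flow("10.0.0.7", "203.0.113.10", 443, 3_400, 410_000),
    Flow("10.0.0.9", "203.0.113.10", 443, 950_000, 12_000),
    Flow("10.0.0.9", "203.0.113.10", 443, 1_200_000, 9_500),
    Flow("10.0.0.11", "203.0.113.20", 443, 400, 300),  # tiny exchange, below min_bytes_out
]


def find_upload_heavy_clients(flows, ratio_threshold=5.0, min_bytes_out=100_000):
    """Sum bytes per (client, server) pair and return the pairs where the client sent
    at least ratio_threshold times what it received and at least min_bytes_out in
    total. The volume floor keeps small asymmetric exchanges from producing noise."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        pair = totals[(f.src, f.dst)]
        pair[0] += f.bytes_out
        pair[1] += f.bytes_in
    hits = []
    for (src, dst), (out_b, in_b) in sorted(totals.items()):
        ratio = out_b / max(in_b, 1)  # guard against a server that sent nothing back
        if out_b >= min_bytes_out and ratio >= ratio_threshold:
            hits.append({"client": src, "server": dst, "bytes_out": out_b,
                         "bytes_in": in_b, "ratio": round(ratio, 1)})
    return hits


if __name__ == "__main__":
    for hit in find_upload_heavy_clients(SAMPLE_FLOWS):
        print(hit)
```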
Details | CTI | Published | Attributes | Title |
---|---|---|---|---|
Details | Website | 2024-07-29 | 20 | Attackers (Crowd)Strike with Infostealer Malware - Perception Point |
Details | Website | 2024-07-25 | 835 | Mid-year Doppelgänger information operations in Europe and the US |
Details | Website | 2024-07-11 | 26 | MoonWalk: A deep dive into the updated arsenal of APT41 \| Part 2 |
Details | Website | 2024-07-03 | 1 | HackTheBox Certified Bug Bounty Hunter Review |
Details | Website | 2024-07-01 | 62 | Kimsuky deploys TRANSLATEXT to target South Korean academia |
Details | Website | 2024-06-17 | 0 | Nighthawk 0.3 - Automate All the Things - MDSec |
Details | Website | 2024-06-13 | 89 | Arid Viper poisons Android apps with AridSpy |
Details | Website | 2024-05-31 | 11 | WASM Smuggling for Initial Access and W.A.L.K. Tool Release \| JUMPSEC LABS |
Details | Website | 2024-05-15 | 4 | HP Wolf Security Threat Insights Report Q1 2024 \| HP Wolf Security |
Details | Website | 2024-04-09 | 7 | Raspberry Robin Now Spreading Through Windows Script Files \| HP Wolf Security |
Details | Website | 2024-03-28 | 9 | Coverage Advisory for CVE-2023-47246 SysAid Zero-Day Vulnerability |
Details | Website | 2024-02-01 | 47 | VajraSpy: A Patchwork of espionage apps |
Details | Website | 2023-12-06 | 198 | Russia/Ukraine Update - December 2023 |
Details | Website | 2023-11-23 | 18 | ParaSiteSnatcher: How Malicious Chrome Extensions Target Brazil |
Details | Website | 2023-11-20 | 37 | Cryptojacking Attack Campaign Against Apache Web Servers Using Cobalt Strike - ASEC BLOG |
Details | Website | 2023-11-19 | 117 | LitterDrifter: a new USB worm used by the Gamaredon group |
Details | Website | 2023-11-18 | 1 | Kubernetes Security on AWS: A Practical Guide |
Details | Website | 2023-11-17 | 2 | Metasploit Weekly Wrap-Up \| Rapid7 Blog |
Details | Website | 2023-11-16 | 6 | Coverage Advisory for CVE-2023-47246 SysAid Zero-Day Vulnerability |
Details | Website | 2023-11-15 | 0 | How to stay protected on the web this holiday season |
Details | Website | 2023-11-13 | 15 | 13th November – Threat Intelligence Report - Check Point Research |
Details | Website | 2023-11-13 | 8 | Rewterz Threat Alert – Clop Ransomware Deployed Using SysAid Zero-Day Vulnerability – Active IOCs |
Details | Website | 2023-11-10 | 6 | SysAid Zero-Day Vulnerability Exploited by Threat Actors |
Details | Website | 2023-11-10 | 14 | SysAid IT Service Software 0-day Exploited to Deploy Cl0p Ransomware |
Details | Website | 2023-11-10 | 7 | Microsoft: SysAid zero-day flaw exploited in Clop ransomware attacks - RedPacket Security |