Acquire Infrastructure: Web Services

Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service) or Exfiltration Over Web Service. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.

ID: T1583.006
Sub-technique of:  T1583
Platforms: PRE
Version: 1.1
Created: 01 October 2020
Last Modified: 17 October 2021
Provided by LAYER 8

Procedure Examples

ID Name Description
G0025 APT17

APT17 has created profile pages in Microsoft TechNet that were used as C2 infrastructure.[1]

G0016 APT29

APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware, such as HAMMERTOSS.[2][3]

G0050 APT32

APT32 has set up Dropbox, Amazon S3, and Google Drive to host malicious downloads.[4]

G0125 HAFNIUM

HAFNIUM has acquired web services for use in C2 and exfiltration.[5]

G0136 IndigoZebra

IndigoZebra created Dropbox accounts for their operations.[6][7]

G0032 Lazarus Group

Lazarus Group has hosted malicious downloads on Github.[8]

G0069 MuddyWater

MuddyWater has used file sharing services including OneHub to distribute tools.[9][10]

G0010 Turla

Turla has created web accounts including Dropbox and GitHub for C2 and document exfiltration.[11]

G0128 ZIRCONIUM

ZIRCONIUM has used GitHub to host malware linked in spearphishing e-mails.[12][13]

Mitigations

ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

ID Data Source Data Component
DS0035 Internet Scan Response Content

Once adversaries leverage the web service as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.[14]

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control (Web Service) or Exfiltration Over Web Service.

References