EXPLORE

← Back to Explore

T1102

Web Service

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: ...

ESXiLinuxmacOSWindows

34

Detections

3

Sources

15

Threat Actors

BY SOURCE

17elastic13sigma4splunk_escu

PROCEDURES (24)

Bypass3 detections

Auto-extracted: 3 detections for bypass

Api3 detections

Auto-extracted: 3 detections for api

Command And Control2 detections

Auto-extracted: 2 detections for command and control

Phish2 detections

Auto-extracted: 2 detections for phish

Download2 detections

Auto-extracted: 2 detections for download

Dns2 detections

Auto-extracted: 2 detections for dns

Cloud1 detections

Auto-extracted: 1 detections for cloud

Remote1 detections

Auto-extracted: 1 detections for remote

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

C21 detections

Auto-extracted: 1 detections for c2

Service1 detections

Auto-extracted: 1 detections for service

Beacon1 detections

Auto-extracted: 1 detections for beacon

Beacon1 detections

Auto-extracted: 1 detections for beacon

Cloud1 detections

Auto-extracted: 1 detections for cloud

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Remote1 detections

Auto-extracted: 1 detections for remote

Remote1 detections

Auto-extracted: 1 detections for remote

Unusual1 detections

Auto-extracted: 1 detections for unusual

Dns1 detections

Auto-extracted: 1 detections for dns

Tunnel1 detections

Auto-extracted: 1 detections for tunnel

Command And Control1 detections

Auto-extracted: 1 detections for command and control

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Bypass1 detections

Auto-extracted: 1 detections for bypass

Email1 detections

Auto-extracted: 1 detections for email

THREAT ACTORS (15)

APT32 APT42 EXOTIC LILY FIN6 FIN8 Fox Kitten Gamaredon Group Inception LazyScripter Mustang Panda RedCurl Rocke TeamTNT Turla VOID MANTICORE

DETECTIONS (34)

AWS CLI Command with Custom Endpoint URL

AWS SNS Rare Protocol Subscription by User

AWS SNS Topic Message Publish by Rare User

Cloudflared Tunnel Connections Cleanup

Cloudflared Tunnel Execution

Communication To LocaltoNet Tunneling Service Initiated

Communication To LocaltoNet Tunneling Service Initiated - Linux

Communication To Ngrok Tunneling Service - Linux

Communication To Ngrok Tunneling Service Initiated

Connection to Common Large Language Model Endpoints

Connection to Commonly Abused Web Services

Google Calendar C2 via Script Interpreter

Linux Ngrok Reverse Proxy Usage

Linux Telegram API Request

Network Connection Initiated To AzureWebsites.NET By Non-Browser Process

Network Connection to OAST Domain via Script Interpreter

New Connection Initiated To Potential Dead Drop Resolver Domain

Ngrok Reverse Proxy on Network

Potential Etherhiding C2 via Blockchain Connection

Potentially Suspicious Network Connection To Notion API

Process Initiated Network Connection To Ngrok Domain

Statistical Model Detected C2 Beaconing Activity

Statistical Model Detected C2 Beaconing Activity with High Confidence

Suspicious AWS S3 Connection via Script Interpreter

Suspicious Child Process Of Manage Engine ServiceDesk

Suspicious Curl to Google App Script Endpoint

Suspicious File Downloaded from Google Drive

Suspicious Non-Browser Network Communication With Google API

Suspicious Non-Browser Network Communication With Telegram API

Uncommon DNS Request via Bun or Node.js

Unusual Network Connection to Suspicious Web Service

Unusual Web Request

Windows Abused Web Services

Windows Ngrok Reverse Proxy Usage