T1102: Web Service

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: ...

Platforms: ESXi, Linux, Windows, macOS

Summary: 33 detections, 3 sources, 14 threat actors

BY SOURCE

elastic: 16, sigma: 13, splunk_escu: 4

PROCEDURES (24)

Each entry is an auto-extracted procedure keyword with the number of detections mapped to it.

- Download: 3 detections
- Api: 3 detections
- Phish: 2 detections
- Bypass: 2 detections
- Dns: 2 detections
- Command And Control: 2 detections
- Bypass: 2 detections
- Exfiltrat: 1 detection
- Service: 1 detection
- Network Connection Monitoring: 1 detection
- Beacon: 1 detection
- Beacon: 1 detection
- Cloud: 1 detection
- Suspicious: 1 detection
- Unusual: 1 detection
- Remote: 1 detection
- Aws: 1 detection
- Dns: 1 detection
- Email: 1 detection
- Cloud: 1 detection
- Remote: 1 detection
- Tunnel: 1 detection
- C2: 1 detection
- Command And Control: 1 detection

DETECTIONS (33)

Each entry lists the detection name, its source, and (where the source assigns one) its severity.

- AWS CLI Command with Custom Endpoint URL (elastic, medium)
- AWS SNS Rare Protocol Subscription by User (elastic, low)
- AWS SNS Topic Message Publish by Rare User (elastic, medium)
- Cloudflared Tunnel Connections Cleanup (sigma, medium)
- Cloudflared Tunnel Execution (sigma, medium)
- Communication To LocaltoNet Tunneling Service Initiated (sigma, high)
- Communication To LocaltoNet Tunneling Service Initiated - Linux (sigma, high)
- Communication To Ngrok Tunneling Service - Linux (sigma, high)
- Communication To Ngrok Tunneling Service Initiated (sigma, high)
- Connection to Common Large Language Model Endpoints (elastic, medium)
- Connection to Commonly Abused Web Services (elastic, low)
- Google Calendar C2 via Script Interpreter (elastic, high)
- Linux Ngrok Reverse Proxy Usage (splunk_escu)
- Linux Telegram API Request (elastic, medium)
- Network Connection Initiated To AzureWebsites.NET By Non-Browser Process (sigma, medium)
- Network Connection to OAST Domain via Script Interpreter (elastic, high)
- New Connection Initiated To Potential Dead Drop Resolver Domain (sigma, high)
- Ngrok Reverse Proxy on Network (splunk_escu)
- Potential Etherhiding C2 via Blockchain Connection (elastic, high)
- Potentially Suspicious Network Connection To Notion API (sigma, low)
- Process Initiated Network Connection To Ngrok Domain (sigma, high)
- Statistical Model Detected C2 Beaconing Activity (elastic, low)
- Statistical Model Detected C2 Beaconing Activity with High Confidence (elastic, low)
- Suspicious AWS S3 Connection via Script Interpreter (elastic, medium)
- Suspicious Child Process Of Manage Engine ServiceDesk (sigma, high)
- Suspicious Curl to Google App Script Endpoint (elastic, high)
- Suspicious File Downloaded from Google Drive (elastic, medium)
- Suspicious Non-Browser Network Communication With Google API (sigma, medium)
- Suspicious Non-Browser Network Communication With Telegram API (sigma, medium)
- Unusual Network Connection to Suspicious Web Service (elastic, medium)
- Unusual Web Request (elastic, low)
- Windows Abused Web Services (splunk_escu)
- Windows Ngrok Reverse Proxy Usage (splunk_escu)