T1102 · command-and-control · 15 actors · 8 correlated reports

Web Service

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

Open detection, hunting, mitigation, and evidence workspace

Detection logic

Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). User behavior monitoring may help to detect abnormal patterns of activity.

Observed actors

EXOTIC LILY
G1011 APT32
G0050 FIN6
G0037 Gamaredon Group
G0047 TeamTNT
G0139 Mustang Panda
G0129 Rocke
G0106 Turla
G0010 RedCurl
G1039 Chimera
G0114 Ember Bear
G1003 LazyScripter
G0140 Fox Kitten
G0117 Inception
G0100 FIN8
G0061

Correlated CTI and IR reports

APT42 G1044
MITRE ATT&CK · direct source mapping 1. Executive Summary
Israel Threat Actors CTI · explicit report mention ATT&CK as a Working Tool: Theory and Hands-On Practical Usage
1200km CTI repository · explicit report mention CTI Research: MuddyWater / Seedworm (Mango Sandstorm)
1200km CTI repository · explicit report mention CTI Research: MuddyWater / Seedworm (Mango Sandstorm)
1200km CTI repository · explicit report mention OilRig (APT34 / Helix Kitten / Earth Simnavaz etc)
Israel Threat Actors CTI · explicit report mention ATT CK as a Working Tool Theory and Hands On Practical Usage
1200km Medium · authored report mention CTI Research MuddyWater Seedworm Mango Sandstorm
1200km Medium · authored report mention

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research