Register to stream ATT&CKcon 2.0 October 29-30


WEBC2 is a backdoor used by APT1 to retrieve a Web page from a predetermined C2 server. [1][2]

ID: S0109
Platforms: Windows
Version: 1.1

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface WEBC2 can open an interactive command shell. [2]
Enterprise T1038 DLL Search Order Hijacking Variants of WEBC2 achieve persistence by using DLL search order hijacking, usually by copying the DLL file to %SYSTEMROOT% (C:\WINDOWS\ntshrui.dll). [1]
Enterprise T1105 Remote File Copy WEBC2 can download and execute a file. [2]

Groups That Use This Software

ID Name References
G0006 APT1 [2]