Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed).
| ID | Name | Description |
|---|---|---|
| S1214 | Android/SpyAgent |
Android/SpyAgent’s payload has obtained the C2 address via Twitter accounts.[1] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0041 | Application Vetting | Network Communication |
Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. |
| DS0029 | Network Traffic | Network Connection Creation |
Many properly configured firewalls may naturally block command and control traffic. |