|T1583.003||Virtual Private Server|
Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service), Exfiltration Over Web Service, or Phishing. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.
APT17 has created profile pages in Microsoft TechNet that were used as C2 infrastructure.
APT28 has used newly-created Blogspot pages for credential harvesting operations.
APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware, such as HAMMERTOSS. APT29 has also used legitimate web services such as Dropbox and Constant Contact in their operations.
APT32 has set up Dropbox, Amazon S3, and Google Drive to host malicious downloads.
Confucius has obtained cloud storage service accounts to host stolen data.
Earth Lusca has established GitHub accounts to host their malware.
HAFNIUM has acquired web services for use in C2 and exfiltration.
IndigoZebra created Dropbox accounts for their operations.
Kimsuky has hosted content used for targeting efforts via web services such as Blogspot.
Lazarus Group has hosted malicious downloads on Github.
LazyScripter has established GitHub accounts to host its toolsets.
Magic Hound has acquired Amazon S3 buckets to use in C2.
MuddyWater has used file sharing services including OneHub to distribute tools.
|C0022||Operation Dream Job||
During Operation Dream Job, Lazarus Group used file hosting services like DropBox and OneDrive.
For Operation Sharpshooter, the threat actors used Dropbox to host lure documents and their first-stage downloader.
POLONIUM has created and used legitimate Microsoft OneDrive accounts for their operations.
Turla has created web accounts including Dropbox and GitHub for C2 and document exfiltration.
ZIRCONIUM has used GitHub to host malware linked in spearphishing e-mails.
This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
|ID||Data Source||Data Component||Detects|
|DS0035||Internet Scan||Response Content||
Once adversaries leverage the web service as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control (Web Service) or Exfiltration Over Web Service.