Compromise Infrastructure: Web Services

Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, SendGrid, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service), Exfiltration Over Web Service, or Phishing.[1] Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie operations back to them. Additionally, compromised web-based email services may allow adversaries to exploit the trust associated with legitimate domains.

ID: T1584.006
Sub-technique of: T1584
Platforms: PRE
Contributors: Dor Edry, Microsoft
Version: 1.2
Created: 01 October 2020
Last Modified: 15 October 2024

Procedure Examples

| ID | Name | Description |
|---|---|---|
| G1012 | CURIUM | CURIUM has compromised legitimate websites to enable strategic website compromise attacks.[2] |
| G1006 | Earth Lusca | Earth Lusca has compromised Google Drive repositories.[3] |
| S1138 | Gootloader | Gootloader can insert malicious scripts to compromise vulnerable content management systems (CMS).[4] |
| G0010 | Turla | Turla has frequently used compromised WordPress sites for C2 infrastructure.[1] |
| G1035 | Winter Vivern | Winter Vivern has used compromised WordPress sites to host malicious payloads for download.[5] |

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |

Detection

| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0035 | Internet Scan | Response Content | Once adversaries leverage the abused web service as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.[6] Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control (Web Service) or Exfiltration Over Web Service. |

References