Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >ATTACK
  3. >Command And Control
  4. >ATTACK-T1102
ATTACK-T1102Active

Web Service

Statement

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

Location

Tactic
Command and Control

Technique Details

Identifier
ATTACK-T1102
ATT&CK Page
View on MITRE

Tactics

Command And Control

Platforms

ESXiLinuxWindowsmacOS

Detection

Suspicious Use of Web Services for C2

Mitigations

Network Intrusion Prevention: Use intrusion detection signatures to block traffic at network boundaries.

Restrict Web-Based Content: Restricting web-based content involves enforcing policies and technologies that limit access to potentially malicious websites, unsafe downloads, and unauthorized browser behaviors. This can include URL filtering, download restrictions, script blocking, and extension control to protect against exploitation, phishing, and malware delivery. This mitigation can be implemented through the following measures:

Deploy Web Proxy Filtering:

  • Use solutions to filter web traffic based on categories, reputation, and content types.
  • Enforce policies that block unsafe websites or file types at the gateway level.

Enable DNS-Based Filtering:

  • Implement tools to restrict access to domains associated with malware or phishing campaigns.
  • Use public DNS filtering services to enhance protection.

Enforce Content Security Policies (CSP):

  • Configure CSP headers on internal and external web applications to restrict script execution, iframe embedding, and cross-origin requests.

Control Browser Features:

  • Disable unapproved browser features like automatic downloads, developer tools, or unsafe scripting.
  • Enforce policies through tools like Group Policy Management to control browser settings.

Monitor and Alert on Web-Based Threats:

  • Use SIEM tools to collect and analyze web proxy logs for signs of anomalous or malicious activity.
  • Configure alerts for access attempts to blocked domains or repeated file download failures.
SP 800-53
SP800-53-AC-4relatedvia ctid-attack-to-sp800-53
SP800-53-CA-7relatedvia ctid-attack-to-sp800-53
SP800-53-CM-2relatedvia ctid-attack-to-sp800-53
SP800-53-CM-6relatedvia ctid-attack-to-sp800-53
SP800-53-CM-7relatedvia ctid-attack-to-sp800-53
View in graphReport an issue
← Back to Command and Control
Command and Control41 controls
ATTACK-T1001Data ObfuscationATTACK-T1001.001Junk DataATTACK-T1001.002SteganographyATTACK-T1001.003Protocol or Service ImpersonationATTACK-T1008Fallback ChannelsATTACK-T1071Application Layer ProtocolATTACK-T1071.001Web ProtocolsATTACK-T1071.002File Transfer ProtocolsATTACK-T1071.003Mail ProtocolsATTACK-T1071.004DNSATTACK-T1071.005Publish/Subscribe ProtocolsATTACK-T1090ProxyATTACK-T1090.001Internal ProxyATTACK-T1090.002External ProxyATTACK-T1090.003Multi-hop ProxyATTACK-T1090.004Domain FrontingATTACK-T1092Communication Through Removable MediaATTACK-T1095Non-Application Layer ProtocolATTACK-T1102Web ServiceATTACK-T1102.001Dead Drop ResolverATTACK-T1102.002Bidirectional CommunicationATTACK-T1102.003One-Way CommunicationATTACK-T1104Multi-Stage ChannelsATTACK-T1105Ingress Tool TransferATTACK-T1132Data EncodingATTACK-T1132.001Standard EncodingATTACK-T1132.002Non-Standard EncodingATTACK-T1219Remote Access ToolsATTACK-T1219.001IDE TunnelingATTACK-T1219.002Remote Desktop SoftwareATTACK-T1219.003Remote Access HardwareATTACK-T1568Dynamic ResolutionATTACK-T1568.001Fast Flux DNSATTACK-T1568.002Domain Generation AlgorithmsATTACK-T1568.003DNS CalculationATTACK-T1571Non-Standard PortATTACK-T1572Protocol TunnelingATTACK-T1573Encrypted ChannelATTACK-T1573.001Symmetric CryptographyATTACK-T1573.002Asymmetric CryptographyATTACK-T1665Hide Infrastructure