# T1102 Web Service

-----------------------------------------------------------------------

## Technique Description

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

## Technique Detection

Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)

-----------------------------------------------------------------------

### Tactics:

  *   Command-And-Control

### Platforms:

  * Linux

  * macOS

  * Windows

### Adversary Required Permissions:

  * User

### Data Sources:

  * **Network Traffic:** Network Traffic Flow

  * **Network Traffic:** Network Traffic Content

  * **Network Traffic:** Network Connection Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| LazyScripter | [LazyScripter](https://attack.mitre.org/groups/G0140) has used GitHub to host its payloads to operate spam campaigns.(Citation: MalwareBytes LazyScripter Feb 2021) | 
| TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has leveraged iplogger.org to send collected data back to C2.(Citation: Aqua TeamTNT August 2020) | 
| Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has used DropBox URLs to deliver variants of [PlugX](https://attack.mitre.org/software/S0013).(Citation: Proofpoint TA416 Europe March 2022)| 
| Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has used Amazon Web Services to host C2.(Citation: ClearSky Pay2Kitten December 2020)| 
| Rocke | [Rocke](https://attack.mitre.org/groups/G0106) has used Pastebin, Gitee, and GitLab for Command and Control.(Citation: Anomali Rocke March 2019)(Citation: Talos Rocke August 2018)| 
| Inception | [Inception](https://attack.mitre.org/groups/G0100) has incorporated at least five different cloud service providers into their C2 infrastructure including CloudMe.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Symantec Inception Framework March 2018)| 
| FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has used <code>sslip.io</code>, a free IP to domain mapping service that also makes SSL certificate generation easier for traffic encryption, as part of their command and control.(Citation: Bitdefender FIN8 July 2021)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050) has used Dropbox, Amazon S3, and Google Drive to host malicious downloads.(Citation: Volexity Ocean Lotus November 2020)| 
| Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used GitHub repositories for downloaders which will be obtained by the group's .NET executable on the compromised system.(Citation: ESET Gamaredon June 2020)| 
| FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has used Pastebin and Google Storage to host content for their operations.(Citation: FireEye FIN6 Apr 2019)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) has used legitimate web services including Pastebin, Dropbox, and GitHub for C2 communications.(Citation: Accenture HyperStack October 2020)(Citation: ESET Crutch December 2020)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1102)

  * [University Of Birmingham C2](https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf), Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated  Date:** 7 July 2022

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will use an existing, legitimate external Web service as a means for relaying data to/from a compromised system.
- APT29 has used common services such as Twitter to reach its command and control servers: the HAMMERTOSS backdoor computes a new Twitter handle each day, much as a DGA (Domain Generation Algorithm) computes domains, and reads the URL it should contact from that account's posts. Cloud service providers may also be used, because defenders find it hard to make a determination beyond "suspicious" or "low reputation" for URLs hosted on such providers.


## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT29 | 1 | 1, 2, 3, 4, 5 |
| Turla | 1 | 5 |

#### APT29
- APT29 has used social media platforms such as Twitter to hide communications with C2 servers.

#### Turla
- A Turla JavaScript backdoor has used Google Apps Script as its C2 server.

## Detection Blindspots

- Incorrect sensor placement will prevent this TTP from being identified if the relevant traffic (for example, egress from user segments to the Internet) is never seen.
- Encrypted traffic makes this TTP harder to detect. When the connection uses TLS, fields such as the HTTP method, URI and Host header are not visible without TLS inspection, leaving only connection metadata (SNI, certificate details, byte counts, timing) to work with.

## Analytical References

  * [ESET Operation Ghost Dukes 2019 (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf)
  * [ESET Turla Mosquito 2018 (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf)
  * [Turla Mosquito - Shift Towards Generic Tools 2018 (welivesecurity)](https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/)
  * [Command & Control: Understanding, Denying and Detecting, arXiv 1408.1136 (arxiv.org)](https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf)
  * [APT29 Hammertoss (fireeye)](https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf)
  * [APT29 WellMess malware](https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html)
  * [Mitre ATT&CK - Web Service](https://attack.mitre.org/techniques/T1102/)
  * [Detecting Host artifacts of common web shells](https://github.com/nsacyber/Mitigating-Web-Shells#detecting-host-artifacts-of-common-web-shells)
  * [How to Detect & Prevent Cyberattackers from Exploiting Web Servers via Web Shell Malware](https://www.securitymagazine.com/articles/92284-how-to-detect-prevent-cyberattackers-from-exploiting-web-servers-via-web-shell-malware)



-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption.
- Packet capture analysis will require SSL/TLS inspection if data is encrypted.
- Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).
- User behavior monitoring may help to detect abnormal patterns of activity.
- YARA rules applied to on-disk and in-memory artifacts give the best results from a host perspective; Snort signatures, by contrast, operate on network traffic rather than on the host.

#### Analytic 1

  * **Information:** Check for unusual processes using network connections. Correlate with DNS queries.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** Sysmon Event ID 3 (network connection) records the connecting image and the destination; Event ID 22 (DNS query) records which process asked for which name. Aggregate the first query by `image` to find processes that rarely make web connections, then join the two events on `ProcessGuid` to see which names the suspect process resolved before connecting. A connection with no preceding DNS query from the same process points at a hardcoded IP. The field names below follow the page's existing naming; check them against the mapping in your index, since ECS-mapped Sysmon data uses `destination.port`, `process.executable` and `dns.question.name` instead.

  * **Query:** ```event.code : 3 and destinationPort : (80 or 8080 or 443) and image : *```
  * **Query:** ```event.code : 22```
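The process-to-DNS join that Analytic 1 describes, as an added example that is not code from this playbook or from Sysmon/Kibana. The events are constructed in the shape Sysmon writes them (`Image`, `ProcessGuid`, `DestinationIp`, `DestinationPort`, `QueryName`, `UtcTime`); the baseline image list, the web-service list and the IP addresses (RFC 5737 documentation ranges) are assumptions for the example.

```python
"""Join Sysmon Event ID 3 (network connection) with Event ID 22 (DNS query).

Added example for Host Analytic 1; not code from the original playbook or from
Sysmon. The events are constructed, not real telemetry. The baseline images,
the web-service list and the IP addresses are assumptions.
"""
from collections import defaultdict

WEB_PORTS = {80, 443, 8080}

# Services the page names as C2 relays; any subdomain of these counts.
WEB_SERVICES = ("twitter.com", "pastebin.com", "github.com", "dropbox.com",
                "drive.google.com", "docs.google.com")

# Images expected to talk to web services on these hosts (assumed baseline).
BASELINE_IMAGES = {
    r"c:\program files\mozilla firefox\firefox.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed Sysmon events in time order, as a SIEM would store them.
SAMPLE_EVENTS = [
    {"UtcTime": "2022-06-23 14:00:01", "EventID": 22, "Computer": "WS01", "ProcessGuid": "{A1}",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "www.google.com"},
    {"UtcTime": "2022-06-23 14:00:02", "EventID": 3, "Computer": "WS01", "ProcessGuid": "{A1}",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "198.51.100.10", "DestinationPort": 443},
    {"UtcTime": "2022-06-23 14:05:00", "EventID": 22, "Computer": "WS01", "ProcessGuid": "{B2}",
     "Image": r"C:\Users\jdoe\AppData\Roaming\update.exe", "QueryName": "api.twitter.com"},
    {"UtcTime": "2022-06-23 14:05:01", "EventID": 3, "Computer": "WS01", "ProcessGuid": "{B2}",
     "Image": r"C:\Users\jdoe\AppData\Roaming\update.exe",
     "DestinationIp": "198.51.100.20", "DestinationPort": 443},
    {"UtcTime": "2022-06-23 14:05:30", "EventID": 22, "Computer": "WS01", "ProcessGuid": "{B2}",
     "Image": r"C:\Users\jdoe\AppData\Roaming\update.exe", "QueryName": "pastebin.com"},
    {"UtcTime": "2022-06-23 14:05:31", "EventID": 3, "Computer": "WS01", "ProcessGuid": "{B2}",
     "Image": r"C:\Users\jdoe\AppData\Roaming\update.exe",
     "DestinationIp": "198.51.100.30", "DestinationPort": 443},
    {"UtcTime": "2022-06-23 14:10:00", "EventID": 22, "Computer": "WS02", "ProcessGuid": "{C3}",
     "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "login.microsoftonline.com"},
    {"UtcTime": "2022-06-23 14:10:01", "EventID": 3, "Computer": "WS02", "ProcessGuid": "{C3}",
     "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "198.51.100.40", "DestinationPort": 443},
    # No Event 22 precedes this connection: the process used a hardcoded IP.
    {"UtcTime": "2022-06-23 14:12:00", "EventID": 3, "Computer": "WS02", "ProcessGuid": "{D4}",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},
]


def matches_service(name, services=WEB_SERVICES):
    """True when name is one of the listed services or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in services)


def find_suspect_connections(events, baseline=BASELINE_IMAGES, web_ports=WEB_PORTS):
    """Return web-port connections from non-baseline images, each annotated with
    the names the same process resolved before the connection (joined on
    ProcessGuid) and whether it resolved nothing at all (hardcoded IP)."""
    queries = defaultdict(list)  # ProcessGuid -> [(UtcTime, QueryName), ...]
    for e in events:
        if e["EventID"] == 22:
            queries[e["ProcessGuid"]].append((e["UtcTime"], e["QueryName"].lower()))

    findings = []
    for e in events:
        if e["EventID"] != 3 or e["DestinationPort"] not in web_ports:
            continue
        if e["Image"].lower() in baseline:
            continue  # expected web client on this host
        # Only queries made by this process at or before the connection time count.
        prior = sorted({q for t, q in queries.get(e["ProcessGuid"], []) if t <= e["UtcTime"]})
        findings.append({
            "computer": e["Computer"],
            "image": e["Image"],
            "destination": f"{e['DestinationIp']}:{e['DestinationPort']}",
            "web_services": [q for q in prior if matches_service(q)],
            "hardcoded_ip": not prior,
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspect_connections(SAMPLE_EVENTS):
        print(finding)
```

On the constructed data the two `update.exe` connections are reported with the web-service names the process resolved first (Twitter, then Twitter and Pastebin), and `svc.exe` is reported with `hardcoded_ip` set because no DNS query from that process preceded the connection. Against a real index the same join is a Kibana/Elasticsearch query on `ProcessGuid`, with the baseline set built from your own long-tail analysis of `image`.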

-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).
- C2 communications are often identified only after a specific host has displayed characteristics that warrant closer investigation of its network connections.
- Command and control communications may look like a conversation back and forth between client and server: small, regular check-ins from the client answered by short responses, with occasional larger transfers when a task or its result is passed.
- Encrypted traffic will make identifying suspicious traffic difficult; use the metadata surrounding the connection (timing, byte counts, SNI) and the certificate information to assist the investigation.
- An Arkime hunt using a regex will also assist in identifying hosts that use hardcoded IP addresses instead of domains. Approval from CCL or Network Lead is required to run Arkime Hunts.

#### Analytic 1 (APT 29)

  * **Information:** Detect HTTP methods (GET, POST, PUT, HEAD, etc.) and responses

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:** Adjust the method to known TTPs and to what is observed on the network. Filter by byte size as well if there is related intel. Both the method and the entropy range are placeholders to be filled in from intel.

  * **Query Pseudo:** ```http.method == [method] && entropy.http == [6,7,8]```

#### Analytic 2 (APT 29)

  * **Information:** Identifying suspicious ASN providers (low count, unique, etc).

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:** Open the SPI View on `asn.dst` to list every destination ASN with its session count. ASNs seen in only a handful of sessions, or ones belonging to hosting and cloud providers the environment does not normally use, are the candidates to pivot on.
  
  * **Query:** ```asn.dst == EXISTS!```
  
#### Analytic 3 (APT 29)

  * **Information:** HTTP Host headers that carry a hardcoded IP address instead of a domain name should be investigated.

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:** You may also export unique `host.http` values and sort alphabetically to push IPs to the top. Arkime regexes use Elasticsearch regex syntax and must match the whole value, so the expression below covers the full Host header; the optional port group catches values such as `203.0.113.10:8080`.

  * **Query:** ```host.http == /[0-9]{1,3}(\.[0-9]{1,3}){3}(:[0-9]+)?/```

#### Analytic 4 (APT 29)

  * **Information:** Possible to associate byte size with http method being used 

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:** 

  * **Query Pseudo:** ```bytes == [specific size if known from TTPs provided by Intel]```

#### Analytic 5 (APT 29)

  * **Information:** HTTP connections may be sent to an internal proxy and then continued externally over HTTPS. 

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:** Verify the connection metadata to gather further information. Correlate `host.http` with a corresponding `host.dns` request from the same client; an HTTP or TLS connection to a name that the client never resolved through DNS (no matching `host.dns` entry) should be investigated.

  * **Query Pseudo:** ```protocols == tls && cert.issuer.cn == [ ] && cert.subject.cn == [ ] && host.http == [ ]```
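The flow-shape checks from the hunter notes and Analytics 1, 3 and 5 (upload-heavy sessions, dotted-quad Host headers, and connections to names the client never resolved), as an added example that is not code from this playbook or from Arkime. The session and DNS records are constructed, not captured traffic; their field names (`client`, `server`, `port`, `client_bytes`, `server_bytes`, `http_host`, `tls_sni`) are assumptions standing in for the Arkime session fields, and the thresholds and IP addresses (RFC 5737 ranges) are assumptions too.

```python
"""Flag session records that match the flow-shape analytics in this section.

Added example for Network Analytics 1, 3 and 5; not code from the original
playbook or from Arkime. The session and DNS records are constructed, their
field names are assumptions standing in for Arkime's session fields, and the
thresholds are starting points to tune against your own baseline.
"""
import ipaddress

UPLOAD_RATIO = 4.0          # client bytes / server bytes that counts as upload-heavy
UPLOAD_MIN_BYTES = 512_000  # ignore tiny sessions, where the ratio is meaningless

SAMPLE_SESSIONS = [
    # Large upload to a file-sharing service: the client sends far more than it receives.
    {"id": "s1", "client": "10.0.0.5", "server": "198.51.100.20", "port": 443,
     "client_bytes": 2_400_000, "server_bytes": 120_000, "http_host": None, "tls_sni": "www.dropbox.com"},
    # Plain HTTP with a dotted-quad Host header: no domain name was ever involved.
    {"id": "s2", "client": "10.0.0.5", "server": "203.0.113.10", "port": 80,
     "client_bytes": 900, "server_bytes": 4_000, "http_host": "203.0.113.10", "tls_sni": None},
    # TLS to a name this client never resolved through DNS.
    {"id": "s3", "client": "10.0.0.7", "server": "198.51.100.30", "port": 443,
     "client_bytes": 5_000, "server_bytes": 200_000, "http_host": None, "tls_sni": "api.github.com"},
    # Ordinary browsing: download-heavy, and the name was resolved first.
    {"id": "s4", "client": "10.0.0.7", "server": "198.51.100.40", "port": 443,
     "client_bytes": 3_000, "server_bytes": 50_000, "http_host": None, "tls_sni": "www.google.com"},
]

# Constructed DNS log: which client resolved which name (the host.dns side of the join).
SAMPLE_DNS = [
    {"client": "10.0.0.5", "name": "www.dropbox.com"},
    {"client": "10.0.0.7", "name": "www.google.com"},
]


def host_is_ip_literal(host):
    """True when an HTTP Host value is a bare IPv4/IPv6 address, with or without :port."""
    if not host:
        return False
    bare = host.strip()
    if bare.startswith("["):          # [v6]:port
        bare = bare[1:].split("]", 1)[0]
    elif bare.count(":") == 1:        # v4:port
        bare = bare.split(":", 1)[0]
    try:
        ipaddress.ip_address(bare)
        return True
    except ValueError:
        return False


def flag_sessions(sessions, dns_log, ratio=UPLOAD_RATIO, min_bytes=UPLOAD_MIN_BYTES):
    """Return [{'id', 'reasons'}] for every session that trips at least one check."""
    resolved = {(d["client"], d["name"].lower()) for d in dns_log}
    flagged = []
    for s in sessions:
        reasons = []
        # Hunter note / Analytic 1: client sends significantly more than it receives.
        if s["client_bytes"] >= min_bytes and s["client_bytes"] >= ratio * max(s["server_bytes"], 1):
            reasons.append("upload_heavy")
        # Analytic 3: Host header is a hardcoded IP instead of a domain.
        if host_is_ip_literal(s["http_host"]):
            reasons.append("ip_literal_host")
        # Analytic 5: the name used (Host header or SNI) has no matching DNS lookup by this client.
        name = (s["http_host"] or s["tls_sni"] or "").lower()
        if name and not host_is_ip_literal(name) and (s["client"], name) not in resolved:
            reasons.append("no_dns_lookup")
        if reasons:
            flagged.append({"id": s["id"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_sessions(SAMPLE_SESSIONS, SAMPLE_DNS):
        print(hit)
```

On the constructed records `s1` trips the upload check, `s2` the IP-literal Host check and `s3` the missing-DNS check, while the ordinary browsing session `s4` is left alone. The upload ratio and minimum size are deliberately two separate knobs: the ratio alone flags every small request that got a tiny response, so the size floor keeps the check pointed at real exfiltration-sized transfers.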



