MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1102: Web Service

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_command_and_control: PT-CR-2413: Connect_Suspicious_File_to_API_Telegram: Suspicious connection of a file to the api.telegram.org service

Detection

IDDS0029Data source and componentNetwork Traffic: Network Connection CreationDescription

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

IDDS0029Data source and componentNetwork Traffic: Network Traffic ContentDescription

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

IDDS0029Data source and componentNetwork Traffic: Network Traffic FlowDescription

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Mitigation

IDM1031NameNetwork Intrusion PreventionDescription

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

IDM1021NameRestrict Web-Based ContentDescription

Web proxies can be used to enforce external network communication policy that prevents use of unauthorized external services.