Web服务

攻击者可以使用现有的合法外部Web服务作为将命令中继到受感染系统的手段。

这些命令还可以包括指向命令和控制（C2）基础结构的指针。攻击者可能会在具有嵌入式（通常是经过混淆/编码）域或IP地址的Web服务上发布内容，称为死点解析器。一旦感染，受害者将与这些解决者联系并重定向。

流行的网站和充当C2机制的社交媒体可能会提供大量掩盖，这是因为网络内的主机在入侵之前已经在与它们进行通信的可能性。使用常见服务（例如Google或Twitter提供的服务）可使对手更容易隐藏在预期的噪音中。Web服务提供商通常使用SSL / TLS加密，从而为攻击者提供了额外的保护。

使用Web服务还可以保护后端C2基础结构免受恶意软件二进制分析的发现，同时还可以实现操作弹性（因为该基础结构可以动态更改）。

Web Service

Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system.

These commands may also include pointers to command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.

Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

标签

ID编号： T1481

战术类型： 事后访问设备

策略： 命令与控制

平台： Android，iOS

程序示例

名称	描述
ANDROIDOS_ANSERVER.A(S0310)	ANDROIDOS_ANSERVER.A(S0310) 使用博客站点中的加密内容作为其命令和控制的一部分。具体地说，加密内容包含用于其他服务器的URL，这些URL用于命令和控制的其他方面。

Name	Description
ANDROIDOS_ANSERVER.A(S0310)	ANDROIDOS_ANSERVER.A(S0310) uses encrypted content within a blog site for part of its command and control. Specifically, the encrypted content contains URLs for other servers to be used for other aspects of command and control.

缓解措施

这种攻击技术无法通过预防性控制轻松缓解，因为它基于滥用系统功能。

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.