Clankerusecase
MITRE ATT&CK detection coverage

T1102 Web Service

T1102 — Web Service is a MITRE ATT&CK technique in the Command and Control tactic. Clankerusecase tracks 17 detection use cases covering it and 13 threat-intel articles citing it.

Command and Control
17 Use cases
13 Articles
3 Sub-techniques
1 Tactic

Sub-techniques (3)

Use cases covering this technique (17)

Linux Ngrok Reverse Proxy Usage | ESCU | actions · hunting | P
Windows Ngrok Reverse Proxy Usage | ESCU | actions · hunting | P
Ngrok Reverse Proxy on Network | ESCU | actions · hunting | P
Windows Abused Web Services | ESCU | actions · hunting | P
[LLM] Shai-Hulud worm exfil — outbound to webhook.site/bb8ca5f6 from developer or CI process | Bespoke | c2 · alerting | DSΣPDDCS
[LLM] GIFTEDCROOK / Gamaredon C2 callback to article IOCs (IPs + workers.dev / trycloudflare / .ru domains) | Bespoke | c2 · hunting | DSΣPDDCS
[LLM] Phishing redirect chain via awstrack.me / Rebrandly into AI-themed landing path | Bespoke | delivery · hunting | DSPDDCS
[LLM] Privnote[.]com self-destructing-note URL access from corporate endpoint | Bespoke | delivery · hunting | DSΣPDDCS
[LLM] Shai-Hulud exfiltration: node.exe POSTs to api.github.com creating public repo | Bespoke | actions · hunting | DSPDDCS
[LLM] Cloudflare-tunnel curl-piped Python stager (kamikaze.sh / kube.py) | Bespoke | delivery · alerting | DSΣPDDCS
[LLM] CI runner anomalous outbound to raw.githubusercontent.com / gist.githubusercontent.com | Bespoke | c2 · alerting | DSPDDCS
[LLM] APT28 MacroMaze: Edge launched off-screen or headless to webhook.site by non-browser parent | Bespoke | c2 · alerting | DSΣP
[LLM] APT28 MacroMaze: Office or Edge HTTP traffic to webhook.site (INCLUDEPICTURE tracker + exfil) | Bespoke | c2 · hunting | DSP
[LLM] Aikido campaign: jsDelivr CDN fetch of weaponised flockiali/opresc/prndn/oprnm/operni npm package | Bespoke | delivery · alerting | DSΣPDDCS
[LLM] Outbound exfiltration to webhook.site from npm / node / bun process tree | Bespoke | c2 · alerting | DSΣPDDCS
[LLM] ScoringMathTea C2 beacon to compromised WordPress hosts (Lazarus DreamJob IOCs) | Bespoke | c2 · hunting | DSΣPDDCS
[LLM] Browser load of Beamglea redirect-* or mad-* package script from unpkg.com | Bespoke | exploit · alerting | DSΣPDDCS

Articles citing this technique (13)