cti/mobile-attack/attack-pattern/attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380.json

{
    "type": "bundle",
    "id": "bundle--a33fd0a3-9271-4f4f-94d7-ea4927b5c087",
    "spec_version": "2.0",
    "objects": [
        {
            "x_mitre_version": "1.0",
            "x_mitre_tactic_type": [
                "Post-Adversary Device Access"
            ],
            "x_mitre_platforms": [
                "Android",
                "iOS"
            ],
            "created": "2019-02-01T17:29:43.503Z",
            "modified": "2019-02-01T17:29:43.503Z",
            "kill_chain_phases": [
                {
                    "phase_name": "command-and-control",
                    "kill_chain_name": "mitre-mobile-attack"
                }
            ],
            "type": "attack-pattern",
            "id": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380",
            "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system.\n\nThese commands may also include pointers to command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.\n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).",
            "name": "Web Service",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "external_references": [
                {
                    "url": "https://attack.mitre.org/techniques/T1481",
                    "source_name": "mitre-mobile-attack",
                    "external_id": "T1481"
                }
            ]
        }
    ]
}