MITRE ATT&CK® Analytic

AN2014: Analytic 2014

Once adversaries leverage the abused web service as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.[1] Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control (Web Service) or Exfiltration Over Web Service.

Enterprise | AN2014 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic highlights a hard business problem: adversaries may use legitimate or abused web services as part of their infrastructure, and much of the relevant activity can occur outside the target organization’s direct visibility. For leaders, the value is not expecting a single internal alert to solve it, but ensuring teams can combine threat intelligence, external infrastructure research, and later-stage network evidence when command-and-control or exfiltration over web services becomes visible.

Executive priority

Prioritize this as a coverage and readiness question rather than a standalone detection promise. Executives should ask whether the organization has a process to consume infrastructure intelligence, correlate it with internal web-service communications, and preserve evidence for incident response. Because ATT&CK notes detection is difficult and often external to the victim environment, budget and control decisions should focus on visibility, triage workflow, and escalation paths for related behaviors such as Web Service command and control and Exfiltration Over Web Service.

Technical view

ATT&CK provides no specific detection logic for AN2014. SOC and detection teams should validate whether they can pivot from external indicators, or from unique adversary software characteristics when those are known, into internal telemetry around connections to web services. The practical validation point is whether the related lifecycle stages can be investigated: command-and-control over web services and exfiltration over web services. Treat this analytic as threat-informed hunting guidance, especially for pre-compromise infrastructure activity that the target organization has little or no direct ability to observe.

Likely telemetry

  • Threat intelligence and infrastructure research outputs, including domains, URLs, hosting patterns, or other externally observed characteristics when available
  • Network connection metadata involving web services
  • Proxy, secure web gateway, DNS, and firewall logs that can show access to relevant web-service infrastructure
  • Endpoint or network evidence that can support investigation of Web Service command-and-control or Exfiltration Over Web Service activity
  • Incident response case notes linking external infrastructure findings to internal observations

Detection direction

  • Do not rely on this analytic as a self-contained detection rule; ATT&CK does not provide official detection logic for AN2014.
  • Validate whether the SOC can correlate external infrastructure intelligence with internal network and web access telemetry.
  • Tune hunts around known or suspected unique characteristics of adversary software only when those characteristics are available from trusted intelligence or case evidence.
  • Account for blind spots: ATT&CK explicitly notes much activity may occur outside the target organization’s visibility.
  • Use related behavior context from Web Service command-and-control and Exfiltration Over Web Service to guide internal detection and triage.
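The correlation step the bullets above ask the SOC to validate, written out as an added Python example (not MITRE or Glexia code). It takes a small constructed indicator list, one adversary-registered domain and one adversary-controlled path on a shared web service, and runs it over constructed proxy and DNS log lines; every hostname, IP, path and log format below is an assumption made for the example. It also encodes the caveat that matters most for abused web services: the hostname of a legitimate shared service is not an indicator, so a DNS-only match is withheld for URL-type indicators and only the proxy record, which carries the path, produces a hit.

```python
"""Correlate external web-service infrastructure indicators with internal
proxy and DNS telemetry (added example; indicators and logs are constructed)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed intel feed. A bare domain means "the adversary controls this
# host and everything under it". A full URL means "the adversary controls only
# this path on a shared, otherwise legitimate web service".
INTEL_INDICATORS = [
    "evil-cdn.example",                  # assumed adversary-registered domain
    "https://paste.example/raw/x7Qz9",   # assumed adversary-owned paste on a shared service
]

# Constructed proxy log: "<ts> <src_ip> <method> <url> <status> <bytes>"
PROXY_LOGS = [
    "2024-05-01T10:00:01Z 10.0.0.5 GET https://www.example.com/ 200 5120",
    "2024-05-01T10:00:07Z 10.0.0.5 GET https://paste.example/raw/x7Qz9 200 812",
    "2024-05-01T10:01:13Z 10.0.0.9 GET https://paste.example/raw/hello 200 90",
    "2024-05-01T10:02:44Z 10.0.0.7 POST https://api.evil-cdn.example/upload 200 40960",
]

# Constructed DNS query log: "<ts> <src_ip> <qname>" (trailing dot and case vary)
DNS_LOGS = [
    "2024-05-01T09:59:58Z 10.0.0.5 paste.example.",
    "2024-05-01T10:02:40Z 10.0.0.7 API.EVIL-CDN.EXAMPLE",
    "2024-05-01T10:03:00Z 10.0.0.9 paste.example",
]


def normalize_host(host):
    """Lower-case and strip the trailing dot so DNS and proxy hostnames compare."""
    return host.lower().rstrip(".")


def compile_indicators(indicators):
    """Turn feed entries into (host, path_or_None, original) tuples."""
    compiled = []
    for ind in indicators:
        if "://" in ind:
            parts = urlsplit(ind)
            compiled.append((normalize_host(parts.hostname or ""), parts.path or "/", ind))
        else:
            compiled.append((normalize_host(ind), None, ind))
    return compiled


def host_matches(qname, domain):
    """True for the domain itself and any subdomain, never for look-alikes."""
    qname = normalize_host(qname)
    return qname == domain or qname.endswith("." + domain)


def path_matches(req_path, ind_path):
    """Exact path or a child of it; '/raw/x7Qz9abc' must not match '/raw/x7Qz9'."""
    return req_path == ind_path or req_path.startswith(ind_path.rstrip("/") + "/")


def match_dns(qname, compiled):
    """Only domain indicators can fire on DNS. For a URL indicator the host is a
    legitimate shared service, so a DNS lookup alone is not evidence."""
    for host, path, ind in compiled:
        if path is None and host_matches(qname, host):
            return ind
    return None


def match_url(url, compiled):
    """Proxy/SWG URLs carry the path, so both indicator kinds can fire here."""
    parts = urlsplit(url)
    qname = normalize_host(parts.hostname or "")
    req_path = parts.path or "/"
    for host, path, ind in compiled:
        if host_matches(qname, host) and (path is None or path_matches(req_path, path)):
            return ind
    return None


def correlate(proxy_logs, dns_logs, indicators):
    """Return {src_ip: [hit, ...]} so each internal host can be triaged.
    Whitespace splitting suits the constructed format only; real logs need
    the vendor's parser."""
    compiled = compile_indicators(indicators)
    hits = defaultdict(list)
    for line in proxy_logs:
        ts, src, method, url, status, nbytes = line.split()
        ind = match_url(url, compiled)
        if ind:
            hits[src].append({"source": "proxy", "ts": ts, "indicator": ind,
                              "evidence": f"{method} {url} {status} {nbytes}B"})
    for line in dns_logs:
        ts, src, qname = line.split()
        ind = match_dns(qname, compiled)
        if ind:
            hits[src].append({"source": "dns", "ts": ts, "indicator": ind,
                              "evidence": qname})
    return dict(hits)


if __name__ == "__main__":
    for src, src_hits in correlate(PROXY_LOGS, DNS_LOGS, INTEL_INDICATORS).items():
        for hit in src_hits:
            print(src, hit["source"], hit["ts"], hit["indicator"], hit["evidence"])
```

Run against the constructed data, 10.0.0.7 is flagged twice (proxy and DNS, both against the adversary-registered domain), 10.0.0.5 once (proxy only, on the exact paste path), and 10.0.0.9 not at all even though it resolved and fetched from the same shared service. That last case is the point of the blind-spot warning: without the path, traffic to an abused shared service is indistinguishable from legitimate use, so hunts built on such indicators need web-access telemetry, not just DNS.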

Mitigation priorities

  • Strengthen collection and retention for DNS, proxy, firewall, and network metadata related to web-service communications.
  • Establish a repeatable process for ingesting and reviewing infrastructure intelligence from trusted sources.
  • Define incident response playbooks for cases where external infrastructure findings must be correlated with internal telemetry.
  • Review controls and monitoring for web-service based command-and-control and exfiltration paths.
  • Document visibility limits so risk owners and auditors understand where detection depends on external intelligence or later-stage activity.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a technique, and it has no supplied tactic, relationship context, aliases, labels, or official detection block. Its key decision value is the warning that abused web-service infrastructure may be largely outside the victim’s visibility, shifting emphasis toward intelligence correlation and related-stage detection.

This take is limited to the official STIX fields, references, and description supplied. It does not assert active exploitation, attribution, affected industries, specific tools, or guaranteed detection coverage. Local telemetry, threat intelligence quality, and environment-specific web-service usage patterns are required to operationalize it.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: not present in the mirrored snapshot
Modified: not present in the mirrored snapshot
Raw hash: 3da71cedea307789...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not shown) | 1.0 | (not shown) | Current bundle | 3da71cedea30…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] ThreatConnect Infrastructure Dec 2020: ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
  2. [2] mitre-attack AN2014: the mirrored MITRE ATT&CK source object for this analytic.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.