MITRE ATT&CK® Analytic

AN2028: Analytic 2028

Once adversaries leverage the web service as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.[1] Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control (Web Service) or Exfiltration Over Web Service.

Enterprise | AN2028 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about recognizing adversary use of public web services as infrastructure by looking for distinctive characteristics of the adversary’s software or infrastructure patterns. Its business value is mostly in threat intelligence and proactive hunting, because ATT&CK notes much of the activity may occur outside the target organization’s visibility. Leaders should treat it as a way to enrich risk decisions around command-and-control and web-service-based exfiltration, not as a standalone internal detection guarantee.

Executive priority

Prioritize this where the organization depends on early warning, external attack-surface visibility, managed detection, or threat intelligence to reduce dwell time. The key decision is whether the security program has enough external infrastructure intelligence and internal follow-on telemetry to connect suspicious web-service infrastructure to actual enterprise exposure. This analytic can support incident scoping and control validation, but it should not be counted as compliance or SOC coverage by itself without evidence from local telemetry.

Technical view

The supplied ATT&CK object places this analytic on the PRE platform and states that detection is difficult because activity often happens outside the target organization’s visibility. SOC, detection engineering, and threat intelligence teams should validate whether they can identify unique adversary software or infrastructure characteristics from external research, then pivot internally for related activity involving Web Service command-and-control or Exfiltration Over Web Service. Because no official detection logic is provided, implementation should focus on documented hypotheses, enrichment sources, and correlation with internal network, proxy, DNS, and cloud/SaaS access evidence where available.

Likely telemetry

  • External infrastructure intelligence and threat research findings
  • Domain, URL, and web-service reputation or enrichment data
  • DNS resolution and passive DNS context where available
  • Proxy, secure web gateway, or network egress logs
  • Cloud/SaaS access logs involving web services

Detection direction

  • Do not treat this as a simple signature; validate whether the organization has reliable sources for unique adversary software or infrastructure characteristics.
  • Correlate external infrastructure indicators with internal egress, DNS, proxy, and SaaS activity before escalating as enterprise impact.
  • Tune for false positives because legitimate web services, shared hosting, and common cloud infrastructure can resemble adversary infrastructure without additional context.
  • Use this analytic as a hunting and enrichment layer for related ATT&CK behaviors: Web Service command-and-control and Exfiltration Over Web Service.
  • Document blind spots explicitly, especially where activity occurs outside organizational visibility or where external infrastructure telemetry is not collected.
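The correlation and tuning steps above can be expressed as a small hunting script. The following is an added example (not part of the ATT&CK object or the Glexia analysis): it takes a constructed list of external web-service infrastructure indicators, each with an analyst confidence level and a flag for shared hosting, matches them against constructed proxy and DNS log lines, and decides per indicator whether the hit should be escalated as enterprise exposure or kept as a hunting lead. The log formats, indicator names, hosts, IPs, thresholds and the escalation policy are all hypothetical.

```python
"""Correlate external web-service infrastructure intelligence with internal
proxy and DNS telemetry, then decide whether a hit is worth escalating."""
import re
from dataclasses import dataclass, field

# Constructed intel entries: hypothetical indicators, not real infrastructure.
# "shared_hosting" marks names where many legitimate tenants share the service.
INTEL = [
    {"indicator": "files.example-paste.test", "confidence": "high", "shared_hosting": False},
    {"indicator": "cdn-shared.example.test", "confidence": "medium", "shared_hosting": True},
    {"indicator": "update.example-c2.test", "confidence": "low", "shared_hosting": False},
]

# Constructed proxy log lines: timestamp, internal host, destination, method, bytes out.
PROXY_LOGS = """\
2024-05-01T10:00:01Z ws-017 files.example-paste.test POST 48211
2024-05-01T10:05:02Z ws-017 files.example-paste.test POST 51002
2024-05-01T10:07:40Z ws-021 cdn-shared.example.test GET 1203
2024-05-01T10:09:13Z ws-033 www.example.test GET 8800
""".splitlines()

# Constructed DNS log lines: timestamp, internal host, query name, type, answer.
DNS_LOGS = """\
2024-05-01T09:59:58Z ws-017 files.example-paste.test A 198.51.100.7
2024-05-01T10:07:39Z ws-021 cdn-shared.example.test A 203.0.113.9
2024-05-01T10:30:00Z ws-040 update.example-c2.test A 203.0.113.40
""".splitlines()

PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<bytes_out>\d+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<answer>\S+)$")


@dataclass
class Evidence:
    proxy_events: int = 0
    dns_events: int = 0
    bytes_out: int = 0
    internal_hosts: set = field(default_factory=set)


def domain_matches(indicator, name):
    """True when name is the indicator itself or a subdomain of it."""
    return name == indicator or name.endswith("." + indicator)


def collect_evidence(intel, proxy_lines, dns_lines):
    """Count internal proxy and DNS events that touch each intel indicator."""
    evidence = {entry["indicator"]: Evidence() for entry in intel}
    for line in proxy_lines:
        m = PROXY_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        for indicator, ev in evidence.items():
            if domain_matches(indicator, m["dst"]):
                ev.proxy_events += 1
                ev.bytes_out += int(m["bytes_out"])
                ev.internal_hosts.add(m["host"])
    for line in dns_lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        for indicator, ev in evidence.items():
            if domain_matches(indicator, m["qname"]):
                ev.dns_events += 1
                ev.internal_hosts.add(m["host"])
    return evidence


def triage(intel, evidence, exfil_bytes=50_000):
    """Map each indicator with internal exposure to 'escalate' or 'hunt'.

    Hypothetical policy: high-confidence intel with real egress escalates; anything
    else must be corroborated by both DNS and proxy telemetry and must not be a
    shared-hosting name, which needs more context before it counts as adversary
    infrastructure."""
    findings = {}
    for entry in intel:
        ev = evidence[entry["indicator"]]
        if ev.proxy_events == 0 and ev.dns_events == 0:
            continue  # intelligence without internal exposure: no finding
        corroborated = ev.proxy_events > 0 and ev.dns_events > 0
        if entry["confidence"] == "high" and ev.proxy_events > 0:
            decision = "escalate"
        elif corroborated and not entry["shared_hosting"]:
            decision = "escalate"
        else:
            decision = "hunt"
        notes = []
        if entry["shared_hosting"]:
            notes.append("shared hosting: confirm the tenant before attributing")
        if ev.bytes_out >= exfil_bytes:
            notes.append("outbound volume above threshold: review for exfiltration")
        if not corroborated:
            notes.append("single telemetry source: look for the missing DNS or proxy evidence")
        findings[entry["indicator"]] = {
            "decision": decision,
            "hosts": sorted(ev.internal_hosts),
            "bytes_out": ev.bytes_out,
            "notes": notes,
        }
    return findings


def run_example():
    return triage(INTEL, collect_evidence(INTEL, PROXY_LOGS, DNS_LOGS))


if __name__ == "__main__":
    for indicator, finding in run_example().items():
        print(indicator, finding["decision"], finding["hosts"], finding["notes"])
```

With the constructed data, only the high-confidence indicator seen in proxy traffic escalates; the shared-hosting name and the DNS-only hit stay as hunting leads with a note saying what evidence is still missing, which is the blind-spot documentation the last bullet asks for. In practice the intel list, log parsers and thresholds would come from the organization's own enrichment sources and retained egress telemetry.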

Mitigation priorities

  • Establish a threat intelligence process for tracking suspicious web-service infrastructure and documenting confidence levels.
  • Ensure internal egress, DNS, proxy, and relevant cloud/SaaS logs are retained and searchable for correlation.
  • Define incident response playbooks for when external infrastructure intelligence intersects with internal traffic or account activity.
  • Review web-service egress governance and monitoring assumptions, especially for services commonly used for command-and-control or exfiltration paths.
  • Use findings to prioritize control validation rather than assuming the analytic alone proves prevention or detection coverage.

Analyst notes and limits

ATT&CK provides a concise description and one external reference, but no official detection logic and no relationship context in the supplied data. The most useful application is as a threat-intelligence-led hunting concept that becomes actionable only when combined with local telemetry and related lifecycle activity.

The object has platform PRE, no specified tactics, no official detection field, and no supplied relationships. The take cannot infer active exploitation, attribution, specific tools, affected customers, or guaranteed detectability. Local logging, enrichment sources, and investigative evidence are required to determine practical coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: a65f2ca1d8ce3ec6...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | a65f2ca1d8ce…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] ThreatConnect Infrastructure Dec 2020: ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
  2. [2] mitre-attack AN2028
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.