DET0425: Suspicious Use of Web Services for C2
Analyst context for executives and security teams
This detection strategy is about spotting suspicious command-and-control activity that hides inside legitimate web services. The business issue is not the web service itself; it is that trusted cloud, social, or popular web platforms can make malicious outbound communication look normal. Leaders should treat this as a visibility and decision-quality problem: can the organization distinguish routine use of common web services from compromised systems relaying data through them?
Executive priority
Prioritize this where business operations depend on broad internet and cloud access, because blocking every popular service is usually impractical. The key executive question is whether SOC, incident response, and network teams have enough evidence to investigate suspicious use of legitimate web services without disrupting normal operations. This also supports audit and resilience discussions around outbound traffic governance, cloud service visibility, and command-and-control detection readiness.
Technical view
DET0425 detects ATT&CK technique T1102 Web Service under command-and-control. The related technique applies to ESXi, Linux, macOS, and Windows. SOC and detection teams should validate whether they can identify unusual or unauthorized use of legitimate external web services from endpoints and servers, especially where those services are common enough to blend into baseline traffic. Because the detection strategy object has no official detection text, implementation should be grounded in local baselines, relationship context to T1102, and available network, endpoint, DNS, proxy, and authentication telemetry.
Likely telemetry
- Proxy, secure web gateway, or firewall logs showing outbound web connections
- DNS query and resolution logs for external web services
- Endpoint network connection telemetry from Windows, macOS, Linux, and ESXi where available
- TLS/HTTP metadata such as destination domain, URL category, user agent, request volume, and timing where collected
- Cloud or SaaS access logs for legitimate external services used by the organization
Detection direction
- Establish baselines for legitimate web service usage by host role, user population, and business function before alerting on anomalies.
- Look for hosts communicating with popular external services in ways inconsistent with normal user or server behavior, such as unusual timing, volume, frequency, or source systems.
- Correlate web service access with endpoint process and network telemetry to reduce false positives from normal browser, collaboration, or cloud productivity use.
- Pay special attention to servers, appliances, and infrastructure hosts (whether Windows, macOS, Linux, or ESXi) that have no routine business reason to interact with consumer or broad-audience web services; a web-service connection from such a system is far more anomalous than the same connection from a user workstation.
- Tune detections to avoid treating all access to major cloud or social platforms as suspicious; the material signal is unexpected context, not the presence of a well-known service alone.
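The telemetry list and detection direction above describe the logic in prose: baseline by host role, then flag web-service connections whose context (role, client type, timing) is unexpected rather than flagging the service itself. The following Python script is an added example, not part of the ATT&CK object or of Glexia's page, that runs that logic over a handful of constructed proxy log lines. The log format, host roles, approved-domain list, category expectations, and thresholds are all hypothetical local-policy inputs; a real deployment would take them from the proxy or secure web gateway schema and the organization's service inventory.

```python
"""Added example (not from the ATT&CK object or the Glexia page): score outbound
web-service connections from constructed proxy log lines, flagging unexpected
context (host role, non-browser client, machine-regular timing) rather than
the mere presence of a well-known service.

All inputs below are hypothetical: the pipe-separated log format, the host
roles, the approved-domain list, the per-role category expectations and the
beaconing threshold are local policy choices, not ATT&CK-defined values.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not real traffic).  Fields:
# timestamp | src_host | host_role | dest_domain | url_category | user_agent | bytes_out
SAMPLE_LOG = """\
2024-03-01T09:00:00 | wks-1042 | workstation | docs.example-cloud.test | cloud-storage | Mozilla/5.0 | 1200
2024-03-01T09:03:10 | wks-1042 | workstation | social.example.test | social | Mozilla/5.0 | 800
2024-03-01T09:41:55 | wks-1042 | workstation | docs.example-cloud.test | cloud-storage | Mozilla/5.0 | 4100
2024-03-01T02:00:00 | db-srv-07 | server | paste.example.test | social | python-requests/2.31 | 512
2024-03-01T02:05:00 | db-srv-07 | server | paste.example.test | social | python-requests/2.31 | 530
2024-03-01T02:10:00 | db-srv-07 | server | paste.example.test | social | python-requests/2.31 | 498
2024-03-01T02:15:00 | db-srv-07 | server | paste.example.test | social | python-requests/2.31 | 515
2024-03-01T02:20:00 | db-srv-07 | server | paste.example.test | social | python-requests/2.31 | 520
2024-03-01T10:00:00 | app-srv-03 | server | api.example-cloud.test | cloud-storage | Mozilla/5.0 | 900
"""

# Hypothetical local policy: which URL categories each host role is expected
# to use, and which destinations are explicitly business-approved.
EXPECTED_CATEGORIES = {
    "workstation": {"cloud-storage", "social", "collaboration"},
    "server": {"cloud-storage"},  # servers normally reach approved APIs only
}
APPROVED_DOMAINS = {"docs.example-cloud.test", "api.example-cloud.test"}
BROWSER_UA_PREFIXES = ("Mozilla/",)
MIN_EVENTS_FOR_BEACON = 4
BEACON_MAX_CV = 0.2  # coefficient of variation of inter-arrival gaps


def parse_log(text):
    """Parse the pipe-separated sample format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, role, domain, category, ua, size = [f.strip() for f in line.split("|")]
        events.append({
            "ts": datetime.fromisoformat(ts), "host": host, "role": role,
            "domain": domain, "category": category, "ua": ua, "bytes": int(size),
        })
    return events


def beacon_score(timestamps):
    """Coefficient of variation of inter-arrival gaps, or None if too few events.

    A value near zero means machine-regular timing, the polling pattern an
    implant relaying through a web service tends to produce; human browsing
    is bursty and scores much higher.
    """
    if len(timestamps) < MIN_EVENTS_FOR_BEACON:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else 0.0


def evaluate(events):
    """Group by (host, domain) and return findings whose context is unexpected.

    Approved destinations skip the role and client checks (their presence is
    normal) but are still checked for beaconing, since a trusted service can
    be abused just as easily as an unknown one.
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e["host"], e["domain"])].append(e)
    findings = []
    for (host, domain), evs in groups.items():
        reasons = []
        role, category = evs[0]["role"], evs[0]["category"]
        approved = domain in APPROVED_DOMAINS
        if not approved and category not in EXPECTED_CATEGORIES.get(role, set()):
            reasons.append(f"{role} not expected to use {category} services")
        if not approved and not any(e["ua"].startswith(BROWSER_UA_PREFIXES) for e in evs):
            reasons.append("non-browser user agent")
        cv = beacon_score([e["ts"] for e in evs])
        if cv is not None and cv <= BEACON_MAX_CV:
            reasons.append(f"regular polling interval (cv={cv:.2f}, n={len(evs)})")
        if reasons:
            findings.append({"host": host, "domain": domain, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in evaluate(parse_log(SAMPLE_LOG)):
        print(f["host"], "->", f["domain"], ";", "; ".join(f["reasons"]))
```

On the sample data only the database server's five-minute polling of a paste service is reported, with three independent reasons; the workstation's browsing of the same social category and both hosts' use of the approved cloud domains produce nothing, which is the tuning point the last bullet above makes. In production the per-role expectations and the approved list would be generated from the service inventory rather than hard-coded, and the beaconing check should run over a sliding window long enough to catch slow intervals.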
Mitigation priorities
- Confirm which external web services are business-approved and where their use is expected.
- Strengthen outbound traffic governance with egress controls, proxying, DNS visibility, and logging appropriate to the environment.
- Improve endpoint and network telemetry coverage across Windows, macOS, Linux, and ESXi assets where command-and-control visibility is required.
- Use allowlisting or tighter access policies for systems with limited business need for broad internet access, especially servers and infrastructure platforms.
- Integrate suspicious web-service usage playbooks into incident response so analysts can quickly determine whether activity is user-driven, application-driven, or potentially compromised-host driven.
Analyst notes and limits
The supplied ATT&CK detection strategy has no official description or detection text. The practical value comes from its relationship to T1102 Web Service, which describes adversaries using legitimate external web services to relay data to or from compromised systems. Local service inventories, traffic baselines, and telemetry depth will decide whether this can be detected reliably.
This take does not assert active exploitation, attribution, guaranteed detection coverage, or specific vendor controls. Platforms are inferred only from the related T1102 technique. Because the detection strategy lacks official detection guidance, organizations must validate detection logic against their own approved web services, endpoint mix, logging architecture, and acceptable-use patterns.
Suspicious Use of Web Services for C2
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1102 | Web Service | This object detects Web Service. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | (not recorded) | 1.0 | (not recorded) | Current bundle | b70725548fbe… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0425 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.