MITRE ATT&CK® Detection Strategy

DET0581: Detect One-Way Web Service Command Channels


Enterprise · DET0581 · Detection Strategy · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0581 is a MITRE detection strategy for identifying one-way command channels that use legitimate external web services. The business issue is not the web service itself, but the loss of visibility when a compromised system can receive instructions from public sites or social platforms while sending little or no response on the same channel. This can make command-and-control activity look like ordinary web traffic unless teams validate outbound web telemetry and context around unusual service use.

Executive priority

Prioritize this as a command-and-control visibility question: can the organization distinguish normal access to legitimate web services from compromised hosts retrieving instructions from them? Leaders should ask whether SOC, incident response, and compliance evidence cover outbound web activity from Windows, Linux, macOS, and ESXi environments where applicable, and whether monitoring accounts for attackers using trusted third-party services rather than obviously malicious infrastructure.

Technical view

This detection strategy is associated with ATT&CK technique T1102.003, One-Way Communication, under command-and-control. Because the official detection strategy object does not provide its own detection text or platforms, teams should anchor validation to the related technique: compromised systems may retrieve commands from legitimate external web services and may return output through a separate channel or not return output at all. SOC teams should test whether detections depend too heavily on bidirectional C2 patterns, known bad domains, or obvious beacon responses.

Likely telemetry

  • Outbound web proxy, secure web gateway, or firewall logs showing access to external web services
  • DNS resolution logs for externally hosted web services and associated domains
  • Endpoint network connection telemetry from relevant enterprise systems
  • Process-to-network correlation where available to identify unusual applications contacting web services
  • Authentication or access logs for sanctioned web services, where organizationally available

Detection direction

  • Validate coverage for one-way command retrieval patterns, not only interactive or bidirectional C2 sessions.
  • Review unusual or newly observed external web service access by endpoints, especially when the calling process or host role does not match expected business use.
  • Tune carefully because popular websites and social media can generate high false-positive volume; prioritize context such as host role, process lineage, frequency, destination novelty, and user expectation.
  • Look for separation of channels: command retrieval from one web service with possible output over another channel, or no obvious output channel at all.
  • Avoid assuming malicious infrastructure reputation will be sufficient, since the related technique explicitly involves legitimate external web services.
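The detection direction above combines several weak signals (destination novelty, process lineage, host role, polling regularity, retrieve-only traffic shape) rather than relying on infrastructure reputation. The following is an added example, not part of the Glexia page or any MITRE analytic: it scores constructed web-proxy records per (host, process, destination) and raises a finding only when several signals fire together. The log format, hostnames, process allow-list, destination baseline and thresholds are all assumptions chosen for illustration.

```python
"""Score outbound web-proxy records for one-way command-retrieval patterns.

Added example. Sample log lines, destination names, host roles and thresholds
are constructed for illustration and are not taken from the DET0581 object.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: ts host process user dest method status bytes_out bytes_in
SAMPLE_LOG = """\
2024-05-01T09:00:00 WS-042 chrome.exe alice www.example-news.test GET 200 612 84210
2024-05-01T09:03:11 WS-042 chrome.exe alice www.example-news.test GET 200 598 77310
2024-05-01T09:00:00 SRV-DB01 powershell.exe svc_backup paste.example.test GET 200 410 1320
2024-05-01T09:05:00 SRV-DB01 powershell.exe svc_backup paste.example.test GET 200 410 1318
2024-05-01T09:10:00 SRV-DB01 powershell.exe svc_backup paste.example.test GET 200 410 1322
2024-05-01T09:15:00 SRV-DB01 powershell.exe svc_backup paste.example.test GET 200 410 1319
2024-05-01T09:20:00 SRV-DB01 powershell.exe svc_backup paste.example.test GET 200 410 1321
2024-05-01T09:01:30 WS-017 teams.exe bob social.example.test GET 200 1540 90200
2024-05-01T09:02:10 WS-017 teams.exe bob social.example.test POST 200 22100 540
"""

# Constructed baselines: destinations seen before, host roles, processes expected to talk HTTP.
KNOWN_DESTINATIONS = {"www.example-news.test", "social.example.test"}
HOST_ROLES = {"WS-042": "workstation", "WS-017": "workstation", "SRV-DB01": "server"}
BROWSER_LIKE = {"chrome.exe", "msedge.exe", "firefox.exe", "teams.exe"}


def parse_line(line):
    """Split one space-delimited proxy record into typed fields (assumed format)."""
    f = line.split()
    return {"ts": datetime.fromisoformat(f[0]), "host": f[1], "process": f[2],
            "user": f[3], "dest": f[4], "method": f[5], "status": int(f[6]),
            "bytes_out": int(f[7]), "bytes_in": int(f[8])}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def score_sessions(records, min_requests=4, max_jitter_ratio=0.1, min_reasons=3):
    """Group records by (host, process, dest) and return findings with the signals that fired.

    A single signal (e.g. retrieve-only GETs) describes most normal browsing, so a
    finding requires at least `min_reasons` independent signals on the same group.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["host"], r["process"], r["dest"])].append(r)

    findings = []
    for (host, proc, dest), rs in groups.items():
        rs.sort(key=lambda r: r["ts"])
        reasons = []
        if dest not in KNOWN_DESTINATIONS:
            reasons.append("destination-novelty")      # never seen in the baseline
        if proc not in BROWSER_LIKE:
            reasons.append("non-browser-process")      # process lineage does not match web use
        if HOST_ROLES.get(host) == "server":
            reasons.append("server-host-role")         # role should not browse public services
        if len(rs) >= min_requests:
            # Periodic polling: inter-arrival times with very low jitter relative to their mean.
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rs, rs[1:])]
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter_ratio:
                reasons.append("periodic-polling")
            # One-way shape: only GETs, near-identical request sizes, nothing uploaded.
            sizes = [r["bytes_out"] for r in rs]
            if all(r["method"] == "GET" for r in rs) and max(sizes) - min(sizes) <= 16:
                reasons.append("retrieve-only")
        if len(reasons) >= min_reasons:
            findings.append({"host": host, "process": proc, "dest": dest,
                             "requests": len(rs), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in score_sessions(parse_log(SAMPLE_LOG)):
        print(f"{f['host']} {f['process']} -> {f['dest']} ({f['requests']} requests): "
              + ", ".join(f["reasons"]))
```

On the constructed input only the server polling an unknown paste-style service from PowerShell every five minutes with identical GETs is reported; the two workstations reach known destinations from browser-like processes and accumulate no signals. In production the baselines would come from historical proxy data and a CMDB, and the thresholds would be tuned against the false-positive volume the "Detection direction" bullets warn about.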

Mitigation priorities

  • Establish baseline and policy for permitted use of external web services from servers, workstations, and virtualization infrastructure where applicable.
  • Ensure outbound web access is logged and reviewable by SOC and incident response teams.
  • Apply egress controls and proxy enforcement where business operations allow, especially for systems that should not browse public web services.
  • Correlate web, DNS, endpoint process, and network telemetry to reduce false positives and support investigation decisions.
  • Document monitoring coverage and exceptions as compliance and incident readiness evidence.

Analyst notes and limits

The supplied ATT&CK detection strategy has no official description, detection text, tactics, or platforms of its own. The practical guidance here is therefore derived from the explicit relationship showing DET0581 detects T1102.003 One-Way Communication, including its command-and-control context and listed platforms of Linux, macOS, Windows, and ESXi.

This take does not establish that any organization is exposed or that this behavior is actively exploited. Local conclusions require environment-specific evidence: allowed web services, endpoint roles, available proxy/DNS/EDR logging, egress architecture, and SOC tuning history. ATT&CK did not provide detailed analytics for this detection strategy in the supplied fields.

Official MITRE ATT&CK definition

Detect One-Way Web Service Command Channels

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID          Name                     Relationship / procedure
Enterprise  T1102.003   One-Way Communication    Sub-technique. This object detects One-Way Communication.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: b13469fcd7de2223...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   b13469fcd7de…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0581 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.