DET0896: Detection of Web Services
Analyst context for executives and security teams
DET0896 is a MITRE detection strategy for identifying adversary use of registered web services as part of resource development. The business issue is not the registration itself in isolation; it is that ordinary web services can later support phishing, command and control, or exfiltration workflows, making malicious preparation blend into normal internet activity.
Executive priority
Security leaders should treat this as an early-warning and readiness question: can the organization recognize web-service infrastructure that is being prepared for later operations against it, and can SOC, email, proxy, threat intelligence, and incident response teams connect that preparation to later phishing, C2, or exfiltration evidence? Because the ATT&CK object provides no official detection logic or platform scope, investment decisions should focus on validating data availability and response process rather than assuming a specific analytic is already defined.
Technical view
The supplied relationship shows this detection strategy covers T1583.006 Web Services, a PRE-platform sub-technique under Resource Development. SOC and detection teams should validate whether they can observe, or at least enrich, suspicious use of common web services when those services appear in phishing reports, network traffic, exfiltration investigations, or command-and-control leads. Since ATT&CK provides no official detection text for DET0896, local analytics should be built around environment-specific baselines, external intelligence, and correlation with the later-stage techniques the related technique description points to: Web Service (T1102), Exfiltration Over Web Service (T1567), and Phishing (T1566).
Likely telemetry
- Threat intelligence or external monitoring for web-service accounts, pages, URLs, or hosted content relevant to the organization
- Email security and phishing-report telemetry containing links to common web services
- Web proxy, DNS, and network logs showing user or system interaction with web-service URLs
- Incident response artifacts that identify web-service accounts or URLs used in phishing, command and control, or exfiltration investigations
- Case management or SOC alert context linking suspicious web-service usage to later intrusion activity
Detection direction
- Do not rely on generic blocking of popular web services; tune for suspicious context, such as unexpected business use, links reported in phishing, or web-service URLs recurring across incidents.
- Validate whether detections can correlate early resource-development indicators with later phishing, C2, or exfiltration evidence.
- Account for high false-positive potential because legitimate employees and partners commonly use public web services.
- Identify blind spots where TLS inspection limits, short log retention, unmanaged devices, or lack of phishing-report enrichment prevent analysts from seeing web-service usage clearly.
- Use the related ATT&CK context to prioritize correlation with T1583.006 rather than treating every web-service interaction as malicious.
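The correlation the bullets above call for can be sketched as a small analytic: take web-service URLs that arrive in phishing reports, check proxy telemetry for users who actually interacted with them, and count how often the same resource recurs across incident cases, while leaving ordinary use of the same services (developers pulling from GitHub) unflagged. The following is an added example written for this page, not MITRE or Glexia code. The service list, log format, report records and incident IOCs are all constructed assumptions; a real deployment would substitute its own telemetry schema and an organization-specific baseline.

```python
"""Correlate web-service URLs across phishing reports, proxy logs and
incident cases.  Added illustration only; every record below is constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: an organization-specific list of public web services whose
# mere use is normal; only surrounding context makes them suspicious.
WEB_SERVICE_HOSTS = {"pastebin.com", "github.com", "dropbox.com", "discord.com"}

# Constructed phishing-report telemetry: (report_id, URL found in the reported mail)
PHISH_REPORTS = [
    ("PR-1", "https://pastebin.com/raw/a1b2c3"),
    ("PR-2", "https://dropbox.com/s/x9y8z7/invoice.pdf"),
    ("PR-3", "https://intranet.example.internal/hr/policy"),  # not a web service
]

# Constructed proxy log lines in an assumed key=value format
PROXY_LOGS = """\
2026-03-01T09:12:03Z user=alice dst=https://github.com/org/repo action=allow
2026-03-01T09:13:44Z user=bob dst=https://pastebin.com/raw/a1b2c3 action=allow
2026-03-01T09:20:10Z user=carol dst=https://github.com/org/repo action=allow
2026-03-01T10:02:51Z user=dave dst=https://dropbox.com/s/x9y8z7/invoice.pdf action=allow
2026-03-01T10:05:00Z user=erin dst=https://github.com/org/other action=allow
""".splitlines()

# Constructed incident-response artefacts: incident id -> URLs tied to the case
INCIDENT_IOCS = {
    "INC-100": ["https://pastebin.com/raw/a1b2c3"],
    "INC-104": ["https://pastebin.com/raw/a1b2c3",
                "https://dropbox.com/s/x9y8z7/invoice.pdf"],
}

LOG_RE = re.compile(r"user=(?P<user>\S+) dst=(?P<url>\S+)")


def normalize(url: str) -> str:
    """Drop scheme and query, lower-case the host, so the same hosted
    resource matches across telemetry sources."""
    parts = urlsplit(url)
    return f"{parts.hostname.lower()}{parts.path.rstrip('/')}"


def is_web_service(url: str) -> bool:
    host = urlsplit(url).hostname or ""
    return host.lower() in WEB_SERVICE_HOSTS


def proxy_hits():
    """resource -> set of users who interacted with it."""
    hits = defaultdict(set)
    for line in PROXY_LOGS:
        m = LOG_RE.search(line)
        if m:
            hits[normalize(m["url"])].add(m["user"])
    return hits


def incident_recurrence():
    """resource -> number of distinct incidents it appears in."""
    seen = defaultdict(set)
    for inc, urls in INCIDENT_IOCS.items():
        for u in urls:
            seen[normalize(u)].add(inc)
    return {r: len(incs) for r, incs in seen.items()}


def correlate(min_incidents=2):
    """Findings for web-service URLs with suspicious context: reported in
    phishing, interacted with per the proxy, or recurring across incidents.
    Plain use of a web service (github.com in the proxy log) yields nothing,
    which is the false-positive control the strategy needs."""
    hits = proxy_hits()
    recurrence = incident_recurrence()
    findings = {}
    for report_id, url in PHISH_REPORTS:
        if not is_web_service(url):
            continue  # outside this strategy's scope; route to other analytics
        res = normalize(url)
        reasons = [f"reported in phishing ({report_id})"]
        clicked = sorted(hits.get(res, ()))
        if clicked:
            reasons.append(f"proxy shows interaction by {', '.join(clicked)}")
        n = recurrence.get(res, 0)
        if n >= min_incidents:
            reasons.append(f"recurs across {n} incidents")
        findings[res] = {"users": clicked, "incidents": n, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for resource, f in correlate().items():
        print(resource, "->", "; ".join(f["reasons"]))
```

Run stand-alone, the script reports the Pastebin paste (phished, clicked by one user, seen in two incidents) and the Dropbox link (phished and clicked), and stays silent on the GitHub traffic despite three users touching it. The blind spots in the bullets above apply directly: without TLS inspection the proxy `dst` field collapses to a hostname, and the path-level match this example relies on disappears.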
Mitigation priorities
- Establish ownership for monitoring and triaging suspicious web-service infrastructure relevant to the organization.
- Ensure email, web, DNS, and incident response telemetry is retained and searchable enough to investigate web-service URLs or accounts.
- Define response playbooks for suspected phishing, C2, or exfiltration over web services, including evidence preservation and escalation paths.
- Use acceptable-use policy, security awareness, and web access controls to reduce unnecessary exposure while preserving legitimate business use.
- Feed confirmed suspicious web-service indicators into detection engineering and threat intelligence processes, with expiration and validation to avoid stale blocking.
Analyst notes and limits
This object is a detection strategy, not a technique. The only supplied behavioral context is its relationship to T1583.006 Web Services, which sits under resource development and applies to PRE. The official object has no description, no detection text, and no specified platforms or tactics, so any operational analytic must be derived and validated locally.
The ATT&CK fields supplied for DET0896 are sparse. This analysis does not assert active exploitation, attribution, platform coverage, or guaranteed detection. Specific detection logic, service lists, thresholds, and response actions require local telemetry, business context, and risk tolerance.
Detection of Web Services
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1583.006 | Web Services (sub-technique of T1583 Acquire Infrastructure) | This object detects Web Services. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources and Updates pages.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 1fbc121ed463… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0896 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.