MITRE ATT&CK® Technique

T1481.003: One-Way Communication

Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to a compromised system without receiving return output. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.

Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Domain: Mobile | ID: T1481.003 | Type: Sub-technique | Object v1.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

One-Way Communication is a mobile command-and-control pattern where a compromised Android or iOS device retrieves instructions from a legitimate external web service, such as a popular website or social media service, without necessarily sending results back on the same channel. The business issue is not the novelty of the channel; it is that the traffic can look like normal mobile app or web activity and may be protected by SSL/TLS, making simple blocking or domain allow-list assumptions less reliable.

Executive priority

Security leaders should treat this as a visibility and policy-validation problem for mobile environments. If business-owned or managed mobile devices can freely reach common web and social platforms, adversary instructions may blend into expected traffic. Priority decisions should focus on whether the organization has defensible evidence for mobile network activity, managed mobile device behavior, and incident response workflows when command activity uses legitimate third-party services rather than obvious malicious infrastructure.

Technical view

For SOC, detection engineering, and IR teams, the key validation point is whether Android and iOS telemetry can distinguish ordinary use of legitimate web services from suspicious one-way command retrieval patterns. ATT&CK does not provide official detection text for this object, but the relationship to DET0610 indicates a detection strategy exists for One-Way Communication. Teams should also consider the parent technique, Web Service, because this sub-technique depends on legitimate external services for C2 relay. Twitoor is listed as Android software using this behavior, so Android coverage should be explicitly validated where Android devices are in scope.

Likely telemetry

  • Mobile device network connection metadata to external web services and social media platforms
  • DNS and proxy logs for mobile-originated traffic where available
  • TLS/SSL connection metadata, acknowledging payload visibility may be limited by encryption
  • Mobile device management or endpoint security telemetry for app behavior on Android and iOS
  • Web service access patterns showing unusual polling, timing, or destination use by mobile devices

Detection direction

  • Validate whether DET0610 or equivalent analytics are implemented and mapped to T1481.003 rather than assuming generic web filtering covers this behavior.
  • Baseline expected mobile access to popular web and social media services, then look for unusual polling, newly observed service use, abnormal frequency, or access inconsistent with the device role or user context.
  • Account for SSL/TLS blind spots: detection may depend on metadata, destination reputation/context, device posture, and behavioral patterns rather than content inspection.
  • Correlate network observations with mobile management or endpoint telemetry to reduce false positives from legitimate social media, browser, and business app usage.
  • Review Android-specific coverage in light of the Twitoor relationship; do not generalize Android evidence to iOS without confirming comparable telemetry exists.
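The baselining and polling-regularity checks listed above, as an added example that is not part of the Glexia take or of any MITRE content: it builds a per-device set of previously seen web-service destinations from constructed mobile proxy records, then flags destinations in a later window that are newly observed for that device or that are fetched at near-constant intervals with negligible upload, which is the metadata-only signature of one-way command retrieval the text describes. All log lines, device names, the placeholder host notes.example.org, and the thresholds (five requests, interval coefficient of variation at most 0.15, median upload at most 256 bytes) are constructed assumptions for this example.

```python
"""
Added example (not from the page, Glexia or MITRE): baseline which web
services each managed mobile device normally reaches, then flag destinations
that are newly observed or fetched with machine-like regularity and
negligible upload. Log lines, hosts and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed proxy records: timestamp device dest_host bytes_out bytes_in
BASELINE_LOG = """\
2026-02-01T08:00:12Z dev-a1 api.twitter.com 1320 8810
2026-02-01T08:03:40Z dev-a1 api.twitter.com 950 12450
2026-02-01T12:15:02Z dev-a1 www.google.com 410 5020
2026-02-01T18:42:55Z dev-a1 api.twitter.com 2210 7730
2026-02-01T09:10:10Z dev-b2 www.google.com 380 4410
2026-02-01T13:30:00Z dev-b2 api.twitter.com 1710 9900
"""

# Constructed detection window; notes.example.org is a placeholder host.
WINDOW_LOG = """\
2026-02-02T08:00:00Z dev-a1 api.twitter.com 1130 10100
2026-02-02T09:20:33Z dev-a1 www.google.com 420 6100
2026-02-02T08:00:00Z dev-b2 notes.example.org 61 1200
2026-02-02T08:05:00Z dev-b2 notes.example.org 61 1200
2026-02-02T08:10:00Z dev-b2 notes.example.org 61 1210
2026-02-02T08:15:00Z dev-b2 notes.example.org 61 1200
2026-02-02T08:20:00Z dev-b2 notes.example.org 61 1200
2026-02-02T08:25:00Z dev-b2 notes.example.org 61 1200
2026-02-02T11:47:19Z dev-b2 api.twitter.com 1540 9300
"""


def parse_log(text):
    """Parse space-separated records into dicts with a UTC datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, host, out_b, in_b = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "device": device,
            "host": host,
            "bytes_out": int(out_b),
            "bytes_in": int(in_b),
        })
    return records


def build_baseline(records):
    """Set of destinations each device was seen reaching before the window."""
    seen = defaultdict(set)
    for r in records:
        seen[r["device"]].add(r["host"])
    return seen


def polling_stats(records):
    """Per (device, host): request count, interval regularity, typical upload size."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["device"], r["host"])].append(r)
    stats = {}
    for key, rs in groups.items():
        rs.sort(key=lambda r: r["ts"])
        intervals = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rs, rs[1:])]
        avg = mean(intervals) if intervals else 0.0
        # Coefficient of variation near 0 means a fixed timer, not a person.
        cv = (pstdev(intervals) / avg) if avg > 0 else None
        stats[key] = {
            "count": len(rs),
            "mean_interval_s": avg,
            "interval_cv": cv,
            "median_bytes_out": sorted(r["bytes_out"] for r in rs)[len(rs) // 2],
        }
    return stats


def find_anomalies(baseline, window_records, min_requests=5, max_cv=0.15, max_bytes_out=256):
    """Return findings keyed by (device, host) with the reasons each tripped."""
    findings = {}
    for (device, host), s in polling_stats(window_records).items():
        reasons = []
        if host not in baseline.get(device, set()):
            reasons.append("new_destination")
        if (s["count"] >= min_requests and s["interval_cv"] is not None
                and s["interval_cv"] <= max_cv and s["median_bytes_out"] <= max_bytes_out):
            reasons.append("regular_polling_low_upload")
        if reasons:
            findings[(device, host)] = {"reasons": reasons, **s}
    return findings


def run_example():
    """Baseline on day one, evaluate day two; returns the findings dict."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return find_anomalies(baseline, parse_log(WINDOW_LOG))


if __name__ == "__main__":
    for (device, host), f in run_example().items():
        print(f"{device} -> {host}: {', '.join(f['reasons'])} "
              f"(n={f['count']}, mean interval={f['mean_interval_s']:.0f}s)")
```

On the constructed data only dev-b2 talking to notes.example.org trips: the host is absent from that device's baseline, and six fetches exactly 300 seconds apart with 61-byte uploads satisfy the regularity rule, while the same device's ordinary Twitter and Google traffic does not. In production the baseline would come from MDM or proxy history over weeks rather than one day, and destination context (device role, app attribution from endpoint telemetry) would be joined before alerting, as the correlation bullet above suggests.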

Mitigation priorities

  • Establish policy and monitoring for mobile access to external web and social media services based on business need, device ownership, and risk tolerance.
  • Ensure managed Android and iOS devices provide sufficient network and app telemetry for SOC and IR review.
  • Apply mobile device management and application control practices where appropriate to reduce unauthorized or unnecessary apps that can communicate with external services.
  • Prioritize response playbooks that can investigate legitimate-service C2 scenarios without relying solely on domain blocking.
  • Maintain audit evidence showing which mobile platforms are monitored, what external service traffic is logged, and where encryption limits inspection.

Analyst notes and limits

This object is a mobile sub-technique of T1481 Web Service and applies to Android and iOS. The supplied relationship to Twitoor supports Android-relevant validation, but it does not establish broader prevalence or active exploitation. The ATT&CK object has no specified tactics and no official detection text, so recommendations focus on defensible telemetry and validation rather than prescribed detections.

This take is limited to the supplied ATT&CK fields, external reference, and relationships. It does not assert active campaigns, specific web services in use, impact, attribution, or guaranteed detection. Local device ownership model, mobile management coverage, allowed web services, and available network telemetry are required to determine actual exposure and control effectiveness.

Official MITRE ATT&CK definition

One-Way Communication

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Mobile
ID: T1481
Name: Web Service
Relationship / procedure: This object is a sub-technique of Web Service.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release
19.1
Object version
1.2
Created
Modified
Raw hash
286705d542178262...
Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.2
Modified:
Status: Current bundle
Raw hash: 286705d54217…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack T1481.003 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.