T1584.006: Web Services
Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, SendGrid, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service), Exfiltration Over Web Service, or Phishing.[1] Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. Additionally, leveraging compromised web-based email services may allow adversaries to leverage the trust associated with legitimate domains.
Analyst context for executives and security teams
This technique matters because adversaries can take over legitimate third-party web service accounts and repurpose them as attack infrastructure. For leaders, the risk is not just “bad traffic from the internet”; it is abuse of trusted services such as webmail, code hosting, storage, social media, or messaging providers that may blend into normal business activity and complicate attribution, blocking, and incident scoping.
Executive priority
Prioritize this as a pre-compromise and resilience issue: if the organization cannot distinguish expected use of major web services from suspicious use, later phishing, command-and-control, or exfiltration activity may be harder to detect and contain. Executives should ask whether security teams have visibility into approved third-party service usage, whether exceptions are documented for audit evidence, and whether incident response playbooks cover abuse of legitimate cloud/web services rather than only attacker-owned domains or IPs.
Technical view
ATT&CK places this sub-technique under Resource Development and Compromise Infrastructure on the PRE platform. The key defensive validation is whether SOC and threat hunting teams can identify abnormal use of common web services before or during later activity such as Web Service command and control, Exfiltration Over Web Service, or Phishing. Because MITRE provides no official detection text for this object, detection engineering should use the related DET0882 strategy as a prompt to validate local telemetry, baselines, and allow-list assumptions rather than assume coverage.
Likely telemetry
- Proxy, secure web gateway, firewall, and DNS logs showing access to third-party web services
- Cloud access security broker or SaaS audit logs where available for sanctioned web services
- Email security telemetry for web-based email or trusted-domain phishing patterns
- Endpoint and network telemetry showing unusual processes or hosts communicating with common web platforms
- Identity and access logs tied to organizational accounts on third-party services, where those services are managed by the organization
Detection direction
- Validate that common services are not over-trusted simply because they are popular providers; focus on anomalous destination patterns, unusual user-agent/process context, rare service use by host or user, and unexpected data transfer behavior.
- Tune detections around approved versus unapproved web services, recognizing that broad blocking may be impractical and that legitimate business use can create false positives.
- Correlate suspected web service abuse with later ATT&CK behaviors referenced by MITRE: Web Service command and control, Exfiltration Over Web Service, and Phishing.
- Use relationship context cautiously: ATT&CK associates this technique with multiple groups, a campaign, and software, but local detections should be behavior-based rather than attribution-led.
- Review gaps where TLS inspection, SaaS logging, DNS retention, proxy coverage for remote users, or unmanaged accounts may prevent analysts from proving whether service use was benign or malicious.
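The telemetry and detection-direction points above can be turned into a concrete hunt. The following is an added example (not code from MITRE, Glexia, or the page) that scores proxy log events against a baseline of known host/service pairs, a local allow-list of sanctioned services with the processes expected to use them, and a per-day upload-volume threshold. The log format (pipe-delimited `timestamp|user|host|process|destination|bytes_out`), the service domain map, the allow-list contents, the thresholds and the sample log lines are all assumptions constructed for illustration.

```python
"""Added example: hunt proxy logs for anomalous third-party web-service use.

Assumptions (not from the page): pipe-delimited proxy log with the fields
timestamp|user|host|process|destination|bytes_out, a local allow-list of
sanctioned services, and thresholds chosen for illustration only.
"""
from collections import defaultdict

# Well-known web-service domains (matched as suffixes) mapped to a service label.
WEB_SERVICES = {
    "github.com": "GitHub",
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "twitter.com": "Twitter",
    "sendgrid.com": "SendGrid",
    "drive.google.com": "Google Drive",
    "mail.google.com": "Gmail",
}
# Assumed inventory of sanctioned services and the processes expected to use them.
SANCTIONED = {
    "GitHub": {"chrome.exe", "git.exe"},
    "Google Drive": {"chrome.exe"},
    "Gmail": {"chrome.exe"},
}
BULK_UPLOAD_BYTES = 50_000_000  # illustrative: 50 MB per host, service and day

# Constructed sample log, not real data. Days 05-01/05-02 form the baseline.
SAMPLE_LOG = """\
# timestamp|user|host|process|destination|bytes_out
2024-05-01T09:01:00Z|alice|WS-ALICE|chrome.exe|github.com|1200
2024-05-01T09:05:00Z|alice|WS-ALICE|git.exe|api.github.com|4000
2024-05-01T10:00:00Z|bob|WS-BOB|chrome.exe|drive.google.com|2500
2024-05-02T08:30:00Z|carol|WS-CAROL|chrome.exe|mail.google.com|800
2024-05-03T09:10:00Z|alice|WS-ALICE|git.exe|api.github.com|3000
2024-05-03T09:45:00Z|bob|WS-BOB|powershell.exe|api.github.com|900
2024-05-03T10:02:00Z|carol|WS-CAROL|chrome.exe|mail.google.com|700
2024-05-03T10:15:00Z|dave|WS-DAVE|powershell.exe|content.dropboxapi.com|60000000
2024-05-03T10:20:00Z|dave|WS-DAVE|chrome.exe|www.example.com|500
"""


def service_for(dest):
    """Return the service label whose domain equals or is a suffix of dest, else None."""
    for domain, label in WEB_SERVICES.items():
        if dest == domain or dest.endswith("." + domain):
            return label
    return None


def parse(lines):
    """Parse pipe-delimited log lines into event dicts, skipping comments and blanks."""
    events = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, host, proc, dest, out = line.strip().split("|")
        dest = dest.lower()
        events.append({"day": ts[:10], "user": user, "host": host, "proc": proc.lower(),
                       "dest": dest, "bytes_out": int(out), "service": service_for(dest)})
    return events


def hunt(lines, baseline_end):
    """Return findings as (kind, host, service, detail) tuples.

    Events on or before baseline_end (YYYY-MM-DD) define the expected host/service
    pairs; later events are scored for unsanctioned services, host/service pairs
    never seen in the baseline, unexpected process context, and bulk uploads.
    """
    events = [e for e in parse(lines) if e["service"]]
    baseline = {(e["host"], e["service"]) for e in events if e["day"] <= baseline_end}
    findings, reported, upload = [], set(), defaultdict(int)
    for e in events:
        if e["day"] <= baseline_end:
            continue
        host, svc, proc = e["host"], e["service"], e["proc"]
        if svc not in SANCTIONED:
            if ("unsanctioned", host, svc) not in reported:
                findings.append(("unsanctioned_service", host, svc, e["dest"]))
                reported.add(("unsanctioned", host, svc))
        else:
            if (host, svc) not in baseline and ("new", host, svc) not in reported:
                findings.append(("new_host_service_pair", host, svc, e["dest"]))
                reported.add(("new", host, svc))
            if proc not in SANCTIONED[svc] and ("proc", host, svc, proc) not in reported:
                findings.append(("unexpected_process", host, svc, proc))
                reported.add(("proc", host, svc, proc))
        upload[(e["day"], host, svc)] += e["bytes_out"]
    for (day, host, svc), total in upload.items():
        if total >= BULK_UPLOAD_BYTES:
            findings.append(("bulk_upload", host, svc, f"{total} bytes on {day}"))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG.splitlines(), "2024-05-02"):
        print(finding)
```

Run against the constructed sample, the hunt reports WS-BOB as a host that never used GitHub in the baseline and is now reaching it from powershell.exe, and WS-DAVE for an unsanctioned Dropbox destination that also crosses the upload threshold; alice and carol produce nothing because their use matches the baseline and the expected process. Each finding is a prompt for analysts to pull the matching endpoint, identity and SaaS audit telemetry, not a verdict on its own.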
Mitigation priorities
- Apply pre-compromise controls consistent with M1056: reduce exposed information and attack surface that helps adversaries prepare operations.
- Maintain an inventory of sanctioned third-party web services and expected business use cases so SOC teams can distinguish normal from suspicious activity.
- Require strong identity protections for organizational accounts on external web services, especially services used for code, storage, communications, email, or publishing.
- Establish policy and monitoring for unsanctioned web service use where business risk justifies it, while documenting exceptions for compliance and incident review.
- Prepare incident response procedures for phishing, exfiltration, or command-and-control scenarios that involve legitimate third-party services and may require provider coordination.
Analyst notes and limits
The supplied ATT&CK relationships indicate detection strategy DET0882 and mitigation M1056, plus use by Operation MidnightEclipse, Turla, Earth Lusca, CURIUM, Winter Vivern, and Gootloader. These relationships support prioritizing the behavior for threat-informed defense, but they do not prove current activity in any specific environment. Treat this as a visibility and control validation problem around trusted web services.
MITRE’s official detection field is not provided for this object, and the platform is PRE, so host- or network-specific analytics must be derived from local architecture and telemetry. The supplied data does not justify claims of active exploitation, guaranteed detection, or customer exposure.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1584 | Compromise Infrastructure | This object is a sub-technique of Compromise Infrastructure. |
Groups, software, and campaigns
G0010: Turla
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]
G1006: Earth Lusca
Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some Earth Lusca operations may be financially motivated.[1]
Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster, however security researchers assess Earth Lusca's techniques and infrastructure are separate.[1]
G1012: CURIUM
CURIUM is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East.[1] CURIUM has since invested in building relationships with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note CURIUM has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.[2]
G1035: Winter Vivern
Winter Vivern is a group linked to Russian and Belorussian interests active since at least 2020 targeting various European government and NGO entities, along with sporadic targeting of Indian and US victims. The group leverages a combination of document-based phishing activity and server-side exploitation for initial access, leveraging adversary-controlled and -created infrastructure for follow-on command and control.[1][2][3][4][5]
S1138: Gootloader
Gootloader is a JavaScript-based infection framework that has been used since at least 2020 as a delivery method for the Gootkit banking trojan, Cobalt Strike, REvil, and others. Gootloader operates on an "Initial Access as a Service" model and has leveraged SEO Poisoning to provide access to entities in multiple sectors worldwide including financial, military, automotive, pharmaceutical, and energy.[1][2]
C0048: Operation MidnightEclipse
Operation MidnightEclipse was a campaign conducted in March and April 2024 that involved initial exploitation of the zero-day vulnerability CVE-2024-3400, a critical command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS.[1][2]
Object version and sync metadata
The table below describes the currently mirrored snapshot. When several ATT&CK source imports are retained, the same object can be compared across releases by object version, hash and MITRE timestamp. For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | bf3165dbf683… |
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Recorded Future Turla Infra 2020: Insikt Group. (2020, March 12). Swallowing the Snake’s Tail: Tracking Turla Infrastructure. Retrieved September 16, 2024.
[2] ThreatConnect Infrastructure Dec 2020: ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
[3] mitre-attack T1584.006: MITRE ATT&CK. T1584.006: Web Services.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.