MITRE ATT&CK® Technique

T1102.003: One-Way Communication

Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.

Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Enterprise | T1102.003 | Sub-technique | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

One-Way Communication is a command-and-control behavior where a compromised system retrieves instructions from a legitimate external web service, such as a popular website or social media platform, without sending command output back through that same service. This matters because the traffic can blend into normal business web activity and may be protected by SSL/TLS, making simple domain blocking or perimeter monitoring insufficient.

Executive priority

Treat this as an egress visibility and web-governance issue, not only a malware issue. Leaders should ask whether the organization can distinguish approved business use of common web services from unusual command retrieval by servers, workstations, ESXi systems, or other in-scope platforms. Priority should go to validating web proxy controls, network intrusion prevention at boundaries, and audit-ready evidence that exceptions to popular external services are intentional and monitored.

Technical view

For SOC, detection engineering, and IR teams, the key validation is whether one-way command retrieval can be observed when no obvious response occurs on the same channel. ATT&CK provides no official detection text for this sub-technique, but the related detection strategy DET0581, Detect One-Way Web Service Command Channels, indicates that monitoring should focus on suspicious command-channel patterns over legitimate web services. Analysts should correlate web service access with endpoint process context, host role, timing, and whether any separate C2 or exfiltration path appears after command retrieval. Relationship context shows this behavior is used by multiple ATT&CK-listed groups, campaigns, and software families, so coverage should be threat-informed but locally tested.

Likely telemetry

  • Web proxy and URL filtering logs for access to common web services, social media, and cloud-hosted content
  • DNS queries and resolutions for external web services
  • Firewall, IDS, and IPS logs at network boundaries
  • TLS metadata such as SNI, certificate details, destination IPs, and connection timing where available
  • Endpoint process-to-network telemetry on Linux, macOS, Windows, and ESXi systems

Detection direction

  • Validate DET0581-style analytics against legitimate web service traffic rather than relying only on known-bad domains.
  • Baseline which hosts and users normally access popular web and social platforms; prioritize anomalies from servers, administrative systems, ESXi environments, or non-browser processes.
  • Look for periodic or scripted retrieval from external web content with little or no same-channel response traffic.
  • Correlate suspected one-way web-service access with later activity over a different network channel, since command output may be returned elsewhere or not at all.
  • Tune carefully for false positives from normal browser use, software updates, collaboration tools, and sanctioned cloud services.
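
The third and fourth points above can be turned into a concrete analytic. The following is an added example (not part of the Glexia page or of MITRE's material) that runs over constructed proxy-log lines and flags host/process/destination triples where a non-browser process polls a popular web service at a near-constant interval using only GET requests with small request bodies, i.e. command retrieval with nothing returned on the same channel. The log format, the browser and web-service lists, and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not real telemetry):
# timestamp host process method destination bytes_out bytes_in
LOG = """\
2024-05-01T09:00:02Z ws-07 chrome.exe GET twitter.com 912 48211
2024-05-01T09:00:31Z ws-07 chrome.exe POST twitter.com 2210 1810
2024-05-01T09:03:10Z ws-07 chrome.exe GET docs.google.com 1034 90122
2024-05-01T09:00:00Z esxi-02 python3 GET twitter.com 402 1532
2024-05-01T09:10:01Z esxi-02 python3 GET twitter.com 402 1532
2024-05-01T09:20:00Z esxi-02 python3 GET twitter.com 402 1530
2024-05-01T09:30:02Z esxi-02 python3 GET twitter.com 402 1533
2024-05-01T09:40:01Z esxi-02 python3 GET twitter.com 402 1532
"""

# Assumed allow-lists: processes expected to talk to these services, and the
# "popular web services" whose use the organisation has baselined.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "safari"}
WEB_SERVICES = {"twitter.com", "docs.google.com", "pastebin.com"}

def parse(log):
    """Split each constructed log line into typed fields."""
    rows = []
    for line in log.splitlines():
        ts, host, proc, method, dest, out_b, in_b = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        rows.append((when, host, proc, method, dest, int(out_b), int(in_b)))
    return rows

def find_one_way_channels(rows, min_events=4, max_upload=1024, max_jitter=0.15):
    """Return (host, process, destination, interval_seconds) for groups that
    look like scripted one-way retrieval: a non-browser process, GET only,
    small request bodies (no output sent back here), regular polling cadence."""
    groups = defaultdict(list)
    for when, host, proc, method, dest, out_b, _in_b in rows:
        if dest in WEB_SERVICES and proc not in BROWSERS:
            groups[(host, proc, dest)].append((when, method, out_b))
    hits = []
    for key, events in groups.items():
        if len(events) < min_events:
            continue
        if any(m != "GET" or out_b > max_upload for _, m, out_b in events):
            continue  # something is being sent back on this channel
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append(key + (round(mean(gaps)),))
    return hits
```

The browser session on ws-07 mixes GET and POST and is an allow-listed process, so it is ignored; the ESXi host polling every ten minutes from python3 is the only hit.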

Mitigation priorities

  • Use M1021 Restrict Web-Based Content as the primary control direction: enforce policy-driven access to web services, URL categories, downloads, scripts, and browser behaviors.
  • Document and review business exceptions for popular external services so defenders know which access is expected.
  • Use M1031 Network Intrusion Prevention to apply intrusion detection or blocking signatures at network boundaries where applicable.
  • Prioritize egress monitoring and control for high-value systems and platforms listed for this technique: Linux, macOS, Windows, and ESXi.
  • Ensure SOC runbooks include escalation paths for suspicious legitimate-service C2 patterns, especially when command output is absent or appears to use another channel.

Analyst notes and limits

The material risk is the abuse of trusted web services as cover for C2. The relationship set includes ATT&CK-listed campaigns, groups, and software that use this sub-technique, including ArcaneDoor, Gamaredon Group, Leviathan, HAMMERTOSS, OnionDuke, Metamorfo, EVILNUM, UPSTYLE, and Sagerunex; these relationships should inform threat modeling without implying current exposure in any specific environment.

ATT&CK does not provide official detection guidance for this object, and the supplied fields do not provide concrete indicators, signatures, or active exploitation claims. Local asset roles, approved web-service usage, proxy architecture, TLS inspection policy, and endpoint telemetry availability will determine practical coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID      Name         Relationship / procedure
Enterprise  T1102   Web Service  This object is a sub-technique of Web Service.

Associated objects

Groups, software, and campaigns

Group Enterprise

G0065: Leviathan

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]

Group Enterprise

G0047: Gamaredon Group

Gamaredon Group is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name Gamaredon Group derives from a misspelling of the word "Armageddon," found in early campaigns.[1][2][3][4][5]

In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia’s Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers.[6][5]

Malware Enterprise

S0455: Metamorfo

Metamorfo is a Latin-American banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting banks and cryptocurrency services in Brazil and Mexico.[1][2]

Platforms: Windows
Malware Enterprise

S1164: UPSTYLE

UPSTYLE is a Python-based backdoor associated with exploitation of Palo Alto firewalls using CVE-2024-3400 in early 2024. UPSTYLE has only been observed in relation to this exploitation activity, which involved attempted installation on compromised devices by the threat actor UTA0218.[1][2]

Platforms: Network Devices, Linux
Campaign Enterprise

C0046: ArcaneDoor

ArcaneDoor is a campaign targeting networking devices from Cisco and other vendors between July 2023 and April 2024, primarily focused on government and critical infrastructure networks. ArcaneDoor is associated with the deployment of the custom backdoors Line Runner and Line Dancer. ArcaneDoor is attributed to a group referred to as UAT4356 or STORM-1849, and is assessed to be a state-sponsored campaign.[1][2]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: bd9ffaa6568dd365...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.1                       Current bundle  bd9ffaa6568d…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. University of Birmingham C2: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control: Understanding, Denying and Detecting. Retrieved April 20, 2016. (Open source URL)
  2. mitre-attack T1102.003. (Open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.