ATT&CK-CN V1.01 Last Update: 2019-11

Translators: 林妙倩, 戴亦仑. This is an original translation; please obtain the translators' consent before reproducing it.

Data source: ATT&CK Matrices


Glossary: /attack/glossary






Web Service

Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system.

These commands may also include pointers to command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.

Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
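As an added example that is not part of the ATT&CK entry, the following triage helper illustrates the dead drop resolver pattern described above from the analyst's side: given the text of a web page or post, it decodes base64- and hex-encoded tokens and reports any domains, IP addresses or URLs they conceal. The sample post, its embedded values (RFC 5737 address space and example.com) and the function names are constructed for this illustration.

```python
import base64
import binascii
import re

# Constructed sample of a blog comment acting as a dead drop resolver (not a real page).
# The embedded indicators are documentation-only values, not real infrastructure.
SAMPLE_POST = """<div class="comment">Great recipe, thanks for sharing!
<!-- cfg:aHR0cDovLzE5Mi4wLjIuNDQ6ODA4MC9ncy5waHA= -->
<span>Backup: 687474703a2f2f63322e6578616d706c652e636f6d2f75706461746573</span>
<p>Unrelated link that stays in the clear: https://blog.example.org/posts/42</p>
</div>"""

BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
HEX_TOKEN = re.compile(r"\b[0-9a-fA-F]{16,}\b")
# URL, domain name or IPv4 address, with optional port and path.
INDICATOR = re.compile(
    r"(?:https?://)?(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::\d+)?(?:/\S*)?",
    re.IGNORECASE,
)

def _printable(raw: bytes):
    """Return the decoded text if the bytes are printable ASCII, else None."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None

def _candidate_decodings(text: str):
    """Yield (encoding, token, decoded) for every token that decodes to printable text."""
    for m in BASE64_TOKEN.finditer(text):
        try:  # strict decoding rejects hex runs and other lookalikes via padding errors
            decoded = _printable(base64.b64decode(m.group(0), validate=True))
        except (binascii.Error, ValueError):
            continue
        if decoded:
            yield "base64", m.group(0), decoded
    for m in HEX_TOKEN.finditer(text):
        try:
            decoded = _printable(bytes.fromhex(m.group(0)))
        except ValueError:
            continue
        if decoded:
            yield "hex", m.group(0), decoded

def extract_dead_drop_indicators(page: str):
    """Return encoded domains/IPs/URLs hidden in a page, base64 hits first, then hex hits."""
    found = []
    for encoding, token, decoded in _candidate_decodings(page):
        for indicator in INDICATOR.findall(decoded):
            found.append({"encoding": encoding, "token": token, "indicator": indicator})
    return found

if __name__ == "__main__":
    for hit in extract_dead_drop_indicators(SAMPLE_POST):
        print(f"{hit['encoding']:6} {hit['indicator']}")
```

Plain-text links are deliberately not reported, since the technique's distinguishing feature is the encoding; a hit on a page a device fetches on a regular cadence is what warrants a closer look at that device's traffic.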


ID: T1481

Tactic Type: Post-Adversary Device Access

Tactic: Command and Control

Platform: Android, iOS


Examples

Name | Description
ANDROIDOS_ANSERVER.A (S0310) | ANDROIDOS_ANSERVER.A (S0310) uses encrypted content within a blog site for part of its command and control. Specifically, the encrypted content contains URLs for other servers to be used for other aspects of command and control.



Mitigation

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.