MITRE ATT&CK Technique
Description
Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566). Using common services, such as those offered by Google, GitHub, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: FireEye APT29)(Citation: Hacker News GitHub Abuse 2024) By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-10-01T00:50:29.936Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may register for web services\xa0that can be used '
'during targeting. A variety of popular websites exist for '
'adversaries to register for a web-based service that can be '
'abused during later stages of the adversary lifecycle, such '
'as during Command and Control ([Web '
'Service](https://attack.mitre.org/techniques/T1102)), '
'[Exfiltration Over Web '
'Service](https://attack.mitre.org/techniques/T1567), or '
'[Phishing](https://attack.mitre.org/techniques/T1566). Using '
'common services, such as those offered by Google, GitHub, or '
'Twitter, makes it easier for adversaries to hide in expected '
'noise.(Citation: FireEye APT29)(Citation: Hacker News GitHub '
'Abuse 2024) By utilizing a web service, adversaries can make '
'it difficult to physically tie back operations to them.',
'external_references': [{'external_id': 'T1583.006',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1583/006'},
{'description': 'Dvir Sasson. (2024, May 13). GitHub '
"Abuse Flaw Shows Why We Can't Shrug "
'Off Abuse Vulnerabilities in '
'Security. Retrieved March 31, 2025.',
'source_name': 'Hacker News GitHub Abuse 2024',
'url': 'https://thehackernews.com/expert-insights/2024/05/github-abuse-flaw-shows-why-we-cant.html'},
{'description': 'FireEye Labs. (2015, July). '
'HAMMERTOSS: Stealthy Tactics Define '
'a Russian Cyber Threat Group. '
'Retrieved November 17, 2024.',
'source_name': 'FireEye APT29',
'url': 'https://services.google.com/fh/files/misc/rpt-apt29-hammertoss-stealthy-tactics-define-en.pdf'},
{'description': 'ThreatConnect. (2020, December 15). '
'Infrastructure Research and Hunting: '
'Boiling the Domain Ocean. Retrieved '
'October 12, 2021.',
'source_name': 'ThreatConnect Infrastructure Dec '
'2020',
'url': 'https://threatconnect.com/blog/infrastructure-research-hunting/'}],
'id': 'attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'resource-development'}],
'modified': '2025-10-24T17:49:04.554Z',
'name': 'Web Services',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Dor Edry, Microsoft', 'Dvir Sasson, Reco'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['PRE'],
'x_mitre_version': '1.3'}