title: Web Services (T1583.006)
id: df00tech-t1583-006
status: experimental
description: "Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service), Exfiltration Over Web Service, or Phishing. Using common services such as those offered by Google, GitHub, Discord, Telegram, or Dropbox makes it easier for adversaries to hide in expected noise. Real-world threat actors including APT29, Turla, Earth Lusca, Mustang Panda, Lazarus Group, HAFNIUM, MuddyWater, and Contagious Interview have all leveraged legitimate web platforms to host malware, stage C2 infrastructure, or receive exfiltrated data. Because the adversary's actual registration of these accounts occurs entirely outside the victim environment, detection pivots to identifying the operational use of these platforms by suspicious processes within monitored endpoints."
references:
  - https://attack.mitre.org/techniques/T1583/006/
  - https://df00tech.com/detections/T1583.006
author: df00tech
date: 2026/04/13
tags:
  - attack.t1583.006
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Developer workstations running build pipelines, CI runners, or git clients that call api.github.com from powershell.exe or python.exe as part of automated workflows"
  - Security tooling and vulnerability scanners that use Python or Java to pull threat intelligence feeds from GitHub or Pastebin
  - "Legitimate Python or Java applications using the Dropbox, Google Drive, or OneDrive SDK for authorized file sync and backup"
  - IT automation scripts using curl.exe or PowerShell to post notifications to Teams/Discord/Slack webhooks as part of sanctioned alerting pipelines
  - "Software installers or package managers (pip, npm, maven) fetching packages from Google Storage or Firebase CDN during first-run or updates"
level: high