title: Web Services (T1584.006)
id: df00tech-t1584-006
status: experimental
description: "Adversaries may compromise access to third-party web services to use as infrastructure during cyber operations. Popular platforms such as GitHub, WordPress, Google Drive, Dropbox, Discord, and SendGrid are targeted because they offer high availability, trusted domain reputations, and blend into legitimate organizational traffic. Compromised web service accounts are leveraged for command and control (C2) via dead-drop resolvers, payload hosting, data exfiltration staging, and phishing campaign infrastructure. Real-world examples include Turla using compromised WordPress sites for C2, Earth Lusca abusing Google Drive repositories, Gootloader inserting malicious scripts into CMS installations, and Winter Vivern hosting malicious payloads on compromised WordPress instances. Detection pivots to observable network behavior: suspicious processes making connections to web service API domains, scripting engines or LOLBins fetching content from anonymous paste sites, and non-browser processes accessing WordPress-specific URL paths on external domains."
references:
  - https://attack.mitre.org/techniques/T1584/006/
  - https://df00tech.com/detections/T1584.006
author: df00tech
date: 2026/03/13
tags:
  - attack.t1584.006
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Developer workstations where git.exe, the GitHub CLI (gh.exe), or IDE tools legitimately invoke curl.exe or PowerShell to call GitHub APIs for source code operations"
  - "IT automation scripts using curl.exe or PowerShell Invoke-WebRequest to download software packages or configuration files from authorized cloud storage (Dropbox, Google Drive)"
  - Backup agents with known process names connecting to Dropbox or Google Drive APIs as part of data protection workflows
  - CI/CD pipeline agents running as Windows services that use PowerShell or curl to interact with GitHub repositories for deployment operations
  - "Security tooling (threat intelligence platforms, SOAR connectors) that periodically calls external APIs to fetch threat feeds or submit samples"
level: medium
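The three detection pivots named in the description, run over constructed network-connection records, as an added example that is not df00tech's own query (that query is linked in the references). The API hostnames, paste-site list, LOLBin set and allowlist are assumptions to tune per environment; the allowlist mirrors the developer tooling in the falsepositives section.

```python
import re
from dataclasses import dataclass

API_DOMAINS = {"api.github.com", "api.dropboxapi.com", "www.googleapis.com",
               "discord.com", "api.sendgrid.com"}  # web services from the description (assumed API hosts)
PASTE_SITES = {"pastebin.com", "paste.ee", "rentry.co"}   # constructed list of anonymous paste sites
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "certutil.exe", "curl.exe", "bitsadmin.exe", "rundll32.exe", "regsvr32.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
ALLOWLIST = {"git.exe", "gh.exe"}   # developer tooling from the falsepositives section
WP_PATH = re.compile(r"/(wp-content|wp-includes|wp-admin|wp-json)/|/xmlrpc\.php$")

@dataclass
class Conn:
    image: str          # full process image path (e.g. Sysmon Event ID 3 Image)
    host: str           # destination hostname
    url_path: str = ""  # request path when a proxy/HTTP log is joined in

def is_external(host: str) -> bool:
    """Crude internal/external split: single-label and .local names are internal."""
    return "." in host and not host.endswith(".local")

def classify(c: Conn) -> list[str]:
    """Return the detection pivots this record trips (empty list if none)."""
    image = c.image.lower().rsplit("\\", 1)[-1]
    host = c.host.lower()
    hits: list[str] = []
    if image in BROWSERS or image in ALLOWLIST:
        return hits                      # browsers and allowlisted tools are expected here
    if host in API_DOMAINS:
        hits.append("non_browser_to_web_service_api")
    if host in PASTE_SITES and image in LOLBINS:
        hits.append("lolbin_to_paste_site")
    if c.url_path and is_external(host) and WP_PATH.search(c.url_path):
        hits.append("non_browser_wordpress_path")
    return hits

def scan(records: list[Conn]) -> list[tuple[str, str, list[str]]]:
    """Run classify over records and keep only those that tripped a pivot."""
    return [(c.image.rsplit("\\", 1)[-1].lower(), c.host.lower(), classify(c))
            for c in records if classify(c)]

SAMPLE = [  # constructed records, not real telemetry
    Conn(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "api.github.com"),
    Conn(r"C:\Program Files\Git\cmd\git.exe", "api.github.com"),
    Conn(r"C:\Windows\System32\certutil.exe", "pastebin.com"),
    Conn(r"C:\Windows\System32\rundll32.exe", "blog.example.net", "/wp-content/uploads/x.php"),
    Conn(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "blog.example.net", "/wp-admin/"),
]
```

Backup agents and CI/CD service accounts from the falsepositives list are handled the same way as git.exe: add their image names to ALLOWLIST rather than widening the domain sets.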
