---
name: attack-ent-t1583-006-web-services
description: "Analyze MITRE ATT&CK T1583.006 Web Services in the enterprise matrix. Use for TTP triage, detection engineering, hunting, defensive emulation planning, mitigations, incident response mapping, ATT&CK coverage, or questions mentioning T1583.006, Web Services, or enterprise ATT&CK. Adversaries may register for web services that can be used during targeting."
license: MITRE ATT&CK Terms of Use apply to ATT&CK-derived content. See https://attack.mitre.org/resources/terms-of-use/
metadata:
  source: mitre-attack/attack-stix-data
  domain: enterprise
  attack_id: T1583.006
  attack_stix_id: attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54
  attack_version: "1.3"
  attack_modified: "2025-10-24T17:49:04.554Z"
---

# MITRE ATT&CK T1583.006: Web Services

## When to use this skill

Use this skill when the task involves T1583.006, Web Services, enterprise ATT&CK, TTP mapping, detection engineering, hunting, incident-response enrichment, control validation, or authorized adversary-emulation planning. Treat it as a defensive analysis aid: keep outputs focused on understanding, detecting, mitigating, and safely validating this ATT&CK sub-technique.

## Technique context

- ATT&CK domain: enterprise
- ATT&CK ID: T1583.006
- Technique name: Web Services
- Type: sub-technique
- ATT&CK URL: https://attack.mitre.org/techniques/T1583/006
- Tactics: resource-development
- Platforms: PRE
- Required permissions: Not specified
- Effective permissions: Not specified
- Defenses bypassed: Not specified

## ATT&CK description

Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566). Using common services, such as those offered by Google, GitHub, or Twitter, makes it easier for adversaries to hide in expected noise (FireEye APT29; Hacker News GitHub Abuse 2024). By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.

## Agent workflow

1. Clarify scope: identify the system, asset class, log sources, cloud or endpoint platform, and whether the user wants triage, detection, coverage assessment, or safe emulation planning.
2. Load bundled resources as needed: use `references/technique-profile.json` for structured metadata, `references/detection-and-mitigation.md` for triage and telemetry guidance, `references/known-threat-context.md` for ATT&CK relationship context, and `templates/` for repeatable outputs.
3. Map observations to ATT&CK: compare the user's evidence to the ATT&CK description, tactics, platforms, and known procedure patterns before asserting a match.
4. Produce defensive outputs: prioritize hypotheses, telemetry requirements, detection logic ideas, validation steps, containment guidance, and mitigations.
5. Preserve uncertainty: distinguish confirmed evidence, plausible indicators, assumptions, and gaps. Recommend what to collect next.
6. Stay safe: do not provide malware, credential theft, persistence, evasion, destructive automation, or unauthorized exploitation instructions. For adversary emulation, keep steps bounded to approved lab or control-validation contexts and omit operational abuse details.

## Bundled resources

- `references/technique-profile.json`: machine-readable ATT&CK metadata for this technique.
- `references/detection-and-mitigation.md`: detection notes, telemetry checklist, triage questions, mitigation candidates, and false-positive considerations.
- `references/known-threat-context.md`: ATT&CK relationship context with attribution cautions.
- `templates/detection-brief.md`: detection engineering brief template.
- `templates/hunt-plan.md`: threat hunt plan template.
- `templates/incident-response-note.md`: incident response note template.
- `templates/coverage-assessment.md`: ATT&CK coverage assessment template.
- `scripts/render_brief.py`: local helper that renders a Markdown defensive brief from `technique-profile.json`.
- `assets/output-schema.json`: JSON schema for structured technique analysis outputs.

To generate a quick brief, run `python scripts/render_brief.py --output brief.md` from inside this skill directory, or adapt the templates directly.

## Detection guidance

No ATT&CK detection guidance was present in the source STIX object.

## Useful telemetry and data sources

- Not specified in the STIX object.

## Mitigations to consider

- Pre-compromise

## Known threat context

Use these examples only as contextual leads, not as proof that an observed event is this technique:

- 2025 Poland Wiper Attacks (campaign)
- APT-C-36 (intrusion-set)
- APT17 (intrusion-set)
- APT28 (intrusion-set)
- APT29 (intrusion-set)
- APT32 (intrusion-set)
- ArcaneDoor (campaign)
- Confucius (intrusion-set)
- Contagious Interview (intrusion-set)
- Earth Lusca (intrusion-set)
- FIN7 (intrusion-set)
- Gamaredon Group (intrusion-set)
- HAFNIUM (intrusion-set)
- IndigoZebra (intrusion-set)
- Kimsuky (intrusion-set)
- Lazarus Group (intrusion-set)
- LazyScripter (intrusion-set)
- Magic Hound (intrusion-set)
- Medusa Group (intrusion-set)
- MuddyWater (intrusion-set)

## Recommended output pattern

When responding with this skill, structure the answer as:

- Assessment: whether the evidence supports this ATT&CK mapping and why.
- Evidence: specific indicators, logs, behaviors, and assumptions.
- Detection: telemetry sources, analytic logic, and tuning considerations.
- Response: containment, eradication, recovery, and validation actions.
- Coverage gaps: missing logs, sensors, controls, or environmental details.
- References: include the ATT&CK URL and any user-provided evidence references.

## ATT&CK contributors

- Dor Edry, Microsoft
- Dvir Sasson, Reco
