Skip to content

Commit 1f7176d

Browse files
feat(SAFE-T1901): add Outbound Webhook C2 technique
Signed-off-by: hackathons-saurabh <saurabh.ssy@gmail.com>
1 parent 431e03a commit 1f7176d

2 files changed

Lines changed: 99 additions & 1 deletion

File tree

README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -123,7 +123,7 @@ The SAFE-MCP framework defines 14 tactics that align with the MITRE ATT&CK metho
123123
| ATK-TA0009 | Collection | SAFE-T1803 | Database Dump | Use SQL tool to SELECT * from prod DB |
124124
| ATK-TA0009 | Collection | SAFE-T1804 | API Data Harvest | Loop over customer REST endpoints via HTTP tool |
125125
| ATK-TA0009 | Collection | SAFE-T1805 | Context Snapshot Capture | Query vector store embeddings wholesale |
126-
| **ATK-TA0011** | **Command and Control** | SAFE-T1901 | Outbound Webhook C2 | LLM calls "http.post" to attacker URL with commands/results |
126+
| **ATK-TA0011** | **Command and Control** | [SAFE-T1901](/techniques/SAFE-T1901/README.md) | Outbound Webhook C2 | Abuse of outbound HTTP webhooks for command and control |
127127
| ATK-TA0011 | Command and Control | SAFE-T1902 | Covert Channel in Responses | Encode data in whitespace or markdown links returned to chat |
128128
| ATK-TA0011 | Command and Control | SAFE-T1903 | Malicious Server Control Channel | Attacker operates rogue server; every tool call doubles as heartbeat |
129129
| ATK-TA0011 | Command and Control | SAFE-T1904 | Chat-Based Backchannel | LLM embeds base64 blobs in normal answers that another bot decodes |

techniques/SAFE-T1901/README.md

Lines changed: 98 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,98 @@
1+
# SAFE-T1901 : Outbound Webhook C2
2+
3+
## Tactic
4+
**Command and Control (ATK-TA0011)**
5+
6+
---
7+
8+
## Description
9+
Outbound Webhook C2 is a technique where an adversary abuses legitimate outbound HTTP webhook mechanisms to establish covert command-and-control (C2) channels from a Model Context Protocol (MCP) environment.
10+
Because MCP agents and tools routinely use HTTPS for integration with external services (Slack, GitHub, Jira, etc.), malicious webhook calls blend with normal traffic, making detection difficult.
11+
12+
This mirrors MITRE ATT&CK technique [T1567.004 – Exfiltration Over Webhook](https://attack.mitre.org/techniques/T1567/004/) and expands it to AI agent ecosystems.
13+
14+
---
15+
16+
## How It Works
17+
1. **Initial Access** – Attacker gains code execution inside an MCP agent or server (e.g., through malicious tool registration or supply-chain package).
18+
2. **Webhook Setup** – They embed an attacker-controlled URL (`https://discord.com/api/webhooks/...`, `https://hooks.slack.com/services/...`, or custom endpoint) in configuration or environment variables.
19+
3. **Beaconing & Tasking** – The compromised component periodically issues small HTTPS POST requests to the webhook, sending status or encoded data and receiving instructions from the attacker’s channel.
20+
4. **Command Execution / Exfiltration** – Responses from the webhook or attacker messages drive additional actions or data uploads.
21+
5. **Persistence / Evasion** – Traffic appears as benign API usage; the attacker may rotate URLs or use trusted domains to avoid detection.
22+
23+
---
24+
25+
## Examples
26+
- **Malicious packages** in npm and PyPI (2025 reports) that exfiltrated developer tokens to Discord webhooks under benign names like “post-install analytics.”
27+
- **KurayStealer** and similar malware families use Slack and Discord webhooks as lightweight C2 channels to send logs and receive tasks.
28+
- In an enterprise MCP setup, a backdoored tool could POST conversation summaries to a remote webhook every hour, evading firewall rules because HTTPS egress is permitted.
29+
30+
---
31+
32+
## Impact
33+
| Property | Level | Explanation |
34+
|-----------|-------|-------------|
35+
| Confidentiality | **High** | Sensitive data or tokens can leave the organization undetected via legitimate HTTPS channels |
36+
| Integrity | **Medium** | External commands may alter agent behavior or workflow outputs |
37+
| Availability | **Low** | Usually stealthy and low-bandwidth; minor resource impact |
38+
39+
---
40+
41+
## Detection
42+
**Network Indicators**
43+
- Frequent small HTTPS POSTs to rare domains (e.g., `discord.com`, `webhook.site`, dynamic tunnels like `*.ngrok.io`) from MCP hosts not expected to communicate externally.
44+
- Unusual SNI or TLS fingerprints in outbound connections.
45+
46+
**Host Indicators**
47+
- Config files or .env entries containing webhook-like URLs.
48+
- Tools or scripts embedding HTTP client calls without documented purpose.
49+
50+
**Example SIEM rule (pseudo-Sigma)**
51+
```yaml
52+
title: Outbound Webhook C2 Detection
53+
logsource: network/proxy
54+
detection:
55+
selection:
56+
url|contains:
57+
- "discord.com/api/webhooks"
58+
- "hooks.slack.com/services"
59+
- "webhook.site"
60+
- "ngrok.io"
61+
method: POST
62+
condition: selection
63+
level: medium
64+
```
65+
66+
---
67+
68+
## Mitigation
69+
**Preventive**
70+
1. Restrict egress from MCP agents to approved domains (HTTP allow-listing).
71+
2. Proxy all outbound HTTP(S) traffic through a controlled gateway with inspection and rate limits.
72+
3. Disallow hard-coded webhook URLs in code; require secret stores with rotation and audit trails.
73+
4. Require manifest review for tools requesting network capabilities.
74+
5. Implement signed or authenticated webhook payloads and mutual TLS for approved integrations.
75+
76+
**Detective**
77+
1. Monitor and baseline outbound destinations per server.
78+
2. Scan source repos and pipelines for webhook URL patterns.
79+
3. Correlate proxy logs with MCP task timestamps to spot covert beaconing.
80+
81+
**Response**
82+
- Block or revoke the malicious webhook URL, rotate tokens, and collect forensic logs.
83+
84+
---
85+
86+
## References
87+
- MITRE ATT&CK – [T1567.004 Exfiltration Over Webhook](https://attack.mitre.org/techniques/T1567/004/)
88+
- CISA Advisory on Webhook Exfiltration (2024)
89+
- Invicti Research – *Securing Webhooks Against Abuse* (2023)
90+
- HackerOne – *Webhook Security Best Practices* (2023)
91+
- Reports on Malicious npm/PyPI Packages Exfiltrating to Discord (Oct 2025)
92+
- KurayStealer Analysis – Use of Discord Webhooks as C2 (2023)
93+
94+
---
95+
96+
## MITRE ATT&CK Mapping
97+
**ATT&CK Technique:** T1567.004 – Exfiltration Over Webhook
98+
**ATT&CK Tactic:** Command and Control (TA0011)**

0 commit comments

Comments
 (0)