|
| 1 | +# SAFE-T1901 : Outbound Webhook C2 |
| 2 | + |
| 3 | +## Tactic |
| 4 | +**Command and Control (ATK-TA0011)** |
| 5 | + |
| 6 | +--- |
| 7 | + |
| 8 | +## Description |
| 9 | +Outbound Webhook C2 is a technique where an adversary abuses legitimate outbound HTTP webhook mechanisms to establish covert command-and-control (C2) channels from a Model Context Protocol (MCP) environment. |
| 10 | +Because MCP agents and tools routinely use HTTPS for integration with external services (Slack, GitHub, Jira, etc.), malicious webhook calls blend with normal traffic, making detection difficult. |
| 11 | + |
| 12 | +This mirrors MITRE ATT&CK technique [T1567.004 – Exfiltration Over Webhook](https://attack.mitre.org/techniques/T1567/004/) and expands it to AI agent ecosystems. |
| 13 | + |
| 14 | +--- |
| 15 | + |
| 16 | +## How It Works |
| 17 | +1. **Initial Access** – Attacker gains code execution inside an MCP agent or server (e.g., through malicious tool registration or supply-chain package). |
| 18 | +2. **Webhook Setup** – They embed an attacker-controlled URL (`https://discord.com/api/webhooks/...`, `https://hooks.slack.com/services/...`, or custom endpoint) in configuration or environment variables. |
| 19 | +3. **Beaconing & Tasking** – The compromised component periodically issues small HTTPS POST requests to the webhook, sending status or encoded data and receiving instructions from the attacker’s channel. |
| 20 | +4. **Command Execution / Exfiltration** – Responses from the webhook or attacker messages drive additional actions or data uploads. |
| 21 | +5. **Persistence / Evasion** – Traffic appears as benign API usage; the attacker may rotate URLs or use trusted domains to avoid detection. |
| 22 | + |
| 23 | +--- |
| 24 | + |
| 25 | +## Examples |
| 26 | +- **Malicious packages** in npm and PyPI (2025 reports) that exfiltrated developer tokens to Discord webhooks under benign names like “post-install analytics.” |
| 27 | +- **KurayStealer** and similar malware families use Slack and Discord webhooks as lightweight C2 channels to send logs and receive tasks. |
| 28 | +- In an enterprise MCP setup, a backdoored tool could POST conversation summaries to a remote webhook every hour, evading firewall rules because HTTPS egress is permitted. |
| 29 | + |
| 30 | +--- |
| 31 | + |
| 32 | +## Impact |
| 33 | +| Property | Level | Explanation | |
| 34 | +|-----------|-------|-------------| |
| 35 | +| Confidentiality | **High** | Sensitive data or tokens can leave the organization undetected via legitimate HTTPS channels | |
| 36 | +| Integrity | **Medium** | External commands may alter agent behavior or workflow outputs | |
| 37 | +| Availability | **Low** | Usually stealthy and low-bandwidth; minor resource impact | |
| 38 | + |
| 39 | +--- |
| 40 | + |
| 41 | +## Detection |
| 42 | +**Network Indicators** |
| 43 | +- Frequent small HTTPS POSTs to rare domains (e.g., `discord.com`, `webhook.site`, dynamic tunnels like `*.ngrok.io`) from MCP hosts not expected to communicate externally. |
| 44 | +- Unusual SNI or TLS fingerprints in outbound connections. |
| 45 | + |
| 46 | +**Host Indicators** |
| 47 | +- Config files or .env entries containing webhook-like URLs. |
| 48 | +- Tools or scripts embedding HTTP client calls without documented purpose. |
| 49 | + |
| 50 | +**Example SIEM rule (pseudo-Sigma)** |
| 51 | +```yaml |
| 52 | +title: Outbound Webhook C2 Detection |
| 53 | +logsource: network/proxy |
| 54 | +detection: |
| 55 | + selection: |
| 56 | + url|contains: |
| 57 | + - "discord.com/api/webhooks" |
| 58 | + - "hooks.slack.com/services" |
| 59 | + - "webhook.site" |
| 60 | + - "ngrok.io" |
| 61 | + method: POST |
| 62 | + condition: selection |
| 63 | +level: medium |
| 64 | +``` |
| 65 | +
|
| 66 | +--- |
| 67 | +
|
| 68 | +## Mitigation |
| 69 | +**Preventive** |
| 70 | +1. Restrict egress from MCP agents to approved domains (HTTP allow-listing). |
| 71 | +2. Proxy all outbound HTTP(S) traffic through a controlled gateway with inspection and rate limits. |
| 72 | +3. Disallow hard-coded webhook URLs in code; require secret stores with rotation and audit trails. |
| 73 | +4. Require manifest review for tools requesting network capabilities. |
| 74 | +5. Implement signed or authenticated webhook payloads and mutual TLS for approved integrations. |
| 75 | +
|
| 76 | +**Detective** |
| 77 | +1. Monitor and baseline outbound destinations per server. |
| 78 | +2. Scan source repos and pipelines for webhook URL patterns. |
| 79 | +3. Correlate proxy logs with MCP task timestamps to spot covert beaconing. |
| 80 | +
|
| 81 | +**Response** |
| 82 | +- Block or revoke the malicious webhook URL, rotate tokens, and collect forensic logs. |
| 83 | +
|
| 84 | +--- |
| 85 | +
|
| 86 | +## References |
| 87 | +- MITRE ATT&CK – [T1567.004 Exfiltration Over Webhook](https://attack.mitre.org/techniques/T1567/004/) |
| 88 | +- CISA Advisory on Webhook Exfiltration (2024) |
| 89 | +- Invicti Research – *Securing Webhooks Against Abuse* (2023) |
| 90 | +- HackerOne – *Webhook Security Best Practices* (2023) |
| 91 | +- Reports on Malicious npm/PyPI Packages Exfiltrating to Discord (Oct 2025) |
| 92 | +- KurayStealer Analysis – Use of Discord Webhooks as C2 (2023) |
| 93 | +
|
| 94 | +--- |
| 95 | +
|
| 96 | +## MITRE ATT&CK Mapping |
| 97 | +**ATT&CK Technique:** T1567.004 – Exfiltration Over Webhook |
| 98 | +**ATT&CK Tactic:** Command and Control (TA0011)** |
0 commit comments