Service Standard API
Info
ID: AT-GA004
Tactic: Gain Access
Service Standard APIs
Adversaries may exploit legitimate APIs or application endpoints - those normally accessed by authorized users - to introduce malicious files or code. Instead of exploiting a vulnerability in the underlying service, attackers rely on existing upload or configuration interfaces, such as file submission fields, support ticket attachments, or plugin extensions. By conforming to the intended usage model, these actions can appear routine and evade basic intrusion detection.
In many cloud-native or microservice-driven environments, developers expose a range of APIs for administrative tasks, data import, or feature customization. If access controls are incomplete or default configurations allow broader permissions, adversaries can seamlessly insert malicious scripts, libraries, or binaries through these same APIs. The malicious content lies dormant in the system until triggered by a separate execution pathway, effectively setting the stage for deeper compromise.
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1054 | Software Configuration | Enforce strict upload whitelists (MIME type, size) and server-side scanning for any API that accepts user content. |
| M1026 | Privileged Account Management | Require scoped tokens (e.g., presigned URLs) that grant only time-limited, path-limited upload permissions. |
Detection
| ID | Data Source | Detection |
|---|---|---|
| DS0015 | Application Log | Alert when upload endpoints receive executable files or archives where policy expects only images/docs. |
| DS0029 | Network Traffic Content | Detect high-entropy binaries posted to JSON APIs (base64) followed by 2xx status; correlate with token scope. |
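The two detection rows above, worked as an added example (not part of the original page): the checks run over constructed application-log records whose upload bodies carry a base64 payload, flag executable/archive magic bytes on upload endpoints with a 2xx status, and flag high-entropy payloads of unrecognised type. The log schema (`path`, `status`, `body` with a JSON `content` field), the `/api/upload` prefix and the 7.0 bits/byte entropy cutoff are assumptions.

```python
import base64
import json
import math
from collections import Counter

# Magic-number prefixes: ALLOWED models a policy that expects only images/docs (assumed).
ALLOWED = {b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg", b"%PDF-": "pdf"}
SUSPICIOUS = {b"\x7fELF": "elf", b"MZ": "pe", b"PK\x03\x04": "zip"}
ENTROPY_THRESHOLD = 7.0  # bits/byte; assumed cutoff, tune per environment

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(data: bytes) -> str:
    """Label a payload by magic bytes; suspicious kinds take precedence."""
    for table in (SUSPICIOUS, ALLOWED):
        for magic, kind in table.items():
            if data.startswith(magic):
                return kind
    return "unknown"

def inspect_upload(record: dict) -> list[str]:
    """Detection reasons for one app-log record (assumed keys: path, status, body)."""
    if not record["path"].startswith("/api/upload") or not 200 <= record["status"] < 300:
        return []
    try:  # body is the JSON request body; 'content' carries the base64 payload
        content = base64.b64decode(json.loads(record["body"])["content"], validate=True)
    except (ValueError, KeyError, TypeError):
        return []
    kind, ent = classify(content), shannon_entropy(content)
    if kind in SUSPICIOUS.values():
        return [f"executable_or_archive:{kind}"]
    if kind == "unknown" and ent > ENTROPY_THRESHOLD:
        return [f"high_entropy_unknown_type:{ent:.2f}"]
    return []

def make_record(path: str, status: int, payload: bytes) -> dict:  # constructed sample record
    encoded = base64.b64encode(payload).decode()
    return {"path": path, "status": status, "body": json.dumps({"content": encoded})}

SAMPLE_LOG = [  # constructed: benign PNG, ELF via ticket attachment, opaque blob, non-upload path
    make_record("/api/upload/avatar", 200, b"\x89PNG\r\n\x1a\n" + b"\x00" * 64),
    make_record("/api/upload/ticket", 201, b"\x7fELF\x02\x01\x01" + b"\x00" * 64),
    make_record("/api/upload/avatar", 200, bytes(range(256)) * 4),
    make_record("/api/health", 200, b"\x7fELF"),
]
```

Correlating each hit with the token scope used for the request (the second half of DS0029) needs the identity layer's logs and is left out here.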