Detection of Command and Control Over Application Layer Protocols

ID: DET0444
Domains: Enterprise
Analytics: AN1225, AN1226, AN1227, AN1228
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1225

Detects suspicious use of common application-layer protocols (e.g., HTTP, HTTPS, DNS, SMB) by processes not normally associated with network activity, combined with high outbound byte counts or connections on irregular ports; this pattern may indicate command and control or data exfiltration.

Log Sources
Data Component | Name | Channel
Network Traffic Content (DC0085) | NSM:Flow | http, dns, smb, ssl logs
Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3

Mutable Elements
Field | Description
ProtocolList | Limit detection to application-layer protocols of interest: HTTP, DNS, SSL, SMB, RDP
DataVolumeThreshold | Flag asymmetric communication volume (e.g., >90% of bytes outbound)
UnusualProcessList | Processes not normally associated with network activity
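The correlation this analytic describes, as an added example that is not part of DET0444 or of any MITRE tooling: Sysmon Event ID 3 records are joined to NSM flow records on the (source IP, destination IP, destination port) tuple, and each joined flow is scored against the three mutable elements above (ProtocolList, DataVolumeThreshold as an outbound-byte ratio, and an expected-image list standing in for UnusualProcessList). All records are constructed; the image allowlist and the standard-port map are assumptions to be replaced with the estate's own baselines.

```python
"""AN1225-style correlation: Sysmon Event ID 3 joined to NSM flow records.

Added example; every record below is constructed, not real telemetry.
"""
from collections import defaultdict

# Mutable elements from the analytic, expressed as constants
PROTOCOL_LIST = {"http", "ssl", "dns", "smb", "rdp"}
DATA_VOLUME_THRESHOLD = 0.90            # flag flows with > 90% of bytes outbound
# Assumption: images that legitimately speak these protocols on the estate
EXPECTED_NETWORK_IMAGES = {
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Windows\System32\svchost.exe",
}
# Assumption: ports where each service is expected; anything else is irregular
STANDARD_PORTS = {"http": {80, 8080}, "ssl": {443}, "dns": {53}, "smb": {445}, "rdp": {3389}}

# Constructed Sysmon Event ID 3 (network connection) records
SYSMON_EID3 = [
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "SourceIp": "10.0.0.5",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
    {"Image": r"C:\Users\bob\AppData\Roaming\update.exe", "SourceIp": "10.0.0.5",
     "DestinationIp": "203.0.113.10", "DestinationPort": 8443},
    {"Image": r"C:\Windows\System32\notepad.exe", "SourceIp": "10.0.0.5",
     "DestinationIp": "198.51.100.7", "DestinationPort": 80},
]
# Constructed NSM flow records using Zeek conn.log field names
FLOWS = [
    {"id.orig_h": "10.0.0.5", "id.resp_h": "93.184.216.34", "id.resp_p": 443,
     "service": "ssl", "orig_bytes": 4_200, "resp_bytes": 310_000},
    {"id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "id.resp_p": 8443,
     "service": "ssl", "orig_bytes": 950_000, "resp_bytes": 12_000},
    {"id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.7", "id.resp_p": 80,
     "service": "http", "orig_bytes": 600, "resp_bytes": 9_000},
]


def outbound_ratio(flow):
    """Fraction of the flow's bytes sent by the originator."""
    total = flow["orig_bytes"] + flow["resp_bytes"]
    return flow["orig_bytes"] / total if total else 0.0


def correlate(events, flows):
    """Yield (Image, flow) pairs by joining on the (src, dst, dst port) 3-tuple.

    Sysmon names the process, the flow record carries bytes and service; neither
    alone answers "which process sent 950 KB to this host on 8443?".
    """
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f["id.orig_h"], f["id.resp_h"], f["id.resp_p"])].append(f)
    for e in events:
        key = (e["SourceIp"], e["DestinationIp"], e["DestinationPort"])
        for f in by_key.get(key, []):
            yield e["Image"], f


def detect(events, flows):
    """Return one finding per correlated flow that trips at least one rule."""
    findings = []
    for image, flow in correlate(events, flows):
        service = flow["service"]
        if service not in PROTOCOL_LIST:
            continue
        reasons = []
        if image not in EXPECTED_NETWORK_IMAGES:
            reasons.append("unexpected_process")
        if outbound_ratio(flow) > DATA_VOLUME_THRESHOLD:
            reasons.append("outbound_heavy")
        if flow["id.resp_p"] not in STANDARD_PORTS.get(service, set()):
            reasons.append("irregular_port")
        if reasons:
            findings.append({"image": image, "service": service,
                             "dst": f'{flow["id.resp_h"]}:{flow["id.resp_p"]}',
                             "outbound_ratio": round(outbound_ratio(flow), 3),
                             "reasons": reasons})
    return findings


def high_confidence(findings, min_reasons=2):
    """An unexpected image alone is noisy; require corroboration from volume or port."""
    return [f for f in findings if len(f["reasons"]) >= min_reasons]


if __name__ == "__main__":
    for f in high_confidence(detect(SYSMON_EID3, FLOWS)):
        print(f)
```

The "unexpected_process" reason fires on every new tool a user installs, so high_confidence() asks for a second signal before anything is surfaced; in practice that second signal is exactly what DataVolumeThreshold and the irregular-port check exist to supply.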

AN1226

Detects suspicious curl, wget, or custom-socket traffic that uses DNS, HTTPS, or IRC-style protocols with unbalanced byte counts or beacon-like (fixed-interval) connection timing.

Log Sources
Data Component | Name | Channel
Network Traffic Content (DC0085) | NSM:Flow | dns, ssl, conn
Process Creation (DC0032) | auditd:SYSCALL | execve

Mutable Elements
Field | Description
KnownPortsToMonitor | Uncommon ports for HTTPS, IRC, DNS (e.g., 8443, 5353)
BeaconTimingThreshold | Detect outbound connections recurring at fixed intervals
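Beacon-interval and volume scoring as an added example (constructed data, not part of DET0444): per (source, destination, port) tuple it takes the inter-arrival gaps of conn.log-style records, treats a low coefficient of variation of those gaps as the BeaconTimingThreshold, checks KnownPortsToMonitor and the outbound byte share, and attributes hits to curl/wget execve records parsed from auditd SYSCALL lines on the same host. The host tag on the auditd lines, the 300-second attribution window and all thresholds are assumptions.

```python
"""AN1226-style beacon analysis over constructed Zeek conn.log records and
auditd execve lines. Added example; all records are constructed.
"""
import re
import statistics
from collections import defaultdict

BEACON_MIN_CONNECTIONS = 6          # need enough samples to judge periodicity
BEACON_TIMING_THRESHOLD = 0.15      # max coefficient of variation of inter-arrival gaps
DATA_VOLUME_THRESHOLD = 0.80        # outbound share of bytes that counts as unbalanced
KNOWN_PORTS_TO_MONITOR = {8443, 5353, 6667}   # ports from the mutable element, plus IRC
DOWNLOADERS = {"curl", "wget"}
ATTRIBUTION_WINDOW_S = 300          # assumption: execve must land near the first flow

T0 = 1_700_000_000.0


def make_flows():
    """Constructed conn.log-like records: one beaconing host, one browsing host."""
    flows = []
    for i, jitter in enumerate([0, 2, -1, 3, -2, 1, 0, -3]):   # ~60 s period, small jitter
        flows.append({"ts": T0 + 60 * i + jitter, "id.orig_h": "10.0.0.7",
                      "id.resp_h": "203.0.113.20", "id.resp_p": 8443, "service": "ssl",
                      "orig_bytes": 1_400, "resp_bytes": 120})
    for gap, ob, rb in [(0, 800, 40_000), (7, 1_200, 90_000), (95, 600, 5_000),
                        (140, 900, 70_000), (900, 700, 22_000), (930, 1_100, 64_000)]:
        flows.append({"ts": T0 + gap, "id.orig_h": "10.0.0.8",
                      "id.resp_h": "93.184.216.34", "id.resp_p": 443, "service": "ssl",
                      "orig_bytes": ob, "resp_bytes": rb})
    return flows


# Constructed auditd SYSCALL execve lines; the host tag is assumed to be added by the collector
AUDITD_LINES = [
    ("10.0.0.7", 'type=SYSCALL msg=audit(1700000000.050:512): arch=c000003e syscall=59 '
                 'success=yes exit=0 ppid=1 pid=4411 auid=1000 uid=1000 comm="curl" '
                 'exe="/usr/bin/curl" key="execve"'),
    ("10.0.0.8", 'type=SYSCALL msg=audit(1700000003.900:513): arch=c000003e syscall=59 '
                 'success=yes exit=0 ppid=2201 pid=4420 auid=1000 uid=1000 comm="firefox" '
                 'exe="/usr/lib/firefox/firefox" key="execve"'),
]

_KV = re.compile(r'(\w+)="?([^"\s]+)"?')


def parse_auditd(line):
    """Return the key=value fields of an auditd record plus its timestamp as 'ts'."""
    fields = dict(_KV.findall(line))
    m = re.search(r"audit\((\d+\.\d+):", line)
    fields["ts"] = float(m.group(1)) if m else None
    return fields


def downloader_execs(lines):
    """Map host -> [(ts, exe)] for execve (syscall 59 on x86_64) of curl/wget."""
    out = defaultdict(list)
    for host, line in lines:
        rec = parse_auditd(line)
        if rec.get("syscall") == "59" and rec.get("comm") in DOWNLOADERS:
            out[host].append((rec["ts"], rec["exe"]))
    return out


def analyze(flows, execs):
    """Group flows per (src, dst, port); flag periodic, outbound-heavy or odd-port talkers."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["id.orig_h"], f["id.resp_h"], f["id.resp_p"])].append(f)
    findings = []
    for (src, dst, port), fs in groups.items():
        if len(fs) < BEACON_MIN_CONNECTIONS:
            continue
        fs.sort(key=lambda f: f["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(fs, fs[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        sent = sum(f["orig_bytes"] for f in fs)
        recv = sum(f["resp_bytes"] for f in fs)
        ratio = sent / (sent + recv) if sent + recv else 0.0
        reasons = []
        if cv < BEACON_TIMING_THRESHOLD:
            reasons.append("periodic")
        if ratio > DATA_VOLUME_THRESHOLD:
            reasons.append("outbound_heavy")
        if port in KNOWN_PORTS_TO_MONITOR:
            reasons.append("uncommon_port")
        if reasons:
            hint = [exe for ts, exe in execs.get(src, [])
                    if abs(ts - fs[0]["ts"]) <= ATTRIBUTION_WINDOW_S]
            findings.append({"src": src, "dst": f"{dst}:{port}", "period_s": round(mean, 1),
                             "cv": round(cv, 3), "outbound_ratio": round(ratio, 3),
                             "reasons": reasons, "process_hint": hint})
    return findings


if __name__ == "__main__":
    for f in analyze(make_flows(), downloader_execs(AUDITD_LINES)):
        print(f)
```

The browsing host has as many connections as the beacon but its gaps swing from seconds to fifteen minutes and it downloads far more than it sends, so none of the three reasons fire; the beacon is caught on all three even with jitter, which is why coefficient of variation rather than an exact-interval match is the workable form of BeaconTimingThreshold.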

AN1227

Detects applications using protocols or traffic volumes not previously associated with their process image, such as Automator or AppleScript (osascript) invoking curl or opening Python sockets.

Log Sources
Data Component | Name | Channel
Network Traffic Flow (DC0078) | macos:osquery | socket_events
Command Execution (DC0064) | macos:unifiedlog | log stream

Mutable Elements
Field | Description
SocketParentProcessMatch | Non-browser processes opening sockets to external IPs
DataFlowImbalanceRatio | High outbound/inbound ratio indicating a C2 beacon
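SocketParentProcessMatch as an added example over constructed osquery socket_events and processes rows (not part of DET0444 and not osquery's own code): a connect to an address outside the internal ranges by a non-browser process is flagged, and the parent chain is walked so that curl under osascript or python3 under Automator is called out explicitly. The browser list, the scripting-host list and the internal ranges are assumptions; socket_events carries no byte counts, so DataFlowImbalanceRatio has to come from flow data rather than from this table.

```python
"""AN1227-style socket attribution over constructed osquery rows (added example)."""
import ipaddress

BROWSERS = {"Safari", "Google Chrome", "firefox"}                 # assumption: estate's browsers
SCRIPTING_HOSTS = {"osascript", "Automator", "Automator Application Stub"}
# Assumption: everything outside these ranges is "external" (add the estate's own public ranges)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8")]

# Constructed snapshot shaped like osquery's processes table: pid -> parent, name, path
PROCESSES = {
    1:   {"parent": 0,   "name": "launchd",       "path": "/sbin/launchd"},
    501: {"parent": 1,   "name": "Safari",        "path": "/Applications/Safari.app/Contents/MacOS/Safari"},
    730: {"parent": 1,   "name": "osascript",     "path": "/usr/bin/osascript"},
    733: {"parent": 730, "name": "curl",          "path": "/usr/bin/curl"},
    790: {"parent": 1,   "name": "Automator",     "path": "/System/Applications/Automator.app/Contents/MacOS/Automator"},
    801: {"parent": 790, "name": "Python",        "path": "/usr/bin/python3"},
    900: {"parent": 1,   "name": "mDNSResponder", "path": "/usr/sbin/mDNSResponder"},
    910: {"parent": 1,   "name": "ssh",           "path": "/usr/bin/ssh"},
}

# Constructed rows shaped like osquery's socket_events table
SOCKET_EVENTS = [
    {"time": 1700000001, "action": "connect", "pid": 501, "remote_address": "93.184.216.34", "remote_port": 443},
    {"time": 1700000002, "action": "connect", "pid": 733, "remote_address": "203.0.113.30",  "remote_port": 443},
    {"time": 1700000003, "action": "bind",    "pid": 801, "remote_address": "0.0.0.0",       "remote_port": 0},
    {"time": 1700000004, "action": "connect", "pid": 801, "remote_address": "198.51.100.9",  "remote_port": 8080},
    {"time": 1700000005, "action": "connect", "pid": 900, "remote_address": "224.0.0.251",   "remote_port": 5353},
    {"time": 1700000006, "action": "connect", "pid": 910, "remote_address": "10.0.0.2",      "remote_port": 22},
]


def is_external(addr):
    """True when the address falls in none of the internal ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def ancestors(pid, processes, limit=16):
    """Process names from pid up to launchd (bounded in case the snapshot has a cycle)."""
    chain = []
    while pid in processes and len(chain) < limit:
        chain.append(processes[pid]["name"])
        pid = processes[pid]["parent"]
    return chain


def detect(events, processes):
    """Flag outbound connects to external addresses by non-browser processes."""
    findings = []
    for ev in events:
        if ev["action"] != "connect" or not is_external(ev["remote_address"]):
            continue
        proc = processes.get(ev["pid"], {"name": "?", "path": "?", "parent": 0})
        if proc["name"] in BROWSERS:
            continue
        chain = ancestors(ev["pid"], processes)
        script_parent = [n for n in chain[1:] if n in SCRIPTING_HOSTS]
        findings.append({"pid": ev["pid"], "path": proc["path"],
                         "dst": f'{ev["remote_address"]}:{ev["remote_port"]}',
                         "chain": chain, "script_parent": script_parent,
                         "severity": "high" if script_parent else "medium"})
    return findings


if __name__ == "__main__":
    for f in detect(SOCKET_EVENTS, PROCESSES):
        print(f)
```

The process snapshot must be taken close to the socket event or the pid may already have been reused; in osquery deployments this is normally solved by joining socket_events to process_events on pid and time rather than to a live processes query.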

AN1228

Detects application-layer tunneling or unauthorized application protocols, such as DNS-over-HTTPS, C2 embedded in TLS/HTTP headers, or SMB traffic crossing VLAN or network boundaries it should not.

Log Sources
Data Component | Name | Channel
Network Traffic Content (DC0085) | NSM:Flow | conn.log, http.log, dns.log, ssl.log

Mutable Elements
Field | Description
AppProtocolAbusePattern | Detects DNS tunneling, encrypted HTTP C2, or malformed headers
NorthSouthEgressFilter | Monitor internal hosts talking externally using internal protocols (e.g., SMB)
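AppProtocolAbusePattern and NorthSouthEgressFilter as an added example over constructed dns.log, conn.log and ssl.log rows (not part of DET0444 and not Zeek's own code): DNS tunneling is scored per (source, registered domain) by the number of distinct subdomains, their mean length and Shannon entropy, and the share of TXT/NULL queries; SMB or RDP from an internal source to an external destination is flagged as protocol egress; and a TLS SNI naming a DNS-over-HTTPS resolver is flagged. The last-two-labels registered-domain rule, the thresholds and the DoH name list are assumptions.

```python
"""AN1228-style checks over constructed Zeek dns.log, conn.log and ssl.log rows.
Added example; not part of DET0444 and not Zeek's own code.
"""
import hashlib
import ipaddress
import math
from collections import Counter, defaultdict

MIN_UNIQUE_SUBDOMAINS = 5      # distinct subdomains per registered domain before scoring
ENTROPY_THRESHOLD = 3.0        # mean Shannon entropy (bits/char) of the subdomain part
LENGTH_THRESHOLD = 30          # mean subdomain length in characters
TXT_NULL_FRACTION = 0.5        # share of TXT/NULL queries that is suspicious on its own
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_ONLY_PORTS = {445: "smb", 139: "smb", 3389: "rdp"}   # NorthSouthEgressFilter
DOH_SNI = {"dns.google", "cloudflare-dns.com"}   # assumption: starter list, extend from policy


def make_dns():
    """Constructed dns.log rows: one tunnelling client, one ordinary client."""
    rows = []
    for i in range(8):   # long, high-entropy labels carried as TXT queries under one domain
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        rows.append({"id.orig_h": "10.0.0.9", "query": f"{label}.t.example.net", "qtype_name": "TXT"})
    for host in ("www", "mail", "cdn", "www", "www"):
        rows.append({"id.orig_h": "10.0.0.8", "query": f"{host}.example.com", "qtype_name": "A"})
    return rows

CONN = [   # constructed conn.log rows
    {"id.orig_h": "10.0.0.9", "id.resp_h": "203.0.113.40", "id.resp_p": 445, "proto": "tcp"},
    {"id.orig_h": "10.0.0.9", "id.resp_h": "10.0.0.50", "id.resp_p": 445, "proto": "tcp"},
]
SSL = [    # constructed ssl.log rows
    {"id.orig_h": "10.0.0.11", "id.resp_h": "8.8.8.8", "server_name": "dns.google"},
    {"id.orig_h": "10.0.0.8", "id.resp_h": "93.184.216.34", "server_name": "www.example.com"},
]


def entropy(s):
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_query(q):
    """Assumption: registered domain = last two labels; use a public suffix list in production."""
    labels = q.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def dns_tunnel_findings(rows):
    """Score each (source, registered domain) pair for tunnelling traits."""
    groups = defaultdict(list)
    for r in rows:
        reg, sub = split_query(r["query"])
        groups[(r["id.orig_h"], reg)].append((sub, r["qtype_name"]))
    out = []
    for (src, reg), items in groups.items():
        subs = {s for s, _ in items}
        if len(subs) < MIN_UNIQUE_SUBDOMAINS:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(entropy(s.replace(".", "")) for s in subs) / len(subs)
        txt_null = sum(1 for _, t in items if t in ("TXT", "NULL")) / len(items)
        reasons = []
        if mean_ent >= ENTROPY_THRESHOLD and mean_len >= LENGTH_THRESHOLD:
            reasons.append("high_entropy_long_labels")
        if txt_null >= TXT_NULL_FRACTION:
            reasons.append("txt_null_heavy")
        if reasons:
            out.append({"src": src, "domain": reg, "unique_subdomains": len(subs),
                        "mean_len": round(mean_len, 1), "mean_entropy": round(mean_ent, 2),
                        "reasons": reasons})
    return out

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def egress_findings(conn):
    """Internal-only protocols (by port) from an internal source to an external destination."""
    return [{"src": r["id.orig_h"], "dst": f'{r["id.resp_h"]}:{r["id.resp_p"]}',
             "service": INTERNAL_ONLY_PORTS[r["id.resp_p"]], "reasons": ["internal_protocol_egress"]}
            for r in conn if r["id.resp_p"] in INTERNAL_ONLY_PORTS
            and is_internal(r["id.orig_h"]) and not is_internal(r["id.resp_h"])]

def doh_findings(ssl):
    """TLS sessions whose SNI names a known DNS-over-HTTPS resolver."""
    return [{"src": r["id.orig_h"], "dst": r["id.resp_h"], "sni": r["server_name"],
             "reasons": ["doh_resolver_sni"]}
            for r in ssl if r.get("server_name") in DOH_SNI]

def detect(dns, conn, ssl):
    return dns_tunnel_findings(dns) + egress_findings(conn) + doh_findings(ssl)


if __name__ == "__main__":
    for f in detect(make_dns(), CONN, SSL):
        print(f)
```

Counting distinct subdomains per registered domain is what separates a tunnel from a busy CDN: the benign client repeats www.example.com and never reaches MIN_UNIQUE_SUBDOMAINS, while every tunnel query is a fresh label. The DoH check is a name match only; clients that pin the resolver by IP or use a private DoH endpoint need the SNI list widened or a JA3/JA4 angle instead.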