Application Layer Protocol

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.

ID: T1071
Sub-techniques:  T1071.001, T1071.002, T1071.003, T1071.004
Platforms: Linux, Windows, macOS
Contributors: Duane Michael
Version: 2.1
Created: 31 May 2017
Last Modified: 11 April 2023

Procedure Examples

ID Name Description
S0660 Clambling

Clambling has the ability to use Telnet for communication.[1]

S0038 Duqu

Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols.[2]

S0601 Hildegard

Hildegard has used an IRC channel for C2 communications.[3]

S0532 Lucifer

Lucifer can use the Stratum protocol on port 10001 for communication between the cryptojacking bot and the mining server.[4]

G0059 Magic Hound

Magic Hound malware has used IRC for C2.[5][6]

S0034 NETEAGLE

Adversaries can also use NETEAGLE to establish an RDP connection with a controller over TCP/7519.

S1084 QUIETEXIT

QUIETEXIT can use an inverse negotiated SSH connection as part of its C2.[7]

G0106 Rocke

Rocke issued wget requests from infected systems to the C2.[8]

S0623 Siloscape

Siloscape connects to an IRC server for C2.[9]

G0139 TeamTNT

TeamTNT has used an IRC bot for C2 communications.[10]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Network Traffic Flow

Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

References