Standard Application Layer Protocol

From ATT&CK
Jump to: navigation, search
Standard Application Layer Protocol
Technique
ID T1071
Tactic Command and Control
Platform Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1
Data Sources Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring
Requires Network Yes

Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.

Examples

  • APT28 used SMTP as a communication channel in various implants, initially using self-registered Google Mail accounts and later compromised email servers of its victims. Later implants such as CHOPSTICK use a blend of HTTP and other legitimate channels, depending on module configuration.1
  • FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.2
  • Stealth Falcon malware communicates with its C2 server via HTTPS.3
  • APT12 has used RIPTIDE, a RAT that uses HTTP to communicate.4
  • PlugX can be configured to use HTTP or DNS for command and control.5
  • The Regin malware platform supports many standard protocols, including HTTP, HTTPS, and SMB.6
  • Various implementations of CHOPSTICK communicate with C2 over HTTP, SMTP, and POP3.7
  • The Carbanak malware communicates to its command server using HTTP with an encrypted payload.8
  • BACKSPACE uses HTTP as a transport to communicate with its command server.9
  • NETEAGLE will attempt to detect if the infected host is configured to a proxy. If so, NETEAGLE will send beacons via an HTTP POST request; otherwise it will send beacons via UDP/6000. NETEAGLE will also use HTTP to download resources that contain an IP address and Port Number pair to connect to for further C2. Adversaries can also use NETEAGLE to establish an RDP connection with a controller over TCP/7519.9
  • The "Uploader" variant of HAMMERTOSS visits a hard-coded server over HTTP/S to download the images HAMMERTOSS uses to receive commands.10
  • Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols.11
  • LOWBALL command and control occurs via HTTPS over port 443.12
  • BUBBLEWRAP can communicate using HTTP or HTTPS.12
  • JHUHUGIT communicates with its C2 server over HTTP.13
  • ADVSTORESHELL connects to port 80 of a C2 server using Wininet API.14
  • CozyCar's main method of communicating with its C2 servers is using HTTP or HTTPS.15
  • PinchDuke transfers files from the compromised host via HTTP or HTTPS to a C2 server.16
  • GeminiDuke uses HTTP and HTTPS for command and control.16
  • CosmicDuke can use HTTP or HTTPS for command and control to hard-coded C2 servers.1617
  • MiniDuke uses HTTP and HTTPS for command and control.16
  • OnionDuke uses HTTP and HTTPS for C2.16
  • SeaDuke uses HTTP and HTTPS for C2.16
  • One variant of CloudDuke uses HTTP and HTTPS for C2.16
  • RARSTONE uses SSL to encrypt its communication with its C2 server.18
  • WinMM uses HTTP for C2.19
  • Sys10 uses HTTP for C2.19
  • DustySky has used both HTTP and HTTPS for C2.20
  • ELMER uses HTTP for command and control.21
  • 4H RAT uses HTTP for command and control.22
  • 3PARA RAT uses HTTP for command and control.22
  • pngdowner uses HTTP for command and control.22
  • httpclient uses HTTP for command and control.22
  • HTTPBrowser has used HTTP, HTTPS, and DNS for command and control.235
  • OwaAuth uses incoming HTTP requests with a username keyword and commands and handles them as instructions to perform actions.5
  • Sakula uses HTTP for C2.24
  • Some variants of FakeM use SSL to communicate with C2 servers.25
  • Psylo uses HTTPS for C2.25
  • Elise communicates over HTTP or HTTPS for C2.26
  • Emissary uses HTTP or HTTPS for C2.27
  • Mis-Type network traffic can communicate over HTTP.28
  • S-Type uses HTTP for C2.28
  • ZLib communicates over HTTP for C2.28
  • Hi-Zor communicates with its C2 server over HTTPS.29
  • BlackEnergy communicates with its C2 server over HTTP.30
  • Epic implements a command and control protocol over HTTP.31
  • Pisloader uses DNS as its C2 protocol.32
  • Remsec is capable of using HTTP, HTTPS, SMTP, and DNS for C2.333435
  • ComRAT has used HTTP requests for command and control.36
  • BBSRAT uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB compressed data back to the C2 server.37
  • ... further results

Mitigation

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and will be different across various malware families and versions. Adversaries will likely change tool signatures over time or construct protocols in such a way to avoid detection by common defensive tools.38

Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.38

References

  1. ^  FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  2. ^  FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  3. ^  Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  4. ^  Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.
  5. a b c  Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved January 25, 2016.
  6. ^  Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
  7. ^  ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  8. ^  Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved March 3, 2015.
  9. a b  FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  10. ^  FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
  11. ^  Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  12. a b  FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  13. ^  ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  14. ^  Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  15. ^  F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  16. a b c d e f g  F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  17. ^  F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  18. ^  Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
  19. a b  Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved December 17, 2015.
  1. ^  ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  2. ^  Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
  3. a b c d  Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  4. ^  Shelmire, A.. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.
  5. ^  Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  6. a b  Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  7. ^  Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  8. ^  Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  9. a b c  Gross, J. (2016, February 23). Operation Dust Storm. Retrieved February 25, 2016.
  10. ^  Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  11. ^  F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  12. ^  Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  13. ^  Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  14. ^  Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  15. ^  Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  16. ^  Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  17. ^  Rascagneres, P. (2015, May). Tools used by the Uroburos actors. Retrieved August 18, 2016.
  18. ^  Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  19. a b  Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.