Standard Application Layer Protocol

From enterprise
Jump to: navigation, search
Standard Application Layer Protocol
ID T1071
Tactic Command and Control
Platform Linux, macOS, Windows
Data Sources Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring
Requires Network Yes

Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.


  • APT28 used SMTP as a communication channel in various implants, initially using self-registered Google Mail accounts and later compromised email servers of its victims. Later implants such as CHOPSTICK use a blend of HTTP and other legitimate channels, depending on module configuration.1
  • APT32 has used JavaScript that communicates over HTTP or HTTPS to attacker controlled domains to download additional frameworks.2
  • APT34 malware often uses HTTP and DNS for C2. The group has also used the Plink utility and other tools to create tunnels to C2 servers.3
  • BRONZE BUTLER malware has used HTTP for C2.4
  • FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.5
  • A Gamaredon Group file stealer can communicate over HTTP for C2.6
  • Magic Hound malware has used HTTP and IRC for C2.7
  • OilRig has used HTTP and DNS for C2.8
  • Stealth Falcon malware communicates with its C2 server via HTTPS.9
  • 3PARA RAT uses HTTP for command and control.10
  • 4H RAT uses HTTP for command and control.10
  • ADVSTORESHELL connects to port 80 of a C2 server using Wininet API.11
  • BACKSPACE uses HTTP as a transport to communicate with its command server.12
  • BBSRAT uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB compressed data back to the C2 server.13
  • BUBBLEWRAP can communicate using HTTP or HTTPS.14
  • BlackEnergy communicates with its C2 server over HTTP.15
  • Various implementations of CHOPSTICK communicate with C2 over HTTP, SMTP, and POP3.16
  • CORESHELL can communicate over HTTP, SMTP, and POP3 for C2.117
  • The Carbanak malware communicates to its command server using HTTP with an encrypted payload.18
  • ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header.1920
  • One variant of CloudDuke uses HTTP and HTTPS for C2.21
  • Cobalt Strike uses a custom command and control protocol that is encapsulated in HTTP, HTTPS, or DNS. In addition, it conducts peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports.22
  • ComRAT has used HTTP requests for command and control.23
  • CosmicDuke can use HTTP or HTTPS for command and control to hard-coded C2 servers.2124
  • CozyCar's main method of communicating with its C2 servers is using HTTP or HTTPS.25
  • Daserf uses HTTP for C2.4
  • DownPaper communicates to its C2 server over HTTP.26
  • Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols.27
  • DustySky has used both HTTP and HTTPS for C2.28
  • ELMER uses HTTP for command and control.29
  • Elise communicates over HTTP or HTTPS for C2.30
  • Emissary uses HTTP or HTTPS for C2.31
  • Epic implements a command and control protocol over HTTP.32
  • FLIPSIDE uses RDP to tunnel traffic from a victim environment.33
  • Some variants of FakeM use SSL to communicate with C2 servers.34
  • Felismus uses HTTP for C2.35
  • Gazer communicates with its C2 servers over HTTP.36
  • GeminiDuke uses HTTP and HTTPS for command and control.21
  • The "Uploader" variant of HAMMERTOSS visits a hard-coded server over HTTP/S to download the images HAMMERTOSS uses to receive commands.37
  • HTTPBrowser has used HTTP, HTTPS, and DNS for command and control.3839
  • Helminth can use HTTP or DNS for C2.40
  • Hi-Zor communicates with its C2 server over HTTPS.41
  • JHUHUGIT communicates with its C2 server over HTTP.42
  • The Komplex C2 channel uses HTTP POST requests.43
  • LOWBALL command and control occurs via HTTPS over port 443.14
  • Matroyshka uses DNS for C2.4445
  • MiniDuke uses HTTP and HTTPS for command and control.21
  • Mis-Type network traffic can communicate over HTTP.46
  • NETEAGLE will attempt to detect if the infected host is configured to a proxy. If so, NETEAGLE will send beacons via an HTTP POST request; otherwise it will send beacons via UDP/6000. NETEAGLE will also use HTTP to download resources that contain an IP address and Port Number pair to connect to for further C2. Adversaries can also use NETEAGLE to establish an RDP connection with a controller over TCP/7519.12
  • OLDBAIT can use HTTP or SMTP for C2.1
  • ... further results


Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and will be different across various malware families and versions. Adversaries will likely change tool signatures over time or construct protocols in such a way to avoid detection by common defensive tools.47


Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.47


  1. a b c  FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  2. ^  Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
  3. ^  Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  4. a b  Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  5. ^  FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  6. ^  Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  7. ^  Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  8. ^  Unit 42. (2017, December 15). Unit 42 Playbook Viewer - Oil Rig. Retrieved December 20, 2017.
  9. ^  Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  10. a b  Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  11. ^  Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  12. a b  FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  13. ^  Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  14. a b  FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  15. ^  F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  16. ^  ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  17. ^  Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  18. ^  Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved March 3, 2015.
  19. ^  Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  20. ^  Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
  21. a b c d  F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  22. ^  Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  23. ^  Rascagneres, P. (2015, May). Tools used by the Uroburos actors. Retrieved August 18, 2016.
  24. ^  F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  1. ^  F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  2. ^  ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
  3. ^  Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  4. ^  ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  5. ^  Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
  6. ^  Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  7. ^  Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  8. ^  Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  9. ^  Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  10. ^  Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  11. ^  Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  12. ^  ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  13. ^  FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
  14. ^  Shelmire, A.. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.
  15. ^  Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved January 25, 2016.
  16. ^  Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  17. ^  Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  18. ^  ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  19. ^  Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
  20. ^  ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  21. ^  Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  22. ^  Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  23. a b  Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.