Application Layer Protocol, Technique T1071 - Enterprise | MITRE ATT&CK®
  1. Home
  2. Techniques
  3. Enterprise
  4. Application Layer Protocol

Application Layer Protocol

ID Name
T1071.001 Web Protocols
T1071.002 File Transfer Protocols
T1071.003 Mail Protocols
T1071.004 DNS
T1071.005 Publish/Subscribe Protocols

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, DNS, or publishing/subscribing. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.[1]

ID: T1071
Sub-techniques:  T1071.001, T1071.002, T1071.003, T1071.004, T1071.005
Tactic: Command and Control
Platforms: Linux, Network, Windows, macOS
Contributors: Duane Michael
Version: 2.3
Created: 31 May 2017
Last Modified: 28 August 2024
Version Permalink

Procedure Examples

ID Name Description
S0660 Clambling

Clambling has the ability to use Telnet for communication.[2]
S0038 Duqu

Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols.[3]
S0601 Hildegard

Hildegard has used an IRC channel for C2 communications.[4]
G1032 INC Ransom

INC Ransom has used valid accounts over RDP to connect to targeted systems.[5]
S0532 Lucifer

Lucifer can use the Stratum protocol on port 10001 for communication between the cryptojacking bot and the mining server.[6]
G0059 Magic Hound

Magic Hound malware has used IRC for C2.[7][8]
S0034 NETEAGLE

Adversaries can also use NETEAGLE to establish an RDP connection with a controller over TCP/7519.
S1147 Nightdoor

Nightdoor uses TCP and UDP communication for command and control traffic.[9][10]
S1084 QUIETEXIT

QUIETEXIT can use an inverse negotiated SSH connection as part of its C2.[1]
S1130 Raspberry Robin

Raspberry Robin is capable of contacting the TOR network for delivering second-stage payloads.[11][12][13]
G0106 Rocke

Rocke issued wget requests from infected systems to the C2.[14]
S0623 Siloscape

Siloscape connects to an IRC server for C2.[15]
G0139 TeamTNT

TeamTNT has used an IRC bot for C2 communications.[16]

Mitigations

ID Mitigation Description
M1037 Filter Network Traffic

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).
Network Traffic Flow

Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

References

  1. Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
  2. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  3. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  4. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  5. Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
  6. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
  7. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  8. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  1. Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024.
  2. Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.
  3. Lauren Podber and Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 17, 2024.
  4. Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024.
  5. Patrick Schläpfer . (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024.
  6. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  7. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
  8. Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.