Description
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Protocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
Platforms
Mitigations (2)
Network Intrusion PreventionM1031
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
Filter Network TrafficM1037
Restrict and monitor outbound web traffic (HTTP/HTTPS) from critical servers to only approved destinations. Limiting the ability to initiate outbound HTTP/HTTPS connections, especially from public-facing servers, can prevent attackers from using tools like curl or wget to communicate with external C2 servers or download malicious payloads.
Threat Groups (57)
| ID | Group | Context |
|---|---|---|
| G0075 | Rancor | [Rancor](https://attack.mitre.org/groups/G0075) has used HTTP for C2.(Citation: Rancor Unit42 June 2018) |
| G1013 | Metador | [Metador](https://attack.mitre.org/groups/G1013) has used HTTP for C2.(Citation: SentinelLabs Metador Sept 2022) |
| G1042 | RedEcho | [RedEcho](https://attack.mitre.org/groups/G1042) network activity is associated with SSL traffic via TCP 443 and proxied HTTP traffic over non-standar... |
| G1002 | BITTER | [BITTER](https://attack.mitre.org/groups/G1002) has used HTTP POST requests for C2.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcep... |
| G1036 | Moonstone Sleet | [Moonstone Sleet](https://attack.mitre.org/groups/G1036) used curl to connect to adversary-controlled infrastructure and retrieve additional payloads.... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used HTTP for C2.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)... |
| G0071 | Orangeworm | [Orangeworm](https://attack.mitre.org/groups/G0071) has used HTTP for C2.(Citation: Symantec Orangeworm IOCs April 2018) |
| G0067 | APT37 | [APT37](https://attack.mitre.org/groups/G0067) uses HTTPS to conceal C2 communications.(Citation: Talos Group123) |
| G1035 | Winter Vivern | [Winter Vivern](https://attack.mitre.org/groups/G1035) uses HTTP and HTTPS protocols for exfiltration and command and control activity.(Citation: Sent... |
| G0070 | Dark Caracal | [Dark Caracal](https://attack.mitre.org/groups/G0070)'s version of [Bandook](https://attack.mitre.org/software/S0234) communicates with their server o... |
| G1034 | Daggerfly | [Daggerfly](https://attack.mitre.org/groups/G1034) uses HTTP for command and control communication.(Citation: ESET EvasivePanda 2024) |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has used HTTP for C2.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Report APT35 ProxySh... |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has used HTTP in communication with the C2.(Citation: Anomali Pirate Panda April 2020)(Citatio... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used HTTPS for C2 communications.(Citation: NCC Group Chimera January 2021) |
| G1014 | LuminousMoth | [LuminousMoth](https://attack.mitre.org/groups/G1014) has used HTTP for C2.(Citation: Kaspersky LuminousMoth July 2021) |
| G0073 | APT19 | [APT19](https://attack.mitre.org/groups/G0073) used HTTP for C2 communications. [APT19](https://attack.mitre.org/groups/G0073) also used an HTTP malwa... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.(Citation: FireEye APT41 ... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has communicated with its C2 via HTTP POST requests.(Citation: Anomali MUSTANG PANDA October 20... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has communicated through reverse or bind shells over port 443 (HTTPS).(Citation: CISA Medusa Gro... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS.(Citation: FireEye APT3... |
Associated Software (341)
| ID | Name | Type | Context |
|---|---|---|---|
| S1047 | Mori | Malware | [Mori](https://attack.mitre.org/software/S1047) can communicate using HTTP over IPv4 or IPv6 depending on a flag set.(Citation: DHS CISA AA22-055A Mud... |
| S0275 | UPPERCUT | Malware | [UPPERCUT](https://attack.mitre.org/software/S0275) has used HTTP for C2, including sending error codes in cookie headers.(Citation: FireEye APT10 Sep... |
| S0495 | RDAT | Malware | [RDAT](https://attack.mitre.org/software/S0495) can use HTTP communications for C2, as well as using the WinHTTP library to make requests to the Excha... |
| S1108 | PULSECHECK | Malware | [PULSECHECK](https://attack.mitre.org/software/S1108) can check HTTP request headers for a specific backdoor key and if found will output the result o... |
| S0207 | Vasport | Malware | [Vasport](https://attack.mitre.org/software/S0207) creates a backdoor by making a connection using a HTTP POST.(Citation: Symantec Vasport May 2012) |
| S0502 | Drovorub | Malware | [Drovorub](https://attack.mitre.org/software/S0502) can use the WebSocket protocol and has initiated communication with C2 servers with an HTTP Upgrad... |
| S0144 | ChChes | Malware | [ChChes](https://attack.mitre.org/software/S0144) communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header.(Citation: Pal... |
| S1246 | BeaverTail | Malware | [BeaverTail](https://attack.mitre.org/software/S1246) has used HTTP GET request to download malicious payloads to include [InvisibleFerret](https://at... |
| S1023 | CreepyDrive | Malware | [CreepyDrive](https://attack.mitre.org/software/S1023) can use HTTPS for C2 using the Microsoft Graph API.(Citation: Microsoft POLONIUM June 2022) |
| S0091 | Epic | Malware | [Epic](https://attack.mitre.org/software/S0091) uses HTTP and HTTPS for C2 communications.(Citation: Kaspersky Turla)(Citation: Kaspersky Turla Aug 20... |
| S1026 | Mongall | Malware | [Mongall](https://attack.mitre.org/software/S1026) can use HTTP for C2 communication.(Citation: SentinelOne Aoqin Dragon June 2022) |
| S0341 | Xbash | Malware | [Xbash](https://attack.mitre.org/software/S0341) uses HTTP for C2 communications.(Citation: Unit42 Xbash Sept 2018) |
| S0578 | SUPERNOVA | Malware | [SUPERNOVA](https://attack.mitre.org/software/S0578) had to receive an HTTP GET request containing a specific set of parameters in order to execute.(C... |
| S1119 | LIGHTWIRE | Malware | [LIGHTWIRE](https://attack.mitre.org/software/S1119) can use HTTP for C2 communications.(Citation: Mandiant Cutting Edge Part 2 January 2024) |
| S0653 | xCaon | Malware | [xCaon](https://attack.mitre.org/software/S0653) has communicated with the C2 server by sending POST requests over HTTP.(Citation: Checkpoint IndigoZe... |
| S1051 | KEYPLUG | Malware | [KEYPLUG](https://attack.mitre.org/software/S1051) has the ability to communicate over HTTP and WebSocket Protocol (WSS) for C2.(Citation: Mandiant AP... |
| S0269 | QUADAGENT | Malware | [QUADAGENT](https://attack.mitre.org/software/S0269) uses HTTPS and HTTP for C2 communications.(Citation: Unit 42 QUADAGENT July 2018) |
| S0599 | Kinsing | Malware | [Kinsing](https://attack.mitre.org/software/S0599) has communicated with C2 over HTTP.(Citation: Aqua Kinsing April 2020) |
| S0128 | BADNEWS | Malware | [BADNEWS](https://attack.mitre.org/software/S0128) establishes a backdoor over HTTP.(Citation: PaloAlto Patchwork Mar 2018) |
| S0239 | Bankshot | Malware | [Bankshot](https://attack.mitre.org/software/S0239) uses HTTP for command and control communication.(Citation: McAfee Bankshot) |
Related CWE Weaknesses
References
- Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- Shahar Tavor. (n.d.). BrazKing Android Malware Upgraded and Targeting Brazilian Banks. Retrieved March 24, 2023.
Frequently Asked Questions
What is T1071.001 (Web Protocols)?
T1071.001 is a MITRE ATT&CK technique named 'Web Protocols'. It belongs to the Command and Control tactic(s). Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and...
How can T1071.001 be detected?
Detection of T1071.001 (Web Protocols) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1071.001?
There are 2 documented mitigations for T1071.001. Key mitigations include: Network Intrusion Prevention, Filter Network Traffic.
Which threat groups use T1071.001?
Known threat groups using T1071.001 include: Rancor, Metador, RedEcho, BITTER, Moonstone Sleet, OilRig, Orangeworm, APT37.