Description
Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, DNS, or publishing/subscribing. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye Spy Email Nov 22)
Platforms
Sub-Techniques (5)
T1071.001 Web Protocols
T1071.002 File Transfer Protocols
T1071.003 Mail Protocols
T1071.004 DNS
T1071.005 Publish/Subscribe Protocols
Mitigations (2)
M1031 Network Intrusion Prevention
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
M1037 Filter Network Traffic
Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
Threat Groups (5)
| ID | Group | Context |
|---|---|---|
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) malware has used IRC for C2.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Phosphorus No... |
| G0106 | Rocke | [Rocke](https://attack.mitre.org/groups/G0106) issued wget requests from infected systems to the C2.(Citation: Talos Rocke August 2018) |
| G1032 | INC Ransom | [INC Ransom](https://attack.mitre.org/groups/G1032) has used valid accounts over RDP to connect to targeted systems.(Citation: Huntress INC Ransom Gro... |
| G1047 | Velvet Ant | [Velvet Ant](https://attack.mitre.org/groups/G1047) has used reverse SSH tunnels to communicate to victim devices.(Citation: Sygnia VelvetAnt 2024A) |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has used an IRC bot for C2 communications.(Citation: Trend Micro TeamTNT) |
Associated Software (10)
| ID | Name | Type | Context |
|---|---|---|---|
| S0601 | Hildegard | Malware | [Hildegard](https://attack.mitre.org/software/S0601) has used an IRC channel for C2 communications.(Citation: Unit 42 Hildegard Malware) |
| S0034 | NETEAGLE | Malware | Adversaries can also use [NETEAGLE](https://attack.mitre.org/software/S0034) to establish an RDP connection with a controller over TCP/7519. |
| S0623 | Siloscape | Malware | [Siloscape](https://attack.mitre.org/software/S0623) connects to an IRC server for C2.(Citation: Unit 42 Siloscape Jun 2021) |
| S1084 | QUIETEXIT | Malware | [QUIETEXIT](https://attack.mitre.org/software/S1084) can use an inverse negotiated SSH connection as part of its C2.(Citation: Mandiant APT29 Eye Spy ... |
| S0038 | Duqu | Malware | [Duqu](https://attack.mitre.org/software/S0038) uses a custom command and control protocol that communicates over commonly used ports, and is frequent... |
| S0660 | Clambling | Malware | [Clambling](https://attack.mitre.org/software/S0660) has the ability to use Telnet for communication.(Citation: Trend Micro DRBControl February 2020) |
| S0633 | Sliver | Tool | [Sliver](https://attack.mitre.org/software/S0633) can utilize the Wireguard VPN protocol for command and control.(Citation: Cybereason Sliver Undated) |
| S0532 | Lucifer | Malware | [Lucifer](https://attack.mitre.org/software/S0532) can use the Stratum protocol on port 10001 for communication between the cryptojacking bot and the ... |
| S1130 | Raspberry Robin | Malware | [Raspberry Robin](https://attack.mitre.org/software/S1130) is capable of contacting the TOR network for delivering second-stage payloads.(Citation: Re... |
| S1147 | Nightdoor | Malware | [Nightdoor](https://attack.mitre.org/software/S1147) uses TCP and UDP communication for command and control traffic.(Citation: ESET EvasivePanda 2024)... |
Related CWE Weaknesses
References
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
Frequently Asked Questions
What is T1071 (Application Layer Protocol)?
T1071 is a MITRE ATT&CK technique named 'Application Layer Protocol'. It belongs to the Command and Control tactic(s). Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of tho...
How can T1071 be detected?
Detection of T1071 (Application Layer Protocol) relies mainly on network telemetry rather than generic log review. Analyze flow data for uncommon data flows: a client that sends far more data than it receives, a host using a protocol it never used before, or an enclave-internal protocol such as SSH, RDP or SMB leaving the network directly. Inspect packet contents (or a protocol analyzer's service labels) for traffic that does not follow the expected protocol behavior for the port in use, for example SSH on TCP/443 or DNS queries carrying long, encoded-looking labels. Correlate with endpoint telemetry (EDR process and network events) to tie the connection to the process that opened it and confirm it is not a legitimate application. Note that signature-based inspection loses most of its value once the channel is encrypted, so flow-level and behavioral checks should not depend on payload visibility.
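The following is an added example, not code from the ATT&CK page or from any of the vendors cited on it. It turns the detection guidance above, and the protocol-based filtering idea from mitigation M1037, into three concrete checks run over constructed Zeek-style `conn.log` and `dns.log` records: a recognised application protocol on a port it is not expected on, enclave-internal protocols (SSH, RDP, SMB, Telnet, IRC) egressing to external hosts, and DNS queries whose labels look like encoded data. All log records, the internal address ranges, the expected-port policy and the thresholds are assumptions made up for the example.

```python
"""Heuristic detections for C2 over application-layer protocols (T1071).

Added example; not part of the ATT&CK page or any vendor's code. The Zeek
JSON field names are real, but every record, network range and threshold
below is constructed for illustration.
"""
import ipaddress
import math
from collections import Counter, defaultdict

# Constructed conn.log-style records (Zeek JSON field names, made-up values).
SAMPLE_CONN = [
    {"id.orig_h": "10.0.0.5", "id.resp_h": "93.184.216.34", "id.resp_p": 443,
     "service": "ssl", "orig_bytes": 1200, "resp_bytes": 50000},
    {"id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "id.resp_p": 443,
     "service": "ssh", "orig_bytes": 8000, "resp_bytes": 2000},
    {"id.orig_h": "10.0.0.7", "id.resp_h": "198.51.100.9", "id.resp_p": 6667,
     "service": "irc", "orig_bytes": 500, "resp_bytes": 300},
    {"id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.1", "id.resp_p": 3389,
     "service": "rdp", "orig_bytes": 9000, "resp_bytes": 400000},
    {"id.orig_h": "10.0.0.9", "id.resp_h": "198.51.100.20", "id.resp_p": 80,
     "service": "http", "orig_bytes": 250000, "resp_bytes": 1800},
]

# Constructed dns.log-style records; the hex labels imitate a DNS tunnel.
SAMPLE_DNS = [
    {"id.orig_h": "10.0.0.9", "query": "www.example.com", "qtype_name": "A"},
    {"id.orig_h": "10.0.0.9", "query": "cdn.example.net", "qtype_name": "A"},
    {"id.orig_h": "10.0.0.11", "query": "a9f3c2e1b7d4f6a0c8e2b1d3f5a7c9e0.t.example.org", "qtype_name": "TXT"},
    {"id.orig_h": "10.0.0.11", "query": "b1e4d7a2c5f8e0b3d6a9c2f5e8b1d4a7.t.example.org", "qtype_name": "TXT"},
    {"id.orig_h": "10.0.0.11", "query": "c3f6a9d2e5b8c1f4a7d0e3b6c9f2a5d8.t.example.org", "qtype_name": "TXT"},
]

# Assumed enclave address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Assumed site policy: ports on which each Zeek service label is expected.
EXPECTED_PORTS = {"http": {80, 8080}, "ssl": {443, 8443}, "ssh": {22},
                  "irc": {6667, 6697}, "rdp": {3389}, "smb": {445}, "telnet": {23}}

# Protocols used for pivoting inside an enclave; direct egress is suspicious
# and is also what a protocol-based egress filter (M1037) would block.
INTERNAL_ONLY = {"ssh", "rdp", "smb", "telnet", "irc"}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_conn(rec: dict) -> list[str]:
    """Return findings for one connection record (empty list means nothing odd)."""
    svc, port, dst = rec.get("service"), rec["id.resp_p"], rec["id.resp_h"]
    findings = []
    # 1. Protocol that does not match the expected behaviour for the port.
    if svc in EXPECTED_PORTS and port not in EXPECTED_PORTS[svc]:
        findings.append(f"{svc} on unexpected port {port}")
    # 2. Enclave-internal protocol leaving the enclave.
    if svc in INTERNAL_ONLY and not is_internal(dst):
        findings.append(f"{svc} egress to external host {dst}")
    # 3. Web C2 tends to upload more than it downloads; browsing is the reverse.
    if (svc in ("http", "ssl") and not is_internal(dst)
            and rec["orig_bytes"] > 100_000
            and rec["orig_bytes"] > 10 * rec["resp_bytes"]):
        findings.append(f"upload-heavy {svc} session to {dst}")
    return findings


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex/base32 labels score well above words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def flag_dns(records: list[dict]) -> dict[str, list[str]]:
    """Per-client DNS findings: encoded-looking labels and subdomain fan-out."""
    findings = defaultdict(list)
    fanout = defaultdict(set)  # (client, parent domain) -> unique leftmost labels
    for rec in records:
        client, q = rec["id.orig_h"], rec["query"].rstrip(".")
        labels = q.split(".")
        leftmost, parent = labels[0], ".".join(labels[-2:])
        if len(leftmost) >= 20 and shannon_entropy(leftmost) > 3.5:
            findings[client].append(f"high-entropy label in {q}")
        if rec.get("qtype_name") in ("TXT", "NULL") and len(q) > 40:
            findings[client].append(f"long {rec['qtype_name']} query {q}")
        fanout[(client, parent)].add(leftmost)
    # Many distinct subdomains under one parent from one client is the
    # classic shape of data encoded into query names.
    for (client, parent), labels in fanout.items():
        if len(labels) >= 3:
            findings[client].append(f"{len(labels)} unique subdomains under {parent}")
    return dict(findings)


def run_detections(conn=SAMPLE_CONN, dns=SAMPLE_DNS) -> dict[str, list[str]]:
    """Collect all findings keyed by internal client address."""
    out = defaultdict(list)
    for rec in conn:
        out[rec["id.orig_h"]].extend(flag_conn(rec))
    for client, items in flag_dns(dns).items():
        out[client].extend(items)
    return {k: v for k, v in out.items() if v}


if __name__ == "__main__":
    for client, items in run_detections().items():
        for item in items:
            print(f"{client}: {item}")
```

On the constructed data the internal RDP session produces no finding, while SSH on TCP/443, direct IRC egress, an upload-heavy HTTP session and the three TXT queries with 32-character hex labels are each flagged. The thresholds (100 KB, 10:1 upload ratio, entropy above 3.5 bits, three unique subdomains) are starting points to tune against a baseline of your own traffic, not published constants.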
What mitigations exist for T1071?
There are 2 documented mitigations for T1071. Key mitigations include: Network Intrusion Prevention, Filter Network Traffic.
Which threat groups use T1071?
Known threat groups using T1071 include: Magic Hound, Rocke, INC Ransom, Velvet Ant, TeamTNT.