T1071 Application Layer Protocol Mappings

Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of Application Layer Protocol (ALP) attacks. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact. Application Layer Protocol (ALP) attacks exploit vulnerabilities in protocols like HTTP, HTTPS, DNS, or SMB to manipulate network traffic or gain unauthorized access to systems. Intel TDT plays a crucial role in identifying these attacks by providing real-time telemetry on program execution, memory access, and control flow, enabling quick detection of abnormal behaviors within application protocols that could signal an ongoing attack. Additionally, CAMS offloads the memory scanning workload from the CPU to the Intel Integrated GPU, allowing for faster, more efficient detection of malicious activity without degrading system performance. CAMS helps identify suspicious behaviors, including code execution that targets application layer protocols or masquerades as legitimate processes.

This remote command execution vulnerability is exploited by an unauthenticated, remote adversary via the DDNS function in ncc2 binary file. Adversaries have leveraged this vulnerability to spread a variant of Mirai botnet called Beastmode and IZ1H9 to cause a distributed denial of service attack. In the IZ1H9 attack, once the attackers took advantage of the vulnerability, they injected the IZ1H9 payload into the device. This program included instructions to download another script from a specific web address. When this script ran, it erased records to cover up the malicious actions and then downloaded additional software designed for different types of devices. The script also changed the device's settings to block certain network connections, making it more difficult to remove the malware. After these steps, the infected device connected to a control server, waiting for instructions on which type of denial-of-service attack to carry out, such as disrupting services using various internet protocols. In the Beastmode attack, exploiting the vulnerability led to the download and execution of a script called "ddns.sh." This script then fetched the Beastmode program, which was saved and run with specific settings. These settings allowed the infected device to join a subgroup within the larger botnet, helping the attackers manage and assess the effectiveness of their exploits. Once devices were compromised by Beastmode, the botnet could be used to launch various types of denial-of-service attacks, similar to those seen in other Mirai-based botnets.