1. Home
  2. ATT&CK Techniques
  3. T1071 Application Layer Protocol

T1071 Application Layer Protocol Mappings

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye Spy Email Nov 22)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
intel-tdt Intel Threat Detection Technology CrowdStrike AMS T1071 Application Layer Protocol
Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of Application Layer Protocol (ALP) attacks. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact. Application Layer Protocol (ALP) attacks exploit vulnerabilities in protocols like HTTP, HTTPS, DNS, or SMB to manipulate network traffic or gain unauthorized access to systems. Intel TDT plays a crucial role in identifying these attacks by providing real-time telemetry on program execution, memory access, and control flow, enabling quick detection of abnormal behaviors within application protocols that could signal an ongoing attack. Additionally, CAMS offloads the memory scanning workload from the CPU to the Intel Integrated GPU, allowing for faster, more efficient detection of malicious activity without degrading system performance. CAMS helps identify suspicious behaviors, including code execution that targets application layer protocols or masquerades as legitimate processes.
References
  1. https://attack.mitre.org/techniques/T1204/002/
  2. https://www.crowdstrike.com/en-us/blog/falcon-enhances-fileless-attack-detection-with-accelerated-memory-scanning/
  3. https://www.intel.com/content/www/us/en/it-management/intel-it-best-practices/advancing-intels-security-posture-with-crowdstrike.html
  4. https://www.intel.com/content/dam/www/central-libraries/us/en/documents/2022-09/intel-crowdstrike-solution-brief.pdf