Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Protocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1071.001 | Web Protocols |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1071.001 | Web Protocols |
Comments
This diagnostic statement protects against adversaries that may try to utilize different protocols, such as HTTPS and web socket, to blend in with existing traffic. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
References
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1071.001 | Web Protocols |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
References
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1071.001 | Web Protocols |
Comments
This diagnostic statement protects against Web Protocols through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Other | Other | related-to | T1071.001 | Web Protocols | |
| action.hacking.vector.Command shell | Remote shell | related-to | T1071.001 | Web Protocols | |
| action.malware.vector.Email attachment | Email via user-executed attachment. Child of 'Email' | related-to | T1071.001 | Web Protocols |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| alerts_for_azure_network_layer | Alerts for Azure Network Layer | technique_scores | T1071.001 | Web Protocols |
Comments
This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list.
References
|
| azure_web_application_firewall | Azure Web Application Firewall | technique_scores | T1071.001 | Web Protocols |
Comments
This control can detect protocol attacks targeting web applications that may be indicative of adversary activity.
References
|
| azure_web_application_firewall | Azure Web Application Firewall | technique_scores | T1071.001 | Web Protocols |
Comments
This control can protect web applications from protocol attacks that may be indicative of adversary activity.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| chrome_enterprise_premium | Chrome Enterprise Premium | technique_scores | T1071.001 | Web Protocols |
Comments
Chrome Enterprise Premium provides checks for sensitive data and protection from content that may contain malware. This also enables certain files to be sent for analysis, and in return the admin can then choose to allow or block uploads and downloads for those scanned and unscanned files. End users can also be prevented from accessing pages specified by a list of URL patterns.
References
|
| google_secops | Google Security Operations | technique_scores | T1071.001 | Web Protocols |
Comments
Google Security Ops is able to trigger an alert based on system events of interest, for example: detection of the Sunburst C2 channel used as backdoor access in the SolarWinds compromise.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/dns/solarwinds_backdoor_c2_host_name_detected___via_dns.yaral
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1071.001 | Web Protocols |
Comments
GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection.
UnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation
References
|
| aws_network_firewall | AWS Network Firewall | technique_scores | T1071.001 | Web Protocols |
Comments
AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. As a result, this mapping is given a score of Significant.
References
|
| aws_web_application_firewall | AWS Web Application Firewall | technique_scores | T1071.001 | Web Protocols |
Comments
AWS WAF protects against this by inspecting incoming requests and blocking malicious traffic. AWS WAF uses the following rule sets to provide this protection.
AWSManagedRulesCommonRuleSet AWSManagedRulesAdminProtectionRuleSet AWSManagedRulesKnownBadInputsRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesLinuxRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet AWSManagedRulesBotControlRuleSet
This is scored as Minimal because the rule sets only protect against the web protocols sub-technique.
References
|