Home
ATT&CK Techniques
T1071.001 Web Protocols

T1071.001 Web Protocols Mappings

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
CA-07	Continuous Monitoring	mitigates	T1071.001	Web Protocols
CM-06	Configuration Settings	mitigates	T1071.001	Web Protocols
SC-10	Network Disconnect	mitigates	T1071.001	Web Protocols
SC-37	Out-of-band Channels	mitigates	T1071.001	Web Protocols
SC-31	Covert Channel Analysis	mitigates	T1071.001	Web Protocols
SC-21	Secure Name/Address Resolution Service (Recursive or Caching Resolver)	mitigates	T1071.001	Web Protocols
SC-22	Architecture and Provisioning for Name/Address Resolution Service	mitigates	T1071.001	Web Protocols
SC-20	Secure Name/Address Resolution Service (Authoritative Source)	mitigates	T1071.001	Web Protocols
SC-23	Session Authenticity	mitigates	T1071.001	Web Protocols
SI-03	Malicious Code Protection	mitigates	T1071.001	Web Protocols
CM-02	Baseline Configuration	mitigates	T1071.001	Web Protocols
CM-07	Least Functionality	mitigates	T1071.001	Web Protocols
SI-04	System Monitoring	mitigates	T1071.001	Web Protocols
AC-04	Information Flow Enforcement	mitigates	T1071.001	Web Protocols
SC-07	Boundary Protection	mitigates	T1071.001	Web Protocols

VERIS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
action.hacking.variety.Other	Other	related-to	T1071.001	Web Protocols
action.hacking.vector.Command shell	Remote shell	related-to	T1071.001	Web Protocols
action.malware.vector.Email attachment	Email via user-executed attachment. Child of 'Email'	related-to	T1071.001	Web Protocols

GCP Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
chrome_enterprise_premium	Chrome Enterprise Premium	technique_scores	T1071.001	Web Protocols	Comments Chrome Enterprise Premium provides checks for sensitive data and protection from content that may contain malware. This also enables certain files to be sent for analysis, and in return the admin can then choose to allow or block uploads and downloads for those scanned and unscanned files. End users can also be prevented from accessing pages specified by a list of URL patterns. References ['https://cloud.google.com/beyondcorp-enterprise/docs/overview']
google_secops	Google Security Operations	technique_scores	T1071.001	Web Protocols	Comments Google Security Ops is able to trigger an alert based on system events of interest, for example: detection of the Sunburst C2 channel used as backdoor access in the SolarWinds compromise. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/dns/solarwinds_backdoor_c2_host_name_detected___via_dns.yaral References ['https://cloud.google.com/security/products/security-operations' 'https://cloud.google.com/chronicle/docs/secops/secops-overview' 'https://github.com/chronicle/detection-rules']

AWS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
amazon_guardduty	Amazon GuardDuty	technique_scores	T1071.001	Web Protocols	Comments GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection. UnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation References
aws_network_firewall	AWS Network Firewall	technique_scores	T1071.001	Web Protocols	Comments AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. As a result, this mapping is given a score of Significant. References
aws_web_application_firewall	AWS Web Application Firewall	technique_scores	T1071.001	Web Protocols	Comments AWS WAF protects against this by inspecting incoming requests and blocking malicious traffic. AWS WAF uses the following rule sets to provide this protection. AWSManagedRulesCommonRuleSet AWSManagedRulesAdminProtectionRuleSet AWSManagedRulesKnownBadInputsRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesLinuxRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet AWSManagedRulesBotControlRuleSet This is scored as Minimal because the rule sets only protect against the web protocols sub-technique. References