Home
ATT&CK Techniques
T1071 Application Layer Protocol

T1071 Application Layer Protocol Mappings

Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.

View in MITRE ATT&CK®

Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
AC-4	Information Flow Enforcement	Protects	T1071	Application Layer Protocol
CA-7	Continuous Monitoring	Protects	T1071	Application Layer Protocol
CM-2	Baseline Configuration	Protects	T1071	Application Layer Protocol
CM-6	Configuration Settings	Protects	T1071	Application Layer Protocol
CM-7	Least Functionality	Protects	T1071	Application Layer Protocol
SC-10	Network Disconnect	Protects	T1071	Application Layer Protocol
SC-20	Secure Name/address Resolution Service (authoritative Source)	Protects	T1071	Application Layer Protocol
SC-21	Secure Name/address Resolution Service (recursive or Caching Resolver)	Protects	T1071	Application Layer Protocol
SC-22	Architecture and Provisioning for Name/address Resolution Service	Protects	T1071	Application Layer Protocol
SC-23	Session Authenticity	Protects	T1071	Application Layer Protocol
SC-31	Covert Channel Analysis	Protects	T1071	Application Layer Protocol
SC-37	Out-of-band Channels	Protects	T1071	Application Layer Protocol
SC-7	Boundary Protection	Protects	T1071	Application Layer Protocol
SI-3	Malicious Code Protection	Protects	T1071	Application Layer Protocol
SI-4	System Monitoring	Protects	T1071	Application Layer Protocol
azure_sentinel	Azure Sentinel	technique_scores	T1071	Application Layer Protocol	Comments The Azure Sentinel Analytics "Malformed user agent" query can detect potential C2 or C2 agent activity. This control provides minimal to partial coverage for a minority of this technique's sub-techniques and only some of its procedure examples, resulting in an overall score of Minimal. References https://docs.microsoft.com/en-us/azure/sentinel/overview https://docs.microsoft.com/en-us/azure/sentinel/hunting
microsoft_defender_for_identity	Microsoft Defender for Identity	technique_scores	T1071	Application Layer Protocol	Comments This control provides Partial detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score. References https://docs.microsoft.com/en-us/defender-for-identity/what-is
azure_policy	Azure Policy	technique_scores	T1071	Application Layer Protocol	Comments References https://docs.microsoft.com/en-us/azure/governance/policy/overview https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir
azure_alerts_for_network_layer	Azure Alerts for Network Layer	technique_scores	T1071	Application Layer Protocol	Comments This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on block list. References https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurenetlayer
cloud_app_security_policies	Cloud App Security Policies	technique_scores	T1071	Application Layer Protocol	Comments This control can identify some evidence of potential C2 via a specific application layer protocol (mail). Relevant alerts include "Suspicious inbox forwarding" and "Suspicious inbox manipulation rule". References https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts
azure_web_application_firewall	Azure Web Application Firewall	technique_scores	T1071	Application Layer Protocol	Comments This control can protect against one of the sub-techniques of this technique while not providing protection for the remaining, resulting in a Minimal overall score. References https://docs.microsoft.com/en-us/azure/web-application-firewall/overview
azure_web_application_firewall	Azure Web Application Firewall	technique_scores	T1071	Application Layer Protocol	Comments This control can detect one of the sub-techniques of this technique while not providing detection for the remaining, resulting in a Minimal overall score. References https://docs.microsoft.com/en-us/azure/web-application-firewall/overview
azure_dns_analytics	Azure DNS Analytics	technique_scores	T1071	Application Layer Protocol	Comments This control can be used forensically to identify clients that communicated with identified C2 hosts via DNS. References https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics
alerts_for_dns	Alerts for DNS	technique_scores	T1071	Application Layer Protocol	Comments Can detect potential DNS protocol misuse/anomalies. Technique coverage is restricted to DNS and therefore results in a Minimal score. References https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns
azure_network_traffic_analytics	Azure Network Traffic Analytics	technique_scores	T1071	Application Layer Protocol	Comments This control can identify anomalous traffic with respect to NSG and application layer protocols. References https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics

ATT&CK Subtechniques

Technique ID	Technique Name	Number of Mappings
T1071.004	DNS	25
T1071.002	File Transfer Protocols	17
T1071.003	Mail Protocols	18
T1071.001	Web Protocols	19