Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Protocols such as HTTP and HTTPS that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-4 | Information Flow Enforcement | Protects | T1071.001 | Web Protocols | |
CA-7 | Continuous Monitoring | Protects | T1071.001 | Web Protocols | |
CM-2 | Baseline Configuration | Protects | T1071.001 | Web Protocols | |
CM-6 | Configuration Settings | Protects | T1071.001 | Web Protocols | |
CM-7 | Least Functionality | Protects | T1071.001 | Web Protocols | |
SC-10 | Network Disconnect | Protects | T1071.001 | Web Protocols | |
SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | Protects | T1071.001 | Web Protocols | |
SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | Protects | T1071.001 | Web Protocols | |
SC-22 | Architecture and Provisioning for Name/Address Resolution Service | Protects | T1071.001 | Web Protocols | |
SC-23 | Session Authenticity | Protects | T1071.001 | Web Protocols | |
SC-31 | Covert Channel Analysis | Protects | T1071.001 | Web Protocols | |
SC-37 | Out-of-band Channels | Protects | T1071.001 | Web Protocols | |
SC-7 | Boundary Protection | Protects | T1071.001 | Web Protocols | |
SI-3 | Malicious Code Protection | Protects | T1071.001 | Web Protocols | |
SI-4 | System Monitoring | Protects | T1071.001 | Web Protocols | |
azure_sentinel | Azure Sentinel | technique_scores | T1071.001 | Web Protocols | Comments: The following Azure Sentinel Analytics queries can identify potentially malicious use of web protocols. "Powershell Empire cmdlets seen in command line" can identify use of Empire, which can perform command and control over protocols like HTTP and HTTPS. "Request for single resource on domain" can identify patterns that suggest possible command and control beaconing. The coverage for these queries is minimal, resulting in an overall Minimal score. References: none listed. |
azure_alerts_for_network_layer | Azure Alerts for Network Layer | technique_scores | T1071.001 | Web Protocols | Comments: This control can identify connections to known malicious sites. Scored Minimal since the malicious sites must be on a block list. References: none listed. |
azure_web_application_firewall | Azure Web Application Firewall | technique_scores | T1071.001 | Web Protocols | Comments: This control can protect web applications from protocol attacks that may be indicative of adversary activity. References: none listed. |
azure_web_application_firewall | Azure Web Application Firewall | technique_scores | T1071.001 | Web Protocols | Comments: This control can detect protocol attacks targeting web applications that may be indicative of adversary activity. References: none listed. |