T1071.001 — Web Protocols

Technique

T1071.001

Tactics

Command and Control

MISP citations

0

KEV CVEs mapped

10

Community rules

41

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1071/001

MITRE description

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2024-4978
• CVE-2024-4577
• CVE-2023-38035
• CVE-2023-26360
• CVE-2022-42475
• CVE-2021-40449
• CVE-2021-35394
• CVE-2015-5119
• CVE-2015-3113
• CVE-2009-4324

Detection coverage

SigmaHQ community rules

• Chafer Malware URL Pattern (emerging-threats)
• Ursnif Malware C2 URL Pattern (emerging-threats)
• Ursnif Malware Download URL Pattern (emerging-threats)
• APT40 Dropbox Tool User Agent (emerging-threats)
• ComRAT Network Communication (emerging-threats)
• Katz Stealer Suspicious User-Agent (emerging-threats)
• Kalambur Backdoor Curl TOR SOCKS Proxy Execution (emerging-threats)
• Axios NPM Compromise Malicious C2 Domain DNS Query (emerging-threats)
• Curl.EXE Execution With Custom UserAgent (threat-hunting)
• Tunneling Tool Execution (threat-hunting)
• Suspicious Curl Change User Agents - Linux (core)
• Suspicious Installer Package Child Process (core)
• Wannacry Killswitch Domain (core)
• Windows WebDAV User Agent (core)
• HackTool - BabyShark Agent Default URL Pattern (core)
• HackTool - CobaltStrike Malleable Profile Patterns - Proxy (core)
• HackTool - Empire UserAgent URI Combo (core)
• PwnDrp Access (core)
• Raw Paste Service Access (core)
• Telegram API Access (core)
• APT User Agent (core)
• Suspicious Base64 Encoded User-Agent (core)
• Bitsadmin to Uncommon IP Server Address (core)
• Bitsadmin to Uncommon TLD (core)
• Crypto Miner User Agent (core)

Showing 25 of 41 community rules — the full set is tagged attack.t1071.001 in SigmaHQ.

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.