Applied Cybernetics Group
T1071 — Application Layer Protocol
- Technique: T1071
- Tactics: Command and Control
- MISP citations: 0
- KEV CVEs mapped: 1
- Community rules: 7
- thrunt rules: 0
- Upstream: https://attack.mitre.org/techniques/T1071
MITRE description
Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, DNS, or publishing/subscribing. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye Spy Email Nov 22)
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
Detection coverage
SigmaHQ community rules
- GALLIUM IOCs (emerging-threats)
- GALLIUM Artefacts - Builtin (emerging-threats)
- Suspicious Installer Package Child Process (core)
- HackTool - SILENTTRINITY Stager DLL Load (core)
- Github Self-Hosted Runner Execution (core)
- HackTool - SILENTTRINITY Stager Execution (core)
- Potentially Suspicious Rundll32.EXE Execution of UDL File (core)