Application Layer Protocol: Web Protocols T1071.001
Tactic: Command & Control
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Events covered
13 catalog events are tagged with this technique by at least one rule.
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Sysmon | Event ID 3 | Network connection |
| Sysmon | Event ID 12 | RegistryEvent (Object create and delete) |
| Sysmon | Event ID 13 | RegistryEvent (Value Set) |
| Sysmon | Event ID 14 | RegistryEvent (Key and Value Rename) |
| Sysmon | Event ID 15 | FileCreateStreamHash |
| Sysmon | Event ID 22 | DNSEvent (DNS query) |
| Security-Auditing | Event ID 4688 | A new process has been created. |
| Security-Auditing | Event ID 5156 | The Windows Filtering Platform has permitted a connection. |
| Defender-DeviceEvents | any | Defender event (any) |
| ESF | exec | Process Execution (Notify) |
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
| Sysmon-for-Linux | Event ID 1 | Process Create |
Authoring guide
Patterns shared across the 107 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (97 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (1293 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Exclusions (316 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor.
Sigma 42 rules
- APT User Agent
- APT40 Dropbox Tool User Agent
- Axios NPM Compromise Malicious C2 Domain DNS Query
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD
- Chafer Malware URL Pattern
- Change User Agents with WebRequest
- Cloudflared Tunnels Related DNS Requests
- ComRAT Network Communication
- Crypto Miner User Agent
- Curl.EXE Execution With Custom UserAgent
- DNS Query Request By QuickAssist.EXE
- DNS Query To Devtunnels Domain
- DNS Query To Visual Studio Code Tunnels Domain
- Exploit Framework User Agent
- HackTool - BabyShark Agent Default URL Pattern
- HackTool - CobaltStrike Malleable Profile Patterns - Proxy
- HackTool - Empire UserAgent URI Combo
- HTTP Request With Empty User Agent
- Kalambur Backdoor Curl TOR SOCKS Proxy Execution
- Katz Stealer Suspicious User-Agent
- macOS HTTP Tools with Protocol Indicators
- Malware User Agent
- Outbound Network Connection Initiated By Microsoft Dialer
- Potential Base64 Encoded User-Agent
- PwnDrp Access
- Raw Paste Service Access
- Renamed Visual Studio Code Tunnel Execution
- Suspicious Base64 Encoded User-Agent
- Suspicious Curl Change User Agents - Linux
- Suspicious Installer Package Child Process
- Suspicious User Agent
- Telegram API Access
- Tunneling Tool Execution
- Ursnif Malware C2 URL Pattern
- Ursnif Malware Download URL Pattern
- Visual Studio Code Tunnel Execution
- Visual Studio Code Tunnel Service Installation
- Visual Studio Code Tunnel Shell Execution
- Wannacry Killswitch Domain
- Windows PowerShell User Agent
- Windows WebDAV User Agent
Elastic 30 rules
- Cobalt Strike Command and Control Beacon
- Connection to Commonly Abused Web Services
- Curl or Wget Spawned via Node.js
- Default Cobalt Strike Team Server Certificate
- Deprecated - SUNBURST Command and Control Activity
- DNS to Commonly Abused Web Services
- Execution via OpenClaw Agent
- File Download Detected via Defend for Containers
- GenAI Process Connection to Unusual Domain
- Git Repository or File Download to Suspicious Directory
- Halfbaked Command and Control Beacon
- Linux Telegram API Request
- Outlook Home Page Registry Modification
- Perl Outbound Network Connection
- Possible FIN7 DGA Command and Control Behavior
- Potential File Transfer via Certreq
- Potential File Transfer via Curl for Windows
- Simple HTTP Web Server Connection
- Simple HTTP Web Server Creation
- Suspicious Curl from macOS Application
- Suspicious Curl to Google App Script Endpoint
- Suspicious Execution from a WebDav Share
- Suspicious Installer Package Spawns Network Event
- Suspicious Interpreter Execution Detected via Defend for Containers
- Unusual Network Connection to Suspicious Top Level Domain
- Unusual Network Connection to Suspicious Web Service
- Unusual Network Connection via RunDLL32
- Unusual Network Destination Domain Name
- Unusual Web Request
- Unusual Web User Agent
Splunk 18 rules
- Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint
- Cisco Secure Firewall - Connection to File Sharing Domain
- Cisco Secure Firewall - High EVE Threat Confidence
- Cisco Secure Firewall - Wget or Curl Download
- Command and Control Detection (Windows Event Log)
- HTTP C2 Framework User Agent
- HTTP Duplicated Header
- HTTP Malware User Agent
- HTTP Possible Request Smuggling
- HTTP PUA User Agent
- HTTP Rapid POST with Mixed Status Codes
- HTTP Request to Reserved Name on IIS Server
- HTTP RMM User Agent
- HTTP Scripting Tool User Agent
- Unusual HTTP Download (Sysmon)
- Visual Studio Code Tunnel Execution (Sysmon)
- Visual Studio Code Tunnel Execution (Windows Event Log)
- Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script
Kusto 17 rules
- Beacon Traffic Based on Common User Agents Visiting Limited Number of Domains
- Cisco Cloud Security - Connection to Unpopular Website Detected
- Cisco Cloud Security - Crypto Miner User-Agent Detected
- Cisco Cloud Security - Rare User Agent Detected
- Cisco Cloud Security - Request Allowed to harmful/malicious URI category
- CloudNGFW By Palo Alto Networks - Threat signatures from Unusual IP addresses
- Detect presence of private IP addresses in URLs (ASIM Web Session)
- Discord CDN Risky File Download
- Discord CDN Risky File Download (ASIM Web Session Schema)
- IP address of Windows host encoded in web request
- Palo Alto Threat signatures from Unusual IP addresses
- Powershell Empire Cmdlets Executed in Command Line
- RunningRAT request parameters
- SlackAudit - Unknown User Agent
- The download of potentially risky files from the Discord Content Delivery Network (CDN) (ASIM Web Session)
- Web sites blocked by Eset
- Windows host username encoded in base64 web request