Application Layer Protocol T1071

Tactic: Command & Control

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Events covered

30 catalog events are tagged with this technique by at least one rule.

Provider | Event | Title
Sysmon | Event ID 1 | Process creation
Sysmon | Event ID 3 | Network connection
Sysmon | Event ID 7 | Image loaded
Sysmon | Event ID 12 | RegistryEvent (Object create and delete)
Sysmon | Event ID 13 | RegistryEvent (Value Set)
Sysmon | Event ID 14 | RegistryEvent (Key and Value Rename)
Sysmon | Event ID 15 | FileCreateStreamHash
Sysmon | Event ID 17 | PipeEvent (Pipe Created)
Sysmon | Event ID 18 | PipeEvent (Pipe Connected)
Sysmon | Event ID 22 | DNSEvent (DNS query)
Security-Auditing | Event ID 4662 | An operation was performed on an object.
Security-Auditing | Event ID 4688 | A new process has been created.
Security-Auditing | Event ID 4698 | A scheduled task was created.
Security-Auditing | Event ID 5136 | A directory service object was modified.
Security-Auditing | Event ID 5137 | A directory service object was created.
Security-Auditing | Event ID 5152 | The Windows Filtering Platform blocked a packet.
Security-Auditing | Event ID 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
Security-Auditing | Event ID 5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
Security-Auditing | Event ID 5156 | The Windows Filtering Platform has permitted a connection.
Security-Auditing | Event ID 5157 | The Windows Filtering Platform has blocked a connection.
Security-Auditing | Event ID 5158 | The Windows Filtering Platform has permitted a bind to a local port.
Security-Auditing | Event ID 5159 | The Windows Filtering Platform has blocked a bind to a local port.
Defender-DeviceEvents | any | Defender event (any)
ESF | exec | Process Execution (Notify)
DNS-Client | Event ID 3008 | DNS query is completed for the name QueryName, type QueryType, query options QueryOptions with status QueryStatus Results QueryResults.
PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData.
PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal).
PowerShell | Event ID 800 | Event ID 800 (pipeline execution details)
Service-Control-Manager | Event ID 7045 | A service was installed in the system.
Sysmon-for-Linux | Event ID 1 | Process Create

Authoring guide

Patterns shared across the 388 rules tagged with this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (336 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
EventType | 66 | eq 49, in 21, ne 1 | exec, connection_attempted, ProcessRollup2, connection_accepted, exec_event
process_name | 59 | eq 27, in 21, wildcard 9, starts_with 8, is_not_null 5, match 3, ends_with 1, ne 1 | bash, csh, curl, busybox, dash
event.type | 54 | eq 54 | start, creation, connection, protocol
Active | 49 | eq 49 | true
ValidUntil | 47 | is_null 47, time_range 47 | (none)
IndicatorType | 45 | eq 24, in 21 | ipv4-addr, network-traffic, ipv6-addr, domain-name, url
host.os.type | 45 | eq 44, in 2 | (none)
Image | 35 | ends_with 21, starts_with 6, wildcard 5, eq 3, contains 2, is_not_null 2, in 1 | /dev/shm/, ./, /curl, /media/, /boot/
CommandLine | 33 | contains 22, regex_match 6, ends_with 3, match 3, is_not_null 2, wildcard 2 | (?i)ftp\s+(.{1,})?\-s\:.{1,}\.\w{2,5}, --user-agent , -a , (\s+\-[Nvw]+\s+\d+?.*?(((\d{1,3}\.){3}\d{1,3})|(\w?\wtps?..., --accept-server-license-terms
EventID | 30 | eq 23, in 5, regex_match 2 | 3, 1, 22, 17, 18
NetworkSourceIP | 22 | is_not_null 22 | (none)
EmailSourceIpAddress | 21 | is_not_null 21 | (none)
NetworkDestinationIP | 21 | is_not_null 21 | (none)
NetworkIP | 21 | is_not_null 21 | (none)
process.args | 21 | eq 12, in 7, wildcard 7, starts_with 5, contains 4, match 4, ends_with 1, ne 1 | --output, -c, -i, -l, *socat *

Top indicator values (3000 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
event.type | eq | start | 51 | 606
Active | eq | true | 49 | 68
EventType | eq | exec | 24 | 171
EventType | eq | connection_attempted | 10 | 25
IndicatorType | in | ipv4-addr | 21 | 21
IndicatorType | in | network-traffic | 21 | 21
IndicatorType | in | ipv6-addr | 20 | 20
EventType | in | exec | 11 | 171
EventType | in | connection_attempted | 8 | 12
EventType | in | start | 8 | 134
IndicatorType | eq | domain-name | 10 | 11
IndicatorType | eq | url | 10 | 11
IsActive | eq | true | 10 | 17
process_name | in | bash | 10 | 88
process_name | in | sh | 10 | 83
process_name | in | zsh | 10 | 82
process_name | in | csh | 9 | 71
process_name | in | dash | 9 | 78
process_name | in | fish | 9 | 72
process_name | in | ksh | 9 | 73
process_name | in | tcsh | 9 | 69
ObservableKey | eq | ipv4-addr:value | 8 | 9
SourceSystem | eq | Lumen | 8 | 8
DeviceProduct | eq | X Series | 7 | 7
DeviceVendor | eq | Vectra Networks | 7 | 7
EventID | eq | 3 | 7 | 21
tld | eq | list_tlds | 7 | 7
CommonSecurityLog_TimeGenerated | lt | ExpirationDateTime | 6 | 7
CommonSecurityLog_TimeGenerated | lt | ValidUntil | 6 | 7
DeviceEventClassID | eq | url | 6 | 6

Exclusions (765 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
TI_ipEntity | cidr_match | 10.0.0.0/8 | 34
TI_ipEntity | cidr_match | 127.0.0.0/8 | 34
TI_ipEntity | cidr_match | 169.254.0.0/16 | 34
TI_ipEntity | cidr_match | 172.16.0.0/12 | 34
TI_ipEntity | cidr_match | 192.168.0.0/16 | 34
TI_ipEntity | starts_with | 127. | 34
TI_ipEntity | starts_with | :: | 34
TI_ipEntity | starts_with | fe80 | 34
dest_ip | cidr_match | 127.0.0.0/8 | 26
dest_ip | cidr_match | 169.254.0.0/16 | 26
dest_ip | cidr_match | 10.0.0.0/8 | 20
dest_ip | cidr_match | 172.16.0.0/12 | 20
dest_ip | cidr_match | 192.168.0.0/16 | 20
Description | contains | State: falsepos; | 21
Description | contains | State: inactive; | 21
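The fields, indicator values and exclusions above are presented separately. The Python below is an added example (not catalog code and not any vendor's rule) that composes them into one rule: three of the page's own sample values (the ftp -s: regex, curl with --user-agent, execution from /dev/shm/) as process indicators, a join to the Sysmon network-connection event so that the noisy process-start signal the corpus-reach note warns about never alerts by itself, and the private, loopback and link-local exclusions from the table above. Field names follow Sysmon; the ::1/128 and fe80::/10 rendering of the page's "::" and "fe80" prefixes is an assumption, and the sample events are constructed for the example.

```python
"""Toy T1071 rule over constructed Sysmon-style events (added example).

Composes the page's sample values: process indicators from the
Image/CommandLine rows, a join to Sysmon Event ID 3, and the
private/loopback/link-local exclusions. Field names follow Sysmon;
the events at the bottom are constructed, not captured data.
"""
from __future__ import annotations

import ipaddress
import re

# Exclusions table entries rendered as CIDRs. The page's starts_with
# "::" and "fe80" prefixes are approximated by ::1/128 and fe80::/10
# (assumption about what those rules intend to suppress).
EXCLUDED_NETWORKS = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fe80::/10",
)]

# CommandLine regex_match sample value from the fields table: ftp driven
# by a script file (ftp -s:commands.txt), a scripted transfer channel.
FTP_SCRIPT_RE = re.compile(r"(?i)ftp\s+(.{1,})?\-s\:.{1,}\.\w{2,5}")


def is_excluded(ip: str) -> bool:
    """True when ip falls in a range the community rules filter out."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable address: suppress rather than alert on junk
    return any(addr in net for net in EXCLUDED_NETWORKS)


def process_indicator(ev: dict) -> str | None:
    """Label the indicator a process-creation event matches, or None."""
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    if FTP_SCRIPT_RE.search(cmd):
        return "ftp_script_file"
    # Image ends_with /curl plus CommandLine contains "--user-agent ".
    # Linux paths only; a Windows curl.exe would need its own pattern.
    if image.endswith("/curl") and "--user-agent " in cmd:
        return "curl_custom_user_agent"
    if image.startswith("/dev/shm/"):  # Image starts_with sample value
        return "exec_from_dev_shm"
    return None


def detect(events: list[dict]) -> list[dict]:
    """Alert only when a flagged process (EID 1) later connects (EID 3)
    to a non-excluded destination. Sysmon emits EID 1 before any EID 3
    for the same ProcessGuid, so one forward pass is enough."""
    flagged: dict[str, tuple[str, str]] = {}  # ProcessGuid -> (indicator, Image)
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            label = process_indicator(ev)
            if label:
                flagged[ev["ProcessGuid"]] = (label, ev["Image"])
        elif ev["EventID"] == 3:
            hit = flagged.get(ev["ProcessGuid"])
            if hit and not is_excluded(ev["DestinationIp"]):
                alerts.append({
                    "ProcessGuid": ev["ProcessGuid"],
                    "indicator": hit[0],
                    "image": hit[1],
                    "dest": f"{ev['DestinationIp']}:{ev['DestinationPort']}",
                })
    return alerts


# Constructed events, one per outcome the rule must get right.
SAMPLE_EVENTS = [
    # A: curl with a custom UA to an internal mirror; the indicator fires
    #    but the RFC 1918 destination is excluded, so no alert.
    {"EventID": 1, "ProcessGuid": "A", "Image": "/usr/bin/curl",
     "CommandLine": "curl --user-agent apt-mirror http://10.0.0.5/x.deb"},
    {"EventID": 3, "ProcessGuid": "A", "DestinationIp": "10.0.0.5",
     "DestinationPort": 80},
    # B: scripted ftp to an external host: alert.
    {"EventID": 1, "ProcessGuid": "B",
     "Image": "C:\\Windows\\System32\\ftp.exe",
     "CommandLine": "ftp -s:C:\\Users\\Public\\cmd.txt 203.0.113.7"},
    {"EventID": 3, "ProcessGuid": "B", "DestinationIp": "203.0.113.7",
     "DestinationPort": 21},
    # C: binary run from /dev/shm that only talks to loopback: excluded.
    {"EventID": 1, "ProcessGuid": "C", "Image": "/dev/shm/.x/agent",
     "CommandLine": "/dev/shm/.x/agent"},
    {"EventID": 3, "ProcessGuid": "C", "DestinationIp": "::1",
     "DestinationPort": 8080},
    # D: external connection from a process no indicator flagged: no alert.
    {"EventID": 3, "ProcessGuid": "D", "DestinationIp": "198.51.100.9",
     "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone it prints a single alert, for process B. Swapping the exclusion list for the TI_ipEntity variant (same CIDRs, plus the 127. prefix) or adding the DNS-query event (Sysmon Event ID 22) as a second join key are the natural next steps a rule author would take from the tables above.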

Rules under this technique

Every rule in the catalog tagged with this technique, counted by vendor.


Sigma 69 rules

Elastic 95 rules

Splunk 43 rules

Kusto 174 rules

YARA-L 2 rules

Panther 5 rules