T1071: Application Layer Protocol

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

hacking_tools: PT-CR-2870: PhantomCore_Tools_Usage: Activity specific to the PhantomRAT remote access trojan or its loader PhantomDL. Signs of activity: DNS queries to domains to determine the public IP address, download of libraries for working with WMI and the network configuration, or child process start to obtain the user's domain from a double extension process. mitre_attck_command_and_control: PT-CR-2780: Subrule_DoublePulsar_Process_Access: A process accessed its child process after it was started mitre_attck_command_and_control: PT-CR-2781: DoublePulsar_Activity: Anonymous access to the IPC$ named pipe and loading of libraries specific to the DoublePulsar backdoor. Specific "knock" requests are sent to the backdoor in the form of access to the IPC$ resource. mitre_attck_command_and_control: PT-CR-2782: Subrule_DoublePulsar_IPC_Access: Remote connection to the IPC$ named pipe using an anonymous account and connection to the attacker's computer. This may indicate DoublePulsar backdoor activity. mitre_attck_command_and_control: PT-CR-2435: CC_Triangulation_Trojan: Targeted attack with the Triangulation Trojan. Sensitive information may leak from devices running the iOS operating system.

Subtechniques

Detection

IDDS0029Data source and componentNetwork Traffic: Network Traffic ContentDescription

Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

IDDS0029Data source and componentNetwork Traffic: Network Traffic FlowDescription

Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Mitigation

IDM1031NameNetwork Intrusion PreventionDescription

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

IDM1037NameFilter Network TrafficDescription

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.