Standard Application Layer Protocol

From attackics
Revision as of 18:00, 10 January 2020 by (username removed)
Technique
ID: T869
Tactic: Command and Control
Data Sources: Process use of network, Malware reverse engineering, Process monitoring, Network protocol analysis, Packet capture
Asset: Human-Machine Interface, Control Server, Data Historian, Engineering Workstation

Description

Adversaries may establish command and control over commonly used application layer protocols such as HTTP(S), OPC, RDP, Telnet, DNP3, and Modbus. Because these protocols are already present on the network, they let adversary traffic blend in with benign traffic. Standard protocols are usually seen on their associated port, but in some cases they are carried over a non-standard port.

Adversaries may use these protocols to reach out of the network for command and control, or in some cases to communicate with other infected devices within the network.
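As an added example (not part of the ATT&CK for ICS page), the following Python script shows one way to act on the data sources listed above (network protocol analysis, packet capture): it identifies HTTP, Modbus/TCP and DNS from the first bytes of a payload rather than from the port, and then flags flows where the protocol runs on a port other than its usual one or where it leaves the plant network. The flow records, the internal address ranges and the expected-port table are constructed assumptions; a real deployment would feed it flows from a capture tool and tune the tables per site.

```python
import ipaddress
import re

# Server ports normally associated with each protocol (assumed table; tune per site).
EXPECTED_PORTS = {"http": {80, 8080}, "modbus": {502}, "dns": {53}}

# Address ranges treated as the plant network (assumed; replace with real ranges).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def identify_protocol(payload: bytes):
    """Return 'http', 'modbus', 'dns' or None based on the start of a payload."""
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    # Modbus/TCP MBAP header: transaction id (2), protocol id (2, always 0),
    # length (2, counts unit id + PDU), unit id (1), then the function code (1).
    if len(payload) >= 8:
        proto_id = int.from_bytes(payload[2:4], "big")
        length = int.from_bytes(payload[4:6], "big")
        func = payload[7]
        if proto_id == 0 and length == len(payload) - 6 and 1 <= func <= 127:
            return "modbus"
    # DNS query: 12-byte header with QR bit clear, opcode 0 and QDCOUNT >= 1,
    # followed by at least one question.
    if len(payload) > 12:
        flags = int.from_bytes(payload[2:4], "big")
        qdcount = int.from_bytes(payload[4:6], "big")
        if (flags & 0x8000) == 0 and ((flags >> 11) & 0xF) == 0 and qdcount >= 1:
            return "dns"
    return None


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze_flow(flow: dict) -> list:
    """Return human-readable findings for one flow record, or [] if it looks normal."""
    findings = []
    proto = identify_protocol(flow["payload"])
    if proto is None:
        return findings
    if flow["dport"] not in EXPECTED_PORTS[proto]:
        findings.append(f"{proto} on non-standard port {flow['dport']}")
    if not is_internal(flow["dst"]):
        findings.append(f"{proto} from {flow['src']} to external host {flow['dst']}")
    return findings


# Constructed sample flows (not real captures): an HMI polling a PLC, an engineering
# workstation posting to an external web server, HTTP on an odd internal port, and
# an ordinary DNS query to the site resolver.
SAMPLE_FLOWS = [
    {"src": "10.0.1.5", "dst": "10.0.1.20", "dport": 502,
     "payload": b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"},
    {"src": "10.0.1.7", "dst": "203.0.113.10", "dport": 80,
     "payload": b"POST /gate.php HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\nid=ws7"},
    {"src": "10.0.1.7", "dst": "10.0.1.9", "dport": 4444,
     "payload": b"GET /update HTTP/1.0\r\n\r\n"},
    {"src": "10.0.1.5", "dst": "10.0.1.1", "dport": 53,
     "payload": b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01"},
]


def report(flows=SAMPLE_FLOWS) -> list:
    """Return (src, dst, dport, finding) tuples for every flow that raised a finding."""
    out = []
    for flow in flows:
        for finding in analyze_flow(flow):
            out.append((flow["src"], flow["dst"], flow["dport"], finding))
    return out


if __name__ == "__main__":
    for src, dst, dport, finding in report():
        print(f"{src} -> {dst}:{dport}: {finding}")
```

Run as-is, the script reports two of the four constructed flows: the HTTP POST from the engineering workstation to an external address, and the HTTP request to an internal host on port 4444. Modbus between the HMI and the PLC on port 502 and the DNS query to the local resolver produce no finding. Identifying the protocol from payload bytes is what catches the non-standard-port case that the description mentions; a port-only rule would miss it.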


Procedure Examples

  • HEXANE communicated with command and control over HTTP and DNS.[1]
  • OilRig communicated with its command and control using HTTP requests.[2]
  • BlackEnergy uses HTTP POST requests to contact external command and control servers.[3]
  • Stuxnet attempts to contact command and control servers over HTTP to send basic information about the computer it has compromised.[4]