Standard Application Layer Protocol
|Standard Application Layer Protocol|
|Tactic||Command and Control|
|Data Sources||Process use of network, Malware reverse engineering, Process monitoring, Network protocol analysis, Packet capture|
|Asset||Human-Machine Interface, Control Server, Data Historian, Engineering Workstation|
Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port.
Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network.
- HEXANE communicated with command and control over HTTP and DNS.1
- OilRig communicated with its command and control using HTTP requests.2
- BlackEnergy uses HTTP POST request to contact external command and control servers.3
- Stuxnet attempts to contact command and control servers over HTTP to send basic information about the computer it has compromised.4