Standard Application Layer Protocol

From attackics
Jump to navigation Jump to search
Standard Application Layer Protocol
ID T869
Tactic Command and Control
Data Sources Process use of network, Malware reverse engineering, Process monitoring, Network protocol analysis, Packet capture
Asset Human-Machine Interface, Control Server, Data Historian, Engineering Workstation


Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port.

Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network.

Procedure Examples

  • HEXANE communicated with command and control over HTTP and DNS.1
  • OilRig communicated with its command and control using HTTP requests.2
  • BlackEnergy uses HTTP POST request to contact external command and control servers.3
  • Stuxnet attempts to contact command and control servers over HTTP to send basic information about the computer it has compromised.4