T1071

Application Layer Protocol

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, DNS, or publishing/subscribing. For connections that occur internally within an enc...

Platforms: Linux, macOS, Windows, Network Devices, ESXi

100 Detections | 3 Sources | 5 Threat Actors

BY SOURCE

elastic: 90 | sigma: 5 | splunk_escu: 5

PROCEDURES (55)

All groups below are auto-extracted; the number is the count of detections in the group.

Command And Control: 6 detections
Network Connection Monitoring: 5 detections
Service: 4 detections
Parent Process: 3 detections
Dns: 3 detections
Suspicious: 3 detections
Container: 3 detections
Beacon: 3 detections
Remote: 3 detections
Process Creation Monitoring: 3 detections
Bypass: 3 detections
Email: 3 detections
Named Pipe: 3 detections
Unusual: 3 detections
C2: 2 detections
Download: 2 detections
Remote: 2 detections
Suspicious: 2 detections
Http: 2 detections
Credential: 2 detections
Privilege: 2 detections
Spray: 2 detections
Dns: 2 detections
Lateral: 2 detections
Container: 2 detections
Exfiltrat: 1 detection
Email: 1 detection
Remote: 1 detection
Suspicious: 1 detection
Inject: 1 detection
Privilege: 1 detection
Lateral: 1 detection
Download: 1 detection
Tunnel: 1 detection
Container: 1 detection
Child Process: 1 detection
Phish: 1 detection
Credential: 1 detection
Download: 1 detection
Module Load Monitoring: 1 detection
Command And Control: 1 detection
Dns: 1 detection
Persist: 1 detection
Command And Control: 1 detection
Persist: 1 detection
Container: 1 detection
Http: 1 detection
Http: 1 detection
Tunnel: 1 detection
Privilege: 1 detection
Beacon: 1 detection
Download: 1 detection
Remote: 1 detection
Child Process: 1 detection
Child Process: 1 detection

DETECTIONS (100)

Each entry is listed as: name (source, severity). splunk_escu entries carry no severity on this page.

Accepted Default Telnet Port Connection (elastic, medium)
Apple Script Execution followed by Network Connection (elastic, medium)
Cisco Secure Firewall - High Priority Intrusion Classification (splunk_escu)
Cisco Secure Firewall - High Volume of Intrusion Events Per Host (splunk_escu)
Cobalt Strike Command and Control Beacon (elastic, high)
Connection to Commonly Abused Web Services (elastic, low)
Connection to External Network via Telnet (elastic, medium)
Curl or Wget Spawned via Node.js (elastic, medium)
Default Cobalt Strike Team Server Certificate (elastic, high)
Deprecated - SUNBURST Command and Control Activity (elastic, high)
DNS Tunneling (elastic, low)
Egress Connection from Entrypoint in Container (elastic, medium)
Entra ID Protection - Risk Detection - Sign-in Risk (elastic, high)
Entra ID Protection - Risk Detection - User Risk (elastic, high)
Execution via OpenClaw Agent (elastic, medium)
File Creation and Execution Detected via Defend for Containers (elastic, medium)
File Download Detected via Defend for Containers (elastic, medium)
GenAI Process Connection to Suspicious Top Level Domain (elastic, medium)
GenAI Process Connection to Unusual Domain (elastic, medium)
Git Hook Egress Network Connection (elastic, medium)
Git Repository or File Download to Suspicious Directory (elastic, low)
Github Self-Hosted Runner Execution (sigma, medium)
HackTool - SILENTTRINITY Stager DLL Load (sigma, high)
HackTool - SILENTTRINITY Stager Execution (sigma, high)
Halfbaked Command and Control Beacon (elastic, high)
High Number of Egress Network Connections from Unusual Executable (elastic, medium)
Linux Telegram API Request (elastic, medium)
Machine Learning Detected a DNS Request Predicted to be a DGA Domain (elastic, low)
Machine Learning Detected a DNS Request With a High DGA Probability Score (elastic, low)
Machine Learning Detected DGA activity using a known SUNBURST DNS domain (elastic, high)
MsBuild Making Network Connections (elastic, medium)
Network Activity to a Suspicious Top Level Domain (elastic, high)
Network Connection from Binary with RWX Memory Region (elastic, medium)
Network Connection via Compiled HTML File (elastic, low)
Network Connection via Recently Compiled Executable (elastic, medium)
Network Traffic to Rare Destination Country (elastic, low)
Openssl Client or Server Activity (elastic, medium)
Outlook Home Page Registry Modification (elastic, high)
PANW and Elastic Defend - Command and Control Correlation (elastic, medium)
Payload Execution via Shell Pipe Detected by Defend for Containers (elastic, medium)
Perl Outbound Network Connection (elastic, medium)
Possible FIN7 DGA Command and Control Behavior (elastic, high)
Potential Command and Control via Internet Explorer (elastic, medium)
Potential DGA Activity (elastic, low)
Potential DNS Tunneling via NsLookup (elastic, medium)
Potential File Transfer via Certreq (elastic, medium)
Potential File Transfer via Curl for Windows (elastic, low)
Potential Linux Tunneling and/or Port Forwarding (elastic, medium)
Potential Malware-Driven SSH Brute Force Attempt (elastic, medium)
Potential Meterpreter Reverse Shell (elastic, high)
Potential Reverse Shell (elastic, high)
Potential Reverse Shell via Background Process (elastic, high)
Potential Reverse Shell via Child (elastic, high)
Potential Reverse Shell via Java (elastic, medium)
Potential Reverse Shell via Suspicious Binary (elastic, high)
Potential Reverse Shell via Suspicious Child Process (elastic, high)
Potential Reverse Shell via UDP (elastic, medium)
Potentially Suspicious Rundll32.EXE Execution of UDL File (sigma, medium)
Root Network Connection via GDB CAP_SYS_PTRACE (elastic, medium)
Simple HTTP Web Server Connection (elastic, low)
Simple HTTP Web Server Creation (elastic, low)
SMTP on Port 26/TCP (elastic, low)
Spike in Firewall Denies (elastic, low)
Spike in host-based traffic (elastic, low)
Spike in Network Traffic To a Country (elastic, low)
Statistical Model Detected C2 Beaconing Activity (elastic, low)
Statistical Model Detected C2 Beaconing Activity with High Confidence (elastic, low)
Suricata and Elastic Defend Network Correlation (elastic, medium)
Suspicious Command Prompt Network Connection (elastic, low)
Suspicious Curl from macOS Application (elastic, high)
Suspicious Curl to Google App Script Endpoint (elastic, high)
Suspicious Execution from a WebDav Share (elastic, high)
Suspicious Installer Package Child Process (sigma, medium)
Suspicious Installer Package Spawns Network Event (elastic, medium)
Suspicious Interpreter Execution Detected via Defend for Containers (elastic, medium)
Suspicious Named Pipe Creation (elastic, high)
Suspicious Network Activity to the Internet by Previously Unknown Executable (elastic, low)
Suspicious Process Execution Detected via Defend for Containers (elastic, high)
System Path File Creation and Execution Detected via Defend for Containers (elastic, medium)
System Public IP Discovery via DNS Query (elastic, high)
Uncommon Destination Port Connection by Web Server (elastic, low)
Unusual Command Execution from Web Server Parent (elastic, low)
Unusual DNS Activity (elastic, low)
Unusual Linux Network Activity (elastic, low)
Unusual Linux Network Port Activity (elastic, low)
Unusual Network Connection to Suspicious Top Level Domain (elastic, medium)
Unusual Network Connection to Suspicious Web Service (elastic, medium)
Unusual Network Connection via DllHost (elastic, medium)
Unusual Network Connection via RunDLL32 (elastic, medium)
Unusual Network Destination Domain Name (elastic, low)
Unusual Process Spawned from Web Server Parent (elastic, low)
Unusual Web Request (elastic, low)
Unusual Web Server Command Execution (elastic, medium)
Unusual Web User Agent (elastic, low)
Unusual Windows Network Activity (elastic, low)
Web Server Exploitation Detected via Defend for Containers (elastic, high)
Web Server Potential Command Injection Request (elastic, low)
Windows App Layer Protocol Qakbot NamedPipe (splunk_escu)
Windows App Layer Protocol Wermgr Connect To NamedPipe (splunk_escu)
Windows Application Layer Protocol RMS Radmin Tool Namedpipe (splunk_escu)