T1071.001

Web Protocols

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have ...

Platforms: ESXi, Linux, macOS, Network Devices, Windows

74 Detections, 4 Sources, 56 Threat Actors

BY SOURCE

sigma: 31, elastic: 29, splunk_escu: 13, crowdstrike_cql: 1

PROCEDURES (45)

Auto-extracted tags, each with the number of detections it covers:

- Suspicious: 7 detections
- Network Connection Monitoring: 5 detections
- Dns: 4 detections
- Command And Control: 3 detections
- Api: 3 detections
- General Monitoring: 3 detections
- Remote: 2 detections
- Service: 2 detections
- Http: 2 detections
- Unusual: 2 detections
- Parent Process: 2 detections
- Http: 2 detections
- Credential: 2 detections
- Beacon: 2 detections
- Download: 2 detections
- Tunnel: 2 detections
- Http: 1 detection
- Encrypt: 1 detection
- Suspicious: 1 detection
- Download: 1 detection
- Bypass: 1 detection
- Remote: 1 detection
- Child Process: 1 detection
- Container: 1 detection
- Phish: 1 detection
- Email: 1 detection
- Exfiltrat: 1 detection
- Service: 1 detection
- Powershell: 1 detection
- Powershell: 1 detection
- Phish: 1 detection
- Encrypt: 1 detection
- Download: 1 detection
- Dns: 1 detection
- Command And Control: 1 detection
- Credential: 1 detection
- Container: 1 detection
- Download: 1 detection
- Bypass: 1 detection
- Suspicious: 1 detection
- C2: 1 detection
- Authentication Monitoring: 1 detection
- Inject: 1 detection
- Persist: 1 detection
- Suspicious: 1 detection

DETECTIONS (74)

- APT User Agent (sigma, high)
- Bitsadmin to Uncommon IP Server Address (sigma, high)
- Bitsadmin to Uncommon TLD (sigma, high)
- Change User Agents with WebRequest (sigma, medium)
- Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint (splunk_escu)
- Cisco Secure Firewall - Connection to File Sharing Domain (splunk_escu)
- Cisco Secure Firewall - High EVE Threat Confidence (splunk_escu)
- Cisco Secure Firewall - Wget or Curl Download (splunk_escu)
- Cloudflared Tunnels Related DNS Requests (sigma, medium)
- Cobalt Strike Command and Control Beacon (elastic, high)
- Connection to Commonly Abused Web Services (elastic, low)
- Crypto Miner User Agent (sigma, high)
- Curl or Wget Spawned via Node.js (elastic, medium)
- Default Cobalt Strike Team Server Certificate (elastic, high)
- Deprecated - SUNBURST Command and Control Activity (elastic, high)
- Detection of External Direct IP Usage in CommandLine Windows and Mac (crowdstrike_cql)
- DNS Query Request By QuickAssist.EXE (sigma, low)
- DNS Query To Devtunnels Domain (sigma, medium)
- DNS Query To Visual Studio Code Tunnels Domain (sigma, medium)
- Execution via OpenClaw Agent (elastic, medium)
- Exploit Framework User Agent (sigma, high)
- File Download Detected via Defend for Containers (elastic, medium)
- GenAI Process Connection to Unusual Domain (elastic, medium)
- Git Repository or File Download to Suspicious Directory (elastic, low)
- HackTool - BabyShark Agent Default URL Pattern (sigma, critical)
- HackTool - CobaltStrike Malleable Profile Patterns - Proxy (sigma, high)
- HackTool - Empire UserAgent URI Combo (sigma, high)
- Halfbaked Command and Control Beacon (elastic, high)
- HTTP C2 Framework User Agent (splunk_escu)
- HTTP Duplicated Header (splunk_escu)
- HTTP Malware User Agent (splunk_escu)
- HTTP Possible Request Smuggling (splunk_escu)
- HTTP PUA User Agent (splunk_escu)
- HTTP Rapid POST with Mixed Status Codes (splunk_escu)
- HTTP Request to Reserved Name on IIS Server (splunk_escu)
- HTTP Request With Empty User Agent (sigma, medium)
- HTTP RMM User Agent (splunk_escu)
- HTTP Scripting Tool User Agent (splunk_escu)
- Linux Telegram API Request (elastic, medium)
- Malware User Agent (sigma, high)
- Outbound Network Connection Initiated By Microsoft Dialer (sigma, high)
- Outlook Home Page Registry Modification (elastic, high)
- Perl Outbound Network Connection (elastic, medium)
- Possible FIN7 DGA Command and Control Behavior (elastic, high)
- Potential Base64 Encoded User-Agent (sigma, medium)
- Potential File Transfer via Certreq (elastic, medium)
- Potential File Transfer via Curl for Windows (elastic, low)
- PwnDrp Access (sigma, critical)
- Raw Paste Service Access (sigma, high)
- Renamed Visual Studio Code Tunnel Execution (sigma, high)
- Simple HTTP Web Server Connection (elastic, low)
- Simple HTTP Web Server Creation (elastic, low)
- Suspicious Base64 Encoded User-Agent (sigma, medium)
- Suspicious Curl Change User Agents - Linux (sigma, medium)
- Suspicious Curl from macOS Application (elastic, high)
- Suspicious Curl to Google App Script Endpoint (elastic, high)
- Suspicious Execution from a WebDav Share (elastic, high)
- Suspicious Installer Package Child Process (sigma, medium)
- Suspicious Installer Package Spawns Network Event (elastic, medium)
- Suspicious Interpreter Execution Detected via Defend for Containers (elastic, medium)
- Suspicious User Agent (sigma, high)
- Telegram API Access (sigma, medium)
- Unusual Network Connection to Suspicious Top Level Domain (elastic, medium)
- Unusual Network Connection to Suspicious Web Service (elastic, medium)
- Unusual Network Connection via RunDLL32 (elastic, medium)
- Unusual Network Destination Domain Name (elastic, low)
- Unusual Web Request (elastic, low)
- Unusual Web User Agent (elastic, low)
- Visual Studio Code Tunnel Execution (sigma, medium)
- Visual Studio Code Tunnel Service Installation (sigma, medium)
- Visual Studio Code Tunnel Shell Execution (sigma, medium)
- Wannacry Killswitch Domain (sigma, high)
- Windows PowerShell User Agent (sigma, medium)
- Windows WebDAV User Agent (sigma, high)