# T1071.001 Web Protocols

-----------------------------------------------------------------------

## Technique Description

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. 

Protocols such as HTTP and HTTPS that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. 

## Technique Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)

Monitor for web traffic to/from known-bad or suspicious domains. 

-----------------------------------------------------------------------

### Tactics:

  *   Command-And-Control

### Platforms:

  * Linux

  * macOS

  * Windows

### Data Sources:

  * **Network Traffic:** Network Traffic Content

  * **Network Traffic:** Network Traffic Flow

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Confucius | [Confucius](https://attack.mitre.org/groups/G0142) has used HTTP for C2 communications.(Citation: Uptycs Confucius APT Jan 2021)| 
| TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has used the curl command to send credentials over HTTP and download new software.(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020) [TeamTNT](https://attack.mitre.org/groups/G0139) has also used a custom user agent HTTP header in shell scripts.(Citation: Trend Micro TeamTNT)| 
| Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has communicated with its C2 via HTTP POST requests.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Recorded Future REDDELTA July 2020)(Citation: McAfee Dianxun March 2021)| 
| TA551 | [TA551](https://attack.mitre.org/groups/G0127) has used HTTP for C2 communications.(Citation: Unit 42 Valak July 2020)| 
| Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) used HTTP and HTTPS to send data back to its C2 server.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)| 
| HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has used open-source C2 frameworks, including Covenant.(Citation: Microsoft HAFNIUM March 2020)| 
| Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has used HTTP in C2 communications.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)| 
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) used HTTP for C2 and data exfiltration.(Citation: Volexity SolarWinds)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used HTTPS for C2 communications.(Citation: NCC Group Chimera January 2021)| 
| Windshift | [Windshift](https://attack.mitre.org/groups/G0112) has used tools that communicate with C2 over HTTP.(Citation: BlackBerry Bahamut)| 
| Rocke | [Rocke](https://attack.mitre.org/groups/G0106) has executed wget and curl commands to Pastebin over the HTTPS protocol.(Citation: Anomali Rocke March 2019)| 
| Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used HTTP for network communications.(Citation: CrowdStrike Grim Spider May 2019)| 
| Inception | [Inception](https://attack.mitre.org/groups/G0100) has used HTTP, HTTPS, and WebDav in network communications.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Unit 42 Inception November 2018)| 
| APT41 | [APT41](https://attack.mitre.org/groups/G0096) used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.(Citation: FireEye APT41 March 2020) | 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used HTTP GET and POST requests for C2.(Citation: Talos Kimsuky Nov 2021)| 
| TA505 | [TA505](https://attack.mitre.org/groups/G0092) has used HTTP to communicate with C2 nodes.(Citation: IBM TA505 April 2020)| 
| WIRTE | [WIRTE](https://attack.mitre.org/groups/G0090) has used HTTP for network communication.(Citation: Lab52 WIRTE Apr 2019)	| 
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used HTTP in communications with C2.(Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020)| 
| FIN4 | [FIN4](https://attack.mitre.org/groups/G0085) has used HTTP POST requests to transmit data.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)| 
| SilverTerrier | [SilverTerrier](https://attack.mitre.org/groups/G0083) uses HTTP for C2 communications.(Citation: Unit42 SilverTerrier 2018)	| 
| APT38 | [APT38](https://attack.mitre.org/groups/G0082) used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS.(Citation: FireEye APT38 Oct 2018)| 
| Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has used HTTP in communication with the C2.(Citation: Anomali Pirate Panda April 2020)(Citation: TrendMicro Tropic Trooper May 2020)| 
| Orangeworm | [Orangeworm](https://attack.mitre.org/groups/G0071) has used HTTP for C2.(Citation: Symantec Orangeworm IOCs April 2018)| 
| Rancor | [Rancor](https://attack.mitre.org/groups/G0075) has used HTTP for C2.(Citation: Rancor Unit42 June 2018)| 
| Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) has used HTTPS for C2.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)| 
| APT19 | [APT19](https://attack.mitre.org/groups/G0073) used HTTP for C2 communications. [APT19](https://attack.mitre.org/groups/G0073) also used an HTTP malware variant to communicate over HTTP for C2.(Citation: FireEye APT19)(Citation: Unit 42 C0d0so0 Jan 2016)| 
| Dark Caracal | [Dark Caracal](https://attack.mitre.org/groups/G0070)'s version of [Bandook](https://attack.mitre.org/software/S0234) communicates with their server over a TCP port using HTTP payloads Base64 encoded and suffixed with the string “&&&”.(Citation: Lookout Dark Caracal Jan 2018)| 
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used HTTP for C2 communications.(Citation: ClearSky MuddyWater June 2019)(Citation: Trend Micro Muddy Water March 2021)| 
| APT33 | [APT33](https://attack.mitre.org/groups/G0064) has used HTTP for command and control.(Citation: Symantec Elfin Mar 2019)| 
| APT37 | [APT37](https://attack.mitre.org/groups/G0067) uses HTTPS to conceal C2 communications.(Citation: Talos Group123)| 
| FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has used HTTPS for command and control.(Citation: Bitdefender FIN8 July 2021)| 
| Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) malware has used HTTP for C2.(Citation: Unit 42 Magic Hound Feb 2017)| 
| BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) malware has used HTTP for C2.(Citation: Secureworks BRONZE BUTLER Oct 2017)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050) has used JavaScript that communicates over HTTP or HTTPS to attacker controlled domains to download additional frameworks. The group has also used downloaded encrypted payloads over HTTP.(Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Cobalt Kitty 2017)| 
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used HTTP for C2.(Citation: Unit 42 Playbook Dec 2017)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT34 July 2019)| 
| Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used HTTP and HTTPS for C2 communications.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: CERT-EE Gamaredon January 2021)(Citation: Unit 42 Gamaredon February 2022)| 
| Stealth Falcon | [Stealth Falcon](https://attack.mitre.org/groups/G0038) malware communicates with its C2 server via HTTPS.(Citation: Citizen Lab Stealth Falcon May 2016)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034)'s BCS-server tool connects to the designated C2 server via HTTP.(Citation: ESET Telebots Dec 2016)	| 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has conducted C2 over HTTP and HTTPS.(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)(Citation: ESET Twitter Ida Pro Nov 2021)| 
| Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) malware has used HTTP for C2.(Citation: Securelist LuckyMouse June 2018)| 
| APT18 | [APT18](https://attack.mitre.org/groups/G0026) uses HTTP for C2 communications.(Citation: PaloAlto DNS Requests May 2016)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used HTTP for C2 and data exfiltration.(Citation: Volexity SolarWinds)| 
| Night Dragon | [Night Dragon](https://attack.mitre.org/groups/G0014) has used HTTP for C2.(Citation: McAfee Night Dragon)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) has used HTTP and HTTPS for C2 communications.(Citation: ESET Turla Mosquito Jan 2018)(Citation: ESET Turla Mosquito May 2018)| 
| APT28 | Later implants used by [APT28](https://attack.mitre.org/groups/G0007), such as [CHOPSTICK](https://attack.mitre.org/software/S0023), use a blend of HTTP, HTTPS, and other legitimate channels for C2, depending on module configuration.(Citation: FireEye APT28)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) malware including RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2.(Citation: NCC Group APT15 Alive and Strong)(Citation: Microsoft NICKEL December 2021)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1071/001)

  * [University Of Birmingham C2](https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf), Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated  Date:** 07 July 2022

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, CTR Servando Quinones

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- APT28 will utilize HTTP and other legitimate channels for C2. An example of this is the malware CHOPSTICK (also known as Xagent). After sending an initial HTTP "GET" request it sends an HTTP "POST" without waiting for a response from the server. APT28 has been known to use URL-safe Base64 encoding, using an alphabet that replaces "+" and "/" with "-" and "_", respectively. The HTTP "POST" request body will also be Base64 encoded.

### Sample CHOPSTICK v1 HTTP POST including module identification

```http
POST /webhp?rel=psy&hl=7&ai=d2SSzFKlR4l0dRd_ZdyiwE17aTzOPeP-PVsYh1lVAXpLhIebB4= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Host: adobeincorp.com
Content-Length: 71
Cache-Control: no-cache

d2SSzFKchH9IvjcM55eQCTbMbVAU7mR0IK6pNOrbFoF7Br0Pi__0u3Sf1Oh30_HufqHiDU=
```


- Turla will use HTTP and HTTPS for C2 communications. Communications with the C2 server have been observed to sleep a random amount of time between check-ins, observed to be anywhere between 12-15 minutes, but the adversary will likely modify this interval as it is a known tactic. 

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28 | 3 | 1, 2 |
| Turla |  | 1, 2 |

## Detection Blindspots

- Sensor location/TAP points
- HTTPS traffic is encrypted

## Analytical References

  * [Report-APT28](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf)
  * [ESET Sednit Part 2](https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf)
  * [Sednit Update](https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/)
  * [Turla Mosquito](https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/)
  * [Diplomats in Eastern Europe bitten by a Turla mosquito](https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf)
  * [Atomic Red Team T1071.001 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** Identify DNS requests to the "wrong" DNS server.

  * **Source:** Winlogbeats, sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Pseudo Query:** `Event_ID: 22 AND NOT <destination: dns server ip>`

#### Analytic 2

  * **Information:** Detect internal to external traffic.

  * **Source:** Winlogbeats, sysmon

  * **Tool:** Kibana

  * **Notes:** Look for uncommon processes reaching out and identify what is spawning them.

  * **Pseudo Query:** `Event_ID: 3 AND <ip.src>:<internal> AND <ip.dst>:<external>`
  
#### Analytic 3

  * **Information:** Check for CHOPSTICK mailslot

  * **Source:** Winlogbeats, sysmon

  * **Tool:** Kibana

  * **Notes:** APT28

  * **Pseudo Query:** `Event_ID: 1 AND *mailslot*`

  * **Pseudo Query:** `Event_ID: 22 AND *mailslot*`
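The three host analytics above run as one pass over Sysmon events. The following is an added example, not part of this playbook or of Sysmon/Winlogbeat, that applies the same three checks to a handful of constructed events in the flattened field shape Winlogbeat ships to Kibana. The "wrong DNS server" check is keyed on Event ID 3 connections to port 53, since that is where the resolver's destination address is recorded; the approved resolver addresses, the baseline image list, and all event values are assumptions made up for the example.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 ranges, matching the <internal>/<external> split in Host Analytic 2.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumptions (hypothetical values, not from the playbook): the MP's resolvers and
# the images that routinely talk to the internet on this host class.
APPROVED_RESOLVERS = {"10.1.0.53", "10.1.0.54"}
BASELINE_IMAGES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\google\chrome\application\chrome.exe",
}

# Constructed Sysmon events (not real telemetry); only the fields the rules use.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "SourceIp": "10.1.2.3",
     "DestinationIp": "10.1.0.53", "DestinationPort": 53},
    {"EventID": 3, "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "SourceIp": "10.1.2.3",
     "DestinationIp": "203.0.113.10", "DestinationPort": 53},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "SourceIp": "10.1.2.3", "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "SourceIp": "10.1.2.3",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    {"EventID": 1, "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"update.exe --ipc \\.\mailslot\sample_slot"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def rule_wrong_resolver(ev: dict) -> bool:
    """Host Analytic 1: DNS traffic that does not go to an approved resolver."""
    return (ev["EventID"] == 3 and ev["DestinationPort"] == 53
            and ev["DestinationIp"] not in APPROVED_RESOLVERS)


def rule_uncommon_external(ev: dict) -> bool:
    """Host Analytic 2: internal -> external connection from a non-baseline image."""
    return (ev["EventID"] == 3 and is_internal(ev["SourceIp"])
            and not is_internal(ev["DestinationIp"])
            and ev["Image"].lower() not in BASELINE_IMAGES)


def rule_mailslot(ev: dict) -> bool:
    """Host Analytic 3: process creation whose image or command line names a mailslot."""
    haystack = (ev.get("CommandLine", "") + " " + ev["Image"]).lower()
    return ev["EventID"] == 1 and "mailslot" in haystack


RULES = [
    ("dns-to-unapproved-resolver", rule_wrong_resolver),
    ("uncommon-process-external", rule_uncommon_external),
    ("mailslot-reference", rule_mailslot),
]


def hunt(events: list) -> list:
    """Run every rule over every event; a single event can trigger several rules."""
    findings = []
    for idx, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                findings.append({"rule": name, "event": idx, "image": ev["Image"],
                                 "parent": ev.get("ParentImage", "")})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

The parent image is carried into each finding because, as the notes for Analytic 2 say, what spawned the process matters as much as the process itself.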



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

  - C2 detection tends to be a long and arduous process. Leverage your Intel if possible.
  
  - Be aware of traffic that appears to mismatch the protocol it's being sent over, e.g. encrypted data sent over port 80 instead of 443.
  - Open source tools like Flare can be useful to identify beaconing patterns in your traffic.
  - Normal software/endpoints may use HTTP(s) traffic that resembles beacons.
  - Some beacons may contain encrypted traffic. As mentioned above, normal software may also use encrypted beacon-like traffic.
  - Google scripts have been identified as being used by the adversary in the past but do not focus entirely on this as they may adjust and change the way they conduct operations and services.
  - Normal communication for a website (http or https) should consist of a small "get" request (encrypted or not) followed by a response from the server, then the "web content" will be sent.
  - If communication follows a terminal/chat/challenge response style pattern (hello, reply, reply hello, hello, hello, reply) then this could be indicative of a command and control channel.
  - If possible, eliminate OCSP and SSL check-ins to allow for better analysis of network traffic.

#### Analytic 1

  * **Information:** Check the content of successful HTTP POST requests, specifically whether the payload looks Base64 encoded.

  * **Source:** Network Traffic, PCAP

  * **Tool:** Arkime, Kibana

  * **Notes:** This information is related to older versions of their malware, but could still be relevant. Eliminate domains that may be common and have been identified as normal by removing them from the http.uri fields. Ex: `http.uri != <uri here>`

  * **Query Arkime:** `entropy.http == [6,7,8] && http.method == POST && http.statuscode == 200 && ip.dst != [10.0/8, 172.16/12, 192.168/16]`
  * **Query Kibana:** `entropy.http: (6 or 7 or 8) AND http.method: POST AND http.statuscode: 200 AND NOT dstIp: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)`
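The entropy-based Arkime and Kibana queries above, and the URL-safe Base64 pattern described for CHOPSTICK in the Overall Hypothesis, can be checked directly against raw request content when a PCAP is in hand. The following is an added example, not the playbook's own tooling or APT28 code: it parses a raw HTTP request, then flags a POST whose body or query-string values match the standard or URL-safe Base64 alphabet and carry high Shannon entropy. The first sample request reuses the CHOPSTICK v1 request quoted above (with some headers dropped); the second is a constructed benign form login. The length and entropy thresholds are tuning assumptions, and the per-symbol entropy computed here is only roughly comparable to the integer `entropy.http` buckets in the queries.

```python
import math
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample requests. The first follows the CHOPSTICK v1 POST shape from the
# Overall Hypothesis (URL-safe Base64 in the "ai" parameter and in the body); the
# second is an ordinary form submission used as a benign control.
SAMPLE_REQUESTS = [
    "\r\n".join([
        "POST /webhp?rel=psy&hl=7&ai=d2SSzFKlR4l0dRd_ZdyiwE17aTzOPeP-PVsYh1lVAXpLhIebB4= HTTP/1.1",
        "Host: adobeincorp.com",
        "User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0",
        "Content-Length: 71",
        "",
        "d2SSzFKchH9IvjcM55eQCTbMbVAU7mR0IK6pNOrbFoF7Br0Pi__0u3Sf1Oh30_HufqHiDU=",
    ]),
    "\r\n".join([
        "POST /login HTTP/1.1",
        "Host: intranet.example.com",
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: 25",
        "",
        "username=alice&remember=1",
    ]),
]

# Alphabet checks only, no decode attempt: C2 payloads are often unpadded or use a
# custom alphabet and would fail a strict decoder while still being encoded data.
STD_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
URLSAFE_B64 = re.compile(r"^[A-Za-z0-9_-]+={0,2}$")

# Tuning assumptions (hypothetical thresholds, not from the playbook).
MIN_LEN = 32       # shorter tokens (session ids, nonces) are too noisy to flag
MIN_ENTROPY = 4.5  # bits per symbol; random Base64 lands around 5 to 6


def shannon_entropy(data: bytes) -> float:
    """Bits per symbol over the byte distribution of `data`."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def classify_token(token: str):
    """Return (alphabet, entropy) when `token` looks like encoded data, else None."""
    token = token.strip()
    if len(token) < MIN_LEN:
        return None
    if STD_B64.match(token):
        kind = "base64"
    elif URLSAFE_B64.match(token):
        kind = "urlsafe-base64"
    else:
        return None
    entropy = shannon_entropy(token.encode())
    return (kind, entropy) if entropy >= MIN_ENTROPY else None


def analyze_request(raw: str) -> dict:
    """Flag POSTs whose body or query-string values look like high-entropy Base64."""
    method, target, headers, body = parse_request(raw)
    findings = []
    if method == "POST":
        hit = classify_token(body)
        if hit:
            findings.append({"where": "body", "kind": hit[0], "entropy": round(hit[1], 2)})
        # parse_qsl turns "+" into a space, which is one reason encoded data placed
        # in a query string tends to use the URL-safe alphabet in the first place.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            hit = classify_token(value)
            if hit:
                findings.append({"where": f"query:{name}", "kind": hit[0],
                                 "entropy": round(hit[1], 2)})
    return {"method": method, "host": headers.get("host", ""),
            "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(analyze_request(raw))
```

Pair the result with the `http.uri` exclusions from the notes: a long Base64 body to a well-known SaaS endpoint is ordinary, while the same body to a newly seen host with a browser-like User-Agent is what the Arkime query is trying to surface.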

#### Analytic 2 (Turla)

  * **Information:** Identifying self-signed certificates can also assist in identifying C2 traffic. Look at details of the self-signed certificates such as default names, location, and dates.

  * **Source:** Network Traffic, PCAP

  * **Tool:** Arkime, Kibana

  * **Notes:** Encrypted traffic should be evaluated with network traffic and host logs to allow for better insight into connections and possible processes initiating external connections. View host analytics as well. JA3 should be used once a possibly suspicious domain has been identified; use it to associate the JA3 with other domains.

  * **Query Arkime:** `protocols == tls && http.host == [value] && tls.ja3 == [value]`
  * **Query Arkime:** `protocols == tls && http.host == [value] && tls.ja3 == [value] && tls.ja3s == [value]`
  * **Query Arkime:** `tags == "cert:self-signed" && cert.notbefore <= <newly registered domain here> && cert.subject.cn == EXISTS! && cert.subject.oa == EXISTS!`
  * **Query Kibana:** `protocol: tls AND http.host: [value] AND tls.ja3: [value]`
  * **Query Kibana:** `protocol: tls AND http.host: [value] AND tls.ja3: [value] AND tls.ja3s: [value]`
  
#### Analytic 3

  * **Information:**  Detect Beacons - SPI Graph

  * **Source:** Network Traffic, PCAP

  * **Tool:** Arkime

  * **Notes:** Navigate to SPIGraph. Narrow your timeframe to a smaller window (2, 6, or 8 hours work best). Change the "SPIGraph" value to one of the following: ip.src, ip.dst, asn.dst. Look for patterns in connections resembling beacon-like behaviour.
    - Web traffic may be proxied, so get with the MP to identify the ports utilized (e.g. 8080, 8443).
  
  * **Query Arkime:** `ip.src==internal && ip.dst==external`
  * **Query Arkime:** `port.dst == [80, 443]`
  * **Query Arkime:** `protocols == tls && port.dst != 443 && ip.dst != [10/8, 172.16/12, 192.168/16]`
  * **Query Arkime:** `protocols == tls`
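What the SPIGraph view shows by eye, regular session timing from one internal host to one external destination, can also be scored numerically from exported session records. The following is an added example, not part of this playbook or of Arkime: it groups constructed flow records by (ip.src, ip.dst, port.dst), computes the gaps between consecutive sessions, and ranks tuples by the coefficient of variation of those gaps, so that a sleep with jitter (such as the 12-15 minute Turla pattern in the hypothesis) still scores as regular while human browsing does not. The flows, the documentation-range addresses, and the minimum-session and CV thresholds are all assumptions.

```python
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 ranges, matching the ip.dst exclusions in the Arkime queries.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def _flows(src, dst, dport, gaps, start=1_650_000_000):
    """Constructed flow records: one session at `start`, then one per gap (seconds)."""
    t = start
    rows = [{"ts": t, "src": src, "dst": dst, "dport": dport}]
    for gap in gaps:
        t += gap
        rows.append({"ts": t, "src": src, "dst": dst, "dport": dport})
    return rows


# Constructed sample flows (not real traffic). 10.1.2.3 reaches 203.0.113.10 every
# 12-15 minutes with jitter (the Turla sleep shape), browses 198.51.100.7 in bursts,
# and polls an internal file server on a fixed 10-minute timer.
SAMPLE_FLOWS = (
    _flows("10.1.2.3", "203.0.113.10", 443, [780, 840, 725, 895, 810, 760, 870, 735, 885, 800])
    + _flows("10.1.2.3", "198.51.100.7", 443, [2, 1, 340, 5, 1200, 3, 2, 60, 900, 4])
    + _flows("10.1.2.3", "10.1.0.20", 445, [600] * 10)
)


def beacon_candidates(flows, min_sessions=8, max_cv=0.2, external_only=True):
    """Rank (src, dst, dport) tuples by how regular their inter-session gaps are.

    cv = pstdev(gaps) / mean(gaps): a pure timer gives 0, a uniform 12-15 minute
    jitter gives roughly 0.06, and interactive browsing is usually well above 1.
    """
    by_key = defaultdict(list)
    for f in flows:
        if external_only and is_internal(f["dst"]):
            continue  # the playbook scopes this hunt to internal -> external traffic
        by_key[(f["src"], f["dst"], f["dport"])].append(f["ts"])

    out = []
    for (src, dst, dport), stamps in by_key.items():
        if len(stamps) < min_sessions:
            continue  # too few sessions to call the timing regular
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            out.append({"src": src, "dst": dst, "dport": dport, "sessions": len(stamps),
                        "mean_gap_s": round(mean, 1), "cv": round(cv, 3)})
    return sorted(out, key=lambda c: c["cv"])


if __name__ == "__main__":
    for c in beacon_candidates(SAMPLE_FLOWS):
        print(c)
```

Run it with `external_only=False` and the internal SMB poll scores a perfect 0, which is the point of the hunter note above that normal software also produces beacon-like traffic: the score finds regularity, and scoping plus intel decide whether regularity matters.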

#### Analytic 4 (APT 29)

  * **Information:** Detect beacons via DNS long-tail analysis, SPIView and SPIGraph

  * **Source:** Network Traffic, PCAP

  * **Tool:** Arkime

  * **Notes:** Enterprises typically host their own DNS; submit an MP query to verify.
    - Adversaries can hide malicious DNS in legitimate host (e.g. Google, Microsoft) traffic, so traffic associated with these hosts must be verified before it can be ruled out.
    - Always verify any DNS host names that resolve to bare IP addresses.
    - First identify whether the MP is hosting its own DNS. If so, also request the IP(s) of the DNS server(s).
    - If the MP is hosting its own DNS, scope the hunt to identify any DNS requests leaving the MP network.
    - Otherwise, identify which DNS servers MP entities generally reach out to for DNS requests. You can do this by querying for DNS traffic and exporting unique DNS hosts with counts (see Figure 1 below).
    - Start your long-tail analysis to look for outliers. Once you have exported unique DNS hosts with counts, find the least-common events and analyze the sessions associated with those hosts (see Figure 2 below).
    - If you cannot find C2 behavior in this view, view the outliers in SPIView and SPIGraph as well (see Figures 3-4 below).
    - SPIView shows outliers in a different format than exporting unique DNS hosts with counts (see Figure 3).
    - SPIGraph is the best way to view and identify beaconing behavior because it provides a visual representation of behavior over time in graph format, hence the name (see Figure 4).
    - Once you have identified the host(s) in question, note the IP address(es) and identify any other network traffic associated with them (this helps you understand what else the host(s) are doing on the network, including any stage-two activity).

  * **Query Arkime:** `protocols == dns && host.dns == *[.]dnsowl[.]com`
  * **Query Arkime:** `protocols == http && host.http == <insert the hostname of interest> && ip.dst != [10/8, 192.168/16, 172.16/12]`

  * **Query examples from Arkime output**
![T1071.001figure1](../../Images/T1071.001_Web_Protocols1.png)

![T1071.001figure2](../../Images/T1071.001_Web_Protocols2.png)
![T1071.001figure3](../../Images/T1071.001_Web_Protocols3.png)
![T1071.001figure4](../../Images/T1071.001_Web_Protocols4.png)
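The long-tail steps in Analytic 4 (export unique DNS hosts with counts, sort for the least-common names, then pivot on the parent domain as the `*[.]dnsowl[.]com` wildcard query does) reduce to a few counting passes over query records. The following is an added example, not the playbook's own tooling or an Arkime export: it runs those passes over constructed (src, query name) records using reserved example domains, and also rolls names up one label to their parent so that the "many one-off subdomains under a single parent" shape stands out. The parent-domain rule strips exactly one label and does no public-suffix handling, which is a simplification assumed for the example.

```python
from collections import Counter, defaultdict

# Constructed DNS query records (source host, queried name); not real data.
# Two hosts hit the usual corporate names, while 10.1.2.3 also queries two
# never-repeated names under one parent, the classic long-tail outlier.
SAMPLE_QUERIES = (
    [("10.1.2.3", "www.example.com")] * 5
    + [("10.1.2.4", "www.example.com")] * 3
    + [("10.1.2.4", "mail.example.com")] * 4
    + [("10.1.2.9", "intranet.corp.example.com")] * 2
    + [("10.1.2.3", "a1b2c3.cdn-updates.example.net"),
       ("10.1.2.3", "x9y8z7.cdn-updates.example.net")]
)


def host_counts(queries) -> Counter:
    """Equivalent of exporting unique DNS hosts with counts (Figure 1)."""
    return Counter(name for _, name in queries)


def long_tail(queries, max_count=2) -> list:
    """Least-common names first: the outliers to pivot on (Figure 2)."""
    counts = host_counts(queries)
    return sorted(((n, c) for n, c in counts.items() if c <= max_count),
                  key=lambda nc: (nc[1], nc[0]))


def parent_of(name: str) -> str:
    """One label up, mirroring the *.parent wildcard in the Arkime query.
    Simplification assumed here: no public-suffix list, so 'example.com' is a parent too."""
    return name.split(".", 1)[1] if "." in name else name


def parent_rollup(queries) -> dict:
    """Per parent domain: total queries, distinct child names, distinct sources."""
    total = defaultdict(int)
    children = defaultdict(set)
    sources = defaultdict(set)
    for src, name in queries:
        p = parent_of(name)
        total[p] += 1
        children[p].add(name)
        sources[p].add(src)
    return {p: {"queries": total[p], "unique_children": len(children[p]),
                "sources": len(sources[p])} for p in total}


def many_unique_children(queries, min_children=2, max_queries_per_child=1.0) -> list:
    """Parents where nearly every query is for a different child name: the
    one-off-subdomain shape that stands out when the counts are sorted."""
    return sorted(p for p, s in parent_rollup(queries).items()
                  if s["unique_children"] >= min_children
                  and s["queries"] / s["unique_children"] <= max_queries_per_child)


if __name__ == "__main__":
    print(long_tail(SAMPLE_QUERIES))
    print(parent_rollup(SAMPLE_QUERIES))
    print(many_unique_children(SAMPLE_QUERIES))
```

The parent roll-up is what turns two unrelated-looking single queries into one lead: the host-level count shows only that each name was seen once, while the roll-up shows that one source is generating fresh names under the same parent, which is the pivot the second Arkime query above is written for.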

