# T1071 Application Layer Protocol

-----------------------------------------------------------------------

## Technique Description

Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. 

Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. 

## Technique Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)

-----------------------------------------------------------------------

### Tactics:

  *   Command-And-Control

### Platforms:

  * Linux

  * macOS

  * Windows

### Data Sources:

  * **Network Traffic:** Network Traffic Flow

  * **Network Traffic:** Network Traffic Content

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has used an IRC bot for C2 communications.(Citation: Trend Micro TeamTNT)| 
| Rocke | [Rocke](https://attack.mitre.org/groups/G0106) issued wget requests from infected systems to the C2.(Citation: Talos Rocke August 2018)| 
| Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) malware has used IRC for C2.(Citation: Unit 42 Magic Hound Feb 2017)| 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has used SMB for C2.(Citation: US-CERT TA18-074A)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1071)

  * [University Of Birmingham C2](https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf), Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated  Date:** 29 June 2022

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will use application layer protocols to communicate with Command and Control servers.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

#### APT28
- APT28 used SMTP as a communication channel in various implants, initially using self-registered Google Mail accounts and later compromised email servers of its victims.
- Later implants used by APT28, such as CHOPSTICK, use a blend of HTTP and other legitimate channels for C2, depending on module configuration.

#### Turla
- Has used HTTP and HTTPS for C2 communications.
- Has been known to use Uroburos which supports several transport types and protocols including TCP, HTTP, ICMP, UDP, and DNS. 

#### APT29
- Has been identified as using DNS tunneling for command and control communications.
- Cobalt Strike (APT29) conducts peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports.
- Uses RDP to escalate privileges and establish persistent access by tunneling Remote Desktop Protocols or RDP traffic in and out of the network.

## Detection Blindspots

- Information Here

## Analytical References

  * [Atomic Red Team T1071.004 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md)
  * [RPT APT28 (fireeye)](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf)
  * [Cobalt Strike Manual](https://cobaltstrike.com/downloads/csmanual38.pdf)
  * [ESET Turla Mosquito 2018 (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf)
  * [Turla Mosquito - Shift Towards Generic Tools](https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/)
  * [APT29 Analysis - The Dukes 2017 (miquelbigueur.com)](https://miguelbigueur.com/2017/10/20/russian-apt-analysis-apt29-aka-the-dukes/)
  * [Cleaning Up After Wellmess (pwc.co.uk)](https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html)
  * [Dark Halo Leverages SolarWinds Compromise to Breach Organizations](https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
- Simulated Malicious UserAgents:
> `Invoke-WebRequest <baddomain> -UserAgent "HttpBrowser/1.0" | out-null`

> `Invoke-WebRequest <baddomain> -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null`

> `Invoke-WebRequest <baddomain> -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null`

> `Invoke-WebRequest <baddomain> -UserAgent "*<|>*" | out-null`

#### Analytic 1

  * **Information:** Monitor process name and contextual behavior

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query Pseudo:** ```event.code : 3 AND destinationPort : [445,22,3389]```

#### Analytic 2

  * **Information:** LOL bins

  * **Source:** Windows Audits

  * **Tool:** Kibana

  * **Notes:** High False Positive. You may want to filter out internal destination IPs

  * **Query Pseudo:** ```Event.code : 4104 AND message contains *Invoke-WebRequest*```
  * **Query Pseudo:** `Process.name: [curl.exe]`
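The two host analytics above, written out as Python over constructed event records so the matching logic can be checked before it is turned into a Kibana query. This is an added example, not part of the playbook or of any tool it references; the ECS-style field names, the baseline process list, the private-range filter for the "internal destination IPs" note, and the sample events are all assumptions made for the demonstration.

```python
"""Added example (not from the playbook): Host Analytics 1 and 2 over constructed events."""
import ipaddress
import re

# Destination ports from Analytic 1 (SMB, SSH, RDP).
LATERAL_PORTS = {445, 22, 3389}

# Constructed baseline: processes expected to use the network in this environment.
BASELINE_NETWORK_PROCESSES = {"chrome.exe", "outlook.exe", "svchost.exe"}

# User-Agent strings from the simulated-malicious list in the Hunter Notes above.
SUSPICIOUS_USER_AGENTS = {
    "HttpBrowser/1.0",
    "Wget/1.9+cvs-stable (Red Hat modified)",
    "Opera/8.81 (Windows NT 6.0; U; en)",
}

# Address ranges treated as internal (matches the ranges used in the network analytics).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events: Sysmon event 3 (network connection), Sysmon event 1
# (process creation) and PowerShell 4104 (script block logging). Not real telemetry.
SAMPLE_EVENTS = [
    {"event.code": 3, "process.name": "svchost.exe", "destination.ip": "10.0.0.20", "destination.port": 445},
    {"event.code": 3, "process.name": "notepad.exe", "destination.ip": "198.51.100.7", "destination.port": 3389},
    {"event.code": 3, "process.name": "chrome.exe", "destination.ip": "203.0.113.5", "destination.port": 443},
    {"event.code": 4104, "message": 'Invoke-WebRequest http://example.invalid -UserAgent "HttpBrowser/1.0" | out-null'},
    {"event.code": 4104, "message": "Get-ChildItem C:\\Users"},
    {"event.code": 1, "process.name": "curl.exe", "process.command_line": "curl.exe http://198.51.100.7/a"},
]


def is_internal(ip):
    """True when ip falls in one of the RFC 1918 ranges listed above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analytic1_lateral_ports(events, external_only=False):
    """Analytic 1: event.code 3 with destination port 445/22/3389.

    Returns (process, dst_ip, port, in_baseline). in_baseline False is the
    stronger lead: a process not normally seen on the network talking SMB/SSH/RDP.
    external_only drops internal destinations, per the false-positive note above.
    """
    hits = []
    for ev in events:
        if ev.get("event.code") != 3 or ev.get("destination.port") not in LATERAL_PORTS:
            continue
        if external_only and is_internal(ev["destination.ip"]):
            continue
        proc = ev.get("process.name", "")
        hits.append((proc, ev["destination.ip"], ev["destination.port"], proc in BASELINE_NETWORK_PROCESSES))
    return hits


# Pulls the quoted value passed to -UserAgent out of a logged script block.
_UA_RE = re.compile(r'-UserAgent\s+"([^"]*)"', re.IGNORECASE)


def analytic2_lolbins(events):
    """Analytic 2: 4104 script blocks containing Invoke-WebRequest, plus curl.exe process creation.

    Returns (reason, detail, suspicious_ua). For PowerShell hits, detail is the
    User-Agent (or None) and suspicious_ua is True when it is on the simulated
    list or contains wildcard/pipe characters; for curl.exe, detail is the command line.
    """
    hits = []
    for ev in events:
        code = ev.get("event.code")
        if code == 4104 and "invoke-webrequest" in ev.get("message", "").lower():
            m = _UA_RE.search(ev["message"])
            ua = m.group(1) if m else None
            odd = ua is not None and (ua in SUSPICIOUS_USER_AGENTS or any(c in ua for c in "<|>*"))
            hits.append(("powershell-webrequest", ua, odd))
        elif code == 1 and ev.get("process.name", "").lower() == "curl.exe":
            hits.append(("curl.exe", ev.get("process.command_line", ""), None))
    return hits


if __name__ == "__main__":
    print("Analytic 1:", analytic1_lateral_ports(SAMPLE_EVENTS))
    print("Analytic 2:", analytic2_lolbins(SAMPLE_EVENTS))
```

In the sample data the svchost.exe connection to an internal host on 445 is routine, while notepad.exe reaching an external address on 3389 is the lead worth pivoting on; `external_only=True` reproduces the "filter out internal destination IPs" tuning from the Analytic 2 notes.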



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).
- Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.
- C2 detection tends to be a long and arduous process. Leverage your intel if possible.
- Be aware of traffic that appears to mismatch the protocol it's being sent over, e.g. encrypted data sent over port 80 instead of 443.
- Open source tools like Flare_Beacon can be useful to identify beaconing patterns in your traffic.
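Two of the notes above (and the Technique Detection paragraph at the top of the page) describe flow-level signals: a client sending far more than it receives, and connections that recur at a fixed interval. The following is an added example, not part of the playbook and not Flare_Beacon's code, that implements both checks over constructed flow records; the record layout, the thresholds and the sample flows are assumptions chosen for the demonstration.

```python
"""Added example (not from the playbook): asymmetric flows and fixed-interval beaconing
detected over constructed connection records."""
from collections import defaultdict
from statistics import pstdev

# Constructed sample flow records (not real traffic):
# (timestamp_seconds, src_ip, dst_ip, dst_port, bytes_sent_by_client, bytes_received_by_client)
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "203.0.113.10", 443, 1_200, 48_000),      # normal browsing
    (10, "10.0.0.5", "203.0.113.11", 443, 900, 150_000),      # normal download
    (20, "10.0.0.7", "198.51.100.9", 443, 5_000_000, 3_000),  # upload-heavy session
] + [
    # ten connections exactly 60 s apart with tiny payloads: a beacon-like pattern
    (t, "10.0.0.9", "198.51.100.20", 80, 300, 200) for t in range(0, 600, 60)
]


def asymmetric_flows(flows, ratio=10.0, min_bytes_out=100_000):
    """Return (src, dst, port) for flows where the client sends far more than it receives.

    ratio is the minimum bytes_out / bytes_in to flag; min_bytes_out ignores small
    flows so short requests with empty responses do not trigger the rule.
    """
    hits = []
    for _ts, src, dst, port, out_bytes, in_bytes in flows:
        if out_bytes >= min_bytes_out and out_bytes / max(in_bytes, 1) >= ratio:
            hits.append((src, dst, port))
    return sorted(set(hits))


def beacon_candidates(flows, min_connections=5, max_jitter=0.2):
    """Group flows by (src, dst, port) and return {key: mean_interval_seconds}
    for groups whose inter-connection interval is nearly constant.

    max_jitter is the allowed coefficient of variation (stdev / mean). Real
    beacons often add random jitter, so tune this against your own baseline.
    """
    by_key = defaultdict(list)
    for ts, src, dst, port, _out, _in in flows:
        by_key[(src, dst, port)].append(ts)

    candidates = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = sum(intervals) / len(intervals)
        if avg > 0 and pstdev(intervals) / avg <= max_jitter:
            candidates[key] = avg
    return candidates


if __name__ == "__main__":
    print("asymmetric:", asymmetric_flows(SAMPLE_FLOWS))
    print("beacons:", beacon_candidates(SAMPLE_FLOWS))
```

Both functions are meant as triage filters, not verdicts: backup agents and video calls produce upload-heavy flows, and monitoring agents poll on fixed timers, so the output should be joined against the host analytics (which process owned the connection) before escalation.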


#### Analytic 1

  * **Information:** Finding external to internal RDP for possible C2

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:** There may be some processes such as McAfee that will scan ports [3389, 445, etc.] to external IPs

  * **Query:** ```protocols == rdp && ip.src != [10.0/8, 172.16/12, 192.168/16] && ip.dst == [10.0/8, 172.16/12, 192.168/16]```

#### Analytic 2

  * **Information:** Finding external SMB traffic

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:** There may be some processes such as McAfee that will scan ports [3389, 445, etc.] to external IPs. Pivot to the host logs to determine the process 

  * **Query:** ```protocols == smb && ip.dst != [10.0/8, 172.16/12, 192.168/16]```
  
#### Analytic 3

  * **Information:** Finding possible named pipes via DCERPC (Modify dcerpc command as needed)

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:** 

  * **Query:** ```dcerpc.cmd == EXISTS! && ip.dst != [10.0/8, 172.16/12, 192.168/16]```
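The three Arkime queries above share one piece of logic: classifying each side of a session as internal (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or external. The following added example, which is not part of the playbook and not Arkime code, re-implements the three queries over constructed session records so the direction logic can be checked before it is run against real PCAP; the record layout and the sample sessions are assumptions made for the demonstration.

```python
"""Added example (not from the playbook): Network Analytics 1-3 over constructed session records."""
import ipaddress

# The address ranges the Arkime queries above treat as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample sessions (not real PCAP). 'protocols' mirrors Arkime's protocols field;
# 'dcerpc.cmd' is present only when a DCERPC command was decoded.
SAMPLE_SESSIONS = [
    {"protocols": {"tcp", "rdp"}, "ip.src": "203.0.113.8", "ip.dst": "10.0.0.15"},
    {"protocols": {"tcp", "rdp"}, "ip.src": "10.0.0.15", "ip.dst": "10.0.0.16"},
    {"protocols": {"tcp", "smb"}, "ip.src": "192.168.1.5", "ip.dst": "198.51.100.30"},
    {"protocols": {"tcp", "smb"}, "ip.src": "192.168.1.5", "ip.dst": "172.16.4.4"},
    {"protocols": {"tcp", "dcerpc"}, "ip.src": "10.0.0.9", "ip.dst": "198.51.100.30", "dcerpc.cmd": "Request"},
    {"protocols": {"tcp", "dcerpc"}, "ip.src": "10.0.0.9", "ip.dst": "10.0.0.10", "dcerpc.cmd": "Bind"},
]


def is_internal(ip):
    """True when ip is inside one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _pair(session):
    return (session["ip.src"], session["ip.dst"])


def external_to_internal_rdp(sessions):
    """Analytic 1: protocols == rdp && ip.src external && ip.dst internal."""
    return [
        _pair(s) for s in sessions
        if "rdp" in s["protocols"] and not is_internal(s["ip.src"]) and is_internal(s["ip.dst"])
    ]


def external_smb(sessions):
    """Analytic 2: protocols == smb && ip.dst external."""
    return [_pair(s) for s in sessions if "smb" in s["protocols"] and not is_internal(s["ip.dst"])]


def external_dcerpc(sessions):
    """Analytic 3: dcerpc.cmd == EXISTS! && ip.dst external."""
    return [_pair(s) for s in sessions if "dcerpc.cmd" in s and not is_internal(s["ip.dst"])]


def run_all(sessions):
    """Run the three analytics and return their hits keyed by analytic name."""
    return {
        "external_to_internal_rdp": external_to_internal_rdp(sessions),
        "external_smb": external_smb(sessions),
        "external_dcerpc": external_dcerpc(sessions),
    }


if __name__ == "__main__":
    for name, hits in run_all(SAMPLE_SESSIONS).items():
        print(f"{name}: {hits}")
```

As the notes for Analytics 1 and 2 say, scanners and security agents can produce the same external SMB/RDP sessions; each (src, dst) hit here is a pivot point into the host logs (Host Analytic 1, Sysmon event 3) to identify the owning process.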
  


