ID | Name |
---|---|
T1071.001 | Web Protocols |
T1071.002 | File Transfer Protocols |
T1071.003 | Mail Protocols |
T1071.004 | DNS |
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Protocols such as HTTP and HTTPS that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
ID | Name | Description |
---|---|---|
S0066 | 3PARA RAT | |
S0065 | 4H RAT | |
S0469 | ABK | ABK has the ability to use HTTP in communications with C2.[2] |
S0045 | ADVSTORESHELL | ADVSTORESHELL connects to port 80 of a C2 server using Wininet API. Data is exchanged via HTTP POSTs.[3] |
S0331 | Agent Tesla | Agent Tesla has used HTTP for C2 communications.[4][5] |
S0504 | Anchor | |
S0584 | AppleJeus | AppleJeus has sent data to its C2 server via |
S0622 | AppleSeed | AppleSeed has the ability to communicate with C2 over HTTP.[8][9] |
G0026 | APT18 | |
G0073 | APT19 | APT19 used HTTP for C2 communications. APT19 also used an HTTP malware variant to communicate over HTTP for C2.[11][12] |
G0007 | APT28 | Later implants used by APT28, such as CHOPSTICK, use a blend of HTTP, HTTPS, and other legitimate channels for C2, depending on module configuration.[13][14] |
G0016 | APT29 | |
G0050 | APT32 | APT32 has used JavaScript that communicates over HTTP or HTTPS to attacker controlled domains to download additional frameworks. The group has also used downloaded encrypted payloads over HTTP.[16][17] |
G0064 | APT33 | |
G0067 | APT37 | |
G0082 | APT38 | APT38 used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS.[20] |
G0087 | APT39 | |
G0096 | APT41 | APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.[23] |
S0456 | Aria-body | |
S0473 | Avenger | Avenger has the ability to use HTTP in communication with C2.[2] |
S0475 | BackConfig | BackConfig has the ability to use HTTPS for C2 communications.[25] |
S0031 | BACKSPACE | BACKSPACE uses HTTP as a transport to communicate with its command server.[26] |
S0128 | BADNEWS | |
S0337 | BadPatch | |
S0239 | Bankshot | Bankshot uses HTTP for command and control communication.[29] |
S0534 | Bazar | Bazar can use HTTP and HTTPS over ports 80 and 443 in C2 communications.[30][31] |
S0470 | BBK | BBK has the ability to use HTTP in communications with C2.[2] |
S0127 | BBSRAT | BBSRAT uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB compressed data back to the C2 server.[32] |
S0268 | Bisonal | |
S0089 | BlackEnergy | BlackEnergy communicates with its C2 server over HTTP.[35] |
S0564 | BlackMould | BlackMould can send commands to C2 in the body of HTTP POST requests.[36] |
S0520 | BLINDINGCAN | BLINDINGCAN has used HTTPS over port 443 for command and control.[37] |
S0657 | BLUELIGHT | BLUELIGHT can use HTTP/S for C2 using the Microsoft Graph API.[38] |
S0635 | BoomBox | |
G0060 | BRONZE BUTLER | BRONZE BUTLER malware has used HTTP for C2.[40] |
S0043 | BUBBLEWRAP | BUBBLEWRAP can communicate using HTTP or HTTPS.[41] |
S0482 | Bundlore | |
S0030 | Carbanak | The Carbanak malware communicates to its command server using HTTP with an encrypted payload.[43] |
S0484 | Carberp | |
S0335 | Carbon | |
S0348 | Cardinal RAT | Cardinal RAT is downloaded using HTTP over port 443.[46] |
S0631 | Chaes | |
S0674 | CharmPower | CharmPower can use HTTP to communicate with C2.[48] |
S0144 | ChChes | ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header.[49][50] |
G0114 | Chimera | |
S0020 | China Chopper | China Chopper's server component executes code sent via HTTP POST commands.[52] |
S0023 | CHOPSTICK | Various implementations of CHOPSTICK communicate with C2 over HTTP.[53] |
S0660 | Clambling | |
S0054 | CloudDuke | |
G0080 | Cobalt Group | Cobalt Group has used HTTPS for C2.[56][57][58] |
S0154 | Cobalt Strike | Cobalt Strike can use a custom command and control protocol that can be encapsulated in HTTP or HTTPS. All protocols use their standard assigned ports.[59][60][61][62] |
S0244 | Comnie | |
S0126 | ComRAT | ComRAT has used HTTP requests for command and control.[64][65][66] |
G0142 | Confucius | |
S0137 | CORESHELL | |
S0050 | CosmicDuke | CosmicDuke can use HTTP or HTTPS for command and control to hard-coded C2 servers.[55][69] |
S0046 | CozyCar | CozyCar's main method of communicating with its C2 servers is using HTTP or HTTPS.[70] |
S0115 | Crimson | Crimson can use an HTTP GET request to download its final payload.[71] |
S0538 | Crutch | Crutch has conducted C2 communications with a Dropbox account using the HTTP API.[72] |
S0527 | CSPY Downloader | CSPY Downloader can use GET requests to download additional payloads from C2.[73] |
S0687 | Cyclops Blink | Cyclops Blink can download files via HTTP and HTTPS.[74][75] |
S0497 | Dacls | |
G0070 | Dark Caracal | Dark Caracal's version of Bandook communicates with their server over a TCP port using HTTP payloads Base64 encoded and suffixed with the string "&&&".[78] |
S0334 | DarkComet | |
S0673 | DarkWatchman | DarkWatchman uses HTTPS for command and control.[80] |
S0187 | Daserf | |
S0243 | DealersChoice | DealersChoice uses HTTP for communication with the C2 server.[81] |
S0616 | DEATHRANSOM | DEATHRANSOM can use HTTPS to download files.[82] |
S0659 | Diavol | |
S0200 | Dipsind | |
S0600 | Doki | |
S0695 | Donut | Donut can use HTTP to download previously staged shellcode payloads.[86] |
S0472 | down_new | down_new has the ability to use HTTP in C2 communications.[2] |
S0186 | DownPaper | |
S0694 | DRATzarus | |
S0384 | Dridex | Dridex has used POST requests and HTTPS for C2 communications.[89][90] |
S0502 | Drovorub | Drovorub can use the WebSocket protocol and has initiated communication with C2 servers with an HTTP Upgrade request.[91] |
S0062 | DustySky | |
S0024 | Dyre | |
S0554 | Egregor | Egregor has communicated with its C2 servers via HTTPS protocol.[95] |
S0081 | Elise | |
S0064 | ELMER | |
S0082 | Emissary | |
S0363 | Empire | Empire can conduct command and control over protocols like HTTP and HTTPS.[99] |
S0091 | Epic | |
S0396 | EvilBunny | |
S0401 | Exaramel for Linux | Exaramel for Linux uses HTTPS for C2 communications.[103][104] |
S0569 | Explosive | |
S0512 | FatDuke | FatDuke can be controlled via a custom C2 protocol over HTTP.[106] |
S0171 | Felismus | |
S0267 | FELIXROOT | FELIXROOT uses HTTP and HTTPS to communicate with the C2 server.[108][109] |
G0085 | FIN4 | FIN4 has used HTTP POST requests to transmit data.[110][111] |
G0061 | FIN8 | |
S0355 | Final1stspy | Final1stspy uses HTTP for C2.[113] |
S0696 | Flagpro | |
S0381 | FlawedAmmyy | FlawedAmmyy has used HTTP for C2.[115] |
S0661 | FoggyWeb | FoggyWeb has the ability to communicate with C2 servers over HTTP GET/POST requests.[116] |
G0047 | Gamaredon Group | Gamaredon Group has used HTTP and HTTPS for C2 communications.[117][118][119][120][121][122] |
S0168 | Gazer | |
S0666 | Gelsemium | |
S0049 | GeminiDuke | GeminiDuke uses HTTP and HTTPS for command and control.[55] |
S0460 | Get2 | Get2 has the ability to use HTTP to send information collected from an infected host to C2.[125] |
S0249 | Gold Dragon | Gold Dragon uses HTTP for communication to the control servers.[126] |
S0493 | GoldenSpy | GoldenSpy has used the Ryeol HTTP Client to facilitate HTTP internet communication.[127] |
S0597 | GoldFinder | GoldFinder has used HTTP for C2.[128] |
S0588 | GoldMax | GoldMax has used HTTPS and HTTP GET requests with custom HTTP cookies for C2.[128][129] |
S0477 | Goopy | Goopy has the ability to communicate with its C2 over HTTP.[17] |
S0531 | Grandoreiro | Grandoreiro has the ability to use HTTP in C2 communications.[130][131] |
S0237 | GravityRAT | GravityRAT uses HTTP for C2.[132] |
S0342 | GreyEnergy | GreyEnergy uses HTTP and HTTPS for C2 communications.[109] |
S0632 | GrimAgent | GrimAgent has the ability to use HTTP for C2 communications.[133] |
S0561 | GuLoader | GuLoader can use HTTP to retrieve additional binaries.[134][135] |
G0125 | HAFNIUM | HAFNIUM has used open-source C2 frameworks, including Covenant.[136] |
S0037 | HAMMERTOSS | The "Uploader" variant of HAMMERTOSS visits a hard-coded server over HTTP/S to download the images HAMMERTOSS uses to receive commands.[137] |
S0391 | HAWKBALL | HAWKBALL has used HTTP to communicate with a single hard-coded C2 server.[138] |
S0170 | Helminth | |
S0087 | Hi-Zor | |
G0126 | Higaisa | Higaisa used HTTP and HTTPS to send data back to its C2 server.[141][142] |
S0009 | Hikit | |
S0070 | HTTPBrowser | HTTPBrowser has used HTTP and HTTPS for command and control.[144][145] |
S0068 | httpclient | httpclient uses HTTP for command and control.[1] |
S0398 | HyperBro | |
S0483 | IcedID | |
G0100 | Inception | Inception has used HTTP, HTTPS, and WebDav in network communications.[148][149] |
S0604 | Industroyer | Industroyer’s main backdoor connected to a remote C2 server using HTTPS.[150] |
S0260 | InvisiMole | InvisiMole uses HTTP for C2 communications.[151] |
S0015 | Ixeshe | |
S0044 | JHUHUGIT | JHUHUGIT variants have communicated with C2 servers over HTTP and HTTPS.[154][155][156] |
S0265 | Kazuar | Kazuar uses HTTP and HTTPS to communicate with the C2 server. Kazuar can also act as a webserver and listen for inbound HTTP requests through an exposed API.[157] |
G0004 | Ke3chang | Ke3chang malware, including RoyalCli and BS2005, has communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2.[158][159] |
S0276 | Keydnap | |
S0526 | KGH_SPY | |
G0094 | Kimsuky | |
S0599 | Kinsing | |
S0250 | Koadic | |
S0162 | Komplex | |
S0356 | KONNI | |
G0032 | Lazarus Group | Lazarus Group has conducted C2 over HTTP and HTTPS.[167][76][77][168][169][170][171] |
S0513 | LiteDuke | LiteDuke can use HTTP GET requests in C2 communications.[106] |
S0680 | LitePower | LitePower can use HTTP and HTTPS for C2 communications.[172] |
S0447 | Lokibot | |
S0582 | LookBack | LookBack’s C2 proxy tool sends data to a C2 server over HTTP.[175] |
S0042 | LOWBALL | LOWBALL command and control occurs via HTTPS over port 443.[41] |
S0409 | Machete | |
S0282 | MacSpy | |
G0059 | Magic Hound | Magic Hound malware has used HTTP for C2.[180] |
S0652 | MarkiRAT | MarkiRAT can initiate communication over HTTP/HTTPS for its C2 server.[181] |
S0449 | Maze | Maze has communicated to hard-coded IP addresses via HTTP.[182] |
S0500 | MCMD | MCMD can use HTTPS in communication with C2 web servers.[183] |
S0459 | MechaFlounder | MechaFlounder has the ability to use HTTP in communication with C2.[184] |
S0455 | Metamorfo | |
S0339 | Micropsia | Micropsia uses HTTP and HTTPS for C2 network communications.[187][188] |
S0051 | MiniDuke | MiniDuke uses HTTP and HTTPS for command and control.[55][106] |
S0084 | Mis-Type | |
S0284 | More_eggs | |
G0069 | MuddyWater | MuddyWater has used HTTP for C2 communications.[191][192] |
G0129 | Mustang Panda | Mustang Panda has communicated with its C2 via HTTP POST requests.[193][194][195][196] |
S0699 | Mythic | |
S0691 | Neoichor | |
S0034 | NETEAGLE | NETEAGLE will attempt to detect if the infected host is configured to use a proxy. If so, NETEAGLE will send beacons via an HTTP POST request. NETEAGLE will also use HTTP to download resources that contain an IP address and Port Number pair to connect to for further C2.[26] |
S0198 | NETWIRE | |
G0014 | Night Dragon | Night Dragon has used HTTP for C2.[200] |
S0385 | njRAT | |
S0353 | NOKKI | |
S0340 | Octopus | Octopus has used HTTP GET and POST requests for C2 communications.[203][204] |
G0049 | OilRig | |
S0439 | Okrum | |
S0138 | OLDBAIT | |
S0052 | OnionDuke | |
S0264 | OopsIE | |
G0071 | Orangeworm | Orangeworm has used HTTP for C2.[210] |
S0352 | OSX_OCEANLOTUS.D | OSX_OCEANLOTUS.D can use HTTP POST and GET requests to send and receive C2 information.[211] |
S0594 | Out1 | Out1 can use HTTP and HTTPS in communications with remote hosts.[192] |
S0072 | OwaAuth | OwaAuth uses incoming HTTP requests with a username keyword and commands and handles them as instructions to perform actions.[144] |
S0598 | P.A.S. Webshell | P.A.S. Webshell can issue commands via HTTP POST.[104] |
S0664 | Pandora | |
S0643 | Peppy | |
S0048 | PinchDuke | PinchDuke transfers files from the compromised host via HTTP or HTTPS to a C2 server.[55] |
S0435 | PLEAD | PLEAD has used HTTP for communications with command and control (C2) servers.[213][214] |
S0013 | PlugX | PlugX can be configured to use HTTP for command and control.[144][215] |
S0067 | pngdowner | |
S0428 | PoetRAT | |
S0518 | PolyglotDuke | PolyglotDuke has used HTTP GET requests in C2 communications.[106] |
S0453 | Pony | Pony has sent collected information to the C2 via HTTP POST request.[217] |
S0378 | PoshC2 | PoshC2 can use protocols like HTTP/HTTPS for command and control traffic.[218] |
S0441 | PowerShower | PowerShower has sent HTTP GET and POST requests to C2 servers to send information and receive instructions.[149] |
S0371 | POWERTON | |
S0184 | POWRUNER | |
S0238 | Proxysvc | Proxysvc uses HTTP over SSL to communicate commands with the control server.[221] |
S0078 | Psylo | |
S0147 | Pteranodon | Pteranodon can use HTTP for C2.[117] |
S0196 | PUNCHBUGGY | PUNCHBUGGY enables remote interaction and can obtain additional code over HTTPS GET and POST requests.[223][224][225] |
S0192 | Pupy | |
S0650 | QakBot | QakBot has the ability to use HTTP and HTTPS in communication with C2 servers.[227][228][229] |
S0269 | QUADAGENT | |
S0686 | QuietSieve | QuietSieve can use HTTPS in C2 communications.[231] |
S0629 | RainyDay | |
S0458 | Ramsay | |
G0075 | Rancor | |
S0241 | RATANKBA | RATANKBA uses HTTP/HTTPS for command and control communication.[235][236] |
S0662 | RCSession | |
S0495 | RDAT | RDAT can use HTTP communications for C2, as well as using the WinHTTP library to make requests to the Exchange Web Services API.[238] |
S0172 | Reaver | |
S0153 | RedLeaves | RedLeaves can communicate to its C2 over HTTP and HTTPS if directed.[240][241] |
S0019 | Regin | The Regin malware platform supports many standard protocols, including HTTP and HTTPS.[242] |
S0375 | Remexi | Remexi uses BITSAdmin to communicate with the C2 server over HTTP.[243] |
S0125 | Remsec | Remsec is capable of using HTTP and HTTPS for C2.[244][245][246] |
S0496 | REvil | REvil has used HTTP and HTTPS in communication with C2.[247][248][249][250][251] |
S0258 | RGDoor | |
S0003 | RIPTIDE | APT12 has used RIPTIDE, a RAT that uses HTTP to communicate.[253] |
S0448 | Rising Sun | Rising Sun has used HTTP for command and control.[254] |
G0106 | Rocke | Rocke has executed wget and curl commands to Pastebin over the HTTPS protocol.[255] |
S0240 | ROKRAT | ROKRAT can use HTTP and HTTPS for command and control communication.[256][257][258] |
S0148 | RTM | RTM has initiated connections to external domains using HTTPS.[259] |
S0085 | S-Type | |
S0074 | Sakula | |
G0034 | Sandworm Team | Sandworm Team's BCS-server tool connects to the designated C2 server via HTTP.[261] |
S0053 | SeaDuke | |
S0345 | Seasalt | |
S0382 | ServHelper | ServHelper uses HTTP for C2.[263] |
S0596 | ShadowPad | ShadowPad communicates over HTTP to retrieve a string that is decoded into a C2 server URL.[264] |
S0140 | Shamoon | |
S0444 | ShimRat | ShimRat communicated over HTTP and HTTPS with C2 servers.[266] |
S0445 | ShimRatReporter | ShimRatReporter communicated over HTTP with preconfigured C2 servers.[266] |
S0589 | Sibot | Sibot communicated with its C2 server via HTTP GET requests.[128] |
S0610 | SideTwist | SideTwist has used HTTP GET and POST requests over port 443 for C2.[267] |
G0121 | Sidewinder | Sidewinder has used HTTP in C2 communications.[268][269][270] |
G0083 | SilverTerrier | SilverTerrier uses HTTP for C2 communications.[271] |
S0633 | Sliver | Sliver has the ability to support C2 communications over HTTP/S.[272][273][274] |
S0533 | SLOTHFULMEDIA | SLOTHFULMEDIA has used HTTP and HTTPS for C2 communications.[275] |
S0226 | Smoke Loader | Smoke Loader uses HTTP for C2.[276] |
S0649 | SMOKEDHAM | SMOKEDHAM has communicated with its C2 servers via HTTPS and HTTP POST requests.[277] |
S0159 | SNUGRIDE | |
S0516 | SoreFang | |
S0543 | Spark | Spark has used HTTP POST requests to communicate with its C2 server to receive commands.[280] |
S0374 | SpeakUp | SpeakUp uses POST and GET requests over HTTP to communicate with its main C&C server.[281] |
G0038 | Stealth Falcon | Stealth Falcon malware communicates with its C2 server via HTTPS.[282] |
S0491 | StrongPity | StrongPity can use HTTP and HTTPS in C2 communications.[283][284] |
S0603 | Stuxnet | Stuxnet uses HTTP to communicate with a command and control server.[285] |
S0559 | SUNBURST | SUNBURST communicated via HTTP GET or HTTP POST requests to third party servers for C2.[286] |
S0578 | SUPERNOVA | SUPERNOVA had to receive an HTTP GET request containing a specific set of parameters in order to execute.[287][288] |
S0060 | Sys10 | |
G0092 | TA505 | |
G0127 | TA551 | |
S0011 | Taidoor | |
G0139 | TeamTNT | TeamTNT has used the curl command to send credentials over HTTP and download new software.[293][294] TeamTNT has also used a custom user agent HTTP header in shell scripts.[295] |
S0595 | ThiefQuest | ThiefQuest uploads files via unencrypted HTTP.[296][297] |
G0027 | Threat Group-3390 | Threat Group-3390 malware has used HTTP for C2.[298] |
S0668 | TinyTurla | |
S0671 | Tomiris | |
S0678 | Torisma | |
S0682 | TrailBlazer | TrailBlazer has used HTTP requests for C2.[302] |
S0266 | TrickBot | TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files.[303][6] |
S0094 | Trojan.Karagany | Trojan.Karagany can communicate with C2 via HTTP POST requests.[304] |
G0081 | Tropic Trooper | Tropic Trooper has used HTTP in communication with the C2.[305][306] |
S0436 | TSCookie | TSCookie can use multiple protocols including HTTP and HTTPS in communication with command and control (C2) servers.[307][308] |
S0647 | Turian | |
G0010 | Turla | Turla has used HTTP and HTTPS for C2 communications.[310][311] |
S0333 | UBoatRAT | |
S0275 | UPPERCUT | UPPERCUT has used HTTP for C2, including sending error codes in Cookie headers.[313] |
S0386 | Ursnif | |
S0476 | Valak | |
S0636 | VaporRage | VaporRage can use HTTP to download shellcode from compromised websites.[39] |
S0207 | Vasport | Vasport creates a backdoor by making a connection using an HTTP POST.[318] |
S0442 | VBShower | VBShower has attempted to obtain a VBS script from command and control (C2) nodes over HTTP.[319] |
S0257 | VERMIN | |
S0514 | WellMess | WellMess can use HTTP and HTTPS in C2 communications.[321][322][323][279] |
S0689 | WhisperGate | WhisperGate can make an HTTPS connection to download additional files.[324][325] |
G0112 | Windshift | Windshift has used tools that communicate with C2 over HTTP.[326] |
S0466 | WindTail | WindTail has the ability to use HTTP for C2 communications.[327] |
S0059 | WinMM | |
S0430 | Winnti for Linux | Winnti for Linux has used HTTP in outbound communications.[328] |
S0141 | Winnti for Windows | Winnti for Windows has the ability to use encapsulated HTTP/S in C2 communications.[329] |
G0090 | WIRTE | |
G0102 | Wizard Spider | Wizard Spider has used HTTP for network communications.[331] |
S0341 | Xbash | |
S0653 | xCaon | xCaon has communicated with the C2 server by sending POST requests over HTTP.[333] |
S0388 | YAHOYAH | |
S0251 | Zebrocy | |
S0230 | ZeroT | |
S0330 | Zeus Panda | Zeus Panda uses HTTP for C2 communications.[343] |
S0086 | ZLib | |
S0412 | ZxShell | |
ID | Mitigation | Description |
---|---|---|
M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
ID | Data Source | Data Component |
---|---|---|
DS0029 | Network Traffic | Network Traffic Content |
DS0029 | Network Traffic | Network Traffic Flow |

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.[345]

Monitor for web traffic to/from known-bad or suspicious domains.
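The technique description above says C2 data is concealed in HTTP fields and headers, and the detection guidance says to look for protocol syntax that does not match what the fields are for and for clients that send far more than they receive. The following is an added example (not code from the ATT&CK page or from any of the software listed) that applies both ideas to constructed HTTP requests: a Cookie header carrying an opaque base64 blob that decodes to binary (the shape described for ChChes, GoldMax and UPPERCUT), a form-encoded POST whose body is a single base64 token suffixed with "&&&" (the shape described for Bandook) and a per-destination out/in byte ratio. The hostnames, paths, thresholds and sample requests are all assumptions made for illustration; the thresholds in particular must be tuned against a real environment's baseline, since long legitimate cookies exist.

```python
"""Heuristic checks for HTTP-based C2 (T1071.001) over constructed sample requests."""
from __future__ import annotations

import base64
import re
from collections import defaultdict
from dataclasses import dataclass

# Thresholds are assumptions for illustration; tune them against a real baseline.
OPAQUE_MIN_LEN = 64           # session tokens are usually shorter than this
EXFIL_MIN_BYTES_OUT = 10_000  # ignore tiny flows when judging the out/in ratio
EXFIL_RATIO = 3.0             # flag a client that sent more than 3x what it received
_BLOB = re.compile(r"[A-Za-z0-9+/=_-]+")  # base64 / urlsafe-base64 alphabet


@dataclass
class HttpRequest:
    dst: str
    method: str
    headers: dict[str, str]
    body: bytes
    resp_bytes: int  # size of the server's reply, taken from the flow record


def parse_request(dst: str, raw: bytes, resp_bytes: int) -> HttpRequest:
    """Split a raw HTTP/1.1 request into method, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, _path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(dst, method, headers, body, resp_bytes)


def looks_like_blob(value: str) -> bool:
    """A long run of base64 characters with no name=value structure inside."""
    return len(value) >= OPAQUE_MIN_LEN and _BLOB.fullmatch(value) is not None


def decodes_to_binary(value: str) -> bool:
    """Base64-decode (fixing padding, accepting urlsafe) and look for non-printable bytes."""
    core = value.rstrip("=")
    padded = core.translate(str.maketrans("-_", "+/")) + "=" * (-len(core) % 4)
    try:
        data = base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return any((b < 0x20 and b not in b"\t\r\n") or b > 0x7E for b in data)


def cookie_findings(req: HttpRequest) -> list[str]:
    """Cookie header carrying an opaque blob (the pattern described for ChChes, GoldMax, UPPERCUT)."""
    findings = []
    for segment in filter(None, (s.strip() for s in req.headers.get("cookie", "").split(";"))):
        name, sep, value = segment.partition("=")
        if not sep:
            findings.append(f"cookie segment without name=value ({len(segment)} bytes)")
        elif looks_like_blob(value) and decodes_to_binary(value):
            findings.append(f"cookie {name!r} carries a {len(value)}-byte base64 blob decoding to binary")
    return findings


def body_findings(req: HttpRequest) -> list[str]:
    """POST body that contradicts its declared Content-Type: a form with no fields."""
    ctype = req.headers.get("content-type", "").split(";")[0].strip()
    if req.method != "POST" or ctype != "application/x-www-form-urlencoded":
        return []
    token = req.body.decode("latin-1").rstrip("&")  # tolerate trailing "&&&"-style suffixes
    # Real form data is name=value pairs joined by '&'; base64 only has '=' as trailing padding.
    if "=" not in token.rstrip("=") and looks_like_blob(token):
        return [f"form-encoded POST body is a single {len(req.body)}-byte opaque blob"]
    return []


def analyze(requests: list[HttpRequest]) -> dict[str, list[str]]:
    """Content findings per destination plus the out/in byte ratio the detection text describes."""
    report, sent, received = defaultdict(list), defaultdict(int), defaultdict(int)
    for r in requests:
        report[r.dst].extend(cookie_findings(r) + body_findings(r))
        sent[r.dst] += len(r.body)  # body bytes only; header bytes ignored for simplicity
        received[r.dst] += r.resp_bytes
    for dst, n_out in sent.items():
        n_in = max(received[dst], 1)
        if n_out >= EXFIL_MIN_BYTES_OUT and n_out > EXFIL_RATIO * n_in:
            report[dst].append(f"client sent {n_out} bytes but received {n_in} (ratio {n_out / n_in:.1f})")
    return {dst: f for dst, f in report.items() if f}


def sample_requests() -> list[HttpRequest]:
    """Constructed traffic: one benign page view and two C2-shaped requests to one host."""
    benign = (b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"
              b"Cookie: sessionid=3f9a1c2e4b5d6a7f8091a2b3c4d5e6f7\r\n\r\n")
    blob = base64.b64encode(bytes(range(96))).decode()  # 128 chars, decodes to control bytes
    cookie_c2 = (b"GET /news/update.php HTTP/1.1\r\nHost: cdn.example.net\r\n"
                 b"Cookie: PHPSESSID=" + blob.encode() + b"\r\n\r\n")
    payload = base64.b64encode(b"\x00" * 30_000).decode() + "&&&"  # Bandook-style "&&&" suffix
    post_c2 = (b"POST /upload HTTP/1.1\r\nHost: cdn.example.net\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n" + payload.encode())
    return [parse_request("intranet.example", benign, 15_000),
            parse_request("cdn.example.net", cookie_c2, 512),
            parse_request("cdn.example.net", post_c2, 200)]
```

Running `analyze(sample_requests())` reports nothing for `intranet.example` and three findings for `cdn.example.net`: the 128-byte cookie blob, the 40003-byte single-token form body, and an out/in ratio of roughly 56. The checks are deliberately structural rather than signature-based, which is what the detection text asks for: a cookie is expected to be `name=token` pairs, a form body is expected to be `name=value` fields, and a browsing client is expected to receive more than it sends. On real traffic the same functions would be fed from a proxy log or a TLS-terminating sensor, since HTTPS hides the fields from a passive tap.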