T1071.001 - Web Protocols

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as HTTP/S (Citation: CrowdStrike Putter Panda) and WebSocket (Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

Atomic Tests

Atomic Test #1 - Malicious User Agents - Powershell

This test simulates an infected host beaconing to command and control. Upon execution, no output will be displayed.

Use an application such as Wireshark to record the session and observe user agent strings and responses.

Inspired by APTSimulator - NextronSystems/APTSimulator

Supported Platforms: windows

Attack Commands: Run with powershell

Invoke-WebRequest www.google.com -UserAgent "HttpBrowser/1.0" | out-null
Invoke-WebRequest www.google.com -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
Invoke-WebRequest www.google.com -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
Invoke-WebRequest www.google.com -UserAgent "*<|>*" | out-null
Invoke-AtomicTest T1071.001 -TestNumbers 1

Atomic Test #2 - Malicious User Agents - CMD

This test simulates an infected host beaconing to command and control. Upon execution, no output will be displayed. Use an application such as Wireshark to record the session and observe user agent strings and responses.

Inspired by APTSimulator - NextronSystems/APTSimulator

Supported Platforms: windows

Dependencies: Run with powershell!

Description: Curl must be installed on system

Check Prereq Commands:
if (Test-Path C:\Windows\System32\Curl.exe) {exit 0} else {exit 1}

Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.71.1-win32-mingw\bin\curl.exe" C:\Windows\System32\Curl.exe
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl"
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"

Invoke-AtomicTest T1071.001 -TestNumbers 2 -GetPreReqs

Attack Commands: Run with command_prompt

C:\Windows\System32\Curl.exe -s -A "HttpBrowser/1.0" -m3 www.google.com >nul 2>&1
C:\Windows\System32\Curl.exe -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 www.google.com >nul 2>&1
C:\Windows\System32\Curl.exe -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 www.google.com >nul 2>&1
C:\Windows\System32\Curl.exe -s -A "*<|>*" -m3 www.google.com >nul 2>&1
Invoke-AtomicTest T1071.001 -TestNumbers 2

Atomic Test #3 - Malicious User Agents - Nix

This test simulates an infected host beaconing to command and control.

Inspired by APTSimulator - NextronSystems/APTSimulator

Supported Platforms: linux, macos

Attack Commands: Run with sh

curl -s -A "HttpBrowser/1.0" -m3 www.google.com
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 www.google.com
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 www.google.com
curl -s -A "*<|>*" -m3 www.google.com
Invoke-AtomicTest T1071.001 -TestNumbers 3

Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)

Monitor for web traffic to/from known-bad or suspicious domains.
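The following is an added example, not part of the original page or the Atomic Red Team project, showing how the three detection ideas above can be applied to web proxy logs: user agents outside an environment baseline (including the odd strings the tests above send, such as "HttpBrowser/1.0" and "*<|>*"), lopsided flows where a client sends far more than it receives, and requests that recur at near-constant intervals, which is what "beaconing" looks like in a log. The log format (timestamp, client IP, host, method, bytes out, bytes in, quoted user agent), the baseline prefix list, and the sample lines are all constructed assumptions for the example; a real deployment would derive the baseline from a period of known-good traffic.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (sample data for this example, not from the page).
# Fields: timestamp client_ip host method bytes_out bytes_in "user_agent"
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 www.example.com GET 512 48211 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2024-05-01T10:00:05 10.0.0.7 www.google.com GET 320 2048 "HttpBrowser/1.0"
2024-05-01T10:00:09 10.0.0.9 cdn.example.net GET 600 910000 "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) Safari/605.1.15"
2024-05-01T10:01:05 10.0.0.7 www.google.com GET 330 2048 "HttpBrowser/1.0"
2024-05-01T10:02:05 10.0.0.7 www.google.com GET 325 2048 "HttpBrowser/1.0"
2024-05-01T10:03:05 10.0.0.7 www.google.com GET 318 2048 "HttpBrowser/1.0"
2024-05-01T10:04:00 10.0.0.11 upload.example.org POST 5200000 800 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2024-05-01T10:05:00 10.0.0.12 www.google.com GET 300 1500 "*<|>*"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+) "(.*)"$')

# Hypothetical baseline: user-agent prefixes expected in this environment.
BASELINE_UA_PREFIXES = ("Mozilla/5.0 ",)

# Characters that do not occur in a legitimate browser user agent.
UA_ODD_CHARS_RE = re.compile(r"[<>|*]")


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the analysis
        ts, client, host, method, out_b, in_b, ua = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "client": client, "host": host, "method": method,
            "bytes_out": int(out_b), "bytes_in": int(in_b), "ua": ua,
        })
    return events


def flag_user_agents(events):
    """Return (client, ua) pairs whose user agent is off-baseline or contains odd characters."""
    hits = set()
    for e in events:
        off_baseline = not e["ua"].startswith(BASELINE_UA_PREFIXES)
        odd = bool(UA_ODD_CHARS_RE.search(e["ua"]))
        if off_baseline or odd:
            hits.add((e["client"], e["ua"]))
    return sorted(hits)


def flag_lopsided_flows(events, ratio=10.0, min_bytes=1_000_000):
    """Return (client, host) pairs where the client sent far more than it received."""
    hits = set()
    for e in events:
        if e["bytes_out"] >= min_bytes and e["bytes_out"] / max(e["bytes_in"], 1) >= ratio:
            hits.add((e["client"], e["host"]))
    return sorted(hits)


def flag_beacons(events, min_requests=4, max_jitter=0.1):
    """Return (client, host, ua) tuples whose requests recur at near-constant intervals."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["client"], e["host"], e["ua"])].append(e["ts"])
    hits = []
    for key, stamps in by_key.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low relative spread of the inter-request gaps means a fixed-period check-in.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append(key)
    return sorted(hits)


def analyze(text):
    """Run all three checks over a log and return the findings by category."""
    events = parse_log(text)
    return {
        "user_agents": flag_user_agents(events),
        "lopsided": flag_lopsided_flows(events),
        "beacons": flag_beacons(events),
    }


if __name__ == "__main__":
    for category, findings in analyze(SAMPLE_LOG).items():
        print(category, findings)
```

On the sample data the user-agent check surfaces both non-browser strings, the flow check surfaces the single large POST, and the beacon check surfaces the host that contacts www.google.com every 60 seconds with the same agent. The thresholds (10:1 byte ratio, 1 MB minimum, 10% jitter, four requests) are starting points to tune against real traffic; the beacon check in particular needs enough history per client to avoid flagging legitimate pollers such as update checks.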