Application Layer Protocol, Technique T1071 - Enterprise | MITRE ATT&CK®

Application Layer Protocol, Technique T1071 - Enterprise | MITRE ATT&CK®
Currently viewing
ATT&CK v17.1
which was live between April 22, 2025 and October 27, 2025.
Learn more about the versioning system
or
see the live site
Techniques
Enterprise
Application Layer Protocol
Application Layer Protocol
Sub-techniques (5)
ID
Name
T1071.001
Web Protocols
T1071.002
File Transfer Protocols
T1071.003
Mail Protocols
T1071.004
DNS
T1071.005
Publish/Subscribe Protocols
Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, DNS, or publishing/subscribing. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.
[1]
ID:
T1071
Sub-techniques:
T1071.001
T1071.002
T1071.003
T1071.004
T1071.005
Tactic:
Command and Control
Platforms:
ESXi, Linux, Network Devices, Windows, macOS
Contributors:
Duane Michael
Version:
2.4
Created:
31 May 2017
Last Modified:
15 April 2025
Version Permalink
Live Version
Procedure Examples
ID
Name
Description
S0660
Clambling
Clambling
has the ability to use Telnet for communication.
[2]
S0038
Duqu
Duqu
uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols.
[3]
C0041
FrostyGoop Incident
During
FrostyGoop Incident
, the adversary initiated Layer Two Tunnelling Protocol (L2TP) connections to Moscow-based IP addresses.
[4]
S0601
Hildegard
Hildegard
has used an IRC channel for C2 communications.
[5]
G1032
INC Ransom
INC Ransom
has used valid accounts over RDP to connect to targeted systems.
[6]
S0532
Lucifer
Lucifer
can use the Stratum protocol on port 10001 for communication between the cryptojacking bot and the mining server.
[7]
G0059
Magic Hound
Magic Hound
malware has used IRC for C2.
[8]
[9]
S0034
NETEAGLE
Adversaries can also use
NETEAGLE
to establish an RDP connection with a controller over TCP/7519.
S1147
Nightdoor
Nightdoor
uses TCP and UDP communication for command and control traffic.
[10]
[11]
S1084
QUIETEXIT
QUIETEXIT
can use an inverse negotiated SSH connection as part of its C2.
[1]
S1130
Raspberry Robin
Raspberry Robin
is capable of contacting the TOR network for delivering second-stage payloads.
[12]
[13]
[14]
G0106
Rocke
Rocke
issued wget requests from infected systems to the C2.
[15]
S0623
Siloscape
Siloscape
connects to an IRC server for C2.
[16]
S0633
Sliver
Sliver
can utilize the Wireguard VPN protocol for command and control.
[17]
G0139
TeamTNT
TeamTNT
has used an IRC bot for C2 communications.
[18]
G1047
Velvet Ant
Velvet Ant
has used reverse SSH tunnels to communicate to victim devices.
[19]
Mitigations
ID
Mitigation
Description
M1037
Filter Network Traffic
Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
M1031
Network Intrusion Prevention
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
Detection
ID
Data Source
Data Component
Detects
DS0029
Network Traffic
Network Traffic Content
Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).
Network Traffic Flow
Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).
References
Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.
Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024.
Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.
Lauren Podber and Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 17, 2024.
Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024.
Patrick Schläpfer . (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024.
Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
Cybereason Global SOC and Incident Response Team. (n.d.). Sliver C2 Leveraged by Many Threat Actors. Retrieved March 24, 2025.
Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025.