Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Technique Application Layer Protocol
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
RU
Риски
Каталоги
MITRE ATT&CK
Техника
Application Layer Protocol
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Application Layer Protocol

ID Name
.001 Web Protocols
.002 File Transfer Protocols
.003 Mail Protocols
.004 DNS
.005 Publish/Subscribe Protocols

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, DNS, or publishing/subscribing. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye Spy Email Nov 22)

ID: T1071
Sub-techniques:  .001 .002 .003 .004 .005
Tactic(s): Command and Control
Platforms: Linux, macOS, Network, Windows
Data Sources: Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Version: 2.3
Created: 31 May 2017
Last Modified: 28 Aug 2024

Procedure Examples
Name Description
Cobalt Strike

Cobalt Strike conducts peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports.(Citation: cobaltstrike manual)

Hildegard

Hildegard has used an IRC channel for C2 communications.(Citation: Unit 42 Hildegard Malware)
Magic Hound

Magic Hound malware has used IRC for C2.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Phosphorus November 2021)
NETEAGLE

Adversaries can also use NETEAGLE to establish an RDP connection with a controller over TCP/7519.
Rocke

Rocke issued wget requests from infected systems to the C2.(Citation: Talos Rocke August 2018)
INC Ransom

INC Ransom has used valid accounts over RDP to connect to targeted systems.(Citation: Huntress INC Ransom Group August 2023)
Siloscape

Siloscape connects to an IRC server for C2.(Citation: Unit 42 Siloscape Jun 2021)
Dragonfly 2.0

Dragonfly 2.0 used SMB for C2.(Citation: US-CERT TA18-074A)
QUIETEXIT

QUIETEXIT can use an inverse negotiated SSH connection as part of its C2.(Citation: Mandiant APT29 Eye Spy Email Nov 22)
Duqu

Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols.(Citation: Symantec W32.Duqu)
Clambling

Clambling has the ability to use Telnet for communication.(Citation: Trend Micro DRBControl February 2020)
Lucifer

Lucifer can use the Stratum protocol on port 10001 for communication between the cryptojacking bot and the mining server.(Citation: Unit 42 Lucifer June 2020)
TeamTNT

TeamTNT has used an IRC bot for C2 communications.(Citation: Trend Micro TeamTNT)
Raspberry Robin

Raspberry Robin is capable of contacting the TOR network for delivering second-stage payloads.(Citation: RedCanary RaspberryRobin 2022)(Citation: TrendMicro RaspberryRobin 2022)(Citation: HP RaspberryRobin 2024)
Nightdoor

Nightdoor uses TCP and UDP communication for command and control traffic.(Citation: ESET EvasivePanda 2024)(Citation: Symantec Daggerfly 2024)

Mitigations
Mitigation Description
Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.
Filter Network Traffic

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.

Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)

References

  1. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  2. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  3. Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
  4. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
  5. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  6. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  7. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  8. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  9. Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
  10. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
  11. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  12. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  13. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
  14. Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
  15. Patrick Schläpfer . (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024.
  16. Lauren Podber and Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 17, 2024.
  17. Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024.
  18. Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.
  19. Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.