DET0027 Detection of Web Protocol-Based C2 Over HTTP, HTTPS, or WebSockets

Item	Value
ID	DET0027
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1071.001 (Web Protocols)

Analytics

Windows

AN0075

Detects unexpected or high-volume HTTP/S/WebSocket communication from suspicious processes (e.g., PowerShell, rundll32) using uncommon user agents or mimicking browser traffic to unusual domains or IPs.

Log Sources

Data Component	Name	Channel
Network Traffic Content (DC0085)	NSM:Flow	http.log, ssl.log
Network Connection Creation (DC0082)	WinEventLog:Sysmon	EventCode=3, 22

Mutable Elements

Field	Description
ProcessNameExclusions	Filter out legitimate browser/network utilities
UserAgentAnomalies	Detect non-browser user-agents or spoofed headers
OutboundByteRatioThreshold	Flag when outbound > inbound volume by 90%+

Linux

AN0076

Detects curl, wget, Python requests, or custom HTTP clients communicating over non-standard ports, with repetitive or beacon-like patterns or POST-heavy behavior to rare domains.

Log Sources

Data Component	Name	Channel
Network Traffic Content (DC0085)	NSM:Flow	http.log, conn.log
Process Creation (DC0032)	auditd:SYSCALL	execve

Mutable Elements

Field	Description
CommandLinePatternMatch	curl or wget in scripts with suspicious domains or silent flags
BeaconIntervalWindow	Fixed-timed HTTP callbacks with 60±5s jitter

macOS

AN0077

Detects applications such as Automator, AppleScript, or LaunchDaemons invoking HTTP/S traffic to non-standard domains or using suspicious headers (e.g., Base64 in URIs or cookie fields).

Log Sources

Data Component	Name	Channel
Network Traffic Flow (DC0078)	macos:osquery	socket_events
Command Execution (DC0064)	macos:unifiedlog	log stream –predicate

Mutable Elements

Field	Description
SuspiciousParentProcess	Non-browser parent of web traffic (e.g., AppleScript, bash)
URIEntropyThreshold	Unusually encoded data in GET/POST URIs

ESXi

AN0078

Detects HTTP or HTTPS communication initiated by shell-based scripts or management daemons, especially those reaching public IPs over ports 80/443 using embedded curl or wget.

Log Sources

Data Component	Name	Channel
Network Traffic Content (DC0085)	NSM:Flow	SPAN or port-mirrored HTTP/S
Process Creation (DC0032)	esxi:shell	/root/.ash_history or /etc/init.d/*

Mutable Elements

Field	Description
ShellScriptMatch	Match on commands like `wget https://*`, `curl -s`
ExternalConnectionFilter	Public IPs or external DNS hostnames

Network Devices

AN0079

Detects Web protocol misuse such as encoded HTTP headers, WebSocket upgrade requests with abnormal payloads, or TLS handshake anomalies suggesting embedded C2 channels.

Log Sources

Data Component	Name	Channel
Network Traffic Content (DC0085)	NSM:Flow	http.log, ssl.log, websocket.log

Mutable Elements

Field	Description
HeaderEncodingPattern	Base64, hex, or UTF-16 encoding in URI, cookie, or host
TLSFingerprintMismatch	JA3 hash deviation from known clients