T0869 Standard Application Layer Protocol
Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, Telnet, DNP3, and Modbus. Because these protocols are expected in the environment, adversary traffic carried over them can blend in with benign network traffic. Standard protocols are usually seen on their associated port, but in some cases they are carried over a non-standard port. Adversaries may use these protocols to reach out of the network for command and control, or in some cases to communicate with other infected devices within the network.
Item | Value |
---|---|
ID | T0869 |
Sub-techniques | |
Tactics | TA0101 |
Platforms | Control Server, Data Historian, Engineering Workstation, Human-Machine Interface |
Version | 1.0 |
Created | 21 May 2020 |
Last Modified | 09 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0089 | BlackEnergy | BlackEnergy uses HTTP POST requests to contact external command and control servers. [6] |
S1045 | INCONTROLLER | INCONTROLLER can remotely send commands to a malicious agent uploaded on Omron PLCs over HTTP or HTTPS. [5] |
G0049 | OilRig | OilRig communicated with its command and control using HTTP requests. [7] |
S0496 | REvil | REvil sends HTTPS POST messages with randomly generated URLs to communicate with a remote server. [1][2] |
S0603 | Stuxnet | Stuxnet uses a thread to monitor data block DB890 of sequence A or B. This thread is constantly running and probes the block every 5 minutes. On an infected PLC, if block DB890 is found and contains a special magic value (used by Stuxnet to identify its own block DB890), the block's data can be read and written. This thread is likely used to optimize the way sequences A and B work, and to modify their behavior when the Step7 editor is opened. [3] |
S1009 | Triton | Triton can communicate with the implant using the TriStation 'get main processor diagnostic data' command; it looks for a specifically crafted packet body from which it extracts a command value and its arguments. [4] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M0807 | Network Allowlists | Network allowlists can be implemented through either host-based firewall rules or system hosts files to specify which connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the Filter Network Traffic mitigation. |
M0931 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
M0930 | Network Segmentation | Ensure proper network segmentation between higher level corporate resources and the control process environment. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0029 | Network Traffic | Network Traffic Content |
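The following is an added example, not code from the ATT&CK page or from MITRE, showing how the Network Traffic Content data source and the M0807 allowlist mitigation can be turned into concrete checks. It reads Zeek-style conn.log records and reports three conditions drawn from the technique description: a known application-layer protocol on a port other than its standard one, an ICS protocol (Modbus, DNP3) leaving the control network, and any connection from the control network that is not in the allowlist. The log lines, the 10.10.1.0/24 control network, the external addresses, the port map and the allowlist entries are all constructed assumptions for the demonstration.

```python
"""Flag command-and-control candidates in Zeek-style conn.log records.

Added example, not part of the ATT&CK page.  Every address, log line and
allowlist entry below is constructed for the demonstration.
"""
import ipaddress
from collections import namedtuple

# Zeek conn.log fields used here (tab-separated): ts, id.orig_h, id.orig_p,
# id.resp_h, id.resp_p, proto, service.  These records are constructed.
SAMPLE_CONN_LOG = """\
1700000000.1\t10.10.1.20\t51234\t10.10.1.5\t502\ttcp\tmodbus
1700000001.2\t10.10.1.20\t51235\t10.10.1.6\t20000\ttcp\tdnp3
1700000002.3\t10.10.1.30\t51236\t203.0.113.10\t443\ttcp\tssl
1700000003.4\t10.10.1.30\t51237\t203.0.113.11\t8443\ttcp\thttp
1700000004.5\t10.10.1.20\t51238\t198.51.100.7\t502\ttcp\tmodbus
1700000005.6\t10.10.1.40\t51239\t10.10.1.5\t502\ttcp\tmodbus
"""

Flow = namedtuple("Flow", "ts src sport dst dport proto service")

# Ports on which each application-layer protocol is normally seen.  A protocol
# on any other port is the "non-standard port" case from the description.
STANDARD_PORTS = {
    "http": {80, 8080},
    "ssl": {443},
    "modbus": {502},
    "dnp3": {20000},
    "rdp": {3389},
    "telnet": {23},
}

# Assumed process-control network; ICS protocols should not leave it.
CONTROL_NET = ipaddress.ip_network("10.10.1.0/24")

# M0807-style allowlist of (src, dst, dport, proto) tuples a control-network
# host may open.  Any other connection from that network is reported.
ALLOWLIST = {
    ("10.10.1.20", "10.10.1.5", 502, "tcp"),        # HMI -> PLC, Modbus
    ("10.10.1.20", "10.10.1.6", 20000, "tcp"),      # HMI -> RTU, DNP3
    ("10.10.1.30", "203.0.113.10", 443, "tcp"),     # hypothetical update mirror
}


def parse_conn_log(text):
    """Parse the seven conn.log columns above into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, service = line.split("\t")
        flows.append(Flow(float(ts), src, int(sport), dst, int(dport), proto, service))
    return flows


def find_suspicious(flows):
    """Return (flow, reason) pairs; a flow may appear once per reason."""
    findings = []
    for f in flows:
        reasons = []
        expected = STANDARD_PORTS.get(f.service)
        if expected and f.dport not in expected:
            reasons.append(f"{f.service} on non-standard port {f.dport}")
        src_in = ipaddress.ip_address(f.src) in CONTROL_NET
        dst_in = ipaddress.ip_address(f.dst) in CONTROL_NET
        if src_in and not dst_in and f.service in ("modbus", "dnp3"):
            reasons.append(f"ICS protocol {f.service} leaving the control network")
        if src_in and (f.src, f.dst, f.dport, f.proto) not in ALLOWLIST:
            reasons.append("connection not in network allowlist")
        findings.extend((f, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for flow, reason in find_suspicious(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} ({flow.service}): {reason}")
```

Run against the constructed records, the first three flows are allowlisted and on their standard ports and produce nothing; the HTTP session to port 8443 and the Modbus session to 198.51.100.7 each raise two findings, and the unlisted workstation talking Modbus to the PLC raises one. The non-standard-port check depends on the sensor's protocol identification (Zeek's `service` field here) rather than on the port, which is the point of the technique: a port-based rule alone would pass the 8443 session as generic TLS traffic.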
References
1. SecureWorks. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved April 12, 2021.
2. Tom Fakterman. (2019, August 5). Sodinokibi: The Crown Prince of Ransomware. Retrieved April 12, 2021.
3. Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
4. Jos Wetzels. (2018, January 16). Analyzing the TRITON industrial malware. Retrieved October 22, 2019.
5. DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.
6. Booz Allen Hamilton. When The Lights Went Out. Retrieved October 22, 2019.
7. Robert Falcone, Bryan Lee. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved November 19, 2019.