Skip to content

T1071 Application Layer Protocol

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, DNS, or publishing/subscribing. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.2

Item Value
ID T1071
Sub-techniques T1071.001, T1071.002, T1071.003, T1071.004, T1071.005
Tactics TA0011
Platforms ESXi, Linux, Network Devices, Windows, macOS
Version 2.4
Created 31 May 2017
Last Modified 24 October 2025

Procedure Examples

ID Name Description
S0660 Clambling Clambling has the ability to use Telnet for communication.7
S0038 Duqu Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols.6
C0041 FrostyGoop Incident During FrostyGoop Incident, the adversary initiated Layer Two Tunnelling Protocol (L2TP) connections to Moscow-based IP addresses.20
S0601 Hildegard Hildegard has used an IRC channel for C2 communications.4
G1032 INC Ransom INC Ransom has used valid accounts over RDP to connect to targeted systems.17
S0532 Lucifer Lucifer can use the Stratum protocol on port 10001 for communication between the cryptojacking bot and the mining server.8
G0059 Magic Hound Magic Hound malware has used IRC for C2.1514
S0034 NETEAGLE Adversaries can also use NETEAGLE to establish an RDP connection with a controller over TCP/7519.
S1147 Nightdoor Nightdoor uses TCP and UDP communication for command and control traffic.1213
S1084 QUIETEXIT QUIETEXIT can use an inverse negotiated SSH connection as part of its C2.2
S1130 Raspberry Robin Raspberry Robin is capable of contacting the TOR network for delivering second-stage payloads.10911
G0106 Rocke Rocke issued wget requests from infected systems to the C2.16
S0623 Siloscape Siloscape connects to an IRC server for C2.5
S0633 Sliver Sliver can utilize the Wireguard VPN protocol for command and control.3
G0139 TeamTNT TeamTNT has used an IRC bot for C2 communications.19
G1047 Velvet Ant Velvet Ant has used reverse SSH tunnels to communicate to victim devices.18

Mitigations

ID Mitigation Description
M1037 Filter Network Traffic Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
M1031 Network Intrusion Prevention Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

References

  1. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. 

  2. Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023. 

  3. Cybereason Global SOC and Incident Response Team. (n.d.). Sliver C2 Leveraged by Many Threat Actors. Retrieved March 24, 2025. 

  4. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. 

  5. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021. 

  6. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015. 

  7. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  8. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020. 

  9. Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024. 

  10. Lauren Podber and Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 17, 2024. 

  11. Patrick Schläpfer . (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024. 

  12. Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024. 

  13. Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024. 

  14. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. 

  15. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. 

  16. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020. 

  17. Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024. 

  18. Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025. 

  19. Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021. 

  20. Mark Graham, Carolyn Ahlers, Kyle O’Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.