T1071.001

Web Protocols

Web Protocols (T1071.001) is a MITRE ATT&CK technique associated with Command and Control . Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.

Technique ID: T1071.001
Difficulty: Intermediate
Tactics: Command and Control
Platforms: ESXiLinuxmacOSNetwork DevicesWindows

Executive Summary

Web Protocols (T1071.001) is a MITRE ATT&CK technique associated with Command and Control. Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.

Why Attackers Use It

Attackers use Web Protocols because it provides a reliable way to advance their objective within the Command and Control tactic, often with a favorable balance of impact versus detectability on ESXi, Linux, macOS, Network Devices, Windows environments. Defenders should assess this behavior in the context of the affected platform and adjacent activity rather than treating it as a standalone indicator.

MITRE Description

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

Attack Flow

Attacker gains the prerequisite access or context described below.
Attacker executes Web Protocols to achieve its tactical objective (Command and Control).
Resulting access/data/effect is leveraged to advance the broader attack chain (see Related Techniques).

Prerequisites

Platform(s): ESXi, Linux, macOS, Network Devices, Windows
ATT&CK does not define one universal permission requirement for this technique. Establish the required access from the observed implementation and affected platform.

Common Tools

Tool attribution is implementation-specific. Use ATT&CK procedure examples and local telemetry to identify the binaries, services, scripts, accounts, or cloud resources involved.

Commands

No universal command represents Web Protocols. Capture the exact command line, arguments, parent process, account, host, and execution time from the investigated environment; do not operationalize unverified examples.

Network Traffic

Network observability is implementation-dependent. Review DNS, proxy, firewall, flow, authentication, and packet telemetry around the activity window, then correlate remote endpoints and protocol behavior with host evidence.

Windows Events

Event ID	Log Channel	What It Indicates
Environment-specific	Relevant Windows channel(s)	Correlate authentication, process, object-access, and configuration events with the observed execution context.

Sysmon Events

Sysmon Event ID	Name	Why It's Relevant Here
Environment-specific	Validate configured telemetry	Use process, network, file, registry, DNS, or image-load telemetry only when relevant and enabled.

Detection Opportunities

No MITRE detection guidance published for this technique.

Relevant ATT&CK Data Sources: N/A

Sigma Rules

A universal Sigma rule would create unreliable results because this technique has no single guaranteed observable. Build detection logic from a documented behavior and supported data source, scope it to the affected platform, and validate it against benign administrative activity before deployment.

Splunk Queries

Start with the data sources named in the detection section. Scope searches by asset, identity, and time window; correlate the primary behavior with preceding access and subsequent actions. A portable query is intentionally not provided where the technique lacks a universal schema or observable.

Investigation Workflow

Confirm that the observed behavior is consistent with Web Protocols and rule out expected administrative or application activity.
Establish the first-seen time, initiating identity, source system, target system, and affected resources.
Collect relevant host, identity, network, cloud, and application telemetry for the surrounding time window.
Correlate parent and child activity, remote connections, file or configuration changes, and related ATT&CK techniques.
Determine scope by searching for the same observable across peer assets and identities.
Preserve volatile evidence and record confidence, assumptions, and telemetry gaps before containment.

Containment

Isolate affected host(s)/account(s) identified during investigation.
Revoke or rotate any credentials/tokens potentially exposed.
Apply the mitigations listed below where not already enforced.
Validate no related techniques (see Related Techniques) were chained against the same asset.

Mitigation

M1031 -- Network Intrusion Prevention: Use intrusion detection signatures to block traffic at network boundaries.
M1037 -- Filter Network Traffic: Employ network appliances and endpoint software to filter ingress, egress, and lateral network traffic.

Related Techniques

T1001
T1001.001
T1001.002
T1001.003
T1003
T1003.002
T1003.005
T1005
T1007
T1008
T1012
T1014
T1016
T1016.001
T1016.002
T1020
T1021.005
T1021.006
T1025
T1027
T1027.001
T1027.002
T1027.003
T1027.004
T1027.007
T1027.009
T1027.010
T1027.011
T1027.013
T1027.015
T1029
T1030
T1033
T1036
T1036.001
T1036.003
T1036.004
T1036.005
T1036.008
T1037.001
T1039
T1040
T1041
T1046
T1047
T1048.003
T1049
T1053.002
T1053.003
T1053.005
T1055
T1055.001
T1055.002
T1056
T1056.001
T1056.002
T1056.004
T1057
T1059
T1059.001
T1059.002
T1059.003
T1059.004
T1059.005
T1059.006
T1059.007
T1059.010
T1059.011
T1068
T1069
T1069.001
T1070
T1070.004
T1070.006
T1070.008
T1070.009
T1071
T1071.002
T1071.003
T1071.004
T1074
T1074.001
T1078
T1082
T1083
T1087.001
T1087.002
T1090
T1090.001
T1090.002
T1090.003
T1090.004
T1091
T1095
T1102
T1102.001
T1102.002
T1102.003
T1104
T1105
T1106
T1110.001
T1111
T1112
T1113
T1114.001
T1115
T1119
T1120
T1124
T1132
T1132.001
T1132.002
T1133
T1134.001
T1134.002
T1136.001
T1140
T1176.001
T1185
T1189
T1190
T1195
T1195.001
T1195.002
T1197
T1203
T1204.001
T1204.002
T1213
T1213.003
T1213.006
T1217
T1218.003
T1218.004
T1218.005
T1218.007
T1218.010
T1218.011
T1218.015
T1219
T1221
T1222.002
T1480
T1480.001
T1485
T1497
T1497.001
T1497.003
T1499
T1505.003
T1505.004
T1518
T1518.001
T1539
T1542.003
T1543
T1543.001
T1543.002
T1543.003
T1543.004
T1546.003
T1546.015
T1546.016
T1547.001
T1547.004
T1547.006
T1547.009
T1548.001
T1548.002
T1550.001
T1550.003
T1552.001
T1552.002
T1552.004
T1553.002
T1553.004
T1553.005
T1553.006
T1554
T1555
T1555.003
T1555.004
T1557
T1559
T1559.002
T1560.001
T1560.002
T1560.003
T1564.001
T1564.005
T1564.011
T1566.001
T1566.002
T1566.003
T1567.002
T1568
T1568.001
T1568.002
T1569.002
T1571
T1572
T1573
T1573.001
T1573.002
T1574.001
T1583.003
T1584.004
T1584.006
T1587.001
T1588.004
T1598.003
T1610
T1614
T1614.001
T1620
T1622
T1653
T1657
T1678
T1680
T1685
T1690

T1001Data Obfuscation T1001.001Junk Data T1001.002Steganography T1001.003Protocol or Service Impersonation T1003OS Credential Dumping T1003.002Security Account Manager T1003.005Cached Domain Credentials T1005Data from Local System T1007System Service Discovery T1008Fallback Channels T1012Query Registry T1014Rootkit T1016System Network Configuration Discovery T1016.001Internet Connection Discovery T1016.002Wi-Fi Discovery T1020Automated Exfiltration T1021.005VNC T1021.006Windows Remote Management T1025Data from Removable Media T1027Obfuscated Files or Information T1027.001Binary Padding T1027.002Software Packing T1027.003Steganography T1027.004Compile After Delivery T1027.007Dynamic API Resolution T1027.009Embedded Payloads T1027.010Command Obfuscation T1027.011Fileless Storage T1027.013Encrypted/Encoded File T1027.015Compression T1029Scheduled Transfer T1030Data Transfer Size Limits T1033System Owner/User Discovery T1036Masquerading T1036.001Invalid Code Signature T1036.003Rename Legitimate Utilities T1036.004Masquerade Task or Service T1036.005Match Legitimate Resource Name or Location T1036.008Masquerade File Type T1037.001Logon Script (Windows)T1039Data from Network Shared Drive T1040Network Sniffing T1041Exfiltration Over C2 Channel T1046Network Service Discovery T1047Windows Management Instrumentation T1048.003Exfiltration Over Unencrypted Non-C2 Protocol T1049System Network Connections Discovery T1053.002At T1053.003Cron T1053.005Scheduled Task T1055Process Injection T1055.001Dynamic-link Library Injection T1055.002Portable Executable Injection T1056Input Capture T1056.001Keylogging T1056.002GUI Input Capture T1056.004Credential API Hooking T1057Process Discovery T1059Command and Scripting Interpreter T1059.001PowerShell T1059.002AppleScript T1059.003Windows Command Shell T1059.004Unix Shell T1059.005Visual Basic T1059.006Python T1059.007JavaScript T1059.010AutoHotKey & AutoIT T1059.011Lua T1068Exploitation for Privilege Escalation T1069Permission Groups Discovery T1069.001Local Groups T1070Indicator Removal T1070.004File Deletion T1070.006Timestomp T1070.008Clear Mailbox Data T1070.009Clear Persistence T1071Application Layer Protocol T1071.002File Transfer Protocols T1071.003Mail Protocols T1071.004DNS T1074Data Staged T1074.001Local Data Staging T1078Valid Accounts T1082System Information Discovery T1083File and Directory Discovery T1087.001Local Account T1087.002Domain Account T1090Proxy T1090.001Internal Proxy T1090.002External Proxy T1090.003Multi-hop Proxy T1090.004Domain Fronting T1091Replication Through Removable Media T1095Non-Application Layer Protocol T1102Web Service T1102.001Dead Drop Resolver T1102.002Bidirectional Communication T1102.003One-Way Communication T1104Multi-Stage Channels T1105Ingress Tool Transfer T1106Native API T1110.001Password Guessing T1111Multi-Factor Authentication Interception T1112Modify Registry T1113Screen Capture T1114.001Local Email Collection T1115Clipboard Data T1119Automated Collection T1120Peripheral Device Discovery T1124System Time Discovery T1132Data Encoding T1132.001Standard Encoding T1132.002Non-Standard Encoding T1133External Remote Services T1134.001Token Impersonation/Theft T1134.002Create Process with Token T1136.001Local Account T1140Deobfuscate/Decode Files or Information T1176.001Browser Extensions T1185Browser Session Hijacking T1189Drive-by Compromise T1190Exploit Public-Facing Application T1195Supply Chain Compromise T1195.001Compromise Software Dependencies and Development Tools T1195.002Compromise Software Supply Chain T1197BITS Jobs T1203Exploitation for Client Execution T1204.001Malicious Link T1204.002Malicious File T1213Data from Information Repositories T1213.003Code Repositories T1213.006Databases T1217Browser Information Discovery T1218.003CMSTP T1218.004InstallUtil T1218.005Mshta T1218.007Msiexec T1218.010Regsvr32 T1218.011Rundll32 T1218.015Electron Applications T1219Remote Access Tools T1221Template Injection T1222.002Linux and Mac Permissions T1480Execution Guardrails T1480.001Environmental Keying T1485Data Destruction T1497Virtualization/Sandbox Evasion T1497.001System Checks T1497.003Time Based Checks T1499Endpoint Denial of Service T1505.003Web Shell T1505.004IIS Components T1518Software Discovery T1518.001Security Software Discovery T1539Steal Web Session Cookie T1542.003Bootkit T1543Create or Modify System Process T1543.001Launch Agent T1543.002Systemd Service T1543.003Windows Service T1543.004Launch Daemon T1546.003Windows Management Instrumentation Event Subscription T1546.015Component Object Model Hijacking T1546.016Installer Packages T1547.001Registry Run Keys / Startup Folder T1547.004Winlogon Helper DLL T1547.006Kernel Modules and Extensions T1547.009Shortcut Modification T1548.001Setuid and Setgid T1548.002Bypass User Account Control T1550.001Application Access Token T1550.003Pass the Ticket T1552.001Credentials In Files T1552.002Credentials in Registry T1552.004Private Keys T1553.002Code Signing T1553.004Install Root Certificate T1553.005Mark-of-the-Web Bypass T1553.006Code Signing Policy Modification T1554Compromise Host Software Binary T1555Credentials from Password Stores T1555.003Credentials from Web Browsers T1555.004Windows Credential Manager T1557Adversary-in-the-Middle T1559Inter-Process Communication T1559.002Dynamic Data Exchange T1560.001Archive via Utility T1560.002Archive via Library T1560.003Archive via Custom Method T1564.001Hidden Files and Directories T1564.005Hidden File System T1564.011Ignore Process Interrupts T1566.001Spearphishing Attachment T1566.002Spearphishing Link T1566.003Spearphishing via Service T1567.002Exfiltration to Cloud Storage T1568Dynamic Resolution T1568.001Fast Flux DNS T1568.002Domain Generation Algorithms T1569.002Service Execution T1571Non-Standard Port T1572Protocol Tunneling T1573Encrypted Channel T1573.001Symmetric Cryptography T1573.002Asymmetric Cryptography T1574.001DLL T1583.003Virtual Private Server T1584.004Server T1584.006Web Services T1587.001Malware T1588.004Digital Certificates T1598.003Spearphishing Link T1610Deploy Container T1614System Location Discovery T1614.001System Language Discovery T1620Reflective Code Loading T1622Debugger Evasion T1653Power Settings T1657Financial Theft T1678Delay Execution T1680Local Storage Discovery T1685Disable or Modify Tools T1690Prevent Command History Logging

Loading AttackTrace...

Executive Summary

Why Attackers Use It

MITRE Description

Attack Flow

Attacker gains the prerequisite access or context described below.
Attacker executes Web Protocols to achieve its tactical objective (Command and Control).
Resulting access/data/effect is leveraged to advance the broader attack chain (see Related Techniques).

Prerequisites

Platform(s): ESXi, Linux, macOS, Network Devices, Windows
ATT&CK does not define one universal permission requirement for this technique. Establish the required access from the observed implementation and affected platform.

Common Tools

Tool attribution is implementation-specific. Use ATT&CK procedure examples and local telemetry to identify the binaries, services, scripts, accounts, or cloud resources involved.

Commands

Network Traffic

Network observability is implementation-dependent. Review DNS, proxy, firewall, flow, authentication, and packet telemetry around the activity window, then correlate remote endpoints and protocol behavior with host evidence.

Windows Events

Event ID	Log Channel	What It Indicates
Environment-specific	Relevant Windows channel(s)	Correlate authentication, process, object-access, and configuration events with the observed execution context.

Sysmon Events

Sysmon Event ID	Name	Why It's Relevant Here
Environment-specific	Validate configured telemetry	Use process, network, file, registry, DNS, or image-load telemetry only when relevant and enabled.

Detection Opportunities

No MITRE detection guidance published for this technique.

Relevant ATT&CK Data Sources: N/A

Sigma Rules

Splunk Queries

Investigation Workflow

Confirm that the observed behavior is consistent with Web Protocols and rule out expected administrative or application activity.
Establish the first-seen time, initiating identity, source system, target system, and affected resources.
Collect relevant host, identity, network, cloud, and application telemetry for the surrounding time window.
Correlate parent and child activity, remote connections, file or configuration changes, and related ATT&CK techniques.
Determine scope by searching for the same observable across peer assets and identities.
Preserve volatile evidence and record confidence, assumptions, and telemetry gaps before containment.

Containment

Isolate affected host(s)/account(s) identified during investigation.
Revoke or rotate any credentials/tokens potentially exposed.
Apply the mitigations listed below where not already enforced.
Validate no related techniques (see Related Techniques) were chained against the same asset.

Mitigation

M1031 -- Network Intrusion Prevention: Use intrusion detection signatures to block traffic at network boundaries.
M1037 -- Filter Network Traffic: Employ network appliances and endpoint software to filter ingress, egress, and lateral network traffic.

Related Techniques

T1001
T1001.001
T1001.002
T1001.003
T1003
T1003.002
T1003.005
T1005
T1007
T1008
T1012
T1014
T1016
T1016.001
T1016.002
T1020
T1021.005
T1021.006
T1025
T1027
T1027.001
T1027.002
T1027.003
T1027.004
T1027.007
T1027.009
T1027.010
T1027.011
T1027.013
T1027.015
T1029
T1030
T1033
T1036
T1036.001
T1036.003
T1036.004
T1036.005
T1036.008
T1037.001
T1039
T1040
T1041
T1046
T1047
T1048.003
T1049
T1053.002
T1053.003
T1053.005
T1055
T1055.001
T1055.002
T1056
T1056.001
T1056.002
T1056.004
T1057
T1059
T1059.001
T1059.002
T1059.003
T1059.004
T1059.005
T1059.006
T1059.007
T1059.010
T1059.011
T1068
T1069
T1069.001
T1070
T1070.004
T1070.006
T1070.008
T1070.009
T1071
T1071.002
T1071.003
T1071.004
T1074
T1074.001
T1078
T1082
T1083
T1087.001
T1087.002
T1090
T1090.001
T1090.002
T1090.003
T1090.004
T1091
T1095
T1102
T1102.001
T1102.002
T1102.003
T1104
T1105
T1106
T1110.001
T1111
T1112
T1113
T1114.001
T1115
T1119
T1120
T1124
T1132
T1132.001
T1132.002
T1133
T1134.001
T1134.002
T1136.001
T1140
T1176.001
T1185
T1189
T1190
T1195
T1195.001
T1195.002
T1197
T1203
T1204.001
T1204.002
T1213
T1213.003
T1213.006
T1217
T1218.003
T1218.004
T1218.005
T1218.007
T1218.010
T1218.011
T1218.015
T1219
T1221
T1222.002
T1480
T1480.001
T1485
T1497
T1497.001
T1497.003
T1499
T1505.003
T1505.004
T1518
T1518.001
T1539
T1542.003
T1543
T1543.001
T1543.002
T1543.003
T1543.004
T1546.003
T1546.015
T1546.016
T1547.001
T1547.004
T1547.006
T1547.009
T1548.001
T1548.002
T1550.001
T1550.003
T1552.001
T1552.002
T1552.004
T1553.002
T1553.004
T1553.005
T1553.006
T1554
T1555
T1555.003
T1555.004
T1557
T1559
T1559.002
T1560.001
T1560.002
T1560.003
T1564.001
T1564.005
T1564.011
T1566.001
T1566.002
T1566.003
T1567.002
T1568
T1568.001
T1568.002
T1569.002
T1571
T1572
T1573
T1573.001
T1573.002
T1574.001
T1583.003
T1584.004
T1584.006
T1587.001
T1588.004
T1598.003
T1610
T1614
T1614.001
T1620
T1622
T1653
T1657
T1678
T1680
T1685
T1690

Executive Summary

Why Attackers Use It

MITRE Description

Attack Flow

Prerequisites

Common Tools

Commands

Network Traffic

Windows Events

Sysmon Events

Detection Opportunities

Sigma Rules

Splunk Queries

Investigation Workflow

Containment

Mitigation

Related Techniques

Related techniques

Executive Summary

Why Attackers Use It

MITRE Description

Attack Flow

Prerequisites

Common Tools

Commands

Network Traffic

Windows Events

Sysmon Events

Detection Opportunities

Sigma Rules

Splunk Queries

Investigation Workflow

Containment

Mitigation

Related Techniques

Related techniques