Web Protocols

Information

• Name: Web Protocols

• ID: T1071.001

• Tactics: TA0011

• Technique: T1071

Introduction

Web Protocols [T1071.001] is a sub-technique within MITRE ATT&CK's Command and Control (C2) tactic. It involves adversaries leveraging standard web protocols, such as HTTP and HTTPS, to communicate with compromised systems. Using these common protocols enables attackers to blend malicious traffic with legitimate web traffic, reducing the likelihood of detection and evading security measures.

Deep Dive Into Technique

Adversaries frequently exploit web protocols due to their widespread use, availability, and general trustworthiness within networks. The primary protocols targeted are:

• HTTP (Hypertext Transfer Protocol):

  • Attackers may use unencrypted HTTP requests and responses to transmit commands, exfiltrate data, or download additional payloads.

  • Malicious HTTP traffic often mimics legitimate browsing behavior, using standard HTTP methods (GET, POST) and headers to evade detection.

• HTTPS (HTTP Secure):

  • HTTPS encrypts web traffic using SSL/TLS, making it challenging for defenders to inspect traffic content.

  • Attackers utilize HTTPS to securely communicate with compromised hosts, issue commands, and exfiltrate sensitive data without triggering alerts.

Common execution methods and mechanisms include:

• Beaconing and Polling:

  • Malware periodically contacts a remote server using HTTP/HTTPS requests to check for commands or updates.

  • Communication intervals often randomized to evade detection.

• Web Shells:

  • Attackers deploy web shells on compromised web servers to maintain persistent remote access.

  • Web shells typically leverage HTTP/HTTPS for command execution and file transfers.

• Domain Fronting:

  • Attackers use legitimate CDN (Content Delivery Networks) domains to mask malicious traffic, making detection and blocking difficult.

  • The actual malicious command-and-control server is hidden behind trusted domains.

• Custom HTTP Headers and Cookies:

  • Attackers embed commands and data within HTTP headers or cookies, disguising malicious traffic as legitimate HTTP requests.

When this Technique is Usually Used

Attackers commonly exploit web protocols throughout various stages of the cyber kill chain, including:

• Initial Access:

  • Exploiting web-facing vulnerabilities to gain initial foothold.

  • Delivering malware payloads via HTTP/HTTPS downloads.

• Command and Control (C2):

  • Establishing persistent communication channels between compromised hosts and attacker-controlled servers.

  • Issuing commands, updating malware configurations, and managing compromised endpoints.

• Data Exfiltration:

  • Transferring stolen data via HTTP/HTTPS POST requests or embedded in web traffic.

  • Utilizing encrypted HTTPS channels to conceal sensitive data exfiltration.

• Persistence and Lateral Movement:

  • Deploying web shells or malicious scripts accessible via web protocols to maintain persistent access.

  • Leveraging internal web services for lateral movement within the network.

How this Technique is Usually Detected

Effective detection of malicious web protocol usage involves multiple methods and tools, including:

• Network Traffic Analysis:

  • Monitoring for abnormal HTTP/HTTPS traffic patterns, such as unusual connection intervals, beaconing behavior, or anomalous request sizes.

  • Identifying unusual HTTP headers, cookies, or methods that deviate from standard user behavior.

• SSL/TLS Inspection and Decryption:

  • Deploying SSL inspection proxies to decrypt HTTPS traffic, enabling analysis of encrypted data streams.

  • Identifying suspicious certificates, unusual TLS negotiation patterns, or self-signed certificates.

• Endpoint Detection and Response (EDR):

  • Detecting suspicious processes initiating HTTP/HTTPS connections to unknown or malicious domains.

  • Analyzing endpoint logs for signs of web shells or unauthorized web server modifications.

• Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS):

  • Utilizing signatures and anomaly detection rules to identify known malicious HTTP/HTTPS traffic.

  • Monitoring for known web shell signatures or suspicious URI patterns.

• Threat Intelligence Feeds:

  • Leveraging updated threat intelligence databases to identify known malicious IP addresses, domains, or URLs involved in web protocol-based attacks.

Specific Indicators of Compromise (IoCs) include:

• Suspicious domain names or IP addresses in HTTP/HTTPS connections.

• Unusual HTTP request methods (e.g., uncommon verbs such as PUT, DELETE, OPTIONS).

• Frequent, periodic, or anomalous web traffic patterns indicative of beaconing.

• Presence of known web shell filenames or suspicious scripts on web servers.

• Abnormal user-agent strings or headers in HTTP requests.

Why it is Important to Detect This Technique

Early detection of malicious use of web protocols is crucial due to significant potential impacts, including:

• Data Theft and Exfiltration:

  • Attackers frequently leverage web protocols to quietly exfiltrate sensitive information, intellectual property, or confidential data.

  • Early detection reduces the risk of data breaches and associated financial, legal, and reputational damages.

• Persistent Access and Control:

  • Web shells and HTTP-based malware can provide attackers persistent and stealthy access to compromised systems.

  • Early identification and removal prevent prolonged unauthorized access and further malicious activities.

• Lateral Movement and Network Compromise:

  • Attackers may exploit internal web services, leveraging HTTP/HTTPS traffic to move laterally within a network.

  • Detecting abnormal web protocol usage prevents attackers from expanding their foothold and compromising additional systems.

• Regulatory Compliance and Security Standards:

  • Organizations must comply with regulatory standards requiring monitoring, detection, and reporting of malicious activities.

  • Failure to detect and respond to web-protocol-based attacks can result in compliance violations and penalties.

• Resource Misuse and Service Disruption:

  • Attackers may misuse web servers or network resources for malicious purposes, leading to degraded service performance or outages.

  • Early detection helps maintain operational stability and ensures resource availability.

Examples

Real-world examples of adversaries leveraging web protocols include:

• APT29 (Cozy Bear):

  • Utilized domain fronting techniques over HTTPS to hide command-and-control traffic behind legitimate cloud services.

  • Leveraged HTTP/S for stealthy command-and-control communication, complicating detection and attribution.

• China Chopper Web Shell:

  • Lightweight web shell widely used by threat actors to maintain persistent HTTP/HTTPS-based remote access.

  • Enabled attackers to execute commands, upload/download files, and pivot within compromised networks.

• Emotet Malware:

  • Used HTTP/HTTPS for command-and-control communications, payload delivery, and data exfiltration.

  • Regularly rotated domains and IP addresses, complicating detection and blocking efforts.

• Cobalt Strike Framework:

  • Popular penetration testing tool frequently abused by threat actors to establish HTTP/HTTPS-based C2 channels.

  • Provided flexible options for attackers to customize HTTP headers, URIs, and beaconing intervals to evade detection.

• SUNBURST (SolarWinds) Attack:

  • Attackers leveraged HTTP/HTTPS protocols to communicate with compromised systems, blending malicious traffic with legitimate SolarWinds Orion software updates.

  • Demonstrated sophisticated use of web protocols to evade detection and establish persistent and stealthy access.

Each of these examples highlights the diverse ways attackers exploit web protocols to achieve their objectives while avoiding detection, underscoring the importance of proactive monitoring and robust detection strategies.