T1071.001

Web Protocols

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as HTTP/S and WebSocket that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

Microsoft Sentinel / Defender

kusto

let TimeWindow = 24h;
let SuspiciousUserAgents = dynamic([
  "Mozilla/5.0 (compatible; MSIE 9.0", "Mozilla/4.0 (compatible; MSIE 7.0",
  "MALC", "WinHTTP", "Go-http-client", "python-requests",
  "Java/1.", "CobaltStrike", "Wget", "curl/7"
]);
// Detect HTTP/HTTPS beaconing and suspicious web protocol C2
DeviceNetworkEvents
| where Timestamp > ago(TimeWindow)
| where RemotePort in (80, 443, 8080, 8443)
| where RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
| summarize
    ConnectionCount = count(),
    BytesSent = sum(SentBytes),
    BytesReceived = sum(ReceivedBytes),
    UniqueURLs = dcount(RemoteUrl),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort
| extend Duration = datetime_diff('second', LastSeen, FirstSeen)
| extend AvgInterval = iff(ConnectionCount > 1, Duration / (ConnectionCount - 1), 0)
| where ConnectionCount > 15
| where AvgInterval between (1 .. 900)
| extend SentRecvRatio = iff(BytesReceived > 0, toreal(BytesSent) / toreal(BytesReceived), 999.0)
| extend BeaconConfidence = case(
    AvgInterval between (55 .. 65), "high",
    AvgInterval between (295 .. 305), "high",
    AvgInterval between (895 .. 905), "high",
    ConnectionCount > 100 and AvgInterval < 120, "high",
    "medium")
| project LastSeen, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, ConnectionCount, AvgInterval, BytesSent, BytesReceived, SentRecvRatio, BeaconConfidence
| sort by ConnectionCount desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Content Network Traffic: Network Traffic Flow Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Browser tabs with auto-refresh or long-polling (e.g., dashboards, social media feeds, stock tickers)
Cloud sync clients (OneDrive, Dropbox, Google Drive) that poll for changes at regular intervals
Software update mechanisms (WSUS, SCCM, apt-get) performing periodic HTTP checks
Monitoring agents and health-check probes sending heartbeats to SaaS management consoles

Splunk

spl

index=proxy OR index=web sourcetype IN ("stream:http", "squid", "bluecoat:proxysg:access:syslog", "pan:traffic")
  (dest_port=80 OR dest_port=443 OR dest_port=8080 OR dest_port=8443)
  action=allowed
  NOT (dest_ip="10.*" OR dest_ip="172.16.*" OR dest_ip="192.168.*" OR dest_ip="127.*")
| bin _time span=1m
| stats count as RequestCount, sum(bytes_out) as BytesSent, sum(bytes_in) as BytesReceived, dc(url) as UniqueURLs, earliest(_time) as FirstSeen, latest(_time) as LastSeen, values(http_user_agent) as UserAgents by src_ip, dest_ip, dest_port
| eval Duration=LastSeen-FirstSeen
| eval AvgInterval=if(RequestCount>1, Duration/(RequestCount-1), 0)
| where RequestCount > 15 AND AvgInterval > 1 AND AvgInterval < 900
| eval SentRecvRatio=if(BytesReceived>0, round(BytesSent/BytesReceived, 2), 999)
| eval BeaconConfidence=case(
    (AvgInterval >= 55 AND AvgInterval <= 65), "high",
    (AvgInterval >= 295 AND AvgInterval <= 305), "high",
    (AvgInterval >= 895 AND AvgInterval <= 905), "high",
    RequestCount > 100 AND AvgInterval < 120, "high",
    1=1, "medium")
| eval SuspiciousUA=if(match(mvindex(UserAgents,0), "(?i)(MALC|Go-http-client|python-requests|CobaltStrike|Java/1\.|WinHTTP)"), "yes", "no")
| table FirstSeen, LastSeen, src_ip, dest_ip, dest_port, RequestCount, AvgInterval, BytesSent, BytesReceived, SentRecvRatio, BeaconConfidence, SuspiciousUA, UserAgents
| sort - RequestCount

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Content Network Traffic: Network Traffic Flow Proxy Logs Web Logs

Required Sourcetypes

stream:http squid bluecoat:proxysg:access:syslog pan:traffic

False Positives

Browser tabs with auto-refresh or long-polling (e.g., dashboards, social media feeds, stock tickers)
Cloud sync clients (OneDrive, Dropbox, Google Drive) that poll for changes at regular intervals
Software update mechanisms (WSUS, SCCM, apt-get) performing periodic HTTP checks
Monitoring agents and health-check probes sending heartbeats to SaaS management consoles

Elastic Security (EQL)

eql

FROM logs-endpoint.network-*, logs-network_traffic.*
| WHERE @timestamp > NOW() - 24h
| WHERE event.type == "connection" AND event.outcome == "success"
| WHERE destination.port IN (80, 443, 8080, 8443)
| WHERE NOT CIDR_MATCH(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
| WHERE destination.ip IS NOT NULL AND process.name IS NOT NULL
| STATS
    connection_count = COUNT(*),
    bytes_sent = SUM(source.bytes),
    bytes_received = SUM(destination.bytes),
    first_seen = MIN(@timestamp),
    last_seen = MAX(@timestamp),
    unique_urls = COUNT_DISTINCT(url.full)
    BY host.hostname, process.name, destination.ip, destination.port
| EVAL duration_seconds = DATE_DIFF("second", first_seen, last_seen)
| EVAL avg_interval = CASE(connection_count > 1, TO_DOUBLE(duration_seconds) / TO_DOUBLE(connection_count - 1), 0.0)
| EVAL sent_recv_ratio = CASE(bytes_received > 0, TO_DOUBLE(bytes_sent) / TO_DOUBLE(bytes_received), 999.0)
| WHERE connection_count > 15 AND avg_interval > 1 AND avg_interval < 900
| EVAL beacon_confidence = CASE(
    avg_interval >= 55 AND avg_interval <= 65, "high",
    avg_interval >= 295 AND avg_interval <= 305, "high",
    avg_interval >= 895 AND avg_interval <= 905, "high",
    connection_count > 100 AND avg_interval < 120, "high",
    "medium"
  )
| KEEP host.hostname, process.name, destination.ip, destination.port, connection_count, avg_interval, bytes_sent, bytes_received, sent_recv_ratio, beacon_confidence, first_seen, last_seen
| SORT connection_count DESC

high severity high confidence

Data Sources

Elastic Endpoint Security (Elastic Agent) Elastic Network Traffic Integration (Zeek / Packetbeat) Elastic Common Schema normalized proxy or firewall logs

Required Tables

logs-endpoint.network-* logs-network_traffic.*

False Positives

Software update agents such as Windows Update, Chrome auto-update, or antivirus definition services making regular HTTP check-in connections to CDN endpoints at fixed intervals will trigger high connection counts and consistent average intervals
Application performance monitoring agents (Datadog, New Relic, Dynatrace) sending periodic telemetry heartbeats every 60 or 300 seconds to cloud collection endpoints will match the high-confidence beacon interval thresholds
Video conferencing and collaboration platforms (Zoom, Microsoft Teams, Slack) maintaining persistent HTTP long-poll or WebSocket keep-alive connections with regular renegotiation packets to regional infrastructure will accumulate high connection counts

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(MIN(starttime), 'yyyy-MM-dd HH:mm:ss') AS FirstSeen,
  DATEFORMAT(MAX(starttime), 'yyyy-MM-dd HH:mm:ss') AS LastSeen,
  sourceip,
  destinationip,
  destinationport,
  COUNT(*) AS RequestCount,
  SUM(LONG("bytesout")) AS BytesSent,
  SUM(LONG("bytesin")) AS BytesReceived,
  ((MAX(starttime) - MIN(starttime)) / 1000) AS DurationSeconds,
  CASE
    WHEN COUNT(*) > 1 THEN ((MAX(starttime) - MIN(starttime)) / 1000) / (COUNT(*) - 1)
    ELSE 0
  END AS AvgIntervalSeconds,
  CASE
    WHEN (CASE WHEN COUNT(*) > 1 THEN ((MAX(starttime) - MIN(starttime)) / 1000) / (COUNT(*) - 1) ELSE 0 END) BETWEEN 55 AND 65 THEN 'high'
    WHEN (CASE WHEN COUNT(*) > 1 THEN ((MAX(starttime) - MIN(starttime)) / 1000) / (COUNT(*) - 1) ELSE 0 END) BETWEEN 295 AND 305 THEN 'high'
    WHEN (CASE WHEN COUNT(*) > 1 THEN ((MAX(starttime) - MIN(starttime)) / 1000) / (COUNT(*) - 1) ELSE 0 END) BETWEEN 895 AND 905 THEN 'high'
    WHEN COUNT(*) > 100 THEN 'high'
    ELSE 'medium'
  END AS BeaconConfidence
FROM events
WHERE destinationport IN (80, 443, 8080, 8443)
  AND (eventdirection = 'L2R' OR eventdirection = 'R2R')
  AND NOT (
    destinationip LIKE '10.%'
    OR destinationip LIKE '172.16.%' OR destinationip LIKE '172.17.%'
    OR destinationip LIKE '172.18.%' OR destinationip LIKE '172.19.%'
    OR destinationip LIKE '172.20.%' OR destinationip LIKE '172.21.%'
    OR destinationip LIKE '172.22.%' OR destinationip LIKE '172.23.%'
    OR destinationip LIKE '172.24.%' OR destinationip LIKE '172.25.%'
    OR destinationip LIKE '172.26.%' OR destinationip LIKE '172.27.%'
    OR destinationip LIKE '172.28.%' OR destinationip LIKE '172.29.%'
    OR destinationip LIKE '172.30.%' OR destinationip LIKE '172.31.%'
    OR destinationip LIKE '192.168.%'
    OR destinationip LIKE '127.%'
  )
GROUP BY sourceip, destinationip, destinationport
HAVING COUNT(*) > 15
  AND CASE WHEN COUNT(*) > 1 THEN ((MAX(starttime) - MIN(starttime)) / 1000) / (COUNT(*) - 1) ELSE 0 END BETWEEN 1 AND 900
ORDER BY RequestCount DESC
LAST 24 HOURS

high severity high confidence

Data Sources

QRadar Network Activity (NetFlow/IPFIX) Proxy log sources (Blue Coat ProxySG, Squid, Zscaler) Firewall log sources (Palo Alto, Fortinet, Check Point) IBM QRadar Network Insights

Required Tables

events

False Positives

Enterprise backup agents (Veeam, Commvault, Veritas) performing regular incremental backup check-ins to cloud storage providers at scheduled intervals will produce consistent high-frequency connections to fixed external IPs
SSL/TLS OCSP stapling and certificate revocation check services creating regular short-lived connections to certificate authority infrastructure at predictable intervals tied to certificate validity windows
Corporate endpoint management agents (Microsoft Intune, JAMF, IBM BigFix) polling cloud management servers at fixed intervals for policy updates and compliance status will exhibit near-identical beacon intervals across all enrolled devices

Sumo Logic CSE

sql

(_sourceCategory=proxy OR _sourceCategory=network/web OR _sourceCategory=firewall/traffic OR _sourceCategory=zeek)
| where !(dest_ip matches "10.*"
  or dest_ip matches "172.1[6-9].*"
  or dest_ip matches "172.2[0-9].*"
  or dest_ip matches "172.3[01].*"
  or dest_ip matches "192.168.*"
  or dest_ip matches "127.*")
| where dest_port in (80, 443, 8080, 8443)
| where !(action matches "*denied*" or action matches "*blocked*" or action matches "*reject*")
| timeslice 1d
| stats count as RequestCount,
        sum(bytes_out) as BytesSent,
        sum(bytes_in) as BytesReceived,
        min(_messageTime) as FirstSeen,
        max(_messageTime) as LastSeen
        by src_ip, dest_ip, dest_port, _timeslice
| where RequestCount > 15
| eval DurationMs = toLong(LastSeen) - toLong(FirstSeen)
| eval DurationSec = DurationMs / 1000
| eval AvgIntervalSec = if(RequestCount > 1, DurationSec / (RequestCount - 1), 0)
| where AvgIntervalSec > 1 and AvgIntervalSec < 900
| eval SentRecvRatio = if(BytesReceived > 0, round(BytesSent / BytesReceived, 2), 999)
| eval BeaconConfidence = if(
    (AvgIntervalSec >= 55 and AvgIntervalSec <= 65)
    or (AvgIntervalSec >= 295 and AvgIntervalSec <= 305)
    or (AvgIntervalSec >= 895 and AvgIntervalSec <= 905)
    or (RequestCount > 100 and AvgIntervalSec < 120),
    "high", "medium")
| fields src_ip, dest_ip, dest_port, RequestCount, AvgIntervalSec, BytesSent, BytesReceived, SentRecvRatio, BeaconConfidence, FirstSeen, LastSeen
| sort by RequestCount desc

high severity high confidence

Data Sources

Sumo Logic Proxy Source (Blue Coat, Zscaler NSS, Squid) Palo Alto Networks App for Sumo Logic Zeek (Bro) conn.log via Sumo Logic collector Fortinet FortiGate App Check Point App for Sumo Logic

Required Tables

_sourceCategory=proxy _sourceCategory=network/web _sourceCategory=firewall/traffic

False Positives

Cloud-hosted SaaS health check services and uptime monitors (PagerDuty agents, Datadog synthetic checks) performing frequent HTTP probes from monitored hosts to external endpoints will produce high request counts with consistent intervals
Browser extensions performing periodic background sync operations (password managers, bookmark sync, extension update checks) creating regular low-volume HTTP connections to vendor APIs from every desktop endpoint in the environment
IoT and OT devices with embedded HTTP clients performing regular telemetry uploads to vendor cloud infrastructure on fixed duty cycles — particularly common with smart building systems, HVAC controllers, and networked printers

Google Chronicle / SecOps

yaral

rule t1071_001_http_https_beaconing {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects HTTP/HTTPS beaconing to external IPs indicative of C2 over web protocols (T1071.001). Counts outbound TCP connections per source host to each unique external destination on web ports within a 1-hour window and alerts when the count exceeds 15."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1071.001"
    mitre_attack_technique_name = "Application Layer Protocol: Web Protocols"
    false_positives = "Update agents, telemetry services, monitoring tools, CDN health probes"
    version = "1.1"
    created = "2024-01-01"

  events:
    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.network.ip_protocol = "TCP"
    $net.target.port in (80, 443, 8080, 8443)
    not re.regex($net.target.ip, `^10\.`)
    not re.regex($net.target.ip, `^172\.(1[6-9]|2[0-9]|3[01])\.`)
    not re.regex($net.target.ip, `^192\.168\.`)
    not re.regex($net.target.ip, `^127\.`)
    not re.regex($net.target.ip, `^::1$`)
    not re.regex($net.target.ip, `^fe80:`)
    $net.principal.ip = $src_ip
    $net.target.ip = $dst_ip
    $net.target.port = $dst_port
    $net.principal.hostname = $hostname

  match:
    $src_ip, $dst_ip, $dst_port, $hostname over 1h

  condition:
    #net > 15
}

high severity high confidence

Data Sources

Chronicle UDM NETWORK_CONNECTION events Palo Alto Networks via Chronicle ingestion API CrowdStrike Falcon via Chronicle forwarder Google Cloud firewall logs (VPC flow) Zscaler Internet Access via Chronicle connector

Required Tables

UDM events with metadata.event_type = NETWORK_CONNECTION

False Positives

CDN health probes and edge-node reachability checks performed by load balancers and reverse proxy infrastructure creating high-frequency regular connections to external monitoring and anycast endpoints will easily exceed the 15-connection threshold
Enterprise single sign-on and identity provider integrations (Okta, Azure AD, Ping Identity) making frequent token validation, OCSP, and metadata refresh requests to cloud identity platforms during active user sessions on shared workstations
Streaming media clients and conferencing platforms maintaining active sessions with regular TCP re-establishment or SIP-over-HTTP signaling heartbeats to regional media infrastructure will match the pattern, especially at 60-second keep-alive intervals

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "NetworkConnectIP4"
| RemotePort in (80, 443, 8080, 8443)
| RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| groupBy(
    [ComputerName, ImageFileName, RemoteAddressIP4, RemotePort],
    function=[
      count(as=ConnectionCount),
      min(field=@timestamp, as=FirstSeenMs),
      max(field=@timestamp, as=LastSeenMs)
    ],
    limit=max
  )
| DurationSec := (LastSeenMs - FirstSeenMs) / 1000
| AvgIntervalSec := if(
    ConnectionCount > 1,
    DurationSec / (ConnectionCount - 1),
    0
  )
| where ConnectionCount > 15
| where AvgIntervalSec > 1 AND AvgIntervalSec < 900
| BeaconConfidence := if(
    (AvgIntervalSec >= 55 AND AvgIntervalSec <= 65)
    OR (AvgIntervalSec >= 295 AND AvgIntervalSec <= 305)
    OR (AvgIntervalSec >= 895 AND AvgIntervalSec <= 905),
    "high",
    if(ConnectionCount > 100 AND AvgIntervalSec < 120, "high", "medium")
  )
| sort(field=ConnectionCount, order=desc, limit=200)
| select(
    [ComputerName, ImageFileName, RemoteAddressIP4, RemotePort,
     ConnectionCount, AvgIntervalSec, DurationSec,
     BeaconConfidence, FirstSeenMs, LastSeenMs]
  )

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor (NetworkConnectIP4 telemetry) Falcon LogScale (Humio) SIEM repository Falcon Data Replicator (FDR) S3 export (optional)

Required Tables

NetworkConnectIP4 (#event_simpleName=NetworkConnectIP4)

False Positives

Endpoint security agents including the Falcon sensor itself, third-party AV clients, and DLP agents making regular check-ins to vendor cloud infrastructure for signature updates, threat intelligence feeds, and policy synchronization at predictable intervals
Developer toolchains and package managers (npm, pip, cargo, Go module proxy) performing dependency resolution and registry health checks against public package repositories during automated CI/CD pipelines running on developer workstations
Business intelligence and analytics platforms (Tableau Desktop, Power BI, Grafana agents) performing scheduled data refresh connections to cloud data sources and APIs at fixed intervals configured by end users or administrators

Last updated: 2026-04-13 Research depth: deep

References (7)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1071.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1071Application Layer Protocol

Related Sub-techniques

T1071.002File Transfer Protocols T1071.003Mail Protocols T1071.004DNS T1071.005Publish/Subscribe Protocols

Web Protocols

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Command and Control

Popular Detections