Detect Web Protocols in Google Chronicle
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as HTTP/S and WebSocket that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
MITRE ATT&CK
- Tactic: Command and Control
- Technique: T1071 Application Layer Protocol
- Sub-technique: T1071.001 Web Protocols
- Canonical reference: https://attack.mitre.org/techniques/T1071/001/
YARA-L Detection Query

```
rule t1071_001_http_https_beaconing {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects HTTP/HTTPS beaconing to external IPs indicative of C2 over web protocols (T1071.001). Counts outbound TCP connections per source host to each unique external destination on web ports within a 1-hour window and alerts when the count exceeds 15."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1071.001"
    mitre_attack_technique_name = "Application Layer Protocol: Web Protocols"
    false_positives = "Update agents, telemetry services, monitoring tools, CDN health probes"
    version = "1.1"
    created = "2024-01-01"

  events:
    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.network.ip_protocol = "TCP"
    $net.target.port in (80, 443, 8080, 8443)
    // Exclude private, loopback and link-local destinations so only external traffic is counted
    not re.regex($net.target.ip, `^10\.`)
    not re.regex($net.target.ip, `^172\.(1[6-9]|2[0-9]|3[01])\.`)
    not re.regex($net.target.ip, `^192\.168\.`)
    not re.regex($net.target.ip, `^127\.`)
    not re.regex($net.target.ip, `^::1$`)
    not re.regex($net.target.ip, `^fe80:`)
    $net.principal.ip = $src_ip
    $net.target.ip = $dst_ip
    $net.target.port = $dst_port
    $net.principal.hostname = $hostname

  match:
    $src_ip, $dst_ip, $dst_port, $hostname over 1h

  condition:
    #net > 15
}
```

Chronicle YARA-L 2.0 detection rule that triggers when a single source host makes more than 15 outbound TCP connections to the same external destination IP and port on web ports (80, 443, 8080, 8443) within a 1-hour sliding window. The match clause groups events by source IP, destination IP, destination port, and hostname, and the condition count threshold mirrors the beaconing threshold used in the reference KQL and SPL queries. YARA-L does not natively compute average intervals; complement this rule with Chronicle's UEBA or ML-based detections for interval regularity scoring. Requires network telemetry normalized to UDM NETWORK_CONNECTION events via Chronicle ingestion (firewall, proxy, or EDR forwarders).
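The following is an added example, not the page's or the rule author's code: it replays the rule's events/match/condition logic in Python over constructed UDM-style connection records, and adds the interval-regularity score the text says YARA-L cannot compute natively. The record layout, sample hosts and IPs are assumptions constructed for the example; the loopback records mirror the Atomic tests above, which target 127.0.0.1 and are therefore dropped by the rule's `^127\.` exclusion before counting.

```python
"""Added example, not the page's own code: replays the YARA-L rule's counting
logic over constructed UDM-style NETWORK_CONNECTION records and adds the
interval-regularity score that the text says YARA-L cannot compute natively."""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

WEB_PORTS = {80, 443, 8080, 8443}
WINDOW, THRESHOLD = 3600, 15          # "over 1h" and "#net > 15"
# Same exclusions as the rule's six regexes (fe80::/16 mirrors the `^fe80:` prefix test).
EXCLUDED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fe80::/16")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in EXCLUDED)

def regularity(timestamps):
    """Coefficient of variation of inter-connection gaps: ~0 means clock-like beaconing."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else None

def detect(events):
    """events: (epoch_seconds, src_ip, hostname, dst_ip, dst_port) tuples (assumed layout).
    Returns one alert per match key whose count in some 1h sliding window exceeds THRESHOLD."""
    groups = defaultdict(list)
    for ts, src, host, dst, port in events:
        if port in WEB_PORTS and is_external(dst):      # events: section
            groups[(src, dst, port, host)].append(ts)    # match: section
    alerts = []
    for key, ts_list in groups.items():
        ts_list.sort()
        best, start = 0, 0
        for end in range(len(ts_list)):                   # sliding 1h window
            while ts_list[end] - ts_list[start] >= WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best > THRESHOLD:                              # condition: section
            alerts.append({"key": key, "count": best, "cv": regularity(ts_list)})
    return alerts

# Constructed sample: a 60s beacon, bursty browsing to a second external host, and a
# loopback target like the Atomic tests use (dropped by the ^127\. exclusion).
SAMPLE = ([(t * 60, "10.1.2.3", "ws01", "203.0.113.10", 443) for t in range(20)]
          + [(t * t * 7, "10.1.2.3", "ws01", "198.51.100.5", 80) for t in range(16)]
          + [(t * 10, "10.1.2.3", "ws01", "127.0.0.1", 80) for t in range(20)])

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)                 # both external keys fire; only the beacon has cv == 0.0
```

Both external destinations exceed the count threshold, so the `cv` field is what separates the clock-like beacon (0.0) from ordinary bursty browsing (about 0.58); that is the interval-regularity check the rule itself cannot express.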
False Positives & Tuning
- CDN health probes and edge-node reachability checks performed by load balancers and reverse proxy infrastructure create high-frequency, regular connections to external monitoring and anycast endpoints, and will easily exceed the 15-connection threshold.
- Enterprise single sign-on and identity provider integrations (Okta, Azure AD, Ping Identity) make frequent token validation, OCSP, and metadata refresh requests to cloud identity platforms during active user sessions on shared workstations.
- Streaming media clients and conferencing platforms maintain active sessions with regular TCP re-establishment or SIP-over-HTTP signaling heartbeats to regional media infrastructure, and will match the pattern, especially at 60-second keep-alive intervals.
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: HTTP C2 Beaconing via curl
  Expected signal: Sysmon for Linux Event ID 3: Network connection from curl to 127.0.0.1:80, repeated 10 times at 10-second intervals. Proxy logs showing identical HTTP GET requests to /updates/check with an Internet Explorer User-Agent.
- Test 2: HTTPS C2 with PowerShell WebClient
  Expected signal: Sysmon Event ID 1: Process creation for powershell.exe with a command line containing Net.WebClient. Sysmon Event ID 3: Network connections to 127.0.0.1:443 at 15-second intervals. PowerShell ScriptBlock Log Event ID 4104 with full script content.
- Test 3: WebSocket C2 Simulation
  Expected signal: Sysmon for Linux Event ID 3: Network connection from curl to 127.0.0.1:8080. Proxy logs showing an HTTP request with an 'Upgrade: websocket' header. The connection will be long-lived if a WebSocket server is present.
References (7)
- https://attack.mitre.org/techniques/T1071/001/
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf
- https://securityintelligence.com/posts/brazking-android-malware-upgraded-targeting-brazilian-banks/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md
- https://github.com/activecm/rita
- https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967/