Detect Web Protocols in CrowdStrike LogScale
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as HTTP/S and WebSocket that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
MITRE ATT&CK
- Tactic: Command and Control
- Technique: T1071 Application Layer Protocol
- Sub-technique: T1071.001 Web Protocols
- Canonical reference: https://attack.mitre.org/techniques/T1071/001/
LogScale Detection Query
#event_simpleName=NetworkConnectIP4
| in(RemotePort, values=["80", "443", "8080", "8443"])
| RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| groupBy(
    [ComputerName, ImageFileName, RemoteAddressIP4, RemotePort],
    function=[
      count(as=ConnectionCount),
      min(field=@timestamp, as=FirstSeenMs),
      max(field=@timestamp, as=LastSeenMs)
    ],
    limit=max
  )
| DurationSec := (LastSeenMs - FirstSeenMs) / 1000
| AvgIntervalSec := if(ConnectionCount > 1, then=DurationSec / (ConnectionCount - 1), else=0)
| ConnectionCount > 15
| AvgIntervalSec > 1 AND AvgIntervalSec < 910
| case {
    (AvgIntervalSec >= 55 AND AvgIntervalSec <= 65)
      OR (AvgIntervalSec >= 295 AND AvgIntervalSec <= 305)
      OR (AvgIntervalSec >= 895 AND AvgIntervalSec <= 905)
      | BeaconConfidence := "high";
    ConnectionCount > 100 AND AvgIntervalSec < 120
      | BeaconConfidence := "high";
    * | BeaconConfidence := "medium";
  }
| sort(field=ConnectionCount, order=desc, limit=200)
| select(
    [ComputerName, ImageFileName, RemoteAddressIP4, RemotePort,
     ConnectionCount, AvgIntervalSec, DurationSec,
     BeaconConfidence, FirstSeenMs, LastSeenMs]
  )
CrowdStrike Falcon LogScale (formerly Humio) CQL query that aggregates NetworkConnectIP4 events from Falcon sensor-protected endpoints to surface HTTP/HTTPS beaconing. It keeps outbound connections to external addresses on common web ports, groups them by host, process image, destination IP and destination port, derives the average inter-connection interval from the first and last timestamps of each group, and scores each group against typical C2 sleep values of 60 s, 300 s and 900 s. The interval ceiling is set to 910 s so that the 895-905 s band is actually reachable; a ceiling of 900 s would discard half of it. Filters in CQL are written as bare comparisons (there is no where clause), port matching uses in(), and the confidence tiers use case {} so that the AND/OR ranges stay readable.
Caveat: an average computed from min/max timestamps cannot tell a regular beacon from the same number of connections bunched into a short burst, and it ignores jitter entirely; treat BeaconConfidence as a triage ranking and confirm regularity on the individual event timestamps before escalating.
Requires the CrowdStrike Falcon sensor with network telemetry collection enabled and events streaming into Falcon LogScale via FDR or the direct sensor pipeline. Note: NetworkConnectIP4 events do not carry byte count fields; supplement with DnsRequest or HttpRequest events for payload size analysis.
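The scoring logic of the query, re-implemented in Python so it can be run offline and stepped through. This is an added example, not code from the original page or from CrowdStrike. It mirrors the query (web-port filter, RFC1918/loopback exclusion, per-tuple count and first/last timestamps, average interval, confidence bands) over constructed NetworkConnectIP4-shaped events whose hostnames, image paths and addresses are made up, and it adds one measure the min/max average cannot give you: the jitter of the real gaps as a coefficient of variation, which separates a steady beacon from a burst with the same count and span. The interval ceiling of 910 s is an assumption chosen so the 895-905 s band is reachable.

```python
"""Offline re-implementation of the LogScale beacon heuristic (added example)."""
from __future__ import annotations

import ipaddress
import statistics
from collections import defaultdict

WEB_PORTS = {80, 443, 8080, 8443}
# Same exclusion as the query's regex: RFC1918 plus loopback.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
MIN_CONNECTIONS = 15        # query: ConnectionCount > 15
INTERVAL_RANGE = (1, 910)   # assumption: 910 rather than 900 so the 900 s band can match
# (period, tolerance) pairs for common C2 sleep values; matches the query's bands.
KNOWN_PERIODS = ((60, 5), (300, 5), (900, 5))


def make_events(host, image, ip, port, start_ms, count, period_s, jitter_s=0.0):
    """Construct NetworkConnectIP4-like events spaced period_s apart (+/- jitter_s)."""
    events, t = [], start_ms
    for i in range(count):
        events.append({"event_simpleName": "NetworkConnectIP4", "ComputerName": host,
                       "ImageFileName": image, "RemoteAddressIP4": ip,
                       "RemotePort": port, "timestamp": t})
        # Deterministic jitter: alternate the sign so the average stays honest.
        t += int((period_s + (jitter_s if i % 2 else -jitter_s)) * 1000)
    return events


def is_external(ip: str) -> bool:
    """True when the destination is outside RFC1918 and loopback space."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def score_beacons(events):
    """Group like the query's groupBy() and score each (host, image, ip, port) tuple."""
    groups = defaultdict(list)
    for e in events:
        if (e["event_simpleName"] == "NetworkConnectIP4"
                and e["RemotePort"] in WEB_PORTS
                and is_external(e["RemoteAddressIP4"])):
            key = (e["ComputerName"], e["ImageFileName"], e["RemoteAddressIP4"], e["RemotePort"])
            groups[key].append(e["timestamp"])
    results = []
    for key, ts in groups.items():
        ts.sort()
        n = len(ts)
        duration = (ts[-1] - ts[0]) / 1000          # DurationSec
        avg = duration / (n - 1) if n > 1 else 0    # AvgIntervalSec
        if n <= MIN_CONNECTIONS or not (INTERVAL_RANGE[0] < avg < INTERVAL_RANGE[1]):
            continue
        # Extra: coefficient of variation of the real gaps (0.0 = perfectly regular).
        gaps = [(b - a) / 1000 for a, b in zip(ts, ts[1:])]
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        if any(abs(avg - p) <= tol for p, tol in KNOWN_PERIODS) or (n > 100 and avg < 120):
            conf = "high"
        else:
            conf = "medium"
        results.append({"key": key, "ConnectionCount": n, "DurationSec": duration,
                        "AvgIntervalSec": round(avg, 2), "JitterCV": round(cv, 3),
                        "BeaconConfidence": conf})
    return sorted(results, key=lambda r: r["ConnectionCount"], reverse=True)


# Constructed sample telemetry (not real Falcon data); T0 is an arbitrary epoch in ms.
T0 = 1_700_000_000_000
SAMPLE = (
    # implant: 20 callbacks at a 60 s period with +/-2 s jitter -> "high"
    make_events("WS-042", "\\Device\\HarddiskVolume3\\Users\\a\\AppData\\Local\\Temp\\svc.exe",
                "203.0.113.10", 443, T0, 20, 60, 2.0)
    # atomic-style loopback test: 10 hits at 10 s -> excluded by address and by count
    + make_events("DEV-07", "/usr/bin/curl", "127.0.0.1", 80, T0, 10, 10)
    # software updater: 18 checks every 4 hours -> interval above the window, dropped
    + make_events("WS-042", "C:\\Program Files\\Vendor\\updater.exe", "198.51.100.5", 443, T0, 18, 14400)
    # internal web app on RFC1918 space -> excluded by the address filter
    + make_events("WS-042", "chrome.exe", "10.1.2.3", 8080, T0, 30, 60)
)

if __name__ == "__main__":
    for row in score_beacons(SAMPLE):
        print(row)
```

Run it as a script and only the svc.exe tuple survives; the curl, updater and intranet traffic are all filtered for the same reasons the query filters them. Changing MIN_CONNECTIONS, the interval window or the period bands here is a cheap way to see what a threshold change would do to the LogScale results before editing the query.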
Data Sources
- CrowdStrike Falcon sensor network telemetry: NetworkConnectIP4 events (selected on #event_simpleName) ingested into Falcon LogScale via FDR or the direct sensor pipeline
False Positives & Tuning
- Endpoint security agents, including the Falcon sensor itself, third-party AV clients and DLP agents, making regular check-ins to vendor cloud infrastructure for signature updates, threat intelligence feeds and policy synchronization at predictable intervals
- Developer toolchains and package managers (npm, pip, cargo, the Go module proxy) performing dependency resolution and registry health checks against public package repositories during automated CI/CD pipelines running on developer workstations
- Business intelligence and analytics platforms (Tableau Desktop, Power BI, Grafana agents) performing scheduled data refresh connections to cloud data sources and APIs at fixed intervals configured by end users or administrators
Tune by excluding verified ImageFileName and RemoteAddressIP4 pairs for these agents ahead of the groupBy() rather than by raising the ConnectionCount threshold, which would also hide low-and-slow implants.
Testing Methodology
Validate this detection with the three Atomic Red Team tests for T1071.001 listed below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
Two caveats when running them against the LogScale query above. First, the atomics target 127.0.0.1, which the loopback/RFC1918 exclusion drops, and the expected signals below are Sysmon events; to exercise the query, point the test at an external lab host you control (or temporarily remove the 127. alternative from the regular expression) and look for Falcon NetworkConnectIP4 events rather than Sysmon Event ID 3. Second, Test 1's 10 connections fall below the ConnectionCount > 15 threshold, so raise the repeat count or lower the threshold for the validation run.
- Test 1: HTTP C2 Beaconing via curl
Expected signal: Sysmon for Linux Event ID 3: network connection from curl to 127.0.0.1:80, repeated 10 times at 10-second intervals. Proxy logs showing identical HTTP GET requests to /updates/check with an Internet Explorer User-Agent.
- Test 2: HTTPS C2 with PowerShell WebClient
Expected signal: Sysmon Event ID 1: process creation for powershell.exe with a command line containing Net.WebClient. Sysmon Event ID 3: network connections to 127.0.0.1:443 at 15-second intervals. PowerShell ScriptBlock Log Event ID 4104 with the full script content.
- Test 3: WebSocket C2 Simulation
Expected signal: Sysmon for Linux Event ID 3: network connection from curl to 127.0.0.1:8080. Proxy logs showing an HTTP request with an 'Upgrade: websocket' header. The connection will be long-lived if a WebSocket server is present.
References
- https://attack.mitre.org/techniques/T1071/001/
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf
- https://securityintelligence.com/posts/brazking-android-malware-upgraded-targeting-brazilian-banks/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md
- https://github.com/activecm/rita
- https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967/