Detect Web Protocols in IBM QRadar
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as HTTP/S and WebSocket that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
MITRE ATT&CK
- Tactic: Command and Control
- Technique: T1071 Application Layer Protocol
- Sub-technique: T1071.001 Web Protocols
- Canonical reference: https://attack.mitre.org/techniques/T1071/001/
QRadar Detection Query

```sql
SELECT
    DATEFORMAT(MIN(starttime), 'yyyy-MM-dd HH:mm:ss') AS FirstSeen,
    DATEFORMAT(MAX(starttime), 'yyyy-MM-dd HH:mm:ss') AS LastSeen,
    sourceip,
    destinationip,
    destinationport,
    COUNT(*) AS RequestCount,
    SUM(LONG("bytesout")) AS BytesSent,
    SUM(LONG("bytesin")) AS BytesReceived,
    -- starttime is epoch milliseconds, so divide by 1000 for seconds
    ((MAX(starttime) - MIN(starttime)) / 1000) AS DurationSeconds,
    CASE
        WHEN COUNT(*) > 1 THEN ((MAX(starttime) - MIN(starttime)) / 1000) / (COUNT(*) - 1)
        ELSE 0
    END AS AvgIntervalSeconds,
    -- Score the average interval against common C2 sleep periods (60 s, 300 s, 900 s)
    CASE
        WHEN (CASE WHEN COUNT(*) > 1 THEN ((MAX(starttime) - MIN(starttime)) / 1000) / (COUNT(*) - 1) ELSE 0 END) BETWEEN 55 AND 65 THEN 'high'
        WHEN (CASE WHEN COUNT(*) > 1 THEN ((MAX(starttime) - MIN(starttime)) / 1000) / (COUNT(*) - 1) ELSE 0 END) BETWEEN 295 AND 305 THEN 'high'
        WHEN (CASE WHEN COUNT(*) > 1 THEN ((MAX(starttime) - MIN(starttime)) / 1000) / (COUNT(*) - 1) ELSE 0 END) BETWEEN 895 AND 905 THEN 'high'
        WHEN COUNT(*) > 100 THEN 'high'
        ELSE 'medium'
    END AS BeaconConfidence
FROM events
WHERE destinationport IN (80, 443, 8080, 8443)
  AND (eventdirection = 'L2R' OR eventdirection = 'R2R')
  -- Exclude RFC 1918 and loopback destinations so only external hosts remain
  AND NOT (
        destinationip LIKE '10.%'
     OR destinationip LIKE '172.16.%' OR destinationip LIKE '172.17.%'
     OR destinationip LIKE '172.18.%' OR destinationip LIKE '172.19.%'
     OR destinationip LIKE '172.20.%' OR destinationip LIKE '172.21.%'
     OR destinationip LIKE '172.22.%' OR destinationip LIKE '172.23.%'
     OR destinationip LIKE '172.24.%' OR destinationip LIKE '172.25.%'
     OR destinationip LIKE '172.26.%' OR destinationip LIKE '172.27.%'
     OR destinationip LIKE '172.28.%' OR destinationip LIKE '172.29.%'
     OR destinationip LIKE '172.30.%' OR destinationip LIKE '172.31.%'
     OR destinationip LIKE '192.168.%'
     OR destinationip LIKE '127.%'
  )
GROUP BY sourceip, destinationip, destinationport
HAVING COUNT(*) > 15
   AND CASE WHEN COUNT(*) > 1 THEN ((MAX(starttime) - MIN(starttime)) / 1000) / (COUNT(*) - 1) ELSE 0 END BETWEEN 1 AND 900
ORDER BY RequestCount DESC
LAST 24 HOURS
```

This QRadar AQL query aggregates network flow and proxy events to detect HTTP/HTTPS beaconing from internal hosts to external IPs. It uses QRadar's native starttime field (epoch milliseconds) to compute session duration and the average inter-connection interval. It groups by source IP, destination IP, and destination port; filters for more than 15 requests with an average interval between 1 and 900 seconds; and scores beacon confidence against known C2 periods. The LAST 24 HOURS clause drives the time window. It requires proxy, firewall, or NetFlow log sources normalized to QRadar's Common Event Format with bytesout/bytesin properties.
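To check the thresholds in the query offline before deploying it, the same grouping, interval and confidence logic can be replayed over a handful of sample events. The Python below is an added example, not part of the original page or of QRadar; the events are constructed, the eventdirection filter is not modelled, and the private-range exclusion is expressed as CIDR membership rather than the query's LIKE prefixes.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events: (starttime in epoch ms, sourceip, destinationip, destinationport).
BASE = 1_700_000_000_000
SAMPLE_EVENTS = (
    # 20 requests to an external host every 60 s: lands in the query's 55-65 s "high" band
    [(BASE + i * 60_000, "10.1.2.3", "203.0.113.10", 443) for i in range(20)]
    # 4 irregular requests to another external host: below the >15 request threshold
    + [(BASE + t, "10.1.2.3", "198.51.100.5", 80) for t in (0, 7_000, 90_000, 400_000)]
    # 20 regular requests to an RFC 1918 address: dropped by the private-range exclusion
    + [(BASE + i * 60_000, "10.1.2.3", "10.9.9.9", 8080) for i in range(20)]
)

WEB_PORTS = {80, 443, 8080, 8443}
KNOWN_PERIODS = [(55, 65), (295, 305), (895, 905)]  # seconds, as in the AQL CASE expression
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip):
    # Same exclusions as the query's NOT (destinationip LIKE '10.%' ...) block
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def beacon_confidence(avg_interval, count):
    # Mirrors the BeaconConfidence CASE: a known C2 period or a very chatty pair scores 'high'
    if any(lo <= avg_interval <= hi for lo, hi in KNOWN_PERIODS) or count > 100:
        return "high"
    return "medium"


def score_beacons(events, min_requests=15, min_interval=1, max_interval=900):
    # Group by (sourceip, destinationip, destinationport), then apply the HAVING thresholds
    groups = defaultdict(list)
    for ts, src, dst, port in events:
        if port in WEB_PORTS and not is_internal(dst):
            groups[(src, dst, port)].append(ts)
    results = {}
    for key, times in groups.items():
        count = len(times)
        duration = (max(times) - min(times)) / 1000  # DurationSeconds
        avg_interval = duration / (count - 1) if count > 1 else 0  # AvgIntervalSeconds
        if count > min_requests and min_interval <= avg_interval <= max_interval:
            results[key] = {
                "RequestCount": count,
                "DurationSeconds": duration,
                "AvgIntervalSeconds": avg_interval,
                "BeaconConfidence": beacon_confidence(avg_interval, count),
            }
    return results
```

Only the 60-second pair to 203.0.113.10 survives: the irregular pair fails the request-count threshold and the 10.9.9.9 pair is excluded as internal, which is the behaviour to expect from the AQL on equivalent data.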
False Positives & Tuning
- Enterprise backup agents (Veeam, Commvault, Veritas) performing regular incremental backup check-ins to cloud storage providers at scheduled intervals will produce consistent high-frequency connections to fixed external IPs
- SSL/TLS OCSP stapling and certificate revocation check services creating regular short-lived connections to certificate authority infrastructure at predictable intervals tied to certificate validity windows
- Corporate endpoint management agents (Microsoft Intune, JAMF, IBM BigFix) polling cloud management servers at fixed intervals for policy updates and compliance status will exhibit near-identical beacon intervals across all enrolled devices
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: HTTP C2 Beaconing via curl
  Expected signal: Sysmon for Linux Event ID 3: Network connection from curl to 127.0.0.1:80, repeated 10 times at 10-second intervals. Proxy logs showing identical HTTP GET requests to /updates/check with an Internet Explorer User-Agent.
- Test 2: HTTPS C2 with PowerShell WebClient
  Expected signal: Sysmon Event ID 1: Process creation for powershell.exe with a command line containing Net.WebClient. Sysmon Event ID 3: Network connections to 127.0.0.1:443 at 15-second intervals. PowerShell ScriptBlock Log Event ID 4104 with full script content.
- Test 3: WebSocket C2 Simulation
  Expected signal: Sysmon for Linux Event ID 3: Network connection from curl to 127.0.0.1:8080. Proxy logs showing an HTTP request with an 'Upgrade: websocket' header. The connection will be long-lived if a WebSocket server is present.
References
- https://attack.mitre.org/techniques/T1071/001/
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf
- https://securityintelligence.com/posts/brazking-android-malware-upgraded-targeting-brazilian-banks/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md
- https://github.com/activecm/rita
- https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967/