T1071.001 Microsoft Sentinel · KQL

Detect Web Protocols in Microsoft Sentinel

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as HTTP/S and WebSocket that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1071 Application Layer Protocol
Sub-technique
T1071.001 Web Protocols
Canonical reference
https://attack.mitre.org/techniques/T1071/001/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let TimeWindow = 24h;
let SuspiciousUserAgents = dynamic([
  "Mozilla/5.0 (compatible; MSIE 9.0", "Mozilla/4.0 (compatible; MSIE 7.0",
  "MALC", "WinHTTP", "Go-http-client", "python-requests",
  "Java/1.", "CobaltStrike", "Wget", "curl/7"
]);
// Detect HTTP/HTTPS beaconing and suspicious web protocol C2
DeviceNetworkEvents
| where Timestamp > ago(TimeWindow)
| where RemotePort in (80, 443, 8080, 8443)
| where RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
| summarize
    ConnectionCount = count(),
    BytesSent = sum(SentBytes),
    BytesReceived = sum(ReceivedBytes),
    UniqueURLs = dcount(RemoteUrl),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort
| extend Duration = datetime_diff('second', LastSeen, FirstSeen)
| extend AvgInterval = iff(ConnectionCount > 1, Duration / (ConnectionCount - 1), 0)
| where ConnectionCount > 15
| where AvgInterval between (1 .. 900)
| extend SentRecvRatio = iff(BytesReceived > 0, toreal(BytesSent) / toreal(BytesReceived), 999.0)
| extend BeaconConfidence = case(
    AvgInterval between (55 .. 65), "high",
    AvgInterval between (295 .. 305), "high",
    AvgInterval between (895 .. 905), "high",
    ConnectionCount > 100 and AvgInterval < 120, "high",
    "medium")
| project LastSeen, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, ConnectionCount, AvgInterval, BytesSent, BytesReceived, SentRecvRatio, BeaconConfidence
| sort by ConnectionCount desc
high severity medium confidence

Detects HTTP/HTTPS C2 beaconing by analyzing connection frequency and regularity to public IPs on web ports (80, 443, 8080, 8443). Calculates the average interval between connections to identify periodic callback patterns characteristic of C2 frameworks like Cobalt Strike, Covenant, and Empire. Also computes sent/received byte ratios — C2 channels typically have small requests and larger responses (commands), or consistent small exchanges (heartbeats).

Data Sources

Network Traffic: Network Connection CreationNetwork Traffic: Network Traffic ContentNetwork Traffic: Network Traffic FlowMicrosoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives & Tuning

  • Browser tabs with auto-refresh or long-polling (e.g., dashboards, social media feeds, stock tickers)
  • Cloud sync clients (OneDrive, Dropbox, Google Drive) that poll for changes at regular intervals
  • Software update mechanisms (WSUS, SCCM, apt-get) performing periodic HTTP checks
  • Monitoring agents and health-check probes sending heartbeats to SaaS management consoles
Download portable Sigma rule (.yml)

Other platforms for T1071.001

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1HTTP C2 Beaconing via curl

    Expected signal: Sysmon for Linux Event ID 3: Network connection from curl to 127.0.0.1:80, repeated 10 times at 10-second intervals. Proxy logs showing identical HTTP GET requests to /updates/check with Internet Explorer User-Agent.

  2. Test 2HTTPS C2 with PowerShell WebClient

    Expected signal: Sysmon Event ID 1: Process creation for powershell.exe with command line containing Net.WebClient. Sysmon Event ID 3: Network connections to 127.0.0.1:443 at 15-second intervals. PowerShell ScriptBlock Log Event ID 4104 with full script content.

  3. Test 3WebSocket C2 Simulation

    Expected signal: Sysmon for Linux Event ID 3: Network connection from curl to 127.0.0.1:8080. Proxy logs showing HTTP request with 'Upgrade: websocket' header. The connection attempt will be long-lived if a WebSocket server is present.

Last updated: 2026-04-13 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1071.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1071Application Layer Protocol

Related Sub-techniques

T1071.002File Transfer ProtocolsT1071.003Mail ProtocolsT1071.004DNST1071.005Publish/Subscribe Protocols

Related Techniques

T1071Application Layer ProtocolT1573.001Symmetric CryptographyT1573.002Asymmetric CryptographyT1132.001Standard EncodingT1105Ingress Tool TransferT1102Web ServiceT1090ProxyT1572Protocol TunnelingT1568.002Domain Generation Algorithms

Same Tactic: Command and Control

Popular Detections