T1071.001 Splunk · SPL

Detect Web Protocols in Splunk

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as HTTP/S and WebSocket that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1071 Application Layer Protocol
Sub-technique
T1071.001 Web Protocols
Canonical reference
https://attack.mitre.org/techniques/T1071/001/

SPL Detection Query

Splunk (SPL)
spl 
index=proxy OR index=web sourcetype IN ("stream:http", "squid", "bluecoat:proxysg:access:syslog", "pan:traffic")
  (dest_port=80 OR dest_port=443 OR dest_port=8080 OR dest_port=8443)
  action=allowed
  NOT (dest_ip="10.*" OR dest_ip="172.16.*" OR dest_ip="192.168.*" OR dest_ip="127.*")
| bin _time span=1m
| stats count as RequestCount, sum(bytes_out) as BytesSent, sum(bytes_in) as BytesReceived, dc(url) as UniqueURLs, earliest(_time) as FirstSeen, latest(_time) as LastSeen, values(http_user_agent) as UserAgents by src_ip, dest_ip, dest_port
| eval Duration=LastSeen-FirstSeen
| eval AvgInterval=if(RequestCount>1, Duration/(RequestCount-1), 0)
| where RequestCount > 15 AND AvgInterval > 1 AND AvgInterval < 900
| eval SentRecvRatio=if(BytesReceived>0, round(BytesSent/BytesReceived, 2), 999)
| eval BeaconConfidence=case(
    (AvgInterval >= 55 AND AvgInterval <= 65), "high",
    (AvgInterval >= 295 AND AvgInterval <= 305), "high",
    (AvgInterval >= 895 AND AvgInterval <= 905), "high",
    RequestCount > 100 AND AvgInterval < 120, "high",
    1=1, "medium")
| eval SuspiciousUA=if(match(mvindex(UserAgents,0), "(?i)(MALC|Go-http-client|python-requests|CobaltStrike|Java/1\.|WinHTTP)"), "yes", "no")
| table FirstSeen, LastSeen, src_ip, dest_ip, dest_port, RequestCount, AvgInterval, BytesSent, BytesReceived, SentRecvRatio, BeaconConfidence, SuspiciousUA, UserAgents
| sort - RequestCount
high severity medium confidence

Detects HTTP/HTTPS C2 beaconing via proxy or web traffic logs. Analyzes request frequency, byte ratios, and User-Agent strings to identify periodic C2 callbacks. Flags connections with consistent intervals matching common C2 framework defaults (60s, 300s, 900s). Also evaluates User-Agent strings for known C2 indicators including non-browser HTTP libraries and default Cobalt Strike profiles.

Data Sources

Network Traffic: Network Traffic ContentNetwork Traffic: Network Traffic FlowProxy LogsWeb Logs

Required Sourcetypes

stream:httpsquidbluecoat:proxysg:access:syslogpan:traffic

False Positives & Tuning

  • Browser tabs with auto-refresh or long-polling (e.g., dashboards, social media feeds, stock tickers)
  • Cloud sync clients (OneDrive, Dropbox, Google Drive) that poll for changes at regular intervals
  • Software update mechanisms (WSUS, SCCM, apt-get) performing periodic HTTP checks
  • Monitoring agents and health-check probes sending heartbeats to SaaS management consoles
Download portable Sigma rule (.yml)

Other platforms for T1071.001

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1HTTP C2 Beaconing via curl

    Expected signal: Sysmon for Linux Event ID 3: Network connection from curl to 127.0.0.1:80, repeated 10 times at 10-second intervals. Proxy logs showing identical HTTP GET requests to /updates/check with Internet Explorer User-Agent.

  2. Test 2HTTPS C2 with PowerShell WebClient

    Expected signal: Sysmon Event ID 1: Process creation for powershell.exe with command line containing Net.WebClient. Sysmon Event ID 3: Network connections to 127.0.0.1:443 at 15-second intervals. PowerShell ScriptBlock Log Event ID 4104 with full script content.

  3. Test 3WebSocket C2 Simulation

    Expected signal: Sysmon for Linux Event ID 3: Network connection from curl to 127.0.0.1:8080. Proxy logs showing HTTP request with 'Upgrade: websocket' header. The connection attempt will be long-lived if a WebSocket server is present.

Last updated: 2026-04-13 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1071.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1071Application Layer Protocol

Related Sub-techniques

T1071.002File Transfer ProtocolsT1071.003Mail ProtocolsT1071.004DNST1071.005Publish/Subscribe Protocols

Related Techniques

T1071Application Layer ProtocolT1573.001Symmetric CryptographyT1573.002Asymmetric CryptographyT1132.001Standard EncodingT1105Ingress Tool TransferT1102Web ServiceT1090ProxyT1572Protocol TunnelingT1568.002Domain Generation Algorithms

Same Tactic: Command and Control

Popular Detections