T1071.001 Sumo Logic CSE · Sumo

Detect Web Protocols in Sumo Logic CSE

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as HTTP/S and WebSocket that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1071 Application Layer Protocol
Sub-technique
T1071.001 Web Protocols
Canonical reference
https://attack.mitre.org/techniques/T1071/001/

Sumo Detection Query

Sumo Logic CSE (Sumo)

(_sourceCategory=proxy OR _sourceCategory=network/web OR _sourceCategory=firewall/traffic OR _sourceCategory=zeek)
| where !(dest_ip matches "10.*"
  or dest_ip matches "172.1[6-9].*"
  or dest_ip matches "172.2[0-9].*"
  or dest_ip matches "172.3[01].*"
  or dest_ip matches "192.168.*"
  or dest_ip matches "127.*")
| where dest_port in (80, 443, 8080, 8443)
| where !(action matches "*denied*" or action matches "*blocked*" or action matches "*reject*")
| timeslice 1d
| stats count as RequestCount,
        sum(bytes_out) as BytesSent,
        sum(bytes_in) as BytesReceived,
        min(_messageTime) as FirstSeen,
        max(_messageTime) as LastSeen
        by src_ip, dest_ip, dest_port, _timeslice
| where RequestCount > 15
| eval DurationMs = toLong(LastSeen) - toLong(FirstSeen)
| eval DurationSec = DurationMs / 1000
| eval AvgIntervalSec = if(RequestCount > 1, DurationSec / (RequestCount - 1), 0)
| where AvgIntervalSec > 1 and AvgIntervalSec < 900
| eval SentRecvRatio = if(BytesReceived > 0, round(BytesSent / BytesReceived, 2), 999)
| eval BeaconConfidence = if(
    (AvgIntervalSec >= 55 and AvgIntervalSec <= 65)
    or (AvgIntervalSec >= 295 and AvgIntervalSec <= 305)
    or (AvgIntervalSec >= 895 and AvgIntervalSec <= 905)
    or (RequestCount > 100 and AvgIntervalSec < 120),
    "high", "medium")
| fields src_ip, dest_ip, dest_port, RequestCount, AvgIntervalSec, BytesSent, BytesReceived, SentRecvRatio, BeaconConfidence, FirstSeen, LastSeen
| sort by RequestCount desc

Severity: high · Confidence: high

Sumo Logic search query that detects HTTP/HTTPS beaconing from proxy, firewall, and network log sources. It uses _messageTime (epoch milliseconds) from Sumo Logic metadata to compute session duration and the average inter-request interval after aggregating by source IP, destination IP, and destination port within a 1-day timeslice, keeps only groups with more than 15 requests and a 1-900 second average interval, and classifies beacon confidence from that interval. Field names (dest_ip, src_ip, dest_port, bytes_out, bytes_in, action) follow Sumo Logic's CIP normalized schema; adjust them to match your source field mappings if needed.
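The same beaconing heuristic as the query, reimplemented in Python over constructed proxy records so the thresholds and the RFC 1918/loopback exclusion can be checked offline. This is an added example, not code from the page or from Sumo Logic; it assumes records already carry the normalized field names the query uses, and the record helper and sample data are constructed here.

```python
import re
from collections import defaultdict

# Mirrors the query's dest_ip exclusion globs (RFC 1918 ranges plus loopback).
INTERNAL_DEST = re.compile(r"^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)")
WEB_PORTS = {80, 443, 8080, 8443}
DENIED = re.compile(r"denied|blocked|reject")   # same substrings as the action filter
DAY_MS = 86_400_000                             # timeslice 1d

def beacon_confidence(count, interval):
    """Same bands as the query: ~60 s, ~300 s, ~900 s, or very chatty and fast."""
    if 55 <= interval <= 65 or 295 <= interval <= 305 or 895 <= interval <= 905:
        return "high"
    if count > 100 and interval < 120:
        return "high"
    return "medium"

def detect_beacons(records):
    """Apply the query's filters, aggregate per (src, dest, port, day), then score."""
    groups = defaultdict(list)
    for r in records:
        if INTERNAL_DEST.match(r["dest_ip"]) or r["dest_port"] not in WEB_PORTS:
            continue
        if DENIED.search(r["action"]):
            continue
        key = (r["src_ip"], r["dest_ip"], r["dest_port"], r["_messageTime"] // DAY_MS)
        groups[key].append(r)
    results = []
    for (src, dst, port, _), rows in groups.items():
        n = len(rows)
        if n <= 15:                                  # RequestCount > 15
            continue
        times = [r["_messageTime"] for r in rows]
        duration_sec = (max(times) - min(times)) / 1000
        interval = duration_sec / (n - 1) if n > 1 else 0
        if not 1 < interval < 900:                   # AvgIntervalSec window
            continue
        sent = sum(r["bytes_out"] for r in rows)
        recv = sum(r["bytes_in"] for r in rows)
        ratio = round(sent / recv, 2) if recv > 0 else 999
        results.append({"src_ip": src, "dest_ip": dst, "dest_port": port,
                        "RequestCount": n, "AvgIntervalSec": interval,
                        "SentRecvRatio": ratio,
                        "BeaconConfidence": beacon_confidence(n, interval)})
    return sorted(results, key=lambda x: x["RequestCount"], reverse=True)

def _rec(src, dst, port, t_ms, action="allowed", out=512, inn=1024):
    return {"src_ip": src, "dest_ip": dst, "dest_port": port, "_messageTime": t_ms,
            "action": action, "bytes_out": out, "bytes_in": inn}

# Constructed input: a 60 s beacon to a TEST-NET address, the same cadence to an
# internal destination the query excludes, and a burst too short to reach 15 requests.
T0 = 1_700_000_000_000
SAMPLE = [_rec("192.168.1.10", "203.0.113.5", 443, T0 + i * 60_000) for i in range(20)]
SAMPLE += [_rec("192.168.1.10", "10.0.0.5", 443, T0 + i * 60_000) for i in range(20)]
SAMPLE += [_rec("192.168.1.11", "198.51.100.7", 80, T0 + i * 30_000) for i in range(5)]
```

Note that the Atomic Red Team tests in the Testing Methodology section all target 127.0.0.1, which the query's loopback exclusion drops, and Test 1 sends only 10 requests, below the RequestCount > 15 bar; a validation run needs a non-loopback destination and more than 15 requests to produce a hit.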

Data Sources

  • Sumo Logic Proxy Source (Blue Coat, Zscaler NSS, Squid)
  • Palo Alto Networks App for Sumo Logic
  • Zeek (Bro) conn.log via Sumo Logic collector
  • Fortinet FortiGate App
  • Check Point App for Sumo Logic

Required Tables

  • _sourceCategory=proxy
  • _sourceCategory=network/web
  • _sourceCategory=firewall/traffic

False Positives & Tuning

  • Cloud-hosted SaaS health check services and uptime monitors (PagerDuty agents, Datadog synthetic checks) performing frequent HTTP probes from monitored hosts to external endpoints will produce high request counts with consistent intervals
  • Browser extensions performing periodic background sync operations (password managers, bookmark sync, extension update checks) creating regular low-volume HTTP connections to vendor APIs from every desktop endpoint in the environment
  • IoT and OT devices with embedded HTTP clients performing regular telemetry uploads to vendor cloud infrastructure on fixed duty cycles — particularly common with smart building systems, HVAC controllers, and networked printers
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: HTTP C2 Beaconing via curl

    Expected signal: Sysmon for Linux Event ID 3: Network connection from curl to 127.0.0.1:80, repeated 10 times at 10-second intervals. Proxy logs showing identical HTTP GET requests to /updates/check with Internet Explorer User-Agent.

  2. Test 2: HTTPS C2 with PowerShell WebClient

    Expected signal: Sysmon Event ID 1: Process creation for powershell.exe with command line containing Net.WebClient. Sysmon Event ID 3: Network connections to 127.0.0.1:443 at 15-second intervals. PowerShell ScriptBlock Log Event ID 4104 with full script content.

  3. Test 3: WebSocket C2 Simulation

    Expected signal: Sysmon for Linux Event ID 3: Network connection from curl to 127.0.0.1:8080. Proxy logs showing HTTP request with 'Upgrade: websocket' header. The connection attempt will be long-lived if a WebSocket server is present.
