Detect Application Layer Protocol in Microsoft Sentinel
Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, DNS, or publishing/subscribing. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1071 Application Layer Protocol
- Canonical reference
- https://attack.mitre.org/techniques/T1071/
KQL Detection Query
let TimeWindow = 24h;
let BeaconThreshold = 10;
let EntropyThreshold = 4.5;
// Detect anomalous outbound connections with beaconing patterns
DeviceNetworkEvents
| where Timestamp > ago(TimeWindow)
| where RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
| where RemotePort in (80, 443, 53, 21, 25, 110, 143, 8080, 8443, 1883, 5222)
| summarize
ConnectionCount = count(),
UniqueRemoteIPs = dcount(RemoteIP),
UniquePorts = dcount(RemotePort),
Ports = make_set(RemotePort),
FirstSeen = min(Timestamp),
LastSeen = max(Timestamp),
AvgTimeBetween = datetime_diff('second', max(Timestamp), min(Timestamp)) / count()
by DeviceName, InitiatingProcessFileName, InitiatingProcessId
| where ConnectionCount > BeaconThreshold
| where AvgTimeBetween between (1 .. 3600)
| extend BeaconScore = iff(AvgTimeBetween between (55 .. 65) or AvgTimeBetween between (295 .. 305) or AvgTimeBetween between (895 .. 905), "high", "medium")
| project Timestamp=LastSeen, DeviceName, InitiatingProcessFileName, ConnectionCount, UniqueRemoteIPs, Ports, AvgTimeBetween, BeaconScore, FirstSeen, LastSeen
| sort by ConnectionCount descDetects anomalous outbound network connections across common application layer protocol ports that exhibit beaconing behavior. Identifies processes making repeated connections at regular intervals to public IPs — a hallmark of C2 communication using application layer protocols (HTTP, DNS, FTP, SMTP, MQTT). Calculates average time between connections to detect periodic beaconing patterns typical of malware callbacks.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software performing periodic update checks (Windows Update, antivirus definitions, NTP)
- Monitoring and heartbeat agents that maintain persistent connections to cloud management platforms
- Chat and collaboration applications (Slack, Teams, Zoom) with long-lived WebSocket or polling connections
- IoT devices communicating via MQTT to cloud brokers on regular intervals
Other platforms for T1071
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Multi-Protocol Beaconing Simulation
Expected signal: Sysmon for Linux Event ID 3 (Network Connection) showing curl processes connecting to 127.0.0.1 on ports 80, 443, 53. Firewall logs showing outbound connection attempts.
- Test 2IRC C2 Channel Simulation
Expected signal: Sysmon Event ID 3: Network Connection to port 6667 (IRC). Process creation event for nc/netcat with IRC protocol commands in arguments.
- Test 3HTTP Beaconing with Cobalt Strike User-Agent
Expected signal: Sysmon Event ID 3: Network Connection from powershell.exe to 127.0.0.1:80. Proxy logs showing repeated requests to /pixel.gif with suspicious User-Agent. Sysmon Event ID 1: PowerShell process creation for each iteration.
References (6)
- https://attack.mitre.org/techniques/T1071/
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://www.mandiant.com/resources/blog/unc3524-eye-spy-email
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/network
Unlock Pro Content
Get the full detection package for T1071 including response playbook, investigation guide, and atomic red team tests.