Command and Control (TA0011)
Sub-technique: T1071.001 - Web Protocols
Objective: Detect command and control (C2) communications using web protocols.
Detect Suspicious Web Traffic
// Basic search: count HTTP/HTTPS connections per remote/local IP pair and keep busy pairs.
// Note: a bare count() is emitted as the column "count_", so the threshold must be applied
// to a named aggregate rather than to count() itself.
DeviceNetworkEvents
| where RemotePort == 80 or RemotePort == 443
| summarize ConnectionCount = count() by RemoteIP, LocalIP
| where ConnectionCount > 50
// Extended search: enrich busy destinations with archive-file and download-tool activity on the same device.
DeviceNetworkEvents
| where RemotePort == 80 or RemotePort == 443
| summarize ConnectionCount = count() by RemoteIP, DeviceName
| where ConnectionCount > 50
| join kind=leftouter (
DeviceFileEvents
| where FileName endswith ".zip" or FileName endswith ".rar"
| summarize ArchiveFileCount = count() by DeviceName
) on DeviceName
| join kind=leftouter (
DeviceProcessEvents
| where ProcessCommandLine has_any ("curl", "wget", "POST")
| summarize ProcessCount = count() by DeviceName
) on DeviceName
| project RemoteIP, DeviceName, ConnectionCount, ArchiveFileCount, ProcessCount
| order by ConnectionCount desc
Purpose: Identify unusual web traffic patterns.
Monitor for Web Protocols Used by Malware
Purpose: Detect web protocols commonly used by malware.
Identify Outbound HTTP POST Requests
Purpose: Monitor for outbound HTTP POST requests used for C2.
Detect Long-Lived HTTP Connections
Purpose: Identify long-lived HTTP connections that could indicate C2.
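As an added example (not one of the page's own queries), a beaconing-style check for the "Detect Long-Lived HTTP Connections" item above: instead of a raw connection count, it looks for process/destination pairs whose HTTP(S) connections recur at near-constant intervals. It assumes the Defender for Endpoint DeviceNetworkEvents schema; MinConnections and MaxJitterSeconds are placeholder thresholds to tune per environment.

```kql
// Added example, not from the original page. Thresholds below are assumed starting points.
let MinConnections = 20;      // minimum repeats before a pair is reported
let MaxJitterSeconds = 5;     // maximum standard deviation of the inter-connection interval
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (80, 443)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| project Timestamp, DeviceName, RemoteIP, RemotePort,
          InitiatingProcessFileName, InitiatingProcessCommandLine
// Order so that prev() compares each connection with the previous one for the same
// device / destination / process triple.
| sort by DeviceName asc, RemoteIP asc, InitiatingProcessFileName asc, Timestamp asc
| extend PrevTimestamp = prev(Timestamp),
         PrevDevice    = prev(DeviceName),
         PrevRemoteIP  = prev(RemoteIP),
         PrevProcess   = prev(InitiatingProcessFileName)
// Interval is only meaningful when the previous row belongs to the same triple.
| extend IntervalSeconds = iff(PrevDevice == DeviceName
                               and PrevRemoteIP == RemoteIP
                               and PrevProcess == InitiatingProcessFileName,
                               datetime_diff("second", Timestamp, PrevTimestamp),
                               long(null))
| where isnotnull(IntervalSeconds)
| summarize ConnectionCount  = count(),
            AvgIntervalSec   = avg(IntervalSeconds),
            IntervalStdDev   = stdev(IntervalSeconds),
            FirstSeen        = min(Timestamp),
            LastSeen         = max(Timestamp),
            CommandLine      = take_any(InitiatingProcessCommandLine)
  by DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName
// Many connections with almost no interval jitter is the beaconing signature of interest;
// browsers and updaters tend to show irregular timing and drop out here.
| where ConnectionCount >= MinConnections and IntervalStdDev <= MaxJitterSeconds
| order by ConnectionCount desc
```

Legitimate polling agents (monitoring, telemetry) will also surface; review the InitiatingProcessFileName and CommandLine columns before escalating.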
Monitor for Unusual DNS Queries
Purpose: Detect excessive DNS queries.
Detect Use of Web Shells
Purpose: Monitor for the presence of web shells on servers.
Identify HTTPS Traffic to Unusual Domains
Purpose: Detect HTTPS traffic to unusual or unknown domains.
Monitor for Suspicious User-Agents
Purpose: Detect unusual or spoofed user-agents in web traffic.
Detect Traffic to Known Malicious Domains
Purpose: Identify traffic to known malicious domains or IP addresses.
Identify Suspicious WebSocket Connections
Purpose: Monitor for WebSocket connections used for C2.