Application Layer Protocol T1071
Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Events covered
28 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 78 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (66 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (524 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.
Exclusions (133 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma (32 rules)
- Change User Agents with WebRequest
- Cloudflared Tunnels Related DNS Requests
- Curl.EXE Execution With Custom UserAgent
- DNS Exfiltration and Tunneling Tools Execution
- DNS Query by Finger Utility
- DNS Query Request By QuickAssist.EXE
- DNS Query To Common Malware Hosting and Shortener Services
- DNS Query To Devtunnels Domain
- DNS Query To Katz Stealer Domains
- DNS Query To Visual Studio Code Tunnels Domain
- DoT (DNS over TLS) activation (command)
- DoT (DNS over TLS) activation (PowerShell)
- GALLIUM IOCs
- Github Self-Hosted Runner Execution
- HackTool - SILENTTRINITY Stager DLL Load
- HackTool - SILENTTRINITY Stager Execution
- Kalambur Backdoor Curl TOR SOCKS Proxy Execution
- Network Connection Initiated via Finger.EXE
- OilRig APT Activity
- OilRig APT Registry Persistence
- OilRig APT Schedule Task Persistence - Security
- OilRig APT Schedule Task Persistence - System
- Outbound Network Connection Initiated By Microsoft Dialer
- Potentially Suspicious Rundll32.EXE Execution of UDL File
- Renamed Visual Studio Code Tunnel Execution
- Silence.EDA Detection
- Suspicious Cobalt Strike DNS Beaconing - DNS Client
- Suspicious Cobalt Strike DNS Beaconing - Sysmon
- Tunneling Tool Execution
- Visual Studio Code Tunnel Execution
- Visual Studio Code Tunnel Service Installation
- Visual Studio Code Tunnel Shell Execution
Elastic (15 rules)
- Connection to Commonly Abused Web Services
- Deprecated - SUNBURST Command and Control Activity
- MsBuild Making Network Connections
- Network Activity to a Suspicious Top Level Domain
- Network Connection via Compiled HTML File
- Outlook Home Page Registry Modification
- Potential Command and Control via Internet Explorer
- Potential DNS Tunneling via NsLookup
- Potential File Transfer via Certreq
- Potential File Transfer via Curl for Windows
- Suspicious Command Prompt Network Connection
- Suspicious Execution from a WebDav Share
- System Public IP Discovery via DNS Query
- Unusual Network Connection via DllHost
- Unusual Network Connection via RunDLL32
Splunk (26 rules)
- BitsAdmin NetCat PowerCat File Transfer (EDR)
- BitsAdmin NetCat PowerCat File Transfer (Sysmon)
- BitsAdmin NetCat PowerCat File Transfer (Windows Event Log)
- Command and Control Detection (Windows Event Log)
- DNS Kerberos Coercion
- Unexpected Network Connection from System Process (Sysmon)
- Unexpected Network Connection from System Process (Windows Event Log)
- Unusual HTTP Download (Sysmon)
- Visual Studio Code Tunnel Execution (Sysmon)
- Visual Studio Code Tunnel Execution (Windows Event Log)
- Windows AI Platform DNS Query
- Windows App Layer Protocol Qakbot NamedPipe
- Windows App Layer Protocol Wermgr Connect To NamedPipe
- Windows Application Layer Protocol RMS Radmin Tool Namedpipe
- Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script
- Windows Credential Target Information Structure in Commandline
- Windows DNS Query Request by Telegram Bot API
- Windows File Transfer Protocol In Non-Common Process Path
- Windows FTP Exfiltration (PowerShell)
- Windows FTP Exfiltration (Sysmon)
- Windows FTP Exfiltration (Windows Event Log)
- Windows Kerberos Coercion via DNS
- Windows Mail Protocol In Non-Common Process Path
- Windows Multi hop Proxy TOR Website Query
- Windows Short Lived DNS Record
- Windows Visual Basic Commandline Compiler DNSQuery