Application Layer Protocol T1071

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Events covered

28 catalog events are tagged with this technique by at least one rule.

| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Sysmon | Event ID 3 | Network connection |
| Sysmon | Event ID 7 | Image loaded |
| Sysmon | Event ID 12 | RegistryEvent (Object create and delete) |
| Sysmon | Event ID 13 | RegistryEvent (Value Set) |
| Sysmon | Event ID 14 | RegistryEvent (Key and Value Rename) |
| Sysmon | Event ID 15 | FileCreateStreamHash |
| Sysmon | Event ID 17 | PipeEvent (Pipe Created) |
| Sysmon | Event ID 18 | PipeEvent (Pipe Connected) |
| Sysmon | Event ID 22 | DNSEvent (DNS query) |
| Security-Auditing | Event ID 4662 | An operation was performed on an object. |
| Security-Auditing | Event ID 4688 | A new process has been created. |
| Security-Auditing | Event ID 4698 | A scheduled task was created. |
| Security-Auditing | Event ID 5136 | A directory service object was modified. |
| Security-Auditing | Event ID 5137 | A directory service object was created. |
| Security-Auditing | Event ID 5152 | The Windows Filtering Platform blocked a packet. |
| Security-Auditing | Event ID 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. |
| Security-Auditing | Event ID 5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. |
| Security-Auditing | Event ID 5156 | The Windows Filtering Platform has permitted a connection. |
| Security-Auditing | Event ID 5157 | The Windows Filtering Platform has blocked a connection. |
| Security-Auditing | Event ID 5158 | The Windows Filtering Platform has permitted a bind to a local port. |
| Security-Auditing | Event ID 5159 | The Windows Filtering Platform has blocked a bind to a local port. |
| Defender-DeviceEvents | any | Defender event (any) |
| DNS-Client | Event ID 3008 | DNS query is completed for the name QueryName, type QueryType, query options QueryOptions with status QueryStatus Results QueryResults. |
| PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData. |
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
| PowerShell | Event ID 800 | Event ID 800 |
| Service-Control-Manager | Event ID 7045 | A service was installed in the system. |

Authoring guide

Patterns shared across the 78 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (66 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
|---|---|---|---|
| CommandLine | 23 | contains 15, regex_match 6, ends_with 3, match 3, wildcard 1 | (?i)ftp\s+(.{1,})?\-s\:.{1,}\.\w{2,5}, (\s+\-[Nvw]+\s+\d+?.*?(((\d{1,3}\.){3}\d{1,3})\|(\w?\wtps?..., --accept-server-license-terms, .exe tunnel, /d /c |
| EventID | 23 | eq 20, in 3 | 22, 3, 1, 17, 18 |
| Image | 20 | ends_with 16, contains 2, eq 2, wildcard 2, in 1 | ?:\programdata\*.exe, ?:\users\*\downloads\*.exe, ?:\users\public\*.exe, \cmd.exe, \curl.exe |
| process_name | 16 | eq 11, wildcard 2, ends_with 1, match 1, ne 1 | cmd.exe, *.com, *.pif, bitsadmin.exe, rundll32.exe |
| QueryName | 11 | contains 4, ends_with 4, in 2, starts_with 2, is_not_null 1 | .stage.123456., aaa.stage., post.1, *.torproject.org, .devtunnels.ms |
| event.type | 11 | eq 11 | start, protocol |
| OriginalFileName | 6 | eq 4, is_null 2 | certreq.exe, msbuild.exe, rundll32.exe, runner.listener.dll, runner.worker.dll |
| EventType | 5 | in 3, eq 1, ne 1 | ConnectPipe, CreatePipe, connection_attempted, deletion, lookup_requested |
| DestinationPortName | 4 | eq 4 | dns, ftp, http, smtp |
| ParentImage | 4 | ends_with 4, contains 1 | \code-tunnel.exe, \code.exe, \explorer.exe, \local\microsoft\taskbar\autoit3.exe, \server\node.exe |
| ScriptBlockText | 4 | contains 4, match 1 | irm, $cmdargs, $command \| nslookup 2>&1 \| out-string, $session.dead = $true, -itemproperty |
| dns.question.name | 4 | wildcard 2, contains 1, match 1 | *.blob.core.windows.net, *.blob.storage.azure.net, *.blogspot.com, *.geojs.io, *portmap.io |
| ParentCommandLine | 3 | ends_with 2, contains 1 | tunnel, .vscode-server |
| parent_process_name | 3 | eq 3 | cmd.exe, conhost.exe, cscript.exe, excel.exe, iexplore.exe |
| process.args | 3 | eq 2, ends_with 1, starts_with 1 | -Post, -q=, -qt=, -querytype=, .bat |

Top indicator values (524 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| event.type | eq | start | 10 | 241 |
| EventID | eq | 22 | 4 | 16 |
| EventID | eq | 3 | 4 | 16 |
| EventID | eq | 1 | 3 | 232 |
| EventID | eq | 4688 | 3 | 312 |
| EventID | eq | 4104 | 2 | 268 |
| EventID | eq | 5136 | 2 | 29 |
| EventID | eq | 5137 | 2 | 5 |
| EventID | eq | 5156 | 2 | 15 |
| CommandLine | contains | --accept-server-license-terms | 3 | 4 |
| CommandLine | contains | code-server.cmd | 3 | 3 |
| CommandLine | contains | .exe tunnel | 2 | 2 |
| CommandLine | contains | /d /c | 2 | 2 |
| CommandLine | contains | \servers\stable- | 2 | 2 |
| CommandLine | contains | internal-run | 2 | 2 |
| CommandLine | contains | service | 2 | 5 |
| CommandLine | contains | tunnel | 2 | 2 |
| CommandLine | contains | tunnel-service.log | 2 | 2 |
| CommandLine | regex_match | (?i)ftp\s+(.{1,})?\-s\:.{1,}\.\w{2,5} | 3 | 3 |
| CommandLine | regex_match | (\s+\-[Nvw]+\s+\d+?.*?(((\d{1,3}\.){3}\d{1,3})\|(\w?\wtps?\:(\/\/\|\x5c\x5c)))\... | 2 | 2 |
| EventID | in | 17 | 3 | 7 |
| EventID | in | 18 | 3 | 7 |
| EventType | in | ConnectPipe | 3 | 4 |
| EventType | in | CreatePipe | 3 | 4 |
| CommandLine | ends_with | .exe tunnel | 2 | 2 |
| Description | contains | st2stager | 2 | 2 |
| Image | ends_with | \cmd.exe | 2 | 134 |
| Image | ends_with | \curl.exe | 2 | 30 |
| Image | ends_with | \finger.exe | 2 | 9 |
| Image | wildcard | ?:\programdata\*.exe | 2 | 5 |

Exclusions (133 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

| Field | Kind | Value | Rules excluding |
|---|---|---|---|
| dest_ip | cidr_match | 10.0.0.0/8 | 6 |
| dest_ip | cidr_match | 127.0.0.0/8 | 6 |
| dest_ip | cidr_match | 169.254.0.0/16 | 6 |
| dest_ip | cidr_match | 172.16.0.0/12 | 6 |
| dest_ip | cidr_match | 192.168.0.0/16 | 6 |
| dest_ip | cidr_match | ::1 | 5 |
| dest_ip | cidr_match | 100.64.0.0/10 | 4 |
| dest_ip | cidr_match | 192.0.0.0/24 | 4 |
| dest_ip | cidr_match | 192.0.0.0/29 | 4 |
| dest_ip | cidr_match | 192.0.0.10/32 | 4 |
| dest_ip | cidr_match | 192.0.0.170/32 | 4 |
| dest_ip | cidr_match | 192.0.0.171/32 | 4 |
| dest_ip | cidr_match | 192.0.0.8/32 | 4 |
| dest_ip | cidr_match | 192.0.0.9/32 | 4 |
| dest_ip | cidr_match | 192.0.2.0/24 | 4 |

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 32 rules

Elastic 15 rules

Splunk 26 rules

Kusto 5 rules