Application Layer Protocol

Application layer protocol abuse is the technique of using a legitimate network protocol for malicious communication and evading detection by imitating normal business traffic. Adversaries usually pick protocols that are already widely used on the target network (HTTP, DNS, SMB and the like) as the transport, and hide command and control, data exfiltration and other malicious activity inside standard protocol exchanges. Traditional defenses counter this by checking protocol compliance (for example, conformance to the relevant RFC), detecting use of non-standard ports, and identifying abnormal session patterns, such as verifying that HTTP header fields are complete and well-formed or that DNS query rates are not anomalous.

To get past the detection boundary of conventional protocol analysis, adversaries keep refining their protocol-abuse tradecraft and have developed concealment techniques such as multi-protocol coordination, nested encryption and dynamic fragmentation. By adapting closely to the characteristics of the target network, adhering strictly to protocol specifications, and making creative use of protocol extension mechanisms, these techniques blend malicious communication into normal business traffic so that it matches legitimate traffic both in form and in behavior, which significantly improves the stealth and survivability of the attack traffic.

The current evolution of application-layer concealment concentrates on two dimensions: integration into the protocol ecosystem, and defense in depth through encryption. On the protocol side, adversaries switch dynamically between several protocols to decouple functions (for example, one channel for tasking and another for bulk transfer) and exploit the complementary strengths of those protocols to evade detection that looks at a single dimension; they also mimic protocol characteristics precisely so that a malicious session conforms to business expectations at both the syntactic and the semantic level. On the encryption side, they build multi-layer nested encryption: the outer layer uses a standard encryption protocol so that transport-layer inspection sees nothing unusual, while the inner layer uses a private scheme to defeat deep content analysis. Protocol fragmentation breaks the attack signature apart along the time and space dimensions, and scheduling logic spreads the data traces across long-running network interactions. What these techniques share is that they move beyond the flat, single-layer view of protocol analysis: by restructuring the protocol stack in a layered, dynamic way they achieve panoramic concealment of malicious traffic.

This evolution is steadily eroding defenses built on protocol fingerprint matching and port allow/deny lists. Defenders need protocol behavior baselining: statistical or machine-learning models of multi-dimensional protocol interaction that can detect fine-grained protocol anomalies (such as abnormal distributions of field values). They should also strengthen analysis of encrypted-traffic metadata, develop threat identification that does not require decryption, and build cross-protocol correlation so that covert, multi-protocol attack chains can be identified.
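The field-value baseline described above, as an added example that is not part of the MITRE page or any project's code: it parses raw HTTP/1.1 request heads, applies a few structural checks from RFC 9112, learns how often each User-Agent, Accept, Accept-Encoding and Accept-Language value and each header ordering occurs in a known-good capture, and then scores new requests by how rare their values and layout are. The request templates, the intranet.example host, the choice of baselined fields and the 5% rarity threshold are all constructed assumptions for the example.

```python
"""Baseline HTTP/1.1 request-header field values and header order, plus RFC 9112
structural checks. Added example on constructed requests; not MITRE's code."""
import re
from collections import Counter

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$")
# Assumption: these fields are stable for a given browser population.
BASELINE_FIELDS = ("user-agent", "accept", "accept-encoding", "accept-language")


def parse_request(raw: str):
    """Parse a raw request head into (method, target, version, [(name, value), ...]).
    Header order is preserved because it is part of a client's fingerprint."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return m["method"], m["target"], m["ver"], headers


def compliance_findings(method, version, headers):
    """Structural checks from RFC 9112 that a spec-faithful client never trips."""
    names = [n for n, _ in headers]
    findings = []
    if version == "1.1" and names.count("host") != 1:
        findings.append("HTTP/1.1 request without exactly one Host header")
    if "content-length" in names and "transfer-encoding" in names:
        findings.append("both Content-Length and Transfer-Encoding present")
    if method == "POST" and not {"content-length", "transfer-encoding"} & set(names):
        findings.append("POST without Content-Length or Transfer-Encoding")
    return findings


class HeaderBaseline:
    """Counts field values and header order over known-good requests, then
    scores new requests by how rare their values and layout are."""

    def __init__(self):
        self.value_counts = {f: Counter() for f in BASELINE_FIELDS}
        self.order_counts = Counter()
        self.n = 0

    def learn(self, raw: str) -> None:
        _, _, _, headers = parse_request(raw)
        present = dict(headers)
        self.n += 1
        for f in BASELINE_FIELDS:
            self.value_counts[f][present.get(f, "<absent>")] += 1
        self.order_counts[tuple(n for n, _ in headers)] += 1

    def score(self, raw: str, min_share: float = 0.05) -> list:
        method, _, version, headers = parse_request(raw)
        findings = compliance_findings(method, version, headers)
        present = dict(headers)
        for f in BASELINE_FIELDS:
            value = present.get(f, "<absent>")
            share = self.value_counts[f][value] / max(self.n, 1)
            if share < min_share:
                findings.append(f"rare {f} value {value!r} ({share:.0%} of baseline)")
        if self.order_counts[tuple(n for n, _ in headers)] == 0:
            findings.append("header order never seen in baseline")
        return findings


# Constructed browser request template standing in for a known-good capture.
def browser_request(path: str, ua: str) -> str:
    return (f"GET {path} HTTP/1.1\r\nHost: intranet.example\r\nConnection: keep-alive\r\n"
            f"User-Agent: {ua}\r\nAccept: text/html,application/xhtml+xml,*/*;q=0.8\r\n"
            "Accept-Encoding: gzip, deflate, br\r\nAccept-Language: en-US,en;q=0.9\r\n\r\n")


CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Firefox/125.0"
# Well-formed HTTP, but values and header order no browser on this network uses.
SCRIPTED_POST = ("POST /api/update HTTP/1.1\r\nHost: intranet.example\r\n"
                 "User-Agent: python-requests/2.31.0\r\nAccept-Encoding: gzip, deflate\r\n"
                 "Accept: */*\r\nContent-Length: 32\r\n\r\n")
NO_HOST = f"GET /status HTTP/1.1\r\nUser-Agent: {CHROME_UA}\r\n\r\n"


def build_baseline() -> HeaderBaseline:
    """Constructed baseline: 18 Chrome and 2 Firefox requests."""
    baseline = HeaderBaseline()
    for i in range(18):
        baseline.learn(browser_request(f"/page{i}", CHROME_UA))
    for i in range(2):
        baseline.learn(browser_request(f"/doc{i}", FIREFOX_UA))
    return baseline


if __name__ == "__main__":
    baseline = build_baseline()
    for name, req in [("chrome", browser_request("/x", CHROME_UA)),
                      ("scripted POST", SCRIPTED_POST), ("no Host", NO_HOST)]:
        print(name, baseline.score(req))
```

The scripted POST is fully RFC-compliant and would pass a pure conformance check; it is caught only because its User-Agent, Accept values, missing Accept-Language and header order have zero support in the baseline. In production the baseline should be learned per client population and refreshed as browser builds change, or every browser update will look like an anomaly.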

ID: T1071
Sub-techniques: T1071.001, T1071.002, T1071.003, T1071.004
Tactic: Command and Control
Platforms: Linux, Network, Windows, macOS
Contributors: Duane Michael
Version: 2.3
Created: 31 May 2017
Last Modified: 28 August 2024

Concealment Effects

Effect type                    Present
Signature camouflage           Yes
Behavioral transparency        No
Data obscuration               Yes
Spatiotemporal trace dilution  Yes

Signature camouflage

The adversary precisely mimics the interaction characteristics of the protocols that dominate the target network, so that malicious traffic matches legitimate traffic in protocol structure, field values and interaction timing. Examples include building request headers that fully comply with the HTTP specification, or carrying encrypted instructions in the TXT record field of DNS responses. Because of this deep camouflage, defenses that rely on protocol compliance checks struggle to recognize the anomaly.

Data obscuration

A multi-layer encryption scheme combines a standard encryption protocol (such as TLS) with a private cipher: the outer layer satisfies the transport security requirement, while the inner layer hides the actual content of the communication. For example, an AES-encrypted custom protocol nested inside HTTPS means that even after the TLS layer has been decrypted, no useful attack information is exposed, so the data is obscured several times over.
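What the defender can still do after TLS termination, as an added example that is not part of the MITRE page or any project's code: once the outer layer is gone, the inner ciphertext cannot be read, but its statistics do not match what the HTTP headers claim. The check below compares each decrypted body's byte entropy and printable ratio against the declared Content-Type, decompresses gzip first so that legitimate compression is not mistaken for encryption, and flags bodies that are declared textual but look like raw or base64-encoded ciphertext. The inner cipher is a SHA-256 counter-mode keystream standing in for the AES layer the text describes (any sound cipher gives the same uniform output, which is all the check relies on); the key, the tasking string, the HTML sample and the 0.95 / 5.5 / 7.5 thresholds are constructed assumptions.

```python
"""Inspect decrypted (post-TLS) HTTP messages for bodies whose statistics do not
match the declared Content-Type. Added example on constructed messages."""
import base64
import gzip
import hashlib
import json
import math
from collections import Counter

TEXTUAL_TYPES = ("text/", "application/json", "application/xml",
                 "application/javascript", "application/x-www-form-urlencoded")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English/HTML ~4-5, base64 of ciphertext ~6, raw ciphertext ~8."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / max(len(data), 1)


def inspect_message(headers: dict, body: bytes, min_len: int = 256) -> list:
    """Findings for one HTTP message whose TLS layer has already been removed.
    Thresholds are assumptions; tune them against the local traffic baseline."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    encoding = headers.get("content-encoding", "").strip().lower()
    if encoding == "gzip":
        try:
            body = gzip.decompress(body)  # judge the real content, not the compressed bytes
        except (OSError, EOFError):
            return ["Content-Encoding: gzip but body does not decompress"]
    elif encoding:
        return [f"unhandled Content-Encoding {encoding!r}, body not inspected"]
    if len(body) < min_len:
        return []
    ent, printable = shannon_entropy(body), printable_ratio(body)
    findings = []
    if ctype.startswith(TEXTUAL_TYPES):
        if printable < 0.95:
            findings.append(f"{ctype} declared but {1 - printable:.0%} of body is "
                            f"non-printable (entropy {ent:.2f} bits/byte)")
        elif ent > 5.5:
            findings.append(f"{ctype} declared but body entropy {ent:.2f} bits/char "
                            "is in the range of encoded ciphertext")
    elif not ctype and ent > 7.5:
        findings.append(f"no Content-Type and body entropy {ent:.2f} bits/byte")
    return findings


def toy_stream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the adversary's inner cipher: SHA-256 counter-mode keystream XOR.
    Not a real cipher design; used only because its output is statistically uniform,
    the property any competent inner layer (AES-CTR, ChaCha20, ...) shares."""
    out = bytearray()
    for off in range(0, len(plaintext), 32):
        keystream = hashlib.sha256(key + (off // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(plaintext[off:off + 32], keystream))
    return bytes(out)


# Constructed sample messages: (label, headers, body).
HTML = (b"<html><body>"
        + b"<p>Quarterly report: revenue grew 4 percent over the prior period.</p>\n" * 12
        + b"</body></html>")
INNER = toy_stream_encrypt(b"constructed-inner-key-0123456789",
                           b"cmd=whoami;sleep=300;jitter=20;" * 26)
SAMPLES = [
    ("plain html", {"content-type": "text/html; charset=utf-8"}, HTML),
    ("gzipped html", {"content-type": "text/html", "content-encoding": "gzip"},
     gzip.compress(HTML)),
    ("inner ciphertext as text/plain", {"content-type": "text/plain"}, INNER),
    ("inner ciphertext base64 in JSON", {"content-type": "application/json"},
     json.dumps({"session": "c1", "blob": base64.b64encode(INNER).decode()}).encode()),
]


def run_inspection() -> dict:
    """Map each sample label to its findings (empty list means nothing unusual)."""
    return {label: inspect_message(headers, body) for label, headers, body in SAMPLES}


if __name__ == "__main__":
    for label, findings in run_inspection().items():
        print(f"{label}: {findings or 'ok'}")
```

The gzip branch matters: compressed HTML has entropy close to 8 bits/byte and would be flagged as ciphertext if the check looked at the wire bytes. The 5.5 bits/char threshold for textual types will also fire on large minified JavaScript or inline images, so in practice the score should be combined with destination reputation and with the beaconing and baseline checks described elsewhere on this page rather than used alone.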

Spatiotemporal trace dilution

Using fragmented protocol transfers and dynamic scheduling, the adversary splits the complete payload into many small fragments and transmits them over a long period through different protocol channels. For example, data fragments hidden in DNS queries spread over several consecutive weeks use the time dimension to dilute the concentration of attack signatures, so that detection systems that analyze traffic over short windows never see the complete attack chain.
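The DNS case from the Signature camouflage and Spatiotemporal trace dilution sections above, as an added example that is not part of the MITRE page or any project's code. The script parses constructed resolver log lines, aggregates per (client, registered domain) the number of distinct query prefixes, the mean entropy of the first label and the characters carried in it, and then runs the same detector over tumbling windows of one hour, one day and fourteen days. A slow TXT channel that sends one 40-character label every two hours stays under a "20 distinct subdomains" threshold in every short window and is only caught when the window is long enough to accumulate the fragments. The log format, the example.com / example.net domains, the client addresses, the rate and the thresholds are constructed assumptions.

```python
"""Aggregate DNS query logs per (client, registered domain) and compare short and
long analysis windows. Added example on constructed log lines; not MITRE's code."""
import math
import random
import re
import string
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed resolver log format, constructed for this example.
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>\S+) qname=(?P<qname>\S+)$")


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["client"], m["qtype"], m["qname"].rstrip(".").lower()


def shannon_entropy(s: str) -> float:
    """Bits per character; 40 random base32 chars score ~4.4, hostnames under 3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def registered_domain(qname: str) -> str:
    # Assumption: the last two labels approximate the registered domain.
    # Production code should consult the public suffix list instead.
    return ".".join(qname.split(".")[-2:])


def aggregate(records):
    """Per (client, registered domain): query count, distinct prefixes, summed
    first-label entropy, characters carried in first labels, TXT count."""
    stats = defaultdict(lambda: {"queries": 0, "prefixes": set(), "entropy_sum": 0.0,
                                 "payload_chars": 0, "txt": 0})
    for _, client, qtype, qname in records:
        rd = registered_domain(qname)
        prefix = qname[: -len(rd)].rstrip(".")
        first = prefix.split(".")[0] if prefix else ""
        s = stats[(client, rd)]
        s["queries"] += 1
        s["prefixes"].add(prefix)
        s["entropy_sum"] += shannon_entropy(first)
        s["payload_chars"] += len(first)
        s["txt"] += qtype == "TXT"
    return stats


def flag(stats, min_unique: int = 20, min_entropy: float = 3.5) -> dict:
    """Flag keys with many distinct, high-entropy prefixes (thresholds are assumptions)."""
    alerts = {}
    for key, s in stats.items():
        mean_entropy = s["entropy_sum"] / s["queries"]
        if len(s["prefixes"]) >= min_unique and mean_entropy >= min_entropy:
            alerts[key] = {"unique": len(s["prefixes"]), "mean_entropy": round(mean_entropy, 2),
                           "payload_chars": s["payload_chars"], "txt_queries": s["txt"]}
    return alerts


def windowed_alerts(records, window: timedelta) -> dict:
    """Run flag() over tumbling windows; each window starts at its first record."""
    alerts, bucket, start = {}, [], None
    for rec in sorted(records):
        if start is not None and rec[0] - start >= window:
            alerts.update(flag(aggregate(bucket)))
            bucket, start = [], None
        start = start or rec[0]
        bucket.append(rec)
    if bucket:
        alerts.update(flag(aggregate(bucket)))
    return alerts


def build_sample_log() -> list:
    """Constructed: 14 days of ordinary A lookups from 10.0.0.5, plus one TXT query
    every two hours from 10.0.0.7 whose first label is 40 random base32 characters."""
    start, rng, lines = datetime(2024, 5, 1, tzinfo=timezone.utc), random.Random(1), []
    for day in range(14):
        for hour in (9, 12, 17):
            for host in ("www", "mail", "cdn"):
                ts = start + timedelta(days=day, hours=hour)
                lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} client=10.0.0.5 qtype=A qname={host}.example.com.")
    for i in range(168):
        ts = start + timedelta(hours=2 * i)
        label = "".join(rng.choice(string.ascii_lowercase + "234567") for _ in range(40))
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} client=10.0.0.7 qtype=TXT qname={label}.sync.example.net.")
    return lines


RECORDS = [parse_line(line) for line in build_sample_log()]


def alerts_for(hours: int) -> dict:
    return windowed_alerts(RECORDS, timedelta(hours=hours))


if __name__ == "__main__":
    for hours in (1, 24, 336):
        print(f"{hours:>4}h window:", alerts_for(hours) or "no alerts")
```

Only the 14-day window produces an alert, and the alert carries the accumulated payload size (168 labels of 40 characters), which is the figure an incident responder needs to scope the exfiltration. Two caveats for real deployments: the two-label approximation of the registered domain will merge everything under a shared hosting suffix into one key, so use the public suffix list, and a per-window distinct-prefix count must be normalized by the window length or a large CDN customer will trip the long-window threshold as well.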

Procedure Examples

ID     Name            Description
S0660  Clambling       Clambling has the ability to use Telnet for communication.[1]
S0038  Duqu            Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols.[2]
S0601  Hildegard       Hildegard has used an IRC channel for C2 communications.[3]
G1032  INC Ransom      INC Ransom has used valid accounts over RDP to connect to targeted systems.[4]
S0532  Lucifer         Lucifer can use the Stratum protocol on port 10001 for communication between the cryptojacking bot and the mining server.[5]
G0059  Magic Hound     Magic Hound malware has used IRC for C2.[6][7]
S0034  NETEAGLE        Adversaries can also use NETEAGLE to establish an RDP connection with a controller over TCP/7519.
S1147  Nightdoor       Nightdoor uses TCP and UDP communication for command and control traffic.[8][9]
S1084  QUIETEXIT       QUIETEXIT can use an inverse negotiated SSH connection as part of its C2.[10]
S1130  Raspberry Robin Raspberry Robin is capable of contacting the TOR network for delivering second-stage payloads.[11][12][13]
G0106  Rocke           Rocke issued wget requests from infected systems to the C2.[14]
S0623  Siloscape       Siloscape connects to an IRC server for C2.[15]
G0139  TeamTNT         TeamTNT has used an IRC bot for C2 communications.[16]

Mitigations

ID     Mitigation                    Description
M1037  Filter Network Traffic        Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
M1031  Network Intrusion Prevention  Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

Detection

ID      Data Source      Data Component           Detects
DS0029  Network Traffic  Network Traffic Content  Monitor and analyze traffic patterns and packet inspection associated with protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).
DS0029  Network Traffic  Network Traffic Flow     Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).

References