Web Protocols
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as HTTP/S and WebSocket that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
Detection logic
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data. Monitor for web traffic to/from known-bad or suspicious domains.
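As an added example that is not part of this page or of the ATT&CK project, the Python below runs the checks described above over constructed input: four flow records with Zeek conn.log-style byte counts plus the owning process (as a sensor with endpoint correlation might report), and two constructed HTTP requests checked against HTTP/1.x request syntax. The process baseline, the domain blocklist, the ratio and size thresholds, and every sample value are assumptions made for illustration.

```python
"""Triage of web-protocol C2 indicators over constructed flow records and raw HTTP requests.

Added example, not code from this page or from MITRE ATT&CK. The field names,
baseline process list, domain blocklist, thresholds and all sample values are
assumptions made for illustration.
"""
import re

# Constructed flow records: Zeek conn.log-style byte counts plus the owning
# process, as a sensor with endpoint correlation might report them.
FLOWS = [
    {"uid": "f1", "proc": "chrome.exe", "src": "10.0.0.5",
     "dst": "cdn.example.net", "orig_bytes": 4_000, "resp_bytes": 900_000},
    {"uid": "f2", "proc": "svchost.exe", "src": "10.0.0.5",
     "dst": "update.example.net", "orig_bytes": 1_200, "resp_bytes": 250_000},
    {"uid": "f3", "proc": "notepad.exe", "src": "10.0.0.7",
     "dst": "files.example-bad.invalid", "orig_bytes": 620_000, "resp_bytes": 3_100},
    {"uid": "f4", "proc": "chrome.exe", "src": "10.0.0.9",
     "dst": "mail.example.net", "orig_bytes": 80_000, "resp_bytes": 12_000},
]

# Assumed baseline of processes that normally talk to the network on these hosts.
BASELINE_NETWORK_PROCS = {"chrome.exe", "svchost.exe", "outlook.exe"}
# Placeholder blocklist; a real deployment would feed threat-intel domains here.
KNOWN_BAD_DOMAINS = {"files.example-bad.invalid"}


def flag_flows(flows, baseline_procs, bad_domains, ratio=5.0, min_orig_bytes=50_000):
    """Return findings for flows matching the three flow-level checks in the text.

    A flow is reported when the client sent at least min_orig_bytes and more
    than `ratio` times what it received (uncommon outbound-heavy flow), when
    the owning process is outside the baseline, or when the destination (or a
    parent domain) is on the blocklist.
    """
    findings = []
    for f in flows:
        reasons = []
        sent, received = f["orig_bytes"], max(f["resp_bytes"], 1)
        if sent >= min_orig_bytes and sent > ratio * received:
            reasons.append(f"client sent {sent / received:.0f}x more than it received")
        if f["proc"] not in baseline_procs:
            reasons.append(f"process {f['proc']} not in network baseline")
        labels = f["dst"].split(".")
        if any(".".join(labels[i:]) in bad_domains for i in range(len(labels))):
            reasons.append(f"destination {f['dst']} matches known-bad domain")
        if reasons:
            findings.append({"uid": f["uid"], "dst": f["dst"], "reasons": reasons})
    return findings


# RFC 9112 request-line and header-field shapes (method token, single spaces,
# HTTP/1.x version; a header name is a token immediately followed by a colon).
REQUEST_LINE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+ \S+ HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*$")


def check_http_request(raw: bytes):
    """Return deviations from HTTP/1.x request syntax; an empty list means well-formed."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in request head"]
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    issues = []
    if not REQUEST_LINE.match(lines[0]):
        issues.append(f"malformed request line: {lines[0]!r}")
    names = set()
    for line in lines[1:]:
        if not HEADER_LINE.match(line):
            issues.append(f"malformed header: {line!r}")
            continue
        names.add(line.split(":", 1)[0].lower())
    if "host" not in names:
        issues.append("missing Host header")
    return issues


# Constructed requests: one ordinary browser-style GET and one carrying a
# header that is not "name: value" as the standard requires.
GOOD_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.net\r\n"
                b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n")
BAD_REQUEST = (b"POST /up HTTP/1.1\r\nHost:c2.example-bad.invalid\r\n"
               b"Cookie id=abc\r\nContent-Length: 3\r\n\r\nabc")

if __name__ == "__main__":
    for finding in flag_flows(FLOWS, BASELINE_NETWORK_PROCS, KNOWN_BAD_DOMAINS):
        print(finding["uid"], finding["dst"], "; ".join(finding["reasons"]))
    print("good request:", check_http_request(GOOD_REQUEST) or "well-formed")
    print("bad request:", check_http_request(BAD_REQUEST))
```

Run as-is, flow f3 trips all three flow checks, while f4 (a webmail-style upload) is reported only by the byte-ratio rule. That second case is the point of the ratio check's thresholds: outbound-heavy flows are common for legitimate uploads, so the size floor, the ratio, and the process baseline are tuning knobs for the environment rather than fixed values, and a ratio-only hit is a lead for analyst context, not a verdict.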
Observed actors
G0082 Kimsuky
G0094 APT41
G0096 APT32
G0050 HAFNIUM
G0125 MuddyWater
G0069 Gamaredon Group
G0047 TeamTNT
G0139 Sandworm Team
G0034 Machete
G0095 APT18
G0026 Sidewinder
G0121 Mustang Panda
G0129 Rocke
G0106 APT39
G0087 APT37
G0067 OilRig
G0049 Higaisa
G0126 Tropic Trooper
G0081 Orangeworm
G0071 Ke3chang
G0004 Confucius
G0142 Winter Vivern
G1035 SilverTerrier
G0083 Turla
G0010 TA505
G0092 BITTER
G1002 RedCurl
G1039 Stealth Falcon
G0038 APT29
G0016 Dark Caracal
G0070 Chimera
G0114 BRONZE BUTLER
G0060 TA551
G0127 Windshift
G0112 LuminousMoth
G1014 APT28
G0007 Metador
G1013 Lazarus Group
G0032 FIN4
G0085 Cobalt Group
G0080 Wizard Spider
G0102 Moonstone Sleet
G1036 Inception
G0100 Daggerfly
G1034 Rancor
G0075 WIRTE
G0090 Magic Hound
G0059 Threat Group-3390
G0027 APT33
G0064 FIN8
G0061 FIN13
G1016 APT19
G0073
Correlated CTI and IR reports
Check Point Research · direct source mapping · APT39 (Chafer / Remix Kitten)
Israel Threat Actors CTI · explicit report mention · APT41 Targeting Pharmaceutical Sector: Log4Shell to Domain Compromise
1200km CTI repository · explicit report mention · ATT&CK as a Working Tool: Theory and Hands-On Practical Usage
1200km CTI repository · explicit report mention · CTI Research: MuddyWater / Seedworm (Mango Sandstorm)
1200km CTI repository · explicit report mention · CTI Research: Sandworm / APT44
1200km CTI repository · explicit report mention · Executive Summary
Israel Threat Actors CTI · explicit report mention · From Threat Intelligence to Detection: A Practitioner's Guide
1200km CTI repository · explicit report mention · IOC Tables — MuddyWater / Seedworm (Mango Sandstorm)
1200km CTI repository · explicit report mention · Operation DragonRx — APT41 Full Attack Simulation
1200km CTI repository · explicit report mention · Operation DragonRx: Simulating an APT41 Attack End-to-End — From Log4Shell to DFIR and Malware Analysis
1200km CTI repository · explicit report mention · ATT&CK as a Working Tool: Theory and Hands-On Practical Usage
1200km Medium · authored report mention · CTI Research: MuddyWater / Seedworm (Mango Sandstorm)
1200km Medium · authored report mention · CTI Research: Sandworm / APT44
1200km Medium · authored report mention · From Threat Intelligence to Detection: A Practitioner's Guide
1200km Medium · authored report mention