Application Layer Protocol
Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, DNS, or publishing/subscribing. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.
Open detection, hunting, mitigation, and evidence workspace
Detection logic
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.
Observed actors
Correlated CTI and IR reports
Israel Threat Actors CTI · explicit report mentionATT&CK as a Working Tool: Theory and Hands-On Practical Usage
1200km CTI repository · explicit report mentionCTI Research: LLM/AI/MCP Usage in the Cyber Kill Chain
1200km CTI repository · explicit report mentionCTI Research: LLM/AI/MCP Usage in the Cyber Kill Chain
1200km CTI repository · explicit report mentionExecutive Summary
Israel Threat Actors CTI · explicit report mentionATT CK as a Working Tool Theory and Hands On Practical Usage
1200km Medium · authored report mentionCTI Analyst Field Manual Complete Reference
1200km Medium · authored report mentionCyberattacks on 4G LTE Telecom Networks Threat Mapping and Defense
1200km Medium · authored report mention