Info
ID: AT-DC001.001
Technique: C2 over App-Protocols
Tactic: Deepening Control
Platforms: Linux, macOS, Windows, IaaS
Data Sources: Web-proxy/TLS inspection logs, Safe Client-Gateway API logs, Browser Developer-Tools network traces
Defense Bypassed: C2 domain/port black-listing, anomaly-based network detection (traffic indistinguishable from legitimate Safe usage)
Web Protocols
Command and Control (C2) over Web Protocols is a subtechnique within the Deepening Control phase in which attackers use standard web protocols such as HTTP, HTTPS, and WebSockets to establish and maintain communication between compromised systems and their control infrastructure. The approach is effective because these protocols are permitted through nearly every organizational firewall and proxy, so malicious traffic blends with the bulk of legitimate web traffic. Attackers typically embed tasking and results in otherwise normal-looking requests and responses (a cookie value, a query parameter, a JSON field, a POST body) and hide the content with encoding, encryption, or steganography. When the channel is HTTPS, the payload is invisible to any network control that does not terminate TLS.

Advanced implementations relay through legitimate web services, so that the observable destination is a trusted SaaS or CDN domain, or use domain fronting, where the TLS SNI names a trusted host while the HTTP Host header routes the request to attacker-controlled infrastructure behind the same CDN. In the Safe case covered by the procedure example below, the C2 "channel" was the application's own API: the malicious requests were valid calls to the same endpoints legitimate users hit, which defeats destination- and port-based controls entirely. Detection therefore relies on TLS inspection (where policy permits), behavioral analysis of timing and size patterns, and correlation of network flows with the process that generated them rather than on blocking destinations.
Procedure Examples
ID | Name | Description |
---|---|---|
AC-0001 | Bybit $1.5B Crypto Heist | The JavaScript injected into the Safe{Wallet} front-end proposed the forged upgrade transaction through an ordinary POST /v1/chains/…/transactions/ call to the Safe Client-Gateway, the same endpoint legitimate Safe users hit, so the request itself was indistinguishable from normal wallet activity. |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1037 | Filter Network Traffic | Route all outbound HTTP/S through a secure web-gateway that performs TLS inspection, domain/URL allow-listing, and content-length + entropy checks to block suspect C2 beacons before they leave the network. |
M1031 | Network Intrusion Prevention | Apply signature- and ML-based IPS/WAF rules that flag beacon intervals, SNI/Host mismatches characteristic of domain fronting, or protocol deviations (non-TLS traffic on 443, malformed HTTP), then automatically drop or throttle abnormal sessions. |
M1030 | Network Segmentation | Enforce least-privilege zones and default-deny outbound ACLs so hosts can reach the Internet only via vetted proxies, sharply limiting an attacker’s ability to establish external C2 channels. |
M1040 | Behavior Prevention | Deploy a Cloud Application Detection & Response (CADR) product that baselines per-application HTTP/S behavior and terminates or quarantines requests showing abnormal beacon timing, high-entropy bodies, or domain-fronting patterns indicative of C2-over-web activity. |
Detection
ID | Data Source | Detection |
---|---|---|
DS0029 | Network Traffic Content | Inspect HTTP/S payloads and headers for protocol-deviant patterns: fixed-length or high-entropy bodies, malformed verbs, header order or TLS client fingerprints (JA3/JA4) that differ from browser baselines. Leverage SSL/TLS inspection where policy permits. Correlate with process and command-line metadata to expose non-browser executables generating the traffic. Note that application-API abuse of the kind in AC-0001 produces well-formed requests, so content checks must be paired with per-user or per-application behavioral baselines. |
DS0029 | Network Traffic Flow | Baseline outbound 80/443 flows and alert on beacon-like behavior: small, periodic connections with low interval jitter to first-seen destinations, long-lived sessions with kilobyte-scale transfers, or flows on 443 that never complete a TLS handshake (non-TLS traffic on an HTTPS port). Link each flow to the originating process to spot binaries that do not normally initiate web connections. |
DS0021 | DNS Query | Monitor resolutions of threat-listed, newly registered, or DGA-like domains and correlate them with subsequent HTTP/S sessions. Escalate when the same host repeatedly queries low-reputation domains immediately before establishing web traffic, indicating possible C2 infrastructure. |
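Added example, not from the original page or from any product referenced above: a Python script that applies the beacon-interval and fixed-size checks from the Network Traffic Flow row, together with the payload-entropy check from M1037 and the Network Traffic Content row, to constructed web-proxy log lines and constructed request bodies. The log format and field order, the process names, the destination 203.0.113.45, the known-destination allow set, and the thresholds (interval CV 0.15, size CV 0.10, body entropy 5.0 bits/byte) are all assumptions chosen for illustration, not a vendor log format or a standard.

```python
"""Beacon-interval and payload-entropy checks over constructed web-proxy log lines."""
import base64
import hashlib
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real data). Fields: ISO timestamp, source host,
# originating process, destination, HTTP method, path, bytes sent, bytes received.
# The browser session is irregular; updater.exe posts a 412-byte body roughly every 60 s.
SAMPLE_LOG = """\
2025-03-01T10:00:00Z ws-17 chrome.exe news.example.org GET /index.html 612 48210
2025-03-01T10:00:04Z ws-17 chrome.exe news.example.org GET /css/site.css 590 9120
2025-03-01T10:00:31Z ws-17 chrome.exe news.example.org GET /article/42 640 31002
2025-03-01T10:03:12Z ws-17 chrome.exe news.example.org GET /article/57 651 27611
2025-03-01T10:00:00Z ws-17 updater.exe 203.0.113.45 POST /api/v1/status 412 73
2025-03-01T10:01:01Z ws-17 updater.exe 203.0.113.45 POST /api/v1/status 412 73
2025-03-01T10:02:00Z ws-17 updater.exe 203.0.113.45 POST /api/v1/status 412 73
2025-03-01T10:02:59Z ws-17 updater.exe 203.0.113.45 POST /api/v1/status 412 73
2025-03-01T10:04:01Z ws-17 updater.exe 203.0.113.45 POST /api/v1/status 412 1903
"""

# Assumed allow set of destinations the organisation has seen before.
KNOWN_DESTINATIONS = {"news.example.org"}


def parse_log(text):
    """Parse whitespace-separated log lines into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, proc, dst, method, path, out_b, in_b = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "proc": proc, "dst": dst, "method": method,
            "path": path, "bytes_out": int(out_b), "bytes_in": int(in_b),
        })
    return records


def _cv(values):
    """Coefficient of variation (stdev / mean); 0.0 for a constant or short series."""
    mean = statistics.mean(values)
    if len(values) < 2 or mean == 0:
        return 0.0
    return statistics.stdev(values) / mean


def find_beacons(records, min_hits=4, max_interval_cv=0.15, max_size_cv=0.10):
    """Flag (src, process, dst) tuples whose connections are periodic and fixed-size.

    Periodicity is judged by a low coefficient of variation of inter-arrival times,
    fixed-length request bodies by a low CV of bytes sent. Thresholds are assumed
    tuning values; real deployments calibrate them against their own baseline."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["proc"], r["dst"])].append(r)
    alerts = []
    for (src, proc, dst), hits in groups.items():
        if len(hits) < min_hits:
            continue
        hits.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        interval_cv = _cv(gaps)
        size_cv = _cv([r["bytes_out"] for r in hits])
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            alerts.append({
                "src": src, "process": proc, "dst": dst, "hits": len(hits),
                "mean_interval_s": statistics.mean(gaps),
                "interval_cv": interval_cv, "bytes_out": hits[0]["bytes_out"],
                "first_seen_dst": dst not in KNOWN_DESTINATIONS,
            })
    return alerts


def shannon_entropy(data):
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def body_is_suspicious(body, min_len=64, threshold=5.0):
    """True for bodies long enough to judge whose entropy approaches the 6 bits/byte
    ceiling of base64 text, i.e. encoded or encrypted content rather than a form or
    JSON payload. The threshold is an assumed tuning value, not a standard."""
    return len(body) >= min_len and shannon_entropy(body) >= threshold


# Constructed bodies: an ordinary form post versus a base64 blob of pseudo-random
# bytes (a sha256 chain) standing in for an encrypted C2 task response.
FORM_BODY = b"user=alice&action=view&article=42&page=1&sort=newest&lang=en-GB&theme=light"
_chain = [hashlib.sha256(b"seed").digest()]
for _ in range(5):
    _chain.append(hashlib.sha256(_chain[-1]).digest())
BLOB_BODY = base64.b64encode(b"".join(_chain))  # 192 bytes -> 256 base64 chars

if __name__ == "__main__":
    for alert in find_beacons(parse_log(SAMPLE_LOG)):
        print("beacon-like:", alert)
    print("form body suspicious:", body_is_suspicious(FORM_BODY))
    print("blob body suspicious:", body_is_suspicious(BLOB_BODY))
```

The beacon test deliberately keys on process as well as source and destination: a browser and a backdoor on the same host reaching the same CDN produce different timing signatures, and only the per-process view exposes the one that should never be making web requests. Entropy alone is a weak signal (compressed images and legitimate encrypted blobs also score high), which is why the block reports it as a property to correlate with timing, size and first-seen destination rather than as a verdict by itself.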