AN0079: Analytic 0079
Detects Web protocol misuse such as encoded HTTP headers, WebSocket upgrade requests with abnormal payloads, or TLS handshake anomalies suggesting embedded C2 channels.
Analyst context for executives and security teams
AN0079 is a detection analytic for finding suspicious misuse of web protocols on network devices, such as encoded HTTP headers, abnormal WebSocket upgrade traffic, or TLS handshake anomalies that may indicate embedded command-and-control channels. For leaders, the value is not the analytic name itself; it is a reminder that C2 activity may blend into common web traffic, so visibility at network control points and the ability to inspect protocol behavior matter for resilience and incident response.
Executive priority
Prioritize this as a validation item for network monitoring and SOC readiness where web traffic is a major egress path. Security leaders should ask whether network devices and monitoring tools can preserve enough HTTP, WebSocket, and TLS metadata to support investigations, whether abnormal protocol behavior is reviewed, and whether evidence can be produced for incident response or compliance inquiries. Because no ATT&CK relationships or tactic mappings are supplied, treat this as a coverage assessment area rather than proof of exposure to a specific adversary or campaign.
Technical view
SOC and detection engineering teams should validate whether existing network-device telemetry can identify protocol misuse patterns described by the analytic: encoded HTTP headers, WebSocket upgrade requests with unusual payload characteristics, and TLS handshake anomalies. Since the official object does not provide detection logic, teams should build or tune detections around observable deviations in web protocol metadata and test them against known-good business traffic to reduce false positives. IR teams should confirm that retained logs support reconstruction of suspicious sessions and correlation with endpoint, identity, or proxy context where available locally.
Likely telemetry
- Network device logs for HTTP and HTTPS sessions
- HTTP header metadata, including unusual or encoded header values where collected
- WebSocket upgrade request metadata and payload-size or framing indicators where available
- TLS handshake metadata, such as version, cipher, SNI, certificate, and handshake error/anomaly indicators
- Proxy, secure web gateway, firewall, IDS/IPS, or network detection logs that summarize web protocol behavior
Detection direction
- Validate that monitoring covers the network devices and egress paths that web traffic actually traverses; otherwise this analytic will have blind spots.
- Tune for protocol anomalies rather than simple domain or IP indicators, because the supplied analytic focuses on misuse of HTTP, WebSocket, and TLS behavior.
- Baseline legitimate encoded headers, WebSocket applications, and nonstandard TLS behavior to manage false positives from enterprise applications, APIs, developer tools, and legacy systems.
- Correlate network anomalies with local endpoint, identity, proxy, and DNS context when available, but do not assume those data sources are part of this ATT&CK object.
- Document what parts of the analytic are actually observable in the environment, especially where encryption or limited network-device logging prevents inspection.
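A minimal triage pass over normalized web-session records that exercises the three signals the analytic names (base64-shaped header values, WebSocket upgrade requests whose key or body break the expected handshake shape, and TLS handshakes with a legacy version or no SNI), together with the per-environment allowlist of legitimately encoded headers that the baselining step above calls for. This is an added example, not code from the ATT&CK object or from Glexia; the record field names, the `X-Api-Key` allowlist entry and the sample records are constructed assumptions.

```python
import base64, binascii, re

B64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
BASELINED = {"X-Api-Key"}  # headers baselined as legitimately encoded in this environment

def strict_b64(value):  # decoded bytes when value is strictly valid base64, else None
    try:
        return base64.b64decode(value, validate=True)
    except binascii.Error:
        return None

def looks_encoded(value):  # long base64-shaped header value that decodes cleanly
    return bool(B64_RE.match(value)) and strict_b64(value) is not None

def websocket_findings(rec):
    """Upgrade: websocket requests whose key or body deviate from the RFC 6455 shape."""
    h = rec["headers"]
    if h.get("Upgrade", "").lower() != "websocket":
        return []
    key = strict_b64(h.get("Sec-WebSocket-Key", ""))  # must decode to 16 bytes
    out = [] if key is not None and len(key) == 16 else ["malformed Sec-WebSocket-Key"]
    if rec.get("body_bytes", 0):  # a handshake GET normally carries no body
        out.append("websocket upgrade carrying %d-byte body" % rec["body_bytes"])
    return out

def tls_findings(rec):
    """Handshake metadata that should not appear on managed egress paths."""
    tls, out = rec.get("tls", {}), []
    if tls.get("version") in ("SSLv3", "1.0", "1.1"):
        out.append("legacy TLS version %s" % tls["version"])
    if tls and not tls.get("sni"):
        out.append("TLS handshake without SNI")
    return out

def triage(rec):
    """All anomalies found for one normalized session record, as short strings."""
    enc = ["encoded header %s" % n for n, v in rec["headers"].items()
           if n not in BASELINED and looks_encoded(v)]
    return enc + websocket_findings(rec) + tls_findings(rec)

# Constructed sample records; field names are assumptions, not a product schema.
SAMPLE = [
    {"id": 1, "headers": {"Host": "api.example.internal", "X-Api-Key": base64.b64encode(
        b"svc-account-key-0001-example-only").decode()},
     "body_bytes": 0, "tls": {"version": "1.3", "sni": "api.example.internal"}},
    {"id": 2, "headers": {"Host": "cdn.example.net", "X-Trace": base64.b64encode(
        b"cmd=poll;host=WS-FIN-07;user=j.doe;interval=60").decode()},
     "body_bytes": 0, "tls": {"version": "1.2", "sni": "cdn.example.net"}},
    {"id": 3, "headers": {"Host": "chat.example.internal", "Upgrade": "websocket",
     "Sec-WebSocket-Key": base64.b64encode(b"0123456789abcdef").decode()},
     "body_bytes": 0, "tls": {"version": "1.3", "sni": "chat.example.internal"}},
    {"id": 4, "headers": {"Host": "198.51.100.7", "Upgrade": "websocket", "Sec-WebSocket-Key": "abc"},
     "body_bytes": 4096, "tls": {"version": "1.0", "sni": None}},
]
```

Calling `triage` on each record in `SAMPLE` leaves records 1 and 3 clean (the allowlisted key and a well-formed upgrade) and returns the encoded-header finding for record 2 and four findings for record 4.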
Mitigation priorities
- First, ensure required network telemetry is enabled, retained, and accessible to the SOC for HTTP, WebSocket, and TLS metadata.
- Next, define acceptable web protocol behavior for critical environments and high-risk egress points, then alert on meaningful deviations.
- Use egress control, proxy policy, and inspection architecture reviews to reduce unmanaged outbound web paths where appropriate.
- Create incident response playbooks for suspicious web protocol tunneling or embedded C2 indicators, including triage, containment decision points, and evidence preservation.
- Review logging and detection evidence requirements for audit and compliance reporting where network monitoring is used as a compensating or detective control.
Analyst notes and limits
This take is based on ATT&CK analytic AN0079 in the enterprise domain, scoped to the Network Devices platform. The object describes detection of web protocol misuse involving encoded HTTP headers, abnormal WebSocket upgrade requests, and TLS handshake anomalies. No tactic, technique, malware, group, campaign, or relationship context was supplied.
The official detection field is not provided, and no relationships are supplied. This prevents schema-supported claims about specific ATT&CK tactics, adversary usage, active exploitation, or guaranteed detection logic. Local architecture, encryption handling, logging depth, and retention determine whether this analytic can be implemented effectively.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4d5705f7527b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0079 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.