DET0444: Detection of Command and Control Over Application Layer Protocols
Analyst context for executives and security teams
DET0444 is a MITRE detection strategy for identifying command-and-control activity that uses normal application-layer protocols. The business issue is that this traffic can look like ordinary web, file transfer, email, DNS, or publish/subscribe communication, so organizations need evidence that their monitoring can distinguish legitimate business communications from remote command traffic without relying only on blocked ports or perimeter filtering.
Executive priority
Prioritize this as a resilience and incident-response readiness question: can the SOC prove it has visibility into application-layer command-and-control patterns across the environments where T1071 applies, including Windows, macOS, Linux, and network devices? Leaders should ask whether network monitoring, endpoint evidence, DNS visibility, and investigation workflows are sufficient to support containment decisions and audit evidence when suspicious outbound or internal protocol traffic is observed.
Technical view
The detection strategy is related to ATT&CK technique T1071, Application Layer Protocol, under command-and-control. Because the official DET0444 description and detection text are not provided, teams should validate coverage against the related technique context: adversary command traffic may be embedded in common application protocols used for browsing, file transfer, email, DNS, or publish/subscribe messaging. SOC and detection teams should focus on confirming protocol-aware visibility, baselining normal application traffic, and correlating network observations with host/process context where available.
Likely telemetry
- Protocol-aware network traffic metadata for application-layer protocols
- DNS query and response logs
- Web proxy, secure web gateway, or HTTP/S transaction logs where available
- Email and file-transfer service logs where relevant to the environment
- Network device flow records and connection metadata
Detection direction
- Validate that detections are mapped to T1071 command-and-control behavior rather than only generic blocked-connection events.
- Look for unusual use of common application protocols, including unexpected destinations, timing, volume, user-agent or client patterns, or protocol use by unusual hosts or processes, while accounting for legitimate business applications.
- Correlate network events with endpoint process context where possible to reduce false positives and support response decisions.
- Check blind spots around encrypted traffic, internal east-west communications, unmanaged network devices, and protocols that are allowed by default.
- Because DET0444 has no supplied official detection logic, treat this as a coverage-validation objective and tune locally using known-good baselines and environment-specific business traffic.
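The timing, client-pattern and host/process correlation checks listed above, worked as an added example that is not part of the DET0444 object or MITRE's text; the proxy log format, field names, hostnames, destinations, thresholds and process names are all constructed for illustration:

```python
"""Added example: flag regular-cadence, rare-client HTTP flows in constructed proxy
records and attach host/process context for analyst review against local baselines.
Record layout (ts seconds, src host, dest, user-agent, bytes, process) is constructed."""

from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records; not real telemetry
SAMPLE_LOG = [
    (0,   "ws01", "cdn.example-corp.test", "Mozilla/5.0 Chrome", 5120, "chrome.exe"),
    (37,  "ws01", "cdn.example-corp.test", "Mozilla/5.0 Chrome", 8000, "chrome.exe"),
    (900, "ws01", "cdn.example-corp.test", "Mozilla/5.0 Chrome", 4100, "chrome.exe"),
    (15,  "ws03", "cdn.example-corp.test", "Mozilla/5.0 Chrome", 2200, "chrome.exe"),
    (0,   "ws02", "updates.unknown.test",  "Mozilla/4.0 compat", 312,  "svchost.exe"),
    (60,  "ws02", "updates.unknown.test",  "Mozilla/4.0 compat", 310,  "svchost.exe"),
    (121, "ws02", "updates.unknown.test",  "Mozilla/4.0 compat", 315,  "svchost.exe"),
    (180, "ws02", "updates.unknown.test",  "Mozilla/4.0 compat", 309,  "svchost.exe"),
    (240, "ws02", "updates.unknown.test",  "Mozilla/4.0 compat", 311,  "svchost.exe"),
]

def baseline_user_agents(records):
    """Count distinct source hosts per user-agent: the fleet-wide 'normal' view."""
    hosts = defaultdict(set)
    for _, src, _, ua, _, _ in records:
        hosts[ua].add(src)
    return {ua: len(h) for ua, h in hosts.items()}

def find_beacons(records, min_requests=4, max_jitter=0.2, max_ua_hosts=1):
    """Return (src, dest, process, mean_interval_s) for low-jitter, rare-client flows."""
    ua_hosts = baseline_user_agents(records)
    flows = defaultdict(list)
    for ts, src, dest, ua, _, proc in sorted(records):
        flows[(src, dest, ua, proc)].append(ts)
    hits = []
    for (src, dest, ua, proc), stamps in flows.items():
        if len(stamps) < min_requests:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:            # burst of identical timestamps: not a cadence
            continue
        jitter = pstdev(gaps) / avg   # coefficient of variation of the intervals
        # Regular cadence from a client string few hosts use: worth an analyst look
        if jitter <= max_jitter and ua_hosts[ua] <= max_ua_hosts:
            hits.append((src, dest, proc, round(avg, 1)))
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("review against local baseline:", hit)
```

Thresholds are placeholders; tune `min_requests`, `max_jitter` and `max_ua_hosts` against known-good business traffic before treating a hit as more than a triage lead.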
Mitigation priorities
- Establish inventory and ownership for systems and services expected to use key application-layer protocols.
- Ensure logging is enabled and retained for DNS, web, file transfer, email, relevant application services, endpoint network connections, and network devices where applicable.
- Apply egress governance and network filtering policies that align allowed protocols and destinations to business need.
- Use segmentation and internal monitoring so command-and-control over normal protocols is not invisible after initial access.
- Prepare IR playbooks for suspicious application-layer C2 that define triage, host isolation, credential review, and evidence preservation steps.
Analyst notes and limits
This take is based on the DET0444 detection-strategy object and its relationship to T1071 Application Layer Protocol. The detection strategy itself has no official description, tactics, platforms, or detection text supplied, so the practical guidance is derived from the related ATT&CK technique context and should be validated against local architecture and telemetry.
No active exploitation, threat actor attribution, vendor-specific analytics, or guaranteed detection coverage is supported by the supplied fields. Platforms and tactics are taken from the related T1071 technique, not from the DET0444 object itself. Local protocol usage, encryption, logging depth, and retention will determine actual coverage.
Detection of Command and Control Over Application Layer Protocols
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071 | Application Layer Protocol | This object detects Application Layer Protocol. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b2b7d3ea5412… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.