MITRE ATT&CK® Technique

T1071: Application Layer Protocol

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, DNS, or publishing/subscribing. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.[1]

Enterprise · T1071 · Technique · Object v2.4 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Application Layer Protocol is important because command-and-control can hide inside the same protocols organizations depend on every day: web, file transfer, mail, DNS, pub/sub, and internal protocols such as SMB, SSH, or RDP. For leaders, the issue is not one protocol; it is whether the organization can distinguish normal business traffic from remote control traffic across endpoints, network devices, and ESXi/Linux/macOS/Windows environments.

Executive priority

Prioritize this as a command-and-control visibility and egress-control problem. Executives should ask whether security teams can prove which systems are allowed to initiate web, DNS, mail, file-transfer, SMB, SSH, and RDP communications; whether boundary and internal filtering are enforced; and whether SOC/IR teams have usable evidence when malware or an intruder blends into approved traffic. This also matters for cyber-physical risk because the supplied relationship context includes a campaign involving disruption of district heating operations, showing that protocol-based communications can be relevant beyond traditional IT availability.

Technical view

ATT&CK provides no official detection text for T1071, but it links a detection strategy, DET0444, for command-and-control over application layer protocols. SOC and detection teams should validate coverage across the parent technique and its subtechniques: Web Protocols, File Transfer Protocols, Mail Protocols, DNS, and Publish/Subscribe Protocols. Because the technique spans Linux, macOS, Windows, Network Devices, and ESXi, detection cannot rely only on endpoint agents. Validate north-south and east-west monitoring, especially where proxies, network appliances, opaque network devices, or internal pivot paths may limit endpoint telemetry.

Likely telemetry

  • Network flow records for outbound and internal connections
  • Proxy and web gateway logs for HTTP/S and WebSocket-like traffic
  • DNS query and response logs
  • Firewall, network appliance, and egress filtering logs
  • IDS/IPS alerts and signature matches at network boundaries

Detection direction

  • Map allowed application-layer protocols by asset role, then look for protocol use that violates expected business patterns.
  • Tune detections around command-and-control behavior rather than protocol name alone, because the technique depends on blending into common traffic.
  • Validate coverage for each related subtechnique: web, file transfer, mail, DNS, and pub/sub protocols.
  • Include internal traffic paths, not only internet egress, because ATT&CK notes use between proxy or pivot nodes and other nodes inside an enclave.
  • Account for blind spots on network devices and appliances that may not support typical endpoint detection tooling.
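The first detection point above, a per-role baseline of allowed application-layer protocols checked over both egress and internal paths, as an added worked example (not Glexia or MITRE code). The role policy, asset inventory and flow records are all hypothetical and constructed here so it runs offline:

```python
from dataclasses import dataclass

# Added example, not Glexia or MITRE code. Policy and inventory below are
# hypothetical; flows are constructed for demonstration.
ROLE_ALLOWED_PROTOCOLS = {          # protocols each asset role may initiate
    "workstation": {"http", "https", "dns", "smb"},
    "web_server": {"https", "dns"},
    "domain_controller": {"dns", "smb", "ldap"},
    "plc_gateway": {"modbus"},      # OT role: no web, DNS or SSH expected
}
ASSET_ROLES = {                     # hypothetical asset inventory
    "10.0.1.10": "workstation",
    "10.0.2.5": "web_server",
    "10.0.3.7": "domain_controller",
    "10.0.9.20": "plc_gateway",
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # application-layer protocol as labelled by the sensor
    internal: bool  # True when dst is inside the enclave (east-west path)

def flag_policy_violations(flows):
    """Return (flow, reason) pairs for flows outside the role baseline.
    A source with no inventory role is reported too: it has no baseline,
    which is the visibility gap the text warns about for appliances.
    """
    findings = []
    for f in flows:
        role = ASSET_ROLES.get(f.src)
        if role is None:
            findings.append((f, "no role recorded for source host"))
        elif f.proto not in ROLE_ALLOWED_PROTOCOLS[role]:
            path = "internal" if f.internal else "egress"
            findings.append((f, f"{role} using {f.proto} on {path} path"))
    return findings

SAMPLE_FLOWS = [  # constructed records
    Flow("10.0.1.10", "203.0.113.8", "https", False),  # normal web egress
    Flow("10.0.2.5", "10.0.1.10", "ssh", True),        # web server reaching inward
    Flow("10.0.9.20", "203.0.113.9", "dns", False),    # OT gateway resolving names
    Flow("10.0.5.50", "203.0.113.10", "http", False),  # host missing from inventory
]

if __name__ == "__main__":
    for flow, reason in flag_policy_violations(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst} [{flow.proto}]: {reason}")
```

A finding here is a baseline deviation to triage against business context, not a C2 verdict; the same protocols are also normal traffic, which is why the role map must come from local inventory.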

Mitigation priorities

  • Start with M1037 Filter Network Traffic: enforce ingress, egress, and lateral firewall or endpoint filtering rules based on authorized business need.
  • Apply protocol-based restrictions where feasible, including limiting which systems may use mail, DNS, file transfer, SMB, SSH, RDP, or pub/sub protocols.
  • Use M1031 Network Intrusion Prevention at network boundaries to block known malicious or policy-violating traffic with signatures where appropriate.
  • Review internal segmentation so common protocols cannot be freely used for pivot-node communications across enclaves.
  • Treat network devices, ESXi, and other low-visibility assets as explicit control-design targets, not exceptions.

Analyst notes and limits

The relationship set shows broad relevance: multiple groups, software families, and a campaign are mapped to this technique, and subtechniques cover several common protocol families. That breadth makes T1071 useful for control validation and detection engineering prioritization, but local baselining is essential because the same protocols are also normal business traffic.

MITRE did not provide official detection text for this object. This take is based only on the supplied ATT&CK description, platforms, tactics, external references, mitigations, detection-strategy relationship, and relationship context. It does not assert active exploitation, specific customer exposure, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name                          Relationship / procedure
Enterprise  T1071.001  Web Protocols                 Sub-technique of this object
Enterprise  T1071.002  File Transfer Protocols       Sub-technique of this object
Enterprise  T1071.003  Mail Protocols                Sub-technique of this object
Enterprise  T1071.004  DNS                           Sub-technique of this object
Enterprise  T1071.005  Publish/Subscribe Protocols   Sub-technique of this object
Associated objects

Groups, software, and campaigns

Group Enterprise

G0059: Magic Hound

Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.[1][2][3][4][5]

Group Enterprise

G0106: Rocke

Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.[1]

Group Enterprise

G1047: Velvet Ant

Velvet Ant is a threat actor operating since at least 2021. Velvet Ant is associated with complex persistence mechanisms, the targeting of network devices and appliances during operations, and the use of zero day exploits.[1][2]

Group Enterprise

G0139: TeamTNT

TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.[1][2][3][4][5][6][7][8][9]

Malware Enterprise

S0601: Hildegard

Hildegard is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind Hildegard.[1]

Platforms: Linux, Containers, IaaS
Malware Enterprise

S0034: NETEAGLE

NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as "Scout" and "Norton."[1]

Platforms: Windows
Malware Enterprise

S1084: QUIETEXIT

QUIETEXIT is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by APT29 since at least 2021. APT29 has deployed QUIETEXIT on opaque network appliances that typically don't support antivirus or endpoint detection and response tools within a victim environment.[1]

Platforms: Network Devices
Malware Enterprise

S0038: Duqu

Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network.[1]

Platforms: Windows
Tool Enterprise

S0633: Sliver

Sliver is an open source, cross-platform, red team command and control (C2) framework written in Golang. Sliver includes its own package manager, "armory," for staging and downloading additional tools and payloads to the primary C2 framework.[1][2]

Platforms: Windows, Linux, macOS
Malware Enterprise

S0532: Lucifer

Lucifer is a crypto miner and DDoS hybrid malware that leverages well-known exploits to spread laterally on Windows platforms.[1]

Platforms: Windows
Malware Enterprise

S1130: Raspberry Robin

Raspberry Robin is initial access malware first identified in September 2021, and active through early 2024. The malware is notable for spreading via infected USB devices containing a malicious LNK object that, on execution, retrieves remote hosted payloads for installation. Raspberry Robin has been widely used against various industries and geographies, and as a precursor to information stealer, ransomware, and other payloads such as SocGholish, Cobalt Strike, IcedID, and Bumblebee.[1][2][3] The DLL component in the Raspberry Robin infection chain is also referred to as "Roshtyak."[4] The name "Raspberry Robin" is used to refer to both the malware as well as the threat actor associated with its use, although the Raspberry Robin operators are also tracked as Storm-0856 by some vendors.[5]

Platforms: Windows
Campaign Enterprise

C0041: FrostyGoop Incident

The FrostyGoop Incident took place in January 2024 against a municipal district heating company in Ukraine. Following initial access via likely exploitation of external-facing services, FrostyGoop was used to manipulate ENCO control systems via legitimate Modbus commands to impact the delivery of heating services to Ukrainian civilians.[1][2]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 2.4
Created:
Modified:
Raw hash: e21813d4278db328...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      2.4                       Current bundle  e21813d4278d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. Mandiant APT29 Eye Spy Email Nov 22: Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
  2. University of Birmingham C2: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control: Understanding, Denying and Detecting. Retrieved April 20, 2016.
  3. mitre-attack T1071: the technique entry on attack.mitre.org.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.