What is application layer protocol (T1071)?
Application Layer Protocol (T1071) describes how adversaries use standard application protocols - HTTP, HTTPS, DNS, SMTP, and others - as the transport layer for C2 communications. Because these protocols are essential for normal business operations, firewalls allow them by default. Attackers exploit this by embedding C2 commands and data within protocol-compliant traffic.
This technique has four sub-techniques:
| Sub-technique | Protocol | Common C2 tools |
|---|---|---|
| T1071.001 | Web Protocols (HTTP/HTTPS) | Cobalt Strike, Sliver, Mythic, Havoc, Brute Ratel C4 |
| T1071.002 | File Transfer Protocols (FTP/SFTP) | Custom implants, RATs with FTP exfiltration |
| T1071.003 | Mail Protocols (SMTP/IMAP/POP3) | Turla Outlook backdoor, custom SMTP C2 |
| T1071.004 | DNS | Cobalt Strike DNS beacon, dnscat2, ALMA communicator, Anchor DNS |
Why this matters: Application layer C2 is the most common C2 method because it blends with normal traffic. Detection requires analyzing protocol usage patterns, request timing, payload characteristics, and destination reputation - not just connection metadata. Log360 correlates proxy, DNS, and firewall logs to reveal C2 patterns hidden within allowed protocols.
HTTP/HTTPS C2 detection (T1071.001)
How HTTP/HTTPS C2 works
HTTP-based C2 frameworks like Cobalt Strike use GET and POST requests to communicate with a team server. The implant periodically "checks in" via HTTP GET (receiving tasking) and sends results via HTTP POST. Malleable C2 profiles customize the traffic to mimic legitimate web applications - jQuery CDN calls, Google API requests, or CMS traffic.
Detection signals in proxy logs
- Beaconing regularity - HTTP requests to the same URI at regular intervals (even with jitter, mathematical periodicity is detectable)
- Unusual User-Agent strings - Default C2 agents use static or suspicious User-Agents; mismatches between UA and actual browser fingerprint
- Low content-to-connection ratio - Many requests returning small response bodies or 0-byte GET responses (sleep check-ins)
- Cookie or header-encoded data - C2 data embedded in Cookie headers, custom HTTP headers, or URI parameters with base64-like encoding
- POST without prior browsing - Large POST requests to a domain with no preceding page loads or resource requests
- Uncategorized domains - Connections to domains not categorized by URL filtering services
DNS C2 detection (T1071.004)
How DNS tunneling works
DNS tunneling encodes C2 data in DNS queries. The implant sends data as subdomain labels (e.g., aGVsbG8gd29ybGQ.tunnel.attacker.com) and receives responses in TXT, CNAME, or A records. This works even in air-gapped environments that only allow DNS resolution.
Detection signals in DNS logs
- Long subdomain labels - Normal subdomains are under 20 characters; tunneling produces 40-63 character labels with high entropy
- High query volume to single domain - Hundreds or thousands of unique subdomain queries to one parent domain per hour
- TXT record query spikes - Normal environments generate few TXT queries; tunneling produces excessive TXT lookups
- Non-existent domain responses (NXDOMAIN) - High rates of NXDOMAIN responses from a single source (malformed tunneling attempts)
- Unusual query types - NULL, CNAME, or MX record queries used as data channels
- Direct queries bypassing internal DNS - Endpoints querying external DNS servers directly (8.8.8.8, 1.1.1.1) instead of internal resolvers
Log360's 22 prebuilt T1071 detection rules
| Rule name | Severity | What it detects |
|---|---|---|
| HTTP beaconing pattern detected | High | Regular-interval HTTP requests to same destination (within 15% jitter) |
| Suspicious User-Agent string | Medium | Known C2 User-Agents or UA strings not matching installed browsers |
| DNS tunneling - long subdomain query | High | DNS queries with subdomain labels exceeding 50 characters |
| DNS tunneling - high query volume | High | Over 500 unique subdomain queries to single parent domain per hour |
| DNS tunneling - TXT record spike | Medium | Abnormal increase in TXT record queries from single source |
| HTTP POST without browsing context | Medium | POST request to external domain with no preceding GET/page load |
| Uncategorized domain connection | Medium | HTTPS/HTTP connection to domain without URL category assignment |
| Cookie header data exfiltration | High | Oversized Cookie headers (over 4KB) suggesting encoded C2 data |
| Direct external DNS query | High | Endpoint bypassing internal DNS resolver to query external DNS |
| HTTP to IP address (no hostname) | Medium | HTTP request using IP address instead of domain name |
| Known C2 URI pattern match | Critical | URI matching known Cobalt Strike, Sliver, or Metasploit malleable profiles |
| Newly registered domain HTTP traffic | High | HTTP/HTTPS traffic to domain registered in last 14 days |
| DNS query entropy anomaly | High | DNS subdomain strings with Shannon entropy exceeding 3.5 bits/char |
| HTTP response size anomaly | Medium | Consistent small responses followed by occasional large downloads (tasking pattern) |
| SMTP C2 - unusual outbound mail pattern | Medium | Non-mail-server sending SMTP traffic or mail to uncommon external domains |
| WebSocket persistent connection | Medium | Long-lived WebSocket connections to uncategorized or low-reputation domains |
| Cloud API abuse for C2 | High | Repeated API calls to cloud services (Slack, Discord, Telegram) from non-sanctioned apps |
| HTTP header anomaly | Medium | Non-standard or custom HTTP headers not matching legitimate application patterns |
| DNS over HTTPS (DoH) to non-corporate resolver | High | DoH connections to external resolvers bypassing DNS visibility |
| Multiple DNS query types to single domain | Medium | A, TXT, CNAME, and NULL queries to same domain (tunneling protocol negotiation) |
| FTP/SFTP to external unauthorized server | High | File transfer protocol connections to non-whitelisted external servers |
| Combined protocol C2 indicators | Critical | HTTP beaconing + DNS anomaly + uncategorized domain = high-confidence C2 |
Real-world examples
Cobalt Strike HTTP beaconing
Cobalt Strike's default HTTP beacon checks in every 60 seconds with a GET request to a URI like /visit.js or /pixel.gif. The team server responds with tasking encoded in the response body. Results are sent via POST. Default malleable profiles mimic jQuery CDN traffic or Microsoft update patterns.
10.1.5.22 - - [05/May/2026:09:14:01] "GET /jquery-3.3.1.min.js HTTP/1.1" 200 1024 "Mozilla/5.0"
10.1.5.22 - - [05/May/2026:09:15:02] "GET /jquery-3.3.1.min.js HTTP/1.1" 200 1024 "Mozilla/5.0"
10.1.5.22 - - [05/May/2026:09:16:01] "GET /jquery-3.3.1.min.js HTTP/1.1" 200 1024 "Mozilla/5.0"
10.1.5.22 - - [05/May/2026:09:17:03] "POST /jquery-3.3.2.min.js HTTP/1.1" 200 0 "Mozilla/5.0" ← command result
DNS tunneling with dnscat2
dnscat2 encodes data in CNAME and TXT queries. A compromised host generates hundreds of queries per minute to the attacker's authoritative DNS domain:
09:20:01 client=10.1.5.22 query=cXVlcnkgZGF0YQ.c2.attacker[.]com type=TXT
09:20:01 client=10.1.5.22 query=cmVzcG9uc2UgZQ.c2.attacker[.]com type=TXT
09:20:02 client=10.1.5.22 query=bW9yZSBkYXRhIA.c2.attacker[.]com type=TXT
# Note: 40+ character subdomains with base64 encoding to single parent domain
Investigation and response
- Identify the process - Correlate the source IP/host with endpoint logs to find which process is generating the suspicious HTTP/DNS traffic. C2 implants often inject into legitimate processes (svchost.exe, browser processes).
- Analyze the full session - Pull complete proxy logs for the identified destination. Look for the full beacon pattern: initial connection, periodic check-ins, command execution bursts.
- Check for lateral movement - Once C2 is confirmed, search for the same destination IP/domain from other hosts. Check for credential access or lateral movement originating from the compromised host.
- Block at multiple layers - Block the C2 domain/IP at DNS, proxy, and firewall simultaneously. Attackers often have fallback C2 channels, so blocking one layer alone may be insufficient.
- Hunt for additional C2 - Use the confirmed C2 indicators (JA3 hash, URI patterns, User-Agent) to search historical logs for earlier connections or other compromised hosts.
Remediation and prevention
- Enforce proxy for all HTTP/HTTPS - Route all web traffic through an inspecting proxy. Block direct internet access from endpoints to prevent C2 that bypasses proxy-based detection.
- Restrict DNS to internal resolvers - Block direct DNS queries to external resolvers (8.8.8.8, 1.1.1.1). Force all DNS through internal servers where query logging and analysis is performed.
- Deploy DNS response policy zones (RPZ) - Block queries to known C2 domains and newly registered domains at the DNS layer.
- URL categorization enforcement - Block or alert on traffic to uncategorized domains. Most legitimate business traffic goes to well-categorized sites.
- Application whitelisting for outbound protocols - Restrict which applications can make outbound HTTP, DNS, and SMTP connections. This limits C2 to only processes with legitimate network access.
Need to explore ManageEngine Log360? Schedule a personalized demo
FAQ
What is application layer protocol (T1071)?
Application layer protocol covers adversaries using HTTP, HTTPS, DNS, SMTP, and other standard protocols for C2 communications. These protocols are allowed by firewalls, making the C2 traffic harder to block at the network layer.
How do I detect HTTP/HTTPS C2 beaconing?
Analyze proxy logs for connection regularity (periodic requests to same destination), suspicious User-Agents, uncategorized domains, and request/response patterns inconsistent with normal browsing. Log360's beaconing detection rules surface these automatically.
What is DNS tunneling and how is it detected?
DNS tunneling hides C2 data in DNS queries using long, encoded subdomain labels. Detect it through query length analysis, high query volumes to single domains, TXT record spikes, and entropy analysis of subdomain strings.
How does Log360 detect application layer C2?
22 rules analyze proxy logs, DNS query logs, and firewall metadata. Coverage includes HTTP beaconing, DNS tunneling, User-Agent anomalies, uncategorized domains, cloud API abuse, and combined multi-signal detections.
Which protocols are most commonly abused for C2?
HTTP/HTTPS is most common (Cobalt Strike, Sliver, Mythic), followed by DNS (dnscat2, Cobalt Strike DNS beacon). SMTP and cloud service APIs are used for slower, stealthier C2 channels.
Detect C2 hidden in web and DNS traffic
Start your free 30-day trial of Log360 and activate 22 prebuilt Application Layer Protocol detection rules.
- What is application layer protocol (T1071)?
- HTTP/HTTPS C2 detection (T1071.001)
- DNS C2 detection (T1071.004)
- Log360's 22 prebuilt T1071 detection rules
- Real-world examples
- Investigation and response
- Remediation and prevention
- FAQ
