analyst @ nohacky :~/mitre $
cat / mitre / t1071.001
analyst@nohacky:~/mitre/t1071001-web-protocols.html
reading mode 11 min read
technique_id T1071.001
category MITRE ATT&CK
tactics
Command and Control
parent_technique T1071 Application Layer Protocol
published April 2026

T1071.001: Web Protocols

Adversaries route command-and-control traffic over HTTP and HTTPS — the protocols that carry ordinary web browsing — to blend malicious implant communications with the high-volume, routinely permitted traffic that security tools are least likely to scrutinise. T1071 (Application Layer Protocol) ranked fifth in the Picus Red Report 2026 as the most commonly observed ATT&CK technique, with its Web Protocols sub-technique accounting for the overwhelming share of that activity.

T1071.001 is a sub-technique of T1071 (Application Layer Protocol) and sits within the Command and Control tactic. The core advantage it offers adversaries is camouflage: HTTP and HTTPS traffic flows freely through nearly every corporate firewall, web proxy, and network gateway. Blocking port 80 and 443 outright is not operationally viable in any modern environment, which means that all C2 traffic using those ports starts from a position of default allowance. The adversary's challenge is then reduced to making the traffic look sufficiently normal to avoid anomaly-based inspection — a challenge that commodity C2 frameworks have made straightforward to solve.

The technique is not associated with any particular malware family or threat actor; it is foundational infrastructure behaviour shared across nation-state implants, commodity RATs, post-exploitation frameworks, and ransomware stagers alike. According to FortiGuard Labs' 2025 Global Threat Landscape report, the use of encrypted SSL-based command-and-control has continued to grow year over year as adversaries standardise on HTTPS to prevent traffic inspection.

How Web Protocol C2 Works

The basic pattern is straightforward: a compromised host runs an implant that periodically initiates outbound HTTP or HTTPS connections to an attacker-controlled server, retrieves tasking, executes it, and returns results. This is called a beacon. The interval between connections — the sleep time — is configurable and commonly randomised with jitter to avoid the statistical regularity that network anomaly detection tools look for.

HTTP request structure as a data channel. HTTP packets have numerous fields that can carry hidden data: the URL path, query string parameters, cookie headers, custom headers, the request body, and the response body. Adversaries exploit this flexibility extensively. Cobalt Strike's malleable C2 profiles, for example, allow operators to configure exactly which fields carry beacon data, what legitimate-looking content surrounds it, and which User-Agent string the beacon presents — making each deployment appear to be traffic from a specific browser version, software updater, or cloud service. UPPERCUT (used by APT10) and ChChes embed C2 instructions directly within HTTP Cookie headers, mimicking standard session management at a cursory glance.

HTTPS and the encryption problem for defenders. When a beacon operates over HTTPS, the payload content is encrypted under TLS. Without TLS inspection at a terminating proxy, network monitoring tools can see that a connection occurred to a given IP address and port, but cannot read the exchanged data. This is the primary reason HTTPS-based C2 has become the default for sophisticated implants: it raises the inspection bar significantly. The WezRat backdoor, attributed to Iranian threat actors and analysed in November 2024, uses HTTPS exclusively for its C2 communication, sending system reconnaissance data, receiving encrypted commands, and exfiltrating stolen output — all indistinguishable from normal HTTPS traffic without TLS termination in place.

WebSocket upgrades for persistent channels. Standard HTTP beaconing requires the implant to re-initiate each connection. WebSocket, which begins as an HTTP connection and upgrades to a persistent full-duplex channel, eliminates the need for repeated connection setup and removes the periodic timing pattern that beacon detection targets. The RevC2 backdoor, active through mid-2024, used WebSocket for precisely this reason — after the initial HTTP Upgrade handshake, the connection became a persistent channel that many network monitoring tools and proxies do not inspect as deeply as conventional HTTP sessions.

Routing through trusted cloud services. An increasingly common variant routes C2 traffic through legitimate third-party platforms rather than directly to attacker infrastructure. The HazyBeacon backdoor, reported in July 2025, sends and receives all commands through an AWS Lambda URL — a standard HTTPS endpoint associated with a well-known, trusted cloud provider. CreepyDrive, linked to the POLONIUM group, routes C2 through the Microsoft Graph API, reading and writing files on OneDrive as a bidirectional command channel. Because most enterprise firewalls and security tools have allowlists for major cloud providers, this variant is particularly difficult to block without disrupting legitimate business operations.

defender note

HTTPS encryption is not a detection dead end. TLS metadata — JA3/JA3S fingerprints, certificate subject and issuer fields, ALPN values, SNI hostnames, and certificate age — remains visible without traffic decryption and can reliably fingerprint specific C2 frameworks. Cobalt Strike beacons, Sliver implants, and Havoc agents each produce characteristic TLS handshake patterns even when payload content is fully encrypted.

Real-World Case Studies

Cobalt Strike Beaconing to LockBit Ransomware Deployment

A January 2024 intrusion documented by The DFIR Report illustrates T1071.001 in a complete ransomware kill chain. After initial access via a malicious loader, the threat actor deployed a Cobalt Strike beacon that established HTTPS C2 to a domain on port 443, with the beacon communicating through process injection into svchost.exe — a trusted Windows process — to blend with normal system traffic. The beacon maintained persistent communication for the duration of the intrusion, enabling lateral movement, credential harvesting, and ultimately LockBit ransomware deployment. This pattern — Cobalt Strike HTTP/HTTPS beaconing as the persistent C2 channel through an entire intrusion lifecycle — is one of the most consistently documented attack chains in incident response reports.

Sliver C2 Following Ivanti Zero-Day Exploitation

In early 2024, following the disclosure of critical zero-day vulnerabilities in Ivanti Connect Secure VPN appliances, Darktrace observed attackers deploying Sliver C2 as post-exploitation infrastructure on affected customer networks. Sliver, an open-source framework that has emerged as a widely used Cobalt Strike alternative, communicates over HTTPS and exhibits characteristic TLS fingerprints — including a distinctive JA3 hash associated with its Golang TLS implementation — that allowed detection despite encrypted payloads. The campaign demonstrated the shift toward open-source C2 frameworks as adversaries seek alternatives to Cobalt Strike whose detection signatures have matured significantly.

LameHug and LLM API Abuse for Covert C2 (2025)

A December 2025 analysis documented LameHug malware routing its entire C2 channel through HTTPS calls to publicly accessible large language model APIs hosted by HuggingFace and similar services. The malware issued reconnaissance prompts as standard API requests, with the C2 payload delivered inside the LLM's HTTPS response. Because traffic to major AI API providers is widely permitted and expected in modern enterprise environments, this variant represents an escalation of the trusted-cloud-service evasion pattern — one that standard domain reputation and IP reputation systems are structurally unable to block without disrupting legitimate business use.

Detection Strategies

Detecting T1071.001 requires moving beyond simple allow/block decisions on protocol and port, toward behavioural analysis of traffic patterns, endpoint context, and TLS metadata. No proxy deployment or firewall rule set directly blocks this technique — the protocols themselves are legitimate.

Splunk — Beacon Periodicity and Anomalous Outbound Connections

# Identify hosts making periodic low-volume HTTPS connections to single external IPs
# Adjust index and sourcetype to match your proxy or firewall log source
index=proxy_logs (http_method=GET OR http_method=POST)
| bucket _time span=1h
| stats count by src_ip, dest_ip, dest_port, _time
| where dest_port=443 OR dest_port=80
| stats stdev(count) AS jitter, avg(count) AS avg_requests,
        dc(_time) AS hours_seen, values(dest_ip) AS destinations
  by src_ip
| where hours_seen > 6 AND avg_requests < 5 AND jitter < 2
| sort - hours_seen

Behavioral Indicators

Indicator What It Means
Regular low-volume HTTPS connections to a single external IP at consistent intervals Classic beacon pattern; legitimate browsing does not produce highly periodic traffic to a single destination
Hardcoded, outdated, or malformed User-Agent strings in HTTP requests Many C2 frameworks use static User-Agent values that do not match the actual browser or software on the host — a reliable fingerprint when compared against known browser baselines
HTTPS connections to domains registered within the past 30 days Adversaries frequently register infrastructure immediately before operations; newly registered domains with HTTPS certificates on standard ports are a high-signal indicator
Unusual JA3 or JA3S TLS fingerprint from a workstation or server Framework-specific TLS implementations produce distinctive handshake patterns; Cobalt Strike, Sliver, and Havoc each have documented JA3 signatures that do not match common browser or OS TLS stacks
Outbound HTTP/HTTPS connections from processes that should not make network calls (svchost.exe, notepad.exe, calc.exe) Process injection delivers the beacon implant into a trusted host process; network connections from those processes are anomalous and indicate in-memory execution
Large volume of small HTTPS POST requests to a single cloud API endpoint from a non-browser process Cloud-service C2 variants (Microsoft Graph, AWS Lambda, LLM APIs) produce characteristic request patterns — high frequency, uniform size, non-browser process context
note

JA3 fingerprinting does not require TLS decryption. The handshake metadata used to compute the hash is transmitted in plaintext during the TLS negotiation phase and is available in standard proxy and network sensor logs. Zeek, Suricata, and commercial NDR platforms all support JA3 extraction natively.

Known Threat Actors Using T1071.001

HTTP/HTTPS-based C2 is foundational infrastructure used across virtually every documented threat actor category. The following represent notable users with documented operational patterns.

  • APT29 / Cozy Bear (Russia, SVR) — HAMMERTOSS and related tooling used HTTP/HTTPS for C2, with commands embedded in social media and cloud storage platforms; continued use of web-protocol C2 across espionage campaigns targeting government and defence organisations
  • APT10 / MenuPass (China) — UPPERCUT and ChChes implants embed C2 instructions within HTTP Cookie headers, routing traffic through standard ports to blend with enterprise web traffic against managed service providers globally
  • RedNovember / TAG-100 (China-nexus) — Active from mid-2024, combining Cobalt Strike with custom backdoors against aerospace, government, and legal targets; heavily modified Cobalt Strike malleable profiles to evade standard beacon detection signatures
  • Lemon Sandstorm (Iran-nexus) — Sustained Cobalt Strike-based C2 operations against Middle Eastern critical infrastructure from 2023 through 2025, using legitimate cloud services for C2 infrastructure and timed beacon callbacks to blend with business hours traffic
  • FIN7 (cybercriminal) — Consistent use of Cobalt Strike HTTP/HTTPS beacons across intrusions targeting retail, hospitality, and automotive sectors; January 2024 campaign against U.S. automotive industry documented deploying heavily modified Cobalt Strike stagers
  • Medusa Ransomware affiliates — CISA advisory AA25-071A (March 2025) documented HTTP/HTTPS-based C2 communications as a consistent component of Medusa ransomware affiliate intrusion chains prior to encryption deployment
  • Multiple actors via Sliver, Havoc, Mythic — Open-source C2 frameworks surpassed Cobalt Strike in observed malicious use volume in Q2 2025 per Kaspersky data; all support HTTP/HTTPS transport as a primary C2 channel

Defensive Recommendations

  1. Deploy TLS-inspecting egress proxies for all endpoints: Without TLS termination, the payload content of HTTPS-based C2 is opaque. A terminating proxy decrypts, inspects, and re-encrypts HTTPS traffic, enabling content-aware rules and logging of request and response bodies. This is the single control that most expands detection surface for T1071.001.
  2. Enforce proxy usage and block direct-to-IP HTTPS connections: Adversary infrastructure frequently uses IP addresses rather than domain names to avoid DNS-based detection. Firewall rules blocking direct outbound connections to external IP addresses on ports 80 and 443 — requiring all web traffic to traverse an inspecting proxy — eliminates a significant portion of C2 delivery options.
  3. Implement domain reputation and age filtering at the proxy: Block or quarantine connections to uncategorised, newly registered (under 30 days), or low-reputation domains. C2 infrastructure is routinely registered shortly before deployment. Integrating threat intelligence feeds with domain age lookups at the proxy layer provides effective early-stage filtering.
  4. Collect and analyse TLS metadata for JA3/JA3S fingerprinting: Configure network sensors, NDR platforms, or Zeek to extract and log JA3 fingerprints for all outbound TLS connections. Correlate against known C2 framework fingerprint databases. This provides beacon detection capability without requiring payload decryption, and is effective against HTTPS-based C2 from Cobalt Strike, Sliver, Havoc, and Brute Ratel C4.
  5. Apply statistical beacon detection to proxy and firewall logs: Build SIEM rules or hunt queries that identify hosts making regular low-volume connections to a small number of external destinations over extended periods. Beacon jitter reduces but does not eliminate the statistical regularity that distinguishes automated implant traffic from human-driven browsing patterns.
  6. Monitor process-to-network connection relationships on endpoints: EDR telemetry correlating process identity with outbound network connections flags anomalous combinations — system processes making HTTPS connections, or applications connecting to destinations inconsistent with their function. This is particularly effective at detecting process-injected beacons where the implant runs inside a trusted host process.
  7. Scope cloud service access by application and user: For environments where cloud-service C2 variants are a concern, apply cloud access security broker (CASB) or identity-aware proxy policies that restrict which applications and user accounts can reach specific cloud APIs. An endpoint process connecting to the Microsoft Graph API is normal for Outlook; it is anomalous for svchost.exe.

MITRE ATT&CK Mapping

Field Value
Technique IDT1071.001
Technique NameApplication Layer Protocol: Web Protocols
Parent TechniqueT1071 Application Layer Protocol
TacticCommand and Control (TA0011)
PlatformsLinux, Windows, macOS, Network
Data SourcesNetwork Traffic: Network Traffic Content; Network Traffic: Network Traffic Flow
MitigationsM1031 Network Intrusion Prevention, M1037 Filter Network Traffic
Version1.3 (Last Modified: October 24, 2025)
MITRE Referenceattack.mitre.org/techniques/T1071/001

Frequently Asked Questions

What is T1071.001 Web Protocols?

T1071.001 is a MITRE ATT&CK sub-technique under Command and Control in which adversaries communicate with compromised systems using HTTP and HTTPS — the same protocols used for normal web browsing — to blend malicious traffic with legitimate network activity and evade detection tools that permit outbound web traffic by default.

How do adversaries use web protocols for C2?

Adversaries deploy implants that establish periodic beaconing connections to attacker-controlled servers over HTTP or HTTPS on standard ports 80 and 443. They embed tasking and results within HTTP headers, URL parameters, cookies, or the request and response body, often encrypted or encoded to obscure content. Randomised jitter on beacon intervals reduces the regularity that statistical detection looks for, and HTTPS encryption prevents inline inspection of payload content.

How can organizations detect web protocol C2 traffic?

Detection relies on proxy and network telemetry analysis: flagging connections to uncategorised or newly registered domains, identifying beacon periodicity through statistical interval analysis, detecting anomalous or hardcoded User-Agent strings, monitoring for high-frequency low-volume HTTPS connections to single external IPs, and correlating outbound connections from processes that should not make network calls. TLS inspection via terminating proxy is necessary to examine encrypted payload content. JA3 fingerprinting provides framework-level identification without requiring decryption.

Sources and References

  • MITRE ATT&CK — T1071.001 Application Layer Protocol: Web Protocols: attack.mitre.org
  • Picus Security — T1071.001 Web Protocols in MITRE ATT&CK Explained: picussecurity.com
  • The DFIR Report — Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware: thedfirreport.com
  • Darktrace — Sliver C2: How Darktrace Provided a Sliver of Hope: darktrace.com
  • CISA — AA25-071A StopRansomware: Medusa Ransomware: cisa.gov
  • Picus Security — T1071 Application Layer Protocol Technique Explained (Red Report 2026): picussecurity.com
cd ../mitre