T1071.001 is command and control hidden inside ordinary HTTP and HTTPS: beacons that blend into legitimate web traffic, the channel of choice for Cobalt Strike and most commodity malware. DCV's anchor is GuardDuty's Backdoor:EC2/C&CActivity.B finding, joined by the MaliciousDomainRequest and AbusedDomainRequest reputation findings that catch instances resolving known C2 infrastructure, with GCP Chronicle's APPLICATION_LAYER_PROTOCOL rules on the GCP side. Egress filtering combined with DNS reputation is the practical defence; full TLS inspection rarely pays for itself.
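To show how the GuardDuty anchors above are used in practice, the following is an added triage example, not DCV's or CloudSigma's code: it keeps only findings in the three families named on this page and checks the remote destination against an egress allowlist, so a hit on a destination the workload is already permitted to reach is marked for review rather than escalation. The finding layout mirrors the GuardDuty EventBridge event detail, but the field names and full finding-type strings are assumptions to verify against the GuardDuty finding reference; all sample findings, domains and IPs are constructed.

```python
"""Triage GuardDuty findings for the T1071.001 families this page names.
Added example, not DCV's or CloudSigma's code. Layout mirrors the GuardDuty
EventBridge event detail (camelCase); field names and full type strings are
assumptions to check against the GuardDuty finding reference. All sample
findings, domains and IPs are constructed."""

# Type fragments named on the page, matched as substrings so GuardDuty's
# variant suffixes (e.g. "!DNS", ".Reputation") still match.
C2_FAMILIES = ("C&CActivity", "MaliciousDomainRequest", "AbusedDomainRequest")
# Constructed egress allowlist: destinations this workload is expected to reach.
EGRESS_ALLOWLIST = {"updates.example.internal", "203.0.113.10"}


def destination_of(finding: dict) -> str:
    """Return the remote domain (DNS finding) or IPv4 (connection finding)."""
    action = finding.get("service", {}).get("action", {})
    if action.get("actionType") == "DNS_REQUEST":
        return action.get("dnsRequestAction", {}).get("domain", "")
    if action.get("actionType") == "NETWORK_CONNECTION":
        remote = action.get("networkConnectionAction", {}).get("remoteIpDetails", {})
        return remote.get("ipAddressV4", "")
    return ""


def triage(findings: list) -> list:
    """Keep findings in the T1071.001 families; escalate unless the destination
    is already allowlisted for egress (a likely false positive to review, not drop)."""
    verdicts = []
    for f in findings:
        family = next((c for c in C2_FAMILIES if c in f.get("type", "")), None)
        if family is None:
            continue  # unrelated finding type, out of scope for this technique
        dest = destination_of(f)
        verdicts.append({"id": f["id"], "family": family, "destination": dest,
                         "escalate": dest not in EGRESS_ALLOWLIST})
    return verdicts


SAMPLE_FINDINGS = [  # constructed, not real indicators
    {"id": "f-1", "type": "Backdoor:EC2/C&CActivity.B",
     "service": {"action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction":
                            {"remoteIpDetails": {"ipAddressV4": "198.51.100.7"}}}}},
    {"id": "f-2", "type": "Impact:EC2/AbusedDomainRequest.Reputation",
     "service": {"action": {"actionType": "DNS_REQUEST",
                            "dnsRequestAction": {"domain": "updates.example.internal"}}}},
    {"id": "f-3", "type": "Recon:EC2/PortProbeUnprotectedPort",
     "service": {"action": {"actionType": "PORT_PROBE"}}},
]

if __name__ == "__main__":
    for v in triage(SAMPLE_FINDINGS):
        print(v)
```

Feeding real findings through the same filter from an EventBridge rule on the GuardDuty finding event is the natural next step; the allowlist should come from the same source as the egress filter so the two cannot drift apart.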
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Protocols such as HTTP/S and WebSocket that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
Platforms: ESXi, Linux, macOS, Network Devices, Windows.
DCV maps 7 detections across 2 cloud providers to T1071.001. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS GuardDuty | AWS | 6 | 0.83 |
| GCP Chronicle | GCP | 1 | 0.85 |
CloudSigma has coverage metadata for 7 T1071.001 rules across 2 platforms. The linked platform page remains the canonical rule surface; this page will embed an example after a rule clears the public embed bar.
CloudSigma has coverage metadata for T1071.001, but no public example rule clears the embed bar for this page yet. Generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.
DCV maps 7 cloud-native detections to T1071.001 across 2 cloud providers, drawn from AWS GuardDuty and GCP Chronicle.
T1071.001 is part of MITRE ATT&CK TA0011 Command and Control: How adversaries communicate with compromised systems.
CloudSigma ships 2 validated Sigma rules for T1071.001 across Linux auditd and Windows Sysmon. Each rule is validated against its source SIEM dialect before publication.