Application Layer Protocol (C2)
Process Transmit NetworkTraffic — Transmit command-and-control communications over a standard application layer protocol to blend with legitimate traffic.
Detect
No OCSF field is invariant for this technique — the attacker controls the destination, protocol, and timing. Beaconing behaviour analysis requires statistical modelling and uses variable victim-side fields at best.
Focus on beaconing behaviour analysis across all protocols. Unexpected destinations combined with periodic connection patterns are more durable than domain or IP blocklists. No single rule reaches STP 5 for this technique.
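The following is an added example, not code from the original page: a minimal beaconing analysis over OCSF-shaped Network Activity events using the fields this page names (actor.process, dst_endpoint, network.bytes_out, network.protocol_name). The events, the allow-list of expected destinations and the thresholds are all constructed assumptions. It groups Traffic events by (process, destination), measures the regularity of inter-arrival times and outbound sizes, and flags periodic traffic to destinations outside the expected set, which is the combination the Detect section calls more durable than blocklists.

```python
"""Beaconing analysis over OCSF Network Activity (class 4001) events.

Added example for the Detect section. Events are constructed here and
shaped after OCSF Network Activity; thresholds and the destination
allow-list are assumptions, not values from the page.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical allow-list of destinations the fleet is expected to reach.
# In practice this is derived from a traffic baseline, not hand-written.
EXPECTED_DOMAINS = {"updates.corp.example", "mail.corp.example"}


def event(time, proc, ip, domain, proto, bytes_out):
    """Build one OCSF-shaped Network Activity record (constructed)."""
    return {
        "class_uid": 4001,
        "activity_name": "Traffic",
        "time": time,
        "actor": {"process": {"name": proc}},
        "dst_endpoint": {"ip": ip, "domain": domain},
        "network": {"bytes_out": bytes_out, "protocol_name": proto},
    }


def sample_events():
    """Constructed sample: a 60 s beacon with +/-2 s jitter from
    'svchost.exe' to a raw IP with no domain, interleaved with irregular
    browsing from 'outlook.exe' to an expected host."""
    events = []
    t0 = 1_700_000_000
    t = t0
    for j in [0, 1, -1, 2, -2, 1, 0, -1, 2, 1]:
        t += 60 + j
        # Heartbeat payloads are near-constant in size.
        events.append(event(t, "svchost.exe", "203.0.113.10", None,
                            "https", 412 + (j % 3)))
    t = t0
    for i, gap in enumerate([5, 180, 12, 900, 40, 3, 250, 7, 60, 1500]):
        t += gap
        events.append(event(t, "outlook.exe", "198.51.100.20",
                            "mail.corp.example", "https", 1000 + 137 * i))
    return sorted(events, key=lambda e: e["time"])


def coefficient_of_variation(values):
    """Population std-dev over mean; values near 0 mean highly regular."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def analyze_beaconing(events, min_connections=6, max_interval_cv=0.15):
    """Group Traffic events by (process, destination) and score periodicity.

    Returns one finding per group, most suspicious first. The regularity
    metric here (CV of inter-arrival times) is the simplest model; implants
    with large randomised sleep need windowed or spectral analysis.
    """
    groups = defaultdict(list)
    for e in events:
        # Same scope as the definitional rule: Network Activity / Traffic.
        if e.get("class_uid") != 4001 or e.get("activity_name") != "Traffic":
            continue
        dst = e["dst_endpoint"].get("domain") or e["dst_endpoint"]["ip"]
        groups[(e["actor"]["process"]["name"], dst)].append(e)

    findings = []
    for (proc, dst), evs in groups.items():
        if len(evs) < min_connections:
            continue
        times = sorted(e["time"] for e in evs)
        intervals = [b - a for a, b in zip(times, times[1:])]
        interval_cv = coefficient_of_variation(intervals)
        size_cv = coefficient_of_variation([e["network"]["bytes_out"] for e in evs])
        unexpected = dst not in EXPECTED_DOMAINS
        findings.append({
            "process": proc,
            "destination": dst,
            "protocol": evs[0]["network"]["protocol_name"],
            "connections": len(evs),
            "mean_interval_s": round(mean(intervals), 1),
            "interval_cv": round(interval_cv, 3),
            "bytes_out_cv": round(size_cv, 3),
            "unexpected_destination": unexpected,
            # Periodic traffic to an unexpected destination is the gate;
            # periodicity alone would also catch legitimate update checks.
            "suspicious": unexpected and interval_cv <= max_interval_cv,
        })
    findings.sort(key=lambda f: (not f["suspicious"], f["interval_cv"]))
    return findings


if __name__ == "__main__":
    for finding in analyze_beaconing(sample_events()):
        print(finding)
```

The protocol name is carried into the finding but never used as a filter, matching the page's point that the protocol is attacker-controlled and switches freely; the destination and timing fields do the discriminating.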
Mitigate
Protocol-specific controls are STP 3 — the attacker switches protocol. Zero-trust egress controls restricting which processes may make outbound connections raise the bar but stop short of STP 5 because the attacker can use any allowed process as a proxy.
d3f:NetworkTrafficFiltering
No STP 5 mitigation exists. Detection is the primary defensive lever.
Restrict outbound connections per process using an egress proxy or zero-trust network controls. This forces C2 through inspectable channels regardless of protocol.
Respond
The target process now executes attacker-controlled code. Kill the injector process and the compromised target immediately. Investigate all files, network connections, and child processes they spawned.
Fields: actor.process · dst_endpoint · network
Countermeasures: d3f:ProcessTermination · d3f:NetworkIsolation

OCSF event model
Event class: Network Activity (4001)
· activity_id: Traffic
%%{init: {"theme": "dark", "themeVariables": {"edgeLabelBackground": "#18181b", "lineColor": "#52525b"}}}%%
graph TD
classDef attacker fill:#7c2d12,stroke:#ea580c,color:#fed7aa
classDef victim fill:#1e3a5f,stroke:#3b82f6,color:#bfdbfe
classDef postSuccess fill:#78350f,stroke:#d97706,color:#fde68a
classDef tainted fill:#18181b,stroke:#52525b,color:#a1a1aa
EVENT(["Network Activity\n· Traffic"])
actor_process["Implant / Beacon\nactor.process\nd3f:Process"]:::attacker
c2_endpoint["C2 Server\ndst_endpoint\nd3f:Host"]:::attacker
network_traffic["C2 Channel\nnetwork\nd3f:NetworkTraffic"]:::attacker
device["Host\ndevice\nd3f:Host\n⚠ tainted"]:::tainted
EVENT --> actor_process
EVENT --> c2_endpoint
EVENT --> network_traffic
EVENT --> device
actor_process -->|"beacons to"| c2_endpoint

field | variance | notes

actor.process · d3f:Process
  Respond: d3f:ProcessTermination

dst_endpoint · d3f:Host
  dst_endpoint.ip | attacker_controlled | C2 IP — attacker-controlled, rotated frequently
  dst_endpoint.domain | attacker_controlled | C2 domain — attacker-controlled, DGA or fast-flux evades this
  Mitigate: d3f:NetworkTrafficFiltering

network · d3f:NetworkTraffic
  network.bytes_out | variable | Outbound bytes — beaconing periodicity is the closest technique-proximate observable
  network.protocol_name | attacker_controlled | Protocol — Execution Medium, attacker switches freely
  Mitigate: d3f:NetworkTrafficFiltering

device · d3f:Host
  Respond: d3f:NetworkIsolation

Definitional Sigma rule
Broad by design — defines the technique, not an operational alert. Gate on variable or attacker-controlled field conditions to narrow for production use.
title: Application Layer Protocol (C2) (T1071)
status: experimental
description: >
  Definitional rule — broad by design. Defines the technique independent of
  medium, tool, or attacker-controlled variables. Narrow with variable and
  attacker-controlled field conditions for operational use.
logsource:
  product: ocsf
  category: Network Activity (4001)
detection:
  selection:
    activity_id: 'Traffic'
  condition: selection

Seen in the wild (2 reports)
APT28's Covenant C2 bridge routes all traffic through Koofr and Filen cloud storage APIs — C2 communication indistinguishable from legitimate cloud storage at the network layer.
GammaLoad uses Telegram and Cloudflare Workers as Dead Drop Resolvers — application layer protocol abuse to retrieve live C2 addresses while blending with legitimate traffic.