Application Layer Protocol
Use HTTP(S), DNS, etc. for C2.
§ Where this technique fits
T1071 is catalogued under the Command and Control tactic of the offensive-security kill-chain. It appears in 8 approved dossiers in the registry, at step 4.9 of the chain on average.
Authoritative reference: attack.mitre.org/techniques/T1071/.
§ Dossiers chaining this technique
- step 2 / 5: Autodiscover external leak → credential harvest
  Mis-implemented Autodiscover falls back to autodiscover.<TLD>; registering that domain externally lets an attacker harvest plaintext Basic-auth credentials from clients that haven't been patched or configured properly.
- step 4 / 6: ISO container → LNK → stage from CDN → C2
  Email attaches an ISO. Windows mounts it as a drive, bypassing Mark-of-the-Web. LNK inside runs a hidden binary that pulls the real stager from a CDN; Defender often misses the chain.
- step 5 / 6: AMSI patch → in-memory .NET / PowerShell stager
  Patch AmsiScanBuffer in amsi.dll to return clean for any content; subsequent PowerShell / Office VBA / .NET runtime calls then run attacker code without scanning.
- step 5 / 6: OneNote .one attachment → embedded payload → C2
  OneNote .one file with a friendly 'Double-click to view' overlay hides an embedded HTA / VBS / EXE. Effective initial access vector after Microsoft blocked internet macros in 2022.
- step 5 / 6: USB drop in parking lot → HID payload → C2
  Drop branded-looking USB sticks near the target site. An employee plugs one in; a Rubber-Ducky-class HID device types a PowerShell payload that connects out to attacker C2.
- step 6 / 6: Process hollowing → run beacon in svchost shell
  Spawn svchost.exe suspended, unmap its image, write attacker PE into the same address space, resume; the process keeps a legit-looking PEB and command line but executes beacon code.
- step 6 / 7: Build-system implant → signed supply-chain backdoor (SolarWinds-class)
  Compromise the target vendor's build server. A small implant rewrites a single source file at compile time; every official signed release downstream now ships the backdoor.
- step 6 / 6: certutil + bitsadmin → AV-friendly stager chain
  Initial access dropped a tiny .bat. It uses certutil to decode a base64 blob and bitsadmin to fetch the real beacon, then schtasks for persistence. Every binary in the chain is Microsoft-signed.
§ What commonly comes next
- 01 Scheduled Task Hijack (seen 2×) · W-SCHEDTASK-HIJACK · Persistence
- 02 Autodiscover Domain Hijack (seen 1×) · EX-AUTODISCOVER-LEAK · Credential Access
- 03 Boot or Logon Autostart Execution (seen 1×) · T1547 · Persistence
- 04 Valid Accounts (seen 1×) · T1078 · Initial Access
- 05 scrcons.exe WMI Event Subscription (seen 1×) · LOL-SCRCONS · Persistence