http-communication.md

File metadata and controls

100 lines (87 loc) · 8.79 KB
ID C0002
Objective(s) Communication
Related ATT&CK Techniques None
Version 2.0
Created 14 August 2020
Last Modified 13 September 2023

# HTTP Communication

This micro-behavior is related to HTTP communication.

Instead of being listed alphabetically, methods have been grouped to better facilitate labeling and mapping.

## Methods

| Name | ID | Description |
|---|---|---|
| Server | C0002.001 | General HTTP server behavior. |
| Client | C0002.002 | General HTTP client behavior. |
| Connect to Server | C0002.009 | HTTP client connects to HTTP server. |
| Open URL | C0002.004 | HTTP client connects to a URL. |
| Download URL | C0002.006 | HTTP client downloads URL to file. |
| Extract Body | C0002.011 | HTTP client extracts HTTP body. |
| Create Request | C0002.012 | HTTP client creates request. |
| Send Request | C0002.003 | HTTP client sends request (GET). |
| Send Data | C0002.005 | HTTP client sends data to a server (POST/PUT). |
| Receive Request | C0002.015 | HTTP server receives request. |
| Send Response | C0002.016 | HTTP server sends response. |
| Get Response | C0002.017 | HTTP client receives response. |
| Start Server | C0002.018 | HTTP server is started. |
| Set Header | C0002.013 | HTTP header is set. |
| Read Header | C0002.014 | HTTP header is read. |
| IWebBrowser | C0002.010 | The IWebBrowser interface exposes methods and properties implemented by the WebBrowser control or implemented by an instance of the InternetExplorer application. Specific methods and properties can be captured: e.g., COMMUNICATION::HTTP Communication::IWebBrowser.get_Document. |
| WinHTTP | C0002.008 | An HTTP request is made via the Windows HTTP Services (WinHTTP) application programming interface (API). |
| WinINet | C0002.007 | An HTTP request is made via the Windows Internet (WinINet) application programming interface (API). A specific function can be specified as a method on the WinINet micro-behavior. |

## Use in Malware

| Name | Date | Method | Description |
|---|---|---|---|
| BlackEnergy | 2007 | C0002.010 | The malware initializes IWebBrowser2. [1] |
| BlackEnergy | 2007 | C0002.011 | The malware extracts the HTTP body. [1] |
| Emotet | 2018 | C0002.012 | The malware creates an HTTP request. [1] |
| Kovter | 2016 | C0002.009 | Kovter connects to an HTTP server. [1] |
| Kovter | 2016 | C0002.012 | Kovter creates an HTTP request. [1] |

## Detection

| Tool: capa | Mapping | APIs |
|---|---|---|
| read HTTP header | HTTP Communication::Read Header (C0002.014) | winhttp.WinHttpQueryHeaders |
| initialize WinHTTP library | HTTP Communication::WinHTTP (C0002.008) | winhttp.WinHttpOpen |
| initialize IWebBrowser2 | HTTP Communication::IWebBrowser (C0002.010) | ole32.CoCreateInstance |
| get HTTP content length | HTTP Communication (C0002) | wininet.HttpQueryInfo |
| set HTTP header | HTTP Communication::Set Header (C0002.013) | winhttp.WinHttpAddRequestHeaders, System.Net.WebHeaderCollection::Add |
| reference HTTP User-Agent string | HTTP Communication (C0002) | urlmon.ObtainUserAgentString |
| start HTTP server | HTTP Communication::Start Server (C0002.018) | httpapi.HttpInitialize, httpapi.HttpTerminate, System.Net.HttpListener::Start |
| receive HTTP request | HTTP Communication::Receive Request (C0002.015) | httpapi.HttpReceiveHttpRequest, httpapi.HttpReceiveRequestEntityBody |
| send HTTP response | HTTP Communication::Send Response (C0002.016) | httpapi.HttpSendHttpResponse, httpapi.HttpSendResponseEntityBody |
| receive HTTP response | HTTP Communication::Get Response (C0002.017) | System.Net.WebRequest::GetResponse, winhttp.WinHttpReceiveResponse, winhttp.WinHttpReadData, winhttp.WinHttpQueryDataAvailable |
| send HTTP request | HTTP Communication::Send Request (C0002.003) | System.Net.WebRequest::GetResponse, System.Net.WebRequest::GetResponseAsync, wininet.HttpOpenRequest, wininet.InternetConnect, wininet.HttpSendRequest, wininet.HttpSendRequestEx, winhttp.WinHttpSendRequest, winhttp.WinHttpWriteData, winhttp.WinHttpOpenRequest, winhttp.WinHttpConnect |
| read data from Internet | HTTP Communication::Get Response (C0002.017) | wininet.InternetReadFile, wininet.InternetReadFileEx, System.Net.WebClient::DownloadString, System.Net.WebClient::DownloadStringAsync, System.Net.WebClient::DownloadStringTaskAsync, System.Net.WebClient::DownloadData, System.Net.WebClient::DownloadDataAsync, System.Net.WebClient::DownloadDataTaskAsync |
| get HTTP document via IWebBrowser2 | HTTP Communication::Get Response (C0002.017) | oleaut32.SysAllocString, oleaut32.VariantInit |
| get HTTP document via IWebBrowser2 | HTTP Communication::IWebBrowser (C0002.010) | oleaut32.SysAllocString, oleaut32.VariantInit |
| download URL | HTTP Communication::Download URL (C0002.006) | urlmon.URLDownloadToFile, urlmon.URLDownloadToCacheFile, urlmon.URLOpenBlockingStream, urlmon.URLOpenPullStream, urlmon.URLOpenStream, System.Net.WebClient::DownloadFile, System.Net.WebClient::DownloadFileAsync, System.Net.WebClient::DownloadFileTaskAsync, Microsoft.VisualBasic.Devices.Network::DownloadFile |
| prepare HTTP request | HTTP Communication::Create Request (C0002.012) | winhttp.WinHttpOpenRequest |
| create HTTP request | HTTP Communication::Create Request (C0002.012) | wininet.InternetOpen, System.Net.WebRequest::Create, System.Net.WebRequest::CreateDefault, System.Net.WebRequest::CreateHttp, wininet.InternetCloseHandle |
| send file via HTTP | HTTP Communication::Send Data (C0002.005) | wininet.InternetWriteFile |
| decompress HTTP response via IEncodingFilterFactory | HTTP Communication::Get Response (C0002.017) | |
| check HTTP status code | HTTP Communication::Read Header (C0002.014) | atoi, wininet.HttpQueryInfo |
| get HTTP response content encoding | HTTP Communication::Get Response (C0002.017) | wininet.HttpQueryInfo |
| connect to URL | HTTP Communication::Open URL (C0002.004) | wininet.InternetOpenUrl |
| connect to HTTP server | HTTP Communication::Connect to Server (C0002.009) | wininet.InternetConnect |
| extract HTTP body | HTTP Communication::Extract Body (C0002.011) | |

## References

[1] capa v4.0, analyzed at MITRE on 10/12/2022