| ID | C0002 |
| Objective(s) | Communication |
| Related ATT&CK Techniques | None |
| Version | 2.2 |
| Created | 14 August 2020 |
| Last Modified | 30 April 2024 |
This micro-behavior is related to HTTP communication.
Instead of being listed alphabetically, methods have been grouped to better faciliate labeling and mapping.
| Name | ID | Description |
|---|---|---|
| Server | C0002.001 | General HTTP server behavior. |
| Client | C0002.002 | General HTTP client behavior. |
| Connect to Server | C0002.009 | HTTP client connects to HTTP server. |
| Open URL | C0002.004 | HTTP client connects to a URL. |
| Download URL | C0002.006 | HTTP client downloads URL to file. |
| Extract Body | C0002.011 | HTTP client extracts HTTP body. |
| Create Request | C0002.012 | HTTP client creates request. |
| Send Request | C0002.003 | HTTP client sends request (GET). |
| Send Data | C0002.005 | HTTP clients sends data to a server (POST/PUT). |
| Receive Request | C0002.015 | HTTP server receives request. |
| Send Response | C0002.016 | HTTP server sends response. |
| Get Response | C0002.017 | HTTP client receives response. |
| Start Server | C0002.018 | HTTP server is started. |
| Set Header | C0002.013 | HTTP header is set. |
| Read Header | C0002.014 | HTTP read header. |
| IWebBrowser | C0002.010 | The IWebBrowser interface exposes methods and properties implemented by the WebBrowser control or implemented by an instance of the InternetExplorer application. Specific methods and properties can be captured: e.g., COMMUNICATION::HTTP Communication::IWebBrowser.get_Document. |
| WinHTTP | C0002.008 | An HTTP request is made via the Windows HTTP Services (WinHTTP) application programming interface (API). |
| WinINet | C0002.007 | A HTTP request is made via the Windows Internet (WinINet) application programming interface (API). A specific function can be specified as a method on the WinInet micro-behavior. |
| Name | Date | Method | Description |
|---|---|---|---|
| BlackEnergy | 2007 | C0002.010 | The malware initializes IWebBrowser2. [1] |
| BlackEnergy | 2007 | C0002.011 | The malware extracts the HTTP body. [1] |
| Emotet | 2018 | C0002.012 | The malware creates a HTTP request. [1] |
| Kovter | 2016 | C0002.009 | Kovter connects to a HTTP server. [1] |
| Kovter | 2016 | C0002.012 | Kovter creates a HTTP request. [1] |
| Tool: capa | Mapping | APIs |
|---|---|---|
| read HTTP header | HTTP Communication::Read Header (C0002.014) | winhttp.WinHttpQueryHeaders |
| initialize WinHTTP library | HTTP Communication::WinHTTP (C0002.008) | winhttp.WinHttpOpen |
| initialize IWebBrowser2 | HTTP Communication::IWebBrowser (C0002.010) | ole32.CoCreateInstance |
| get HTTP content length | HTTP Communication (C0002) | wininet.HttpQueryInfo |
| set HTTP header | HTTP Communication::Set Header (C0002.013) | winhttp.WinHttpAddRequestHeaders, System.Net.WebHeaderCollection::Add |
| reference HTTP User-Agent string | HTTP Communication (C0002) | urlmon.ObtainUserAgentString |
| start HTTP server | HTTP Communication::Start Server (C0002.018) | httpapi.HttpInitialize, httpapi.HttpTerminate, System.Net.HttpListener::Start |
| receive HTTP request | HTTP Communication::Receive Request (C0002.015) | httpapi.HttpReceiveHttpRequest, httpapi.HttpReceiveRequestEntityBody |
| send HTTP response | HTTP Communication::Send Response (C0002.016) | httpapi.HttpSendHttpResponse, httpapi.HttpSendResponseEntityBody |
| receive HTTP response | HTTP Communication::Get Response (C0002.017) | System.Net.WebRequest::GetResponse, winhttp.WinHttpReceiveResponse, winhttp.WinHttpReadData, winhttp.WinHttpQueryDataAvailable |
| send HTTP request | HTTP Communication::Send Request (C0002.003) | System.Net.WebRequest::GetResponse, System.Net.WebRequest::GetResponseAsync, wininet.HttpOpenRequest, wininet.InternetConnect, wininet.HttpSendRequest, wininet.HttpSendRequestEx, winhttp.WinHttpSendRequest, winhttp.WinHttpWriteData, winhttp.WinHttpOpenRequest, winhttp.WinHttpConnect |
| read data from Internet | HTTP Communication::Get Response (C0002.017) | wininet.InternetReadFile, wininet.InternetReadFileEx, System.Net.WebClient::DownloadString, System.Net.WebClient::DownloadStringAsync, System.Net.WebClient::DownloadStringTaskAsync, System.Net.WebClient::DownloadData, System.Net.WebClient::DownloadDataAsync, System.Net.WebClient::DownloadDataTaskAsync |
| get HTTP document via IWebBrowser2 | HTTP Communication::Get Response (C0002.017) | oleaut32.SysAllocString, oleaut32.VariantInit |
| get HTTP document via IWebBrowser2 | HTTP Communication::IWebBrowser (C0002.010) | oleaut32.SysAllocString, oleaut32.VariantInit |
| download URL | HTTP Communication::Download URL (C0002.006) | urlmon.URLDownloadToFile, urlmon.URLDownloadToCacheFile, urlmon.URLOpenBlockingStream, urlmon.URLOpenPullStream, urlmon.URLOpenStream, System.Net.WebClient::DownloadFile, System.Net.WebClient::DownloadFileAsync, System.Net.WebClient::DownloadFileTaskAsync, Microsoft.VisualBasic.Devices.Network::DownloadFile |
| prepare HTTP request | HTTP Communication::Create Request (C0002.012) | winhttp.WinHttpOpenRequest |
| create HTTP request | HTTP Communication::Create Request (C0002.012) | wininet.InternetOpen, System.Net.WebRequest::Create, System.Net.WebRequest::CreateDefault, System.Net.WebRequest::CreateHttp, wininet.InternetCloseHandle |
| send file via HTTP | HTTP Communication::Send Data (C0002.005) | wininet.InternetWriteFile |
| decompress HTTP response via IEncodingFilterFactory | HTTP Communication::Get Response (C0002.017) | -- |
| check HTTP status code | HTTP Communication::Read Header (C0002.014) | atoi, wininet.HttpQueryInfo |
| get HTTP response content encoding | HTTP Communication::Get Response (C0002.017) | wininet.HttpQueryInfo |
| connect to URL | HTTP Communication::Open URL (C0002.004) | wininet.InternetOpenUrl |
| connect to HTTP server | HTTP Communication::Connect to Server (C0002.009) | wininet.InternetConnect |
| extract HTTP body | HTTP Communication::Extract Body (C0002.011) | -- |
| Tool: CAPE | Class | Mapping | APIs |
|---|---|---|---|
| internet_dropper | Internet_Dropper | HTTP Communication (C0002) | HttpOpenRequestA, InternetConnectA, HttpOpenRequestW, InternetConnectW |
| bot_madness | Madness | HTTP Communication (C0002) | -- |
| bot_madness | Madness | HTTP Communication::Send Request (C0002.003) | -- |
| bot_drive | Drive | HTTP Communication (C0002) | -- |
| bot_drive | Drive | HTTP Communication::Send Data (C0002.005) | -- |
| network_cnc_http | NetworkCnCHTTP | HTTP Communication (C0002) | -- |
| recon_beacon | Recon_Beacon | HTTP Communication (C0002) | HttpOpenRequestA, HttpSendRequestA |
| network_http | NetworkHTTP | HTTP Communication (C0002) | -- |
| explorer_http | ExplorerHTTP | HTTP Communication (C0002) | WinHttpConnect, WinHttpOpenRequest |
| bot_drive2 | Drive2 | HTTP Communication (C0002) | -- |
| bot_drive2 | Drive2 | HTTP Communication::Send Data (C0002.005) | -- |
| bot_dirtjumper | DirtJumper | HTTP Communication (C0002) | -- |
| bot_dirtjumper | DirtJumper | HTTP Communication::Send Data (C0002.005) | -- |
| bot_athenahttp | AthenaHttp | HTTP Communication (C0002) | -- |
| koadic_network_activity | KoadicNetworkActivity | HTTP Communication (C0002) | WinHttpOpenRequest, HttpOpenRequestW |
| http_request | HTTP_Request | HTTP Communication (C0002) | HttpOpenRequestA, HttpOpenRequestW, InternetConnectW, InternetOpenUrlA, InternetConnectA, InternetOpenUrlW, WinHttpGetProxyForUrl |
| cmdline_http_link | CommandLineHTTPLink | HTTP Communication (C0002) | -- |
| cmdline_reversed_http_link | CommandLineReversedHTTPLink | HTTP Communication (C0002) | -- |
| network_docfile_http | NetworkDocumentHTTP | HTTP Communication (C0002) | InternetCrackUrlW, InternetCrackUrlA, URLDownloadToFileW, HttpOpenRequestW, InternetReadFile, WSASend |
| banker_zeus_url | ZeusURL | HTTP Communication (C0002) | -- |
| downloads_from_filehosting | Modiloader_APIs | HTTP Communication (C0002) | InternetOpenUrlA, WinHttpOpenRequest |
| purplewave_network_activity | PurpleWaveNetworkAcivity | HTTP Communication (C0002) | InternetOpenW, HttpAddRequestHeadersA, HttpSendRequestW, HttpOpenRequestW |
Communication::HTTP Communication::Get Response
SHA256: 3ac8c22eb7c59d35fe49c20f2a0eca06765543dfb15f455a5557af4428066641 Location: 0x180001380mov param_2, ebx lea r9, [rsp + 0x44] ; where to store the number of bytes read add param_2, r14 ; pointer to buffer to receive HTTP data mov param_3, 0x400 ; number of bytes to read (1024) mov param_1, rsi ; handle to previously opened HTTP request call qword ptr [->WININET::InternetReadFile] ; Windows API for reading data from HTTP or FTP connections
[1] capa v4.0, analyzed at MITRE on 10/12/2022