Application Layer Protocol (T1071) is a technique in the MITRE ATT&CK framework that refers to the use of standard application-layer network protocols for communication.
In simple terms, it describes network communication that takes place over commonly used protocols such as HTTP/HTTPS, DNS, SMTP, FTP, or other web and email protocols. Because these protocols operate at the application layer (Layer 7 of the OSI model), they structure how data is formatted, transmitted, and interpreted between systems.
T1071 is categorized under the Command and Control tactic in MITRE ATT&CK and focuses specifically on communication conducted through legitimate, widely used application-layer protocols.
Application layer protocols provide threat actors with a reliable way to operate within normal network patterns. By embedding malicious communications inside traffic that organizations already allow and depend on, attackers reduce the likelihood of raising immediate suspicion.
Protocol selection is often deliberate. Actors choose channels that are heavily used and expected within a given environment, allowing their activity to blend into routine operations. Web traffic, email flows, DNS lookups, and file transfer communications are especially attractive because of their volume and business necessity.
In enterprise environments, attackers frequently leverage internally trusted protocols such as HTTP/S, WebSocket, SMB, FTP/FTPS, DNS, SMTP, IMAP, POP3, MQTT, XMPP, and AMQP. Because these protocols support core business functions, including remote access, file exchange, and application messaging, security controls often treat them as legitimate by default.
By operating through these trusted channels, adversaries can maintain persistent communication with compromised systems, transfer data, and traverse network segments while minimizing anomalies that would otherwise trigger defensive alerts.
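The defensive counterpart to the behaviour described above is to look for what blending into allowed protocols cannot hide: a compromised host that checks in with the same destination at a fixed cadence with near-identical request sizes, regardless of whether the carrier is HTTP/S, DNS, or SMTP. The following Python script is an added example, not code from the Red Report or from Picus; it runs a simple beaconing check over a constructed proxy-style log whose column layout (timestamp, protocol, source IP, destination host, bytes sent) is an assumption made here for illustration. It flags a (protocol, source, destination) tuple when both the inter-request intervals and the request sizes show a very low coefficient of variation.

```python
"""Beacon-regularity check over application-layer request logs (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real environment). Assumed layout:
# "<ISO timestamp> <protocol> <source ip> <destination host> <bytes sent>"
# 10.0.0.5 checks in roughly every 60 s with ~512-byte requests (beacon-like);
# 10.0.0.7 shows irregular, human-driven intranet traffic.
SAMPLE_LOG = """\
2025-03-01T10:00:00 https 10.0.0.5 updates.example-cdn.test 512
2025-03-01T10:01:00 https 10.0.0.5 updates.example-cdn.test 514
2025-03-01T10:02:01 https 10.0.0.5 updates.example-cdn.test 510
2025-03-01T10:03:00 https 10.0.0.5 updates.example-cdn.test 513
2025-03-01T10:04:00 https 10.0.0.5 updates.example-cdn.test 511
2025-03-01T10:05:00 https 10.0.0.5 updates.example-cdn.test 512
2025-03-01T10:00:10 https 10.0.0.7 intranet.example.test 2048
2025-03-01T10:00:45 https 10.0.0.7 intranet.example.test 130
2025-03-01T10:07:30 https 10.0.0.7 intranet.example.test 9000
2025-03-01T10:09:05 https 10.0.0.7 intranet.example.test 420
2025-03-01T10:20:00 https 10.0.0.7 intranet.example.test 70
2025-03-01T10:21:00 https 10.0.0.7 intranet.example.test 3000
"""


def parse_log(text):
    """Group (timestamp, bytes) events by (protocol, source, destination)."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, size = line.split()
        sessions[(proto, src, dst)].append((datetime.fromisoformat(ts), int(size)))
    for key in sessions:
        sessions[key].sort()  # chronological order is required for intervals
    return sessions


def _cv(values):
    """Coefficient of variation (population stdev / mean); 0 for a zero mean."""
    mean = statistics.fmean(values)
    return 0.0 if mean == 0 else statistics.pstdev(values) / mean


def beacon_score(events):
    """Return (interval_cv, size_cv) for a sorted event list, or None if too few.

    Low values mean the host talks to the destination on a regular clock with
    near-constant payload sizes, the signature of an automated check-in.
    """
    if len(events) < 4:
        return None
    times = [t for t, _ in events]
    sizes = [s for _, s in events]
    intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return _cv(intervals), _cv(sizes)


def find_beacons(text, max_interval_cv=0.1, max_size_cv=0.1, min_events=5):
    """Flag (protocol, src, dst) tuples whose timing and sizes are both regular.

    Thresholds are constructed for this example and should be tuned per
    environment; they are deliberately strict to keep false positives low.
    """
    flagged = []
    for (proto, src, dst), events in parse_log(text).items():
        score = beacon_score(events)
        if score is None or len(events) < min_events:
            continue
        interval_cv, size_cv = score
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            flagged.append({
                "proto": proto, "src": src, "dst": dst,
                "events": len(events),
                "interval_cv": round(interval_cv, 4),
                "size_cv": round(size_cv, 4),
            })
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} over {hit['proto']} "
              f"({hit['events']} requests, interval_cv={hit['interval_cv']}, "
              f"size_cv={hit['size_cv']})")
```

On the constructed log the script reports only the 10.0.0.5 tuple. In production use, a pure regularity test is one signal among several: real implants add jitter, so the check is usually run over sliding windows with looser thresholds and combined with destination rarity (how many hosts in the estate talk to that domain), first-seen age of the domain, and the ratio of bytes out to bytes in, which distinguishes exfiltration over an allowed protocol from ordinary browsing.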
In the Red Report 2026, Application Layer Protocol ranked as the fifth most commonly observed technique. First identified as a top-ten threat in the Red Report 2024, it has remained in the upper tier through 2025 and into 2026. Its continued presence underscores a persistent, and growing, risk that defenders should expect to face for the foreseeable future.
The broader trend points in the same direction. We observed a 38% year-over-year decrease in Data Encrypted for Impact, while the Application Layer Protocol technique was present in 19% of all malware samples collected throughout 2025. Together, these figures highlight a clear evolution in attacker tradecraft.
The strategy change is evident. Rather than encrypting entire environments and immediately demanding ransom, many threat actors are opting to remain undetected for longer periods, quietly exfiltrating targeted data, and returning with proof of theft as leverage. With this model proving highly effective, infostealers are likely to continue playing a central role in modern attack campaigns.
The Application Layer Protocol technique consists of five sub-techniques in MITRE ATT&CK v18.
This blog serves as a hub page for the T1071 Application Layer Protocol technique within the MITRE ATT&CK framework. Each linked sub-technique page explains how the technique works, details adversary behavior, and includes real-world procedure examples observed in the wild, as documented in the Red Report.