Threat actors may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. It includes HTTP and DNS.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.