T1572: Protocol Tunneling
| View on MITRE ATT&CK | T1572 |
|---|---|
| Tactic(s) | Command and Control |
Data from MITRE ATT&CK®:
Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.
There are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling)
Protocol Tunneling may also be abused by adversaries during Dynamic Resolution. Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19)
Adversaries may also leverage Protocol Tunneling in conjunction with Proxy and/or Protocol Impersonation to further conceal C2 communications and infrastructure.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
Evasive Panda leverages Monlam Festival to target Tibetans
This report by researchers at ESET describes a campaign which they attribute to the China-aligned APT Evasive Panda. The report describes a ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs
This cybersecurity advisory from the U.S. Federal Bureau of Investigation (FBI) and its partners, highlights the cyber espionage activities of the ...
Flax Typhoon using legitimate software to quietly access Taiwanese organizations
This blog post by Microsoft Threat Intelligence outlines the Flax Typhoon intrusion set and TTPs demonstrated by the group. It describes the actor ...
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
This Cybersecurity Advisory by CISA with US and international partners outlines activity which they link to APT29 (also known as The Dukes, Cozy ...
#StopRansomware: LockBit 3.0
This #StopRansomware Cybersecurity Advisory from CISA and partners describes the operations associated with LockBit 3.0 which operates as a ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
This blog post by researchers at Mandiant describes how the threat actor UNC5174 exploited vulnerabilities in F5 BIG-IP appliances and Connectwise ...
Mitigations for this technique
MITRE ATT&CK Mitigations
How to detect this technique
MITRE ATT&CK Data Components
Network Traffic Content (Network Traffic)
Logged network traffic data showing both protocol header and body values (ex: PCAP)Network Traffic Flow (Network Traffic)
Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)Network Connection Creation (Network Traffic)
Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Sigma Detections for this Technique
Suspicious Plink Port Forwarding
Communication To Ngrok Tunneling Service - Linux
Potential RDP Tunneling Via Plink
Potential RDP Tunneling Via SSH
Cloudflared Tunnel Execution
PUA - 3Proxy Execution
Cloudflared Tunnel Connections Cleanup
PUA - Ngrok Execution
RDP Over Reverse SSH Tunnel
RDP to HTTP or HTTPS Target Ports
Silence.EDA Detection
Communication To Ngrok Tunneling Service Initiated
Port Forwarding Activity Via SSH.EXE
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.