Technique on mitre.org

T1095: Non-Application Layer Protocol

Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).

ICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts. However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

solaris_suspicious_network_activity: PT-CR-550: Solaris_Detect_Raw_Socket: Network activity via raw sockets is detected network_devices_compromise: PT-CR-574: Suspicious_ICMP_Packet: A large ICMP packet is detected unix_mitre_attck_command_and_control: PT-CR-293: Unix_Raw_Socket: Raw socket network activity mitre_attck_command_and_control: PT-CR-611: Suspicious_Connection_After_Imageload: A process opened a network connection after loading a library mitre_attck_command_and_control: PT-CR-612: Suspicious_Connection_System_Process: A process accessed a network address

Detection

ID	DS0029	Data source and component	Network Traffic: Network Traffic Content	Description	Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

ID	DS0029	Data source and component	Network Traffic: Network Traffic Flow	Description	Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

ID	Data source and component	Description
DS0029	Network Traffic: Network Traffic Content	Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).
DS0029	Network Traffic: Network Traffic Flow	Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Mitigation

ID	M1037	Name	Filter Network Traffic	Description	Filter network traffic to prevent use of protocols across the network boundary that are unnecessary.

ID	M1031	Name	Network Intrusion Prevention	Description	Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

ID	M1030	Name	Network Segmentation	Description	Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces.

ID	Name	Description
M1037	Filter Network Traffic	Filter network traffic to prevent use of protocols across the network boundary that are unnecessary.
M1031	Network Intrusion Prevention	Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
M1030	Network Segmentation	Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces.