T1095: Non-Application Layer Protocol

Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).

ICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts. However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

solaris_suspicious_network_activity: PT-CR-550: Solaris_Detect_Raw_Socket: Network activity via raw sockets is detected mitre_attck_command_and_control: PT-CR-2808: Subrule_Suspicious_Connection_System_Process: An auxiliary rule for detecting network connections established by a process with system privileges after it was accessed, a thread was established in the process address space, a suspicious DLL library was loaded, or a child process was started mitre_attck_command_and_control: PT-CR-3053: Wintun_Network_Driver_Usage: The Wintun library was used, which may indicate a created peer-to-peer connection to an attackers' server mitre_attck_command_and_control: PT-CR-612: Subrule_Connection_System_Process: A process with system privileges opened a network connection mitre_attck_command_and_control: PT-CR-2814: Suspicious_Connection_System_Process: A network connection established by a process with system privileges after the process was accessed, a thread was established in the process address space, a suspicious DLL library was loaded, or a child process was started mitre_attck_command_and_control: PT-CR-611: Suspicious_Connection_After_Imageload: A process opened a network connection after loading a library unix_mitre_attck_command_and_control: PT-CR-293: Unix_Raw_Socket: Raw socket network activity network_devices_compromise: PT-CR-574: Suspicious_ICMP_Packet: A large ICMP packet is detected

Detection

IDDS0029Data source and componentNetwork Traffic: Network Traffic ContentDescription

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

IDDS0029Data source and componentNetwork Traffic: Network Traffic FlowDescription

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Mitigation

IDM1037NameFilter Network TrafficDescription

Filter network traffic to prevent use of protocols across the network boundary that are unnecessary.

IDM1031NameNetwork Intrusion PreventionDescription

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

IDM1030NameNetwork SegmentationDescription

Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces.