T1572: Protocol Tunneling
Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.
There are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.
Protocol Tunneling may also be abused by adversaries during Dynamic Resolution: with DNS over HTTPS (DoH), the queries that resolve C2 infrastructure are encapsulated within encrypted HTTPS traffic, so they are not visible as ordinary DNS.
Adversaries may also leverage Protocol Tunneling in conjunction with Proxy and/or Protocol Impersonation to further conceal C2 communications and infrastructure.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
solaris_suspicious_network_activity: PT-CR-549: Solaris_Detect_Possible_Unix_Tunneling_Via_SSH: An SSH tunnel from a client host to a remote server is detected
solaris_suspicious_network_activity: PT-CR-548: Solaris_Detect_Possible_Unix_Reverse_Tunneling_Via_SSH: A reverse SSH tunnel is detected
pt_nad: PT-CR-739: NAD_Tunnel_Tool: PT NAD detected signs of a hacker tool for traffic tunneling
remote_work: PT-CR-2561: RDP_Tunneling: Possible RDP tunneling
unix_mitre_attck_command_and_control: PT-CR-1675: Unix_Tunneling_Via_SSHuttle: An SSH tunnel was created using the SSHuttle utility
unix_mitre_attck_command_and_control: PT-CR-1677: Unix_Tunneling_Via_SSH: An SSH tunnel from a host to a remote server is detected
unix_mitre_attck_command_and_control: PT-CR-1676: Unix_Tunnel_Process: A tunnel to the internal network is detected
mitre_attck_command_and_control: PT-CR-428: Possible_Network_Local_Tunnel: Attempt to connect to a remote host using a tunnel. This may indicate that the tunnel is being used for network reconnaissance, accessing local resources, or lateral movement.
mitre_attck_command_and_control: PT-CR-1354: Tunnel_Process_Windows: A tunnel to the internal network is detected
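The SSH-related rules above all key on the creation of a tunnel by an ssh or sshuttle process. The following added example (written for this page; it is not the MaxPatrol SIEM rule logic) shows the core of such a check: parsing a process-creation command line, skipping OpenSSH options that take values, and classifying -L, -R, -D and -w forwarding as well as sshuttle invocations. The event records, host names, user names and the alert format are constructed for the demo.

```python
"""Detect SSH-based tunnel creation from process command lines (added example,
not the MaxPatrol SIEM rule logic). Events, host names and the alert format
are constructed for the demo."""
import re
import shlex
from dataclasses import dataclass

# OpenSSH single-letter options that consume a value; the scanner skips those
# values so that e.g. "-p 2222" is not mistaken for the destination host.
SSH_OPTS_WITH_ARG = set("BbcDEeFIiJLlmOopQRSWw")
# The subset that establishes a tunnel, mapped to a finding kind.
TUNNEL_OPTS = {"L": "local_forward", "R": "reverse_forward",
               "D": "dynamic_socks", "w": "tun_device"}


@dataclass
class TunnelFinding:
    kind: str    # a TUNNEL_OPTS value, or "sshuttle"
    spec: str    # forwarding spec, e.g. "3389:10.0.0.5:3389", or sshuttle subnets
    remote: str  # ssh destination ([user@]host) when present


def _tokens(cmdline):
    # Windows paths contain backslashes, which POSIX shlex would treat as escapes.
    posix = "\\" not in cmdline
    try:
        toks = shlex.split(cmdline, posix=posix)
    except ValueError:
        toks = cmdline.split()
    return toks if posix else [t.strip("\"'") for t in toks]


def _analyze_sshuttle(argv):
    remote, subnets, i = "", [], 1
    while i < len(argv):
        tok, i = argv[i], i + 1
        if tok in ("-r", "--remote") and i < len(argv):
            remote, i = argv[i], i + 1
        elif tok.startswith("--remote="):
            remote = tok.split("=", 1)[1]
        elif tok in ("-x", "--exclude", "-e", "--ssh-cmd"):
            i += 1                      # takes a value that is not a subnet
        elif not tok.startswith("-"):
            subnets.append(tok)         # positional arguments are tunneled subnets
    return [TunnelFinding("sshuttle", " ".join(subnets), remote)] if remote else []


def analyze_cmdline(cmdline):
    """Return a list of TunnelFinding for one process command line."""
    argv = _tokens(cmdline)
    if not argv:
        return []
    prog = re.split(r"[\\/]", argv[0])[-1].lower()
    if prog == "sshuttle":
        return _analyze_sshuttle(argv)
    if prog not in ("ssh", "ssh.exe"):
        return []
    findings, remote, i = [], "", 1
    while i < len(argv):
        tok, i = argv[i], i + 1
        if tok == "--":
            remote = argv[i] if i < len(argv) else ""
            break
        if not tok.startswith("-") or tok == "-":
            remote = tok                # ssh stops option parsing at the destination
            break
        # Walk clustered flags such as "-fNL8080:host:80".
        for pos, ch in enumerate(tok[1:], start=1):
            if ch not in SSH_OPTS_WITH_ARG:
                continue
            value = tok[pos + 1:]
            if not value and i < len(argv):
                value, i = argv[i], i + 1
            if ch in TUNNEL_OPTS:
                findings.append(TunnelFinding(TUNNEL_OPTS[ch], value, ""))
            break
    for f in findings:
        f.remote = remote
    return findings


# Constructed process-creation events: (host, user, command line).
EVENTS = [
    ("lin-ws-07", "alice", "ssh -fN -L 3389:10.0.0.5:3389 admin@bastion.example"),
    ("lin-ws-07", "deploy", "ssh -p 2222 deploy@app01 'systemctl restart app'"),
    ("lin-ws-07", "alice", "sshuttle -r ops@jumpbox.example -x 10.0.9.0/24 10.0.0.0/8"),
    ("WIN-WS-03", "bob", r'"C:\Windows\System32\OpenSSH\ssh.exe" -D 1080 bob@203.0.113.10'),
    ("lin-ws-07", "svc", "ssh -R 8080:localhost:80 -o ServerAliveInterval=30 svc@203.0.113.10"),
]


def scan_events(events):
    """One alert per detected tunnel; reverse, SOCKS and sshuttle tunnels rank higher."""
    alerts = []
    for host, user, cmdline in events:
        for f in analyze_cmdline(cmdline):
            sev = "high" if f.kind in ("reverse_forward", "dynamic_socks", "sshuttle") else "medium"
            alerts.append({"host": host, "user": user, "severity": sev,
                           "kind": f.kind, "spec": f.spec, "remote": f.remote})
    return alerts
```

Running scan_events(EVENTS) yields four alerts (the plain remote command on a non-standard port is not one of them). The option table matters more than it looks: a naive search for "-L" in the string would also fire on a login name passed with "-l", and would miss a clustered "-fNL8080:host:80". Correlating the alert with the process's network connections, as the Detection table below suggests, separates administrative forwarding from tunnels used for lateral movement.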
Detection
ID | Data source and component | Description
---|---|---
DS0029 | Network Traffic: Network Traffic Content | Monitor and analyze traffic patterns and perform packet inspection for protocols that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with those traffic patterns (e.g. monitor anomalies in the use of files that do not normally initiate connections for the respective protocol).
DS0029 | Network Traffic: Network Connection Creation | Monitor for newly constructed network connections that are sent or received by untrusted hosts.
DS0029 | Network Traffic: Network Traffic Flow | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication, or that have never been seen before, are suspicious.
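The three data components in the table map onto three checks that can be run over connection records: an unknown source host (connection creation), a process that has never used the network or is using a new port (traffic flow), and a payload protocol that does not match the port it runs on (traffic content). The added example below (not product code) implements all three against a learned baseline. The flow fields, the expected-protocol table, the host and process names and every record are constructed for the demo.

```python
"""Flow-level checks for protocol tunneling, keyed to the three DS0029 components
in the Detection table. Added example; flow fields, the expected-protocol map and
all records are constructed for the demo and do not come from any product."""
from collections import defaultdict

# Application protocol a sensor is expected to identify on each port (assumption).
EXPECTED_PROTO = {22: "ssh", 53: "dns", 80: "http", 443: "tls", 445: "smb", 3389: "rdp"}

# Constructed baseline flows from a period considered clean.
BASELINE_FLOWS = [
    {"src_host": "ws-01", "process": "chrome.exe", "dport": 443, "app_proto": "tls"},
    {"src_host": "ws-01", "process": "chrome.exe", "dport": 80, "app_proto": "http"},
    {"src_host": "ws-01", "process": "ssh.exe", "dport": 22, "app_proto": "ssh"},
    {"src_host": "ws-02", "process": "outlook.exe", "dport": 443, "app_proto": "tls"},
    {"src_host": "srv-app", "process": "svchost.exe", "dport": 53, "app_proto": "dns"},
]

# Constructed flows to evaluate against the baseline.
NEW_FLOWS = [
    {"src_host": "ws-01", "process": "chrome.exe", "dport": 443, "app_proto": "tls"},    # normal
    {"src_host": "ws-01", "process": "ssh.exe", "dport": 443, "app_proto": "ssh"},        # SSH carried on 443
    {"src_host": "ws-02", "process": "notepad.exe", "dport": 443, "app_proto": "tls"},    # never used the network
    {"src_host": "ws-99", "process": "chrome.exe", "dport": 443, "app_proto": "tls"},     # host with no baseline
    {"src_host": "srv-app", "process": "svchost.exe", "dport": 443, "app_proto": "rdp"},  # RDP carried on 443
]


class FlowBaseline:
    """Learns which processes talk to which ports and which source hosts are known."""

    def __init__(self):
        self.proc_ports = defaultdict(set)
        self.known_hosts = set()

    def learn(self, flows):
        for f in flows:
            self.proc_ports[f["process"]].add(f["dport"])
            self.known_hosts.add(f["src_host"])

    def evaluate(self, flow):
        """Return the list of reasons a flow is suspicious (empty if none)."""
        reasons = []
        proc, port, proto = flow["process"], flow["dport"], flow.get("app_proto")
        # Network Connection Creation: connection from a host with no baseline.
        if flow["src_host"] not in self.known_hosts:
            reasons.append("untrusted_source_host")
        # Network Traffic Flow: process never seen on the network, or on a new port.
        if proc not in self.proc_ports:
            reasons.append("first_seen_network_process")
        elif port not in self.proc_ports[proc]:
            reasons.append("new_port_for_process")
        # Network Traffic Content: identified protocol differs from the port's expected one.
        expected = EXPECTED_PROTO.get(port)
        if expected and proto and proto != expected:
            reasons.append(f"protocol_mismatch:{proto}_on_{port}")
        return reasons


def scan_flows(baseline, flows):
    """Return (flow, reasons) for every flow with at least one reason."""
    return [(f, r) for f in flows if (r := baseline.evaluate(f))]
```

With the baseline learned from BASELINE_FLOWS, scan_flows flags four of the five new records and leaves the ordinary browser flow alone. The protocol-mismatch check only works where the sensor can identify the inner protocol; SSH or RDP wrapped in TLS on 443 looks like "tls" to it, which is exactly why the process-level and host-level checks are kept alongside it rather than relied on individually.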
Mitigation
ID | Name | Description
---|---|---
M1037 | Filter Network Traffic | Consider filtering network traffic to untrusted or known bad domains and resources.
M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.