T1095 Non-Application Layer Protocol Mappings

Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).

ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-3 Access Enforcement Protects T1095 Non-Application Layer Protocol
AC-4 Information Flow Enforcement Protects T1095 Non-Application Layer Protocol
CA-7 Continuous Monitoring Protects T1095 Non-Application Layer Protocol
CM-2 Baseline Configuration Protects T1095 Non-Application Layer Protocol
CM-6 Configuration Settings Protects T1095 Non-Application Layer Protocol
CM-7 Least Functionality Protects T1095 Non-Application Layer Protocol
SC-7 Boundary Protection Protects T1095 Non-Application Layer Protocol
SI-10 Information Input Validation Protects T1095 Non-Application Layer Protocol
SI-15 Information Output Filtering Protects T1095 Non-Application Layer Protocol
SI-3 Malicious Code Protection Protects T1095 Non-Application Layer Protocol
SI-4 System Monitoring Protects T1095 Non-Application Layer Protocol