Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-3 | Access Enforcement | Protects | T1095 | Non-Application Layer Protocol | |
| AC-4 | Information Flow Enforcement | Protects | T1095 | Non-Application Layer Protocol | |
| CA-7 | Continuous Monitoring | Protects | T1095 | Non-Application Layer Protocol | |
| CM-2 | Baseline Configuration | Protects | T1095 | Non-Application Layer Protocol | |
| CM-6 | Configuration Settings | Protects | T1095 | Non-Application Layer Protocol | |
| CM-7 | Least Functionality | Protects | T1095 | Non-Application Layer Protocol | |
| SC-7 | Boundary Protection | Protects | T1095 | Non-Application Layer Protocol | |
| SI-10 | Information Input Validation | Protects | T1095 | Non-Application Layer Protocol | |
| SI-15 | Information Output Filtering | Protects | T1095 | Non-Application Layer Protocol | |
| SI-3 | Malicious Code Protection | Protects | T1095 | Non-Application Layer Protocol | |
| SI-4 | System Monitoring | Protects | T1095 | Non-Application Layer Protocol |