T1572 Protocol Tunneling

Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.

There are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling)

Protocol Tunneling may also be abused by adversaries during Dynamic Resolution. With DNS over HTTPS (DoH), the DNS queries that resolve C2 infrastructure are encapsulated within encrypted HTTPS traffic, so they never appear at the organization's own resolvers.(Citation: BleepingComp Godlua JUL19)

Adversaries may also leverage Protocol Tunneling in conjunction with Proxy and/or Protocol or Service Impersonation to further conceal C2 communications and infrastructure.


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

DE.AE-02.01 | Event analysis and detection | Mitigates | T1572 | Protocol Tunneling
    Comments: This diagnostic statement provides for implementing, through security tools such as antivirus and IDS/IPS, methods that block similar future attacks and protect against threats and exploitation attempts.

DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1572 | Protocol Tunneling
    Comments: This diagnostic statement provides protection from Protocol Tunneling by using tools to detect and block unauthorized devices and connections, preventing their abuse by adversaries.

DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1572 | Protocol Tunneling
    Comments: This diagnostic statement protects against adversaries using tunneling to encapsulate one protocol within another. Network intrusion detection and prevention systems that use network signatures to identify the traffic of specific adversary malware can be used to mitigate the activity at the network level.

PR.IR-04.01 | Utilization monitoring | Mitigates | T1572 | Protocol Tunneling
    Comments: This diagnostic statement describes how the organization establishes and manages baseline measures of network activity, supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms for these types of network-based techniques may include Data Loss Prevention (DLP), filtering network traffic, limiting network traffic, Network Intrusion Prevention Systems (NIPS), and network segmentation.

PR.IR-01.02 | Network device configurations | Mitigates | T1572 | Protocol Tunneling
    Comments: This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to block or filter traffic to untrusted or known-bad domains and resources can prevent tunneling of network communications.

PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1572 | Protocol Tunneling
    Comments: This diagnostic statement protects against Protocol Tunneling through secure network configurations and architecture, implementation of zero trust architecture, and segmentation.

PR.IR-01.04 | Wireless network protection | Mitigates | T1572 | Protocol Tunneling
    Comments: This diagnostic statement provides protections for wireless networks. Wireless network management measures such as network segmentation and access controls reduce the attack surface, restrict adversary movement, and protect data from compromise.

PR.PS-01.08 | End-user device protection | Mitigates | T1572 | Protocol Tunneling
    Comments: This diagnostic statement protects against Protocol Tunneling by limiting access to resources to authorized devices only, managing personal computing devices, network intrusion prevention, and the use of antimalware.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

CA-07 | Continuous Monitoring | mitigates | T1572 | Protocol Tunneling
CM-06 | Configuration Settings | mitigates | T1572 | Protocol Tunneling
SI-10 | Information Input Validation | mitigates | T1572 | Protocol Tunneling
SI-15 | Information Output Filtering | mitigates | T1572 | Protocol Tunneling
SI-03 | Malicious Code Protection | mitigates | T1572 | Protocol Tunneling
CM-02 | Baseline Configuration | mitigates | T1572 | Protocol Tunneling
CM-07 | Least Functionality | mitigates | T1572 | Protocol Tunneling
SI-04 | System Monitoring | mitigates | T1572 | Protocol Tunneling
AC-03 | Access Enforcement | mitigates | T1572 | Protocol Tunneling
AC-04 | Information Flow Enforcement | mitigates | T1572 | Protocol Tunneling
SC-07 | Boundary Protection | mitigates | T1572 | Protocol Tunneling

VERIS Mappings

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

alerts_for_dns | Alerts for DNS | technique_scores | T1572 | Protocol Tunneling
    Comments: Can identify protocol misuse/anomalies in DNS. Because this detection is specific to DNS, its coverage score is Minimal, resulting in an overall Minimal score.
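The DNS anomaly detection this mapping describes can be approximated from ordinary resolver query logs. The following is an added example written for this page, not the Azure service's own logic: it groups queries per (client, registered domain) and flags groups that show several tunneling signals at once (long leftmost labels, high label entropy, a new name on almost every query, and a preference for payload-carrying record types). The log format, the thresholds, the two-label approximation of a registered domain, and the sample log lines are all constructed assumptions. Note the limit this illustrates: queries carried in DoH, as described in the technique text above, never reach the monitored resolver and so are invisible to it.

```python
"""Heuristic detection of DNS tunneling in resolver query logs (added example).

Log lines are constructed in a simplified "<timestamp> <client-ip> <qtype> <qname>"
format, which is an assumption for this example and not a real resolver's log format.
"""
import hashlib
import math
from collections import defaultdict

# Record types that comfortably carry encoded payloads back to the client.
PAYLOAD_QTYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; hex/base32-encoded data scores close to its alphabet size."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname: str) -> str:
    """Approximate the registered domain as the last two labels.

    Assumption for the example: a production detector should consult the Public
    Suffix List so that 'host.example.co.uk' is not collapsed to 'co.uk'.
    """
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_line(line: str):
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return ts, client, qtype.upper(), qname.lower().rstrip(".")


def analyze(log_text: str, min_queries: int = 5):
    """Group queries per (client, domain) and flag groups showing >= 2 tunneling signals."""
    groups = defaultdict(lambda: {"n": 0, "names": set(), "label_len": 0,
                                  "entropy": 0.0, "payload": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, qtype, qname = rec
        domain = registrable_domain(qname)
        sub = qname[: -len(domain)].rstrip(".")        # everything left of the domain
        first_label = sub.split(".")[0] if sub else ""  # where tunnels put their payload
        g = groups[(client, domain)]
        g["n"] += 1
        g["names"].add(qname)
        g["label_len"] += len(first_label)
        g["entropy"] += shannon_entropy(first_label)
        if qtype in PAYLOAD_QTYPES:
            g["payload"] += 1

    findings = []
    for (client, domain), g in groups.items():
        n = g["n"]
        if n < min_queries:
            continue
        reasons = []
        if g["label_len"] / n >= 30:
            reasons.append("long leftmost labels")
        if g["entropy"] / n >= 3.0:
            reasons.append("high-entropy labels")
        if len(g["names"]) / n >= 0.9:
            reasons.append("almost every query is a new name")   # cache is never hit
        if g["payload"] / n >= 0.5:
            reasons.append("mostly TXT/NULL/CNAME")
        if len(reasons) >= 2:
            findings.append({"client": client, "domain": domain,
                             "queries": n, "reasons": reasons})
    return findings


def constructed_log() -> str:
    """Benign browsing from 10.0.0.5 plus a tunnel client at 10.0.0.9 (constructed data)."""
    lines = [
        "2024-05-01T10:00:01 10.0.0.5 A www.example.com",
        "2024-05-01T10:00:02 10.0.0.5 A cdn.example.com",
        "2024-05-01T10:00:03 10.0.0.5 AAAA mail.example.com",
        "2024-05-01T10:00:04 10.0.0.5 A api.example.com",
        "2024-05-01T10:00:05 10.0.0.5 A www.example.com",
        "2024-05-01T10:00:06 10.0.0.5 A www.example.com",
    ]
    # Tunnel client: each query carries a hex-encoded chunk in the leftmost label.
    for i in range(8):
        chunk = hashlib.sha256(f"constructed chunk {i}".encode()).hexdigest()[:48]
        lines.append(f"2024-05-01T10:00:{10 + i:02d} 10.0.0.9 TXT {chunk}.t.evil-tunnel.test")
    return "\n".join(lines)


if __name__ == "__main__":
    for f in analyze(constructed_log()):
        print(f"{f['client']} -> {f['domain']} ({f['queries']} queries): {', '.join(f['reasons'])}")
```

Requiring two independent signals keeps CDN and anti-spam lookups (which also produce long or random-looking names) from tripping the detector on their own; the thresholds should be tuned against the baseline of the network being monitored.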

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

cloud_ngfw | Cloud Next-Generation Firewall (NGFW) | technique_scores | T1572 | Protocol Tunneling
    Comments: Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block traffic from known-bad IP addresses and domains, which could protect against protocol tunneling by adversaries. This mapping is given a score of partial because it only blocks known-bad IP addresses and domains and does not protect against unknown ones.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

aws_network_firewall | AWS Network Firewall | technique_scores | T1572 | Protocol Tunneling
    Comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic from known-bad IP addresses and domains, which could protect against protocol tunneling by adversaries. This mapping is given a score of partial because it only blocks known-bad IP addresses and domains and does not protect against unknown ones.
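The protocol-based and payload-inspection controls described in the GCP and AWS mappings above can be expressed as stateful rules. The rules below are an added example written for this page, not AWS's or Google's own rule content; they use Suricata syntax, which AWS Network Firewall stateful rule groups accept. The local SIDs, the $HOME_NET/$EXTERNAL_NET variables, the byte-size and rate thresholds, and the resolver names in the SNI rules are assumptions chosen for illustration.

```suricata
# Added example rules (Suricata syntax). SIDs in the local 1000000+ range, the
# network variables and the thresholds are assumptions, not vendor-supplied values.

# 1. Block direct SMB/RDP egress. These are the protocols the technique text names as
#    normally filtered at the boundary; an adversary who still needs them must tunnel
#    them, which rules 2-5 are there to catch.
drop tcp $HOME_NET any -> $EXTERNAL_NET [445,3389] (msg:"Direct SMB/RDP egress blocked"; flow:to_server; sid:1000001; rev:1;)

# 2. SSH identified by payload (the SSH-2.0 banner exchange) on any port other than 22.
#    Moving an SSH tunnel to 443 or 80 does not evade an app-layer protocol check.
alert tcp $HOME_NET any -> $EXTERNAL_NET !22 (msg:"SSH protocol on non-standard port (possible SSH tunnel)"; flow:to_server,established; app-layer-protocol:ssh; sid:1000002; rev:1;)

# 3. Oversized DNS query names: tunnels pack encoded data into labels, so names grow long.
alert dns $HOME_NET any -> any 53 (msg:"Oversized DNS query name (possible DNS tunnel)"; dns.query; bsize:>100; sid:1000003; rev:1;)

# 4. One host sending a burst of long DNS queries in a short window.
alert dns $HOME_NET any -> any 53 (msg:"Burst of long DNS queries from one host"; dns.query; bsize:>60; threshold:type threshold, track by_src, count 100, seconds 60; sid:1000004; rev:1;)

# 5. TLS to a public DNS-over-HTTPS resolver, identified by the SNI. A sanctioned
#    resolver should be allowed by an earlier pass rule; these examples drop two public ones.
drop tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"DNS-over-HTTPS to public resolver (SNI)"; tls.sni; content:"dns.google"; nocase; endswith; sid:1000005; rev:1;)
drop tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"DNS-over-HTTPS to public resolver (SNI)"; tls.sni; content:"cloudflare-dns.com"; nocase; endswith; sid:1000006; rev:1;)
```

Two limits are worth stating. Rule 2 relies on seeing the SSH banner, so an SSH session wrapped inside TLS (or any tunnel whose outer layer is itself encrypted) is invisible to it; only the outer protocol can be judged, which is why the mappings score these controls as partial. Rules 5 and 6 depend on a cleartext SNI and on a list of known resolvers, so a DoH endpoint that is not on the list, or a client using Encrypted Client Hello, passes through.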