T1572 Protocol Tunneling

Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection or network filtering, or to reach systems that are otherwise unreachable. Tunneling involves explicitly encapsulating one protocol within another. This may conceal malicious traffic by blending it with existing traffic and may add an outer layer of encryption (similar to a VPN). Tunneling can also carry packets that would otherwise never reach their destination, such as SMB, RDP, or other traffic that network appliances filter or that is not routed over the Internet.

There are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which forwards arbitrary data over an encrypted SSH tunnel; a local forward such as `ssh -L 3389:internal-host:3389 user@pivot` exposes an otherwise unreachable RDP service on a local port, and only SSH is visible on the wire.(Citation: SSH Tunneling)

Protocol Tunneling may also be abused by adversaries during Dynamic Resolution. With DNS over HTTPS (DoH), queries to resolve C2 infrastructure are encapsulated within encrypted HTTPS traffic, so they bypass the organization's resolver and its logging.(Citation: BleepingComp Godlua JUL19)

Adversaries may also leverage Protocol Tunneling in conjunction with Proxy and/or Protocol or Service Impersonation to further conceal C2 communications and infrastructure.
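The following is an added detection example, not part of the ATT&CK description or of any mapped control. It profiles a resolver query log for the indicators that DNS-based tunnels typically leave behind: long, high-entropy leftmost labels, a near-unique subdomain per query (each query carries a fresh chunk of data), and a high share of record types that tunneling tools commonly use as a data channel (TXT, NULL). The log format, the thresholds, the "last two labels" approximation of a registrable domain, and the sample lines are all assumptions chosen for the illustration; a production version would use the Public Suffix List and tune thresholds against the organization's own baseline.

```python
import math
from collections import defaultdict

# Constructed sample resolver query log (not captured from any real environment).
# Assumed line format: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.com A
2024-05-01T10:00:02Z 10.0.0.5 mail.example.com MX
2024-05-01T10:00:03Z 10.0.0.7 cdn.example.com A
2024-05-01T10:00:05Z 10.0.0.5 www.example.com AAAA
2024-05-01T10:00:06Z 10.0.0.7 api.example.com A
2024-05-01T10:00:04Z 10.0.0.9 3q2f8a1c9e7d5b4f6a0c2e8d1b3f5a7c.evil-tunnel.test TXT
2024-05-01T10:00:04Z 10.0.0.9 9e7d5b4f6a0c2e8d1b3f5a7c3q2f8a1c.evil-tunnel.test TXT
2024-05-01T10:00:05Z 10.0.0.9 b4f6a0c2e8d1b3f5a7c3q2f8a1c9e7d5.evil-tunnel.test TXT
2024-05-01T10:00:05Z 10.0.0.9 1b3f5a7c3q2f8a1c9e7d5b4f6a0c2e8d.evil-tunnel.test NULL
2024-05-01T10:00:06Z 10.0.0.9 6a0c2e8d1b3f5a7c3q2f8a1c9e7d5b4f.evil-tunnel.test TXT
2024-05-01T10:00:06Z 10.0.0.9 c9e7d5b4f6a0c2e8d1b3f5a7c3q2f8a1.evil-tunnel.test NULL
"""

# Record types commonly used as the downstream data channel by DNS tunneling tools.
TUNNEL_QTYPES = {"TXT", "NULL"}


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client,
            "qname": qname.lower().rstrip("."), "qtype": qtype.upper()}


def registered_domain(qname):
    # Assumption: the registrable domain is the last two labels. Real deployments
    # should consult the Public Suffix List so that "co.uk"-style suffixes work.
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def subdomain_part(qname):
    """Everything left of the registered domain; this is where tunnel data lives."""
    labels = qname.split(".")
    return ".".join(labels[:-2]) if len(labels) > 2 else ""


def shannon_entropy(s):
    """Shannon entropy in bits per character; encoded payload scores near log2(alphabet)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile_domains(log_text):
    """Aggregate per registered domain the features that distinguish tunnels."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "entropy_sum": 0.0, "len_sum": 0, "tunnel_qtypes": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        sub = subdomain_part(rec["qname"])
        st = stats[registered_domain(rec["qname"])]
        st["queries"] += 1
        st["subdomains"].add(sub)
        st["entropy_sum"] += shannon_entropy(sub)
        st["len_sum"] += len(sub)
        if rec["qtype"] in TUNNEL_QTYPES:
            st["tunnel_qtypes"] += 1
    profiles = {}
    for dom, st in stats.items():
        n = st["queries"]
        profiles[dom] = {
            "queries": n,
            "unique_ratio": len(st["subdomains"]) / n,   # fresh subdomain per query?
            "mean_entropy": st["entropy_sum"] / n,       # encoded payload looks random
            "mean_len": st["len_sum"] / n,               # tunnels pack labels full
            "tunnel_qtype_ratio": st["tunnel_qtypes"] / n,
        }
    return profiles


def flag_tunneling(profiles, min_queries=5, min_indicators=2):
    """Flag domains that trip at least min_indicators of the four heuristics.

    Thresholds are assumed starting points, not calibrated values."""
    flagged = []
    for dom, p in profiles.items():
        if p["queries"] < min_queries:        # too little data to judge
            continue
        indicators = [
            p["mean_entropy"] >= 3.5,
            p["mean_len"] >= 30,
            p["unique_ratio"] >= 0.9,
            p["tunnel_qtype_ratio"] >= 0.5,
        ]
        if sum(indicators) >= min_indicators:
            flagged.append(dom)
    return sorted(flagged)


if __name__ == "__main__":
    prof = profile_domains(SAMPLE_LOG)
    for dom in flag_tunneling(prof):
        print("possible DNS tunnel:", dom, prof[dom])
```

Requiring two independent indicators keeps CDN hostnames with hashed labels (long but repeated, and resolved as A/AAAA) from firing on length alone. Note the coverage limit that also applies to the Azure DNS alert mapped below: this only works where the organization's resolver sees the queries. A client that speaks DoH directly to an external resolver never appears in this log, and the detection has to move to the HTTPS layer (egress policy on known DoH endpoints) instead.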


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

DE.AE-02.01 | Event analysis and detection | Mitigates | T1572 | Protocol Tunneling
Comments: This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS, providing protection against threats and exploitation attempts.

DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1572 | Protocol Tunneling
Comments: This diagnostic statement provides protection from Protocol Tunneling by using tools to detect and block unauthorized devices and connections, preventing abuse by adversaries.

DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1572 | Protocol Tunneling
Comments: This diagnostic statement protects against adversaries using tunneling to encapsulate a protocol within another protocol. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

PR.IR-04.01 | Utilization monitoring | Mitigates | T1572 | Protocol Tunneling
Comments: This diagnostic statement describes how the organization establishes and manages baseline measures of network activity, supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms for these types of network-based techniques may include Data Loss Prevention (DLP), filtering network traffic, limiting network traffic, Network Intrusion Prevention Systems (NIPS), and network segmentation.

PR.IR-01.02 | Network device configurations | Mitigates | T1572 | Protocol Tunneling
Comments: This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to block or filter traffic to untrusted or known bad domains and resources can prevent tunneling of network communications.

PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1572 | Protocol Tunneling
Comments: This diagnostic statement protects against Protocol Tunneling through secure network configurations and architecture, implementation of zero trust architecture, and segmentation.

PR.IR-01.04 | Wireless network protection | Mitigates | T1572 | Protocol Tunneling
Comments: This diagnostic statement provides protections for wireless networks. Wireless network management measures such as network segmentation and access controls reduce the attack surface, restrict movement by adversaries, and protect data from compromise.

PR.PS-01.08 | End-user device protection | Mitigates | T1572 | Protocol Tunneling
Comments: This diagnostic statement protects against Protocol Tunneling by limiting access to resources to authorized devices only, managing personal computing devices, network intrusion prevention, and the use of antimalware.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

CA-07 | Continuous Monitoring | Mitigates | T1572 | Protocol Tunneling
CM-06 | Configuration Settings | Mitigates | T1572 | Protocol Tunneling
SI-10 | Information Input Validation | Mitigates | T1572 | Protocol Tunneling
SI-15 | Information Output Filtering | Mitigates | T1572 | Protocol Tunneling
SI-03 | Malicious Code Protection | Mitigates | T1572 | Protocol Tunneling
CM-02 | Baseline Configuration | Mitigates | T1572 | Protocol Tunneling
CM-07 | Least Functionality | Mitigates | T1572 | Protocol Tunneling
SI-04 | System Monitoring | Mitigates | T1572 | Protocol Tunneling
AC-03 | Access Enforcement | Mitigates | T1572 | Protocol Tunneling
AC-04 | Information Flow Enforcement | Mitigates | T1572 | Protocol Tunneling
SC-07 | Boundary Protection | Mitigates | T1572 | Protocol Tunneling


Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

alerts_for_dns | Alerts for DNS | technique_scores | T1572 | Protocol Tunneling
Comments: Can identify protocol misuse and anomalies in DNS. Because this detection is specific to DNS, its coverage score is Minimal, resulting in an overall Minimal score.

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

cloud_ngfw | Cloud Next-Generation Firewall (NGFW) | technique_scores | T1572 | Protocol Tunneling
Comments: Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block traffic from known bad IP addresses and domains, which could protect against protocol tunneling by adversaries. This mapping is given a score of Partial because it only blocks known bad IP addresses and domains and does not protect against unknown ones.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

aws_network_firewall | AWS Network Firewall | technique_scores | T1572 | Protocol Tunneling
Comments: AWS Network Firewall can pass, drop, or alert on traffic based on the network protocol and can perform deep packet inspection on the payload. This functionality can be used to block traffic from known bad IP addresses and domains, which could protect against protocol tunneling by adversaries. This mapping is given a score of Partial because it only blocks known bad IP addresses and domains and does not protect against unknown ones.