Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.
In ESXi environments, adversaries may leverage the Virtual Machine Communication Interface (VMCI) for communication between guest virtual machines and the ESXi host. This traffic is similar to client-server communications on traditional network sockets but is localized to the physical machine running the ESXi host, meaning it does not traverse external networks (routers, switches). This results in communications that are invisible to external monitoring and standard networking tools like tcpdump, netstat, nmap, and Wireshark. By adding a VMCI backdoor to a compromised ESXi host, adversaries may persistently regain access from any guest VM to the compromised ESXi host’s backdoor, regardless of network segmentation or firewall rules in place.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| I&S-03 | Network Security | mitigates | T1095 | Non-Application Layer Protocol |
Comments
This control provides for monitoring, encrypting, and restricting communications between environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Filtering network traffic to prevent use of protocols across the network boundary that are unnecessary can prevent the use of an OSI non-application layer protocol for communication. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware and uncommon patterns or flows can be used to mitigate activity at the network level.
References
|
| I&S-06 | Segmentation and Segregation | mitigates | T1095 | Non-Application Layer Protocol |
Comments
This control provides for appropriately segmented and segregated cloud environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Configuring firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems and also ensuring hosts are only provisioned to communicate over authorized interfaces can prevent the use of an OSI non-application layer protocol for communication.
References
|
| UEM-10 | Software Firewall | mitigates | T1095 | Non-Application Layer Protocol |
Comments
This control describes how CSPs and CSCs must install, update, and properly configure endpoint and software-defined firewalls, regularly review and approve firewall rule changes, and monitor traffic for anomalies and malicious code. These mitigative actions help prevent unauthorized access, block threats, and ensure only approved firewall rules are active.
References
|
| I&S-09 | Network Defense | mitigates | T1095 | Non-Application Layer Protocol |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Configuring firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems and also ensuring hosts are only provisioned to communicate over authorized interfaces can prevent the use of an OSI non-application layer protocol for communication. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware and uncommon patterns or flows can be used to mitigate activity at the network level.
References
|