Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.
There are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling)(Citation: Sygnia Abyss Locker 2025)
Protocol Tunneling may also be abused by adversaries during Dynamic Resolution. Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19)
Adversaries may also leverage Protocol Tunneling in conjunction with Proxy and/or Protocol or Service Impersonation to further conceal C2 communications and infrastructure.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| I&S-03 | Network Security | mitigates | T1572 | Protocol Tunneling |
Comments
This control provides for monitoring, encrypting, and restricting communications between environments. Configuring firewalls to filter network traffic to untrusted domains or hosts can prevent encapsulating a protocol within another protocol for communication. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware and unexpected protocol standards or traffic flows can be used to mitigate activity at the network level.
References
|
| I&S-06 | Segmentation and Segregation | mitigates | T1572 | Protocol Tunneling |
Comments
This control provides for appropriately segmented and segregated cloud environments. Configuring firewalls to filter network traffic to untrusted domains or hosts can prevent encapsulating a protocol within another protocol for communication.
References
|
| UEM-10 | Software Firewall | mitigates | T1572 | Protocol Tunneling |
Comments
This control describes how CSPs and CSCs must install, update, and properly configure endpoint and software-defined firewalls, regularly review and approve firewall rule changes, and monitor traffic for anomalies and malicious code. These mitigative actions help prevent unauthorized access, block threats, and ensure only approved firewall rules are active.
References
|
| I&S-09 | Network Defense | mitigates | T1572 | Protocol Tunneling |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Configuring firewalls to filter network traffic to untrusted domains or hosts can prevent encapsulating a protocol within another protocol for communication. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware and unexpected protocol standards or traffic flows can be used to mitigate activity at the network level.
References
|