Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.
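Because ICMP is rarely inspected as closely as TCP or UDP, a practical defensive step is to baseline it and flag the traits of a covert channel: payloads far larger than stock ping tools send, sizable data coming back in echo replies, and metronomic timing between a host pair. The following is an added example, not part of this mapping page or of any MITRE or Microsoft tooling; it runs over constructed flow records loosely shaped like Zeek conn.log fields, and all thresholds and host addresses are assumptions.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed flow records (ts, src, dst, proto, orig_bytes, resp_bytes), loosely
# shaped like Zeek conn.log fields. Not real traffic; the 10.0.0.9 host is the
# planted anomaly.
SAMPLE_FLOWS = [
    (1000.0, "10.0.0.5", "10.0.0.1", "icmp", 56, 56),          # ordinary Linux ping
    (1003.7, "10.0.0.5", "10.0.0.1", "icmp", 56, 56),
    (1010.2, "10.0.0.7", "10.0.0.1", "icmp", 32, 32),          # ordinary Windows ping
    (2000.0, "10.0.0.9", "203.0.113.10", "icmp", 1400, 1200),  # oversized, periodic
    (2030.0, "10.0.0.9", "203.0.113.10", "icmp", 1400, 1180),
    (2060.1, "10.0.0.9", "203.0.113.10", "icmp", 1400, 1210),
    (2090.0, "10.0.0.9", "203.0.113.10", "icmp", 1400, 1195),
    (2120.0, "10.0.0.9", "203.0.113.10", "icmp", 1400, 1201),
    (2150.1, "10.0.0.9", "203.0.113.10", "icmp", 1400, 1190),
    (3000.0, "10.0.0.5", "10.0.0.2", "tcp", 500, 4000),        # not ICMP, ignored
]

# Payload sizes produced by stock ping tools; anything well above these is unusual.
COMMON_PING_SIZES = {0, 32, 56, 64}

def flag_icmp_anomalies(flows, size_limit=256, min_flows=5, max_jitter=1.0):
    """Return {(src, dst): [reasons]} for ICMP host pairs showing tunnelling traits."""
    pairs = defaultdict(list)
    for ts, src, dst, proto, obytes, rbytes in flows:
        if proto == "icmp":
            pairs[(src, dst)].append((ts, obytes, rbytes))
    findings = {}
    for pair, pkts in pairs.items():
        reasons = []
        oversized = [o for _, o, _ in pkts if o not in COMMON_PING_SIZES and o > size_limit]
        if oversized:
            reasons.append(f"{len(oversized)} ICMP packets with payload > {size_limit} bytes")
        # Echo replies carrying lots of data back suggest a bidirectional channel.
        if any(r > size_limit for _, _, r in pkts):
            reasons.append("large ICMP reply payloads (data flowing back to host)")
        # Low jitter between many packets to one peer is a beaconing signature.
        if len(pkts) >= min_flows:
            ts_sorted = sorted(t for t, _, _ in pkts)
            gaps = [b - a for a, b in zip(ts_sorted, ts_sorted[1:])]
            if pstdev(gaps) <= max_jitter:
                reasons.append(f"beacon-like timing: {len(pkts)} packets every ~{sum(gaps)/len(gaps):.0f}s")
        if reasons:
            findings[pair] = reasons
    return findings

if __name__ == "__main__":
    for (src, dst), why in flag_icmp_anomalies(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: " + "; ".join(why))
```

On a real sensor the size and jitter thresholds should be tuned against the environment's own ICMP baseline, since monitoring tools and some network appliances also emit regular pings.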
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-3 | Access Enforcement | Protects | T1095 | Non-Application Layer Protocol | |
AC-4 | Information Flow Enforcement | Protects | T1095 | Non-Application Layer Protocol | |
CA-7 | Continuous Monitoring | Protects | T1095 | Non-Application Layer Protocol | |
CM-2 | Baseline Configuration | Protects | T1095 | Non-Application Layer Protocol | |
CM-6 | Configuration Settings | Protects | T1095 | Non-Application Layer Protocol | |
CM-7 | Least Functionality | Protects | T1095 | Non-Application Layer Protocol | |
SC-7 | Boundary Protection | Protects | T1095 | Non-Application Layer Protocol | |
SI-10 | Information Input Validation | Protects | T1095 | Non-Application Layer Protocol | |
SI-15 | Information Output Filtering | Protects | T1095 | Non-Application Layer Protocol | |
SI-3 | Malicious Code Protection | Protects | T1095 | Non-Application Layer Protocol | |
SI-4 | System Monitoring | Protects | T1095 | Non-Application Layer Protocol | |
network_security_groups | Network Security Groups | technique_scores | T1095 | Non-Application Layer Protocol | Comments: This control can be used to restrict access to trusted networks and protocols. |
azure_firewall | Azure Firewall | technique_scores | T1095 | Non-Application Layer Protocol | Comments: This control's threat intelligence-based filtering feature can be enabled to alert on and deny traffic to/from known malicious IP addresses and domains, sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not protect against such attacks from unknown ones, it is scored as partial coverage, resulting in an overall Partial score. Furthermore, it can be used to filter non-application layer protocol traffic such as ICMP. |