T1095 Non-Application Layer Protocol Mappings

Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).

ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, every IP-compatible host is required to implement it (Citation: Microsoft ICMP); however, it is not monitored as closely as TCP or UDP traffic, and adversaries may use it to hide communications. An echo request or reply carries an arbitrary data field, so commands or exfiltrated data can be placed in it without any protocol violation, and without an inspection rule that looks at the payload the traffic is indistinguishable from ping at the flow level.
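The inspection point above is the one a defender can act on: ordinary ping tools fill the echo payload with a predictable pattern, whereas a covert channel fills it with commands or encrypted data. The following is an added example, not code from the ATT&CK page or from any of the products mapped below. It builds a few IPv4/ICMP frames in memory (constructed sample traffic, not a capture), verifies the ICMP checksum, and scores each echo packet on whether its payload matches a known ping fill pattern, its size, and its byte entropy; the two fill patterns, the 64-byte size limit and the 6.0 bits/byte entropy threshold are assumptions chosen for the demonstration, not published detection rules.

```python
"""Heuristic detection of ICMP echo traffic used as a covert C2 channel.

Added example, not from the ATT&CK page or any mapped vendor product. The
packets are constructed inline; the "standard ping payload" patterns, the size
limit and the entropy threshold are assumptions chosen for the demonstration.
"""
import hashlib
import math
import struct
from collections import Counter, defaultdict

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # Windows ping default 32-byte fill
MAX_PING_PAYLOAD = 64   # assumption: echo payloads beyond this are unusual for real pings
ENTROPY_LIMIT = 6.0     # assumption: bits/byte; encrypted or compressed data sits near 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a valid message checksums to zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_packet(src: str, dst: str, icmp_type: int, payload: bytes, ident=0x1234, seq=1) -> bytes:
    """IPv4 + ICMP frame with correct checksums (used only to construct sample traffic)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_icmp(frame: bytes):
    """Decode an IPv4/ICMP frame into a dict; return None for any other IP protocol."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1:
        return None
    icmp = frame[ihl:]
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"src": ".".join(map(str, frame[12:16])), "dst": ".".join(map(str, frame[16:20])),
            "type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": icmp[8:], "checksum_ok": inet_checksum(icmp) == 0}


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def is_standard_ping_payload(payload: bytes) -> bool:
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    # iputils ping: timestamp in the first 16 bytes, then every byte equals its own offset.
    return len(payload) >= 24 and all(payload[i] == (i & 0xFF) for i in range(16, len(payload)))


def classify(pkt: dict) -> list:
    """Reasons this packet deviates from ordinary ping; an empty list means it looks benign."""
    reasons = []
    if not pkt["checksum_ok"]:
        reasons.append("bad ICMP checksum")
    if pkt["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        reasons.append("type %d is not echo" % pkt["type"])
    payload = pkt["payload"]
    if is_standard_ping_payload(payload):
        return reasons
    reasons.append("payload does not match a known ping pattern")
    if len(payload) > MAX_PING_PAYLOAD:
        reasons.append("oversized payload (%d bytes)" % len(payload))
    ent = shannon_entropy(payload)
    if ent > ENTROPY_LIMIT:
        reasons.append("high-entropy payload (%.1f bits/byte)" % ent)
    return reasons


def analyze(frames):
    """Aggregate flagged packets per (src, dst): count, payload bytes carried, distinct reasons."""
    flows = defaultdict(lambda: {"flagged": 0, "payload_bytes": 0, "reasons": set()})
    for frame in frames:
        pkt = parse_icmp(frame)
        if pkt is None:
            continue
        reasons = classify(pkt)
        if reasons:
            f = flows[(pkt["src"], pkt["dst"])]
            f["flagged"] += 1
            f["payload_bytes"] += len(pkt["payload"])
            f["reasons"].update(reasons)
    return dict(flows)


def pseudo_random_bytes(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted C2 blob."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


# Constructed sample traffic: two ordinary pings and two covert-channel packets.
LINUX_PING = bytes(16) + bytes(range(16, 56))
SAMPLE_FRAMES = [
    build_icmp_packet("10.0.0.5", "10.0.0.1", ICMP_ECHO_REQUEST, LINUX_PING),
    build_icmp_packet("10.0.0.7", "10.0.0.1", ICMP_ECHO_REQUEST, WINDOWS_PING_PAYLOAD),
    # 56-byte plaintext beacon: the right size for a ping, the wrong contents.
    build_icmp_packet("10.0.0.9", "198.51.100.20", ICMP_ECHO_REQUEST,
                      b"BEACON host=ws01 user=alice\n".ljust(56, b"\x00")),
    # Bulk tasking/exfil blob carried in an echo reply: too large and too random for a ping.
    build_icmp_packet("10.0.0.9", "198.51.100.20", ICMP_ECHO_REPLY, pseudo_random_bytes(1400)),
]

if __name__ == "__main__":
    for (src, dst), f in analyze(SAMPLE_FRAMES).items():
        print(src, "->", dst, f["flagged"], "flagged,", f["payload_bytes"], "bytes:", sorted(f["reasons"]))
```

Only the 10.0.0.9 to 198.51.100.20 pair is reported; the Linux-style and Windows-style pings pass untouched. The payload-pattern check matters because the beacon packet is exactly 56 bytes and would pass any size-only rule, while the entropy check catches encrypted data regardless of size. On real traffic, run the same scoring over packets from a span port or a pcap and expect some noise from tools that use their own fill bytes; the per-pair aggregation is what lets a persistent channel stand out from one-off oddities.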


Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
AC-3 | Access Enforcement | Protects | T1095 | Non-Application Layer Protocol
AC-4 | Information Flow Enforcement | Protects | T1095 | Non-Application Layer Protocol
CA-7 | Continuous Monitoring | Protects | T1095 | Non-Application Layer Protocol
CM-2 | Baseline Configuration | Protects | T1095 | Non-Application Layer Protocol
CM-6 | Configuration Settings | Protects | T1095 | Non-Application Layer Protocol
CM-7 | Least Functionality | Protects | T1095 | Non-Application Layer Protocol
SC-7 | Boundary Protection | Protects | T1095 | Non-Application Layer Protocol
SI-10 | Information Input Validation | Protects | T1095 | Non-Application Layer Protocol
SI-15 | Information Output Filtering | Protects | T1095 | Non-Application Layer Protocol
SI-3 | Malicious Code Protection | Protects | T1095 | Non-Application Layer Protocol
SI-4 | System Monitoring | Protects | T1095 | Non-Application Layer Protocol
action.hacking.variety.Use of backdoor or C2 | Use of Backdoor or C2 channel | related-to | T1095 | Non-Application Layer Protocol
action.hacking.vector.Backdoor or C2 | Backdoor or command and control channel | related-to | T1095 | Non-Application Layer Protocol
action.malware.variety.C2 | Command and control (C2) | related-to | T1095 | Non-Application Layer Protocol
aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1095 | Non-Application Layer Protocol
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1095 | Non-Application Layer Protocol
aws_network_firewall | AWS Network Firewall | technique_scores | T1095 | Non-Application Layer Protocol