Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts (Citation: Microsoft ICMP); however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-3 | Access Enforcement | Protects | T1095 | Non-Application Layer Protocol | |
AC-4 | Information Flow Enforcement | Protects | T1095 | Non-Application Layer Protocol | |
CA-7 | Continuous Monitoring | Protects | T1095 | Non-Application Layer Protocol | |
CM-2 | Baseline Configuration | Protects | T1095 | Non-Application Layer Protocol | |
CM-6 | Configuration Settings | Protects | T1095 | Non-Application Layer Protocol | |
CM-7 | Least Functionality | Protects | T1095 | Non-Application Layer Protocol | |
SC-7 | Boundary Protection | Protects | T1095 | Non-Application Layer Protocol | |
SI-10 | Information Input Validation | Protects | T1095 | Non-Application Layer Protocol | |
SI-15 | Information Output Filtering | Protects | T1095 | Non-Application Layer Protocol | |
SI-3 | Malicious Code Protection | Protects | T1095 | Non-Application Layer Protocol | |
SI-4 | System Monitoring | Protects | T1095 | Non-Application Layer Protocol | |
action.hacking.variety.Use of backdoor or C2 | Use of Backdoor or C2 channel | related-to | T1095 | Non-Application Layer Protocol | |
action.hacking.vector.Backdoor or C2 | Backdoor or command and control channel | related-to | T1095 | Non-Application Layer Protocol | |
action.malware.variety.C2 | Command and control (C2) | related-to | T1095 | Non-Application Layer Protocol | |
aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1095 | Non-Application Layer Protocol | Comments: The following AWS IoT Device Defender cloud-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices and non-application layer protocols, especially TCP and UDP, to communicate for command and control purposes: "Source IP" ("aws:source-ip-address") values outside of expected IP address ranges may suggest that a device has been stolen. "Messages sent" ("aws:num-messages-sent"), "Messages received" ("aws:num-messages-received"), and "Message size" ("aws:message-byte-size") values outside of expected norms may indicate that devices are sending and/or receiving non-standard traffic, which may include command and control traffic. The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices and non-application layer protocols, especially TCP and UDP, to communicate for command and control purposes: "Destination IPs" ("aws:destination-ip-addresses") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. "Bytes in" ("aws:all-bytes-in"), "Bytes out" ("aws:all-bytes-out"), "Packets in" ("aws:all-packets-in"), and "Packets out" ("aws:all-packets-out") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include command and control traffic. "Listening TCP ports" ("aws:listening-tcp-ports"), "Listening TCP port count" ("aws:num-listening-tcp-ports"), "Established TCP connections count" ("aws:num-established-tcp-connections"), "Listening UDP ports" ("aws:listening-udp-ports"), and "Listening UDP port count" ("aws:num-listening-udp-ports") values outside of expected norms may indicate that devices are communicating via TCP and/or UDP on unexpected ports, which may suggest command and control traffic. Coverage factor is minimal, since these metrics are limited to IoT device communication and none of this technique's sub-techniques are addressed, resulting in an overall score of Minimal. |
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1095 | Non-Application Layer Protocol | Comments: VPC security groups and network access control lists (NACLs) can be used to restrict external network access to the minimum required and can therefore mitigate adversary attempts to utilize non-application layer protocols for communication. In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints. Because in such environments the protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage, resulting in an overall Partial score. |
aws_network_firewall | AWS Network Firewall | technique_scores | T1095 | Non-Application Layer Protocol | Comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging non-application layer protocols. Given this, the mapping is given a score of Significant. |
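As an added example (not part of this mapping page or of AWS's own tooling), the following Python evaluates a constructed Device Defender-style metrics report against a fleet baseline, flagging the conditions the AWS IoT Device Defender comments above describe: source or destination addresses outside expected ranges, listening TCP/UDP ports outside the expected set, and traffic counters beyond expected norms. The baseline ranges, port set, thresholds and the report contents are assumptions chosen for illustration.

```python
import ipaddress

# Constructed fleet baseline (an assumption, not an AWS default): expected address ranges,
# expected listening ports, and upper bounds on the traffic counters the comments name.
BASELINE = {
    "expected_source_cidrs": ["203.0.113.0/24"],        # where devices normally connect from
    "expected_destination_cidrs": ["198.51.100.0/24"],  # endpoints devices normally reach
    "allowed_tcp_ports": {8883},                         # MQTT over TLS only
    "allowed_udp_ports": set(),
    "max": {"aws:num-messages-sent": 500, "aws:message-byte-size": 4096,
            "aws:all-bytes-out": 1_000_000, "aws:all-packets-out": 5_000},
}

def _in_cidrs(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def evaluate_report(report, baseline=BASELINE):
    """Return (metric, detail) findings for every metric value outside the baseline."""
    findings = []
    src = report.get("aws:source-ip-address")            # cloud-side metric
    if src and not _in_cidrs(src, baseline["expected_source_cidrs"]):
        findings.append(("aws:source-ip-address", f"{src} outside expected ranges"))
    for ip in report.get("aws:destination-ip-addresses", []):   # device-side metric
        if not _in_cidrs(ip, baseline["expected_destination_cidrs"]):
            findings.append(("aws:destination-ip-addresses", f"{ip} outside expected ranges"))
    for key, allowed in (("aws:listening-tcp-ports", baseline["allowed_tcp_ports"]),
                         ("aws:listening-udp-ports", baseline["allowed_udp_ports"])):
        unexpected = sorted(set(report.get(key, [])) - allowed)
        if unexpected:
            findings.append((key, f"unexpected ports {unexpected}"))
    for key, limit in baseline["max"].items():           # volume counters, both sides
        value = report.get(key)
        if value is not None and value > limit:
            findings.append((key, f"{value} exceeds baseline {limit}"))
    return findings

# Constructed report: the device listens on an extra TCP port and pushes far more data
# to an address outside the expected destination range than the baseline allows.
SAMPLE_REPORT = {
    "aws:source-ip-address": "203.0.113.42",
    "aws:destination-ip-addresses": ["198.51.100.10", "192.0.2.77"],
    "aws:listening-tcp-ports": [8883, 2222],
    "aws:listening-udp-ports": [],
    "aws:num-messages-sent": 120,
    "aws:message-byte-size": 512,
    "aws:all-bytes-out": 9_800_000,
    "aws:all-packets-out": 1200,
}
```

Calling `evaluate_report(SAMPLE_REPORT)` yields three findings (unexpected destination, unexpected TCP port, bytes-out over baseline); a report that only uses the expected destination range, port 8883 and modest counters yields none.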