Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.
There are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling)
Protocol Tunneling may also be abused by adversaries during Dynamic Resolution. Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19)
Adversaries may also leverage Protocol Tunneling in conjunction with Proxy and/or Protocol Impersonation to further conceal C2 communications and infrastructure.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-3 | Access Enforcement | Protects | T1572 | Protocol Tunneling | |
| AC-4 | Information Flow Enforcement | Protects | T1572 | Protocol Tunneling | |
| CA-7 | Continuous Monitoring | Protects | T1572 | Protocol Tunneling | |
| CM-2 | Baseline Configuration | Protects | T1572 | Protocol Tunneling | |
| CM-6 | Configuration Settings | Protects | T1572 | Protocol Tunneling | |
| CM-7 | Least Functionality | Protects | T1572 | Protocol Tunneling | |
| SC-7 | Boundary Protection | Protects | T1572 | Protocol Tunneling | |
| SI-10 | Information Input Validation | Protects | T1572 | Protocol Tunneling | |
| SI-15 | Information Output Filtering | Protects | T1572 | Protocol Tunneling | |
| SI-3 | Malicious Code Protection | Protects | T1572 | Protocol Tunneling | |
| SI-4 | System Monitoring | Protects | T1572 | Protocol Tunneling |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Use of backdoor or C2 | Use of Backdoor or C2 channel | related-to | T1572 | Protocol Tunneling | |
| action.hacking.vector.Backdoor or C2 | Backdoor or command and control channel | related-to | T1572 | Protocol Tunneling | |
| action.malware.variety.C2 | Command and control (C2) | related-to | T1572 | Protocol Tunneling |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| aws_network_firewall | AWS Network Firewall | technique_scores | T1572 | Protocol Tunneling |
Comments
AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic from known bad IP addresses and domains which could protect against protocol tunneling by adversaries. This mapping is given a score of partial because it only blocks known bad IP addresses and domains and does not protect against unknown ones.
References
|