T1572 Protocol Tunneling Mappings

Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.

There are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling)

Protocol Tunneling may also be abused by adversaries during Dynamic Resolution. Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19)

Adversaries may also leverage Protocol Tunneling in conjunction with Proxy and/or Protocol Impersonation to further conceal C2 communications and infrastructure.



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-3 Access Enforcement Protects T1572 Protocol Tunneling
AC-4 Information Flow Enforcement Protects T1572 Protocol Tunneling
CA-7 Continuous Monitoring Protects T1572 Protocol Tunneling
CM-2 Baseline Configuration Protects T1572 Protocol Tunneling
CM-6 Configuration Settings Protects T1572 Protocol Tunneling
CM-7 Least Functionality Protects T1572 Protocol Tunneling
SC-7 Boundary Protection Protects T1572 Protocol Tunneling
SI-10 Information Input Validation Protects T1572 Protocol Tunneling
SI-15 Information Output Filtering Protects T1572 Protocol Tunneling
SI-3 Malicious Code Protection Protects T1572 Protocol Tunneling
SI-4 System Monitoring Protects T1572 Protocol Tunneling
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1572 Protocol Tunneling
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1572 Protocol Tunneling
action.malware.variety.C2 Command and control (C2) related-to T1572 Protocol Tunneling
aws_network_firewall AWS Network Firewall technique_scores T1572 Protocol Tunneling