Skip to content

DET0538 Detection Strategy for Protocol Tunneling accross OS platforms.

Item Value
ID DET0538
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1572 (Protocol Tunneling)

Analytics

Windows

AN1483

Processes such as plink.exe, ssh.exe, or netsh.exe establishing outbound network connections where traffic patterns show encapsulated protocols (e.g., RDP over SSH). Defender observations include anomalous process-to-network relationships, large asymmetric data flows, and port usage mismatches.

Log Sources
Data Component Name Channel
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Mutable Elements
Field Description
AllowedTools Whitelist legitimate tunneling tools (e.g., used by admins).
DataAsymmetryThreshold Ratio of sent vs received bytes that indicates tunneling activity.
TimeWindow Correlate process creation with network connection within N seconds.

Linux

AN1484

sshd, socat, or custom binaries initiating port forwarding or encapsulating traffic (e.g., RDP, SMB) through SSH or HTTP. Defender sees abnormal connect/bind syscalls, encrypted traffic on ports typically used for non-encrypted services, and outlier traffic volume patterns.

Log Sources
Data Component Name Channel
Network Connection Creation (DC0082) auditd:SYSCALL socket/connect calls showing SSH processes forwarding arbitrary ports
Application Log Content (DC0038) linux:syslog sshd sessions with unusual port forwarding parameters
Process Creation (DC0032) linux:osquery socat, ssh, or nc processes opening unexpected ports
Mutable Elements
Field Description
ForwardingFlags Specific sshd config flags indicating port forwarding.
ProtocolBaseline Define expected application protocols by port to catch tunneling mismatches.

macOS

AN1485

launchd or user-invoked processes (ssh, socat) encapsulating traffic via SSH tunnels, VPN-style tooling, or DNS-over-HTTPS clients. Defender sees outbound TLS traffic with embedded DNS or RDP payloads.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog process execution of ssh with -L/-R forwarding flags
Network Traffic Content (DC0085) macos:unifiedlog encrypted outbound traffic carrying unexpected application data
Mutable Elements
Field Description
ExpectedDoHResolvers Known legitimate DoH resolvers used in environment.
PayloadEntropyThreshold Flag excessive randomness in payloads on standard ports.

ESXi

AN1486

VMware daemons or user processes encapsulating traffic (e.g., guest VMs tunneling via hostd). Defender sees network services inside ESXi creating flows inconsistent with management plane traffic, such as SSH forwarding or DNS-over-HTTPS from management interfaces.

Log Sources
Data Component Name Channel
Network Traffic Flow (DC0078) esxi:vpxd ESXi processes relaying traffic via SSH or unexpected ports
Network Traffic Content (DC0085) esxcli:network listening sockets bound with non-standard encapsulated protocols
Mutable Elements
Field Description
ESXiServiceProfiles Baseline allowed services and expected ports for ESXi management.