Skip to content

T1095 Non-Application Layer Protocol

Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.5 Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).

ICMP communication between hosts is one example.2 Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.3 However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.

Item Value
ID T1095
Sub-techniques
Tactics TA0011
Platforms Linux, Network, Windows, macOS
Version 2.2
Created 31 May 2017
Last Modified 20 April 2023

Procedure Examples

ID Name Description
S0504 Anchor Anchor has used ICMP in C2 communications.9
G0022 APT3 An APT3 downloader establishes SOCKS5 connections for its initial C2.70
S0456 Aria-body Aria-body has used TCP in C2 communications.25
S1029 AuTo Stealer AuTo Stealer can use TCP to communicate with command and control servers.64
G0135 BackdoorDiplomacy BackdoorDiplomacy has used EarthWorm for network tunneling with a SOCKS5 server and port transfer functionalities.74
S0234 Bandook Bandook has a command built in to use a raw TCP socket.44
S0268 Bisonal Bisonal has used raw sockets for network communication.63
G1002 BITTER BITTER has used TCP for C2 communications.71
S1063 Brute Ratel C4 Brute Ratel C4 has the ability to use TCP for external C2.8
S0043 BUBBLEWRAP BUBBLEWRAP can communicate using SOCKS.56
C0021 C0021 During C0021, the threat actors used TCP for some C2 communications.75
S0335 Carbon Carbon uses TCP and UDP for C2.35
S0660 Clambling Clambling has the ability to use TCP and UDP for communication.39
S0154 Cobalt Strike Cobalt Strike can be configured to use TCP, ICMP, and UDP for C2 communications.5455
S0115 Crimson Crimson uses a custom TCP protocol for C2.1920
S0498 Cryptoistic Cryptoistic can use TCP in communications with C2.42
S0021 Derusbi Derusbi binds to a raw socket on a random source port between 31800 and 31900 for C2.51
S0502 Drovorub Drovorub can use TCP to communicate between its agent and client modules.31
S0076 FakeM Some variants of FakeM use SSL to communicate with C2 servers.40
G0037 FIN6 FIN6 has used Metasploit Bind and Reverse TCP stagers.73
S1044 FunnyDream FunnyDream can communicate with C2 over TCP and UDP.68
S0666 Gelsemium Gelsemium has the ability to use TCP and UDP in C2 communications.11
S0032 gh0st RAT gh0st RAT has used an encrypted protocol within TCP segments to communicate with the C2.17
G0125 HAFNIUM HAFNIUM has used TCP for C2.69
S0394 HiddenWasp HiddenWasp communicates with a simple network protocol over TCP.62
S0260 InvisiMole InvisiMole has used TCP to download additional modules.15
S1051 KEYPLUG
KEYPLUG can use TCP and KCP (KERN Communications Protocol) over UDP for C2 communication.50
S0582 LookBack LookBack uses a custom binary protocol over sockets for C2 communications.38
S1016 MacMa MacMa has used a custom JSON-based protocol for its C&C communications.61
S1060 Mafalda Mafalda can use raw TCP for C2.23
G1013 Metador Metador has used TCP for C2.23
S1059 metaMain metaMain can establish an indirect and raw TCP socket-based connection to the C2 server.2328
S0455 Metamorfo Metamorfo has used raw TCP for C2.18
S0084 Mis-Type Mis-Type network traffic can communicate over a raw socket.12
S0083 Misdat Misdat network traffic communicates over a raw socket.12
S0149 MoonWind MoonWind completes network communication via raw sockets.21
S0699 Mythic Mythic supports WebSocket and TCP-based C2 profiles.6
S0630 Nebulae Nebulae can use TCP in C2 communications.46
S0034 NETEAGLE If NETEAGLE does not detect a proxy configured on the infected machine, it will send beacons via UDP/6000. Also, after retrieving a C2 IP address and Port Number, NETEAGLE will initiate a TCP connection to this socket. The ensuing connection is a plaintext C2 channel in which commands are specified by DWORDs.33
S0198 NETWIRE NETWIRE can use TCP in C2 communications.3637
C0014 Operation Wocao During Operation Wocao, threat actors used a custom protocol for command and control.76
S0556 Pay2Key Pay2Key has sent its public key to the C2 server over TCP.34
S0587 Penquin The Penquin C2 mechanism is based on TCP and UDP packets.1314
S0158 PHOREAL PHOREAL communicates via ICMP for C2.57
S1031 PingPull PingPull variants have the ability to communicate with C2 servers using ICMP or TCP.30
S0501 PipeMon The PipeMon communication module can use a custom protocol based on TLS over TCP.48
G0068 PLATINUM PLATINUM has used the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for command and control.72
S0013 PlugX PlugX can be configured to use raw TCP or UDP for command and control.47
S0650 QakBot QakBot has the ability use TCP to send or receive C2 packets.24
S0262 QuasarRAT QuasarRAT can use TCP for C2 communication.7
S0629 RainyDay RainyDay can use TCP in C2 communications.46
S0055 RARSTONE RARSTONE uses SSL to encrypt its communication with its C2 server.60
S0662 RCSession RCSession has the ability to use TCP and UDP in C2 communications.3941
S0172 Reaver Some Reaver variants use raw TCP for C2.29
S0019 Regin The Regin malware platform can use ICMP to communicate between infected computers.10
S0125 Remsec Remsec is capable of using ICMP, TCP, and UDP for C2.6667
S1073 Royal Royal establishes a TCP socket for C2 communication using the API WSASocketW.45
S0461 SDBbot SDBbot has the ability to communicate with C2 with TCP over port 443.22
S0596 ShadowPad ShadowPad has used UDP for C2 communications.59
S0615 SombRAT SombRAT has the ability to use TCP sockets to send data and ICMP to ping the C2 server.5253
S1049 SUGARUSH SUGARUSH has used TCP for C2.43
S0011 Taidoor Taidoor can use TCP for C2 communications.26
S0436 TSCookie TSCookie can use ICMP to receive information on the destination server.65
S0221 Umbreon Umbreon provides access to the system via SSH or any other protocol that uses PAM to authenticate.49
S0670 WarzoneRAT WarzoneRAT can communicate with its C2 server via TCP over port 5200.32
S0515 WellMail WellMail can use TCP for C2 communications.27
S0155 WINDSHIELD WINDSHIELD C2 traffic can communicate via TCP raw sockets.57
S0430 Winnti for Linux Winnti for Linux has used ICMP, custom TCP, and UDP in outbound communications.58
S0141 Winnti for Windows Winnti for Windows can communicate using custom TCP.16

Mitigations

ID Mitigation Description
M1037 Filter Network Traffic Filter network traffic to prevent use of protocols across the network boundary that are unnecessary.
M1031 Network Intrusion Prevention Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
M1030 Network Segmentation Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces.

Detection

ID Data Source Data Component
DS0029 Network Traffic Network Traffic Content

References

  1. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. 

  2. Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020. 

  3. Microsoft. (n.d.). Internet Control Message Protocol (ICMP) Basics. Retrieved December 1, 2014. 

  4. Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. 

  5. Wikipedia. (n.d.). List of network protocols (OSI model). Retrieved December 4, 2014. 

  6. Thomas, C. (n.d.). Mythc Documentation. Retrieved March 25, 2022. 

  7. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022. 

  8. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. 

  9. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. 

  10. Kaspersky Lab’s Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014. 

  11. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. 

  12. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  13. Baumgartner, K. and Raiu, C. (2014, December 8). The ‘Penquin’ Turla. Retrieved March 11, 2021. 

  14. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021. 

  15. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  16. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. 

  17. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020. 

  18. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020. 

  19. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. 

  20. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. 

  21. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017. 

  22. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. 

  23. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. 

  24. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. 

  25. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. 

  26. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021. 

  27. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020. 

  28. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. 

  29. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017. 

  30. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022. 

  31. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. 

  32. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. 

  33. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015. 

  34. Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021. 

  35. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018. 

  36. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. 

  37. Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021. 

  38. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021. 

  39. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  40. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016. 

  41. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021. 

  42. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020. 

  43. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022. 

  44. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021. 

  45. Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023. 

  46. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  47. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. 

  48. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020. 

  49. Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018. 

  50. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. 

  51. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016. 

  52. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. 

  53. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021. 

  54. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021. 

  55. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  56. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015. 

  57. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017. 

  58. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020. 

  59. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021. 

  60. Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015. 

  61. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022. 

  62. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019. 

  63. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. 

  64. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022. 

  65. Tomonaga, S.. (2019, September 18). Malware Used by BlackTech after Network Intrusion. Retrieved May 6, 2020. 

  66. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016. 

  67. Kaspersky Lab’s Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016. 

  68. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  69. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021. 

  70. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016. 

  71. Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022. 

  72. Kaplan, D, et al. (2017, June 7). PLATINUM continues to evolve, find ways to maintain invisibility. Retrieved February 19, 2018. 

  73. Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020. 

  74. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021 

  75. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018. 

  76. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.