Register to stream ATT&CKcon 2.0 October 29-30

Standard Non-Application Layer Protocol

Use of a standard non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. [1] Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).

ICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; [2] however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.

ID: T1095
Tactic: Command And Control
Platform: Windows, Linux, macOS
Data Sources: Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Requires Network:  Yes
Contributors: Ryan Becwar
Version: 1.0


Mitigation Description
Filter Network Traffic Filter network traffic to prevent use of protocols across the network boundary that are unnecessary.
Network Intrusion Prevention Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
Network Segmentation Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces.


Name Description
APT29 APT29 uses TCP for C2 communications. [18]
APT3 An APT3 downloader establishes SOCKS5 connections for its initial C2. [19]
BUBBLEWRAP BUBBLEWRAP can communicate using SOCKS. [5]
Carbon Carbon uses TCP and UDP for C2. [10]
Crimson Crimson uses a custom TCP protocol for C2. [13]
Derusbi Derusbi binds to a raw socket on a random source port between 31800 and 31900 for C2. [12]
HiddenWasp HiddenWasp communicates with a simple network protocol over TCP. [16]
Mis-Type Mis-Type network traffic can communicate over a raw socket. [3]
Misdat Misdat network traffic communicates over a raw socket. [3]
MoonWind MoonWind completes network communication via raw sockets. [14]
NETEAGLE If NETEAGLE does not detect a proxy configured on the infected machine, it will send beacons via UDP/6000. Also, after retrieving a C2 IP address and Port Number, NETEAGLE will initiate a TCP connection to this socket. The ensuing connection is a plaintext C2 channel in which commands are specified by DWORDs. [7]
PHOREAL PHOREAL communicates via ICMP for C2. [6]
PLATINUM PLATINUM has used the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for command and control. [17]
PlugX PlugX can be configured to use raw TCP or UDP for command and control. [15]
Reaver Some Reaver variants use raw TCP for C2. [4]
Regin The Regin malware platform can use ICMP to communicate between infected computers. [11]
Remsec Remsec is capable of using ICMP, TCP, and UDP for C2. [8] [9]
WINDSHIELD WINDSHIELD C2 traffic can communicate via TCP raw sockets. [6]


Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. [20]

Monitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels.