Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.
There are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.[1]
Protocol Tunneling may also be abused by adversaries during Dynamic Resolution. Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.[2]
Adversaries may also leverage Protocol Tunneling in conjunction with Proxy and/or Protocol Impersonation to further conceal C2 communications and infrastructure.
ID | Name | Description |
---|---|---|
C0034 | 2022 Ukraine Electric Power Attack |
During the 2022 Ukraine Electric Power Attack, Sandworm Team deployed the GOGETTER tunneler software to establish a "Yamux" TLS-based C2 channel with an external server(s).[3] |
S1063 | Brute Ratel C4 |
Brute Ratel C4 can use DNS over HTTPS for C2.[4][5] |
C0027 | C0027 |
During C0027, Scattered Spider used SSH tunneling in targeted environments.[6] |
C0032 | C0032 |
During the C0032 campaign, TEMP.Veles used encrypted SSH-based PLINK tunnels to transfer tools and enable RDP connections throughout the environment.[7] |
G0114 | Chimera |
Chimera has encapsulated Cobalt Strike's C2 protocol in DNS and HTTPS.[8] |
G1021 | Cinnamon Tempest |
Cinnamon Tempest has used the Iox and NPS proxy and tunneling tools in combination create multiple connections through a single tunnel.[9] |
G0080 | Cobalt Group |
Cobalt Group has used the Plink utility to create SSH tunnels.[10][11][12] |
S0154 | Cobalt Strike |
Cobalt Strike uses a custom command and control protocol that is encapsulated in HTTP, HTTPS, or DNS. In addition, it conducts peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports.[13][14] |
C0004 | CostaRicto |
During CostaRicto, the threat actors set up remote SSH tunneling into the victim's environment from a malicious domain.[15] |
C0029 | Cutting Edge |
During Cutting Edge, threat actors used Iodine to tunnel IPv4 traffic over DNS.[16] |
S0687 | Cyclops Blink |
Cyclops Blink can use DNS over HTTPS (DoH) to resolve C2 nodes.[17] |
S0038 | Duqu |
Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols.[18] |
G1016 | FIN13 |
FIN13 has utilized web shells and Java tools for tunneling capabilities to and from compromised assets.[19] |
G0037 | FIN6 |
FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.[20] |
S0173 | FLIPSIDE |
FLIPSIDE uses RDP to tunnel traffic from a victim environment.[21] |
G0117 | Fox Kitten |
Fox Kitten has used protocol tunneling for communication and RDP activity on compromised hosts through the use of open source tools such as ngrok and custom tool SSHMinion.[22][23][24] |
S1044 | FunnyDream |
FunnyDream can connect to HTTP proxies via TCP to create a tunnel to C2.[25] |
S1027 | Heyoka Backdoor |
Heyoka Backdoor can use spoofed DNS requests to create a bidirectional tunnel between a compromised host and its C2 servers.[26] |
S0604 | Industroyer |
Industroyer attempts to perform an HTTP CONNECT via an internal proxy to establish a tunnel.[27] |
S1020 | Kevin |
Kevin can use a custom protocol tunneled through DNS or HTTP.[28] |
G0065 | Leviathan |
Leviathan has used protocol tunneling to further conceal C2 communications and infrastructure.[29] |
G0059 | Magic Hound |
Magic Hound has used Plink to tunnel RDP over SSH.[30] |
S1015 | Milan |
Milan can use a custom protocol tunneled through DNS or HTTP.[28] |
S0699 | Mythic |
Mythic can use SOCKS proxies to tunnel traffic through another protocol.[31] |
S0508 | ngrok |
ngrok can tunnel RDP and other services securely over internet connections.[32][33][34][35] |
G0049 | OilRig |
OilRig has used the Plink utility and other tools to create tunnels to C2 servers.[36][37][38] |
S0650 | QakBot |
The QakBot proxy module can encapsulate SOCKS5 protocol within its own proxy protocol.[39] |
S0022 | Uroburos |
Uroburos has the ability to communicate over custom communications methodologies that ride over common network protocols including raw TCP and UDP sockets, HTTP, SMTP, and DNS.[40] |
ID | Mitigation | Description |
---|---|---|
M1037 | Filter Network Traffic |
Consider filtering network traffic to untrusted or known bad domains and resources. |
M1031 | Network Intrusion Prevention |
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0029 | Network Traffic | Network Connection Creation |
Monitor for newly constructed network connections that are sent or received by untrusted hosts. |
Network Traffic Content |
Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |
||
Network Traffic Flow |
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |