Non-Application Layer Protocol

Non-Application Layer Protocol [T1095]

Information

  • Name: Non-Application Layer Protocol

  • ID: T1095

  • Tactics: TA0011

Introduction

Non-Application Layer Protocol is a technique categorized under the MITRE ATT&CK framework (Technique ID: T1095). Adversaries leverage network protocols that operate below the application layer (OSI layers 3 and 4, such as ICMP, TCP, UDP) to communicate, control compromised systems, exfiltrate data, and evade detection. By utilizing these lower-level protocols, attackers can bypass traditional security defenses that primarily monitor application-layer traffic (e.g., HTTP, DNS).

Deep Dive Into Technique

Attackers utilize Non-Application Layer Protocols to establish covert communication channels, evade network monitoring, and maintain persistent access. Technical execution methods typically involve:

  • ICMP Tunneling:

    • Embedding payloads within ICMP echo request/reply packets.

    • Tools such as ICMP Shell, PingTunnel, or Loki can facilitate command and control (C2) communication or data exfiltration.

  • UDP and TCP Covert Channels:

    • Manipulating packet headers and payloads to hide data within legitimate protocol traffic.

    • Techniques include embedding data in TCP sequence numbers, acknowledgment fields, or UDP payloads.

    • Tools like DNScat2 (over UDP), ptunnel, or iodine are commonly employed.

  • Protocol Misuse and Fragmentation:

    • Fragmenting packets to evade IDS/IPS detection.

    • Abnormal use of flags, packet sizes, or header fields to embed malicious payloads or instructions.

  • Custom Protocols and Raw Sockets:

    • Crafting custom protocols or utilizing raw sockets to directly manipulate packet headers.

    • This approach allows attackers to evade signature-based detections and standard protocol inspection.

When this Technique is Usually Used

Attackers may employ Non-Application Layer Protocol techniques across various stages of the attack lifecycle, including:

  • Initial Access and Reconnaissance:

    • Using ICMP or UDP packets to probe network boundaries, firewall rules, and system responsiveness.

  • Command and Control (C2):

    • Establishing covert communication channels to remotely control compromised hosts without detection by standard application-layer monitoring.

  • Data Exfiltration:

    • Transferring sensitive data out of the victim network through covert channels embedded in lower-level protocols, bypassing traditional data loss prevention (DLP) systems.

  • Persistence and Evasion:

    • Maintaining long-term covert communication channels to evade detection by security monitoring solutions focused primarily on application-layer traffic.

How this Technique is Usually Detected

Detection of Non-Application Layer Protocol exploitation can be challenging, but several methods and tools can assist:

  • Network Traffic Analysis:

    • Monitoring for unusual patterns or anomalies in ICMP, TCP, or UDP traffic.

    • Tools such as Wireshark, Zeek (formerly Bro), Suricata, and Snort can detect abnormal protocol usage or unusual packet structures.

  • Behavioral Anomaly Detection:

    • Implementing machine learning-based or heuristic analysis systems (e.g., Darktrace, Cisco Stealthwatch) to identify deviations from typical network behaviors.

    • Detecting unusual ICMP payload sizes, high volumes of ICMP traffic, or irregular TCP/UDP packet fragmentation.

  • Endpoint Detection and Response (EDR):

    • Monitoring system-level socket operations, raw socket usage, and unusual network connections.

    • Tools such as CrowdStrike Falcon, Carbon Black, or Microsoft Defender for Endpoint can detect suspicious process behavior or network activity.

  • Specific Indicators of Compromise (IoCs):

    • High frequency of ICMP echo requests/replies from a single host.

    • Unusual fragmentation patterns or abnormal TCP/UDP packet sizes.

    • Connections to known malicious IP addresses or domains associated with covert channel tools.
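A defender-side illustration of two of the ICMP indicators listed above (high echo-request frequency from a single host and abnormal payload sizes), written here as an added example and not taken from the ATT&CK page or any tool it names: it parses a constructed excerpt in the shape of a Zeek conn.log and scores each source host. The sample addresses, the thresholds and the 60-second window are assumptions; the convention that Zeek records the ICMP type in id.orig_p for proto=icmp is real Zeek behaviour.

```python
from collections import defaultdict

# Constructed sample shaped like a Zeek conn.log subset ("#fields" header, tabs,
# "-" for unset values). For proto=icmp Zeek stores the ICMP type in id.orig_p
# (8 = echo request). 10.0.0.5 pings normally; 10.0.0.9 pushes ~1200-byte payloads fast.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_pkts\torig_bytes",
    "1700000000.10\t10.0.0.5\t8\t10.0.0.1\t0\ticmp\t4\t224",
    "1700000003.40\t10.0.0.9\t8\t203.0.113.9\t0\ticmp\t600\t720000",
    "1700000005.00\t10.0.0.1\t0\t10.0.0.5\t8\ticmp\t4\t224",
    "1700000012.00\t10.0.0.9\t8\t203.0.113.9\t0\ticmp\t-\t-",
])

# Assumed thresholds (not from the page): default pings carry 56 (Linux) or 32 (Windows) bytes.
ICMP_ECHO_REQUEST = 8
MAX_NORMAL_ECHO_PAYLOAD = 128   # average bytes per echo request
MAX_ECHO_PKTS_PER_WINDOW = 100  # echo requests per source host per 60 s window
WINDOW_SECONDS = 60

def _num(value, cast):  # Zeek writes "-" for unset fields; treat as zero
    return cast(value) if value != "-" else 0

def parse_conn_log(text):
    """Parse the Zeek conn.log subset used here into a list of dicts."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            values = line.split("\t")
            if fields is None or len(values) != len(fields):
                raise ValueError("malformed conn.log line: %r" % line)
            records.append(dict(zip(fields, values)))
    return records

def detect_icmp_tunnel_indicators(records):
    """Flag oversized echo payloads and high per-host echo-request rates."""
    findings, pkts_per_host_window = [], defaultdict(int)
    for r in records:
        if r["proto"] != "icmp" or _num(r["id.orig_p"], int) != ICMP_ECHO_REQUEST:
            continue  # only echo requests originated by the host are scored
        pkts, nbytes = _num(r["orig_pkts"], int), _num(r["orig_bytes"], int)
        if pkts and nbytes / pkts > MAX_NORMAL_ECHO_PAYLOAD:
            findings.append((r["id.orig_h"], "oversized_echo_payload", round(nbytes / pkts)))
        window = int(_num(r["ts"], float) // WINDOW_SECONDS)
        pkts_per_host_window[(r["id.orig_h"], window)] += pkts
    for (host, window), pkts in sorted(pkts_per_host_window.items()):
        if pkts > MAX_ECHO_PKTS_PER_WINDOW:
            findings.append((host, "high_echo_request_rate", pkts))
    return findings
```

Echo replies and records with unset counters are skipped rather than scored, so a host answering pings is not mistaken for one sending them.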

Why it is Important to Detect This Technique

Detecting Non-Application Layer Protocol misuse is critical due to several high-impact risks:

  • Stealthy Data Exfiltration:

    • Attackers can silently remove large volumes of sensitive data, intellectual property, or confidential information without triggering traditional alerts.

  • Persistent Command and Control:

    • Covert communication channels can remain active for extended periods, allowing attackers continuous control and access to compromised systems.

  • Security Monitoring Evasion:

    • Traditional security solutions concentrating on application-layer traffic may fail to detect lower-layer protocol misuse, leaving organizations blind to ongoing malicious activities.

  • Operational Disruption and Damage:

    • Undetected covert channels can facilitate lateral movement, privilege escalation, and deployment of additional malicious payloads, significantly increasing the potential impact of an attack.

Early detection and mitigation of Non-Application Layer Protocol abuse help prevent attackers from achieving their objectives, limiting potential damage and maintaining organizational security posture.

Examples

Real-world examples highlighting the usage and impact of Non-Application Layer Protocol attacks include:

  • Operation TunnelSnake (ICMP Tunneling):

    • Attackers used ICMP tunneling to establish persistent covert channels, evade detection, and exfiltrate sensitive data from compromised networks.

    • Tools involved included PingTunnel and ICMP Shell, allowing attackers to bypass firewall rules blocking traditional application-layer protocols.

  • Loki ICMP Tunneling:

    • Loki is a publicly available tool that embeds payloads within ICMP packets to establish covert C2 channels.

    • Attackers leveraged Loki in targeted attacks to maintain persistent and stealthy communication with compromised hosts, bypassing standard IDS/IPS systems.

  • DNScat2 (UDP Protocol Abuse):

    • DNScat2 utilizes DNS queries (UDP protocol) to establish covert communication channels and exfiltrate data.

    • Attackers employed DNScat2 in multiple documented breaches, successfully evading monitoring solutions focused on HTTP and HTTPS traffic.

  • Advanced Persistent Threat (APT) Groups:

    • APT29 (Cozy Bear) and APT28 (Fancy Bear) have historically leveraged lower-layer protocol tunneling and covert channels to evade detection, perform reconnaissance, and exfiltrate sensitive data from targeted networks.

    • These sophisticated adversaries frequently employ customized implementations of ICMP and UDP tunneling to remain undetected and maintain long-term access.

These examples underscore the critical importance of monitoring for and detecting Non-Application Layer Protocol abuse in order to avoid severe security consequences and limit the damage caused by sophisticated cyber-attacks.