Non-Application Layer Protocol (T1095)

Information

• Name: Non-Application Layer Protocol

• ID: T1095

• Tactics:

Introduction

Non-Application Layer Protocol is a technique categorized under MITRE ATT&CK framework (Technique ID: T1095). Adversaries leverage network protocols that operate below the application layer (OSI layers 3 and 4, such as ICMP, TCP, UDP) to communicate, control compromised systems, exfiltrate data, and evade detection. By utilizing these lower-level protocols, attackers can bypass traditional security defenses that primarily monitor application-layer traffic (e.g., HTTP, DNS).

Deep Dive Into Technique

Attackers utilize Non-Application Layer Protocols to establish covert communication channels, evade network monitoring, and maintain persistent access. Technical execution methods typically involve:

• ICMP Tunneling:

  • Embedding payloads within ICMP echo request/reply packets.

  • Tools such as ICMP Shell, PingTunnel, or Loki can facilitate command and control (C2) communication or data exfiltration.

• UDP and TCP Covert Channels:

  • Manipulating packet headers and payloads to hide data within legitimate protocol traffic.

  • Techniques include embedding data in TCP sequence numbers, acknowledgment fields, or UDP payloads.

  • Tools like DNScat2 (over UDP), ptunnel, or iodine are commonly employed.

• Protocol Misuse and Fragmentation:

  • Fragmenting packets to evade IDS/IPS detection.

  • Abnormal use of flags, packet sizes, or header fields to embed malicious payloads or instructions.

• Custom Protocols and Raw Sockets:

  • Crafting custom protocols or utilizing raw sockets to directly manipulate packet headers.

  • This approach allows attackers to evade signature-based detections and standard protocol inspection.

When this Technique is Usually Used

Attackers may employ Non-Application Layer Protocol techniques across various stages of the attack lifecycle, including:

• Initial Access and Reconnaissance:

  • Using ICMP or UDP packets to probe network boundaries, firewall rules, and system responsiveness.

• Command and Control (C2):

  • Establishing covert communication channels to remotely control compromised hosts without detection by standard application-layer monitoring.

• Data Exfiltration:

  • Transferring sensitive data out of the victim network through covert channels embedded in lower-level protocols, bypassing traditional data loss prevention (DLP) systems.

• Persistence and Evasion:

  • Maintaining long-term covert communication channels to evade detection by security monitoring solutions focused primarily on application-layer traffic.

How this Technique is Usually Detected

Detection of Non-Application Layer Protocol exploitation can be challenging, but several methods and tools can assist:

• Network Traffic Analysis:

  • Monitoring for unusual patterns or anomalies in ICMP, TCP, or UDP traffic.

  • Tools such as Wireshark, Zeek (formerly Bro), Suricata, and Snort can detect abnormal protocol usage or unusual packet structures.

• Behavioral Anomaly Detection:

  • Implementing machine learning-based or heuristic analysis systems (e.g., Darktrace, Cisco Stealthwatch) to identify deviations from typical network behaviors.

  • Detecting unusual ICMP payload sizes, high volumes of ICMP traffic, or irregular TCP/UDP packet fragmentation.

• Endpoint Detection and Response (EDR):

  • Monitoring system-level socket operations, raw socket usage, and unusual network connections.

  • Tools such as CrowdStrike Falcon, Carbon Black, or Microsoft Defender for Endpoint can detect suspicious process behavior or network activity.

• Specific Indicators of Compromise (IoCs):

  • High frequency of ICMP echo requests/replies from a single host.

  • Unusual fragmentation patterns or abnormal TCP/UDP packet sizes.

  • Connections to known malicious IP addresses or domains associated with covert channel tools.

Why it is Important to Detect This Technique

Detecting Non-Application Layer Protocol misuse is critical due to several high-impact risks:

• Stealthy Data Exfiltration:

  • Attackers can silently remove large volumes of sensitive data, intellectual property, or confidential information without triggering traditional alerts.

• Persistent Command and Control:

  • Covert communication channels can remain active for extended periods, allowing attackers continuous control and access to compromised systems.

• Security Monitoring Evasion:

  • Traditional security solutions concentrating on application-layer traffic may fail to detect lower-layer protocol misuse, leaving organizations blind to ongoing malicious activities.

• Operational Disruption and Damage:

  • Undetected covert channels can facilitate lateral movement, privilege escalation, and deployment of additional malicious payloads, significantly increasing the potential impact of an attack.

Early detection and mitigation of Non-Application Layer Protocol abuse help prevent attackers from achieving their objectives, limiting potential damage and maintaining organizational security posture.

Examples

Real-world examples highlighting the usage and impact of Non-Application Layer Protocol attacks include:

• Operation TunnelSnake (ICMP Tunneling):

  • Attackers used ICMP tunneling to establish persistent covert channels, evade detection, and exfiltrate sensitive data from compromised networks.

  • Tools involved included PingTunnel and ICMP Shell, allowing attackers to bypass firewall rules blocking traditional application-layer protocols.

• Loki ICMP Tunneling:

  • Loki is a publicly available tool that embeds payloads within ICMP packets to establish covert C2 channels.

  • Attackers leveraged Loki in targeted attacks to maintain persistent and stealthy communication with compromised hosts, bypassing standard IDS/IPS systems.

• DNScat2 (UDP Protocol Abuse):

  • DNScat2 utilizes DNS queries (UDP protocol) to establish covert communication channels and exfiltrate data.

  • Attackers employed DNScat2 in multiple documented breaches, successfully evading monitoring solutions focused on HTTP and HTTPS traffic.

• Advanced Persistent Threat (APT) Groups:

  • APT29 (Cozy Bear) and APT28 (Fancy Bear) have historically leveraged lower-layer protocol tunneling and covert channels to evade detection, perform reconnaissance, and exfiltrate sensitive data from targeted networks.

  • These sophisticated adversaries frequently employ customized implementations of ICMP and UDP tunneling to remain undetected and maintain long-term access.

These examples underscore the critical importance of monitoring and detecting Non-Application Layer Protocol abuse to prevent severe security implications and mitigate potential damage from sophisticated cyber-attacks.