T1095

Non-Application Layer Protocol

Adversaries may use OSI non-application layer protocols for C2 communications to evade network defenses that focus on application-layer monitoring. This includes ICMP tunneling (embedding C2 data in ping request/reply payloads), raw UDP sockets that bypass application-layer fingerprinting, SOCKS proxy chaining to obscure true traffic routing and destination, and custom binary protocols over raw TCP connections. ICMP is required in all IP-compatible host implementations but is significantly undermonitored compared to TCP and UDP application protocols, making it an attractive covert channel. Notable threat actors leveraging this technique include Gamaredon Group using SOCKS5 over port 9050, APT32's WINDSHIELD malware using TCP raw sockets, TSCookie (BlackTech) and Anchor (TrickBot infrastructure) using ICMP for C2, and PlugX being configured for raw TCP or UDP. FRP (a popular proxy tool) supports TCP, KCP, QUIC, and UDP multiplexing. In ESXi environments, adversaries may use the Virtual Machine Communication Interface (VMCI) to create covert channels between guest VMs and the ESXi host that are invisible to external network monitoring tools including tcpdump, netstat, nmap, and Wireshark, as documented in Google Cloud's 2023 analysis of UNC3886.

Microsoft Sentinel / Defender

kusto

let SocksProxyPorts = dynamic([1080, 1081, 4145, 9050, 9051, 9150, 8118, 9999, 1082, 1083, 3128]);
let LegitICMPProcesses = dynamic(["ping.exe", "tracert.exe", "pathping.exe", "fping.exe", "hping3"]);
let LegitUDPProcesses = dynamic([
    "svchost.exe", "chrome.exe", "firefox.exe", "msedge.exe",
    "teams.exe", "zoom.exe", "slack.exe", "skype.exe", "discord.exe",
    "lsass.exe", "dns.exe", "avast.exe", "MsMpEng.exe", "wininit.exe"
]);
let CommonUDPPorts = dynamic([53, 67, 68, 123, 161, 162, 443, 500, 4500, 5353, 5355, 51820, 1194, 8801, 8802, 3478, 3479, 19302, 19303, 4096]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| extend IsSocksPort = RemotePort in (SocksProxyPorts)
| extend IsUnexpectedICMP = (
    Protocol == "Icmp"
    and not (InitiatingProcessFileName in~ (LegitICMPProcesses))
)
| extend IsUnusualUDP = (
    Protocol == "Udp"
    and RemoteIPType == "Public"
    and not (RemotePort in (CommonUDPPorts))
    and not (InitiatingProcessFileName in~ (LegitUDPProcesses))
)
| where IsSocksPort or IsUnexpectedICMP or IsUnusualUDP
| extend DetectionSignal = case(
    IsSocksPort and IsUnexpectedICMP, "SOCKS_And_ICMP_Combined",
    IsUnexpectedICMP, strcat("ICMP_From_Unexpected_Process_", InitiatingProcessFileName),
    IsSocksPort, strcat("SOCKS_Proxy_Port_", tostring(RemotePort)),
    IsUnusualUDP, strcat("Unusual_UDP_Port_", tostring(RemotePort)),
    "Unknown"
)
| extend RiskScore = case(
    IsSocksPort and IsUnexpectedICMP, 95,
    IsUnexpectedICMP, 85,
    IsSocksPort, 75,
    IsUnusualUDP, 60,
    50
)
| project
    Timestamp, DeviceName, AccountName,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    InitiatingProcessParentFileName, InitiatingProcessParentCommandLine,
    RemoteIP, RemotePort, Protocol, LocalPort,
    SentBytes, ReceivedBytes,
    DetectionSignal, RiskScore
| sort by RiskScore desc, Timestamp desc

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Flow Network Traffic: Network Traffic Content Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Tor Browser and other privacy-focused browsers legitimately connect to SOCKS/Onion network on ports 9050 and 1080 — add process-level allowlist for tor.exe and the Tor Browser executable
Custom enterprise middleware and industrial control systems using raw UDP for inter-service heartbeats or telemetry on non-standard ports
VoIP, video conferencing, and media streaming applications (Zoom, Teams, WebEx) may negotiate UDP media channels on non-standard high ports
WireGuard, OpenVPN, and other VPN clients operate over non-standard UDP ports; the default WireGuard port 51820 is excluded but custom deployments use arbitrary ports
Network monitoring and security scanning tools (nmap, Nessus agents, Zabbix, PRTG) generate ICMP and unusual UDP as part of active health checks

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
| eval dest_port_num = tonumber(DestinationPort)
| eval protocol_lower = lower(Protocol)
| eval process_lower = lower(Image)
// Signal 1: SOCKS proxy port connections from non-browser processes
| eval is_socks = if(
    dest_port_num IN(1080, 1081, 4145, 9050, 9051, 9150, 8118, 9999, 1082, 1083, 3128)
    AND NOT match(process_lower, "(chrome|firefox|msedge|opera|brave|tor|proxifier)"),
    1, 0)
// Signal 2: UDP on non-standard ports from non-system processes
| eval is_unusual_udp = if(
    protocol_lower="udp"
    AND NOT dest_port_num IN(53, 67, 68, 123, 161, 162, 443, 500, 4500, 5353, 5355, 51820, 1194, 3478, 3479, 8801, 8802)
    AND NOT match(process_lower, "(svchost|lsass|dns|chrome|firefox|msedge|teams|zoom|slack|skype|discord|avast|msmpeng)")
    AND (Initiated="true" OR Initiated="1"),
    1, 0)
// Signal 3: Non-loopback ICMP in Sysmon (captured via raw socket events on some configs)
| eval is_unexpected_icmp = if(
    protocol_lower="icmp"
    AND NOT match(process_lower, "(ping|tracert|pathping|fping|hping)"),
    1, 0)
| where is_socks=1 OR is_unusual_udp=1 OR is_unexpected_icmp=1
| eval risk_score = case(
    is_unexpected_icmp=1 AND is_socks=1, 95,
    is_unexpected_icmp=1, 85,
    is_socks=1, 75,
    is_unusual_udp=1, 60,
    50)
| eval detection_signal = case(
    is_socks=1, "SOCKS_Proxy_Port_".dest_port_num,
    is_unexpected_icmp=1, "ICMP_From_Unexpected_Process",
    is_unusual_udp=1, "Unusual_UDP_Port_".dest_port_num,
    "Unknown")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
    DestinationIp, dest_port_num, protocol_lower, SourceIp, SourcePort,
    detection_signal, risk_score
| sort - risk_score, - _time

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Flow Process: Process Creation Sysmon Event ID 3 (Network Connection)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Tor Browser and privacy tools legitimately connect to SOCKS proxy ports — scope the is_socks filter to specific high-value server hosts where browser traffic is unexpected
Custom enterprise applications using UDP for service mesh communication, health checks, or telemetry on non-standard ports in microservice environments
Gaming engines and streaming applications dynamically negotiate UDP media ports above 1024 that may not be in the allowlist
Security tools performing active network discovery (vulnerability scanners, network inventory agents) generate unusual UDP and ICMP as part of their scan logic
VPN clients with custom port configurations (wireguard on non-51820, OpenVPN on non-1194) appear as unusual UDP traffic from the vpn client process

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    sourceip,
    destinationip,
    destinationport,
    protocolname(protocolid) AS protocol,
    username,
    "Application" AS process_name,
    logsourcename(logsourceid) AS log_source,
    CASE
        WHEN protocolid = 1
             AND LOWER("Application") NOT ILIKE ANY ('%ping%', '%tracert%', '%pathping%', '%fping%', '%hping%')
             AND destinationport IN (1080, 1081, 4145, 9050, 9051, 9150, 8118, 9999, 1082, 1083, 3128)
        THEN 95
        WHEN protocolid = 1
             AND LOWER("Application") NOT ILIKE ANY ('%ping%', '%tracert%', '%pathping%', '%fping%', '%hping%')
        THEN 85
        WHEN destinationport IN (1080, 1081, 4145, 9050, 9051, 9150, 8118, 9999, 1082, 1083, 3128)
             AND protocolid = 6
             AND LOWER("Application") NOT ILIKE ANY ('%chrome%', '%firefox%', '%msedge%', '%opera%', '%brave%', '%tor%', '%proxifier%')
        THEN 75
        WHEN protocolid = 17
             AND destinationport NOT IN (53, 67, 68, 123, 161, 162, 443, 500, 4500, 5353, 5355, 51820, 1194, 3478, 3479, 8801, 8802, 19302, 19303)
             AND LOWER("Application") NOT ILIKE ANY ('%svchost%', '%lsass%', '%chrome%', '%firefox%', '%msedge%', '%teams%', '%zoom%', '%slack%', '%skype%', '%discord%', '%avast%', '%msmpeng%')
        THEN 60
        ELSE 50
    END AS risk_score,
    CASE
        WHEN destinationport IN (1080, 1081, 4145, 9050, 9051, 9150, 8118, 9999, 1082, 1083, 3128)
             AND LOWER("Application") NOT ILIKE ANY ('%chrome%', '%firefox%', '%msedge%', '%opera%', '%brave%', '%tor%', '%proxifier%')
        THEN CONCAT('SOCKS_Proxy_Port_', CAST(destinationport AS VARCHAR(10)))
        WHEN protocolid = 1
             AND LOWER("Application") NOT ILIKE ANY ('%ping%', '%tracert%', '%pathping%', '%fping%', '%hping%')
        THEN 'ICMP_From_Unexpected_Process'
        WHEN protocolid = 17
             AND destinationport NOT IN (53, 67, 68, 123, 161, 162, 443, 500, 4500, 5353, 5355, 51820, 1194, 3478, 3479, 8801, 8802, 19302, 19303)
        THEN CONCAT('Unusual_UDP_Port_', CAST(destinationport AS VARCHAR(10)))
        ELSE 'Unknown'
    END AS detection_signal
FROM events
WHERE
    -- Adjust LOGSOURCETYPEID values to match your environment's Sysmon/Windows endpoint DSM IDs
    LOGSOURCETYPEID IN (13, 45, 96)
    AND (
        (
            destinationport IN (1080, 1081, 4145, 9050, 9051, 9150, 8118, 9999, 1082, 1083, 3128)
            AND protocolid = 6
            AND LOWER("Application") NOT ILIKE ANY ('%chrome%', '%firefox%', '%msedge%', '%opera%', '%brave%', '%tor%', '%proxifier%')
        )
        OR
        (
            protocolid = 1
            AND LOWER("Application") NOT ILIKE ANY ('%ping%', '%tracert%', '%pathping%', '%fping%', '%hping%')
        )
        OR
        (
            protocolid = 17
            AND destinationport NOT IN (53, 67, 68, 123, 161, 162, 443, 500, 4500, 5353, 5355, 51820, 1194, 3478, 3479, 8801, 8802, 19302, 19303)
            AND LOWER("Application") NOT ILIKE ANY ('%svchost%', '%lsass%', '%chrome%', '%firefox%', '%msedge%', '%teams%', '%zoom%', '%slack%', '%skype%', '%discord%', '%avast%', '%msmpeng%')
        )
    )
LAST 24 HOURS
ORDER BY risk_score DESC, devicetime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Microsoft Windows Security Event Log DSM Microsoft Sysmon DSM

Required Tables

events

False Positives

Authorized internal penetration testing or red team exercises using SOCKS proxies via Cobalt Strike, Metasploit, or similar frameworks will trigger SOCKS proxy port detection
IoT devices, industrial control systems, and OT network equipment using custom UDP-based protocols or proprietary ICMP-based keepalive/heartbeat mechanisms not on the allowlist
Network monitoring and management agents using SNMP traps (UDP 162), custom NMS protocols, or ICMP-based circuit testing from non-standard process names

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventCode=3
| parse "<Data Name='Image'>*</Data>" as process_image nodrop
| parse "<Data Name='DestinationPort'>*</Data>" as dest_port nodrop
| parse "<Data Name='Protocol'>*</Data>" as protocol nodrop
| parse "<Data Name='DestinationIp'>*</Data>" as dest_ip nodrop
| parse "<Data Name='SourceIp'>*</Data>" as src_ip nodrop
| parse "<Data Name='CommandLine'>*</Data>" as cmdline nodrop
| parse "<Data Name='ParentImage'>*</Data>" as parent_image nodrop
| parse "<Data Name='User'>*</Data>" as user nodrop
| parse "<Data Name='Initiated'>*</Data>" as initiated nodrop
| eval dest_port_num = num(dest_port)
| eval process_lower = toLowerCase(process_image)
| eval protocol_lower = toLowerCase(protocol)
| eval is_socks = if(
    dest_port_num in (1080, 1081, 4145, 9050, 9051, 9150, 8118, 9999, 1082, 1083, 3128)
    and !(process_lower matches ".*(?:chrome|firefox|msedge|opera|brave|tor|proxifier).*"),
    1, 0)
| eval is_unusual_udp = if(
    protocol_lower = "udp"
    and !(dest_port_num in (53, 67, 68, 123, 161, 162, 443, 500, 4500, 5353, 5355, 51820, 1194, 3478, 3479, 8801, 8802, 19302, 19303))
    and !(process_lower matches ".*(?:svchost|lsass|dns|chrome|firefox|msedge|teams|zoom|slack|skype|discord|avast|msmpeng).*")
    and initiated = "true",
    1, 0)
| eval is_unexpected_icmp = if(
    protocol_lower = "icmp"
    and !(process_lower matches ".*(?:ping|tracert|pathping|fping|hping).*"),
    1, 0)
| where is_socks = 1 or is_unusual_udp = 1 or is_unexpected_icmp = 1
| eval risk_score = if(is_unexpected_icmp = 1 and is_socks = 1, 95,
    if(is_unexpected_icmp = 1, 85,
    if(is_socks = 1, 75,
    if(is_unusual_udp = 1, 60, 50))))
| eval detection_signal = if(is_socks = 1, concat("SOCKS_Proxy_Port_", dest_port),
    if(is_unexpected_icmp = 1, "ICMP_From_Unexpected_Process",
    if(is_unusual_udp = 1, concat("Unusual_UDP_Port_", dest_port), "Unknown")))
| fields _messageTime, Computer, user, process_image, cmdline, parent_image, dest_ip, dest_port_num, protocol_lower, src_ip, detection_signal, risk_score
| sort by risk_score desc, _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon via Sumo Logic Installed Collector

Required Tables

_sourceCategory=windows/sysmon (Sysmon Event ID 3)

False Positives

Tor Browser and other authorized anonymization tools that legitimately route through SOCKS ports 9050 and 9150 — add process names to exclusion regex if sanctioned in your environment
Custom enterprise applications with proprietary UDP-based communication frameworks (real-time telemetry, proprietary clustering protocols) using non-standard high ports
Synthetic monitoring and availability testing agents (Pingdom agents, custom health-check scripts) executing ICMP probes under non-standard process names

Google Chronicle / SecOps

yaral

rule t1095_non_application_layer_protocol_c2 {
  meta:
    author = "Detection Engineering"
    description = "Detects C2 via non-application layer protocols: SOCKS proxy port connections, unexpected ICMP, and anomalous outbound UDP. MITRE ATT&CK T1095 - Non-Application Layer Protocol."
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1095"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"

    (
      // Signal 1: TCP connection to SOCKS proxy ports from non-browser process
      (
        $e.target.port in (1080, 1081, 4145, 9050, 9051, 9150, 8118, 9999, 1082, 1083, 3128) and
        $e.network.ip_protocol = "TCP" and
        not re.regex($e.principal.process.file.full_path, `(?i)(?:chrome|firefox|msedge|opera|brave|tor\.exe|proxifier)`)
      )
      or
      // Signal 2: ICMP from a process other than standard ping/trace utilities
      (
        $e.network.ip_protocol = "ICMP" and
        not re.regex($e.principal.process.file.full_path, `(?i)(?:ping\.exe|tracert\.exe|pathping\.exe|fping|hping)`)
      )
      or
      // Signal 3: Outbound UDP to non-standard ports from non-system processes
      (
        $e.network.ip_protocol = "UDP" and
        not $e.target.port in (53, 67, 68, 123, 161, 162, 443, 500, 4500, 5353, 5355, 51820, 1194, 3478, 3479, 8801, 8802, 19302, 19303) and
        not re.regex($e.principal.process.file.full_path, `(?i)(?:svchost\.exe|lsass\.exe|chrome\.exe|firefox\.exe|msedge\.exe|teams\.exe|zoom\.exe|slack\.exe|skype\.exe|discord\.exe|avast\.exe|msmpeng\.exe)`)
      )
    )

  outcome:
    $hostname = $e.principal.hostname
    $process_path = $e.principal.process.file.full_path
    $cmdline = $e.principal.process.command_line
    $parent_process = $e.principal.process.parent_process.file.full_path
    $dest_ip = $e.target.ip
    $dest_port = $e.target.port
    $ip_protocol = $e.network.ip_protocol
    $username = $e.principal.user.userid
    $bytes_sent = sum($e.network.sent_bytes)
    $bytes_received = sum($e.network.received_bytes)

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Chronicle UDM NETWORK_CONNECTION events Windows Endpoint via Chronicle Forwarder CrowdStrike Falcon via Chronicle Integration

Required Tables

NETWORK_CONNECTION (UDM event type)

False Positives

Tor Browser legitimately connects on ports 9050 and 9150 — if Tor usage is authorized, add the Tor Browser process path to the exclusion regex
Enterprise network management platforms using ICMP for circuit-level testing and path MTU discovery when run under custom monitoring agent process names
Custom UDP-based real-time applications such as game server clients, proprietary telemetry collectors, or industrial IoT sensors communicating on non-standard high UDP ports

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "NetworkConnectIP4"
| RemotePort := parseFloat(RemotePort)
| lower(ImageFileName, as="process_lower")
// Signal 1: SOCKS proxy port connection from non-browser process
| case {
    RemotePort in (1080, 1081, 4145, 9050, 9051, 9150, 8118, 9999, 1082, 1083, 3128)
      and not match(field=process_lower, regex="chrome|firefox|msedge|opera|brave|tor\.exe|proxifier")
    | is_socks := "true" ;
    * | is_socks := "false"
  }
// Signal 2: Unusual outbound UDP to non-standard ports
| case {
    Protocol = "UDP"
      and not RemotePort in (53, 67, 68, 123, 161, 162, 443, 500, 4500, 5353, 5355, 51820, 1194, 3478, 3479, 8801, 8802, 19302, 19303)
      and not match(field=process_lower, regex="svchost\.exe|lsass\.exe|chrome\.exe|firefox\.exe|msedge\.exe|teams\.exe|zoom\.exe|slack\.exe|skype\.exe|discord\.exe|avast\.exe|msmpeng\.exe")
    | is_unusual_udp := "true" ;
    * | is_unusual_udp := "false"
  }
// Signal 3: ICMP from non-ping utility
| case {
    Protocol = "ICMP"
      and not match(field=process_lower, regex="ping\.exe|tracert\.exe|pathping\.exe|fping|hping")
    | is_unexpected_icmp := "true" ;
    * | is_unexpected_icmp := "false"
  }
| where is_socks = "true" or is_unusual_udp = "true" or is_unexpected_icmp = "true"
| case {
    is_unexpected_icmp = "true" and is_socks = "true" | risk_score := 95 ;
    is_unexpected_icmp = "true"                       | risk_score := 85 ;
    is_socks = "true"                                 | risk_score := 75 ;
    is_unusual_udp = "true"                           | risk_score := 60 ;
    *                                                 | risk_score := 50
  }
| case {
    is_socks = "true"          | detection_signal := concat("SOCKS_Proxy_Port_", string(RemotePort)) ;
    is_unexpected_icmp = "true" | detection_signal := "ICMP_From_Unexpected_Process" ;
    is_unusual_udp = "true"    | detection_signal := concat("Unusual_UDP_Port_", string(RemotePort)) ;
    *                          | detection_signal := "Unknown"
  }
| select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, RemoteAddressIP4, RemotePort, Protocol, LocalAddressIP4, LocalPort, detection_signal, risk_score])
| sort(field=risk_score, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike LogScale (Humio) Falcon Insight XDR Network Telemetry

Required Tables

NetworkConnectIP4 NetworkConnectIP6

False Positives

Authorized red team or penetration testing engagements using Cobalt Strike, Sliver, or Metasploit with SOCKS proxy pivoting will trigger SOCKS port detection — validate against change management records
SSH dynamic port forwarding (ssh -D) creates a local SOCKS listener; the SSH client process connecting to the remote server will appear as an outbound connection on port 22 but the forwarded traffic through the SOCKS listener may generate secondary NetworkConnectIP4 events
CrowdStrike Falcon sensor itself and other security tool agents may periodically generate network connections on unusual ports during cloud sync, threat intelligence lookups, or update checks under their own process names

Last updated: 2026-04-13 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1095 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Non-Application Layer Protocol

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Command and Control

Popular Detections