Detect Non-Application Layer Protocol in Google Chronicle
Adversaries may use OSI non-application layer protocols for C2 communications to evade network defenses that focus on application-layer monitoring. This includes ICMP tunneling (embedding C2 data in ping request/reply payloads), raw UDP sockets that bypass application-layer fingerprinting, SOCKS proxy chaining to obscure true traffic routing and destination, and custom binary protocols over raw TCP connections. ICMP is required in all IP-compatible host implementations but is significantly undermonitored compared to TCP and UDP application protocols, making it an attractive covert channel. Notable threat actors leveraging this technique include Gamaredon Group using SOCKS5 over port 9050, APT32's WINDSHIELD malware using TCP raw sockets, TSCookie (BlackTech) and Anchor (TrickBot infrastructure) using ICMP for C2, and PlugX being configured for raw TCP or UDP. FRP (a popular proxy tool) supports TCP, KCP, QUIC, and UDP multiplexing. In ESXi environments, adversaries may use the Virtual Machine Communication Interface (VMCI) to create covert channels between guest VMs and the ESXi host that are invisible to external network monitoring tools including tcpdump, netstat, nmap, and Wireshark, as documented in Google Cloud's 2023 analysis of UNC3886.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1095 Non-Application Layer Protocol
- Canonical reference
- https://attack.mitre.org/techniques/T1095/
YARA-L Detection Query
rule t1095_non_application_layer_protocol_c2 {
meta:
author = "Detection Engineering"
description = "Detects C2 via non-application layer protocols: SOCKS proxy port connections, unexpected ICMP, and anomalous outbound UDP. MITRE ATT&CK T1095 - Non-Application Layer Protocol."
mitre_attack_tactic = "Command and Control"
mitre_attack_technique = "T1095"
severity = "HIGH"
priority = "HIGH"
events:
$e.metadata.event_type = "NETWORK_CONNECTION"
(
// Signal 1: TCP connection to SOCKS proxy ports from non-browser process
(
$e.target.port in (1080, 1081, 4145, 9050, 9051, 9150, 8118, 9999, 1082, 1083, 3128) and
$e.network.ip_protocol = "TCP" and
not re.regex($e.principal.process.file.full_path, `(?i)(?:chrome|firefox|msedge|opera|brave|tor\.exe|proxifier)`)
)
or
// Signal 2: ICMP from a process other than standard ping/trace utilities
(
$e.network.ip_protocol = "ICMP" and
not re.regex($e.principal.process.file.full_path, `(?i)(?:ping\.exe|tracert\.exe|pathping\.exe|fping|hping)`)
)
or
// Signal 3: Outbound UDP to non-standard ports from non-system processes
(
$e.network.ip_protocol = "UDP" and
not $e.target.port in (53, 67, 68, 123, 161, 162, 443, 500, 4500, 5353, 5355, 51820, 1194, 3478, 3479, 8801, 8802, 19302, 19303) and
not re.regex($e.principal.process.file.full_path, `(?i)(?:svchost\.exe|lsass\.exe|chrome\.exe|firefox\.exe|msedge\.exe|teams\.exe|zoom\.exe|slack\.exe|skype\.exe|discord\.exe|avast\.exe|msmpeng\.exe)`)
)
)
outcome:
$hostname = $e.principal.hostname
$process_path = $e.principal.process.file.full_path
$cmdline = $e.principal.process.command_line
$parent_process = $e.principal.process.parent_process.file.full_path
$dest_ip = $e.target.ip
$dest_port = $e.target.port
$ip_protocol = $e.network.ip_protocol
$username = $e.principal.user.userid
$bytes_sent = sum($e.network.sent_bytes)
$bytes_received = sum($e.network.received_bytes)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting T1095 Non-Application Layer Protocol C2 using UDM NETWORK_CONNECTION events. Three signals are evaluated: TCP connections to known SOCKS proxy ports from non-browser processes, ICMP activity from non-standard initiating processes, and outbound UDP to non-standard ports from non-system processes. Outcome block captures process, network, and user context for analyst triage. Compatible with Chronicle UDM events sourced from Windows endpoint telemetry, EDR connectors, and network flow data.
Data Sources
Required Tables
False Positives & Tuning
- Tor Browser legitimately connects on ports 9050 and 9150 — if Tor usage is authorized, add the Tor Browser process path to the exclusion regex
- Enterprise network management platforms using ICMP for circuit-level testing and path MTU discovery when run under custom monitoring agent process names
- Custom UDP-based real-time applications such as game server clients, proprietary telemetry collectors, or industrial IoT sensors communicating on non-standard high UDP ports
Other platforms for T1095
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1ICMP Large Payload Flood (ICMP Tunnel Simulation)
Expected signal: Sysmon Event ID 3: Network connections with Protocol=ICMP, DestinationIp=8.8.8.8, Image=C:\Windows\System32\cmd.exe (or ping.exe as child). Windows Security Event ID 5156 (WFP permitted connection) with Protocol=1 (ICMP). Note: This test uses cmd.exe calling ping.exe, so the ICMP processes as ping.exe in most telemetry — to test the unexpected-process signal, replace with a script calling ping from PowerShell or a custom executable context.
- Test 2SOCKS5 Proxy Connection via PowerShell (Gamaredon-style)
Expected signal: Sysmon Event ID 3: Network Connection with Image=powershell.exe, DestinationIp=127.0.0.1, DestinationPort=9050, Protocol=tcp. Windows Security Event ID 5156 (WFP) for the connection attempt. The connection will fail with a refused error but the event fires before the refusal. For external SOCKS detection, substitute 127.0.0.1 with any public test IP.
- Test 3Custom UDP Beacon to Non-Standard Port (Raw UDP C2 Simulation)
Expected signal: Sysmon Event ID 3: 20 network connection events with Image=python3.exe (or python.exe), Protocol=udp, DestinationIp=8.8.8.8, DestinationPort=4444. Windows Filtering Platform Event ID 5156 for each UDP send. Note: UDP packets to 8.8.8.8:4444 will be dropped by Google but the outbound events still fire.
- Test 4ICMP Tunnel Tool Execution (ptunnel-ng simulation on Linux)
Expected signal: auditd SYSCALL records for socket() with AF_INET and SOCK_RAW type (raw socket creation). syslog/kern.log: ICMP outbound traffic from hping3 process. If Zeek is deployed on network: icmp.log entries with unusual payload length (64 bytes + ICMP header) and high frequency (2 packets/second). Linux /proc/net/icmp shows active ICMP sockets during execution.
- Test 5SOCKS5 Proxy Connection via Netcat (Unix)
Expected signal: auditd SYSCALL: connect() syscall from ncat process to 127.0.0.1:9050. If SOCKS proxy is listening, a subsequent connection to example.com:80 is initiated. syslog: ncat network activity. Linux endpoint agent (Elastic Agent, Falcon sensor): network connection event with destination port 9050.
References (13)
- https://attack.mitre.org/techniques/T1095/
- https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/
- https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
- http://support.microsoft.com/KB/170292
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://symantec-enterprise-blogs.security.com/threat-intelligence/shuckworm-ukraine-usb-worm
- https://www.cybereason.com/blog/the-anchor-project-and-trickbot-linking-c2-infrastructure
- https://github.com/esnet/iperf
- https://nmap.org/ncat/
- https://github.com/jamesbarlow/icmptunnel
- https://unit42.paloaltonetworks.com/unit42-oceanlotus-apt32-rc4-backdoor-custom-loader-cyberattack/
- https://www.welivesecurity.com/2021/06/10/gelsemium-when-threat-actors-go-gardening/
- https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
Unlock Pro Content
Get the full detection package for T1095 including response playbook, investigation guide, and atomic red team tests.