T1095 Elastic Security · Elastic

Detect Non-Application Layer Protocol in Elastic Security

Adversaries may use OSI non-application layer protocols for C2 communications to evade network defenses that focus on application-layer monitoring. This includes ICMP tunneling (embedding C2 data in ping request/reply payloads), raw UDP sockets that bypass application-layer fingerprinting, SOCKS proxy chaining to obscure true traffic routing and destination, and custom binary protocols over raw TCP connections. ICMP is required in all IP-compatible host implementations but is significantly undermonitored compared to TCP and UDP application protocols, making it an attractive covert channel. Notable threat actors leveraging this technique include Gamaredon Group using SOCKS5 over port 9050, APT32's WINDSHIELD malware using TCP raw sockets, TSCookie (BlackTech) and Anchor (TrickBot infrastructure) using ICMP for C2, and PlugX being configured for raw TCP or UDP. FRP (a popular proxy tool) supports TCP, KCP, QUIC, and UDP multiplexing. In ESXi environments, adversaries may use the Virtual Machine Communication Interface (VMCI) to create covert channels between guest VMs and the ESXi host that are invisible to external network monitoring tools including tcpdump, netstat, nmap, and Wireshark, as documented in Google Cloud's 2023 analysis of UNC3886.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1095 Non-Application Layer Protocol
Canonical reference
https://attack.mitre.org/techniques/T1095/

Elastic Detection Query

Elastic Security (Elastic)
eql 
network where event.category == "network" and event.type in ("connection", "start") and
(
  (
    destination.port in (1080, 1081, 4145, 9050, 9051, 9150, 8118, 9999, 1082, 1083, 3128) and
    not process.name regex "(?i)(?:chrome|firefox|msedge|opera|brave|tor|proxifier)\.exe"
  ) or
  (
    network.transport == "icmp" and
    not process.name regex "(?i)(?:ping|tracert|pathping|fping|hping)(?:\.exe)?"
  ) or
  (
    network.transport == "udp" and
    not destination.port in (53, 67, 68, 123, 161, 162, 443, 500, 4500, 5353, 5355, 51820, 1194, 3478, 3479, 8801, 8802, 19302, 19303) and
    not process.name regex "(?i)(?:svchost|lsass|chrome|firefox|msedge|teams|zoom|slack|skype|discord|avast|msmpeng)\.exe"
  )
)
high severity high confidence

Detects T1095 Non-Application Layer Protocol C2 via three signals using Elastic ECS network event schema: (1) TCP connections to SOCKS proxy ports from non-browser processes, (2) ICMP network activity initiated by processes other than standard ping/traceroute utilities, and (3) outbound UDP to non-standard ports from non-system processes. Requires Elastic Endpoint Security or Winlogbeat with Sysmon module ingesting network connection events.

Data Sources

Elastic Endpoint SecurityWinlogbeat with Sysmon ModulePacketbeat

Required Tables

logs-endpoint.events.network-*winlogbeat-*packetbeat-*

False Positives & Tuning

  • Security tools and network scanners (nmap, masscan, netcat) legitimately use raw sockets and ICMP for network discovery and may appear as unexpected ICMP or UDP sources
  • VPN clients such as OpenVPN, WireGuard, or corporate VPN agents may use non-standard UDP ports for tunnel negotiation not included in the standard allowlist
  • Development and test environments where custom applications or proxy tools (Burp Suite, Charles Proxy, mitmproxy) connect to local SOCKS listener ports as part of normal developer workflow
Download portable Sigma rule (.yml)

Other platforms for T1095

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1ICMP Large Payload Flood (ICMP Tunnel Simulation)

    Expected signal: Sysmon Event ID 3: Network connections with Protocol=ICMP, DestinationIp=8.8.8.8, Image=C:\Windows\System32\cmd.exe (or ping.exe as child). Windows Security Event ID 5156 (WFP permitted connection) with Protocol=1 (ICMP). Note: This test uses cmd.exe calling ping.exe, so the ICMP processes as ping.exe in most telemetry — to test the unexpected-process signal, replace with a script calling ping from PowerShell or a custom executable context.

  2. Test 2SOCKS5 Proxy Connection via PowerShell (Gamaredon-style)

    Expected signal: Sysmon Event ID 3: Network Connection with Image=powershell.exe, DestinationIp=127.0.0.1, DestinationPort=9050, Protocol=tcp. Windows Security Event ID 5156 (WFP) for the connection attempt. The connection will fail with a refused error but the event fires before the refusal. For external SOCKS detection, substitute 127.0.0.1 with any public test IP.

  3. Test 3Custom UDP Beacon to Non-Standard Port (Raw UDP C2 Simulation)

    Expected signal: Sysmon Event ID 3: 20 network connection events with Image=python3.exe (or python.exe), Protocol=udp, DestinationIp=8.8.8.8, DestinationPort=4444. Windows Filtering Platform Event ID 5156 for each UDP send. Note: UDP packets to 8.8.8.8:4444 will be dropped by Google but the outbound events still fire.

  4. Test 4ICMP Tunnel Tool Execution (ptunnel-ng simulation on Linux)

    Expected signal: auditd SYSCALL records for socket() with AF_INET and SOCK_RAW type (raw socket creation). syslog/kern.log: ICMP outbound traffic from hping3 process. If Zeek is deployed on network: icmp.log entries with unusual payload length (64 bytes + ICMP header) and high frequency (2 packets/second). Linux /proc/net/icmp shows active ICMP sockets during execution.

  5. Test 5SOCKS5 Proxy Connection via Netcat (Unix)

    Expected signal: auditd SYSCALL: connect() syscall from ncat process to 127.0.0.1:9050. If SOCKS proxy is listening, a subsequent connection to example.com:80 is initiated. syslog: ncat network activity. Linux endpoint agent (Elastic Agent, Falcon sensor): network connection event with destination port 9050.

Last updated: 2026-04-13 Research depth: deep
References (13)

Unlock Pro Content

Get the full detection package for T1095 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1071Application Layer ProtocolT1090ProxyT1090.001Internal ProxyT1572Protocol TunnelingT1001Data ObfuscationT1573Encrypted ChannelT1041Exfiltration Over C2 ChannelT1205.002Socket FiltersT1548Abuse Elevation Control Mechanism

Same Tactic: Command and Control

Popular Detections