Detect Non-Application Layer Protocol in CrowdStrike LogScale
Adversaries may use OSI non-application layer protocols for C2 communications to evade network defenses that focus on application-layer monitoring. This includes ICMP tunneling (embedding C2 data in ping request/reply payloads), raw UDP sockets that bypass application-layer fingerprinting, SOCKS proxy chaining to obscure true traffic routing and destination, and custom binary protocols over raw TCP connections. ICMP is required in all IP-compatible host implementations but is significantly undermonitored compared to TCP and UDP application protocols, making it an attractive covert channel. Notable threat actors leveraging this technique include Gamaredon Group using SOCKS5 over port 9050, APT32's WINDSHIELD malware using TCP raw sockets, TSCookie (BlackTech) and Anchor (TrickBot infrastructure) using ICMP for C2, and PlugX being configured for raw TCP or UDP. FRP (a popular proxy tool) supports TCP, KCP, QUIC, and UDP multiplexing. In ESXi environments, adversaries may use the Virtual Machine Communication Interface (VMCI) to create covert channels between guest VMs and the ESXi host that are invisible to external network monitoring tools including tcpdump, netstat, nmap, and Wireshark, as documented in Google Cloud's 2023 analysis of UNC3886.
MITRE ATT&CK
- Tactic: Command and Control
- Technique: T1095 Non-Application Layer Protocol
- Canonical reference: https://attack.mitre.org/techniques/T1095/
LogScale Detection Query
#event_simpleName = "NetworkConnectIP4"
// RemotePort is compared as a string by in(), so no numeric conversion is needed
| lower(ImageFileName, as="process_lower")
// Signal 1: SOCKS proxy port connection from non-browser process
| case {
  in(field="RemotePort", values=["1080", "1081", "1082", "1083", "3128", "4145", "8118", "9050", "9051", "9150", "9999"])
  and process_lower != /chrome|firefox|msedge|opera|brave|tor\.exe|proxifier/
  | is_socks := "true" ;
  * | is_socks := "false"
}
// Signal 2: Unusual outbound UDP to non-standard ports
| case {
  Protocol = "UDP"
  and not in(field="RemotePort", values=["53", "67", "68", "123", "161", "162", "443", "500", "4500", "5353", "5355", "51820", "1194", "3478", "3479", "8801", "8802", "19302", "19303"])
  and process_lower != /svchost\.exe|lsass\.exe|chrome\.exe|firefox\.exe|msedge\.exe|teams\.exe|zoom\.exe|slack\.exe|skype\.exe|discord\.exe|avast\.exe|msmpeng\.exe/
  | is_unusual_udp := "true" ;
  * | is_unusual_udp := "false"
}
// Signal 3: ICMP from non-ping utility
| case {
  Protocol = "ICMP"
  and process_lower != /ping\.exe|tracert\.exe|pathping\.exe|fping|hping/
  | is_unexpected_icmp := "true" ;
  * | is_unexpected_icmp := "false"
}
// Keep only events that raised at least one signal
| is_socks = "true" or is_unusual_udp = "true" or is_unexpected_icmp = "true"
// Risk scoring: highest-confidence combination first
| case {
  is_unexpected_icmp = "true" and is_socks = "true" | risk_score := 95 ;
  is_unexpected_icmp = "true" | risk_score := 85 ;
  is_socks = "true" | risk_score := 75 ;
  is_unusual_udp = "true" | risk_score := 60 ;
  * | risk_score := 50
}
// Human-readable signal label (format() builds the string from the port field)
| case {
  is_socks = "true" | format("SOCKS_Proxy_Port_%s", field=[RemotePort], as="detection_signal") ;
  is_unexpected_icmp = "true" | detection_signal := "ICMP_From_Unexpected_Process" ;
  is_unusual_udp = "true" | format("Unusual_UDP_Port_%s", field=[RemotePort], as="detection_signal") ;
  * | detection_signal := "Unknown"
}
| select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, RemoteAddressIP4, RemotePort, Protocol, LocalAddressIP4, LocalPort, detection_signal, risk_score])
| sort(field=risk_score, order=desc, type=number)

CrowdStrike LogScale query using Falcon NetworkConnectIP4 events to detect T1095 Non-Application Layer Protocol C2. It evaluates three risk-scored signals: TCP connections to SOCKS proxy ports from non-browser processes, ICMP from processes other than the standard ping/traceroute utilities, and outbound UDP on non-standard ports from non-system processes. LogScale case blocks perform the signal classification and risk scoring. Requires Falcon Insight XDR with network telemetry enabled.
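To check the scoring logic before deploying the query, the three signals can be re-implemented outside LogScale and run over sample events. The Python below is an added example, not code from the original page or from CrowdStrike: it mirrors the port lists, process regexes, risk tiers and signal labels of the query above, and runs them over constructed NetworkConnectIP4-style records (field names follow Falcon telemetry, the values are made up), including the Test 2 and Test 3 shapes from the Testing Methodology section and the benign cases the exclusions are meant to suppress.

```python
"""
Added example: offline re-implementation of the three-signal T1095 logic
from the LogScale query, for validating the scoring against sample events.
The events below are constructed, not real sensor data.
"""
import re

# Port lists copied from the LogScale query
SOCKS_PORTS = {1080, 1081, 1082, 1083, 3128, 4145, 8118, 9050, 9051, 9150, 9999}
EXPECTED_UDP_PORTS = {53, 67, 68, 123, 161, 162, 443, 500, 4500, 5353, 5355,
                      51820, 1194, 3478, 3479, 8801, 8802, 19302, 19303}

# Process exclusions, applied to the lower-cased image path like lower() in the query
BROWSER_OR_PROXY_RE = re.compile(r"chrome|firefox|msedge|opera|brave|tor\.exe|proxifier")
SYSTEM_UDP_RE = re.compile(r"svchost\.exe|lsass\.exe|chrome\.exe|firefox\.exe|msedge\.exe|"
                           r"teams\.exe|zoom\.exe|slack\.exe|skype\.exe|discord\.exe|"
                           r"avast\.exe|msmpeng\.exe")
PING_TOOLS_RE = re.compile(r"ping\.exe|tracert\.exe|pathping\.exe|fping|hping")


def classify(event):
    """Return a detection record for one NetworkConnectIP4 event, or None if no signal fires."""
    proc = event["ImageFileName"].lower()
    port = int(event["RemotePort"])
    proto = event["Protocol"]

    is_socks = port in SOCKS_PORTS and not BROWSER_OR_PROXY_RE.search(proc)
    is_unusual_udp = (proto == "UDP" and port not in EXPECTED_UDP_PORTS
                      and not SYSTEM_UDP_RE.search(proc))
    is_unexpected_icmp = proto == "ICMP" and not PING_TOOLS_RE.search(proc)

    if not (is_socks or is_unusual_udp or is_unexpected_icmp):
        return None

    # Risk tiers in the same order as the query's case block
    if is_unexpected_icmp and is_socks:
        risk = 95
    elif is_unexpected_icmp:
        risk = 85
    elif is_socks:
        risk = 75
    elif is_unusual_udp:
        risk = 60
    else:
        risk = 50

    if is_socks:
        signal = f"SOCKS_Proxy_Port_{port}"
    elif is_unexpected_icmp:
        signal = "ICMP_From_Unexpected_Process"
    elif is_unusual_udp:
        signal = f"Unusual_UDP_Port_{port}"
    else:
        signal = "Unknown"

    return {"ComputerName": event.get("ComputerName", ""),
            "ImageFileName": event["ImageFileName"],
            "RemotePort": port, "Protocol": proto,
            "detection_signal": signal, "risk_score": risk}


def run(events):
    """Classify every event and return the hits sorted by risk_score descending."""
    hits = [h for h in (classify(e) for e in events) if h]
    return sorted(hits, key=lambda h: h["risk_score"], reverse=True)


# Constructed sample events (ICMP events carry RemotePort 0 here by assumption)
SAMPLE_EVENTS = [
    # Test 2 shape: PowerShell to a local SOCKS port -> SOCKS signal
    {"ComputerName": "WS01", "ImageFileName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "RemoteAddressIP4": "127.0.0.1", "RemotePort": "9050", "Protocol": "TCP"},
    # Browser to the same port -> excluded by the non-browser filter
    {"ComputerName": "WS01", "ImageFileName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "RemoteAddressIP4": "127.0.0.1", "RemotePort": "9050", "Protocol": "TCP"},
    # ICMP from an unknown binary in a temp directory -> ICMP signal
    {"ComputerName": "WS02", "ImageFileName": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "RemoteAddressIP4": "8.8.8.8", "RemotePort": "0", "Protocol": "ICMP"},
    # ICMP from ping.exe (mixed case path, handled by lower()) -> no signal
    {"ComputerName": "WS02", "ImageFileName": r"C:\Windows\System32\PING.EXE",
     "RemoteAddressIP4": "8.8.8.8", "RemotePort": "0", "Protocol": "ICMP"},
    # Test 3 shape: Python sending UDP to port 4444 -> unusual UDP signal
    {"ComputerName": "WS03", "ImageFileName": r"C:\Python312\python.exe",
     "RemoteAddressIP4": "8.8.8.8", "RemotePort": "4444", "Protocol": "UDP"},
    # svchost on the same port -> excluded as a system process
    {"ComputerName": "WS03", "ImageFileName": r"C:\Windows\System32\svchost.exe",
     "RemoteAddressIP4": "10.0.0.5", "RemotePort": "4444", "Protocol": "UDP"},
    # Ordinary DNS -> port is on the expected list
    {"ComputerName": "WS03", "ImageFileName": r"C:\Windows\System32\svchost.exe",
     "RemoteAddressIP4": "10.0.0.2", "RemotePort": "53", "Protocol": "UDP"},
]

if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print(hit["risk_score"], hit["detection_signal"], hit["ImageFileName"])
```

Running it yields three hits ordered 85, 75, 60 (ICMP from update.exe, the PowerShell SOCKS connection, the Python UDP beacon) and suppresses the browser, ping.exe, svchost and DNS cases. Note that the 95 tier is only reachable when the same event carries both the ICMP and SOCKS flags; since the SOCKS condition does not check Protocol, that depends on what the sensor reports in RemotePort for ICMP events.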
False Positives & Tuning
- Authorized red team or penetration testing engagements using Cobalt Strike, Sliver, or Metasploit with SOCKS proxy pivoting will trigger SOCKS port detection — validate against change management records
- SSH dynamic port forwarding (ssh -D) creates a local SOCKS listener; the SSH client process connecting to the remote server will appear as an outbound connection on port 22 but the forwarded traffic through the SOCKS listener may generate secondary NetworkConnectIP4 events
- CrowdStrike Falcon sensor itself and other security tool agents may periodically generate network connections on unusual ports during cloud sync, threat intelligence lookups, or update checks under their own process names
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: ICMP Large Payload Flood (ICMP Tunnel Simulation)
Expected signal: Sysmon Event ID 3: Network connections with Protocol=ICMP, DestinationIp=8.8.8.8, Image=C:\Windows\System32\cmd.exe (or ping.exe as child). Windows Security Event ID 5156 (WFP permitted connection) with Protocol=1 (ICMP). Note: This test uses cmd.exe calling ping.exe, so the ICMP traffic is attributed to ping.exe in most telemetry; to exercise the unexpected-process signal, replace it with a script calling ping from PowerShell or a custom executable context.
- Test 2: SOCKS5 Proxy Connection via PowerShell (Gamaredon-style)
Expected signal: Sysmon Event ID 3: Network Connection with Image=powershell.exe, DestinationIp=127.0.0.1, DestinationPort=9050, Protocol=tcp. Windows Security Event ID 5156 (WFP) for the connection attempt. The connection will fail with a refused error, but the event fires before the refusal. For external SOCKS detection, substitute 127.0.0.1 with any public test IP.
- Test 3: Custom UDP Beacon to Non-Standard Port (Raw UDP C2 Simulation)
Expected signal: Sysmon Event ID 3: 20 network connection events with Image=python3.exe (or python.exe), Protocol=udp, DestinationIp=8.8.8.8, DestinationPort=4444. Windows Filtering Platform Event ID 5156 for each UDP send. Note: UDP packets to 8.8.8.8:4444 will be dropped by Google, but the outbound events still fire.
- Test 4: ICMP Tunnel Tool Execution (ptunnel-ng simulation on Linux)
Expected signal: auditd SYSCALL records for socket() with AF_INET and SOCK_RAW type (raw socket creation). syslog/kern.log: ICMP outbound traffic from the hping3 process. If Zeek is deployed on the network: icmp.log entries with unusual payload length (64 bytes + ICMP header) and high frequency (2 packets/second). Linux /proc/net/icmp shows active ICMP sockets during execution.
- Test 5: SOCKS5 Proxy Connection via Netcat (Unix)
Expected signal: auditd SYSCALL: connect() syscall from the ncat process to 127.0.0.1:9050. If a SOCKS proxy is listening, a subsequent connection to example.com:80 is initiated. syslog: ncat network activity. Linux endpoint agent (Elastic Agent, Falcon sensor): network connection event with destination port 9050.
References
- https://attack.mitre.org/techniques/T1095/
- https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/
- https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
- http://support.microsoft.com/KB/170292
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://symantec-enterprise-blogs.security.com/threat-intelligence/shuckworm-ukraine-usb-worm
- https://www.cybereason.com/blog/the-anchor-project-and-trickbot-linking-c2-infrastructure
- https://github.com/esnet/iperf
- https://nmap.org/ncat/
- https://github.com/jamesbarlow/icmptunnel
- https://unit42.paloaltonetworks.com/unit42-oceanlotus-apt32-rc4-backdoor-custom-loader-cyberattack/
- https://www.welivesecurity.com/2021/06/10/gelsemium-when-threat-actors-go-gardening/
- https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954