
Detect Non-Application Layer Protocol in IBM QRadar

Adversaries may use OSI non-application layer protocols for C2 communications to evade network defenses that focus on application-layer monitoring. This includes ICMP tunneling (C2 data carried in echo request/reply payloads), raw UDP sockets that sidestep application-layer fingerprinting, SOCKS proxy chaining to obscure the true route and destination of traffic, and custom binary protocols over raw TCP connections. Every IP host must implement ICMP (RFC 792), yet it is monitored far less closely than TCP and UDP application traffic, which makes it an attractive covert channel.

Notable threat actors leveraging this technique include Gamaredon Group using SOCKS5 over port 9050, APT32's WINDSHIELD malware using TCP raw sockets, TSCookie (BlackTech) and Anchor (TrickBot infrastructure) using ICMP for C2, and PlugX being configured for raw TCP or UDP. FRP (a popular proxy tool) supports TCP, KCP, QUIC, and UDP multiplexing.

In ESXi environments, adversaries may use the Virtual Machine Communication Interface (VMCI) to create covert channels between guest VMs and the ESXi host that never touch a network interface and are therefore invisible to tcpdump, netstat, nmap, and Wireshark, as documented in Google Cloud's 2023 analysis of UNC3886.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1095 Non-Application Layer Protocol
Canonical reference
https://attack.mitre.org/techniques/T1095/

QRadar Detection Query

IBM QRadar (QRadar)
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    sourceip,
    destinationip,
    destinationport,
    PROTOCOLNAME(protocolid) AS protocol,
    username,
    "Application" AS process_name,
    LOGSOURCENAME(logsourceid) AS log_source,
    CASE
        WHEN protocolid = 1
             AND NOT ("Application" IMATCHES '.*(ping|tracert|pathping|fping|hping).*')
        THEN 85
        WHEN protocolid = 6
             AND destinationport IN (1080, 1081, 1082, 1083, 3128, 4145, 8118, 9050, 9051, 9150, 9999)
             AND NOT ("Application" IMATCHES '.*(chrome|firefox|msedge|opera|brave|tor|proxifier).*')
        THEN 75
        WHEN protocolid = 17
             AND destinationport NOT IN (53, 67, 68, 123, 161, 162, 443, 500, 1194, 3478, 3479, 4500, 5353, 5355, 8801, 8802, 19302, 19303, 51820)
             AND NOT ("Application" IMATCHES '.*(svchost|lsass|chrome|firefox|msedge|teams|zoom|slack|skype|discord|avast|msmpeng).*')
        THEN 60
        ELSE 50
    END AS risk_score,
    CASE
        WHEN protocolid = 1
             AND NOT ("Application" IMATCHES '.*(ping|tracert|pathping|fping|hping).*')
        THEN 'ICMP_From_Unexpected_Process'
        WHEN protocolid = 6
             AND destinationport IN (1080, 1081, 1082, 1083, 3128, 4145, 8118, 9050, 9051, 9150, 9999)
             AND NOT ("Application" IMATCHES '.*(chrome|firefox|msedge|opera|brave|tor|proxifier).*')
        THEN CONCAT('SOCKS_Proxy_Port_', STR(destinationport))
        WHEN protocolid = 17
             AND destinationport NOT IN (53, 67, 68, 123, 161, 162, 443, 500, 1194, 3478, 3479, 4500, 5353, 5355, 8801, 8802, 19302, 19303, 51820)
        THEN CONCAT('Unusual_UDP_Port_', STR(destinationport))
        ELSE 'Unknown'
    END AS detection_signal
FROM events
WHERE
    devicetype IN (13, 45, 96)
    AND (
        (
            protocolid = 6
            AND destinationport IN (1080, 1081, 1082, 1083, 3128, 4145, 8118, 9050, 9051, 9150, 9999)
            AND NOT ("Application" IMATCHES '.*(chrome|firefox|msedge|opera|brave|tor|proxifier).*')
        )
        OR
        (
            protocolid = 1
            AND NOT ("Application" IMATCHES '.*(ping|tracert|pathping|fping|hping).*')
        )
        OR
        (
            protocolid = 17
            AND destinationport NOT IN (53, 67, 68, 123, 161, 162, 443, 500, 1194, 3478, 3479, 4500, 5353, 5355, 8801, 8802, 19302, 19303, 51820)
            AND NOT ("Application" IMATCHES '.*(svchost|lsass|chrome|firefox|msedge|teams|zoom|slack|skype|discord|avast|msmpeng).*')
        )
    )
ORDER BY risk_score DESC, devicetime DESC
LAST 24 HOURS
Severity: high. Confidence: medium.

QRadar AQL query detecting T1095 Non-Application Layer Protocol C2 against the events table for Windows Security Event Log and Sysmon log sources. It keys on protocolid (1 = ICMP, 6 = TCP, 17 = UDP) and the "Application" (process image) property to raise three signals: TCP connections to common SOCKS/proxy ports from non-browser processes, ICMP from anything other than the usual ping utilities, and outbound UDP to ports outside an allowlist from non-system processes. ICMP carries no port, so the ICMP branch is scored on protocol and process alone. The log source type IDs (13, 45, 96) in the WHERE clause are placeholders and must be replaced with the IDs of your Windows Security and Sysmon DSMs (LOGSOURCETYPENAME(devicetype) resolves them). Two points matter when deploying it: Sysmon Event ID 3 records TCP and UDP only, so the ICMP branch is fed solely by Security Event ID 5156, which only exists when success auditing for the Filtering Platform Connection subcategory is enabled; and the CASE expressions compute risk_score and detection_signal in the result set, so if your QRadar release rejects CASE in AQL, run the WHERE clause alone and assign severity in the rule.
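To see the three branches fire without a QRadar instance, here is an added Python example (written for this page; it is not code from the page, from IBM, or from Sysmon) that normalises constructed Sysmon Event ID 3 and Security Event ID 5156 records into the protocolid, destinationport and "Application" fields the query reads, then applies the same scores and allowlists. The sample records line up with tests 1 to 3 of the testing methodology below. Assumptions: the EventData element names follow what Windows writes to EVTX (Image/Protocol/DestinationPort for Sysmon, Application/Protocol/DestPort for WFP), and a 5156 ICMP record is treated as having port 0.

```python
# Added example (not the page's, IBM's or Sysmon's code): a Python mirror of the AQL
# branches above so they can be exercised offline against constructed records.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Port lists and process allowlists copied from the AQL.
SOCKS_PORTS = {1080, 1081, 1082, 1083, 3128, 4145, 8118, 9050, 9051, 9150, 9999}
UDP_ALLOWED = {53, 67, 68, 123, 161, 162, 443, 500, 1194, 3478, 3479, 4500,
               5353, 5355, 8801, 8802, 19302, 19303, 51820}
PING_TOOLS = ("ping", "tracert", "pathping", "fping", "hping")
BROWSERS = ("chrome", "firefox", "msedge", "opera", "brave", "tor", "proxifier")
UDP_BENIGN = ("svchost", "lsass", "chrome", "firefox", "msedge", "teams", "zoom",
              "slack", "skype", "discord", "avast", "msmpeng")
SYSMON_PROTO = {"tcp": 6, "udp": 17}   # Sysmon EID 3 never carries ICMP


def _matches_any(app, needles):
    """Substring wildcard, the same semantics as '.*x.*' in the query."""
    app = app.lower()
    return any(n in app for n in needles)


def parse_event(xml_text):
    """Normalise one EVTX-style record to the fields the AQL reads."""
    root = ET.fromstring(xml_text)
    eid = int(root.find(".//e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall(".//e:EventData/e:Data", NS)}
    if eid == 3:        # Sysmon: Protocol is a name, Image is the process path
        proto = SYSMON_PROTO[data["Protocol"].lower()]
        app, port = data["Image"], int(data.get("DestinationPort") or 0)
    elif eid == 5156:   # WFP: Protocol is the IANA number; ICMP has no port (assumed 0)
        proto = int(data["Protocol"])
        app, port = data["Application"], int(data.get("DestPort") or 0)
    else:
        raise ValueError(f"unsupported EventID {eid}")
    return {"eventid": eid, "protocolid": proto, "destinationport": port, "application": app}


def classify(ev):
    """Return (risk_score, detection_signal) or None, mirroring the AQL CASE branches."""
    proto, port, app = ev["protocolid"], ev["destinationport"], ev["application"]
    if proto == 1 and not _matches_any(app, PING_TOOLS):
        return 85, "ICMP_From_Unexpected_Process"
    if proto == 6 and port in SOCKS_PORTS and not _matches_any(app, BROWSERS):
        return 75, f"SOCKS_Proxy_Port_{port}"
    if proto == 17 and port not in UDP_ALLOWED and not _matches_any(app, UDP_BENIGN):
        return 60, f"Unusual_UDP_Port_{port}"
    return None


def _evtx(eid, **fields):
    """Build a minimal constructed record; real EVTX carries many more elements."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")


# Constructed samples: one per test 1-3 of the methodology, plus two benign controls.
SAMPLES = [
    _evtx(3, Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          Protocol="tcp", DestinationIp="127.0.0.1", DestinationPort="9050"),
    _evtx(5156, Application=r"\device\harddiskvolume3\windows\system32\windowspowershell\v1.0\powershell.exe",
          Protocol="1", DestAddress="8.8.8.8", DestPort="0"),
    _evtx(5156, Application=r"\device\harddiskvolume3\windows\system32\ping.exe",
          Protocol="1", DestAddress="8.8.8.8", DestPort="0"),
    _evtx(3, Image=r"C:\Python311\python.exe",
          Protocol="udp", DestinationIp="8.8.8.8", DestinationPort="4444"),
    _evtx(3, Image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          Protocol="udp", DestinationIp="142.250.72.78", DestinationPort="443"),
]


def run(samples=SAMPLES):
    """Rows the query would return, ordered like the AQL (risk_score DESC)."""
    rows = []
    for xml_text in samples:
        ev = parse_event(xml_text)
        hit = classify(ev)
        if hit:
            rows.append((hit[0], ev["application"].rsplit("\\", 1)[-1], hit[1]))
    return sorted(rows, key=lambda r: -r[0])


if __name__ == "__main__":
    for row in run():
        print(row)
```

Running it prints three rows in the order the AQL's ORDER BY would return them. The ping.exe ICMP record and the Chrome UDP/443 record are filtered out, which is exactly why Test 1 as written does not exercise the ICMP signal: the allowlist on the process name suppresses it.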

Data Sources

  • IBM QRadar SIEM
  • Microsoft Windows Security Event Log DSM
  • Microsoft Sysmon DSM

Required Tables

events

False Positives & Tuning

  • Authorized internal penetration testing or red team exercises using SOCKS proxies via Cobalt Strike, Metasploit, or similar frameworks will trigger the SOCKS proxy port signal
  • IoT devices, industrial control systems, and OT network equipment using custom UDP-based protocols or proprietary ICMP-based keepalive/heartbeat mechanisms not on the allowlist
  • Network monitoring and management agents using SNMP traps (UDP 162), custom NMS protocols, or ICMP-based circuit testing from non-standard process names
  • The process allowlists are substring matches against the full image path, so 'tor' also suppresses any path containing that string (a user named victor, a monitor directory) and 'ping' suppresses anything with ping in its name; once the environment's legitimate processes are known, anchor the patterns to the executable basename rather than the bare substring

Testing Methodology

Validate this detection with the five Atomic Red Team-style tests below. Each lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: ICMP Large Payload Flood (ICMP Tunnel Simulation)

    Expected signal: Windows Security Event ID 5156 (WFP permitted connection) with Protocol=1 (ICMP), Application=ping.exe, DestAddress=8.8.8.8; the event only exists when success auditing for the Filtering Platform Connection subcategory is enabled. Sysmon Event ID 3 logs TCP and UDP connections only, so the ICMP traffic does not appear in Sysmon at all; Sysmon Event ID 1 will still show cmd.exe spawning ping.exe. Note: because the ICMP is emitted by ping.exe, the process allowlist suppresses the ICMP_From_Unexpected_Process signal. To exercise it, generate ICMP from a process that is not a ping utility, for example PowerShell's Test-Connection (which in Windows PowerShell 5.1 issues the ICMP through the WMI Win32_PingStatus provider, so expect WmiPrvSE.exe rather than powershell.exe as the Application) or a custom executable.

  2. Test 2: SOCKS5 Proxy Connection via PowerShell (Gamaredon-style)

    Expected signal: Sysmon Event ID 3: Network Connection with Image=powershell.exe, DestinationIp=127.0.0.1, DestinationPort=9050, Protocol=tcp. Windows Security Event ID 5156 (WFP) for the connection attempt. Both events are generated when the connection is initiated (5156 at the WFP permit decision), so they fire even though nothing is listening on 9050 and the connection is refused. For external SOCKS detection, substitute 127.0.0.1 with any public test IP.

  3. Test 3: Custom UDP Beacon to Non-Standard Port (Raw UDP C2 Simulation)

    Expected signal: Sysmon Event ID 3: 20 network connection events with Image=python3.exe (or python.exe), Protocol=udp, DestinationIp=8.8.8.8, DestinationPort=4444. Windows Filtering Platform Event ID 5156 for each UDP send. Note: UDP packets to 8.8.8.8:4444 will be dropped by Google but the outbound events still fire.

  4. Test 4: ICMP Tunnel Tool Execution (ptunnel-ng simulation on Linux)

    Expected signal: auditd SYSCALL records for socket() with AF_INET and type SOCK_RAW (raw socket creation by the hping3 process used to simulate the tunnel). syslog/kern.log: ICMP outbound traffic from the hping3 process. If Zeek is deployed on the network: conn.log entries with proto=icmp, an unusual payload size (64 bytes plus the ICMP header) and sustained frequency (2 packets/second); Zeek has no separate icmp.log by default. On the host, /proc/net/raw lists the open raw socket while hping3 runs (/proc/net/icmp only shows unprivileged ICMP datagram "ping" sockets, which hping3 does not use).

  5. Test 5: SOCKS5 Proxy Connection via Netcat (Unix)

    Expected signal: auditd SYSCALL: connect() syscall from ncat process to 127.0.0.1:9050. If SOCKS proxy is listening, a subsequent connection to example.com:80 is initiated. syslog: ncat network activity. Linux endpoint agent (Elastic Agent, Falcon sensor): network connection event with destination port 9050.
