T1095 Microsoft Sentinel · KQL

Detect Non-Application Layer Protocol in Microsoft Sentinel

Adversaries may use OSI non-application layer protocols for C2 communications to evade network defenses that focus on application-layer monitoring. This includes ICMP tunneling (embedding C2 data in ping request/reply payloads), raw UDP sockets that bypass application-layer fingerprinting, SOCKS proxy chaining to obscure true traffic routing and destination, and custom binary protocols over raw TCP connections. ICMP is required in all IP-compatible host implementations but is significantly undermonitored compared to TCP and UDP application protocols, making it an attractive covert channel. Notable threat actors leveraging this technique include Gamaredon Group using SOCKS5 over port 9050, APT32's WINDSHIELD malware using TCP raw sockets, TSCookie (BlackTech) and Anchor (TrickBot infrastructure) using ICMP for C2, and PlugX being configured for raw TCP or UDP. FRP (a popular proxy tool) supports TCP, KCP, QUIC, and UDP multiplexing. In ESXi environments, adversaries may use the Virtual Machine Communication Interface (VMCI) to create covert channels between guest VMs and the ESXi host that are invisible to external network monitoring tools including tcpdump, netstat, nmap, and Wireshark, as documented in Google Cloud's 2023 analysis of UNC3886.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1095 Non-Application Layer Protocol
Canonical reference
https://attack.mitre.org/techniques/T1095/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SocksProxyPorts = dynamic([1080, 1081, 4145, 9050, 9051, 9150, 8118, 9999, 1082, 1083, 3128]);
let LegitICMPProcesses = dynamic(["ping.exe", "tracert.exe", "pathping.exe", "fping.exe", "hping3"]);
let LegitUDPProcesses = dynamic([
    "svchost.exe", "chrome.exe", "firefox.exe", "msedge.exe",
    "teams.exe", "zoom.exe", "slack.exe", "skype.exe", "discord.exe",
    "lsass.exe", "dns.exe", "avast.exe", "MsMpEng.exe", "wininit.exe"
]);
let CommonUDPPorts = dynamic([53, 67, 68, 123, 161, 162, 443, 500, 4500, 5353, 5355, 51820, 1194, 8801, 8802, 3478, 3479, 19302, 19303, 4096]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| extend IsSocksPort = RemotePort in (SocksProxyPorts)
| extend IsUnexpectedICMP = (
    Protocol == "Icmp"
    and not (InitiatingProcessFileName in~ (LegitICMPProcesses))
)
| extend IsUnusualUDP = (
    Protocol == "Udp"
    and RemoteIPType == "Public"
    and not (RemotePort in (CommonUDPPorts))
    and not (InitiatingProcessFileName in~ (LegitUDPProcesses))
)
| where IsSocksPort or IsUnexpectedICMP or IsUnusualUDP
| extend DetectionSignal = case(
    IsSocksPort and IsUnexpectedICMP, "SOCKS_And_ICMP_Combined",
    IsUnexpectedICMP, strcat("ICMP_From_Unexpected_Process_", InitiatingProcessFileName),
    IsSocksPort, strcat("SOCKS_Proxy_Port_", tostring(RemotePort)),
    IsUnusualUDP, strcat("Unusual_UDP_Port_", tostring(RemotePort)),
    "Unknown"
)
| extend RiskScore = case(
    IsSocksPort and IsUnexpectedICMP, 95,
    IsUnexpectedICMP, 85,
    IsSocksPort, 75,
    IsUnusualUDP, 60,
    50
)
| project
    Timestamp, DeviceName, AccountName,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    InitiatingProcessParentFileName, InitiatingProcessParentCommandLine,
    RemoteIP, RemotePort, Protocol, LocalPort,
    SentBytes, ReceivedBytes,
    DetectionSignal, RiskScore
| sort by RiskScore desc, Timestamp desc
high severity medium confidence

Multi-signal detection for non-application layer protocol C2 using Microsoft Defender for Endpoint DeviceNetworkEvents. Identifies three primary attack patterns: (1) connections to SOCKS proxy ports (1080, 9050, etc.) from non-browser processes, targeting malware like Gamaredon Group tooling that tunnels C2 through SOCKS5; (2) ICMP traffic generated by processes other than standard ping utilities, indicating potential ICMP tunneling as used by TSCookie and Anchor; (3) high-frequency or unusual UDP traffic to non-standard ports from non-network-utility processes, indicating custom UDP C2 protocols. Risk scoring prioritizes multi-signal findings and ICMP from unexpected processes. Note: ICMP visibility in DeviceNetworkEvents depends on MDE sensor version and platform; network-layer visibility (firewall/IDS) provides more complete ICMP coverage.

Data Sources

Network Traffic: Network Traffic FlowNetwork Traffic: Network Traffic ContentMicrosoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives & Tuning

  • Tor Browser and other privacy-focused browsers legitimately connect to SOCKS/Onion network on ports 9050 and 1080 — add process-level allowlist for tor.exe and the Tor Browser executable
  • Custom enterprise middleware and industrial control systems using raw UDP for inter-service heartbeats or telemetry on non-standard ports
  • VoIP, video conferencing, and media streaming applications (Zoom, Teams, WebEx) may negotiate UDP media channels on non-standard high ports
  • WireGuard, OpenVPN, and other VPN clients operate over non-standard UDP ports; the default WireGuard port 51820 is excluded but custom deployments use arbitrary ports
  • Network monitoring and security scanning tools (nmap, Nessus agents, Zabbix, PRTG) generate ICMP and unusual UDP as part of active health checks
Download portable Sigma rule (.yml)

Other platforms for T1095

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1ICMP Large Payload Flood (ICMP Tunnel Simulation)

    Expected signal: Sysmon Event ID 3: Network connections with Protocol=ICMP, DestinationIp=8.8.8.8, Image=C:\Windows\System32\cmd.exe (or ping.exe as child). Windows Security Event ID 5156 (WFP permitted connection) with Protocol=1 (ICMP). Note: This test uses cmd.exe calling ping.exe, so the ICMP processes as ping.exe in most telemetry — to test the unexpected-process signal, replace with a script calling ping from PowerShell or a custom executable context.

  2. Test 2SOCKS5 Proxy Connection via PowerShell (Gamaredon-style)

    Expected signal: Sysmon Event ID 3: Network Connection with Image=powershell.exe, DestinationIp=127.0.0.1, DestinationPort=9050, Protocol=tcp. Windows Security Event ID 5156 (WFP) for the connection attempt. The connection will fail with a refused error but the event fires before the refusal. For external SOCKS detection, substitute 127.0.0.1 with any public test IP.

  3. Test 3Custom UDP Beacon to Non-Standard Port (Raw UDP C2 Simulation)

    Expected signal: Sysmon Event ID 3: 20 network connection events with Image=python3.exe (or python.exe), Protocol=udp, DestinationIp=8.8.8.8, DestinationPort=4444. Windows Filtering Platform Event ID 5156 for each UDP send. Note: UDP packets to 8.8.8.8:4444 will be dropped by Google but the outbound events still fire.

  4. Test 4ICMP Tunnel Tool Execution (ptunnel-ng simulation on Linux)

    Expected signal: auditd SYSCALL records for socket() with AF_INET and SOCK_RAW type (raw socket creation). syslog/kern.log: ICMP outbound traffic from hping3 process. If Zeek is deployed on network: icmp.log entries with unusual payload length (64 bytes + ICMP header) and high frequency (2 packets/second). Linux /proc/net/icmp shows active ICMP sockets during execution.

  5. Test 5SOCKS5 Proxy Connection via Netcat (Unix)

    Expected signal: auditd SYSCALL: connect() syscall from ncat process to 127.0.0.1:9050. If SOCKS proxy is listening, a subsequent connection to example.com:80 is initiated. syslog: ncat network activity. Linux endpoint agent (Elastic Agent, Falcon sensor): network connection event with destination port 9050.

Last updated: 2026-04-13 Research depth: deep
References (13)

Unlock Pro Content

Get the full detection package for T1095 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1071Application Layer ProtocolT1090ProxyT1090.001Internal ProxyT1572Protocol TunnelingT1001Data ObfuscationT1573Encrypted ChannelT1041Exfiltration Over C2 ChannelT1205.002Socket FiltersT1548Abuse Elevation Control Mechanism

Same Tactic: Command and Control

Popular Detections