Detect Non-Application Layer Protocol in Splunk
Adversaries may use OSI non-application layer protocols for C2 communications to evade network defenses that focus on application-layer monitoring. This includes ICMP tunneling (embedding C2 data in ping request/reply payloads), raw UDP sockets that bypass application-layer fingerprinting, SOCKS proxy chaining to obscure true traffic routing and destination, and custom binary protocols over raw TCP connections. ICMP is required in all IP-compatible host implementations but is significantly undermonitored compared to TCP and UDP application protocols, making it an attractive covert channel. Notable threat actors leveraging this technique include Gamaredon Group using SOCKS5 over port 9050, APT32's WINDSHIELD malware using TCP raw sockets, TSCookie (BlackTech) and Anchor (TrickBot infrastructure) using ICMP for C2, and PlugX being configured for raw TCP or UDP. FRP (a popular proxy tool) supports TCP, KCP, QUIC, and UDP multiplexing. In ESXi environments, adversaries may use the Virtual Machine Communication Interface (VMCI) to create covert channels between guest VMs and the ESXi host that are invisible to external network monitoring tools including tcpdump, netstat, nmap, and Wireshark, as documented in Google Cloud's 2023 analysis of UNC3886.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1095 Non-Application Layer Protocol
- Canonical reference
- https://attack.mitre.org/techniques/T1095/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
| eval dest_port_num = tonumber(DestinationPort)
| eval protocol_lower = lower(Protocol)
| eval process_lower = lower(Image)
// Signal 1: SOCKS proxy port connections from non-browser processes
| eval is_socks = if(
dest_port_num IN(1080, 1081, 4145, 9050, 9051, 9150, 8118, 9999, 1082, 1083, 3128)
AND NOT match(process_lower, "(chrome|firefox|msedge|opera|brave|tor|proxifier)"),
1, 0)
// Signal 2: UDP on non-standard ports from non-system processes
| eval is_unusual_udp = if(
protocol_lower="udp"
AND NOT dest_port_num IN(53, 67, 68, 123, 161, 162, 443, 500, 4500, 5353, 5355, 51820, 1194, 3478, 3479, 8801, 8802)
AND NOT match(process_lower, "(svchost|lsass|dns|chrome|firefox|msedge|teams|zoom|slack|skype|discord|avast|msmpeng)")
AND (Initiated="true" OR Initiated="1"),
1, 0)
// Signal 3: Non-loopback ICMP in Sysmon (captured via raw socket events on some configs)
| eval is_unexpected_icmp = if(
protocol_lower="icmp"
AND NOT match(process_lower, "(ping|tracert|pathping|fping|hping)"),
1, 0)
| where is_socks=1 OR is_unusual_udp=1 OR is_unexpected_icmp=1
| eval risk_score = case(
is_unexpected_icmp=1 AND is_socks=1, 95,
is_unexpected_icmp=1, 85,
is_socks=1, 75,
is_unusual_udp=1, 60,
50)
| eval detection_signal = case(
is_socks=1, "SOCKS_Proxy_Port_".dest_port_num,
is_unexpected_icmp=1, "ICMP_From_Unexpected_Process",
is_unusual_udp=1, "Unusual_UDP_Port_".dest_port_num,
"Unknown")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
DestinationIp, dest_port_num, protocol_lower, SourceIp, SourcePort,
detection_signal, risk_score
| sort - risk_score, - _timeDetects non-application layer protocol C2 using Sysmon Event ID 3 (Network Connection) logs. Identifies SOCKS proxy port usage from non-browser processes (targeting Gamaredon-style SOCKS5 C2), unusual UDP to non-standard ports from unexpected process contexts (custom UDP C2 protocols), and ICMP from non-ping utilities where Sysmon captures it via raw socket activity. The query provides process-level context (Image, CommandLine, ParentImage) critical for analyst triage. For environments without Sysmon, substitute with WinEventLog:Security (Event ID 5156, Windows Filtering Platform) for connection-level data, though process correlation will be limited.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Tor Browser and privacy tools legitimately connect to SOCKS proxy ports — scope the is_socks filter to specific high-value server hosts where browser traffic is unexpected
- Custom enterprise applications using UDP for service mesh communication, health checks, or telemetry on non-standard ports in microservice environments
- Gaming engines and streaming applications dynamically negotiate UDP media ports above 1024 that may not be in the allowlist
- Security tools performing active network discovery (vulnerability scanners, network inventory agents) generate unusual UDP and ICMP as part of their scan logic
- VPN clients with custom port configurations (wireguard on non-51820, OpenVPN on non-1194) appear as unusual UDP traffic from the vpn client process
Other platforms for T1095
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1ICMP Large Payload Flood (ICMP Tunnel Simulation)
Expected signal: Sysmon Event ID 3: Network connections with Protocol=ICMP, DestinationIp=8.8.8.8, Image=C:\Windows\System32\cmd.exe (or ping.exe as child). Windows Security Event ID 5156 (WFP permitted connection) with Protocol=1 (ICMP). Note: This test uses cmd.exe calling ping.exe, so the ICMP processes as ping.exe in most telemetry — to test the unexpected-process signal, replace with a script calling ping from PowerShell or a custom executable context.
- Test 2SOCKS5 Proxy Connection via PowerShell (Gamaredon-style)
Expected signal: Sysmon Event ID 3: Network Connection with Image=powershell.exe, DestinationIp=127.0.0.1, DestinationPort=9050, Protocol=tcp. Windows Security Event ID 5156 (WFP) for the connection attempt. The connection will fail with a refused error but the event fires before the refusal. For external SOCKS detection, substitute 127.0.0.1 with any public test IP.
- Test 3Custom UDP Beacon to Non-Standard Port (Raw UDP C2 Simulation)
Expected signal: Sysmon Event ID 3: 20 network connection events with Image=python3.exe (or python.exe), Protocol=udp, DestinationIp=8.8.8.8, DestinationPort=4444. Windows Filtering Platform Event ID 5156 for each UDP send. Note: UDP packets to 8.8.8.8:4444 will be dropped by Google but the outbound events still fire.
- Test 4ICMP Tunnel Tool Execution (ptunnel-ng simulation on Linux)
Expected signal: auditd SYSCALL records for socket() with AF_INET and SOCK_RAW type (raw socket creation). syslog/kern.log: ICMP outbound traffic from hping3 process. If Zeek is deployed on network: icmp.log entries with unusual payload length (64 bytes + ICMP header) and high frequency (2 packets/second). Linux /proc/net/icmp shows active ICMP sockets during execution.
- Test 5SOCKS5 Proxy Connection via Netcat (Unix)
Expected signal: auditd SYSCALL: connect() syscall from ncat process to 127.0.0.1:9050. If SOCKS proxy is listening, a subsequent connection to example.com:80 is initiated. syslog: ncat network activity. Linux endpoint agent (Elastic Agent, Falcon sensor): network connection event with destination port 9050.
References (13)
- https://attack.mitre.org/techniques/T1095/
- https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/
- https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
- http://support.microsoft.com/KB/170292
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://symantec-enterprise-blogs.security.com/threat-intelligence/shuckworm-ukraine-usb-worm
- https://www.cybereason.com/blog/the-anchor-project-and-trickbot-linking-c2-infrastructure
- https://github.com/esnet/iperf
- https://nmap.org/ncat/
- https://github.com/jamesbarlow/icmptunnel
- https://unit42.paloaltonetworks.com/unit42-oceanlotus-apt32-rc4-backdoor-custom-loader-cyberattack/
- https://www.welivesecurity.com/2021/06/10/gelsemium-when-threat-actors-go-gardening/
- https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
Unlock Pro Content
Get the full detection package for T1095 including response playbook, investigation guide, and atomic red team tests.