Detect Non-Application Layer Protocol in Sumo Logic CSE
Adversaries may use OSI non-application layer protocols for C2 communications to evade network defenses that focus on application-layer monitoring. This includes ICMP tunneling (embedding C2 data in ping request/reply payloads), raw UDP sockets that bypass application-layer fingerprinting, SOCKS proxy chaining to obscure true traffic routing and destination, and custom binary protocols over raw TCP connections. ICMP is required in all IP-compatible host implementations but is significantly undermonitored compared to TCP and UDP application protocols, making it an attractive covert channel. Notable threat actors leveraging this technique include Gamaredon Group using SOCKS5 over port 9050, APT32's WINDSHIELD malware using TCP raw sockets, TSCookie (BlackTech) and Anchor (TrickBot infrastructure) using ICMP for C2, and PlugX being configured for raw TCP or UDP. FRP (a popular proxy tool) supports TCP, KCP, QUIC, and UDP multiplexing. In ESXi environments, adversaries may use the Virtual Machine Communication Interface (VMCI) to create covert channels between guest VMs and the ESXi host that are invisible to external network monitoring tools including tcpdump, netstat, nmap, and Wireshark, as documented in Google Cloud's 2023 analysis of UNC3886.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1095 Non-Application Layer Protocol
- Canonical reference
- https://attack.mitre.org/techniques/T1095/
Sumo Detection Query
_sourceCategory=windows/sysmon EventCode=3
| parse "<Data Name='Image'>*</Data>" as process_image nodrop
| parse "<Data Name='DestinationPort'>*</Data>" as dest_port nodrop
| parse "<Data Name='Protocol'>*</Data>" as protocol nodrop
| parse "<Data Name='DestinationIp'>*</Data>" as dest_ip nodrop
| parse "<Data Name='SourceIp'>*</Data>" as src_ip nodrop
| parse "<Data Name='CommandLine'>*</Data>" as cmdline nodrop
| parse "<Data Name='ParentImage'>*</Data>" as parent_image nodrop
| parse "<Data Name='User'>*</Data>" as user nodrop
| parse "<Data Name='Initiated'>*</Data>" as initiated nodrop
| eval dest_port_num = num(dest_port)
| eval process_lower = toLowerCase(process_image)
| eval protocol_lower = toLowerCase(protocol)
| eval is_socks = if(
dest_port_num in (1080, 1081, 4145, 9050, 9051, 9150, 8118, 9999, 1082, 1083, 3128)
and !(process_lower matches ".*(?:chrome|firefox|msedge|opera|brave|tor|proxifier).*"),
1, 0)
| eval is_unusual_udp = if(
protocol_lower = "udp"
and !(dest_port_num in (53, 67, 68, 123, 161, 162, 443, 500, 4500, 5353, 5355, 51820, 1194, 3478, 3479, 8801, 8802, 19302, 19303))
and !(process_lower matches ".*(?:svchost|lsass|dns|chrome|firefox|msedge|teams|zoom|slack|skype|discord|avast|msmpeng).*")
and initiated = "true",
1, 0)
| eval is_unexpected_icmp = if(
protocol_lower = "icmp"
and !(process_lower matches ".*(?:ping|tracert|pathping|fping|hping).*"),
1, 0)
| where is_socks = 1 or is_unusual_udp = 1 or is_unexpected_icmp = 1
| eval risk_score = if(is_unexpected_icmp = 1 and is_socks = 1, 95,
if(is_unexpected_icmp = 1, 85,
if(is_socks = 1, 75,
if(is_unusual_udp = 1, 60, 50))))
| eval detection_signal = if(is_socks = 1, concat("SOCKS_Proxy_Port_", dest_port),
if(is_unexpected_icmp = 1, "ICMP_From_Unexpected_Process",
if(is_unusual_udp = 1, concat("Unusual_UDP_Port_", dest_port), "Unknown")))
| fields _messageTime, Computer, user, process_image, cmdline, parent_image, dest_ip, dest_port_num, protocol_lower, src_ip, detection_signal, risk_score
| sort by risk_score desc, _messageTime descSumo Logic query targeting Sysmon Event ID 3 (Network Connection Detected) to detect T1095 Non-Application Layer Protocol C2. Parses raw XML event fields and evaluates three signals: SOCKS proxy port connections from non-browser processes, ICMP from non-ping utilities, and unusual outbound UDP from non-system processes on non-standard ports. Risk-scored for triage. Requires Windows Sysmon logs forwarded via Sumo Logic Installed Collector with the sourceCategory set to windows/sysmon or adjusted to match your environment.
Data Sources
Required Tables
False Positives & Tuning
- Tor Browser and other authorized anonymization tools that legitimately route through SOCKS ports 9050 and 9150 — add process names to exclusion regex if sanctioned in your environment
- Custom enterprise applications with proprietary UDP-based communication frameworks (real-time telemetry, proprietary clustering protocols) using non-standard high ports
- Synthetic monitoring and availability testing agents (Pingdom agents, custom health-check scripts) executing ICMP probes under non-standard process names
Other platforms for T1095
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1ICMP Large Payload Flood (ICMP Tunnel Simulation)
Expected signal: Sysmon Event ID 3: Network connections with Protocol=ICMP, DestinationIp=8.8.8.8, Image=C:\Windows\System32\cmd.exe (or ping.exe as child). Windows Security Event ID 5156 (WFP permitted connection) with Protocol=1 (ICMP). Note: This test uses cmd.exe calling ping.exe, so the ICMP processes as ping.exe in most telemetry — to test the unexpected-process signal, replace with a script calling ping from PowerShell or a custom executable context.
- Test 2SOCKS5 Proxy Connection via PowerShell (Gamaredon-style)
Expected signal: Sysmon Event ID 3: Network Connection with Image=powershell.exe, DestinationIp=127.0.0.1, DestinationPort=9050, Protocol=tcp. Windows Security Event ID 5156 (WFP) for the connection attempt. The connection will fail with a refused error but the event fires before the refusal. For external SOCKS detection, substitute 127.0.0.1 with any public test IP.
- Test 3Custom UDP Beacon to Non-Standard Port (Raw UDP C2 Simulation)
Expected signal: Sysmon Event ID 3: 20 network connection events with Image=python3.exe (or python.exe), Protocol=udp, DestinationIp=8.8.8.8, DestinationPort=4444. Windows Filtering Platform Event ID 5156 for each UDP send. Note: UDP packets to 8.8.8.8:4444 will be dropped by Google but the outbound events still fire.
- Test 4ICMP Tunnel Tool Execution (ptunnel-ng simulation on Linux)
Expected signal: auditd SYSCALL records for socket() with AF_INET and SOCK_RAW type (raw socket creation). syslog/kern.log: ICMP outbound traffic from hping3 process. If Zeek is deployed on network: icmp.log entries with unusual payload length (64 bytes + ICMP header) and high frequency (2 packets/second). Linux /proc/net/icmp shows active ICMP sockets during execution.
- Test 5SOCKS5 Proxy Connection via Netcat (Unix)
Expected signal: auditd SYSCALL: connect() syscall from ncat process to 127.0.0.1:9050. If SOCKS proxy is listening, a subsequent connection to example.com:80 is initiated. syslog: ncat network activity. Linux endpoint agent (Elastic Agent, Falcon sensor): network connection event with destination port 9050.
References (13)
- https://attack.mitre.org/techniques/T1095/
- https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/
- https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
- http://support.microsoft.com/KB/170292
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://symantec-enterprise-blogs.security.com/threat-intelligence/shuckworm-ukraine-usb-worm
- https://www.cybereason.com/blog/the-anchor-project-and-trickbot-linking-c2-infrastructure
- https://github.com/esnet/iperf
- https://nmap.org/ncat/
- https://github.com/jamesbarlow/icmptunnel
- https://unit42.paloaltonetworks.com/unit42-oceanlotus-apt32-rc4-backdoor-custom-loader-cyberattack/
- https://www.welivesecurity.com/2021/06/10/gelsemium-when-threat-actors-go-gardening/
- https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
Unlock Pro Content
Get the full detection package for T1095 including response playbook, investigation guide, and atomic red team tests.