Detect Protocol Tunneling in Google Chronicle
Detects adversaries tunneling network communications within a separate protocol to evade detection and bypass network filtering. This detection identifies common tunneling techniques including SSH port forwarding via Plink or OpenSSH (-L/-R/-D flags), dedicated tunneling utilities (Chisel, Iodine, ptunnel, dnscat2, socat), DNS-over-HTTPS (DoH) encapsulation for C2 traffic, and native Windows netsh portproxy tunneling. Protocol tunneling allows attackers to route blocked protocols (SMB, RDP) through permitted channels, establish covert C2 channels, and bypass network appliances — as observed in Magic Hound (Plink RDP tunneling), FIN6 (Plink SSH tunnels), and FIN13 (Java-based web shell tunneling).
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1572 Protocol Tunneling
- Canonical reference
- https://attack.mitre.org/techniques/T1572/
YARA-L Detection Query
rule protocol_tunneling_detection {
meta:
author = "Detection Engineering"
description = "Detects protocol tunneling via known tunneling tools (T1572)"
severity = "HIGH"
tactic = "TA0011"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
(
re.regex($e.target.process.file.full_path, `(?i)(plink|chisel|ligolo|iodine|ptunnel|dns2tcp|dnscat|httptunnel|socat)`) nocase or
re.regex($e.target.process.command_line, `(?i)(\s-R\s.*:.*:|\s-L\s.*:.*:|\s-D\s|socks5|socks4|dns-tunnel|--socks)`) nocase
)
condition:
$e
}Chronicle YARA-L rule detecting protocol tunneling via known tool execution and SSH tunnel arguments.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate SSH tunneling by system administrators for database access, jump-host traversal, or remote maintenance tasks
- IT automation tools (Ansible, Puppet, SaltStack) that use SSH tunnels for agent communication and configuration management
- Developers using SSH port forwarding to reach internal services, Kubernetes API servers, or staging databases
- Corporate DNS-over-HTTPS policy enforcement by approved endpoint agents or custom DNS clients
- VPN clients or network monitoring agents that legitimately encapsulate traffic within other protocols
Other platforms for T1572
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1SSH Local Port Forwarding via OpenSSH
Expected signal: Sysmon Event ID 1 (process create): Image=ssh, CommandLine contains '-N -L 8443:localhost:443'; Sysmon Event ID 3 (network): DestinationPort=22, Image=ssh
- Test 2Plink SSH RDP Tunnel (Windows)
Expected signal: Sysmon Event ID 1 or Windows Security 4688: Image=plink.exe, CommandLine contains '-ssh -N -L 13389:127.0.0.1:3389'; Sysmon Event ID 3: outbound TCP to port 22
- Test 3Windows Netsh Portproxy Rule Creation
Expected signal: Sysmon Event ID 1: Image=netsh.exe, CommandLine contains 'portproxy add v4tov4'; Sysmon Event ID 12/13: registry key creation under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy
- Test 4Chisel Reverse Tunnel Server Startup (Linux)
Expected signal: Sysmon/auditd process create: process name 'chisel' with '--reverse --socks5 --port 8443' in command line; network bind event on port 8443
References (9)
- https://attack.mitre.org/techniques/T1572/
- https://www.ssh.com/academy/ssh/tunneling
- https://github.com/jpillora/chisel
- https://github.com/L-codes/Neo-reGeorg
- https://www.bleepingcomputer.com/news/security/godlua-malware-uses-dns-over-https-to-hide-command-and-control-communications/
- https://www.mandiant.com/resources/blog/fin6-cybercrime-group-expands-operations
- https://sygnia.co/blog/sygnia-investigation-elephant-beetle
- https://www.sentinelone.com/labs/aoqin-dragon-spelunking-a-nearly-decade-old-campaign-targeting-southeast-asia/
- https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity/
Unlock Pro Content
Get the full detection package for T1572 including response playbook, investigation guide, and atomic red team tests.