Detect Protocol Tunneling in IBM QRadar
Detects adversaries tunneling network communications within a separate protocol to evade detection and bypass network filtering. This detection identifies common tunneling techniques including SSH port forwarding via Plink or OpenSSH (-L/-R/-D flags), dedicated tunneling utilities (Chisel, Iodine, ptunnel, dnscat2, socat), DNS-over-HTTPS (DoH) encapsulation for C2 traffic, and native Windows netsh portproxy tunneling. Protocol tunneling allows attackers to route blocked protocols (SMB, RDP) through permitted channels, establish covert C2 channels, and bypass network appliances — as observed in Magic Hound (Plink RDP tunneling), FIN6 (Plink SSH tunnels), and FIN13 (Java-based web shell tunneling).
MITRE ATT&CK
- Tactic: Command and Control
- Technique: T1572 Protocol Tunneling
- Canonical reference: https://attack.mitre.org/techniques/T1572/
QRadar Detection Query

```sql
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
       LOGSOURCENAME(logsourceid) AS LogSource,
       username AS User,
       "Image" AS ProcessImage,
       "CommandLine" AS CommandLine,
       CASE WHEN "Image" IMATCHES '.*(plink|chisel|iodine|dnscat).*' THEN 10
            WHEN "CommandLine" IMATCHES '.*( -R .*:.*:| -D |socks5|dns-tunnel).*' THEN 9
            ELSE 6 END AS RiskScore
FROM events
WHERE eventid IN (1, 4688)
  AND (
    "Image" IMATCHES '.*(plink|chisel|ligolo|iodine|ptunnel|dns2tcp|dnscat|httptunnel|htc|hts|socat).*'
    OR "CommandLine" IMATCHES '.*( -R .*:.*:| -L .*:.*:| -D |socks5|socks4|dns-tunnel|--socks).*'
    OR "CommandLine" IMATCHES '.*portproxy.*add.*'
  )
ORDER BY RiskScore DESC, EventTime DESC
```

Detects protocol tunneling via known tunneling tools, SSH tunnel arguments and netsh portproxy rule creation in QRadar. AQL has no `LIKE ANY` operator, so the pattern lists are expressed as case-insensitive `IMATCHES` regular expressions, which must match the whole field value (hence the leading and trailing `.*`); a NULL `Image` or `CommandLine` simply fails to match, so no `COALESCE` is needed.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate SSH tunneling by system administrators for database access, jump-host traversal, or remote maintenance tasks
- IT automation tools (Ansible, Puppet, SaltStack) that use SSH tunnels for agent communication and configuration management
- Developers using SSH port forwarding to reach internal services, Kubernetes API servers, or staging databases
- Corporate DNS-over-HTTPS policy enforcement by approved endpoint agents or custom DNS clients
- VPN clients or network monitoring agents that legitimately encapsulate traffic within other protocols
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: SSH Local Port Forwarding via OpenSSH
  Expected signal: Sysmon Event ID 1 (process create): Image=ssh, CommandLine contains '-N -L 8443:localhost:443'; Sysmon Event ID 3 (network): DestinationPort=22, Image=ssh
- Test 2: Plink SSH RDP Tunnel (Windows)
  Expected signal: Sysmon Event ID 1 or Windows Security 4688: Image=plink.exe, CommandLine contains '-ssh -N -L 13389:127.0.0.1:3389'; Sysmon Event ID 3: outbound TCP to port 22
- Test 3: Windows Netsh Portproxy Rule Creation
  Expected signal: Sysmon Event ID 1: Image=netsh.exe, CommandLine contains 'portproxy add v4tov4'; Sysmon Event ID 12/13: registry key creation under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy
- Test 4: Chisel Reverse Tunnel Server Startup (Linux)
  Expected signal: Sysmon/auditd process create: process name 'chisel' with '--reverse --socks5 --port 8443' in command line; network bind event on port 8443
References (9)
- https://attack.mitre.org/techniques/T1572/
- https://www.ssh.com/academy/ssh/tunneling
- https://github.com/jpillora/chisel
- https://github.com/L-codes/Neo-reGeorg
- https://www.bleepingcomputer.com/news/security/godlua-malware-uses-dns-over-https-to-hide-command-and-control-communications/
- https://www.mandiant.com/resources/blog/fin6-cybercrime-group-expands-operations
- https://sygnia.co/blog/sygnia-investigation-elephant-beetle
- https://www.sentinelone.com/labs/aoqin-dragon-spelunking-a-nearly-decade-old-campaign-targeting-southeast-asia/
- https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity/