Detect Protocol Tunneling in Microsoft Sentinel
Detects adversaries tunneling network communications within a separate protocol to evade detection and bypass network filtering. This detection identifies common tunneling techniques including SSH port forwarding via Plink or OpenSSH (-L/-R/-D flags), dedicated tunneling utilities (Chisel, Iodine, ptunnel, dnscat2, socat), DNS-over-HTTPS (DoH) encapsulation for C2 traffic, and native Windows netsh portproxy tunneling. Protocol tunneling allows attackers to route blocked protocols (SMB, RDP) through permitted channels, establish covert C2 channels, and bypass network appliances — as observed in Magic Hound (Plink RDP tunneling), FIN6 (Plink SSH tunnels), and FIN13 (Java-based web shell tunneling).
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1572 Protocol Tunneling
- Canonical reference
- https://attack.mitre.org/techniques/T1572/
KQL Detection Query
let TunnelingTools = dynamic(["plink.exe", "plink", "chisel.exe", "chisel", "ligolo.exe", "ligolo", "iodine.exe", "iodine", "ptunnel.exe", "ptunnel", "dns2tcp", "dnscat", "dnscat2", "httptunnel", "htc", "hts", "socat"]);
let DoHProviders = dynamic(["cloudflare-dns.com", "dns.google", "doh.opendns.com", "dns.quad9.net", "mozilla.cloudflare-dns.com", "doh.dns.apple.com"]);
let BrowserProcesses = dynamic(["chrome.exe", "firefox.exe", "msedge.exe", "brave.exe", "opera.exe", "iexplore.exe", "safari", "vivaldi.exe", "chromium"]);
let SystemProcesses = dynamic(["svchost.exe", "MsMpEng.exe", "services.exe", "wininit.exe", "dnscrypt-proxy.exe", "stubby.exe"]);
// Branch 1: Known tunneling tool execution
let KnownTools = DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where FileName in~ (TunnelingTools)
| extend DetectionBranch = "KnownTunnelingTool"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, DetectionBranch;
// Branch 2: SSH with port-forwarding flags (OpenSSH, Plink)
let SSHTunneling = DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where FileName in~ ("ssh.exe", "ssh", "plink.exe", "plink")
and (
ProcessCommandLine has "-L " or
ProcessCommandLine has "-R " or
ProcessCommandLine has "-D " or
ProcessCommandLine has "-w " or
ProcessCommandLine has "LocalForward" or
ProcessCommandLine has "RemoteForward"
)
| extend DetectionBranch = "SSHPortForwarding"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, DetectionBranch;
// Branch 3: Netsh portproxy (native Windows tunneling)
let NetshProxy = DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where FileName =~ "netsh.exe"
and ProcessCommandLine has "portproxy"
and ProcessCommandLine has "add"
| extend DetectionBranch = "NetshPortProxy"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, DetectionBranch;
// Branch 4: DoH from non-browser, non-system processes
let DoHConnections = DeviceNetworkEvents
| where TimeGenerated > ago(1d)
| where RemotePort == 443
and RemoteUrl has_any (DoHProviders)
and InitiatingProcessFileName !in~ (BrowserProcesses)
and InitiatingProcessFileName !in~ (SystemProcesses)
| extend DetectionBranch = "DNSoverHTTPS", AccountName = InitiatingProcessAccountName, FileName = InitiatingProcessFileName, ProcessCommandLine = InitiatingProcessCommandLine, InitiatingProcessFileName = "", InitiatingProcessCommandLine = ""
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath = RemoteUrl, DetectionBranch;
union KnownTools, SSHTunneling, NetshProxy, DoHConnections
| sort by TimeGenerated descDetects protocol tunneling across four patterns: (1) known tunneling tool execution (Chisel, Plink, Iodine, ptunnel, dnscat2, socat), (2) SSH binaries invoked with port-forwarding flags (-L/-R/-D/-w), (3) Windows netsh portproxy rule creation, and (4) DNS-over-HTTPS connections from non-browser and non-OS processes. Each result includes a DetectionBranch field for triage prioritization.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate SSH tunneling by system administrators for database access, jump-host traversal, or remote maintenance tasks
- IT automation tools (Ansible, Puppet, SaltStack) that use SSH tunnels for agent communication and configuration management
- Developers using SSH port forwarding to reach internal services, Kubernetes API servers, or staging databases
- Corporate DNS-over-HTTPS policy enforcement by approved endpoint agents or custom DNS clients
- VPN clients or network monitoring agents that legitimately encapsulate traffic within other protocols
Other platforms for T1572
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1SSH Local Port Forwarding via OpenSSH
Expected signal: Sysmon Event ID 1 (process create): Image=ssh, CommandLine contains '-N -L 8443:localhost:443'; Sysmon Event ID 3 (network): DestinationPort=22, Image=ssh
- Test 2Plink SSH RDP Tunnel (Windows)
Expected signal: Sysmon Event ID 1 or Windows Security 4688: Image=plink.exe, CommandLine contains '-ssh -N -L 13389:127.0.0.1:3389'; Sysmon Event ID 3: outbound TCP to port 22
- Test 3Windows Netsh Portproxy Rule Creation
Expected signal: Sysmon Event ID 1: Image=netsh.exe, CommandLine contains 'portproxy add v4tov4'; Sysmon Event ID 12/13: registry key creation under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy
- Test 4Chisel Reverse Tunnel Server Startup (Linux)
Expected signal: Sysmon/auditd process create: process name 'chisel' with '--reverse --socks5 --port 8443' in command line; network bind event on port 8443
References (9)
- https://attack.mitre.org/techniques/T1572/
- https://www.ssh.com/academy/ssh/tunneling
- https://github.com/jpillora/chisel
- https://github.com/L-codes/Neo-reGeorg
- https://www.bleepingcomputer.com/news/security/godlua-malware-uses-dns-over-https-to-hide-command-and-control-communications/
- https://www.mandiant.com/resources/blog/fin6-cybercrime-group-expands-operations
- https://sygnia.co/blog/sygnia-investigation-elephant-beetle
- https://www.sentinelone.com/labs/aoqin-dragon-spelunking-a-nearly-decade-old-campaign-targeting-southeast-asia/
- https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity/
Unlock Pro Content
Get the full detection package for T1572 including response playbook, investigation guide, and atomic red team tests.