T1572 Splunk · SPL

Detect Protocol Tunneling in Splunk

Detects adversaries tunneling network communications within a separate protocol to evade detection and bypass network filtering. This detection identifies common tunneling techniques including SSH port forwarding via Plink or OpenSSH (-L/-R/-D flags), dedicated tunneling utilities (Chisel, Iodine, ptunnel, dnscat2, socat), DNS-over-HTTPS (DoH) encapsulation for C2 traffic, and native Windows netsh portproxy tunneling. Protocol tunneling allows attackers to route blocked protocols (SMB, RDP) through permitted channels, establish covert C2 channels, and bypass network appliances — as observed in Magic Hound (Plink RDP tunneling), FIN6 (Plink SSH tunnels), and FIN13 (Java-based web shell tunneling).

MITRE ATT&CK

Tactic: Command and Control
Technique: T1572 Protocol Tunneling
Canonical reference: https://attack.mitre.org/techniques/T1572/

SPL Detection Query

Splunk (SPL)

```spl
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=3 OR EventCode=22)
| eval image_lower=lower(coalesce(Image, ""))
| eval cmdline=coalesce(CommandLine, "")
| eval dest_port=coalesce(DestinationPort, "")
| eval dns_query=coalesce(QueryName, "")
| eval score=0
| eval score=score + if(match(image_lower, "(plink|chisel|ligolo|iodine|ptunnel|dns2tcp|dnscat|httptunnel|socat)"), 70, 0)
| eval score=score + if(match(cmdline, "(-L |-R |-D |-w )") AND match(image_lower, "(ssh|putty|plink)"), 60, 0)
| eval score=score + if(match(cmdline, "portproxy") AND match(image_lower, "netsh"), 55, 0)
| eval score=score + if(match(cmdline, "(--reverse|--socks5|--tls-skip-verify)") AND match(image_lower, "chisel"), 85, 0)
| eval score=score + if(dest_port="22" AND NOT match(image_lower, "(ssh|scp|sftp|putty|winscp|filezilla|git|rsync)"), 40, 0)
| eval score=score + if(match(dns_query, "(cloudflare-dns\.com|dns\.google|doh\.opendns|quad9\.net)") AND NOT match(image_lower, "(chrome|firefox|msedge|brave|opera|iexplore|safari|svchost|dnscrypt|stubby)"), 50, 0)
| where score > 0
| eval technique="T1572 Protocol Tunneling"
| eval detection_confidence=case(score >= 70, "high", score >= 50, "medium", true(), "low")
| table _time, host, User, image_lower, cmdline, dest_port, dns_query, score, detection_confidence, technique
| sort - score, - _time
```

Severity: high. Confidence: medium.

Scores process creation (EventCode=1), network connections (EventCode=3), and DNS queries (EventCode=22) against known tunneling tool names, SSH port-forwarding flags, netsh portproxy arguments, unexpected processes connecting on port 22, and non-browser DNS-over-HTTPS queries. Score >= 70 indicates high confidence; 50-69 medium confidence.

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Administrative SSH tunneling sessions for legitimate infrastructure maintenance
  • IT automation platforms (Ansible, Terraform SSH providers) using SSH port forwarding
  • Developers proxying database or API traffic through SSH tunnels to development environments
  • Corporate applications using DNS-over-HTTPS for privacy or bypassing local DNS restrictions
  • Security scanning tools or network monitoring agents that make connections on port 22 for asset discovery
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: SSH Local Port Forwarding via OpenSSH

    Expected signal: Sysmon Event ID 1 (process create): Image=ssh, CommandLine contains '-N -L 8443:localhost:443'; Sysmon Event ID 3 (network): DestinationPort=22, Image=ssh

  2. Test 2: Plink SSH RDP Tunnel (Windows)

    Expected signal: Sysmon Event ID 1 or Windows Security 4688: Image=plink.exe, CommandLine contains '-ssh -N -L 13389:127.0.0.1:3389'; Sysmon Event ID 3: outbound TCP to port 22

  3. Test 3: Windows Netsh Portproxy Rule Creation

    Expected signal: Sysmon Event ID 1: Image=netsh.exe, CommandLine contains 'portproxy add v4tov4'; Sysmon Event ID 12/13: registry key creation under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy

  4. Test 4: Chisel Reverse Tunnel Server Startup (Linux)

    Expected signal: Sysmon/auditd process create: process name 'chisel' with '--reverse --socks5 --port 8443' in command line; network bind event on port 8443
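The following Python script is an added example, not part of this detection page and not the query's own code. It re-implements the additive scoring of the SPL query above in plain Python so the logic can be checked offline, then runs it over constructed Sysmon-style events that mirror the four tests in this section plus a few benign cases from the False Positives list (a browser resolving a DoH provider, git connecting to port 22). Field names follow Sysmon (Image, CommandLine, DestinationPort, QueryName, User); the sample events and the `allowlisted_users` tuning knob are assumptions for illustration and are not in the SPL.

```python
"""Offline mirror of the T1572 protocol-tunneling scoring from the SPL query.

Added example (not the page's own code). Each branch corresponds to one
`eval score=score + if(...)` line in the query; thresholds match its case().
"""
import re

# Patterns copied from the match() calls in the SPL query.
TUNNEL_TOOLS = re.compile(r"(plink|chisel|ligolo|iodine|ptunnel|dns2tcp|dnscat|httptunnel|socat)")
SSH_FORWARD_FLAGS = re.compile(r"(-L |-R |-D |-w )")
SSH_CLIENTS = re.compile(r"(ssh|putty|plink)")
CHISEL_FLAGS = re.compile(r"(--reverse|--socks5|--tls-skip-verify)")
PORT22_EXPECTED = re.compile(r"(ssh|scp|sftp|putty|winscp|filezilla|git|rsync)")
DOH_RESOLVERS = re.compile(r"(cloudflare-dns\.com|dns\.google|doh\.opendns|quad9\.net)")
DOH_EXPECTED = re.compile(r"(chrome|firefox|msedge|brave|opera|iexplore|safari|svchost|dnscrypt|stubby)")


def score_event(event, allowlisted_users=frozenset()):
    """Return {'score', 'detection_confidence', 'reasons'} for one Sysmon-like event.

    `allowlisted_users` is a hypothetical tuning knob (not in the SPL): events
    from those accounts, e.g. an automation service account, score 0.
    """
    image = (event.get("Image") or "").lower()          # eval image_lower
    cmdline = event.get("CommandLine") or ""             # eval cmdline
    dest_port = str(event.get("DestinationPort") or "")  # eval dest_port
    dns_query = event.get("QueryName") or ""             # eval dns_query
    score, reasons = 0, []
    if TUNNEL_TOOLS.search(image):
        score += 70
        reasons.append("known tunneling tool image")
    if SSH_FORWARD_FLAGS.search(cmdline) and SSH_CLIENTS.search(image):
        score += 60
        reasons.append("ssh port-forwarding flag")
    if "portproxy" in cmdline and "netsh" in image:
        score += 55
        reasons.append("netsh portproxy")
    if CHISEL_FLAGS.search(cmdline) and "chisel" in image:
        score += 85
        reasons.append("chisel reverse/socks flags")
    if dest_port == "22" and not PORT22_EXPECTED.search(image):
        score += 40
        reasons.append("unexpected process to port 22")
    if DOH_RESOLVERS.search(dns_query) and not DOH_EXPECTED.search(image):
        score += 50
        reasons.append("non-browser DoH resolver lookup")
    if event.get("User") in allowlisted_users:
        score, reasons = 0, ["allowlisted user"]
    confidence = "high" if score >= 70 else "medium" if score >= 50 else "low"
    return {"score": score, "detection_confidence": confidence, "reasons": reasons}


# Constructed events (assumed values), one per test in this section plus benign cases.
SAMPLE_EVENTS = {
    "test1_ssh_process": {"EventCode": 1, "Image": "/usr/bin/ssh", "User": "dev1",
                          "CommandLine": "ssh -N -L 8443:localhost:443 user@jump.example"},
    "test1_ssh_network": {"EventCode": 3, "Image": "/usr/bin/ssh", "DestinationPort": 22},
    "test2_plink": {"EventCode": 1, "Image": r"C:\Tools\plink.exe",
                    "CommandLine": "plink.exe -ssh -N -L 13389:127.0.0.1:3389 user@jump.example"},
    "test3_netsh": {"EventCode": 1, "Image": r"C:\Windows\System32\netsh.exe",
                    "CommandLine": "netsh interface portproxy add v4tov4 listenport=13389 connectport=3389"},
    "test4_chisel": {"EventCode": 1, "Image": "/opt/chisel",
                     "CommandLine": "chisel server --reverse --socks5 --port 8443"},
    "benign_firefox_doh": {"EventCode": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
                           "QueryName": "cloudflare-dns.com"},
    "suspicious_doh": {"EventCode": 22, "Image": r"C:\Users\u\AppData\Local\Temp\update.exe",
                       "QueryName": "dns.google"},
    "benign_git_port22": {"EventCode": 3, "Image": "/usr/bin/git", "DestinationPort": 22},
}


def run_detection(events, allowlisted_users=frozenset()):
    """Apply score_event to every event, drop score 0 (`where score > 0`), sort by score desc."""
    rows = []
    for label, ev in events.items():
        result = score_event(ev, allowlisted_users)
        if result["score"] > 0:
            rows.append({"label": label, **result})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(f"{row['score']:>4} {row['detection_confidence']:<6} {row['label']:<22} {', '.join(row['reasons'])}")
```

Two things the run makes visible that the query text alone does not: the network side of Test 1 (ssh to port 22) scores 0 because ssh is on the expected-process list, so the process-creation event is what fires; and Test 3 (netsh portproxy) lands at 55, i.e. only medium confidence, so it is worth correlating with the registry telemetry listed in its expected signal before escalating.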
