title: Non-Application Layer Protocol (T1095)
id: df00tech-t1095
status: experimental
description: "Adversaries may use OSI non-application layer protocols for C2 communications to evade network defenses that focus on application-layer monitoring. This includes ICMP tunneling (embedding C2 data in ping request/reply payloads), raw UDP sockets that bypass application-layer fingerprinting, SOCKS proxy chaining to obscure true traffic routing and destination, and custom binary protocols over raw TCP connections. ICMP is required in all IP-compatible host implementations but is significantly undermonitored compared to TCP and UDP application protocols, making it an attractive covert channel. Notable threat actors leveraging this technique include Gamaredon Group using SOCKS5 over port 9050, APT32's WINDSHIELD malware using TCP raw sockets, TSCookie (BlackTech) and Anchor (TrickBot infrastructure) using ICMP for C2, and PlugX being configured for raw TCP or UDP. FRP (a popular proxy tool) supports TCP, KCP, QUIC, and UDP multiplexing. In ESXi environments, adversaries may use the Virtual Machine Communication Interface (VMCI) to create covert channels between guest VMs and the ESXi host that are invisible to external network monitoring tools including tcpdump, netstat, nmap, and Wireshark, as documented in Google Cloud's 2023 analysis of UNC3886."
references:
  - https://attack.mitre.org/techniques/T1095/
  - https://df00tech.com/detections/T1095
author: df00tech
date: 2026/04/13
tags:
  - attack.t1095
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Tor Browser and other privacy-focused browsers legitimately connect to SOCKS/Onion network on ports 9050 and 1080 — add process-level allowlist for tor.exe and the Tor Browser executable
  - Custom enterprise middleware and industrial control systems using raw UDP for inter-service heartbeats or telemetry on non-standard ports
  - "VoIP, video conferencing, and media streaming applications (Zoom, Teams, WebEx) may negotiate UDP media channels on non-standard high ports"
  - "WireGuard, OpenVPN, and other VPN clients operate over non-standard UDP ports; the default WireGuard port 51820 is excluded but custom deployments use arbitrary ports"
  - "Network monitoring and security scanning tools (nmap, Nessus agents, Zabbix, PRTG) generate ICMP and unusual UDP as part of active health checks"
level: high
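As an added example (not the df00tech rule's own detection logic, which the file notes could not be auto-translated), the following Python triage applies the allowlisting the falsepositives entries describe to Sysmon Event ID 3 style network_connection events; the process names, the UDP port threshold and the sample events are assumptions constructed for this illustration.

```python
"""Triage Sysmon-style network_connection events for T1095 indicators
(SOCKS proxy ports, UDP to non-standard high ports) with the process
allowlists the falsepositives section calls for. Image names and the
port threshold are assumptions for this example, not df00tech values."""

SOCKS_PORTS = {9050, 1080}                # Tor SOCKS and classic SOCKS
TOR_IMAGES = {"tor.exe", "firefox.exe"}   # assumed Tor Browser allowlist
UDP_APP_IMAGES = {"zoom.exe", "teams.exe", "webexmta.exe", "wireguard.exe"}
EXCLUDED_UDP_PORTS = {51820}              # default WireGuard port
WELL_KNOWN_MAX = 1023                     # UDP above this is "non-standard"

def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage(events):
    """Return (image, destination, reason) tuples for suspicious outbound
    connections. Events use Sysmon EID 3 field names."""
    alerts = []
    for ev in events:
        if not ev.get("Initiated", True):
            continue  # inbound connections are not C2 egress
        img = basename(ev["Image"])
        port = int(ev["DestinationPort"])
        proto = ev["Protocol"].lower()
        dst = f'{ev["DestinationIp"]}:{port}/{proto}'
        if proto == "tcp" and port in SOCKS_PORTS and img not in TOR_IMAGES:
            alerts.append((img, dst, "SOCKS port from non-Tor process"))
        elif (proto == "udp" and port > WELL_KNOWN_MAX
              and port not in EXCLUDED_UDP_PORTS and img not in UDP_APP_IMAGES):
            alerts.append((img, dst, "UDP to non-standard high port"))
    return alerts

# Constructed sample events (not real telemetry); RFC 5737 documentation IPs.
SAMPLE = [
    {"Image": r"C:\Tor Browser\Browser\firefox.exe", "Protocol": "tcp",
     "DestinationIp": "127.0.0.1", "DestinationPort": 9050, "Initiated": True},
    {"Image": r"C:\Users\u\AppData\Local\Temp\svc.exe", "Protocol": "tcp",
     "DestinationIp": "203.0.113.7", "DestinationPort": 1080, "Initiated": True},
    {"Image": r"C:\Program Files\WireGuard\wireguard.exe", "Protocol": "udp",
     "DestinationIp": "198.51.100.2", "DestinationPort": 51820, "Initiated": True},
    {"Image": r"C:\Windows\Temp\upd.exe", "Protocol": "udp",
     "DestinationIp": "198.51.100.9", "DestinationPort": 40444, "Initiated": True},
    {"Image": r"C:\Program Files\Zoom\bin\Zoom.exe", "Protocol": "udp",
     "DestinationIp": "198.51.100.20", "DestinationPort": 8801, "Initiated": True},
]

if __name__ == "__main__":
    for img, dst, reason in triage(SAMPLE):
        print(f"{reason}: {img} -> {dst}")
```

Only the two unallowlisted processes surface; the Tor Browser, WireGuard and Zoom connections are suppressed by the allowlists rather than by port alone.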
