title: Protocol Tunneling (T1572)
id: df00tech-t1572
status: experimental
description: "Detects adversaries tunneling network communications within a separate protocol to evade detection and bypass network filtering. This detection identifies common tunneling techniques including SSH port forwarding via Plink or OpenSSH (-L/-R/-D flags), dedicated tunneling utilities (Chisel, Iodine, ptunnel, dnscat2, socat), DNS-over-HTTPS (DoH) encapsulation for C2 traffic, and native Windows netsh portproxy tunneling. Protocol tunneling allows attackers to route blocked protocols (SMB, RDP) through permitted channels, establish covert C2 channels, and bypass network appliances — as observed in Magic Hound (Plink RDP tunneling), FIN6 (Plink SSH tunnels), and FIN13 (Java-based web shell tunneling)."
references:
  - https://attack.mitre.org/techniques/T1572/
  - https://df00tech.com/detections/T1572
author: df00tech
date: 2026/03/19
tags:
  - attack.t1572
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate SSH tunneling by system administrators for database access, jump-host traversal, or remote maintenance tasks"
  - "IT automation tools (Ansible, Puppet, SaltStack) that use SSH tunnels for agent communication and configuration management"
  - "Developers using SSH port forwarding to reach internal services, Kubernetes API servers, or staging databases"
  - "Corporate DNS-over-HTTPS policy enforcement by approved endpoint agents or custom DNS clients"
  - "VPN clients or network monitoring agents that legitimately encapsulate traffic within other protocols"
level: high
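The indicators listed in the description above, as an added process-creation scan over constructed Sysmon-style events (written for this page as an illustration, not df00tech's KQL/SPL query); the tool names, the -L/-R/-D flag check, the netsh portproxy check and the `/dns-query` DoH path heuristic are assumptions drawn from the description and the RFC 8484 convention.

```python
"""Constructed illustration of the T1572 indicators; not df00tech's query."""
from __future__ import annotations
import re

# Dedicated tunneling utilities named in the rule description.
TUNNEL_TOOLS = {"chisel", "iodine", "iodined", "ptunnel", "dnscat2", "socat"}
# SSH clients whose -L/-R/-D (local/remote/dynamic forward) flags mark a tunnel.
SSH_CLIENTS = {"plink", "ssh"}
SSH_FORWARD_FLAGS = re.compile(r"^-[LRD]")

def _basename(image: str) -> str:
    """Normalise an Image path to a lowercase tool name without .exe."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def classify(event: dict) -> str | None:
    """Return a reason string if the event matches a tunneling indicator."""
    proc = _basename(event.get("Image", ""))
    argv = event.get("CommandLine", "").split()
    lowered = [a.lower() for a in argv]
    if proc in TUNNEL_TOOLS:
        return f"dedicated tunneling utility: {proc}"
    if proc in SSH_CLIENTS and any(SSH_FORWARD_FLAGS.match(a) for a in argv[1:]):
        return f"ssh port forwarding via {proc}"
    if proc == "netsh" and "portproxy" in lowered and "add" in lowered:
        return "netsh portproxy tunnel"
    # Heuristic (assumption): RFC 8484 DoH resolvers conventionally serve /dns-query.
    if any("/dns-query" in a for a in lowered):
        return "DNS-over-HTTPS endpoint on command line"
    return None

def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Run classify() over a batch; returns (CommandLine, reason) pairs for hits."""
    return [(e["CommandLine"], r) for e in events if (r := classify(e))]

# Constructed sample events in Sysmon EventID 1 shape, not captured telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\plink.exe", "CommandLine": "plink.exe -N -R 3389:127.0.0.1:3389 user@203.0.113.10"},
    {"Image": r"C:\Windows\System32\netsh.exe", "CommandLine": "netsh interface portproxy add v4tov4 listenport=8080 connectaddress=10.0.0.5 connectport=445"},
    {"Image": r"C:\Users\dev\chisel.exe", "CommandLine": "chisel.exe client 203.0.113.10:8000 R:socks"},
    {"Image": r"C:\Windows\System32\curl.exe", "CommandLine": "curl.exe --doh-url https://doh.example/dns-query https://app.example/"},
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe", "CommandLine": "ssh.exe admin@jump.example"},  # plain login, no forward
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe -L notes.txt"},  # -L on a non-SSH binary
]

if __name__ == "__main__":
    for cmd, reason in scan(SAMPLE_EVENTS):
        print(f"{reason}: {cmd}")
```

The two non-hits show why the flag check is tied to the image name: a bare -L on an unrelated binary, or an SSH login with no forwarding flag, should not fire, which is exactly the administrator and developer traffic listed under falsepositives.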
