ATT&CK Technique

Protocol Tunneling

T1572 · command-and-control

Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN).

Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. There are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.

Protocol Tunneling may also be abused by adversaries during Dynamic Resolution. Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets. Adversaries may also leverage Protocol Tunneling in conjunction with Proxy and/or Protocol or Service Impersonation to further conceal C2 communications and infrastructure.

Platforms: ESXi, Linux, macOS, Windows

Actors Using This

14
  • Agrius (Iran)
  • Anubis Ransomware (unknown, likely Russia-aligned)
  • APT10 (China)
  • APT31 (China)
  • OilRig (Iran)
  • APT40 (China)
  • 8Base (Russian-speaking cybercrime)
  • BianLian (Russian-speaking cybercrime)
  • BlackLock Ransomware (unknown, likely Russia-aligned; Eldorado lineage)
  • Brain Cipher (unknown, likely Russia-aligned)
  • Cactus (ransomware; RaaS, independent emergence)
  • Cicada3301 (unknown, likely Russia-aligned; ALPHV lineage)
  • Eldorado Ransomware (unknown, likely Russia-aligned)

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
  • resource-development (earlier)
  • lateral-movement (earlier)

Atomic Tests

7
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
DNS over HTTPS Large Query Volume (powershell, windows)
This test simulates an infected host sending a large volume of DoH queries to a command and control server. The intent of this test is to trigger threshold-based detection on the number of DoH queries either from a single source system or to a single target domain. A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout in JSON format.
```powershell
for($i=0; $i -le #{query_volume}; $i++) { (Invoke-WebRequest "#{doh_server}?name=#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}&type=#{query_type}" -UseBasicParsing).Content }
```
DNS over HTTPS Regular Beaconing (powershell, windows)
This test simulates an infected host beaconing via DoH queries to a command and control server at regular intervals over time. This behaviour is typical of implants either in an idle state waiting for instructions or configured to use a low query volume over time to evade threshold-based detection. A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout in JSON format.
```powershell
Set-Location "PathToAtomicsFolder"
.\T1572\src\T1572-doh-beacon.ps1 -DohServer #{doh_server} -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}
```
DNS over HTTPS Long Domain Query (powershell, windows)
This test simulates an infected host returning data to a command and control server using long domain names. The simulation involves sending DoH queries that gradually increase in length until reaching the maximum length. The intent is to test the effectiveness of detection of DoH queries for long domain names over a set threshold. Upon execution, DNS information about the domain will be displayed for each callout in JSON format.
```powershell
Set-Location "PathToAtomicsFolder"
.\T1572\src\T1572-doh-domain-length.ps1 -DohServer #{doh_server} -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}
```
run ngrok (powershell, elevated, windows)
Download and run ngrok, then create a tunnel to the chosen port.
```powershell
C:\Users\Public\ngrok\ngrok.exe config add-authtoken #{api_token} | Out-Null
Start-Job -ScriptBlock { C:\Users\Public\ngrok\ngrok.exe tcp #{port_num} } | Out-Null
Start-Sleep -s 5
Stop-Job -Name Job1 | Out-Null
```
Microsoft Dev tunnels (Linux/macOS) (bash, linux, macos)
Dev Tunnels enables insiders as well as threat actors to expose local ports over the internet via Microsoft dev tunnels. This atomic will generate a dev tunnel bound to the local service running on the provided port. It can be used to expose local services, web applications, local files, etc.
References:
  • [Microsoft Docs](https://learn.microsoft.com/en-us/tunnels/dev-tunnels-overview)
  • [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/devtunnels/)
```bash
#{binary_path} host -p #{port} &
```
VSCode tunnels (Linux/macOS) (sh, linux, macos)
Visual Studio Code Remote Tunnels can be used for exposing a local development environment, services, or files over the internet. This atomic will generate a dev tunnel bound to the local service running on the provided port.
References:
  • [Microsoft Docs](https://code.visualstudio.com/docs/remote/tunnels)
  • [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/vscode-server/)
```sh
nohup code tunnel --accept-server-license-terms #{additional_args} >/dev/null 2>&1 &
```
Cloudflare tunnels (Linux/macOS) (sh, linux, macos)
Cloudflared can be used for exposing a local development environment, services, or files over the internet. This atomic will generate a tunnel bound to the local service running at the provided URL.
References:
  • [Cloudflared Docs](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/)
  • [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/cloudflared/)
```sh
nohup #{binary_path} tunnel --url #{url_to_tunnel} #{additional_args} >/dev/null 2>&1 &
```
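The three DoH atomics above state what a detection should catch (a query-volume threshold per source or per domain, fixed-interval beaconing, and over-long query names) but not how the defender's side is built. The following is an added example, written for this page and not code from the page, Atomic Red Team or MITRE: a Python analytic that parses constructed web-proxy log lines for DoH GET requests and applies those three checks. The log format, the base-domain grouping by last two labels, the volume threshold, the 100-character name limit and the coefficient-of-variation cut-off for beaconing are all assumptions to be tuned against real traffic.

```python
"""Constructed DoH detection analytics (added example; not code from the page,
Atomic Red Team, or MITRE). Parses web-proxy style log lines for DoH GET
requests and applies the three detection ideas behind the DoH atomics:
per-source/per-domain query volume, over-long query names, and regular
(beaconing) inter-arrival times. Log format and thresholds are assumptions."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed query name of 200 characters (three 60-char labels plus suffix).
LONG_NAME = ".".join(["x" * 60] * 3 + ["exfil", "example", "org"])

# Constructed proxy log: "<timestamp> <src_ip> <method> <url>", one request per line.
# 10.0.0.5 beacons to c2.example.org every 30 s; 10.0.0.9 sends one long name.
SAMPLE_LOG = f"""\
2024-01-01T10:00:00 10.0.0.5 GET https://doh.example.net/dns-query?name=www.example.com&type=A
2024-01-01T10:00:30 10.0.0.5 GET https://doh.example.net/dns-query?name=a1.c2.example.org&type=TXT
2024-01-01T10:01:00 10.0.0.5 GET https://doh.example.net/dns-query?name=a2.c2.example.org&type=TXT
2024-01-01T10:01:30 10.0.0.5 GET https://doh.example.net/dns-query?name=a3.c2.example.org&type=TXT
2024-01-01T10:02:00 10.0.0.5 GET https://doh.example.net/dns-query?name=a4.c2.example.org&type=TXT
2024-01-01T10:02:30 10.0.0.5 GET https://doh.example.net/dns-query?name=a5.c2.example.org&type=TXT
2024-01-01T10:00:07 10.0.0.9 GET https://doh.example.net/dns-query?name=mail.example.com&type=MX
2024-01-01T10:03:11 10.0.0.9 GET https://doh.example.net/dns-query?name=cdn.example.com&type=A
2024-01-01T10:04:00 10.0.0.9 GET https://doh.example.net/dns-query?name={LONG_NAME}&type=A
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_doh_log(text):
    """Return [(timestamp, src_ip, query_name)] for DoH GET lines; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, _method, url = m.groups()
        parsed = urlparse(url)
        if not parsed.path.endswith("/dns-query"):
            continue
        name = parse_qs(parsed.query).get("name", [""])[0].rstrip(".").lower()
        if name:
            events.append((datetime.fromisoformat(ts), src, name))
    return events


def base_domain(name):
    # Naive registrable domain (last two labels); production code should use a
    # public-suffix list so co.uk-style names are not mis-grouped.
    return ".".join(name.split(".")[-2:])


def volume_alerts(events, threshold):
    """Sources and base domains whose DoH query count exceeds the threshold."""
    by_src = Counter(src for _, src, _ in events)
    by_dom = Counter(base_domain(name) for _, _, name in events)
    return ({s for s, c in by_src.items() if c > threshold},
            {d for d, c in by_dom.items() if c > threshold})


def long_name_alerts(events, max_len=100):
    """Queries whose full name is longer than max_len characters."""
    return [(src, name) for _, src, name in events if len(name) > max_len]


def beacon_alerts(events, min_queries=5, max_cv=0.1):
    """(src, base_domain, mean_gap_s) for series with near-constant spacing.

    Coefficient of variation (stdev / mean) of the inter-arrival gaps near
    zero means a fixed timer; jittered implants raise it, so tune max_cv per
    environment rather than treating 0.1 as a constant.
    """
    series = defaultdict(list)
    for ts, src, name in events:
        series[(src, base_domain(name))].append(ts)
    hits = []
    for (src, dom), stamps in series.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits.append((src, dom, round(mean, 1)))
    return hits


EVENTS = parse_doh_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("volume:", volume_alerts(EVENTS, threshold=5))
    print("long names:", [(s, len(n)) for s, n in long_name_alerts(EVENTS)])
    print("beacons:", beacon_alerts(EVENTS))
```

Each analytic keys on a different property of the atomic it answers: volume counts per source and per base domain together, because a single domain hammered from many hosts is as telling as one host hammering many names; the beacon check works on the gaps between queries rather than their count, which is what catches the low-volume idle implant the second atomic describes; and the length check measures the whole name, since subdomain stacking is the usual way data is pushed into a query.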

Mitigations

2
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1031 Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

M1037 Filter Network Traffic

Employ network appliances and endpoint software to filter ingress, egress, and lateral network traffic. This includes protocol-based filtering, enforcing firewall rules, and blocking or restricting traffic based on predefined conditions to limit adversary movement and data exfiltration.

Ingress Traffic Filtering
  • Use Case: Configure network firewalls to allow traffic only from authorized IP addresses to public-facing servers.
  • Implementation: Limit SSH (port 22) and RDP (port 3389) traffic to specific IP ranges.
Egress Traffic Filtering
  • Use Case: Use firewalls or endpoint security software to block unauthorized outbound traffic to prevent data exfiltration and command-and-control (C2) communications.
  • Implementation: Block outbound traffic to known malicious IPs or regions where communication is unexpected.
Protocol-Based Filtering
  • Use Case: Restrict the use of specific protocols that are commonly abused by adversaries, such as SMB, RPC, or Telnet, based on business needs.
  • Implementation: Disable SMBv1 on endpoints to prevent exploits like EternalBlue.
Network Segmentation
  • Use Case: Create network segments for critical systems and restrict communication between segments unless explicitly authorized.
  • Implementation: Implement VLANs to isolate IoT devices or guest networks from core business systems.
Application Layer Filtering
  • Use Case: Use proxy servers or Web Application Firewalls (WAFs) to inspect and block malicious HTTP/S traffic.
  • Implementation: Configure a WAF to block SQL injection attempts or other web application exploitation techniques.
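The ingress, egress and protocol-based filtering items above are stated as intents; what makes them work in practice is an ordered, default-deny rule table in which specific denies come before broad allows. The following is an added example, not code from the page or from MITRE: a small Python model of such a policy evaluated against constructed flow records. The rule names, the `Flow`/`Rule` types and every address range (RFC 5737 documentation ranges plus 10.0.0.0/8) are assumptions, and the DoH resolver range is a placeholder standing in for a maintained list of public DoH endpoints.

```python
"""Constructed ingress/egress filtering policy (added example; not code from
the page or MITRE). Models the M1037 guidance as an ordered, default-deny
rule table: SSH/RDP admitted only from an admin allowlist, DNS allowed only
to the approved resolver, known public DoH resolvers blocked ahead of the
general HTTPS allow, and everything unmatched dropped. All address ranges
are documentation-range placeholders, not real infrastructure."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    direction: str  # "in" (from the internet) or "out" (to the internet)
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    src_nets: Tuple[str, ...]   # CIDRs; empty tuple matches any source
    dst_nets: Tuple[str, ...]   # CIDRs; empty tuple matches any destination
    proto: Optional[str]        # None matches any protocol
    dports: Tuple[int, ...]     # empty tuple matches any port
    action: str                 # "allow" or "deny"


# Constructed placeholders (RFC 5737 / RFC 1918 ranges).
INTERNAL = ("10.0.0.0/8",)
ADMIN_NETS = ("203.0.113.0/24",)          # where admin SSH/RDP may come from
APPROVED_RESOLVERS = ("192.0.2.53/32",)   # the only DNS destination allowed
DOH_RESOLVERS = ("198.51.100.0/24",)      # stand-in for a public DoH resolver list
PUBLIC_WEB = ("10.0.1.10/32",)            # the one internet-facing web server

# First match wins, so specific denies must precede broad allows.
POLICY = [
    Rule("admin-ssh", "in", ADMIN_NETS, INTERNAL, "tcp", (22,), "allow"),
    Rule("admin-rdp", "in", ADMIN_NETS, INTERNAL, "tcp", (3389,), "allow"),
    Rule("block-mgmt", "in", (), INTERNAL, "tcp", (22, 3389), "deny"),
    Rule("web-in", "in", (), PUBLIC_WEB, "tcp", (80, 443), "allow"),
    Rule("dns-approved", "out", INTERNAL, APPROVED_RESOLVERS, None, (53,), "allow"),
    Rule("block-ext-dns", "out", INTERNAL, (), None, (53,), "deny"),
    Rule("block-doh", "out", INTERNAL, DOH_RESOLVERS, "tcp", (443,), "deny"),
    Rule("web-out", "out", INTERNAL, (), "tcp", (80, 443), "allow"),
]
DEFAULT_ACTION = "deny"


def _in_nets(addr, nets):
    return not nets or any(ip_address(addr) in ip_network(n) for n in nets)


def matches(rule, flow):
    return (rule.direction == flow.direction
            and (rule.proto is None or rule.proto == flow.proto)
            and (not rule.dports or flow.dport in rule.dports)
            and _in_nets(flow.src, rule.src_nets)
            and _in_nets(flow.dst, rule.dst_nets))


def evaluate(flow, policy=POLICY):
    """Return (action, rule_name) for the first matching rule, else the default."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action, rule.name
    return DEFAULT_ACTION, "default"


def denied_flows(flows, policy=POLICY):
    """Denied flows with the rule that dropped them. This is the feed worth
    alerting on: a host repeatedly hitting block-ext-dns or block-doh is a
    tunneling lead, not just a blocked packet."""
    out = []
    for f in flows:
        action, name = evaluate(f, policy)
        if action == "deny":
            out.append((f, name))
    return out


# Constructed flows, one per rule outcome.
SAMPLE_FLOWS = [
    Flow("in", "203.0.113.7", "10.0.0.5", "tcp", 22),        # admin SSH
    Flow("in", "192.0.2.9", "10.0.0.5", "tcp", 3389),        # stray RDP
    Flow("in", "192.0.2.9", "10.0.1.10", "tcp", 443),        # public web
    Flow("out", "10.0.0.5", "192.0.2.53", "udp", 53),        # approved DNS
    Flow("out", "10.0.0.5", "192.0.2.1", "udp", 53),         # rogue DNS
    Flow("out", "10.0.0.5", "198.51.100.20", "tcp", 443),    # public DoH
    Flow("out", "10.0.0.5", "192.0.2.80", "tcp", 443),       # ordinary HTTPS
    Flow("out", "10.0.0.5", "192.0.2.80", "tcp", 445),       # SMB to internet
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, "->", evaluate(f))
```

The model also shows the limit of port-based egress control that the page's Application Layer Filtering item exists to cover: DoH to a resolver outside the placeholder list is indistinguishable from ordinary HTTPS at this layer and is allowed by `web-out`, so the resolver list, a proxy that can inspect the request path, or the query-pattern analytics are what close that gap.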

Detection Coverage

2/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
  • Behavioral / log (Sigma): 23
  • Analytics (MITRE CAR): none
  • Runtime / container (Falco): none
  • File / malware (YARA): none
  • Network (Suricata/Snort): 1,353
  • Vuln scan (Nuclei): none

threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin