EXPLORE
Sign In
← Back to Explore
T1095

Non-Application Layer Protocol

Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such a...

ESXiLinuxmacOSNetwork DevicesWindows
23
Detections
3
Sources
12
Threat Actors

BY SOURCE

18elastic3sigma2splunk_escu

PROCEDURES (16)

Persist3 detections

Auto-extracted: 3 detections for persist

Bypass2 detections

Auto-extracted: 2 detections for bypass

Exfiltrat2 detections

Auto-extracted: 2 detections for exfiltrat

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Remote2 detections

Auto-extracted: 2 detections for remote

Tunnel2 detections

Auto-extracted: 2 detections for tunnel

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Cloud Monitoring1 detections

Auto-extracted: 1 detections for cloud monitoring

Container1 detections

Auto-extracted: 1 detections for container

Child Process1 detections

Auto-extracted: 1 detections for child process

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Container1 detections

Auto-extracted: 1 detections for container

C21 detections

Auto-extracted: 1 detections for c2

Child Process1 detections

Auto-extracted: 1 detections for child process

C21 detections

Auto-extracted: 1 detections for c2

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

THREAT ACTORS (12)

APT3BackdoorDiplomacyBITTEREmber BearFIN6Gamaredon GroupHAFNIUMMetadorMustang PandaPLATINUMToddyCatUNC3886

DETECTIONS (23)

Detect Large ICMP Traffic
splunk_escu
File Transfer or Listener Established via Netcat
elasticmedium
IPSEC NAT Traversal Port Activity
elasticlow
Linux Proxy Socks Curl
splunk_escu
Netcat File Transfer or Listener Detected via Defend for Containers
elasticmedium
Netcat Listener Established via rlwrap
elasticmedium
Netcat The Powershell Version
sigmamedium
Network Activity Detected via cat
elasticmedium
Network Connection Initiated by Suspicious SSHD Child Process
elasticmedium
Network Connection via Recently Compiled Executable
elasticmedium
Potential Command Shell via NetCat
elastichigh
Potential Reverse Shell
elastichigh
Potential Reverse Shell Activity via Terminal
elastichigh
Potential Reverse Shell via Background Process
elastichigh
Potential Reverse Shell via Child
elastichigh
Potential Reverse Shell via Suspicious Binary
elastichigh
Potential Reverse Shell via Suspicious Child Process
elastichigh
Potential Reverse Shell via UDP
elasticmedium
PUA - Netcat Suspicious Execution
sigmahigh
Suspicious DNS Z Flag Bit Set
sigmamedium
Suspicious Interpreter Execution Detected via Defend for Containers
elasticmedium
Suspicious React Server Child Process
elastichigh
Web Server Exploitation Detected via Defend for Containers
elastichigh