T1572

Protocol Tunneling

Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their...

Platforms: ESXi, Linux, macOS, Windows

51 Detections | 4 Sources | 14 Threat Actors

BY SOURCE

sigma: 23 | elastic: 21 | splunk_escu: 6 | crowdstrike_cql: 1

PROCEDURES (33)

Network Connection Monitoring: 3 detections (auto-extracted)
Tunnel: 3 detections (auto-extracted)
Persist: 3 detections (auto-extracted)
Persist: 3 detections (auto-extracted)
Service: 3 detections (auto-extracted)
Suspicious: 2 detections (auto-extracted)
Process Creation Monitoring: 2 detections (auto-extracted)
Cloud: 2 detections (auto-extracted)
Exfiltrat: 2 detections (auto-extracted)
Exfiltrat: 2 detections (auto-extracted)
Download: 2 detections (auto-extracted)
C2: 2 detections (auto-extracted)
Lateral: 2 detections (auto-extracted)
Bypass: 1 detection (auto-extracted)
Http: 1 detection (auto-extracted)
C2: 1 detection (auto-extracted)
Powershell: 1 detection (auto-extracted)
Dns: 1 detection (auto-extracted)
Suspicious: 1 detection (auto-extracted)
Unusual: 1 detection (auto-extracted)
Powershell: 1 detection (auto-extracted)
Encrypt: 1 detection (auto-extracted)
Command And Control: 1 detection (auto-extracted)
Lateral: 1 detection (auto-extracted)
Cloud: 1 detection (auto-extracted)
Dns: 1 detection (auto-extracted)
Cloud: 1 detection (auto-extracted)
Unusual: 1 detection (auto-extracted)
Dns: 1 detection (auto-extracted)
Download: 1 detection (auto-extracted)
Bypass: 1 detection (auto-extracted)
Command And Control: 1 detection (auto-extracted)
Encrypt: 1 detection (auto-extracted)

DETECTIONS (51)

Cloudflared Tunnel Connections Cleanup (sigma, medium)
Cloudflared Tunnel Execution (sigma, medium)
Cloudflared Tunnels Related DNS Requests (sigma, medium)
Communication To LocaltoNet Tunneling Service Initiated (sigma, high)
Communication To LocaltoNet Tunneling Service Initiated - Linux (sigma, high)
Communication To Ngrok Tunneling Service - Linux (sigma, high)
Communication To Ngrok Tunneling Service Initiated (sigma, high)
Curl SOCKS Proxy Activity from Unusual Parent (elastic, medium)
Curl SOCKS Proxy Detected via Defend for Containers (elastic, medium)
DNS Query To Devtunnels Domain (sigma, medium)
DNS Tunneling (elastic, low)
IPSEC NAT Traversal Port Activity (elastic, low)
IPv4/IPv6 Forwarding Activity (elastic, low)
Kubectl Network Configuration Modification (elastic, low)
Linux Ngrok Reverse Proxy Usage (splunk_escu)
Linux SSH X11 Forwarding (elastic, low)
Network Connection Initiated To BTunnels Domains (sigma, medium)
Network Connection Initiated To Cloudflared Tunnels Domains (sigma, medium)
Network Connection Initiated To DevTunnels Domain (sigma, medium)
Network Connection Initiated To Visual Studio Code Tunnels Domain (sigma, medium)
Ngrok Reverse Proxy on Network (splunk_escu)
Okta Non-Standard VPN Usage (splunk_escu)
Port Forwarding Activity Via SSH.EXE (sigma, medium)
Port Forwarding Rule Addition (elastic, medium)
Potential DNS Tunneling via NsLookup (elastic, medium)
Potential Linux Tunneling and/or Port Forwarding (elastic, medium)
Potential Linux Tunneling and/or Port Forwarding via Command Line (elastic, medium)
Potential Linux Tunneling and/or Port Forwarding via SSH Option (elastic, low)
Potential Protocol Tunneling via Chisel Client (elastic, medium)
Potential Protocol Tunneling via Cloudflared (elastic, medium)
Potential Protocol Tunneling via EarthWorm (elastic, high)
Potential Protocol Tunneling via Yuze (elastic, medium)
Potential RDP Tunneling Via Plink (sigma, high)
Potential RDP Tunneling Via SSH (sigma, high)
Potential Remote Desktop Tunneling Detected (elastic, high)
Potential Traffic Tunneling using QEMU (elastic, medium)
Potentially Suspicious Usage Of Qemu (sigma, medium)
Process Initiated Network Connection To Ngrok Domain (sigma, high)
ProxyChains Activity (elastic, medium)
PUA - 3Proxy Execution (sigma, high)
PUA - Ngrok Execution (sigma, high)
RDP Over Reverse SSH Tunnel (sigma, high)
RDP to HTTP or HTTPS Target Ports (sigma, high)
Remote Port Forwarding via Plink - Unauthorized RDP Tunneling Detection (crowdstrike_cql)
Silence.EDA Detection (sigma, critical)
Suspicious Plink Port Forwarding (sigma, high)
Suspicious Utility Launched via ProxyChains (elastic, medium)
Tunneling and/or Port Forwarding Detected via Defend for Containers (elastic, medium)
Windows Ngrok Reverse Proxy Usage (splunk_escu)
Windows Protocol Tunneling with Plink (splunk_escu)
Windows SSH Proxy Command (splunk_escu)