# T1095 Non-Application Layer Protocol

-----------------------------------------------------------------------

## Technique Description

Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).

ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.

## Technique Detection

Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.(Citation: Cisco Blog Legacy Device Attacks)

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2) 

Monitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels.

-----------------------------------------------------------------------

### Tactics:

  *   Command-And-Control

### Platforms:

  * Windows

  * Linux

  * macOS

  * Network

### Data Sources:

  * **Network Traffic:** Network Traffic Content

  * **Network Traffic:** Network Traffic Flow

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| BackdoorDiplomacy | [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has used EarthWorm for network tunneling with a SOCKS5 server and port transfer functionalities.(Citation: ESET BackdoorDiplomacy Jun 2021)| 
| HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has used TCP for C2.(Citation: Microsoft HAFNIUM March 2020)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has used a custom protocol for command and control.(Citation: FoxIT Wocao December 2019)| 
| PLATINUM | [PLATINUM](https://attack.mitre.org/groups/G0068) has used the IntelÂ® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for command and control.(Citation: Microsoft PLATINUM June 2017)| 
| FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has used Metasploit Bind and Reverse TCP stagers.(Citation: Trend Micro FIN6 October 2019)| 
| APT3 | An [APT3](https://attack.mitre.org/groups/G0022) downloader establishes SOCKS5 connections for its initial C2.(Citation: FireEye Operation Double Tap)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used TCP for C2 communications.(Citation: FireEye APT29 Nov 2018)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1095)

  * [Wikipedia Osi](http://en.wikipedia.org/wiki/List_of_network_protocols_%28OSI_model%29), Wikipedia. (n.d.). List of network protocols (OSI model). Retrieved December 4, 2014.

  * [Cisco Synful Knock Evolution](https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices), Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.

  * [Microsoft Icmp](http://support.microsoft.com/KB/170292), Microsoft. (n.d.). Internet Control Message Protocol (ICMP) Basics. Retrieved December 1, 2014.

  * [Cisco Blog Legacy Device Attacks](https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954), Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.

  * [University Of Birmingham C2](https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf), Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated  Date:** 6 July 2022

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, CTR Emily Porras

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries have used tools such as custom Cobalt Strike beacons for C2 communitcations on a victim network.
- Adversaries will use non-application layer protocols (ICMP, TCP, UDP, SOCKS, SOL) to establish and utilize C2.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT29 |  | 1, 2 |

## Detection Blindspots

 * Encrypted traffic will not allow for the examining of the payload. Data surrounding the connection will need to be analyzed.
 * Sensor placement may play a role in not being able to identify this TTP.

## Analytical References

 * [Not So Cozy - APT29 Phishing Campaign](https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html)
 * [Recorded Future - Cobalt Strike](https://www.recordedfuture.com/cobalt-strike-servers/)
 * [Github - Malleable C2 Profile](https://github.com/rsmudge/Malleable-C2-Profiles)
 * [Identifying Cobalt Strike](https://blog.fox-it.com/2019/02/26/iden]ifying-cobalt-strike-team-servers-in-the-wild/)
 * [Cobalt Strike - Malleable C2](https://www.cobaltstrike.com/help-malleable-c2)
 * [Atomic Red Team T1095 (redcanary)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md)
 * [List of Network Protocols - OSI Model (wikipedia)](https://en.wikipedia.org/wiki/List_of_network_protocols_%28OSI_model%29)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Identify network connections that are not SOAP, SSDP, TCAP, UPP, DHCP, DNS, HTTP, HTTPS, NFS, POP3, SMTP, SNMP, FTP, NTP, IRC, TELNET, SSH, TFTP

#### Analytic 1

  * **Information:** Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

  * **Source:** Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** ```Event_id : 3 AND process.name : *```

-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes
 - Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.
 - Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).
 - Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.
 - Data size may assist in detecting possible communications if client sends more data than it receives. Databytes from source being greater than databytes being received from destination. (databytes.src > databytes.dst)
 - Close attention should be paid to detination ports that are not common, example: 8443, 5454, 5353, as adversaries used these for custom C2 communications.
 - Zeek may be a better tool to hunt for this TTP

#### Analytic 1

  * **Information:** Identify C2 communications by analyzing traffic patterns and packet size.        
 
  * **Source:** PCAP, sessions*

  * **Tool:** Arkime, Kibana

  * **Notes:**  
      * Identify the possible host that is reached out to by filtering for http.host in correlation with databyte size and protocol. If connections are seen over non encrypted protocols such as http, identify successful connections with a status code of 200 and the initial GET request with a possible follow on POST request.
      * Identify possible data size from client to server that may indicate possible C2 communications. A client sends larger data than it request should be investigated, databytes.src > databytes.dst.
  * **Query Arkime:**  
    - `protocols == [ssl,tls] && ip.dst != [10/8, 172.16/12, 192.168/16] && http.host == [host of interest]`
    - `databytes.src [== or >= or <=] [databyte number]`
    - `databytes.dst [== or >= or <=] [databyte number]`
    - `http.statuscode == 200 (if connections have been observed over non-encrypted http)`
    - `http.method == [GET, POST]` 

   * **Query Kibana:** 
    - `srcIp: [internal IP address] AND srcDataBytes: [databyte number] AND dstDataBytes: [databyte number] AND dstIp: [External IP address]`
    - `protocol: (tls or ssl) AND NOT dstIp: (10.0.0.0/8 OR 172.16.0.0/12 OR 192.168.0.0/16) AND http.host: [host of interest]`

#### Analytic 2

  * **Information:** Identify C2 communications by analyzing traffic patterns and packet size.        
 
  * **Source:** PCAP, sessions*

  * **Tool:** Arkime, Kibana

  * **Notes:**  Use Zeek to analyze dpd.log and conn.log
  
  * **Zeek:**
    - Analyze dpd.log
        * uuid - connection unique ID
        * analyzer - the analyzer that generated the violation
        * failure_reason - the textual reason for the analysis failure
    - Analyze conn.log
        * uuid - unique identifier of connection
        * service - application protocol ID sent over connection
        * orgi_bytes - number of payload bytes orginator sent (sender)
        * resp_btyes - number of payload bytes responder sent (receiver)
        * history - connection stat history

#### Analytic 2

  * **Information:** Identify C2 communications by analyzing traffic patterns and packet size.        
 
  * **Source:** PCAP, sessions*

  * **Tool:** Arkime, Kibana

  * **Notes:**  Use Zeek to analyze dpd.log and conn.log
  
  * **Zeek:**
    - Analyze dpd.log
        * uuid - connection unique ID
        * analyzer - the analyzer that generated the violation
        * failure_reason - the textual reason for the analysis failure
    - Analyze conn.log
        * uuid - unique identifier of connection
        * service - application protocol ID sent over connection
        * orgi_bytes - number of payload bytes orginator sent (sender)
        * resp_btyes - number of payload bytes responder sent (receiver)
        * history - connection stat history

* **Tools**
  Arkime example:

    What am I looking for: The null value after the http version and status code.
      The <font color="blue">Highlighted Portion</font> in the first image is showing the hex data in Moloch where there are no spaces separating the HTTP code from the message.

![T1095](../../Images/T1095_Non-Application_Layer_Protocol.png)

  Typically in legitimate HTTP traffic there are no empty or null spaces in the response header.

  Here you can see that there are null spaces between the HTTP Code and the mesage as well as directly after the message. The <font color="red">20 hex byte</font> was highlighted by the report this image was pulled from without the required context.

![T1095pt2](../../Images/T1095_Non-Application_Layer_Protocol1.png)


  Compromised host's that are looking to connect to C2 infrastructure may look for these empty spaces in HTTP headers as means to verify a successful connection. This is especially useful as a means to not draw attention to alternate means of establishing encrypted communications when actual commands are being passed to the host. As a result of these packets force hunters to sift through large amounts of legitimate connections looking for "nothing".