Non-Application Layer Protocol

Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).

ICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts. However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.

ID: T2080
Sub-techniques:  No sub-techniques
Version: 1.0
Created: 03 December 2023
Last Modified: 03 December 2023
ATT&CK Reference:  T1095

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.