Common Information
Value: Standard Non-Application Layer Protocol - T1095
Category: Attack-Pattern
Type: Mitre-Enterprise-Attack-Attack-Pattern
Misp Type: Cluster
Description: Use of a standard non-application layer protocol for communication between a host and a C2 server, or among infected hosts within a network. The list of possible protocols is extensive. (Citation: Wikipedia OSI) Specific examples include network layer protocols such as the Internet Control Message Protocol (ICMP) and transport layer protocols such as the User Datagram Protocol (UDP). ICMP is the canonical case: because it is part of the Internet Protocol Suite, every IP-compatible host is required to implement it (Citation: Microsoft ICMP), yet it is not monitored as closely as TCP or UDP, so adversaries may use it to hide communications, for instance by carrying data in the payload of echo request and echo reply messages.

Detection: Analyze network traffic for ICMP messages, or other protocols, that carry abnormal data or are not normally seen within or exiting the network. Look for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes that use the network but do not normally have network communication, or that have never been seen before, are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port in use. (Citation: University of Birmingham C2)

Platforms: Linux, macOS, Windows
Requires Network: Yes
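The detection guidance above (abnormal ICMP payloads, lopsided client/server byte volumes) can be turned into a small offline analyzer. The following is an added example written for this page; it is not part of the MITRE ATT&CK entry or of any product referenced here. It uses only the Python standard library, constructs its own IPv4/ICMP frames inline instead of reading a capture, and makes two assumptions that are flagged in comments: the recognised "normal" echo padding is limited to the Linux iputils and Windows ping patterns, and the size, entropy and volume-ratio thresholds are illustrative values to be tuned per environment.

```python
"""Heuristic detection of ICMP echo tunnelling (ATT&CK T1095).

Added example, not code from the original page or from MITRE.
Parses raw IPv4/ICMP frames (constructed below, no capture needed),
flags echo payloads that are not standard ping padding, and reports
hosts whose outbound ICMP payload volume dwarfs what they receive.
"""
import math
import struct
from collections import defaultdict

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
MAX_NORMAL_PAYLOAD = 64    # assumption: tune to your environment
ENTROPY_THRESHOLD = 4.0    # bits/byte; real ping padding is far lower
RATIO_THRESHOLD = 5.0      # out/in payload-byte ratio treated as "uncommon"


def build_icmp_packet(src, dst, icmp_type, payload):
    """Construct a minimal IPv4 + ICMP echo frame (checksums left zero,
    which is fine for an offline parser; a real capture has them set)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + icmp


def parse_ipv4_icmp(frame):
    """Return (src, dst, icmp_type, payload) for ICMP echo frames, else None."""
    if len(frame) < 28 or (frame[0] >> 4) != 4 or frame[9] != 1:
        return None
    ihl = (frame[0] & 0x0F) * 4
    icmp = frame[ihl:]
    if len(icmp) < 8 or icmp[0] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    return src, dst, icmp[0], icmp[8:]


def shannon_entropy(data):
    """Bits per byte; 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_standard_ping_padding(payload):
    """Assumption: only two benign padding shapes are recognised.
    Windows ping repeats the alphabet with period 23 ('abc...wabc...');
    Linux iputils ping stores a timestamp in the first 16 bytes and then
    fills byte i with (i & 0xFF)."""
    if not payload:
        return True
    if all(b == ord("a") + (i % 23) for i, b in enumerate(payload)):
        return True
    if len(payload) > 16 and all(b == (i & 0xFF) for i, b in enumerate(payload) if i >= 16):
        return True
    return False


def inspect_payload(payload):
    """Reasons this echo payload looks abnormal (empty list if it looks benign)."""
    reasons = []
    if len(payload) > MAX_NORMAL_PAYLOAD:
        reasons.append(f"oversized payload ({len(payload)} bytes)")
    if not is_standard_ping_padding(payload):
        reasons.append("payload is not standard ping padding")
        ent = shannon_entropy(payload)
        if ent > ENTROPY_THRESHOLD:
            reasons.append(f"high-entropy payload ({ent:.2f} bits/byte)")
    return reasons


def analyze(frames):
    """Return (alerts, volume): alerts is [(src, dst, reasons)], volume maps
    host -> [payload bytes sent, payload bytes received]."""
    alerts, volume = [], defaultdict(lambda: [0, 0])
    for frame in frames:
        parsed = parse_ipv4_icmp(frame)
        if parsed is None:
            continue
        src, dst, _icmp_type, payload = parsed
        volume[src][0] += len(payload)
        volume[dst][1] += len(payload)
        reasons = inspect_payload(payload)
        if reasons:
            alerts.append((src, dst, reasons))
    return alerts, dict(volume)


def lopsided_hosts(volume, threshold=RATIO_THRESHOLD):
    """Hosts sending at least `threshold` times more ICMP payload than they receive
    (a host that receives nothing is compared against one byte)."""
    return sorted(h for h, (out, inc) in volume.items() if out >= threshold * max(inc, 1))


# Constructed sample traffic (not from any real capture).
LINUX_PAD = b"\x00" * 16 + bytes(range(16, 56))                 # 56-byte iputils shape
WINDOWS_PAD = bytes(ord("a") + (i % 23) for i in range(32))     # 32-byte Windows shape
TUNNEL_PAYLOAD = bytes((i * 7919 + 13) & 0xFF for i in range(128))  # 128 distinct bytes
BENIGN_FRAMES = [
    build_icmp_packet("10.0.0.5", "10.0.0.1", ICMP_ECHO_REQUEST, LINUX_PAD),
    build_icmp_packet("10.0.0.1", "10.0.0.5", ICMP_ECHO_REPLY, LINUX_PAD),
    build_icmp_packet("10.0.0.6", "10.0.0.1", ICMP_ECHO_REQUEST, WINDOWS_PAD),
    build_icmp_packet("10.0.0.1", "10.0.0.6", ICMP_ECHO_REPLY, WINDOWS_PAD),
]
TUNNEL_FRAMES = []
for _ in range(4):   # victim 10.0.0.7 pushes data out, server answers with a short command
    TUNNEL_FRAMES.append(build_icmp_packet("10.0.0.7", "203.0.113.9", ICMP_ECHO_REQUEST, TUNNEL_PAYLOAD))
    TUNNEL_FRAMES.append(build_icmp_packet("203.0.113.9", "10.0.0.7", ICMP_ECHO_REPLY, b"exec:whoami"))
SAMPLE_FRAMES = BENIGN_FRAMES + TUNNEL_FRAMES

if __name__ == "__main__":
    found, vol = analyze(SAMPLE_FRAMES)
    for src, dst, why in found:
        print(f"ALERT {src} -> {dst}: {'; '.join(why)}")
    print("lopsided senders:", lopsided_hosts(vol))
```

On the constructed sample the two ping exchanges produce no alerts, every frame of the tunnel is flagged (the requests for size, non-standard padding and entropy, the replies for non-standard padding), and the volume check singles out the victim host, which is the "client sending significantly more than it receives" pattern the detection text describes. In production the same parser would be fed frames from a capture library, and the padding table extended with whatever legitimate tooling (monitoring probes, load balancers) is known to emit echo traffic on the network.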
Related CTI reports referencing this technique:

Published    Attributes  CTI      Title
2022-10-11   97          Website  POLONIUM targets Israel with Creepy malware | WeLiveSecurity
2022-10-05   29          Website  SafeBreach Coverage for US-CERT Alert (AA22-277A) – Use of Impacket and CovalentStealer to Steal Sensitive Data
2022-10-04   34          Website  Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization | CISA
2022-09-27   21          Website  Anomali Cyber Watch: Sandworm Uses HTML Smuggling and Commodity RATs, BlackCat Ransomware Adds New Features, Domain Shadowing Is Rarely Detected, and More
2022-09-26   81          Website  PlugX: A Talisman to Behold
2022-09-12   74          Website  Chiseling In: Lorenz Ransomware Group Cracks MiVoice And Calls Back For Free - Arctic Wolf
2022-08-24   20          Website  Defending in a hostile environment: Key findings from the BlackHat NOC
2022-08-16   50          Website  Anomali Cyber Watch: Ransomware Module Added to SOVA Android Trojan, Bitter APT Targets Mobile Phones with Dracarys, China-Sponsored TA428 Deploys Six Backdoors at Once, and More
2022-08-16   53          Website  Phishing Site used to Spread Typhon Stealer
2022-08-02   57          Website  Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More
2022-08-01   27          Website  Here’s a Simple Script to Detect the Stealthy Nation-State BPFDoor | Qualys Security Blog
2022-07-20   122         Website  Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities | Mandiant
2022-07-13   35          Website  A peek behind the BPFDoor — Elastic Security Labs
2022-06-02   99          Website  To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions | Mandiant
2022-06-01   50          Website  Analyzing AsyncRAT distributed in Colombia | Welcome to Jstnk webpage
2022-05-17   679         Website  Space Pirates: analyzing the tools and connections of a new hacker group
2022-05-02   39          Website  UNC3524: Eye Spy on Your Email | Mandiant
2022-04-28   128         Website  Tracking APT29 Phishing Campaigns | Atlassian Trello
2022-04-27   202         Website  A lookback under the TA410 umbrella: Its cyberespionage TTPs and activity | WeLiveSecurity
2022-03-25   121         Website  Mustang Panda's Hodur: Old tricks, new Korplug variant | WeLiveSecurity
2022-03-16   53          Website  Have Your Cake and Eat it Too? An Overview of UNC2891 | Mandiant
2022-02-23   314         Website  (Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware | Mandiant
2022-01-01   288         Website  Shadowpad/technical-indicators at main · SentineLabs/Shadowpad
2021-12-14   56          Website  Tropic Trooper Targets Transportation and Government Organizations