![]() ![]() Industroyer attempts to perform an HTTP CONNECT via an internal proxy to establish a tunnel. Heyoka Backdoor can use spoofed DNS requests to create a bidirectional tunnel between a compromised host and its C2 servers. įunnyDream can connect to HTTP proxies via TCP to create a tunnel to C2. įox Kitten has used protocol tunneling for communication and RDP activity on compromised hosts through the use of open source tools such as Ngrok and custom tool SSHMinion. įLIPSIDE uses RDP to tunnel traffic from a victim environment. įIN6 used the Plink command-line utility to create SSH tunnels to C2 servers. ĭuqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols. Ĭyclops Blink can use DNS over HTTPS (DoH) to resolve C2 nodes. ĭuring CostaRicto, the threat actors set up remote SSH tunneling into the victim's environment from a malicious domain. All protocols use their standard assigned ports. In addition, it conducts peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. Ĭobalt Strike uses a custom command and control protocol that is encapsulated in HTTP, HTTPS, or DNS. Ĭobalt Group has used the Plink utility to create SSH tunnels. Ĭhimera has encapsulated Cobalt Strike's C2 protocol in DNS and HTTPS. Īdversaries may also leverage Protocol Tunneling in conjunction with Proxy and/or Protocol Impersonation to further conceal C2 communications and infrastructure.īrute Ratel C4 can use DNS over HTTPS for C2. Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets. Protocol Tunneling may also be abused by adversaries during Dynamic Resolution. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel. There are various means to encapsulate a protocol within another protocol. Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling involves explicitly encapsulating a protocol within another. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems.
0 Comments
Leave a Reply. |