Esc
Protocol Tunneling - T1572
(ATT&CK® Technique)
Definition
Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1572["Protocol Tunneling"] --> |produces| OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"]; class T1572 OffensiveTechniqueNode;
class OutboundInternetNetworkTraffic ArtifactNode; click OutboundInternetNetworkTraffic href "/dao/artifact/d3f:OutboundInternetNetworkTraffic";
click T1572 href "/offensive-technique/attack/T1572/"; click OutboundInternetNetworkTraffic href "/dao/artifact/d3f:OutboundInternetNetworkTraffic"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
| analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
| may-detect | T1572["Protocol Tunneling"] ;
class Client-serverPayloadProfiling DefensiveTechniqueNode;
class OutboundInternetNetworkTraffic ArtifactNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
| analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
| may-detect | T1572["Protocol Tunneling"] ;
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
class OutboundInternetNetworkTraffic ArtifactNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
| analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
| may-detect | T1572["Protocol Tunneling"] ;
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
class OutboundInternetNetworkTraffic ArtifactNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
| analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];
NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
| may-detect | T1572["Protocol Tunneling"] ;
class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
class OutboundInternetNetworkTraffic ArtifactNode;
click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; RelayPatternAnalysis["Relay Pattern Analysis"] -->
| analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];
RelayPatternAnalysis["Relay Pattern Analysis"] -.->
| may-detect | T1572["Protocol Tunneling"] ;
class RelayPatternAnalysis DefensiveTechniqueNode;
class OutboundInternetNetworkTraffic ArtifactNode;
click RelayPatternAnalysis href "/technique/d3f:RelayPatternAnalysis"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
| analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
| may-detect | T1572["Protocol Tunneling"] ;
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
class OutboundInternetNetworkTraffic ArtifactNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
| analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
| may-detect | T1572["Protocol Tunneling"] ;
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
class OutboundInternetNetworkTraffic ArtifactNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
| analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
| may-detect | T1572["Protocol Tunneling"] ;
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
class OutboundInternetNetworkTraffic ArtifactNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
| filters | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.->
| may-isolate | T1572["Protocol Tunneling"] ;
class NetworkTrafficFiltering DefensiveTechniqueNode;
class OutboundInternetNetworkTraffic ArtifactNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; OutboundTrafficFiltering["Outbound Traffic Filtering"] -->
| filters | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];
OutboundTrafficFiltering["Outbound Traffic Filtering"] -.->
| may-isolate | T1572["Protocol Tunneling"] ;
class OutboundTrafficFiltering DefensiveTechniqueNode;
class OutboundInternetNetworkTraffic ArtifactNode;
click OutboundTrafficFiltering href "/technique/d3f:OutboundTrafficFiltering";