
Protocol Tunneling T1572

Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.

Events covered

7 catalog events are tagged with this technique by at least one rule.

Provider            Event ID  Title
Sysmon              1         Process creation
Sysmon              3         Network connection
Sysmon              22        DNSEvent (DNS query)
Security-Auditing   4624      An account was successfully logged on.
Security-Auditing   4625      An account failed to log on.
Security-Auditing   4688      A new process has been created.
PowerShell          4104      Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 24 rules listed under this technique below (21 Sigma, 1 Splunk, 2 KQL): which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (15 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (in this table: eq, ends_with, match, in, cidr_match, is_not_null) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list; values are quoted where leading or trailing whitespace is part of the pattern.

Field               Rules  How                     Sample values
CommandLine         9      match 9                 " tunnel ", " -R ", ":3389", "cleanup ", "-connector-id"
Initiated           8      eq 8                    true
DestinationHostname 7      ends_with 6, match 1    .localto.net, .localtonet.com, tunnel.in.ngrok.com, tunnel.sa.ngrok.com, tunnel.au.ngrok.com
Image               7      ends_with 7             \ssh.exe, \svchost.exe, \plink.exe, \3proxy.exe, ngrok.exe
QueryName           2      ends_with 2             .v2.argotunnel.com, trycloudflare.com, update.argotunnel.com, .devtunnels.ms
Description         2      eq 2                    "3proxy - tiny proxy server", "Command-line SSH, Telnet, and Rlogin client"
SourcePort          2      eq 2                    3389
DnsQuery            1      is_not_null 1, match 1  NgrokDomains
src_ip              1      in 1                    127.0.0.1, ::1
LogonType           1      eq 1                    10
EventID             1      in 1                    4624, 4625
dest_ip             1      cidr_match 1            ::1/128, 127.0.0.0/8
DestinationPort     1      eq 1                    80, 443
ScriptBlockText     1      match 1                 "$cmdargs", "[Convert]::ToString($SYNOptions, 16)", "$Session.Dead = $True"
dns.question.name   1      in 1                    "*.ngrok.io", "*.ngrok.com", "korgn.*.lennut.com"

Top indicator values (99 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one; the 20 highest-ranked are listed. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Initiated = true is the clearest case here: 8 rules under this technique and 40 across the catalog check it, so by itself it says nothing about tunneling and only becomes a signal next to a more specific predicate such as a DestinationHostname or Image match. Blank means the combination is specific to rules under this technique.

Field        Kind       Value                   Rules (here)  Corpus reach
Initiated    eq         true                    8             40
CommandLine  match      "-config "              2             3
CommandLine  match      " tunnel "              2             3
CommandLine  match      " -R "                  2             4
Image        ends_with  \ssh.exe                2             3
CommandLine  match      ":3389"                 2             3
Image        ends_with  \svchost.exe            2             20
SourcePort   eq         3389                    2             3
DnsQuery     match      NgrokDomains            1
src_ip       in         ::1                     1
LogonType    eq         10                      1             4
src_ip       in         127.0.0.1               1
EventID      in         4624                    1
EventID      in         4625                    1
CommandLine  match      "cleanup "              1             2
CommandLine  match      "-connector-id"         1             2
CommandLine  match      "-credentials-contents" 1             2
CommandLine  match      "-credentials-file"     1             2
CommandLine  match      "-token"                1             2
CommandLine  match      " run "                 1             2
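The two tables above read as a specification once the predicates are grouped into rules, so here is a worked example, added for this page and not part of the catalog or any vendor's rule set, that evaluates those field/operator/value patterns over constructed Windows events. It also shows the corpus-reach point concretely: the single-predicate Initiated = true rule fires on ordinary browsing, the same predicate paired with a DestinationHostname suffix does not. The grouping of predicates into rules, the sample events, and the placeholder agent name cf.exe (the page lists the "tunnel run" and credential flags but never names the binary) are assumptions made for the example; the wildcard ngrok patterns from the table are folded into ends_with suffixes.

```python
"""Added example: evaluate the T1572 field/operator/value patterns from the tables
above against constructed Windows events.  Rule grouping, events and the agent
name cf.exe are assumptions made for this example, not any vendor's shipped rules."""
import ipaddress

# Predicates use the operator vocabulary of the tables: eq, ends_with, match
# (case-insensitive substring), in, cidr_match, is_not_null.  A list value means
# "any of these"; every predicate of a rule must hold (logical AND).
RULES = {
    # Sysmon 1 / Security 4688: ssh or plink opening a reverse tunnel to RDP
    "ssh_plink_reverse_tunnel_rdp": [
        ("Image", "ends_with", ["\\ssh.exe", "\\plink.exe"]),
        ("CommandLine", "match", [" -R "]),
        ("CommandLine", "match", [":3389"]),
    ],
    # Tunnel agent started as '<agent> tunnel run' with credentials on the command
    # line; the page lists the flags but not the binary, so cf.exe is assumed
    "tunnel_run_with_credentials": [
        ("CommandLine", "match", [" tunnel "]),
        ("CommandLine", "match", [" run "]),
        ("CommandLine", "match", ["-token", "-credentials-file",
                                  "-credentials-contents", "-connector-id"]),
    ],
    # Sysmon 22: name resolution for tunnel-provider domains
    "tunnel_provider_dns": [
        ("QueryName", "ends_with", [".v2.argotunnel.com", "update.argotunnel.com",
                                    "trycloudflare.com", ".devtunnels.ms",
                                    ".ngrok.com", ".ngrok.io"]),
    ],
    # Sysmon 3: Initiated=true is the corpus-wide indicator (40 rules); the
    # hostname predicate is what makes the combination specific to tunneling
    "outbound_to_tunnel_endpoint": [
        ("Initiated", "eq", True),
        ("DestinationHostname", "ends_with", [".localto.net", ".localtonet.com",
                                             "tunnel.in.ngrok.com",
                                             "tunnel.sa.ngrok.com",
                                             "tunnel.au.ngrok.com"]),
    ],
    # Sysmon 3: the RDP service answering a peer on loopback, i.e. the local end
    # of a tunnel rather than a client elsewhere on the network
    "rdp_served_over_loopback": [
        ("SourcePort", "eq", 3389),
        ("dest_ip", "cidr_match", ["127.0.0.0/8", "::1/128"]),
    ],
    # Security 4624/4625: RDP logon (LogonType 10) whose source address is loopback
    "rdp_logon_from_loopback": [
        ("EventID", "in", [4624, 4625]),
        ("LogonType", "eq", 10),
        ("src_ip", "in", ["127.0.0.1", "::1"]),
    ],
    # Single-predicate rule kept only to show how noisy Initiated=true is alone
    "noisy_initiated_only": [("Initiated", "eq", True)],
}


def _holds(actual, op, expected):
    """Evaluate one predicate; 'expected' may be one value or a list of values."""
    wanted = expected if isinstance(expected, list) else [expected]
    if op == "is_not_null":
        return actual is not None
    if actual is None:                      # field absent from this event type
        return False
    if op in ("eq", "in"):
        return actual in wanted
    if op == "cidr_match":
        ip = ipaddress.ip_address(actual)   # a v4 address is never inside a v6 net
        return any(ip in ipaddress.ip_network(w) for w in wanted)
    s = str(actual).lower()
    if op == "ends_with":
        return any(s.endswith(str(w).lower()) for w in wanted)
    if op == "match":
        return any(str(w).lower() in s for w in wanted)
    raise ValueError(f"unsupported operator {op}")


def detect(event):
    """Names of every rule whose predicates all hold for this event."""
    return [name for name, preds in RULES.items()
            if all(_holds(event.get(f), op, v) for f, op, v in preds)]


def hits_per_rule(events):
    """Matches per rule across a batch, which is where a noisy rule shows itself."""
    counts = {name: 0 for name in RULES}
    for event in events:
        for name in detect(event):
            counts[name] += 1
    return counts


# Constructed sample events, normalized to the field names used on this page.
EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "CommandLine": "ssh.exe -N -R 3389:127.0.0.1:3389 op@203.0.113.10"},
    {"EventID": 1, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\cf.exe",
     "CommandLine": "cf.exe tunnel run --token eyJhIjoiZXhhbXBsZSJ9"},
    {"EventID": 22, "QueryName": "quiet-river-12.trycloudflare.com"},
    {"EventID": 3, "Initiated": True, "DestinationPort": 443,
     "DestinationHostname": "tunnel.au.ngrok.com"},
    {"EventID": 3, "Initiated": True, "DestinationPort": 443,
     "DestinationHostname": "www.example.com"},               # ordinary browsing
    {"EventID": 3, "Initiated": False, "SourcePort": 3389,
     "src_ip": "127.0.0.1", "dest_ip": "127.0.0.1"},
    {"EventID": 4624, "LogonType": 10, "src_ip": "127.0.0.1"},
    {"EventID": 4624, "LogonType": 10, "src_ip": "10.0.0.5"},  # ordinary RDP logon
]

if __name__ == "__main__":
    for event in EVENTS:
        print(event["EventID"], detect(event))
    print(hits_per_rule(EVENTS))
```

Running it, each tunneling event trips exactly one specific rule, the benign loopback-free RDP logon trips none, and the counts show noisy_initiated_only firing twice against one hit for outbound_to_tunnel_endpoint: the hostname suffix is doing the discriminating work. Real rules would additionally exclude the legitimate users of these binaries (svchost.exe appears in 20 catalog rules for the same reason), which this example omits.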

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 21 rules

Splunk 1 rule

Kusto Query Language 2 rules