Protocol Tunneling T1572

Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.

Events covered

19 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 54 rules under this technique (listed at the end of this page): which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (28 distinct, 16 shown)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list; long regular expressions are truncated with "...".

Field                 Rules  How                                        Sample values
CommandLine              24  contains 11, match 6, in 4, regex_match 3  (?i)(\-\-dns)?((\s+)|(\=))?((server\=)|(host\=))?((\d{1,3..., (?i)(tcp\s+(139|445|3389|5985|5986))|(\.exe\s+|(authtoken..., (?i)\-(L|R|N|D|C)|IdentitiesOnly=yes|StrictHostKeyChecking=no|ssh, \d{1,5}:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}, \w+@\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
EventID                  18  eq 17, in 1                                1, 4688, 4104, 17, 18
process_name             10  eq 5, match 5                              (?i)ngrok\.exe, (?i)^ssh\.exe, cloudflared.exe, ngrok.exe, nslookup.exe
Image                     9  ends_with 9                                \plink.exe, \ssh.exe, \svchost.exe, \3proxy.exe, \httptunnel.exe
Initiated                 8  eq 8                                       true
DestinationHostname       7  ends_with 6, contains 1                    .btunnel.co.in, .devtunnels.ms, .localto.net, .localtonet.com, .ngrok-free.app
Type                      5  eq 5
event.type                5  eq 5                                       start, change
process.args              4  eq 3, ends_with 1, starts_with 1           -L, -R, -c, -l, -q=
OriginalFileName          3  eq 3                                       cloudflared.exe, plink, vpnbridge*.exe
QueryName                 3  ends_with 2, contains 1, is_not_null 1     .devtunnels.ms, .v2.argotunnel.com, korgn, lennut.com, ngrok
Description               2  eq 2                                       3proxy - tiny proxy server, Command-line SSH, Telnet, and Rlogin client
DestinationPort           2  eq 2                                       443, 7844, 80
SourcePort                2  eq 2                                       3389
Company                   1  contains 1                                 softether

Top indicator values (195 distinct, 30 shown)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are noisy on their own (a process-creation event ID or Initiated=true says nothing about tunneling by itself); combine them with another condition, such as one of the CommandLine patterns below, for useful signal. A blank Reach means the combination is specific to rules under this technique.

Field         Kind         Here  Reach  Value
Initiated     eq              8     48  true
EventID       eq              6    232  1
EventID       eq              5    312  4688
EventID       eq              4    268  4104
event.type    eq              4    241  start
CommandLine   match           3      3  (?i)(tcp\s+(139|445|3389|5985|5986))|(\.exe\s+|(authtoken\s|start\s+--all))|(...
CommandLine   match           3      3  (?i)\-(L|R|N|D|C)|IdentitiesOnly=yes|StrictHostKeyChecking=no|ssh
CommandLine   match           3      3  \d{1,5}:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}
CommandLine   match           3      3  \w+@\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
CommandLine   regex_match     3      3  (?i)(\-\-dns)?((\s+)|(\=))?((server\=)|(host\=))?((\d{1,3}\.\d{1,3}\.\d{1,3}\...
process_name  match           3      3  (?i)ngrok\.exe
process_name  match           2      2  (?i)^ssh\.exe
CommandLine   contains        2      6  -r
CommandLine   contains        2      3  tunnel
CommandLine   contains        2      3  -config
CommandLine   contains        2      3  :3389
CommandLine   contains        1         -blockdev
CommandLine   contains        1         -cdrom
CommandLine   contains        1         -p 22
CommandLine   contains        1         -p 443
CommandLine   contains        1         authtoken
CommandLine   contains        1         http
CommandLine   contains        1      2  run
CommandLine   contains        1      2  start
CommandLine   contains        1         tcp
CommandLine   in              2      2  *http*
Image         ends_with       2      3  \plink.exe
Image         ends_with       2      3  \ssh.exe
Image         ends_with       2     28  \svchost.exe
SourcePort    eq              2      3  3389

Exclusions (3 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Note that -blockdev and -cdrom also appear as positive indicators above, each in one rule, so check the specific rule before copying either side.

Field         Kind         Rules excluding  Value
CommandLine   contains                   1  -blockdev
CommandLine   contains                   1  -cdrom
CommandLine   contains                   1  type=virt
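The following Python puts the guidance of the last three sections together: it collapses vendor field names the way the catalog does, requires the broad process-creation condition (EventID 1 or 4688, the high-reach indicators above) to be joined with one of the low-reach CommandLine patterns from the indicator table, and applies the three CommandLine exclusions as top-level not() clauses. This is an added example, not code from the catalog or from any rule listed on this page. The alias lists in FIELD_ALIASES, the choice of which four specific indicators to combine, and the sample events (constructed, using documentation IP ranges) are all assumptions made for the example.

```python
import re

# Vendor field names collapsed into one schema, as the catalog does for
# Sigma's Image, Elastic's process.name and Splunk's process_name.
# The alias lists are an assumption for this example, not the catalog's mapping.
FIELD_ALIASES = {
    "process_name": ("Image", "process.name", "process_name"),
    "command_line": ("CommandLine", "process.command_line", "process"),
    "event_id": ("EventID", "event.code", "EventCode"),
}


def normalize(event):
    """Map a vendor-specific process event onto the shared field names.

    process_name is reduced to a lower-cased basename: a Sysmon Image carries
    the full path while ECS/CIM carry only the file name, so an ends_with
    "\\plink.exe" test written against Image never matches the other two.
    """
    out = {}
    for canon, aliases in FIELD_ALIASES.items():
        for alias in aliases:
            if alias in event:
                out[canon] = str(event[alias])
                break
    if "process_name" in out:
        out["process_name"] = re.split(r"[\\/]", out["process_name"])[-1].lower()
    return out


# Broad condition: process creation. Corpus reach 232 (Sysmon 1) and
# 312 (Security 4688) says this is noise on its own.
PROCESS_CREATION_IDS = {"1", "4688"}

# Specific indicators taken from the indicator table (reach 3 or less).
SPECIFIC = {
    "port_forward": re.compile(r"\d{1,5}:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}"),
    "user_at_ip": re.compile(r"\w+@\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"),
    "tcp_port": re.compile(r"(?i)tcp\s+(139|445|3389|5985|5986)"),
    "rdp_port": re.compile(r":3389"),
}

# Exclusions listed on this page (top-level not() clauses on CommandLine).
EXCLUDE_SUBSTRINGS = ("-blockdev", "-cdrom", "type=virt")


def matched_indicators(ev):
    """Names of the specific indicators that hit a normalized event, in table order."""
    cmd = ev.get("command_line", "")
    return [name for name, rx in SPECIFIC.items() if rx.search(cmd)]


def is_excluded(ev):
    cmd = ev.get("command_line", "")
    return any(s in cmd for s in EXCLUDE_SUBSTRINGS)


def tunnel_rule(ev):
    """Broad condition AND at least one specific indicator AND NOT excluded."""
    return (ev.get("event_id") in PROCESS_CREATION_IDS
            and bool(matched_indicators(ev))
            and not is_excluded(ev))


# Constructed sample events in three vendor schemas; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\PuTTY\plink.exe",
     "CommandLine": "plink.exe -N -R 3389:127.0.0.1:3389 user@203.0.113.5 -P 443"},
    {"event.code": "4688", "process.name": "ssh.exe",
     "process.command_line": "ssh -o StrictHostKeyChecking=no -D 1080 admin@198.51.100.7"},
    {"EventCode": 4688, "process_name": "ngrok.exe", "process": "ngrok.exe tcp 3389"},
    {"EventCode": 4688, "process_name": "ssh.exe", "process": "ssh git@github.com"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "CommandLine": "qemu-system-x86_64.exe -blockdev driver=file,node-name=d0,filename=win.qcow2 "
                    "-netdev user,id=n0,hostfwd=tcp::8080-10.0.0.5:3389"},
]


def run(events=SAMPLE_EVENTS):
    """Return (indices hit by the broad condition alone, indices the full rule fires on)."""
    norm = [normalize(e) for e in events]
    broad = [i for i, ev in enumerate(norm) if ev.get("event_id") in PROCESS_CREATION_IDS]
    fired = [i for i, ev in enumerate(norm) if tunnel_rule(ev)]
    return broad, fired


if __name__ == "__main__":
    broad, fired = run()
    print("broad condition alone:", broad)
    print("combined rule:", fired)
    for i in fired:
        ev = normalize(SAMPLE_EVENTS[i])
        print(i, ev["process_name"], matched_indicators(ev))
```

The broad condition hits all six sample events; the combined rule fires only on the plink reverse forward, the ssh SOCKS proxy and the ngrok TCP tunnel. The qemu line carries a ":3389" indicator but is suppressed by the -blockdev exclusion, and "ssh git@github.com" passes because none of the specific patterns match a hostname.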

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.

Sigma 24 rules

Elastic 5 rules

Splunk 23 rules

Kusto 2 rules