Non-Application Layer Protocol T1095

Tactic: Command & Control

Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).

Events covered

8 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 42 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (57 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
|---|---|---|---|
| event.type | 17 | eq 16, in 1 | start, process_started |
| process_name | 17 | eq 9, in 8, wildcard 4, starts_with 2 | bash, csh, dash, awk, busybox |
| EventType | 15 | eq 9, in 9 | exec, connection_attempted, connection_accepted, ProcessRollup2, exec_event |
| host.os.type | 13 | eq 13 | |
| process.args | 11 | wildcard 7, contains 6, eq 5, in 3, match 1, ne 1, starts_with 1 | */bin/*sh*, *import*pty*spawn*, *import*subprocess*call*, -*e*, -*l* |
| EventID | 8 | eq 8 | 1, 4104, 4688, 5156, 4625 |
| parent_process_name | 8 | eq 4, in 4, wildcard 2, starts_with 1 | bash, csh, dash, socat, *.cgi |
| dest_ip | 6 | is_not_null 6, ne 1 | 127.0.0.1, ::1 |
| CommandLine | 5 | regex_match 3, contains 1, in 1, match 1 | (?i)(\-\-dns)?((\s+)\|(\=))?((server\=)\|(host\=))?((\d{1,3..., --lua-exec , --sh-exec , -l --proxy-type http , (?i)socks\d\w?:\/\/ \| --(pre)?proxy |
| Image | 4 | starts_with 2, ends_with 1, wildcard 1 | ./, ./*, /bin/lua, /bin/perl, /bin/php |
| Type | 4 | eq 4 | Detection |
| process.parent.args | 4 | contains 3, wildcard 2, eq 1 | exec, *--port*, *-Dsolr.solr.home=*, */app/*.js*, -*l* |
| DstPortNumber | 3 | is_not_null 2, in 1 | 10034, 14433, 14444 |
| Protocol | 3 | eq 3, contains 2 | *, networkprotocol, udp |
| Query | 3 | in 2, contains 1 | api.2ip.ua, api.ipify.org, canireachthe.net, dyn.com, dynu.com |

Top indicator values (788 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| event.type | eq | start | 16 | 606 |
| EventType | eq | exec | 8 | 171 |
| EventType | in | exec | 6 | 171 |
| EventType | in | connection_attempted | 5 | 12 |
| EventType | in | connection_accepted | 4 | 6 |
| EventType | in | start | 4 | 134 |
| EventType | in | ProcessRollup2 | 3 | 117 |
| EventType | in | exec_event | 3 | 139 |
| process_name | in | bash | 6 | 88 |
| process_name | in | dash | 6 | 78 |
| process_name | in | sh | 6 | 83 |
| process_name | in | zsh | 6 | 82 |
| process_name | in | csh | 4 | 71 |
| process_name | in | fish | 4 | 72 |
| process_name | in | ksh | 4 | 73 |
| process_name | in | tcsh | 4 | 69 |
| process_name | in | busybox | 3 | 36 |
| CommandLine | regex_match | (?i)(\-\-dns)?((\s+)\|(\=))?((server\=)\|(host\=))?((\d{1,3}\.\d{1,3}\.\d{1,3}\... | 3 | 3 |
| process.args | contains | socket | 3 | 5 |
| process.args | eq | -c | 3 | 30 |
| process.args | eq | -e | 3 | 15 |
| process.args | eq | -r | 3 | 11 |
| process_name | eq | bash | 3 | 7 |
| process_name | eq | csh | 3 | 5 |
| process_name | eq | dash | 3 | 7 |
| process_name | eq | fish | 3 | 5 |
| process_name | eq | ksh | 3 | 6 |
| process_name | eq | sh | 3 | 8 |
| process_name | eq | tcsh | 3 | 6 |
| process_name | eq | zsh | 3 | 7 |

Exclusions (154 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

| Field | Kind | Value | Rules excluding |
|---|---|---|---|
| dest_ip | cidr_match | 127.0.0.0/8 | 8 |
| dest_ip | cidr_match | 169.254.0.0/16 | 8 |
| dest_ip | cidr_match | 224.0.0.0/4 | 7 |
| dest_ip | cidr_match | ::1 | 7 |
| dest_ip | cidr_match | 10.0.0.0/8 | 3 |
| dest_ip | cidr_match | 172.16.0.0/12 | 3 |
| dest_ip | cidr_match | 192.168.0.0/16 | 3 |
| dest_ip | cidr_match | 100.64.0.0/10 | 2 |
| dest_ip | cidr_match | 192.0.0.0/24 | 2 |
| dest_ip | cidr_match | 192.0.0.0/29 | 2 |
| dest_ip | cidr_match | 192.0.0.10/32 | 2 |
| dest_ip | cidr_match | 192.0.0.170/32 | 2 |
| dest_ip | cidr_match | 192.0.0.171/32 | 2 |
| dest_ip | cidr_match | 192.0.0.8/32 | 2 |
| dest_ip | cidr_match | 192.0.0.9/32 | 2 |
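Worked illustration of the point made in the "Top indicator values" and "Exclusions" sections: the high-reach shell-name indicator on its own versus the same predicate with this page's dest_ip cidr_match exclusions applied as a top-level not() clause. This is added example code, not from the catalog or any vendor rule; the event dict shape, the SHELLS set and every sample address are constructed assumptions.

```python
import ipaddress

# Exclusion list copied from this page's Exclusions table (dest_ip cidr_match).
EXCLUDED_DEST_CIDRS = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "192.0.0.0/24", "192.0.0.0/29", "192.0.0.10/32", "192.0.0.170/32",
    "192.0.0.171/32", "192.0.0.8/32", "192.0.0.9/32",
)]

# process_name values the "Top indicator values" table shows rules matching with `in`.
SHELLS = {"bash", "dash", "sh", "zsh", "csh", "fish", "ksh", "tcsh", "busybox"}


def dest_ip_excluded(dest_ip):
    """True when dest_ip falls in an excluded range (IPv4 and IPv6 never cross-match)."""
    if dest_ip is None:
        return False
    addr = ipaddress.ip_address(dest_ip)
    return any(addr in net for net in EXCLUDED_DEST_CIDRS)

def noisy_rule(event):
    """High-reach indicators only: shell process with a non-null destination address."""
    return event.get("process_name") in SHELLS and event.get("dest_ip") is not None

def tuned_rule(event):
    """Same predicate with the catalog's top-level not() exclusions applied."""
    return noisy_rule(event) and not dest_ip_excluded(event["dest_ip"])

def evaluate(events, rule):
    """Return the ids of the events a rule fires on."""
    return [e["id"] for e in events if rule(e)]


# Constructed sample events (hypothetical, not catalog data). Addresses outside the
# excluded ranges use the documentation range 198.51.100.0/24.
SAMPLE_EVENTS = [
    {"id": "e1", "process_name": "bash", "dest_ip": "127.0.0.1"},        # loopback
    {"id": "e2", "process_name": "sh", "dest_ip": "::1"},                # IPv6 loopback
    {"id": "e3", "process_name": "dash", "dest_ip": "198.51.100.7"},     # external, still fires
    {"id": "e4", "process_name": "python3", "dest_ip": "198.51.100.7"},  # not a shell
    {"id": "e5", "process_name": "zsh", "dest_ip": None},                # fails is_not_null
    {"id": "e6", "process_name": "ksh", "dest_ip": "224.0.0.251"},       # multicast (mDNS)
    {"id": "e7", "process_name": "busybox", "dest_ip": "10.1.2.3"},      # RFC 1918
]

if __name__ == "__main__":
    print("noisy:", evaluate(SAMPLE_EVENTS, noisy_rule))  # ['e1', 'e2', 'e3', 'e6', 'e7']
    print("tuned:", evaluate(SAMPLE_EVENTS, tuned_rule))  # ['e3']
```

Four of the five hits from the untuned predicate are loopback, multicast or private-range traffic, which is exactly the noise the high-count exclusions above filter out.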

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.


Sigma 3 rules

Elastic 18 rules

Splunk 10 rules

Kusto 10 rules

Panther 1 rule