Description
Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.
In ESXi environments, adversaries may leverage the Virtual Machine Communication Interface (VMCI) for communication between guest virtual machines and the ESXi host. This traffic is similar to client-server communications on traditional network sockets but is localized to the physical machine running the ESXi host, meaning it does not traverse external networks (routers, switches). This results in communications that are invisible to external monitoring and standard networking tools like tcpdump, netstat, nmap, and Wireshark. By adding a VMCI backdoor to a compromised ESXi host, adversaries may persistently regain access from any guest VM to the compromised ESXi host’s backdoor, regardless of network segmentation or firewall rules in place.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)
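The paragraph about ICMP makes a detection point: the protocol is present on every IP host yet rarely inspected. As an added example (not code from the ATT&CK page), the following Python parses IPv4/ICMP packets and flags echo traffic whose payload does not look like an ordinary ping, using size and byte entropy as the signals. The sample packets are constructed inline with zeroed checksums, and the "ordinary ping" payload patterns it recognises are assumptions about Windows ping.exe and iputils ping rather than page content.

```python
"""Flag ICMP echo traffic whose payload does not look like an ordinary ping.

Added example, not code from the ATT&CK page. The packets below are
constructed inline, and the "ordinary ping" payload patterns are assumptions
about common ping tools (Windows ping.exe and iputils ping).
"""
import math
import struct
from collections import Counter

# Windows ping.exe fills its 32-byte echo payload with this fixed sequence (assumption).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_ipv4_icmp(packet: bytes) -> dict:
    """Parse an IPv4 packet carrying ICMP; return addresses, ICMP header fields and payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 1:
        raise ValueError("not an IPv4 packet carrying ICMP")
    ihl = (ver_ihl & 0x0F) * 4
    icmp = packet[ihl:total_len]
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _icmp_csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": icmp[8:],
    }


def looks_like_plain_ping(payload: bytes) -> bool:
    """True when the payload matches a well-known ping filler pattern (assumptions above)."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    # iputils ping: an 8- or 16-byte timestamp, then bytes whose value equals their offset.
    for ts_len in (8, 16):
        if len(payload) > ts_len and payload[ts_len:] == bytes(
                i & 0xFF for i in range(ts_len, len(payload))):
            return True
    return False


def classify(packet: bytes, max_plain_len: int = 64, entropy_threshold: float = 6.0) -> dict:
    """Return the parsed packet plus a 'suspicious' flag and the reasons behind it."""
    info = parse_ipv4_icmp(packet)
    payload = info["payload"]
    reasons = []
    # Only echo request (8) and echo reply (0) are scored; other ICMP types pass through.
    if info["type"] in (0, 8) and not looks_like_plain_ping(payload):
        if len(payload) > max_plain_len:
            reasons.append(f"echo payload of {len(payload)} bytes exceeds typical ping size")
        if entropy(payload) > entropy_threshold:
            reasons.append(f"high-entropy echo payload ({entropy(payload):.2f} bits/byte)")
    info["suspicious"] = bool(reasons)
    info["reasons"] = reasons
    return info


# --- constructed sample packets (IP and ICMP checksums left as zero; test data only) ---
def build_echo(src: str, dst: str, payload: bytes, icmp_type: int = 8) -> bytes:
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + icmp


SAMPLE_PACKETS = {
    "windows_ping": build_echo("10.1.2.3", "10.1.2.1", WINDOWS_PING_PAYLOAD),
    "linux_ping": build_echo("10.1.2.3", "10.1.2.1",
                             struct.pack("!QQ", 1700000000, 123456) + bytes(range(16, 56))),
    # 200 distinct byte values: long and high-entropy, unlike any ping filler.
    "tunnel_like": build_echo("10.1.2.3", "203.0.113.10",
                              bytes((i * 73 + 11) & 0xFF for i in range(200))),
}


def scan(packets: dict) -> list:
    """Names of the packets that classify as suspicious."""
    return [name for name, pkt in packets.items() if classify(pkt)["suspicious"]]


if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        result = classify(pkt)
        print(name, result["src"], "->", result["dst"], result["reasons"] or "ok")
```

The thresholds are deliberately loose so that operating-system pings and small diagnostic payloads pass; in production the same two signals would be tracked per source host over time, since a tunnel that keeps each packet small still shows up as sustained ICMP volume between a fixed pair of hosts.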
Platforms
Mitigations (4)
Network Intrusion Prevention (M1031)
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
Audit (M1047)
Periodically investigate ESXi hosts for open VMCI ports. Running the `lsof -A` command and inspecting results with a type of `SOCKET_VMCI` will reveal processes that have open VMCI ports.(Citation: Google Cloud Threat Intelligence ESXi Hardening 2023)
Filter Network Traffic (M1037)
Filter network traffic to prevent use of protocols across the network boundary that are unnecessary. If VMCI is not required in ESXi environments, consider restricting guest virtual machines from accessing VMCI services.(Citation: Broadcom VMCI Firewall)
Network Segmentation (M1030)
Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces.
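The Filter Network Traffic and Network Segmentation mitigations amount to an egress policy: only designated gateways cross the network boundary, and only over the protocols and ports they need, so any other outbound non-application-layer traffic is a finding. The following Python, added here as an example and not taken from the page, evaluates flow records against such a policy; the internal ranges, the proxy and resolver addresses, the allowed-port table and the flow records are all constructed assumptions.

```python
"""Check flow records against an egress policy that only permits sanctioned gateways.

Added example, not code from the ATT&CK page. The internal ranges, the proxy and
resolver addresses, the allowed-port table and the flow records are constructed
for illustration.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Sanctioned boundary crossings: only these hosts may talk to the outside, and only
# over the listed protocol and destination ports (assumed policy).
ALLOWED_EGRESS = [
    (ipaddress.ip_address("10.0.0.5"), "tcp", {80, 443}),   # web proxy
    (ipaddress.ip_address("10.0.0.53"), "udp", {53}),       # recursive DNS resolver
]

# Ports associated with SOCKS proxies: 9050 appears in the page's Gamaredon entry,
# 1080 is the IANA-registered SOCKS port.
SOCKS_PORTS = {1080, 9050}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0    # 0 for ICMP, which has no ports
    nbytes: int = 0


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def crosses_boundary(flow: Flow) -> bool:
    """Outbound flow: internal source, external destination."""
    return is_internal(flow.src) and not is_internal(flow.dst)


def evaluate(flow: Flow) -> list:
    """Return policy findings for one flow (empty list when the flow is acceptable)."""
    if not crosses_boundary(flow):
        return []
    src = ipaddress.ip_address(flow.src)
    for host, proto, ports in ALLOWED_EGRESS:
        if src == host and flow.proto == proto and flow.dport in ports:
            return []
    findings = [f"{flow.proto}/{flow.dport} from {flow.src} to {flow.dst} "
                f"bypasses the sanctioned gateways"]
    if flow.proto == "icmp":
        findings.append("ICMP crossing the network boundary")
    elif flow.dport in SOCKS_PORTS:
        findings.append(f"destination port {flow.dport} is associated with SOCKS")
    return findings


def audit(flows: list) -> dict:
    """Map each offending flow's index to its findings."""
    results = {}
    for i, flow in enumerate(flows):
        findings = evaluate(flow)
        if findings:
            results[i] = findings
    return results


SAMPLE_FLOWS = [  # constructed records
    Flow("10.1.2.3", "10.0.0.5", "tcp", 3128, 1200),      # client to proxy, stays internal
    Flow("10.0.0.5", "203.0.113.10", "tcp", 443, 48000),   # proxy to web, allowed
    Flow("10.0.0.53", "203.0.113.53", "udp", 53, 300),     # resolver to upstream DNS, allowed
    Flow("10.1.2.3", "203.0.113.10", "icmp", 0, 96000),    # host sends ICMP straight out
    Flow("10.1.2.3", "198.51.100.7", "tcp", 9050, 5000),   # host reaches a SOCKS port directly
    Flow("10.1.2.3", "198.51.100.7", "udp", 4444, 800),    # arbitrary UDP out
]


if __name__ == "__main__":
    for index, findings in audit(SAMPLE_FLOWS).items():
        print(index, SAMPLE_FLOWS[index], findings)
```

Because the policy is expressed as "which hosts may cross the boundary, over what", it does not need a list of bad protocols: a new tunneling protocol is flagged the moment a non-gateway host uses it, which is the property the segmentation mitigation is after.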
Threat Groups (12)
| ID | Group | Context |
|---|---|---|
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used SOCKS5 over port 9050 for C2 communication.(Citation: SymantecCarbonBlack_ShuckwormU... |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) uses socket-based tunneling utilities for command and control purposes such as NetCat and Go Simpl... |
| G1022 | ToddyCat | [ToddyCat](https://attack.mitre.org/groups/G1022) has used a passive backdoor that receives commands with UDP packets.(Citation: Kaspersky ToddyCat Ch... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has utilized TCP-based reverse shells using cmd.exe.(Citation: Cisco Talos MUSTANG PANDA PLUGX ... |
| G1013 | Metador | [Metador](https://attack.mitre.org/groups/G1013) has used TCP for C2.(Citation: SentinelLabs Metador Sept 2022) |
| G0068 | PLATINUM | [PLATINUM](https://attack.mitre.org/groups/G0068) has used the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for command and... |
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has deployed backdoors that communicate over TCP to compromised network devices and over VMCI to ESXi... |
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has used Metasploit Bind and Reverse TCP stagers.(Citation: Trend Micro FIN6 October 2019) |
| G0135 | BackdoorDiplomacy | [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has used EarthWorm for network tunneling with a SOCKS5 server and port transfer functionali... |
| G0022 | APT3 | An [APT3](https://attack.mitre.org/groups/G0022) downloader establishes SOCKS5 connections for its initial C2.(Citation: FireEye Operation Double Tap) |
| G1002 | BITTER | [BITTER](https://attack.mitre.org/groups/G1002) has used TCP for C2 communications.(Citation: Forcepoint BITTER Pakistan Oct 2016) |
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has used TCP for C2.(Citation: Microsoft HAFNIUM March 2020) |
Associated Software (88)
| ID | Name | Type | Context |
|---|---|---|---|
| S1144 | FRP | Tool | [FRP](https://attack.mitre.org/software/S1144) can communicate over TCP, TCP stream multiplexing, KERN Communications Protocol (KCP), QUIC, and UDP.(C... |
| S0352 | OSX_OCEANLOTUS.D | Malware | [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) has used a custom binary protocol over port 443 for C2 traffic.(Citation: Unit42 OceanLotu... |
| S0504 | Anchor | Malware | [Anchor](https://attack.mitre.org/software/S0504) has used ICMP in C2 communications.(Citation: Cyberreason Anchor December 2019) |
| S0076 | FakeM | Malware | Some variants of [FakeM](https://attack.mitre.org/software/S0076) use SSL to communicate with C2 servers.(Citation: Scarlet Mimic Jan 2016) |
| S0456 | Aria-body | Malware | [Aria-body](https://attack.mitre.org/software/S0456) has used TCP in C2 communications.(Citation: CheckPoint Naikon May 2020) |
| S0660 | Clambling | Malware | [Clambling](https://attack.mitre.org/software/S0660) has the ability to use TCP and UDP for communication.(Citation: Trend Micro DRBControl February 2... |
| S1016 | MacMa | Malware | [MacMa](https://attack.mitre.org/software/S1016) has used a custom JSON-based protocol for its C&C communications.(Citation: ESET DazzleSpy Jan 2022) |
| S0155 | WINDSHIELD | Malware | [WINDSHIELD](https://attack.mitre.org/software/S0155) C2 traffic can communicate via TCP raw sockets.(Citation: FireEye APT32 May 2017) |
| S0666 | Gelsemium | Malware | [Gelsemium](https://attack.mitre.org/software/S0666) has the ability to use TCP and UDP in C2 communications.(Citation: ESET Gelsemium June 2021) |
| S1204 | cd00r | Malware | [cd00r](https://attack.mitre.org/software/S1204) can monitor incoming C2 communications sent over TCP to the compromised host.(Citation: Hartrell cd00... |
| S0436 | TSCookie | Malware | [TSCookie](https://attack.mitre.org/software/S0436) can use ICMP to receive information on the destination server.(Citation: JPCert BlackTech Malware ... |
| S1100 | Ninja | Malware | [Ninja](https://attack.mitre.org/software/S1100) can forward TCP packets between the C2 and a remote host.(Citation: Kaspersky ToddyCat June 2022)(Cit... |
| S1203 | J-magic | Malware | [J-magic](https://attack.mitre.org/software/S1203) can monitor incoming C2 communications sent over TCP to the compromised host.(Citation: Lumen J-Mag... |
| S0013 | PlugX | Malware | [PlugX](https://attack.mitre.org/software/S0013) can be configured to use raw TCP or UDP for command and control.(Citation: Eset PlugX Korplug Mustang... |
| S1029 | AuTo Stealer | Malware | [AuTo Stealer](https://attack.mitre.org/software/S1029) can use TCP to communicate with command and control servers.(Citation: MalwareBytes SideCopy D... |
| S1105 | COATHANGER | Malware | [COATHANGER](https://attack.mitre.org/software/S1105) uses ICMP for transmitting configuration information to and from its command and control server.... |
| S1121 | LITTLELAMB.WOOLTEA | Malware | [LITTLELAMB.WOOLTEA](https://attack.mitre.org/software/S1121) can function as a stand-alone backdoor communicating over the `/tmp/clientsDownload.sock... |
| S1189 | Neo-reGeorg | Malware | [Neo-reGeorg](https://attack.mitre.org/software/S1189) can create multiple TCP connections for a single session.(Citation: GitHub Neo-reGeorg 2019) |
| S0055 | RARSTONE | Malware | [RARSTONE](https://attack.mitre.org/software/S0055) uses SSL to encrypt its communication with its C2 server.(Citation: Aquino RARSTONE) |
| S0022 | Uroburos | Malware | [Uroburos](https://attack.mitre.org/software/S0022) can communicate through custom methodologies for UDP, ICMP, and TCP that use distinct sessions to... |
References
- Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown. (2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors. Retrieved March 26, 2025.
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control: Understanding, Denying and Detecting. Retrieved April 20, 2016.
- Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.
- Microsoft. (n.d.). Internet Control Message Protocol (ICMP) Basics. Retrieved December 1, 2014.
- Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.
- Wikipedia. (n.d.). List of network protocols (OSI model). Retrieved December 4, 2014.
Frequently Asked Questions
What is T1095 (Non-Application Layer Protocol)?
T1095 is a MITRE ATT&CK technique named 'Non-Application Layer Protocol'. It belongs to the Command and Control tactic(s). Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation:...
How can T1095 be detected?
Detection of T1095 (Non-Application Layer Protocol) typically involves monitoring network traffic for protocols that should not cross the network boundary or appear between hosts (such as ICMP, UDP, or SOCKS), host telemetry for processes holding raw or VMCI sockets, and system logs, using SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1095?
There are 4 documented mitigations for T1095. Key mitigations include: Network Intrusion Prevention, Audit, Filter Network Traffic, Network Segmentation.
Which threat groups use T1095?
Known threat groups using T1095 include: Gamaredon Group, Ember Bear, ToddyCat, Mustang Panda, Metador, PLATINUM, UNC3886, FIN6.