Description
Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.
There are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling)(Citation: Sygnia Abyss Locker 2025)
Protocol Tunneling may also be abused by adversaries during Dynamic Resolution. Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19)
Adversaries may also leverage Protocol Tunneling in conjunction with Proxy and/or Protocol or Service Impersonation to further conceal C2 communications and infrastructure.
Platforms
Mitigations (2)
Filter Network TrafficM1037
Consider filtering network traffic to untrusted or known bad domains and resources.
Network Intrusion PreventionM1031
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
Threat Groups (15)
| ID | Group | Context |
|---|---|---|
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has utilized web shells and Java tools for tunneling capabilities to and from compromised assets.(Citat... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has used Plink to tunnel RDP over SSH.(Citation: DFIR Phosphorus November 2021) |
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) used the Plink command-line utility to create SSH tunnels to C2 servers.(Citation: FireEye FIN6 April 20... |
| G1045 | Salt Typhoon | [Salt Typhoon](https://attack.mitre.org/groups/G1045) has modified device configurations to create and use Generic Routing Encapsulation (GRE) tunnels... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has tunneled C2 traffic via OpenSSH.(Citation: BlackBerry_FIN7_April2024) |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) has used ProxyChains to tunnel protocols to internal networks.(Citation: CISA GRU29155 2024) |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has encapsulated [Cobalt Strike](https://attack.mitre.org/software/S0154)'s C2 protocol in DNS and HT... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used the Plink utility and other tools to create tunnels to C2 servers.(Citation: Unit42 OilRig Pl... |
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has used protocol tunneling for communication and RDP activity on compromised hosts through the us... |
| G0080 | Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) has used the Plink utility to create SSH tunnels.(Citation: Talos Cobalt Group July 2018)(Citati... |
| G1021 | Cinnamon Tempest | [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) has used the Iox and NPS proxy and tunneling tools in combination create multiple connectio... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has used tunneling tools to facilitate destructive attacks on compromised devices.(Citation: C... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has leveraged OpenSSH (sshd.exe) to execute commands, transfer files and spread across the envi... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has installed protocol-tunneling tools on VMware vCenter and adversary-controlled VMs, inclu... |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has used protocol tunneling to further conceal C2 communications and infrastructure.(Citation: CISA... |
Associated Software (21)
| ID | Name | Type | Context |
|---|---|---|---|
| S1189 | Neo-reGeorg | Malware | [Neo-reGeorg](https://attack.mitre.org/software/S1189) can tunnel data in and out of targeted networks.(Citation: GitHub Neo-reGeorg 2019) |
| S1027 | Heyoka Backdoor | Malware | [Heyoka Backdoor](https://attack.mitre.org/software/S1027) can use spoofed DNS requests to create a bidirectional tunnel between a compromised host an... |
| S1187 | reGeorg | Malware | [reGeorg](https://attack.mitre.org/software/S1187) can tunnel TCP sessions including RDP, SSH, and SMB through HTTP.(Citation: Fortinet reGeorg MAR 20... |
| S1141 | LunarWeb | Malware | [LunarWeb](https://attack.mitre.org/software/S1141) can run a custom binary protocol under HTTPS for C2.(Citation: ESET Turla Lunar toolset May 2024) |
| S0038 | Duqu | Malware | [Duqu](https://attack.mitre.org/software/S0038) uses a custom command and control protocol that communicates over commonly used ports, and is frequent... |
| S9024 | SPAWNCHIMERA | Malware | [SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has created SSH tunnels to facilitate C2 communications.(Citation: CISA SPAWNCHIMERA RESURGE F... |
| S1044 | FunnyDream | Malware | [FunnyDream](https://attack.mitre.org/software/S1044) can connect to HTTP proxies via TCP to create a tunnel to C2.(Citation: Bitdefender FunnyDream C... |
| S1020 | Kevin | Malware | [Kevin](https://attack.mitre.org/software/S1020) can use a custom protocol tunneled through DNS or HTTP.(Citation: Kaspersky Lyceum October 2021) |
| S0604 | Industroyer | Malware | [Industroyer](https://attack.mitre.org/software/S0604) attempts to perform an HTTP CONNECT via an internal proxy to establish a tunnel.(Citation: Drag... |
| S1144 | FRP | Tool | [FRP](https://attack.mitre.org/software/S1144) can tunnel SSH and Unix Domain Socket communications over TCP between external nodes and exposed resour... |
| S1063 | Brute Ratel C4 | Tool | [Brute Ratel C4](https://attack.mitre.org/software/S1063) can use DNS over HTTPS for C2.(Citation: Palo Alto Brute Ratel July 2022)(Citation: Trend Mi... |
| S9015 | BRICKSTORM | Malware | [BRICKSTORM](https://attack.mitre.org/software/S9015) has utilized a SOCKS proxy to tunnel access within the victim network and exfiltrate files from ... |
| S1015 | Milan | Malware | [Milan](https://attack.mitre.org/software/S1015) can use a custom protocol tunneled through DNS or HTTP.(Citation: Kaspersky Lyceum October 2021) |
| S0022 | Uroburos | Malware | [Uroburos](https://attack.mitre.org/software/S0022) has the ability to communicate over custom communications methodologies that ride over common netw... |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) uses a custom command and control protocol that is encapsulated in HTTP, HTTPS, or DNS. In ad... |
| S0508 | ngrok | Tool | [ngrok](https://attack.mitre.org/software/S0508) can tunnel RDP and other services securely over internet connections.(Citation: FireEye Maze May 2020... |
| S0699 | Mythic | Tool | [Mythic](https://attack.mitre.org/software/S0699) can use SOCKS proxies to tunnel traffic through another protocol.(Citation: Mythc Documentation) |
| S0173 | FLIPSIDE | Malware | [FLIPSIDE](https://attack.mitre.org/software/S0173) uses RDP to tunnel traffic from a victim environment.(Citation: Mandiant FIN5 GrrCON Oct 2016) |
| S9023 | HiddenFace | Malware | [HiddenFace](https://attack.mitre.org/software/S9023) can hide its IP lookup by using DNS over HTTPS (DoH) for C2.(Citation: Trend Micro Earth Kasha U... |
| S0650 | QakBot | Malware | The [QakBot](https://attack.mitre.org/software/S0650) proxy module can encapsulate SOCKS5 protocol within its own proxy protocol.(Citation: Kaspersky ... |
References
- Abigail See, Zhongyuan (Aaron) Hau, Ren Jie Yow, Yoav Mazor, Omer Kidron, and Oren Biderman. (2025, February 4). The Anatomy of Abyss Locker Ransomware Attack. Retrieved April 4, 2025.
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- Gatlan, S. (2019, July 3). New Godlua Malware Evades Traffic Monitoring via DNS over HTTPS. Retrieved March 15, 2020.
- SSH.COM. (n.d.). SSH tunnel. Retrieved March 15, 2020.
Frequently Asked Questions
What is T1572 (Protocol Tunneling)?
T1572 is a MITRE ATT&CK technique named 'Protocol Tunneling'. It belongs to the Command and Control tactic(s). Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneli...
How can T1572 be detected?
Detection of T1572 (Protocol Tunneling) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1572?
There are 2 documented mitigations for T1572. Key mitigations include: Filter Network Traffic, Network Intrusion Prevention.
Which threat groups use T1572?
Known threat groups using T1572 include: FIN13, Magic Hound, FIN6, Salt Typhoon, FIN7, Ember Bear, Chimera, OilRig.