T1572 | Command and Control | Hard difficulty

Protocol Tunneling

Protocol Tunneling (T1572) is a MITRE ATT&CK technique in the Command and Control tactic. SOC analysts detect it by monitoring firewall and SIEM events for behavioral anomalies and the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.

Firewall, SIEM

What is Protocol Tunneling?

Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering. Tunneling involves explicitly encapsulating a network protocol within another. This behavior may conceal malicious traffic by blending it in with existing traffic and/or provide an outer layer of encryption. Tunneling may be used by adversaries in conjunction with proxy use, which can obfuscate traffic by requiring it to pass through a third system. Common tunneling techniques include SSH tunneling to bypass network controls, DNS tunneling for covert data exfiltration and command receipt, ICMP tunneling, and using protocols like HTTP, HTTPS, and WebSocket to encapsulate other protocols within allowed traffic. Protocol tunneling is particularly effective in environments where egress filtering blocks direct connections but allows common protocols like DNS and HTTPS.

Protocol Tunneling is documented as technique T1572 in the MITRE ATT&CK knowledge base under the Command and Control tactic. Detection requires visibility into firewall and SIEM telemetry.

Detection Strategies

The following detection strategies help SOC analysts identify Protocol Tunneling activity. These methods apply across firewall and SIEM environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

  1. Monitor DNS traffic for volume anomalies and subdomain length distributions, as DNS tunneling generates significantly higher query volumes and longer subdomain strings than normal DNS usage patterns.

  2. Detect ICMP tunneling by monitoring ICMP packet sizes and payloads, as legitimate ICMP ping traffic has predictable small payloads while ICMP tunneling tools use maximum-size ICMP packets with encoded data.

  3. Alert on SSH connections from servers and workstations that should not be creating outbound SSH sessions, particularly when traffic on port 22 goes to destinations outside the ranges where legitimate SSH servers are expected, which suggests the session is masquerading as legitimate SSH.

  4. Monitor for protocol anomalies in allowed traffic flows, including HTTP requests with abnormally large headers, unusually high-frequency keep-alive connections, and WebSocket connections with consistent binary payload patterns.

  5. Analyze outbound traffic for signs of data encapsulation, including base64-encoded content in protocol fields not designed to carry data, non-standard use of protocol features, and statistical anomalies in traffic patterns.
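As an added example (not SOCSimulator's own code), the script below implements strategy 1 and part of strategy 5 over a constructed DNS query log: it profiles each source by query count, average length of the leftmost label, Shannon entropy of that label, and the share of labels that are long and drawn purely from the base64 alphabet, then flags sources that pass the volume gate and exceed any threshold. The log format, the sample records, and the threshold values are assumptions chosen for the demonstration; tune them against your own DNS baseline.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (hypothetical records, not captured traffic).
# One record per line: "<timestamp> <source_ip> <qtype> <qname>".
# The first six lines imitate a DNS tunnel: TXT queries from one host whose
# leftmost label is a long base64-looking blob; the rest are ordinary lookups.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01 10.0.5.234 TXT aGVsbG8gd29ybGQgdGhpcyBpcyB0ZXN0IGRhdGEgZm9yIGV4ZmlsdHJhdGlvbg.cdn-resource.net
2024-05-01T10:00:02 10.0.5.234 TXT c2Vjb25kIGNodW5rIG9mIGVuY29kZWQgZGF0YSBnb2luZyBvdXQgdmlhIGRucw.cdn-resource.net
2024-05-01T10:00:03 10.0.5.234 TXT dGhpcmQgY2h1bmsgb2YgZGF0YSB3aXRoIGVub3VnaCBieXRlcyB0byBiZSBs.cdn-resource.net
2024-05-01T10:00:04 10.0.5.234 TXT Zm91cnRoIGNodW5rIGhlcmUgdG8ga2VlcCB0aGUgc3RyZWFtIGZsb3dpbmc.cdn-resource.net
2024-05-01T10:00:05 10.0.5.234 TXT ZmlmdGggY2h1bmsgYW5kIHN0aWxsIGdvaW5nIHdpdGggbW9yZSBieXRlcw.cdn-resource.net
2024-05-01T10:00:06 10.0.5.234 TXT c2l4dGggY2h1bmsgY2xvc2VzIG91dCB0aGlzIHNtYWxsIHNhbXBsZQ.cdn-resource.net
2024-05-01T10:00:07 10.0.5.12 A www.example.com
2024-05-01T10:00:08 10.0.5.12 A mail.example.com
2024-05-01T10:00:09 10.0.5.12 AAAA cdn.example.net
2024-05-01T10:00:10 10.0.5.12 A login.example.org
"""

# Characters a base64 (standard or URL-safe) label would be drawn from.
BASE64_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Turn the whitespace-separated log into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, qtype, qname = line.split()
        records.append({"ts": ts, "src": src, "qtype": qtype.upper(),
                        "qname": qname.rstrip(".").lower()})
    return records


def profile_sources(records):
    """Per-source statistics over the leftmost label of each query name."""
    acc = defaultdict(lambda: {"queries": 0, "txt": 0, "len_sum": 0,
                               "entropy_sum": 0.0, "b64_labels": 0})
    for r in records:
        label = r["qname"].split(".")[0]
        s = acc[r["src"]]
        s["queries"] += 1
        s["txt"] += r["qtype"] == "TXT"
        s["len_sum"] += len(label)
        s["entropy_sum"] += shannon_entropy(label)
        # Only long base64-alphabet labels count; "www" is trivially in the alphabet.
        s["b64_labels"] += len(label) >= 20 and BASE64_LABEL.match(label) is not None
    profiles = {}
    for src, s in acc.items():
        n = s["queries"]
        profiles[src] = {"queries": n, "txt_queries": s["txt"],
                         "avg_label_len": s["len_sum"] / n,
                         "avg_entropy": s["entropy_sum"] / n,
                         "b64_fraction": s["b64_labels"] / n}
    return profiles


def flag_tunneling(profiles, min_queries=5, max_avg_label_len=30.0,
                   max_avg_entropy=3.5, max_b64_fraction=0.5):
    """Return {source: [reasons]} for sources that look like DNS tunnels.
    Thresholds are illustrative assumptions; tune them against your baseline."""
    flagged = {}
    for src, p in profiles.items():
        if p["queries"] < min_queries:
            continue  # volume is the first gate; too few queries to judge
        reasons = []
        if p["avg_label_len"] > max_avg_label_len:
            reasons.append("avg label length %.1f > %.1f" % (p["avg_label_len"], max_avg_label_len))
        if p["avg_entropy"] > max_avg_entropy:
            reasons.append("avg label entropy %.2f > %.2f" % (p["avg_entropy"], max_avg_entropy))
        if p["b64_fraction"] > max_b64_fraction:
            reasons.append("%.0f%% base64-looking labels" % (100 * p["b64_fraction"]))
        if reasons:
            flagged[src] = reasons
    return flagged


def detect_dns_tunneling(log_text, **thresholds):
    """Convenience wrapper: raw log text in, flagged sources out."""
    return flag_tunneling(profile_sources(parse_dns_log(log_text)), **thresholds)


if __name__ == "__main__":
    for src, reasons in detect_dns_tunneling(SAMPLE_DNS_LOG).items():
        print(src, "->", "; ".join(reasons))
```

Run on the sample, only 10.0.5.234 is flagged: its six TXT queries average roughly 59 characters in the leftmost label, every label is base64-looking, and entropy is well above the threshold, while 10.0.5.12 never clears the volume gate and has short, low-entropy hostnames. In production the per-source counters would be computed over a sliding window (per hour, as in the alert text) rather than over a whole file.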

Example Alerts

These realistic alert examples show what Protocol Tunneling looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

Critical | Firewall

DNS Tunneling Data Exfiltration Detected

DNS tunneling detected from internal server 10.0.5.234: generating 2,400 DNS TXT record queries per hour to subdomains of cdn-resource.net with base64-encoded subdomain labels averaging 58 characters. Total data throughput estimated at 1.2 MB/hour over DNS. Traditional DNS queries from this server average 200 per hour with short hostnames. Pattern matches iodine or dnscat2 DNS tunneling tools.

High | Firewall

ICMP Tunnel Communication

Network monitoring detected ICMP echo request/reply traffic between internal workstation 192.168.12.45 and external IP 185.220.101.88 with payload sizes of 1440 bytes (maximum ICMP payload). Normal ping traffic uses 32-64 byte payloads. The traffic has been ongoing for 6 hours at 200 packets per minute. This pattern is characteristic of ICMP tunneling tools used for covert command-and-control communication.

High | Firewall

SSH Tunnel Established from Workstation

SSH connection established from finance workstation FIN-WS-011 to external server on port 22 with persistent connection maintained for 4 hours. Local port forwarding configuration detected tunneling internal network traffic through the SSH connection. The destination server is hosted on a commercial VPS provider and the workstation user has no legitimate reason to establish SSH tunnels to external infrastructure.
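The ICMP and SSH alerts above can be reproduced as two rules over summarised firewall session records. The script below is an added example, not SOCSimulator's code: the Session field names, the sample sessions (the first and third mirror the two alerts, the rest are benign look-alikes), and the thresholds are assumptions. The ICMP rule fires on sustained echo traffic to an external host with near-maximum payloads; the SSH rule fires on a long-lived outbound port 22 session from an asset tagged as a workstation to a non-internal address.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Session:
    """One summarised firewall session record (field names are assumptions)."""
    src: str
    dst: str
    proto: str            # "icmp" or "tcp"
    dst_port: int         # 0 for ICMP
    duration_s: int
    packets: int
    avg_payload_bytes: int
    src_role: str         # asset-inventory tag: "workstation" or "server"


# Constructed sample sessions (not real logs). The first and third mirror the
# ICMP and SSH alerts in the text; the others are benign look-alikes.
SAMPLE_SESSIONS = [
    Session("192.168.12.45", "185.220.101.88", "icmp", 0, 21600, 72000, 1440, "workstation"),
    Session("192.168.12.7", "203.0.113.9", "icmp", 0, 4, 4, 32, "workstation"),          # ordinary ping
    Session("10.20.30.11", "203.0.113.50", "tcp", 22, 14400, 9800, 512, "workstation"),  # 4 h SSH to a VPS
    Session("10.20.30.11", "10.20.30.200", "tcp", 22, 14400, 9800, 512, "workstation"),  # internal SSH
    Session("10.0.9.5", "203.0.113.77", "tcp", 22, 120, 300, 400, "server"),             # short, from a server
    Session("10.20.30.11", "203.0.113.10", "tcp", 443, 600, 400, 900, "workstation"),   # plain HTTPS
]


def is_internal(ip):
    """True when the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate_sessions(sessions, icmp_min_payload=1000, icmp_min_packets=100,
                      ssh_min_duration_s=3600):
    """Return a list of (severity, rule, session) findings, in input order."""
    findings = []
    for s in sessions:
        # Rule 1: ICMP to an external host with near-maximum payloads sustained
        # over many packets. A normal ping carries 32-64 bytes; tunnels fill the packet.
        if (s.proto == "icmp" and s.avg_payload_bytes >= icmp_min_payload
                and s.packets >= icmp_min_packets and not is_internal(s.dst)):
            findings.append(("High", "icmp_tunnel_suspect", s))
        # Rule 2: long-lived outbound SSH from a workstation to an external host.
        # Internal SSH and short sessions from server-role assets are left alone.
        if (s.proto == "tcp" and s.dst_port == 22 and s.src_role == "workstation"
                and not is_internal(s.dst) and s.duration_s >= ssh_min_duration_s):
            findings.append(("High", "workstation_outbound_ssh_tunnel", s))
    return findings


if __name__ == "__main__":
    for sev, rule, s in evaluate_sessions(SAMPLE_SESSIONS):
        print(f"[{sev}] {rule}: {s.src} -> {s.dst}:{s.dst_port} "
              f"({s.duration_s}s, {s.packets} pkts, avg {s.avg_payload_bytes} B)")
```

The asset-role tag is what keeps rule 2 from firing on administrators' jump hosts; without an inventory feed you would substitute an allow-list of source subnets. Neither rule sees the SSH port-forwarding configuration the third alert mentions, which needs host telemetry rather than session logs.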

Practice Detecting Protocol Tunneling

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Protocol Tunneling. Build detection skills with zero consequences — free forever.

12,000+ analysts trained
No credit card required

Frequently Asked Questions

How do SOC analysts detect Protocol Tunneling?
SOC analysts detect Protocol Tunneling (T1572) by monitoring firewall and SIEM telemetry for behavioral anomalies and specific indicators. Key detection methods include monitoring DNS traffic for volume anomalies and subdomain length distributions, as DNS tunneling generates significantly higher query volumes and longer subdomain strings than normal DNS usage patterns. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect Protocol Tunneling?
Protocol Tunneling can be detected using firewall and SIEM platforms. Firewall tools are particularly effective for this technique because they provide visibility into the command and control phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.
How common is Protocol Tunneling in real-world attacks?
Protocol Tunneling is a well-documented MITRE ATT&CK technique in the Command and Control tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic Protocol Tunneling scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting Protocol Tunneling for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Command and Control techniques like Protocol Tunneling. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.