Clankerusecase
MITRE ATT&CK detection coverage

T1095 Non-Application Layer Protocol

T1095 — Non-Application Layer Protocol is a MITRE ATT&CK technique in the Command and Control tactic. Clankerusecase tracks 9 detection use cases covering it and 6 threat-intel articles citing it.

Command and Control
9 Use cases
6 Articles
0 Sub-techniques
1 Tactic

Use cases covering this technique (9)

Linux Proxy Socks Curl | ESCU actions · alerting P
Detect Large ICMP Traffic | ESCU actions · alerting P
Detect Large Outbound ICMP Packets | ESCU actions · alerting P
[LLM] GS-Netcat reverse shell — host beacons to gs.thc.org Global Socket relay | Bespoke c2 · alerting DSΣPDDCS
[LLM] Argamal RAT C2 Beacon — 186.158.223.35 / freeddns / kozow / ignorelist / UDP-57441 / TCP-3747 | Bespoke c2 · alerting DSΣPDDCS
[LLM] Reverse shell from 9router-spawned shell — outbound TCP from node-child bash | Bespoke c2 · hunting DSPDDCS
[LLM] AdaptixC2 'shadowcore' / Mythic C2 traffic to UAT-8616 infrastructure 194.163.175.135 | Bespoke c2 · hunting DSΣPDDCS
[LLM] Beaconing to GopherWhisper C2 IP 43.231.113.50 (incl. SSLORDoor raw TLS/443) | Bespoke c2 · alerting DSΣPDDCS
[LLM] Outbound TCP beacon to BlokTrooper Socket.IO C2 195.201.104.53:6931/6936/6939 | Bespoke c2 · alerting DSΣPDDCS

Articles citing this technique (6)