Clankerusecase
MITRE ATT&CK detection coverage

T1572 Protocol Tunneling

T1572 — Protocol Tunneling is a MITRE ATT&CK technique in the Command and Control tactic. Clankerusecase tracks 22 detection use cases covering it and 9 threat-intel articles citing it.

Command and Control
22 use cases · 9 articles · 0 sub-techniques · 1 tactic

Use cases covering this technique (22)

- [WEEKLY] Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN (Internal · actions · alerting · DSPDD)
- [WEEKLY] Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) (Internal · install · alerting · DSΣPDD)
- Cisco IOS XE Tunnel Interface Configuration (ESCU · actions · hunting · P)
- Okta Non-Standard VPN Usage (ESCU · actions · alerting · P)
- Linux Ngrok Reverse Proxy Usage (ESCU · actions · hunting · P)
- Windows Ngrok Reverse Proxy Usage (ESCU · actions · hunting · P)
- Windows Potential Cloudflared Network Connection (ESCU · actions · hunting · P)
- Windows Potential Cloudflared Tunnel Execution (ESCU · actions · hunting · P)
- Windows Protocol Tunneling with Plink (ESCU · actions · alerting · P)
- Windows SoftEther VPN Masquerading as Legitimate Binary (ESCU · actions · alerting · P)
- Windows SSH Proxy Command (ESCU · actions · hunting · P)
- Ngrok Reverse Proxy on Network (ESCU · actions · hunting · P)
- [LLM] Velvet Ant air-gap bridge — fcgiwrap/uptime spawning SSH from HTTP-driven FastCGI (Bespoke · actions · alerting · DSΣPDDCS)
- [LLM] SOCKS5 proxy masquerading as 'smbd -D' from non-Samba install path (Bespoke · c2 · alerting · DSΣPDDCS)
- [LLM] GIFTEDCROOK / Gamaredon C2 callback to article IOCs (IPs + workers.dev / trycloudflare / .ru domains) (Bespoke · c2 · hunting · DSΣPDDCS)
- [LLM] SilentCryptoMiner DNS tunneling to *.microsoft.com lookalike and known C2 .space domains (Bespoke · c2 · alerting · DSΣPDDCS)
- [LLM] OpenSSH reverse port-forward (-R) launched on a workstation - Cloud Atlas backup C2 (Bespoke · c2 · alerting · DSΣPDDCS)
- [LLM] Webworm 2025 IOC match — known C2 IPs (Vultr/IT7) and file hashes (Bespoke · c2 · hunting · DSΣPDDCS)
- [LLM] CL-STA-1132 EarthWorm staging download from 146.70.100.69:8000/php_sess (Bespoke · c2 · hunting · DSΣPDD)
- [LLM] GPT-Proxy backdoor C2 / Stage-2 download (sync.geeker.indevs.in, gibunxi4201/kube-node-diag) (Bespoke · c2 · alerting · DSΣPDD)
- [LLM] ScreenConnect client beaconing to ClawdBot attacker relay (meeting.bulletmailer.net:8041) (Bespoke · c2 · hunting · DSΣPDDCS)
- [LLM] rsocx SOCKS5 reverse proxy beacon to 31.172.71.5:8008 (Sandworm Poland C2) (Bespoke · c2 · alerting · DSΣP)

Articles citing this technique (9)