Network Evasion: Hiding in Plain Sight

November 13, 2024

Network security monitoring remains a critical layer of defense, but sophisticated attackers have developed numerous techniques to blend their malicious traffic with legitimate network activity. As a penetration tester, I regularly test network detection capabilities by simulating command-and-control communications that mimic normal traffic patterns. Understanding these evasion techniques is essential for defenders who want to improve their network monitoring and ensure their IDS, IPS, and NDR solutions provide meaningful coverage. This post covers multiple MITRE ATT&CK techniques including T1071 (Application Layer Protocol), T1572 (Protocol Tunneling), and T1573 (Encrypted Channel).

Protocol Abuse for Covert Channels

Attackers abuse legitimate protocols to create covert communication channels that blend with expected network traffic. Each protocol presents unique detection opportunities for defenders.

  • DNS tunneling (T1071.004) - DNS is one of the most commonly abused protocols because it is almost universally allowed through firewalls. Attackers encode data into DNS queries and responses, using the query name field to exfiltrate data and TXT or CNAME records to receive commands. Defenders should monitor for unusually long DNS query names, high volumes of DNS queries to a single domain, queries for uncommon record types, and DNS traffic to non-standard resolvers. Tools like passive DNS monitoring and DNS analytics platforms can identify tunneling patterns that manual review would miss.
  • HTTP and HTTPS as C2 channels (T1071.001) - Web traffic is the most natural cover for command-and-control communications because organizations generate enormous volumes of HTTP and HTTPS traffic daily. Attackers structure their C2 communications to look like normal web browsing, API calls, or content delivery requests. Defenders should look for connections that exhibit regular timing intervals, known as beaconing behavior, even if the traffic content appears legitimate. Statistical analysis of connection timing can reveal automated C2 communications that human-generated traffic patterns would never produce.
  • ICMP tunneling - ICMP echo requests and replies can carry arbitrary data in their payload section. While the bandwidth is limited, ICMP tunneling can be effective for slow data exfiltration or command-and-control signaling. Defenders should monitor for ICMP packets with unusual payload sizes, as normal ping traffic uses small, consistent payloads. Any ICMP traffic with payloads larger than standard or containing non-repeating data patterns warrants investigation.
  • WebSocket abuse - WebSocket connections establish persistent, full-duplex communication channels over HTTP. Once the initial handshake completes, data flows freely in both directions without the overhead of repeated HTTP requests. Attackers use WebSockets for real-time C2 communications that are difficult to inspect because the data stream is continuous. Defenders should monitor for WebSocket connections to unusual destinations and analyze the data patterns within established WebSocket sessions.
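As an added example (not code from the post or its author), the following Python parses raw IPv4/ICMP echo packets and applies the two checks the ICMP bullet describes: payload size compared with the defaults of common ping implementations, and whether the payload is ordinary ping filler rather than arbitrary data. Every packet here is constructed inline; the 32/56-byte size baseline and the two filler-pattern tests are this example's assumptions, not something the post specifies.

```python
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
# Default echo payload sizes of common ping implementations, used as the "normal"
# baseline here (assumption): Linux/macOS ping sends 56 bytes, Windows sends 32.
EXPECTED_PAYLOAD_SIZES = {32, 56}


def parse_icmp_echo(packet: bytes):
    """Return (icmp_type, payload) for an IPv4 packet carrying an ICMP echo, else None.
    Checksums are not validated: this is an analysis helper, not a network stack."""
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != 1:  # IPv4, protocol 1 = ICMP
        return None
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if icmp[0] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    return icmp[0], icmp[8:]  # 8-byte ICMP header: type, code, checksum, id, seq


def is_sequential(data: bytes) -> bool:
    """Each byte is the previous one plus one: the filler Linux ping uses after its 8-byte timestamp."""
    return len(data) > 1 and all((b - a) % 256 == 1 for a, b in zip(data, data[1:]))


def has_short_period(data: bytes, max_period: int = 32) -> bool:
    """Payload repeats with a short period, e.g. the 'abcdefghijklmnopqrstuvw' filler of Windows ping."""
    for period in range(1, min(max_period, len(data) - 1) + 1):
        if all(data[i] == data[i % period] for i in range(len(data))):
            return True
    return False


def looks_like_ping_filler(payload: bytes) -> bool:
    return has_short_period(payload) or is_sequential(payload[8:]) or is_sequential(payload)


def assess_echo(packet: bytes) -> dict:
    """Flag echo packets whose payload size or content does not look like ordinary ping traffic."""
    parsed = parse_icmp_echo(packet)
    if parsed is None:
        return {"icmp_echo": False, "suspicious": False, "reasons": []}
    _icmp_type, payload = parsed
    reasons = []
    if len(payload) not in EXPECTED_PAYLOAD_SIZES:
        reasons.append(f"unusual payload size {len(payload)}")
    if not looks_like_ping_filler(payload):
        reasons.append("payload is not a recognised ping filler pattern")
    return {"icmp_echo": True, "payload_len": len(payload),
            "suspicious": bool(reasons), "reasons": reasons}


def build_echo_request(payload: bytes) -> bytes:
    """Construct a minimal IPv4 + ICMP echo request for the samples below (checksums left zero)."""
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                            bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    icmp_header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1)
    return ip_header + icmp_header + payload


# Constructed samples: two ordinary pings and two payloads standing in for encoded data.
LINUX_PING = build_echo_request(b"\x66\x35\x1a\x2b\x00\x0c\x3e\x91" + bytes(range(0x10, 0x40)))
WINDOWS_PING = build_echo_request(b"abcdefghijklmnopqrstuvwabcdefghi")
TUNNEL_SIZED = build_echo_request(bytes((i * 73 + 41) % 256 for i in range(56)))  # right size, wrong content
TUNNEL_LARGE = build_echo_request(bytes((i * 73 + 41) % 256 for i in range(72)))  # wrong size and content

if __name__ == "__main__":
    for name, pkt in [("linux", LINUX_PING), ("windows", WINDOWS_PING),
                      ("tunnel-56", TUNNEL_SIZED), ("tunnel-72", TUNNEL_LARGE)]:
        print(name, assess_echo(pkt))
```

The size check alone misses the 56-byte sample; the filler-pattern check is what catches data that has been sized to look like a normal ping, which is why both are applied.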

Traffic Blending Strategies

Beyond choosing common protocols, sophisticated attackers take additional steps to make their traffic indistinguishable from legitimate network activity.

  • Mimicking legitimate application traffic - Advanced C2 frameworks can be configured to match the exact HTTP headers, user agents, URI patterns, and response structures of legitimate applications like Slack, Microsoft Teams, or Google services. Defenders need to verify that traffic claiming to be from specific applications actually connects to the correct infrastructure and matches expected behavioral patterns.
  • Common user agent rotation - Attackers cycle through popular browser user agent strings to avoid standing out. Defenders should correlate user agents with actual browser installations on the endpoint. A process claiming to be Chrome but not running from the Chrome installation directory is suspicious.
  • Domain fronting (T1090.004) - This technique routes traffic through legitimate CDN or cloud provider domains, making the destination appear to be a trusted service. The TLS SNI field shows a legitimate domain, but the HTTP Host header directs traffic to the attacker's server. While many cloud providers have restricted this technique, defenders should still monitor for discrepancies between SNI and Host header values when TLS inspection is available.
  • Abuse of legitimate cloud services - Attackers use services like Google Drive, OneDrive, Dropbox, or Pastebin as dead-drop communication channels. Data is uploaded to the service by one component and downloaded by another. Defenders should baseline normal cloud service usage and alert on unusual patterns such as automated API access from unexpected processes or large data transfers to cloud storage from servers that do not normally use those services.
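The following added example (mine, not the post's) applies two of the checks above to constructed TLS-inspection records: whether the SNI and the HTTP Host header still agree after normalisation, and whether a browser User-Agent is actually sent by a process running from where that browser is installed. The record field names, the expected install paths and the `known_fronts` allow-list are assumptions for the example.

```python
import re
from typing import Optional

# Where legitimate browser binaries live on the (assumed) managed endpoints, lower-cased,
# with backslashes already turned into forward slashes.
EXPECTED_IMAGE_PATHS = {
    "chrome": ("/google/chrome/application/chrome.exe", "/opt/google/chrome/chrome",
               "/usr/bin/google-chrome"),
    "firefox": ("/mozilla firefox/firefox.exe", "/usr/lib/firefox/firefox", "/usr/bin/firefox"),
    "curl": ("/usr/bin/curl", "/windows/system32/curl.exe"),
}

CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")

# Constructed sessions as a proxy with TLS inspection might record them (field names assumed).
SESSIONS = [
    {"src_process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "sni": "cdn.example-cloud.net", "host": "cdn.example-cloud.net", "user_agent": CHROME_UA},
    {"src_process": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "sni": "cdn.example-cloud.net", "host": "fronted-origin.example.net", "user_agent": CHROME_UA},
    {"src_process": "/usr/bin/curl",
     "sni": "api.example.com", "host": "API.EXAMPLE.COM:443", "user_agent": "curl/8.5.0"},
]


def ua_family(user_agent: str) -> Optional[str]:
    """Coarse family of a User-Agent string; None when we hold no expectation for it."""
    ua = user_agent.lower()
    if ua.startswith("curl/"):
        return "curl"
    if "firefox/" in ua:
        return "firefox"
    if "chrome/" in ua and "edg/" not in ua and "opr/" not in ua:
        return "chrome"
    return None


def normalize_host(value: str) -> str:
    """Lower-case, drop a trailing dot and an explicit :port so SNI and Host compare fairly
    (hostnames only; a bare IPv6 literal would need bracket handling)."""
    return re.sub(r":\d+$", "", value.strip().lower().rstrip("."))


def sni_host_mismatch(record: dict) -> bool:
    sni, host = record.get("sni"), record.get("host")
    if not sni or not host:
        return False  # nothing to compare: no TLS inspection, or no SNI on the wire
    return normalize_host(sni) != normalize_host(host)


def ua_process_mismatch(record: dict) -> bool:
    family = ua_family(record.get("user_agent", ""))
    if family is None:
        return False
    path = record.get("src_process", "").replace("\\", "/").lower()
    return not any(path.endswith(p) for p in EXPECTED_IMAGE_PATHS[family])


def evaluate(record: dict, known_fronts=frozenset()) -> list:
    """Findings for one session. known_fronts holds CDN edge names where an SNI/Host
    difference is expected by design, so those are not reported as fronting."""
    findings = []
    if sni_host_mismatch(record) and normalize_host(record["sni"]) not in known_fronts:
        findings.append(f"SNI {record['sni']!r} does not match Host {record['host']!r}")
    if ua_process_mismatch(record):
        findings.append(f"User-Agent claims {ua_family(record['user_agent'])} "
                        f"but process image is {record['src_process']}")
    return findings


if __name__ == "__main__":
    for session in SESSIONS:
        print(session["src_process"], "->", evaluate(session) or "clean")
```

The third session shows why normalisation matters: a Host header with different case and an explicit port is the same destination as the SNI, and reporting it would only generate noise.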

Encryption and Detection Challenges

Encryption is both a defender's friend and a challenge. While it protects legitimate communications, it also provides cover for malicious traffic.

  • TLS for C2 traffic (T1573.002) - Most modern C2 frameworks use TLS encryption, making content inspection impossible without TLS interception. Defenders should consider deploying TLS inspection at the network perimeter for non-sensitive traffic while maintaining a clear policy about which traffic is and is not inspected. Even without inspecting content, metadata like certificate information, connection timing, and data volumes can reveal C2 activity.
  • Certificate analysis - Attackers often use self-signed certificates or certificates from free providers. Defenders should monitor for TLS connections using certificates with short validity periods, missing organizational information, recently issued dates, or certificate authorities not commonly used in the environment. JA3 and JA3S fingerprinting can identify specific C2 frameworks based on their unique TLS handshake characteristics.
  • Custom encryption layers - Some attackers add their own encryption on top of TLS, making even TLS-inspected traffic opaque. While this defeats content analysis, the mere presence of double encryption or unrecognizable data patterns within decrypted TLS streams is itself suspicious and worthy of investigation.
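An added example, not from the post: scoring leaf-certificate metadata from a TLS handshake against the indicators in the certificate-analysis bullet above. The certificate records are constructed dicts standing in for parsed X.509 fields; the baseline issuer list, the self-signed test (issuer name equal to subject name) and the thresholds (90 days validity, 7 days since issuance, three reasons for "high") are this example's assumptions.

```python
from datetime import datetime, timedelta, timezone

# Issuers routinely seen in the (assumed) environment baseline; constructed names.
BASELINE_ISSUER_CNS = {"Example Global CA G2", "Corp Internal Issuing CA"}


def score_certificate(cert: dict, observed_at: datetime,
                      short_validity: timedelta = timedelta(days=90),
                      recent: timedelta = timedelta(days=7)) -> dict:
    """Score one certificate: self-signed, short validity, missing organisation,
    very recently issued, issuer not in the environment baseline."""
    subject, issuer = cert["subject"], cert["issuer"]
    reasons = []
    if subject == issuer:  # name comparison only; a full check would also compare SKI/AKI
        reasons.append("self-signed: issuer equals subject")
    validity = cert["not_after"] - cert["not_before"]
    if validity < short_validity:
        reasons.append(f"short validity: {validity.days} days")
    if not subject.get("O"):
        reasons.append("no organisation (O) in subject")
    age = observed_at - cert["not_before"]
    if age < recent:
        reasons.append(f"issued only {age.days} day(s) before observation")
    if issuer.get("CN") not in BASELINE_ISSUER_CNS:
        reasons.append(f"issuer {issuer.get('CN')!r} not in environment baseline")
    verdict = "high" if len(reasons) >= 3 else "review" if reasons else "ok"
    return {"cn": subject.get("CN"), "verdict": verdict, "reasons": reasons}


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


OBSERVED_AT = datetime(2024, 11, 13, 9, 0, tzinfo=timezone.utc)

# Constructed certificate records (parsed-field stand-ins, not real certificates).
CORPORATE = {"subject": {"CN": "mail.example.com", "O": "Example Corp"},
             "issuer": {"CN": "Example Global CA G2", "O": "Example CA Ltd"},
             "not_before": utc(2024, 6, 1), "not_after": utc(2025, 6, 1)}
FREE_CA = {"subject": {"CN": "app.example.org"},
           "issuer": {"CN": "Free Public CA R1", "O": "Free Public CA"},
           "not_before": utc(2024, 9, 1), "not_after": utc(2024, 11, 30)}
SELF_SIGNED = {"subject": {"CN": "update.example-cdn.net"},
               "issuer": {"CN": "update.example-cdn.net"},
               "not_before": utc(2024, 11, 10), "not_after": utc(2024, 12, 10)}

if __name__ == "__main__":
    for cert in (CORPORATE, FREE_CA, SELF_SIGNED):
        print(score_certificate(cert, OBSERVED_AT))
```

The middle record is the important one for tuning: a 90-day certificate from a free CA with no organisation field lands on "review", not "high", because those properties are common on legitimate sites; only the combination with self-signing, a fresh issuance date and a short lifetime pushes the third record to "high".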

Detection and Defense Strategies

Effective network evasion detection requires combining multiple analysis methods. Here is the approach I recommend based on my testing experience across many organizations.

  • Volume and timing analysis - C2 communications often exhibit regular timing patterns that differ from human-generated traffic. Implement beacon detection algorithms that identify connections occurring at regular intervals, even with jitter. Analyze data transfer volumes to identify unusual upload patterns that may indicate data exfiltration.
  • JA3 and JA3S fingerprinting - These fingerprinting methods create hashes of TLS client and server hello parameters, allowing defenders to identify specific applications and frameworks regardless of the destination IP or domain. Maintain a baseline of expected JA3 fingerprints in your environment and alert on unknown or known-malicious fingerprints.
  • DNS analytics - Deploy specialized DNS monitoring that analyzes query patterns, domain age, registration information, and query volume. New domains, high-entropy domain names, and domains with unusually high query volumes are all indicators of potential DNS tunneling or C2 activity.
  • Network segmentation and monitoring - Limit which systems can communicate with the internet directly and force traffic through monitored chokepoints. Internal network monitoring can detect lateral movement and internal C2 relay communications that perimeter monitoring would miss.
  • NetFlow and connection metadata analysis - Even when traffic content is encrypted, connection metadata provides valuable intelligence. Analyze flow data for unusual connection durations, data ratios, and connection patterns that deviate from established baselines.
  • Deploy NDR solutions - Network Detection and Response platforms use machine learning to baseline normal traffic patterns and identify anomalies. These solutions complement signature-based IDS by detecting novel threats that do not match known patterns.
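An added example (not the author's code) for the beacon detection recommended in the volume-and-timing bullet above and described earlier in the HTTP/HTTPS C2 bullet: group connections by source and destination, compute inter-arrival times, and flag pairs whose coefficient of variation (standard deviation divided by mean) is low, which tolerates jitter. The connection records are constructed, and the thresholds (8 samples minimum, CV at most 0.3) are assumptions to tune against your own traffic.

```python
import statistics
from collections import defaultdict


def constructed_rows():
    """Constructed connection records (epoch seconds, src, dst) standing in for flow or proxy logs."""
    base = 1_731_484_800  # 2024-11-13T08:00:00Z
    rows = []
    # Host A: automated check-in nominally every 60 s; the offsets are a deterministic stand-in
    # for roughly +/-20 % jitter.
    t = base
    for jitter in (0, 7, -9, 4, -3, 11, -6, 2, -10, 8, 5, -4):
        t += 60 + jitter
        rows.append((t, "10.0.0.23", "203.0.113.10:443"))
    # Host B: a person browsing, bursts then long pauses.
    t = base
    for gap in (3, 45, 2, 600, 8, 1, 130, 22, 900, 4, 12):
        t += gap
        rows.append((t, "10.0.0.31", "198.51.100.7:443"))
    # Host C: perfectly regular, but only four connections: too little to judge.
    for i in range(4):
        rows.append((base + 300 * i, "10.0.0.40", "192.0.2.9:443"))
    return rows


def find_beacons(rows, min_samples: int = 8, max_cv: float = 0.3) -> dict:
    """Per (src, dst) pair: mean interval, coefficient of variation and a beacon flag.
    Uniform jitter of +/-p % around a fixed interval gives CV of about p / sqrt(3), so a
    max_cv of 0.3 still catches roughly 50 % jitter while human traffic scores far higher."""
    by_pair = defaultdict(list)
    for ts, src, dst in rows:
        by_pair[(src, dst)].append(ts)
    results = {}
    for pair, times in by_pair.items():
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]
        if len(deltas) < min_samples:
            continue  # not enough evidence either way; leave the pair unscored
        mean = statistics.fmean(deltas)
        cv = statistics.pstdev(deltas) / mean if mean > 0 else float("inf")
        results[pair] = {
            "connections": len(times),
            "mean_interval_s": round(mean, 1),
            "cv": round(cv, 3),
            "beacon": cv <= max_cv,
        }
    return results


if __name__ == "__main__":
    for pair, stats in find_beacons(constructed_rows()).items():
        print(pair, stats)
```

In production the grouping key usually also includes the destination port and the observation window is sliding (for example the last 24 hours), and pairs with too few connections are re-evaluated later rather than discarded.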

Building a Comprehensive Network Monitoring Program

The most effective network defense combines multiple detection methods into a layered monitoring architecture. During penetration tests, I evaluate each layer independently and together, identifying both individual detection gaps and systemic blind spots. Organizations that implement comprehensive DNS analytics, TLS metadata analysis, behavioral traffic modeling, and proper network segmentation consistently demonstrate the strongest resistance to network evasion techniques. Regular testing of these capabilities through purple team exercises ensures that detection remains effective as both the threat landscape and the network environment evolve over time.

Vid Grosek

Ethical Hacker & Penetration Tester

I help Slovenian companies discover security vulnerabilities before attackers do. Over 5 years of penetration testing experience.
