AN1228: Analytic 1228
Detects application-layer tunneling or unauthorized app protocols like DNS-over-HTTPS, embedded C2 in TLS/HTTP headers, or misused SMB traffic crossing VLANs.
Analyst context for executives and security teams
AN1228 is a detection analytic for spotting unauthorized application-layer tunneling and protocol misuse on network devices, such as DNS-over-HTTPS, command-and-control-like content embedded in TLS/HTTP headers, or SMB traffic crossing VLAN boundaries. For leaders, the value is not that one signature exists, but that these behaviors can undermine network segmentation, egress control, and SOC visibility if encrypted or unexpected protocols are allowed without validation.
Executive priority
Prioritize this as a network visibility and control-assurance issue. Security leaders should ask whether the organization can prove which application protocols are allowed across VLANs and outbound paths, whether encrypted traffic patterns are monitored sufficiently for policy violations, and whether SOC teams have evidence to investigate tunneling without relying on payload inspection alone. This supports operational resilience, compliance evidence for segmentation and monitoring controls, and incident response readiness when suspicious traffic crosses trust boundaries.
Technical view
For SOC and detection teams, validate coverage on Network Devices for application-layer tunneling and unauthorized protocol use. Focus on whether network telemetry can identify DNS-over-HTTPS usage, unusual TLS or HTTP header patterns, and SMB crossing VLANs where it should not. Because ATT&CK provides no official detection logic, teams should treat AN1228 as a detection objective rather than a ready rule: define local allowlists, expected inter-VLAN flows, approved DoH resolvers if any, and normal SMB paths before alerting broadly.
Likely telemetry
- Network device logs and flow records
- Firewall and segmentation policy logs
- Proxy or secure web gateway logs where available
- DNS and DNS-over-HTTPS visibility indicators
- TLS metadata such as SNI, certificate, JA3/JA4-like fingerprints if collected
Detection direction
- Confirm which network devices actually collect application/protocol metadata versus only IP, port, and byte counts.
- Baseline approved SMB traffic between VLANs and alert on policy violations or unusual lateral paths.
- Identify sanctioned versus unsanctioned DNS-over-HTTPS destinations to reduce false positives from browsers, operating systems, or approved privacy tools.
- Look for mismatches between expected port/protocol use and observed application behavior, especially encrypted web traffic carrying unusual metadata.
- Tune detections around business-approved services, network zones, and segmentation rules; without that tuning this analytic will generate a high volume of noise.
Mitigation priorities
- Define and document allowed application protocols by network zone and VLAN.
- Enforce segmentation and egress policies so SMB and other sensitive protocols do not cross trust boundaries without business justification.
- Standardize approved DNS and DNS-over-HTTPS handling, including whether DoH is blocked, brokered, or limited to approved resolvers.
- Ensure network devices and monitoring tools retain enough metadata to support investigations of encrypted or tunneled traffic.
- Create SOC runbooks for unauthorized protocol findings, including owner validation, exception handling, and escalation to incident response when unexplained.
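The detection direction and mitigation priorities above both come down to the same thing: a written policy (approved inter-VLAN SMB paths, sanctioned DoH resolvers, the application each well-known port is expected to carry) and a check that compares application-aware flow records against it. The following is an added example of that pattern, not code from ATT&CK or from Glexia. The Flow and Policy schema, the field names (in particular the `app` label assumed to come from the network device's protocol metadata), the VLAN numbers, the IP addresses and the resolver hostnames are constructed assumptions for illustration, not any vendor's export format.

```python
"""Policy-driven checks for AN1228-style findings over application-aware flow records.

Added example: the Flow/Policy schema, the field names, the VLAN numbers and the
resolver hostnames are constructed assumptions for illustration, not a vendor
export format and not ATT&CK-provided detection logic.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_vlan: int
    dst_vlan: Optional[int]  # None = destination outside the internal VLANs (egress)
    dst_ip: str
    dst_port: int
    app: str                 # application label from device protocol metadata (assumed field)
    sni: str = ""            # TLS SNI when the device records it


@dataclass
class Policy:
    # (src_vlan, dst_vlan) pairs where SMB is business-approved to cross a VLAN boundary
    smb_inter_vlan_allowed: FrozenSet[Tuple[int, int]]
    # DoH resolver hostnames the organization brokers or sanctions; empty = DoH not allowed
    approved_doh_sni: FrozenSet[str]
    # application labels expected on each well-known port; anything else is a mismatch
    expected_apps_by_port: Dict[int, FrozenSet[str]]


@dataclass(frozen=True)
class Finding:
    rule: str
    flow: Flow
    reason: str


def check_smb(flow: Flow, policy: Policy) -> Optional[Finding]:
    """SMB must stay inside a VLAN or follow an approved inter-VLAN path; egress SMB is a finding."""
    if flow.app != "smb":
        return None
    if flow.dst_vlan is None:
        return Finding("smb_egress", flow, f"SMB leaving the internal VLANs toward {flow.dst_ip}")
    if flow.src_vlan == flow.dst_vlan:
        return None
    if (flow.src_vlan, flow.dst_vlan) in policy.smb_inter_vlan_allowed:
        return None
    return Finding("smb_cross_vlan", flow,
                   f"SMB from VLAN {flow.src_vlan} to VLAN {flow.dst_vlan} is not an approved path")


def check_doh(flow: Flow, policy: Policy) -> Optional[Finding]:
    """DNS-over-HTTPS is acceptable only toward a sanctioned resolver identified by SNI."""
    if flow.app != "doh":
        return None
    if flow.sni and flow.sni in policy.approved_doh_sni:
        return None
    return Finding("unsanctioned_doh", flow,
                   f"DoH to {flow.sni or flow.dst_ip} is not an approved resolver")


def check_port_app_mismatch(flow: Flow, policy: Policy) -> Optional[Finding]:
    """The application observed on a well-known port must be one that port is expected to carry."""
    expected = policy.expected_apps_by_port.get(flow.dst_port)
    if expected is None or flow.app in expected:
        return None
    return Finding("port_app_mismatch", flow,
                   f"port {flow.dst_port} expected {sorted(expected)} but observed '{flow.app}'")


CHECKS = (check_smb, check_doh, check_port_app_mismatch)


def evaluate(flows: List[Flow], policy: Policy) -> List[Finding]:
    """Run every check over every flow; one flow may yield several findings."""
    findings: List[Finding] = []
    for flow in flows:
        for check in CHECKS:
            finding = check(flow, policy)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed policy: VLAN 10 = workstations, 20 = file servers, 30 = guest.
POLICY = Policy(
    smb_inter_vlan_allowed=frozenset({(10, 20)}),
    approved_doh_sni=frozenset({"doh.resolver.example"}),  # placeholder hostname
    expected_apps_by_port={
        443: frozenset({"tls", "http", "doh"}),
        445: frozenset({"smb"}),
        53: frozenset({"dns"}),
    },
)

# Constructed flow records, not captured traffic.
SAMPLE_FLOWS = [
    Flow(10, 10, "10.0.10.25", 445, "smb"),                                      # same VLAN: fine
    Flow(10, 20, "10.0.20.5", 445, "smb"),                                       # approved path: fine
    Flow(30, 20, "10.0.20.5", 445, "smb"),                                       # guest -> file servers: finding
    Flow(10, None, "203.0.113.10", 443, "doh", sni="doh.resolver.example"),      # sanctioned DoH: fine
    Flow(10, None, "203.0.113.11", 443, "doh", sni="doh.unsanctioned.example"),  # finding
    Flow(10, None, "198.51.100.7", 443, "ssh"),                                  # SSH on 443: finding
    Flow(10, None, "198.51.100.8", 445, "smb"),                                  # SMB egress: finding
    Flow(10, None, "198.51.100.9", 443, "tls", sni="www.example.com"),           # ordinary TLS: fine
]


def sample_findings() -> List[Finding]:
    return evaluate(SAMPLE_FLOWS, POLICY)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.rule:18} {f.reason}")
```

The policy object is the tuning knob the list above describes: every approved SMB path, sanctioned resolver, or port-to-application expectation you add removes a class of alerts, and an empty policy turns the same checks into a noisy inventory of everything crossing a boundary. Keeping the policy as data rather than hard-coding it in the rules also gives the SOC runbook something concrete to validate with the owning team when a finding turns out to be a legitimate but undocumented flow.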
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique, and no tactics or relationships were provided. Its practical value is in validating whether network monitoring can detect protocol misuse and application-layer tunneling across network devices, especially where encryption or segmentation boundaries complicate visibility.
Official detection logic is not provided, and there are no relationship mappings to specific techniques, software, groups, mitigations, or data components in the supplied content. Local network architecture, approved protocol policy, VLAN design, and telemetry retention are required to turn this into actionable detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0f700dac96df… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1228 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.