badprotocol

Explanation

The badprotocol event is triggered when the Netography Fusion Portal identifies an invalid IP protocol being used on the network. IP packets encapsulate higher-level protocols such as TCP and UDP, and each packet identifies the protocol it carries by number. There are 256 possible protocol numbers, but some values are reserved or unexpected, and those will trigger this event.

What to Look For

This event is most likely triggered by the use of an uncommon networking technology within your environment. Unexpected or unauthorized use of invalid IP protocols might indicate an attempt by an attacker to hide command-and-control traffic within a network.
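
One way to triage flows for this kind of event, as an added example that is not Netography's own detection logic: it separates reserved protocol numbers from ones that are merely unexpected at a given site. The page does not list which values trigger badprotocol, so the `EXPECTED` set, the `src,dst,proto,bytes` record layout and the sample flows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Assumption: protocols this example site expects to see (IANA numbers).
EXPECTED = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 58: "IPv6-ICMP"}
# IANA marks 253-254 as experimentation/testing (RFC 3692) and 255 as Reserved.
RESERVED = {253, 254, 255}

# Constructed sample flow records: src,dst,proto,bytes (documentation addresses).
SAMPLE_FLOWS = """\
192.0.2.10,198.51.100.5,6,48211
192.0.2.10,198.51.100.5,17,912
192.0.2.44,203.0.113.9,255,1500
192.0.2.44,203.0.113.9,255,3000
192.0.2.77,203.0.113.20,253,640
192.0.2.12,198.51.100.8,132,2048
192.0.2.12,198.51.100.8,300,10
"""

def classify(proto):
    """Return a label for an IP protocol number."""
    if not 0 <= proto <= 255:
        return "malformed"      # cannot occur in an 8-bit field: bad record
    if proto in RESERVED:
        return "reserved"
    if proto in EXPECTED:
        return "expected"
    return "unexpected"         # assigned or not, this site does not use it

def find_bad_protocols(flow_csv):
    """Aggregate non-expected flows per (src, dst, proto), largest first."""
    totals = defaultdict(lambda: [0, 0])   # key -> [flow count, byte count]
    for src, dst, proto, nbytes in csv.reader(io.StringIO(flow_csv)):
        label = classify(int(proto))
        if label != "expected":
            entry = totals[(src, dst, int(proto), label)]
            entry[0] += 1
            entry[1] += int(nbytes)
    return sorted(
        ((*key, flows, total) for key, (flows, total) in totals.items()),
        key=lambda row: row[-1],
        reverse=True,
    )

if __name__ == "__main__":
    for row in find_bad_protocols(SAMPLE_FLOWS):
        print(row)
```

Grouping by source, destination and protocol shows whether an odd protocol number is a one-off or a sustained conversation between the same two hosts, which is the pattern worth checking against the tunneling concern above.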

Related MITRE ATT&CK Categories

Protocol Tunneling, Technique T1572 - Enterprise