
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c)

The full packet capture (PCAP) or session data that logs both protocol headers and payload content. This allows analysts to inspect command and control (C2) traffic, exfiltration, and other suspicious activity within network communications. Unlike metadata-based logs, full content analysis enables deeper protocol inspection, payload decoding, and forensic investigations.

Data Collection Measures:

  • Network Packet Capture (Full Content Logging)
    • Wireshark / tcpdump / tshark
      • Full packet captures (PCAP files) for manual analysis or IDS correlation.
        tcpdump -i eth0 -w capture.pcap
    • Zeek (formerly Bro)
      • Extracts protocol headers and payload details into structured logs. The original command piped a shell redirection into zeek and redefined a non-existent option; the chained form below writes the local script first, then reads the capture (-r) with checksum validation disabled (-C):
        echo "redef Log::default_writer = Log::WRITER_ASCII;" > local.zeek && zeek -Cr capture.pcap local.zeek
    • Suricata / Snort (IDS/IPS with PCAP Logging)
      • Deep packet inspection (DPI) with signature-based and behavioral analysis.
        suricata -c /etc/suricata/suricata.yaml -i eth0 -l /var/log/suricata
  • Host-Based Collection
    • Sysmon Event ID 22 – DNS Query Logging: captures DNS requests made by processes, useful for detecting C2 domains.
    • Sysmon Event ID 3 – Network Connection Initiated: logs process-to-network connection relationships.
    • AuditD (Linux) – syscall=connect: monitors outbound network requests from processes.
      auditctl -a always,exit -F arch=b64 -S connect -k network_activity
  • Cloud & SaaS Traffic Collection
    • AWS VPC Flow Logs / Azure NSG Flow Logs / Google VPC Flow Logs: capture metadata about inbound/outbound network traffic.
    • Cloud IDS (AWS GuardDuty, Azure Sentinel, Google Chronicle): detect malicious activity in cloud environments by analyzing network traffic patterns.
Cluster A Galaxy A Cluster B Galaxy B Level
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Group Policy Discovery - T1615 (1b20efbf-8063-4fc3-a07d-b575318a301b) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 1
LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Build Image on Host - T1612 (800f9819-7007-4540-a520-40e655876800) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component OS Exhaustion Flood - T1499.001 (0df05477-c572-4ed6-88a9-47c581f548f7) Attack Pattern 1
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Exfiltration to Text Storage Sites - T1567.003 (ba04e672-da86-4e69-aa15-0eca5db25f43) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Scanning IP Blocks - T1595.001 (db8f5003-3b20-48f0-9b76-123e44208120) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Social Media Accounts - T1586.001 (274770e0-2612-4ccf-a678-ef8e7bad365d) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern 1
Service Exhaustion Flood - T1499.002 (38eb0c22-6caf-46ce-8869-5964bd735858) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Transmitted Data Manipulation - T1565.002 (d0613359-5781-4fd2-b5be-c269270be1f6) Attack Pattern 1
Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
ARP Cache Poisoning - T1557.002 (cabe189c-a0e3-4965-a473-dcff00f17213) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
External Defacement - T1491.002 (0cfe31a7-81fc-472c-bc45-e2808d1066a3) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Data from Network Shared Drive - T1039 (ae676644-d2d2-41b7-af7e-9bed1b55898c) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Download New Code at Runtime - T1407 (6c49d50f-494d-4150-b774-a655022d20a6) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Exploitation of Remote Services - T1428 (22379609-a99f-4a01-bd7e-70f3e105859d) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Application Exhaustion Flood - T1499.003 (18cffc21-3260-437e-80e4-4ab8bf2ba5e9) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317) Attack Pattern 1
SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Exfiltration Over Webhook - T1567.004 (43f2776f-b4bd-4118-94b8-fee47e69676d) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534) Attack Pattern 1
Spearphishing Service - T1598.001 (f870408c-b1cd-49c7-a5c7-0ef0fc496cc6) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Transfer Data to Cloud Account - T1537 (d4bdbdea-eaec-4071-b4f9-5105e12ea4b6) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern 1
Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 1
Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df) Attack Pattern 1
SNMP (MIB Dump) - T1602.001 (ee7ff928-801c-4f34-8a99-3df965e581a5) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Bandwidth Hijacking - T1496.002 (718cb208-6446-4572-a2f0-9c799c60091e) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Boundary Bridging - T1599 (b8017880-4b1e-42de-ad10-ae7ac6705166) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 1
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Vulnerability Scanning - T1595.002 (5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Network Device Configuration Dump - T1602.002 (52759bf1-fe12-4052-ace6-c5b0cf7dd7fd) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf) Attack Pattern 1
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Spearphishing Attachment - T1598.002 (8982a661-d84c-48c0-b4ec-1db29c6cf3bc) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
DHCP Spoofing - T1557.003 (59ff91cd-1430-4075-8563-e6f15f4f9ff5) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Wordlist Scanning - T1595.003 (bed04f7d-e48a-4e76-bd0f-4c57fe31fc46) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Forced Authentication - T1187 (b77cf5f3-6060-475d-bd60-40ccbf28fdc2) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component DNS Calculation - T1568.003 (83a766f8-1501-4b3a-a2de-2e2849e8dfc1) Attack Pattern 1
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Trusted Relationship - T1199 (9fa07bef-9c81-421e-a8e5-ad4366c5a925) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Exfiltration to Code Repository - T1567.001 (86a96bf6-cf8b-411c-aaeb-8959944d64f7) Attack Pattern 1
Network Address Translation Traversal - T1599.001 (4ffc1794-ec3b-45be-9e52-42dbcb2af2de) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Publish/Subscribe Protocols - T1071.005 (241f9ea8-f6ae-4f38-92f5-cef5b7e539dd) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern 1
Evil Twin - T1557.004 (48b836c6-e4ca-435a-82a3-29c03e5b492e) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 1
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Domain Fronting - T1090.004 (ca9d3402-ada3-484d-876a-d717bd6e05f2) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Application or System Exploitation - T1499.004 (2bee5ffb-7a7a-4119-b1f2-158151b19ac0) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Internal Spearphishing - T1534 (9e7452df-5144-4b6e-b04a-b66dd4016747) Attack Pattern 1
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001 (79a4052e-1a89-4b09-aea6-51f1d11fe19c) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Exploitation of Remote Services - T1210 (9db0cf3a-a3c9-4012-8268-123b9db6fd82) Attack Pattern 1
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Data Manipulation - T1565 (ac9e6b22-11bf-45d7-9181-c1cb08360931) Attack Pattern 1
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern 1
Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Hide Infrastructure - T1665 (eb897572-8979-4242-a089-56f294f4c91d) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Data from Configuration Repository - T1602 (0ad7bc5c-235a-4048-944b-3b286676cb74) Attack Pattern 1
Compromise Accounts - T1586 (81033c3b-16a4-46e4-8fed-9b030dd03c4a) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Content Injection - T1659 (43c9bc06-715b-42db-972f-52d25c09a20c) Attack Pattern 1
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 2
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235) Attack Pattern 2
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern 2
Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern 2
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern 2
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern 2
Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) Attack Pattern OS Exhaustion Flood - T1499.001 (0df05477-c572-4ed6-88a9-47c581f548f7) Attack Pattern 2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 2
Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern 2
Exfiltration to Text Storage Sites - T1567.003 (ba04e672-da86-4e69-aa15-0eca5db25f43) Attack Pattern Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 2
Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b) Attack Pattern Scanning IP Blocks - T1595.001 (db8f5003-3b20-48f0-9b76-123e44208120) Attack Pattern 2
Social Media Accounts - T1586.001 (274770e0-2612-4ccf-a678-ef8e7bad365d) Attack Pattern Compromise Accounts - T1586 (81033c3b-16a4-46e4-8fed-9b030dd03c4a) Attack Pattern 2
Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b) Attack Pattern 2
Service Exhaustion Flood - T1499.002 (38eb0c22-6caf-46ce-8869-5964bd735858) Attack Pattern Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) Attack Pattern 2
Transmitted Data Manipulation - T1565.002 (d0613359-5781-4fd2-b5be-c269270be1f6) Attack Pattern Data Manipulation - T1565 (ac9e6b22-11bf-45d7-9181-c1cb08360931) Attack Pattern 2
ARP Cache Poisoning - T1557.002 (cabe189c-a0e3-4965-a473-dcff00f17213) Attack Pattern Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern 2
Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b) Attack Pattern External Defacement - T1491.002 (0cfe31a7-81fc-472c-bc45-e2808d1066a3) Attack Pattern 2
Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) Attack Pattern Application Exhaustion Flood - T1499.003 (18cffc21-3260-437e-80e4-4ab8bf2ba5e9) Attack Pattern 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317) Attack Pattern 2
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern 2
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Exfiltration Over Webhook - T1567.004 (43f2776f-b4bd-4118-94b8-fee47e69676d) Attack Pattern Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 2
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783) Attack Pattern Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99) Attack Pattern 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 2
Spearphishing Service - T1598.001 (f870408c-b1cd-49c7-a5c7-0ef0fc496cc6) Attack Pattern Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 2
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern 2
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 2
SNMP (MIB Dump) - T1602.001 (ee7ff928-801c-4f34-8a99-3df965e581a5) Attack Pattern Data from Configuration Repository - T1602 (0ad7bc5c-235a-4048-944b-3b286676cb74) Attack Pattern 2
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783) Attack Pattern Bandwidth Hijacking - T1496.002 (718cb208-6446-4572-a2f0-9c799c60091e) Attack Pattern 2
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 2
Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc) Attack Pattern Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern 2
One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8) Attack Pattern Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 2
Vulnerability Scanning - T1595.002 (5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4) Attack Pattern Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b) Attack Pattern 2
Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc) Attack Pattern 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern 2
Network Device Configuration Dump - T1602.002 (52759bf1-fe12-4052-ace6-c5b0cf7dd7fd) Attack Pattern Data from Configuration Repository - T1602 (0ad7bc5c-235a-4048-944b-3b286676cb74) Attack Pattern 2
Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf) Attack Pattern 2
Spearphishing Attachment - T1598.002 (8982a661-d84c-48c0-b4ec-1db29c6cf3bc) Attack Pattern Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 2
Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) Attack Pattern Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) Attack Pattern 2
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 2
DHCP Spoofing - T1557.003 (59ff91cd-1430-4075-8563-e6f15f4f9ff5) Attack Pattern Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern 2
Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b) Attack Pattern Wordlist Scanning - T1595.003 (bed04f7d-e48a-4e76-bd0f-4c57fe31fc46) Attack Pattern 2
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern DNS Calculation - T1568.003 (83a766f8-1501-4b3a-a2de-2e2849e8dfc1) Attack Pattern 2
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Exfiltration to Code Repository - T1567.001 (86a96bf6-cf8b-411c-aaeb-8959944d64f7) Attack Pattern Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 2
Network Address Translation Traversal - T1599.001 (4ffc1794-ec3b-45be-9e52-42dbcb2af2de) Attack Pattern Network Boundary Bridging - T1599 (b8017880-4b1e-42de-ad10-ae7ac6705166) Attack Pattern 2
Publish/Subscribe Protocols - T1071.005 (241f9ea8-f6ae-4f38-92f5-cef5b7e539dd) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern 2
Evil Twin - T1557.004 (48b836c6-e4ca-435a-82a3-29c03e5b492e) Attack Pattern Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern 2
Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade) Attack Pattern Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern 2
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 2
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 2
Domain Fronting - T1090.004 (ca9d3402-ada3-484d-876a-d717bd6e05f2) Attack Pattern Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 2
Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) Attack Pattern Application or System Exploitation - T1499.004 (2bee5ffb-7a7a-4119-b1f2-158151b19ac0) Attack Pattern 2
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001 (79a4052e-1a89-4b09-aea6-51f1d11fe19c) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) Attack Pattern 2
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 2