
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c)

Full packet capture (PCAP) or session data that records both protocol headers and payload content. It lets analysts inspect command and control (C2) traffic, exfiltration, and other suspicious activity inside network communications. Unlike metadata-only logs (flow records), full content enables deeper protocol inspection, payload decoding, and forensic reconstruction of sessions.

Data Collection Measures:

  • Network Packet Capture (Full Content Logging)
    • Wireshark / tcpdump / tshark
      • Full packet captures (PCAP files) for manual analysis or IDS correlation. Example: tcpdump -i eth0 -w capture.pcap
    • Zeek (formerly Bro)
      • Extracts protocol headers and payload details into structured logs. Example: echo "redef Log::default_store = Log::ASCII;" > local.zeek && zeek -Cr capture.pcap local.zeek
    • Suricata / Snort (IDS/IPS with PCAP Logging)
      • Deep packet inspection (DPI) with signature-based and behavioral analysis. Example: suricata -c /etc/suricata/suricata.yaml -i eth0 -l /var/log/suricata
  • Host-Based Collection
    • Sysmon Event ID 22 – DNS Query Logging: captures DNS requests made by processes, useful for detecting C2 domains.
    • Sysmon Event ID 3 – Network Connection Initiated: logs process-to-network connection relationships.
    • AuditD (Linux) – syscall=connect: monitors outbound network requests from processes. Example: auditctl -a always,exit -F arch=b64 -S connect -k network_activity
  • Cloud & SaaS Traffic Collection
    • AWS VPC Flow Logs / Azure NSG Flow Logs / Google VPC Flow Logs: capture flow metadata about inbound/outbound network traffic, not payload content.
    • Cloud IDS (AWS GuardDuty, Azure Sentinel, Google Chronicle): detects malicious activity in cloud environments by analyzing network traffic patterns.
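As an added example that is not part of this galaxy page or of ATT&CK, the script below reads a classic libpcap file with only the Python standard library and lists DNS query names with their source and destination addresses, the network-content counterpart of Sysmon Event ID 22. The pcap bytes, addresses and query name are constructed inside the script; the packet-builder helpers exist only to make the demo self-contained.

```python
"""Extract DNS query names from a classic libpcap file (standard library only)."""
import socket
import struct
from typing import Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """DNS header plus one question (type A, class IN) in RFC 1035 wire format."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return hdr + labels + b"\x00" + struct.pack("!HH", 1, 1)


def build_frame(src: str, dst: str, proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet II + IPv4 + UDP (proto 17) or TCP (proto 6); checksums are left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 0xFFFF, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4


def build_pcap(frames) -> bytes:
    """Little-endian pcap global header followed by one record per frame."""
    gh = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return gh + recs


def iter_packets(pcap: bytes) -> Iterator[bytes]:
    """Yield each captured frame; handles both byte orders of the classic format."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(end + "I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_qname(msg: bytes, off: int) -> str:
    """Decode a label sequence; compression pointers never occur in a question name."""
    parts = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(parts)
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        off += 1
        parts.append(msg[off:off + n].decode("ascii", "replace"))
        off += n


def dns_queries(pcap: bytes) -> List[Tuple[str, str, str]]:
    """Return (src_ip, dst_ip, qname) for every IPv4/UDP DNS query in the capture."""
    out = []
    for frame in iter_packets(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 17:
            continue                      # not UDP
        udp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", udp, 0)
        if 53 not in (sport, dport):
            continue
        dns = udp[8:]
        if len(dns) < 12:
            continue
        flags, qdcount = struct.unpack_from("!HH", dns, 2)
        if flags & 0x8000 or qdcount == 0:
            continue                      # response or empty question section
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        out.append((src, dst, parse_qname(dns, 12)))
    return out


# Constructed sample: one DNS query and one TCP packet that must be ignored.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "10.0.0.53", 17, 51000, 53, build_dns_query("updates.example.test")),
    build_frame("10.0.0.5", "203.0.113.10", 6, 51001, 443, b""),
])

if __name__ == "__main__":
    for src, dst, name in dns_queries(SAMPLE_PCAP):
        print(f"{src} -> {dst} query {name}")
```

Pointing `dns_queries` at the bytes of a real `tcpdump -w` file yields the same tuples for IPv4 DNS over UDP; VLAN-tagged frames, IPv6 and DNS over TCP are outside what this parser handles.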
Relationships (columns: Cluster A, Galaxy A, Cluster B, Galaxy B, Level)
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Compromise Accounts - T1586 (81033c3b-16a4-46e4-8fed-9b030dd03c4a) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Data from Configuration Repository - T1602 (0ad7bc5c-235a-4048-944b-3b286676cb74) Attack Pattern 1
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Content Injection - T1659 (43c9bc06-715b-42db-972f-52d25c09a20c) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern 1
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Group Policy Discovery - T1615 (1b20efbf-8063-4fc3-a07d-b575318a301b) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 1
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern 1
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Build Image on Host - T1612 (800f9819-7007-4540-a520-40e655876800) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component OS Exhaustion Flood - T1499.001 (0df05477-c572-4ed6-88a9-47c581f548f7) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Exfiltration to Text Storage Sites - T1567.003 (ba04e672-da86-4e69-aa15-0eca5db25f43) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Scanning IP Blocks - T1595.001 (db8f5003-3b20-48f0-9b76-123e44208120) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Social Media Accounts - T1586.001 (274770e0-2612-4ccf-a678-ef8e7bad365d) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Service Exhaustion Flood - T1499.002 (38eb0c22-6caf-46ce-8869-5964bd735858) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Transmitted Data Manipulation - T1565.002 (d0613359-5781-4fd2-b5be-c269270be1f6) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern 1
ARP Cache Poisoning - T1557.002 (cabe189c-a0e3-4965-a473-dcff00f17213) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component External Defacement - T1491.002 (0cfe31a7-81fc-472c-bc45-e2808d1066a3) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Data from Network Shared Drive - T1039 (ae676644-d2d2-41b7-af7e-9bed1b55898c) Attack Pattern 1
Download New Code at Runtime - T1407 (6c49d50f-494d-4150-b774-a655022d20a6) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Exploitation of Remote Services - T1428 (22379609-a99f-4a01-bd7e-70f3e105859d) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Application Exhaustion Flood - T1499.003 (18cffc21-3260-437e-80e4-4ab8bf2ba5e9) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Exfiltration Over Webhook - T1567.004 (43f2776f-b4bd-4118-94b8-fee47e69676d) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99) Attack Pattern 1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Spearphishing Service - T1598.001 (f870408c-b1cd-49c7-a5c7-0ef0fc496cc6) Attack Pattern 1
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Transfer Data to Cloud Account - T1537 (d4bdbdea-eaec-4071-b4f9-5105e12ea4b6) Attack Pattern 1
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern 1
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df) Attack Pattern 1
SNMP (MIB Dump) - T1602.001 (ee7ff928-801c-4f34-8a99-3df965e581a5) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Bandwidth Hijacking - T1496.002 (718cb208-6446-4572-a2f0-9c799c60091e) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Network Boundary Bridging - T1599 (b8017880-4b1e-42de-ad10-ae7ac6705166) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc) Attack Pattern 1
One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Vulnerability Scanning - T1595.002 (5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b) Attack Pattern 1
Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Network Device Configuration Dump - T1602.002 (52759bf1-fe12-4052-ace6-c5b0cf7dd7fd) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Spearphishing Attachment - T1598.002 (8982a661-d84c-48c0-b4ec-1db29c6cf3bc) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) Attack Pattern 1
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component DHCP Spoofing - T1557.003 (59ff91cd-1430-4075-8563-e6f15f4f9ff5) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Wordlist Scanning - T1595.003 (bed04f7d-e48a-4e76-bd0f-4c57fe31fc46) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Forced Authentication - T1187 (b77cf5f3-6060-475d-bd60-40ccbf28fdc2) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component DNS Calculation - T1568.003 (83a766f8-1501-4b3a-a2de-2e2849e8dfc1) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Trusted Relationship - T1199 (9fa07bef-9c81-421e-a8e5-ad4366c5a925) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Exfiltration to Code Repository - T1567.001 (86a96bf6-cf8b-411c-aaeb-8959944d64f7) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Network Address Translation Traversal - T1599.001 (4ffc1794-ec3b-45be-9e52-42dbcb2af2de) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Publish/Subscribe Protocols - T1071.005 (241f9ea8-f6ae-4f38-92f5-cef5b7e539dd) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern 1
Evil Twin - T1557.004 (48b836c6-e4ca-435a-82a3-29c03e5b492e) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 1
Domain Fronting - T1090.004 (ca9d3402-ada3-484d-876a-d717bd6e05f2) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Application or System Exploitation - T1499.004 (2bee5ffb-7a7a-4119-b1f2-158151b19ac0) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Internal Spearphishing - T1534 (9e7452df-5144-4b6e-b04a-b66dd4016747) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001 (79a4052e-1a89-4b09-aea6-51f1d11fe19c) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 1
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Exploitation of Remote Services - T1210 (9db0cf3a-a3c9-4012-8268-123b9db6fd82) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Data Manipulation - T1565 (ac9e6b22-11bf-45d7-9181-c1cb08360931) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern 1
Network Traffic Content (3772e279-27d6-477a-9fe3-c6beb363594c) mitre-data-component Hide Infrastructure - T1665 (eb897572-8979-4242-a089-56f294f4c91d) Attack Pattern 1
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 2
Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235) Attack Pattern Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 2
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 2
Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 2
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern 2
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 2
OS Exhaustion Flood - T1499.001 (0df05477-c572-4ed6-88a9-47c581f548f7) Attack Pattern Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) Attack Pattern 2
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 2
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern 2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern Exfiltration to Text Storage Sites - T1567.003 (ba04e672-da86-4e69-aa15-0eca5db25f43) Attack Pattern 2
Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b) Attack Pattern Scanning IP Blocks - T1595.001 (db8f5003-3b20-48f0-9b76-123e44208120) Attack Pattern 2
Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b) Attack Pattern 2
Compromise Accounts - T1586 (81033c3b-16a4-46e4-8fed-9b030dd03c4a) Attack Pattern Social Media Accounts - T1586.001 (274770e0-2612-4ccf-a678-ef8e7bad365d) Attack Pattern 2
Service Exhaustion Flood - T1499.002 (38eb0c22-6caf-46ce-8869-5964bd735858) Attack Pattern Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) Attack Pattern 2
Transmitted Data Manipulation - T1565.002 (d0613359-5781-4fd2-b5be-c269270be1f6) Attack Pattern Data Manipulation - T1565 (ac9e6b22-11bf-45d7-9181-c1cb08360931) Attack Pattern 2
ARP Cache Poisoning - T1557.002 (cabe189c-a0e3-4965-a473-dcff00f17213) Attack Pattern Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern 2
Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b) Attack Pattern External Defacement - T1491.002 (0cfe31a7-81fc-472c-bc45-e2808d1066a3) Attack Pattern 2
Application Exhaustion Flood - T1499.003 (18cffc21-3260-437e-80e4-4ab8bf2ba5e9) Attack Pattern Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) Attack Pattern 2
Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 2
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Exfiltration Over Webhook - T1567.004 (43f2776f-b4bd-4118-94b8-fee47e69676d) Attack Pattern Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 2
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783) Attack Pattern Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99) Attack Pattern 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern Spearphishing Service - T1598.001 (f870408c-b1cd-49c7-a5c7-0ef0fc496cc6) Attack Pattern 2
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 2
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 2
SNMP (MIB Dump) - T1602.001 (ee7ff928-801c-4f34-8a99-3df965e581a5) Attack Pattern Data from Configuration Repository - T1602 (0ad7bc5c-235a-4048-944b-3b286676cb74) Attack Pattern 2
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783) Attack Pattern Bandwidth Hijacking - T1496.002 (718cb208-6446-4572-a2f0-9c799c60091e) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 2
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc) Attack Pattern 2
One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8) Attack Pattern Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 2
Vulnerability Scanning - T1595.002 (5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4) Attack Pattern Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c) Attack Pattern 2
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc) Attack Pattern 2
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
Network Device Configuration Dump - T1602.002 (52759bf1-fe12-4052-ace6-c5b0cf7dd7fd) Attack Pattern Data from Configuration Repository - T1602 (0ad7bc5c-235a-4048-944b-3b286676cb74) Attack Pattern 2
Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern 2
Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern Spearphishing Attachment - T1598.002 (8982a661-d84c-48c0-b4ec-1db29c6cf3bc) Attack Pattern 2
Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) Attack Pattern Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) Attack Pattern 2
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 2
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern DHCP Spoofing - T1557.003 (59ff91cd-1430-4075-8563-e6f15f4f9ff5) Attack Pattern 2
Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b) Attack Pattern Wordlist Scanning - T1595.003 (bed04f7d-e48a-4e76-bd0f-4c57fe31fc46) Attack Pattern 2
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern DNS Calculation - T1568.003 (83a766f8-1501-4b3a-a2de-2e2849e8dfc1) Attack Pattern 2
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Exfiltration to Code Repository - T1567.001 (86a96bf6-cf8b-411c-aaeb-8959944d64f7) Attack Pattern Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 2
Network Boundary Bridging - T1599 (b8017880-4b1e-42de-ad10-ae7ac6705166) Attack Pattern Network Address Translation Traversal - T1599.001 (4ffc1794-ec3b-45be-9e52-42dbcb2af2de) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Publish/Subscribe Protocols - T1071.005 (241f9ea8-f6ae-4f38-92f5-cef5b7e539dd) Attack Pattern 2
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 2
Evil Twin - T1557.004 (48b836c6-e4ca-435a-82a3-29c03e5b492e) Attack Pattern Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern 2
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade) Attack Pattern 2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern 2
Domain Fronting - T1090.004 (ca9d3402-ada3-484d-876a-d717bd6e05f2) Attack Pattern Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 2
Application or System Exploitation - T1499.004 (2bee5ffb-7a7a-4119-b1f2-158151b19ac0) Attack Pattern Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) Attack Pattern 2
Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001 (79a4052e-1a89-4b09-aea6-51f1d11fe19c) Attack Pattern Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) Attack Pattern 2
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 2