MITRE Shield will be retired on October 18th in favor of MITRE Engage.

Network Monitoring

Monitor network traffic in order to detect adversary activity.

Network monitoring involves capturing network activity data, including capturing of server, firewall, and other relevant logs. A defender can then review them or send them to a centralized collection location for further analysis.

ID: DTE0027
Tactics: Detect, Collect

Opportunity Space

DOS0198 There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary.

Use Cases

DUC0089 A defender can monitor network traffic for anomalies associated with known MiTM behavior.
DUC0159 A defender can monitor for systems establishing connections using encapsulated protocols not commonly used together such as RDP tunneled over TCP.
DUC0198 The defender can implement network monitoring that detects and alerts on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.
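
The following is an added example, not part of the MITRE Shield page, of how the checks in DUC0159 and DUC0198 can be run over connection records: it flags a known application protocol carried on a port it is not normally associated with (T1571, T1572) and an outbound transfer far above the source host's usual volume (T1029). The flow records, the port map and the thresholds are constructed for illustration and would be replaced by a sensor's real output and a tuned baseline.

```python
"""Flow-record checks for non-standard-port protocol use and outsized transfers.
Added example; the records below are constructed, not captured traffic."""
from collections import defaultdict
from statistics import median

# Ports each recognised application protocol is expected on (assumed map).
# A protocol seen on any other port is a non-standard-port / tunnelling hit.
EXPECTED_PORTS = {"rdp": {3389}, "ssh": {22}, "http": {80, 8080},
                  "tls": {443}, "dns": {53}}

# Constructed connection records, simplified Zeek conn.log-style fields:
# ts, source, destination, destination port, identified app protocol, bytes out.
FLOWS = [
    {"ts": 1, "src": "10.0.0.5", "dst": "10.0.0.9",     "dport": 3389, "app": "rdp", "out": 20_000},
    {"ts": 2, "src": "10.0.0.5", "dst": "203.0.113.7",  "dport": 443,  "app": "rdp", "out": 25_000},
    {"ts": 3, "src": "10.0.0.7", "dst": "198.51.100.3", "dport": 443,  "app": "tls", "out": 30_000},
    {"ts": 4, "src": "10.0.0.7", "dst": "198.51.100.3", "dport": 443,  "app": "tls", "out": 28_000},
    {"ts": 5, "src": "10.0.0.7", "dst": "198.51.100.3", "dport": 443,  "app": "tls", "out": 2_000_000},
    {"ts": 6, "src": "10.0.0.8", "dst": "203.0.113.9",  "dport": 22,   "app": "ssh", "out": 5_000},
]


def nonstandard_port(flow):
    """True when a recognised protocol rides on a port it is not expected on."""
    expected = EXPECTED_PORTS.get(flow["app"])
    return expected is not None and flow["dport"] not in expected


def large_transfers(flows, factor=10, floor=1_000_000):
    """Flows whose outbound bytes exceed an absolute floor and are more than
    `factor` times the median outbound size for the same source host.
    The median is used as the baseline because it is not pulled up by the
    very outlier being looked for."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f["out"])
    return [f for f in flows
            if f["out"] >= floor and f["out"] > factor * median(by_src[f["src"]])]


def analyze(flows):
    """Return (ts, reason) findings sorted by timestamp."""
    findings = [(f["ts"], f"{f['app']} on port {f['dport']} (T1571/T1572)")
                for f in flows if nonstandard_port(f)]
    findings += [(f["ts"], f"{f['out']} bytes out, far above host baseline (T1029)")
                 for f in large_transfers(flows)]
    return sorted(findings)


if __name__ == "__main__":
    for ts, reason in analyze(FLOWS):
        print(f"ts={ts}: {reason}")
```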

Procedures

DPR0047 Capture network logs for internet-facing devices and send those logs to a central collection location.
DPR0048 Capture all network device (router, switches, proxy, etc.) logs on a decoy network and send those logs to a central collection location.

ATT&CK® Techniques

ID     Name                                ATT&CK Tactics
T1021  Remote Services                     Lateral Movement
T1029  Scheduled Transfer                  Exfiltration
T1071  Application Layer Protocol          Command and Control
T1205  Traffic Signaling                   Defense Evasion, Persistence, Command and Control
T1557  Man-in-the-Middle                   Credential Access, Collection
T1570  Lateral Tool Transfer               Lateral Movement
T1571  Non-Standard Port                   Command and Control
T1572  Protocol Tunneling                  Command and Control
T1589  Gather Victim Identity Information  Reconnaissance
T1590  Gather Victim Network Information   Reconnaissance
T1595  Active Scanning                     Reconnaissance
T1599  Network Boundary Bridging           Defense Evasion
T1600  Weaken Encryption                   Defense Evasion