Collect full network traffic for future research and analysis.
PCAP collection lets defenders examine an adversary's network traffic closely after the fact, including determining whether it is encoded and/or encrypted. A capture can be replayed through analysis tools to reconstruct, in sequence, what happened over the wire. These tools can also parse the traffic into per-flow and per-protocol metadata and send the results to a SIEM for monitoring and alerting. Full packet capture is storage-intensive, and for encrypted sessions it yields metadata (destinations, sizes, timing) rather than content, so the collection point and retention period should be chosen with that in mind.
Opportunity ID | Description |
---|---|
DOS0116 | There is an opportunity to detect adversary activity that uses obfuscated communication. |
DOS0170 | There is an opportunity to collect network data and analyze the adversary activity it contains. |
Use Case ID | Description |
---|---|
DUC0116 | A defender can capture the network traffic of a compromised system and look for abnormal traffic that may signal data obfuscation. |
DUC0170 | Collecting full packet capture of all network traffic lets a defender review what happened over a connection and identify command and control traffic and/or exfiltration activity. |
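The parse-and-triage step described above and in use cases DUC0116 and DUC0170, as an added example written for this page (it is not MITRE's tooling, and the capture it reads is constructed in memory, not real traffic). The script reads a classic libpcap file with the standard library only, groups outbound IPv4/TCP packets into flows, and flags two things a reviewer would look for: high payload entropy (a hint that data is encrypted or obfuscated) and regular beaconing intervals (a hint of command and control). The internal address prefix `10.0.0.`, the entropy threshold of 7.0 bits per byte, the 20% jitter allowance and the minimum of five packets are assumptions chosen for the sample, not tuned values.

```python
import hashlib
import math
import struct
from collections import defaultdict

# ---- Minimal libpcap writer, used only to construct the sample capture ----

def build_tcp_packet(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame carrying payload (no options, checksums left zero)."""
    ip4 = lambda s: bytes(int(o) for o in s.split('.'))
    eth = b'\x00' * 6 + b'\x02' * 6 + b'\x08\x00'      # dst MAC, src MAC, EtherType IPv4
    ip_hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40 + len(payload), 0, 0,
                         64, 6, 0, ip4(src_ip), ip4(dst_ip))
    tcp_hdr = struct.pack('!HHIIBBHHH', sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip_hdr + tcp_hdr + payload

def build_pcap(records):
    """records: iterable of (timestamp_seconds, frame). Link type 1 = Ethernet."""
    out = bytearray(struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack('<IIII', sec, int(round((ts - sec) * 1e6)), len(frame), len(frame))
        out += frame
    return bytes(out)

# ---- Reader and per-flow analysis ----

def iter_pcap(data):
    """Yield (timestamp, frame) from a classic pcap file in either byte order."""
    magic = struct.unpack_from('<I', data, 0)[0]
    endian = {0xA1B2C3D4: '<', 0xD4C3B2A1: '>'}.get(magic)
    if endian is None:
        raise ValueError('not a classic pcap file (pcapng is not handled here)')
    off = 24                                            # skip the global header
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(endian + 'IIII', data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

def parse_tcp(frame):
    """Return (src, dst, sport, dport, payload) for IPv4/TCP frames, else None."""
    if len(frame) < 54 or frame[12:14] != b'\x08\x00':
        return None
    ip = frame[14:]
    if ip[9] != 6:                                      # IP protocol 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from('!H', ip, 2)[0]
    src = '.'.join(map(str, ip[12:16]))
    dst = '.'.join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from('!HH', tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, bytes(tcp[data_off:])

def shannon_entropy(buf):
    """Bits per byte: close to 8.0 for encrypted/compressed data, 4-5 for English text."""
    if not buf:
        return 0.0
    n = len(buf)
    counts = defaultdict(int)
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def analyze(pcap_bytes, internal_prefix='10.0.0.', entropy_threshold=7.0,
            beacon_jitter=0.2, min_beacon_pkts=5):
    """Summarise outbound TCP flows; flag high-entropy payloads and regular beaconing."""
    flows = defaultdict(lambda: {'bytes_out': 0, 'pkts': 0, 'payload': bytearray(), 'times': []})
    for ts, frame in iter_pcap(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        if not src.startswith(internal_prefix):         # keep only host -> outside direction
            continue
        f = flows[(src, dst, dport)]
        f['bytes_out'] += len(payload)
        f['pkts'] += 1
        if len(f['payload']) < 65536:                   # cap memory held per flow
            f['payload'] += payload
        f['times'].append(ts)
    report = []
    for (src, dst, dport), f in sorted(flows.items()):
        ent = shannon_entropy(f['payload'])
        gaps = [b - a for a, b in zip(f['times'], f['times'][1:])]
        beaconing = False
        if len(f['times']) >= min_beacon_pkts:
            mean_gap = sum(gaps) / len(gaps)
            beaconing = mean_gap > 0 and all(abs(g - mean_gap) <= beacon_jitter * mean_gap for g in gaps)
        report.append({'src': src, 'dst': dst, 'dport': dport, 'pkts': f['pkts'],
                       'bytes_out': f['bytes_out'], 'entropy': round(ent, 2),
                       'high_entropy': ent >= entropy_threshold, 'beaconing': beaconing})
    return report

def sample_pcap():
    """Constructed capture: a plaintext HTTP fetch plus a 60 s beacon with random-looking data."""
    records = []
    http = b'GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/8.0\r\n\r\n'
    for i, ts in enumerate([1.0, 1.2, 7.5]):
        records.append((ts, build_tcp_packet('10.0.0.5', '198.51.100.5', 40000 + i, 80, http)))
    for i in range(6):
        # deterministic stand-in for encrypted C2 data: 256 bytes of chained SHA-256 output
        blob = b''.join(hashlib.sha256(b'beacon%d-%d' % (i, k)).digest() for k in range(8))
        records.append((100.0 + 60.0 * i, build_tcp_packet('10.0.0.5', '203.0.113.9', 50000 + i, 443, blob)))
    return build_pcap(sorted(records))

if __name__ == '__main__':
    for row in analyze(sample_pcap()):
        print(row)
```

Each report row is the kind of record that would be forwarded to a SIEM; the `bytes_out` and `pkts` counters per destination are what a size- or volume-based exfiltration rule would consume, while the entropy and beaconing flags feed the obfuscation and command-and-control cases. On a real capture, replace `sample_pcap()` with the file contents and set `internal_prefix` to the monitored network; pcapng files need a different reader.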
Procedure ID | Description |
---|---|
DPR0049 | Collect PCAP on a decoy network to improve visibility into an adversary's network activity. |
ID | Name | ATT&CK Tactics |
---|---|---|
T1001 | Data Obfuscation | Command and Control |
T1020 | Automated Exfiltration | Exfiltration |
T1030 | Data Transfer Size Limits | Exfiltration |
T1105 | Ingress Tool Transfer | Command and Control |