Collect full network traffic for future research and analysis.
PCAP Collection allows defenders to examine an adversary's network traffic more closely, including determining whether it is encoded and/or encrypted. PCAP can be run through tools that replay the traffic to give a real-time view of what happened over the wire. These tools can also parse the traffic and send the results to a SIEM for monitoring and alerting.
| ID | Description |
|---|---|
| DOS0116 | There is an opportunity to detect adversary activity that uses obfuscated communication. |
| DOS0170 | There is an opportunity to collect network data and analyze the adversary activity it contains. |
| DUC0116 | A defender can capture network traffic for a compromised system and look for abnormal network traffic that may signal data obfuscation. |
| DUC0170 | Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity. |
| DPR0049 | Collect PCAP on a decoy network to improve visibility into an adversary's network activity. |
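As an added example, not code from this page or from MITRE's tooling: a minimal parser for a classic libpcap file that reassembles TCP payload per flow and scores its byte entropy, the kind of check the description and use cases above describe for spotting encoded or encrypted command-and-control streams before forwarding flow summaries to a SIEM. The capture is constructed inline; the addresses, ports and payloads are made-up sample data.

```python
import math
import struct
from collections import defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 suggests encrypted/compressed data, plaintext protocols sit far lower."""
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))
def iter_pcap_frames(blob: bytes):
    """Yield link-layer frames from a classic libpcap file (24-byte global header, 16-byte records)."""
    magic, = struct.unpack_from("<I", blob, 0)
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"  # usec or nsec little-endian magic
    off = 24
    while off + 16 <= len(blob):
        _sec, _frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", blob, off)
        yield blob[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
def tcp_payload(frame: bytes):
    """Return ((src, sport), (dst, dport), payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    doff = (ip[ihl + 12] >> 4) * 4
    return (src, sport), (dst, dport), ip[ihl + doff:total_len]
def flow_summary(blob: bytes) -> dict:
    """Per TCP flow: (payload bytes, entropy). High-entropy flows on odd ports are SIEM candidates."""
    flows = defaultdict(bytes)
    for frame in iter_pcap_frames(blob):
        parsed = tcp_payload(frame)
        if parsed:
            flows[(parsed[0], parsed[1])] += parsed[2]
    return {k: (len(v), round(shannon_entropy(v), 2)) for k, v in flows.items()}
def _frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip
def _pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample capture: one plaintext HTTP request and one opaque, high-entropy stream.
SAMPLE_PCAP = _pcap([
    _frame("10.0.0.5", "198.51.100.7", 50001, 80, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    _frame("10.0.0.5", "203.0.113.9", 50002, 8443, bytes(range(256)) * 4),
])
```

Running `flow_summary(SAMPLE_PCAP)` reports the HTTP flow with text-like entropy and the second flow at 8.0 bits per byte, which is the signal an analyst would pivot on when reviewing a capture for obfuscated channels.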
| ID | Name | Tactic |
|---|---|---|
| T1001 | Data Obfuscation | Command and Control |
| T1030 | Data Transfer Size Limits | Exfiltration |
| T1105 | Ingress Tool Transfer | Command and Control |