Use software designed to deobfuscate or decrypt adversary command and control (C2) or data exfiltration traffic.
Protocol decoders are designed to read network traffic and contextualize all activity between the operator and the implant. These tools are often required to process complex encryption ciphers and custom protocols into a human-readable format for an analyst to interpret.
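As an added illustration of what such a decoder does (this is example code, not part of the original page or any real implant), the block below parses a constructed C2 framing and turns each frame into a human-readable record. The wire format, the message types, the XOR key, and the sample capture are all assumptions constructed for the example; in a real case the format and key would come from reverse engineering the malware.

```python
"""Toy protocol decoder for a constructed C2 framing (added example).

Assumed wire format (constructed for illustration):
  magic b"ZC" | 1-byte msg type | 2-byte big-endian body length | base64(xor(payload, key))
"""
import base64
import struct

MSG_TYPES = {0x01: "TASK", 0x02: "RESULT", 0x03: "EXFIL"}  # assumed type codes
KEY = b"k3y"  # constructed key; in practice recovered from malware analysis


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, used symmetrically for encode and decode."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_frame(msg_type: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Build one frame in the constructed format (only used to make sample capture data)."""
    body = base64.b64encode(xor(payload, key))
    return b"ZC" + struct.pack(">BH", msg_type, len(body)) + body


def decode_stream(stream: bytes, key: bytes = KEY) -> list:
    """Walk a captured byte stream and return a readable record per frame.

    Raises ValueError on bad magic, truncated frames, or undecodable trailing bytes,
    so an analyst notices when the captured data does not match the assumed format.
    """
    records = []
    offset = 0
    while offset + 5 <= len(stream):
        if stream[offset:offset + 2] != b"ZC":
            raise ValueError(f"bad magic at offset {offset}")
        msg_type, length = struct.unpack(">BH", stream[offset + 2:offset + 5])
        body = stream[offset + 5:offset + 5 + length]
        if len(body) < length:
            raise ValueError(f"truncated frame at offset {offset}")
        payload = xor(base64.b64decode(body), key)
        records.append({
            "offset": offset,
            "type": MSG_TYPES.get(msg_type, f"UNKNOWN(0x{msg_type:02x})"),
            "payload": payload.decode("utf-8", errors="replace"),
        })
        offset += 5 + length
    if offset != len(stream):
        raise ValueError(f"{len(stream) - offset} trailing bytes not decodable")
    return records


# Constructed sample capture: one tasking frame and one exfiltration chunk.
SAMPLE_STREAM = encode_frame(0x01, b"cmd=whoami") + encode_frame(0x03, b"file=notes.txt;chunk=1")

if __name__ == "__main__":
    for rec in decode_stream(SAMPLE_STREAM):
        print(f"[{rec['offset']:04d}] {rec['type']:<7} {rec['payload']}")
```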
| ID | Description |
|---|---|
| DOS0015 | There is an opportunity to use tools and controls to stop an adversary's activity. |
| DOS0249 | There is an opportunity to reveal data that the adversary has tried to protect from defenders. |

| ID | Description |
|---|---|
| DUC0248 | Defenders can reverse engineer malware and develop protocol decoders that can decrypt and expose adversary communications. |
| DUC0249 | Defenders can develop protocol decoders that can decrypt network capture data and expose an adversary's command and control traffic as well as their exfiltration activity. |

| ID | Description |
|---|---|
| DPR0054 | Create and apply a decoder which allows you to view encrypted and/or encoded network traffic in a human-readable format. |

| ID | Name | ATT&CK Tactics |
|---|---|---|
| T1001 | Data Obfuscation | Command and Control |
| T1020 | Automated Exfiltration | Exfiltration |
| T1030 | Data Transfer Size Limits | Exfiltration |
| T1132 | Data Encoding | Command and Control |
| T1573 | Encrypted Channel | Command and Control |