Protocol Decoder

Use software designed to deobfuscate or decrypt adversary command and control (C2) or data exfiltration traffic.

Protocol decoders read network traffic and put the activity between the operator and the implant into context. These tools often have to handle complex encryption and custom protocols, turning the traffic into a human-readable format for an analyst to interpret.

ID: DTE0031
Tactics: Detect, Collect


DOS0015 There is an opportunity to use tools and controls to stop an adversary's activity.
DOS0249 There is an opportunity to reveal data that the adversary has tried to protect from defenders.

Use Cases

DUC0248 Defenders can reverse engineer malware and develop protocol decoders that can decrypt and expose adversary communications.
DUC0249 Defenders can develop protocol decoders that can decrypt network capture data and expose an adversary's command and control traffic as well as their exfiltration activity.


DPR0054 Create and apply a decoder which allows you to view encrypted and/or encoded network traffic in a human-readable format.
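
A minimal decoder of the kind DPR0054 describes, as an added example that is not part of the original page. The framing (2-byte length, 1-byte message type, base64 of a repeating-key XOR body), the key and the message types are all constructed for illustration; they stand in for values an analyst would recover by reverse engineering the implant.

```python
import base64
import struct
from itertools import cycle

# Constructed stand-ins for what reverse engineering the implant would yield.
XOR_KEY = b"k3y!"
MSG_TYPES = {1: "TASK", 2: "RESULT", 3: "EXFIL_CHUNK"}

def xor(data, key=XOR_KEY):
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def decode_stream(stream, direction):
    """Decode one reassembled TCP direction; return (records, leftover bytes)."""
    records, off = [], 0
    while len(stream) - off >= 3:
        length, mtype = struct.unpack_from(">HB", stream, off)
        if len(stream) - off - 3 < length:
            break  # frame truncated by the capture: keep it for the next read
        body = stream[off + 3:off + 3 + length]
        off += 3 + length
        try:
            text = xor(base64.b64decode(body, validate=True)).decode("utf-8", "replace")
        except ValueError as exc:  # bad base64: wrong key/protocol or noise
            text = f"<undecodable: {exc}>"
        records.append({"dir": direction, "text": text,
                        "type": MSG_TYPES.get(mtype, f"UNKNOWN(0x{mtype:02x})")})
    return records, stream[off:]

def _frame(mtype, plaintext):
    """Build constructed sample traffic for the demo below."""
    body = base64.b64encode(xor(plaintext))
    return struct.pack(">HB", len(body), mtype) + body

# Constructed capture: one tasking, one result, one exfil frame cut short.
TO_IMPLANT = _frame(1, b"whoami")
TO_OPERATOR = _frame(2, b"corp\\svc-backup") + _frame(3, b"chunk 1/4: payroll.xlsx")[:-5]

if __name__ == "__main__":
    for stream, direction in ((TO_IMPLANT, "operator->implant"),
                              (TO_OPERATOR, "implant->operator")):
        records, leftover = decode_stream(stream, direction)
        for r in records:
            print(f"{r['dir']:18} {r['type']:12} {r['text']}")
        if leftover:
            print(f"{direction:18} {len(leftover)} undecoded bytes (partial frame)")
```

The leftover bytes returned for a truncated frame can be prepended to the next chunk of the same stream, so a capture that splits a frame across reads still decodes.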

ATT&CK® Techniques

ID | Name | ATT&CK Tactics
T1001 | Data Obfuscation | Command and Control
T1020 | Automated Exfiltration | Exfiltration
T1030 | Data Transfer Size Limits | Exfiltration
T1132 | Data Encoding | Command and Control
T1573 | Encrypted Channel | Command and Control