
DS0029 Network Traffic

Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)

Item Value
ID DS0029
Platforms IaaS, Linux, Windows, macOS
Collection Layers Cloud Control Plane, Host, Network
Version 1.0
Created 20 October 2021
Last Modified 30 March 2022

Data Components

Network Connection Creation

Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows Sysmon EID 3)
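The following is an added example and not part of the ATT&CK page. It shows what a Network Connection Creation record actually contains by parsing the event XML Sysmon writes for Event ID 3 (NetworkConnect): the process image, the user, whether the process initiated or accepted the socket, and both endpoints. Two rules then tie the record to technique groups listed under this component: an outbound connection from one of the T1218 proxy-execution binaries (cmstp, mshta, msiexec, regsvr32), and an accepted session on a T1021 remote-service port. The field names are Sysmon's own; the events, hosts, users and addresses are constructed for the example, and the "internal" address ranges are an assumption you would replace with your own.

```python
"""Network Connection Creation: Sysmon Event ID 3 (NetworkConnect) records."""
import ipaddress
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed internal ranges (RFC 1918); adjust to the environment being monitored.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# T1218 sub-techniques: signed Windows binaries abused to fetch and run payloads.
PROXY_EXEC_BINARIES = {"cmstp.exe": "T1218.003", "mshta.exe": "T1218.005",
                       "msiexec.exe": "T1218.007", "regsvr32.exe": "T1218.010"}
# T1021 sub-techniques by the port the remote service listens on.
REMOTE_SERVICE_PORTS = {3389: "T1021.001 RDP", 445: "T1021.002 SMB", 22: "T1021.004 SSH",
                        5900: "T1021.005 VNC", 5985: "T1021.006 WinRM", 5986: "T1021.006 WinRM"}

# Sysmon's EID 3 schema (subset of fields); values are filled in by make_event below.
EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID></System>
  <EventData>
    <Data Name="Image">{image}</Data>
    <Data Name="User">{user}</Data>
    <Data Name="Protocol">tcp</Data>
    <Data Name="Initiated">{initiated}</Data>
    <Data Name="SourceIp">{src_ip}</Data>
    <Data Name="SourcePort">{src_port}</Data>
    <Data Name="DestinationIp">{dst_ip}</Data>
    <Data Name="DestinationPort">{dst_port}</Data>
  </EventData>
</Event>"""


def make_event(**fields) -> str:
    """Build a constructed EID 3 event for the sample set."""
    return EVENT_TEMPLATE.format(**fields)


# Constructed sample: a LOLBin reaching out, a browser doing the same, and an accepted RDP session.
SAMPLE_EVENTS = [
    make_event(image=r"C:\Windows\System32\regsvr32.exe", user=r"CORP\jdoe", initiated="true",
               src_ip="10.1.2.3", src_port=50231, dst_ip="198.51.100.7", dst_port=443),
    make_event(image=r"C:\Program Files\Google\Chrome\Application\chrome.exe", user=r"CORP\jdoe",
               initiated="true", src_ip="10.1.2.3", src_port=50232, dst_ip="198.51.100.7", dst_port=443),
    make_event(image=r"C:\Windows\System32\svchost.exe", user=r"NT AUTHORITY\NETWORK SERVICE",
               initiated="false", src_ip="10.1.2.3", src_port=50300, dst_ip="10.1.2.50", dst_port=3389),
]


def is_internal(addr: ipaddress._BaseAddress) -> bool:
    return any(addr in net for net in INTERNAL)


def parse_eid3(xml_text: str) -> dict:
    """Extract the socket information Sysmon records for a NetworkConnect event."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "3":
        raise ValueError(f"not a Sysmon NetworkConnect event: EventID={event_id}")
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "image": data["Image"],
        "user": data["User"],
        "initiated": data["Initiated"] == "true",  # true = this process opened the socket
        "src": ipaddress.ip_address(data["SourceIp"]),
        "src_port": int(data["SourcePort"]),
        "dst": ipaddress.ip_address(data["DestinationIp"]),
        "dst_port": int(data["DestinationPort"]),
    }


def flag_connection(ev: dict) -> list[str]:
    """Apply the two rules; returns one finding string per rule that fires."""
    findings = []
    exe = ntpath.basename(ev["image"]).lower()
    # Rule 1: a T1218 proxy binary initiating a connection to a non-internal host.
    if ev["initiated"] and exe in PROXY_EXEC_BINARIES and not is_internal(ev["dst"]):
        findings.append(f"{PROXY_EXEC_BINARIES[exe]}: {exe} initiated connection to "
                        f"{ev['dst']}:{ev['dst_port']} as {ev['user']}")
    # Rule 2: an accepted (Initiated=false) session on a remote-service port from an internal peer.
    if not ev["initiated"] and ev["dst_port"] in REMOTE_SERVICE_PORTS and is_internal(ev["src"]):
        findings.append(f"{REMOTE_SERVICE_PORTS[ev['dst_port']]} session accepted from "
                        f"{ev['src']}:{ev['src_port']} by {exe}")
    return findings


def scan(events: list[str]) -> list[str]:
    return [f for e in events for f in flag_connection(parse_eid3(e))]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Rule 2 is a candidate list, not a verdict: on a jump host every accepted RDP session will match, so in practice it is joined against an allow-list of source hosts or against the logon events the session produced.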

Domain ID Name
enterprise T1020 Automated Exfiltration
enterprise T1020.001 Traffic Duplication
enterprise T1197 BITS Jobs
enterprise T1176 Browser Extensions
enterprise T1612 Build Image on Host
enterprise T1602 Data from Configuration Repository
enterprise T1602.001 SNMP (MIB Dump)
enterprise T1602.002 Network Device Configuration Dump
enterprise T1030 Data Transfer Size Limits
enterprise T1189 Drive-by Compromise
enterprise T1568 Dynamic Resolution
enterprise T1568.001 Fast Flux DNS
enterprise T1114 Email Collection
enterprise T1114.002 Remote Email Collection
enterprise T1048 Exfiltration Over Alternative Protocol
enterprise T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
enterprise T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
enterprise T1041 Exfiltration Over C2 Channel
enterprise T1011 Exfiltration Over Other Network Medium
enterprise T1011.001 Exfiltration Over Bluetooth
enterprise T1008 Fallback Channels
enterprise T1105 Ingress Tool Transfer
enterprise T1104 Multi-Stage Channels
enterprise T1542 Pre-OS Boot
enterprise T1542.005 TFTP Boot
enterprise T1572 Protocol Tunneling
enterprise T1090 Proxy
enterprise T1090.001 Internal Proxy
enterprise T1090.002 External Proxy
enterprise T1090.003 Multi-hop Proxy
enterprise T1219 Remote Access Software
enterprise T1021 Remote Services
enterprise T1021.001 Remote Desktop Protocol
enterprise T1021.002 SMB/Windows Admin Shares
enterprise T1021.003 Distributed Component Object Model
enterprise T1021.004 SSH
enterprise T1021.005 VNC
enterprise T1021.006 Windows Remote Management
enterprise T1018 Remote System Discovery
enterprise T1496 Resource Hijacking
enterprise T1029 Scheduled Transfer
enterprise T1218 System Binary Proxy Execution
enterprise T1218.003 CMSTP
enterprise T1218.005 Mshta
enterprise T1218.007 Msiexec
enterprise T1218.010 Regsvr32
enterprise T1221 Template Injection
enterprise T1205 Traffic Signaling
enterprise T1205.001 Port Knocking
enterprise T1204 User Execution
enterprise T1204.001 Malicious Link
enterprise T1102 Web Service
enterprise T1102.002 Bidirectional Communication
enterprise T1102.003 One-Way Communication
enterprise T1047 Windows Management Instrumentation

Network Traffic Content

Logged network traffic data showing both protocol header and body values (ex: PCAP)
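The following is an added example and not part of the ATT&CK page. It illustrates why header and body values matter: a DNS tunnel (T1071.004, T1048.003, with the payload typically encoded as in T1132) looks like ordinary UDP/53 traffic in a flow summary, and only the query name in the packet body gives it away. The code parses a raw DNS query message (RFC 1035 header plus the question section) and scores the name on length and the entropy of the subdomain part. The packets are constructed inline with build_dns_query(); the thresholds and the assumption that the registrable domain is the last two labels are choices made for the example, not anything the page states.

```python
"""Network Traffic Content: parse a raw DNS query and score the queried name."""
import math
import struct


def build_dns_query(qname: str, txid: int = 0x1234, qtype: int = 16) -> bytes:
    """Construct a DNS query packet (header + one question). qtype 16 = TXT, 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, QDCOUNT=1
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_dns_question(pkt: bytes) -> dict:
    """Parse the 12-byte header and the first question; raise on anything malformed."""
    if len(pkt) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError(f"expected one question, got {qdcount}")
    labels, off = [], 12
    while True:
        if off >= len(pkt):
            raise ValueError("truncated question name")
        length = pkt[off]
        if length == 0:          # root label terminates the name
            off += 1
            break
        if length & 0xC0:        # compression pointers are not valid in a question name
            raise ValueError("compression pointer in question name")
        off += 1
        if off + length > len(pkt):
            raise ValueError("label runs past end of packet")
        labels.append(pkt[off:off + length].decode("ascii", "replace"))
        off += length
    if off + 4 > len(pkt):
        raise ValueError("truncated question type/class")
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"txid": txid, "labels": labels, "qname": ".".join(labels),
            "qtype": qtype, "qclass": qclass}


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for the empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def score_query(q: dict, max_len: int = 60, min_sub_len: int = 32,
                entropy_bits: float = 4.0) -> list[str]:
    """Heuristics on the parsed name. Thresholds are assumptions for the example."""
    findings = []
    sub = "".join(q["labels"][:-2])  # assumes a two-label registrable domain, e.g. example.com
    if len(q["qname"]) > max_len:
        findings.append(f"qname is {len(q['qname'])} bytes (limit {max_len})")
    ent = shannon_entropy(sub)
    if len(sub) >= min_sub_len and ent > entropy_bits:
        findings.append(f"subdomain entropy {ent:.2f} bits over {len(sub)} chars")
    if q["qtype"] == 16 and findings:
        findings.append("TXT query carrying a suspicious name (T1071.004 / T1048.003 candidate)")
    return findings


# Constructed traffic: one benign lookup and one tunnel-style query whose subdomain is
# two 32-character base32-alphabet labels (every symbol appears twice, so entropy is exactly 5 bits).
BENIGN_PKT = build_dns_query("www.example.com", qtype=1)
TUNNEL_PKT = build_dns_query(
    "abcdefghijklmnopqrstuvwxyz234567.abcdefghijklmnopqrstuvwxyz234567.example.com", qtype=16)


if __name__ == "__main__":
    for pkt in (BENIGN_PKT, TUNNEL_PKT):
        q = parse_dns_question(pkt)
        print(q["qname"], score_query(q) or "clean")
```

In a live capture the same parser runs on the UDP payload after the Ethernet, IP and UDP headers have been stripped; the length-prefixed label walk and the rejection of compression pointers in the question are what keep a crafted packet from sending the parser out of bounds.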

Domain ID Name
enterprise T1595 Active Scanning
enterprise T1595.002 Vulnerability Scanning
enterprise T1595.003 Wordlist Scanning
enterprise T1557 Adversary-in-the-Middle
enterprise T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
enterprise T1557.002 ARP Cache Poisoning
enterprise T1557.003 DHCP Spoofing
enterprise T1071 Application Layer Protocol
enterprise T1071.001 Web Protocols
enterprise T1071.002 File Transfer Protocols
enterprise T1071.003 Mail Protocols
enterprise T1071.004 DNS
enterprise T1020 Automated Exfiltration
enterprise T1612 Build Image on Host
enterprise T1586 Compromise Accounts
enterprise T1586.001 Social Media Accounts
enterprise T1132 Data Encoding
enterprise T1132.001 Standard Encoding
enterprise T1132.002 Non-Standard Encoding
enterprise T1602 Data from Configuration Repository
enterprise T1602.001 SNMP (MIB Dump)
enterprise T1602.002 Network Device Configuration Dump
enterprise T1565 Data Manipulation
enterprise T1565.002 Transmitted Data Manipulation
enterprise T1001 Data Obfuscation
enterprise T1001.001 Junk Data
enterprise T1001.002 Steganography
enterprise T1001.003 Protocol Impersonation
enterprise T1491 Defacement
enterprise T1491.001 Internal Defacement
enterprise T1491.002 External Defacement
enterprise T1189 Drive-by Compromise
enterprise T1568 Dynamic Resolution
enterprise T1568.003 DNS Calculation
enterprise T1573 Encrypted Channel
enterprise T1573.001 Symmetric Cryptography
enterprise T1573.002 Asymmetric Cryptography
enterprise T1499 Endpoint Denial of Service
enterprise T1499.001 OS Exhaustion Flood
enterprise T1499.002 Service Exhaustion Flood
enterprise T1499.003 Application Exhaustion Flood
enterprise T1499.004 Application or System Exploitation
enterprise T1585 Establish Accounts
enterprise T1585.001 Social Media Accounts
enterprise T1048 Exfiltration Over Alternative Protocol
enterprise T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
enterprise T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
enterprise T1041 Exfiltration Over C2 Channel
enterprise T1011 Exfiltration Over Other Network Medium
enterprise T1011.001 Exfiltration Over Bluetooth
enterprise T1567 Exfiltration Over Web Service
enterprise T1567.001 Exfiltration to Code Repository
enterprise T1567.002 Exfiltration to Cloud Storage
enterprise T1190 Exploit Public-Facing Application
enterprise T1210 Exploitation of Remote Services
enterprise T1187 Forced Authentication
enterprise T1589 Gather Victim Identity Information
enterprise T1589.002 Email Addresses
enterprise T1615 Group Policy Discovery
enterprise T1070 Indicator Removal on Host
enterprise T1070.005 Network Share Connection Removal
enterprise T1105 Ingress Tool Transfer
enterprise T1534 Internal Spearphishing
enterprise T1570 Lateral Tool Transfer
enterprise T1599 Network Boundary Bridging
enterprise T1599.001 Network Address Translation Traversal
enterprise T1095 Non-Application Layer Protocol
enterprise T1571 Non-Standard Port
enterprise T1003 OS Credential Dumping
enterprise T1003.006 DCSync
enterprise T1566 Phishing
enterprise T1566.001 Spearphishing Attachment
enterprise T1566.002 Spearphishing Link
enterprise T1566.003 Spearphishing via Service
enterprise T1598 Phishing for Information
enterprise T1598.001 Spearphishing Service
enterprise T1598.002 Spearphishing Attachment
enterprise T1598.003 Spearphishing Link
enterprise T1572 Protocol Tunneling
enterprise T1090 Proxy
enterprise T1090.001 Internal Proxy
enterprise T1090.002 External Proxy
enterprise T1090.003 Multi-hop Proxy
enterprise T1090.004 Domain Fronting
enterprise T1219 Remote Access Software
enterprise T1563 Remote Service Session Hijacking
enterprise T1563.001 SSH Hijacking
enterprise T1563.002 RDP Hijacking
enterprise T1207 Rogue Domain Controller
enterprise T1505 Server Software Component
enterprise T1505.003 Web Shell
enterprise T1033 System Owner/User Discovery
enterprise T1221 Template Injection
enterprise T1205 Traffic Signaling
enterprise T1204 User Execution
enterprise T1204.001 Malicious Link
enterprise T1102 Web Service
enterprise T1102.001 Dead Drop Resolver
enterprise T1102.002 Bidirectional Communication
enterprise T1102.003 One-Way Communication

Network Traffic Flow

Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)
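The following is an added example and not part of the ATT&CK page. Flow records carry no payload, but the per-connection byte counts, ports and Zeek's protocol detection (the service column) are enough to surface several techniques listed under this component: a large outbound volume to one external host (T1041, T1048), the same transfer split into fixed-size pieces (T1030 Data Transfer Size Limits), and a protocol seen on a port it does not belong on (T1571 Non-Standard Port). The parser reads Zeek's TSV conn.log format, taking column names from the #fields header. The log excerpt is constructed for the example with a subset of Zeek's columns; the internal ranges, expected-port table and thresholds are assumptions to be tuned per environment.

```python
"""Network Traffic Flow: detections over Zeek conn.log records."""
import ipaddress
from collections import defaultdict

# Constructed conn.log excerpt in Zeek's TSV layout (subset of the real columns).
CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring",
    # six connections of exactly 1 MiB each from one host to one external address
    *[f"{1700000000 + i * 60:.6f}\tCabc{i}\t10.1.2.3\t{50100 + i}\t198.51.100.7\t443\ttcp\tssl"
      f"\t25.0\t1048576\t2048\tSF" for i in range(6)],
    "1700000400.000000\tCdef1\t10.1.2.3\t50200\t198.51.100.9\t8443\ttcp\tssh\t600.0\t5000\t9000\tSF",
    "1700000410.000000\tCdef2\t10.1.2.4\t50300\t10.1.2.50\t445\ttcp\tsmb\t4.0\t200000\t1500\tSF",
    "1700000420.000000\tCdef3\t10.1.2.5\t50400\t198.51.100.7\t443\ttcp\tssl\t1.2\t1200\t8800\tSF",
    "1700000430.000000\tCdef4\t10.1.2.5\t50401\t198.51.100.7\t443\ttcp\t-\t0.1\t0\t0\tS0",
    "#close\t2023-11-14-22-33-50",
])

INTEGER_FIELDS = {"id.orig_p", "id.resp_p", "orig_bytes", "resp_bytes"}
# Assumed internal ranges (RFC 1918).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports on which Zeek's service label is expected; anything else is a T1571 candidate.
EXPECTED_PORTS = {"ssh": {22}, "rdp": {3389}, "smb": {445}, "dns": {53},
                  "http": {80, 8080}, "ssl": {443, 8443}}


def parse_conn_log(text: str) -> list[dict]:
    """Parse Zeek TSV; column names come from #fields, '-' is Zeek's unset marker."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {line!r}")
        rec = dict(zip(fields, values))
        for key in INTEGER_FIELDS:
            rec[key] = None if rec[key] == "-" else int(rec[key])
        rec["ts"] = float(rec["ts"])
        records.append(rec)
    return records


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def flag_flows(records: list[dict], exfil_bytes: int = 5_000_000, chunk_min: int = 5) -> list[str]:
    """Return one finding per rule that fires; thresholds are example assumptions."""
    findings = []
    outbound = defaultdict(list)  # (orig_h, resp_h, resp_p) -> orig_bytes of each connection
    for r in records:
        if is_internal(r["id.orig_h"]) and not is_internal(r["id.resp_h"]):
            outbound[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(r["orig_bytes"] or 0)
        svc = r["service"]
        if svc in EXPECTED_PORTS and r["id.resp_p"] not in EXPECTED_PORTS[svc]:
            findings.append(f"T1571: {svc} detected on {r['id.resp_h']}:{r['id.resp_p']} (uid {r['uid']})")
    for (src, dst, port), sizes in outbound.items():
        total = sum(sizes)
        if total >= exfil_bytes:
            findings.append(f"T1041/T1048: {src} sent {total} bytes to {dst}:{port} "
                            f"over {len(sizes)} connections")
        if len(sizes) >= chunk_min and len(set(sizes)) == 1 and sizes[0] > 0:
            findings.append(f"T1030: {len(sizes)} connections from {src} to {dst}:{port} "
                            f"each carrying exactly {sizes[0]} bytes")
    return findings


if __name__ == "__main__":
    for finding in flag_flows(parse_conn_log(CONN_LOG)):
        print(finding)
```

The T1030 rule keys on identical orig_bytes across connections because an adversary chunking a file to stay under a size threshold produces exactly that signature; a legitimate sync client usually varies in size. Note that the internal SMB transfer in the sample is deliberately not flagged: a flow-only rule set cannot tell lateral tool transfer from a file share without the host or content view.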

Domain ID Name
enterprise T1595 Active Scanning
enterprise T1595.001 Scanning IP Blocks
enterprise T1595.002 Vulnerability Scanning
enterprise T1557 Adversary-in-the-Middle
enterprise T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
enterprise T1557.002 ARP Cache Poisoning
enterprise T1557.003 DHCP Spoofing
enterprise T1071 Application Layer Protocol
enterprise T1071.001 Web Protocols
enterprise T1071.002 File Transfer Protocols
enterprise T1071.003 Mail Protocols
enterprise T1071.004 DNS
enterprise T1020 Automated Exfiltration
enterprise T1020.001 Traffic Duplication
enterprise T1612 Build Image on Host
enterprise T1565 Data Manipulation
enterprise T1565.002 Transmitted Data Manipulation
enterprise T1030 Data Transfer Size Limits
enterprise T1568 Dynamic Resolution
enterprise T1568.001 Fast Flux DNS
enterprise T1568.002 Domain Generation Algorithms
enterprise T1499 Endpoint Denial of Service
enterprise T1499.001 OS Exhaustion Flood
enterprise T1499.002 Service Exhaustion Flood
enterprise T1499.003 Application Exhaustion Flood
enterprise T1499.004 Application or System Exploitation
enterprise T1048 Exfiltration Over Alternative Protocol
enterprise T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
enterprise T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
enterprise T1041 Exfiltration Over C2 Channel
enterprise T1011 Exfiltration Over Other Network Medium
enterprise T1011.001 Exfiltration Over Bluetooth
enterprise T1567 Exfiltration Over Web Service
enterprise T1567.001 Exfiltration to Code Repository
enterprise T1567.002 Exfiltration to Cloud Storage
enterprise T1133 External Remote Services
enterprise T1008 Fallback Channels
enterprise T1187 Forced Authentication
enterprise T1105 Ingress Tool Transfer
enterprise T1534 Internal Spearphishing
enterprise T1570 Lateral Tool Transfer
enterprise T1104 Multi-Stage Channels
enterprise T1599 Network Boundary Bridging
enterprise T1599.001 Network Address Translation Traversal
enterprise T1498 Network Denial of Service
enterprise T1498.001 Direct Network Flood
enterprise T1498.002 Reflection Amplification
enterprise T1046 Network Service Discovery
enterprise T1095 Non-Application Layer Protocol
enterprise T1571 Non-Standard Port
enterprise T1003 OS Credential Dumping
enterprise T1003.006 DCSync
enterprise T1566 Phishing
enterprise T1566.001 Spearphishing Attachment
enterprise T1566.002 Spearphishing Link
enterprise T1566.003 Spearphishing via Service
enterprise T1598 Phishing for Information
enterprise T1598.001 Spearphishing Service
enterprise T1598.002 Spearphishing Attachment
enterprise T1598.003 Spearphishing Link
enterprise T1572 Protocol Tunneling
enterprise T1090 Proxy
enterprise T1090.001 Internal Proxy
enterprise T1090.002 External Proxy
enterprise T1090.003 Multi-hop Proxy
enterprise T1219 Remote Access Software
enterprise T1563 Remote Service Session Hijacking
enterprise T1563.001 SSH Hijacking
enterprise T1563.002 RDP Hijacking
enterprise T1021 Remote Services
enterprise T1021.001 Remote Desktop Protocol
enterprise T1021.002 SMB/Windows Admin Shares
enterprise T1496 Resource Hijacking
enterprise T1029 Scheduled Transfer
enterprise T1505 Server Software Component
enterprise T1505.003 Web Shell
enterprise T1033 System Owner/User Discovery
enterprise T1205 Traffic Signaling
enterprise T1205.001 Port Knocking
enterprise T1102 Web Service
enterprise T1102.001 Dead Drop Resolver
enterprise T1102.002 Bidirectional Communication
enterprise T1102.003 One-Way Communication
