DS0029 Network Traffic

Data transmitted across a network (ex: Web, DNS, Mail, File, etc.) that is summarized (ex: Netflow), captured as raw data in an analyzable format (ex: PCAP), or both

ID: DS0029
Platforms: Android, IaaS, Linux, Windows, iOS, macOS
Collection Layers: Cloud Control Plane, Host, Network
Version: 1.1
Created: 20 October 2021
Last Modified: 20 April 2023

Data Components

Network Connection Creation

Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)

Domain ID Name
mobile T1638 Adversary-in-the-Middle
enterprise T1020 Automated Exfiltration
enterprise T1020.001 Traffic Duplication
enterprise T1197 BITS Jobs
enterprise T1176 Browser Extensions
enterprise T1612 Build Image on Host
enterprise T1602 Data from Configuration Repository
enterprise T1602.001 SNMP (MIB Dump)
enterprise T1602.002 Network Device Configuration Dump
enterprise T1039 Data from Network Shared Drive
enterprise T1030 Data Transfer Size Limits
enterprise T1189 Drive-by Compromise
ics T0817 Drive-by Compromise
enterprise T1568 Dynamic Resolution
enterprise T1568.001 Fast Flux DNS
enterprise T1114 Email Collection
enterprise T1114.002 Remote Email Collection
enterprise T1048 Exfiltration Over Alternative Protocol
enterprise T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
enterprise T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
enterprise T1041 Exfiltration Over C2 Channel
enterprise T1011 Exfiltration Over Other Network Medium
enterprise T1011.001 Exfiltration Over Bluetooth
enterprise T1567 Exfiltration Over Web Service
enterprise T1567.002 Exfiltration to Cloud Storage
enterprise T1133 External Remote Services
enterprise T1008 Fallback Channels
enterprise T1105 Ingress Tool Transfer
enterprise T1104 Multi-Stage Channels
enterprise T1542 Pre-OS Boot
enterprise T1542.005 TFTP Boot
enterprise T1572 Protocol Tunneling
enterprise T1090 Proxy
enterprise T1090.001 Internal Proxy
enterprise T1090.002 External Proxy
enterprise T1090.003 Multi-hop Proxy
enterprise T1219 Remote Access Software
enterprise T1021 Remote Services
enterprise T1021.001 Remote Desktop Protocol
enterprise T1021.002 SMB/Windows Admin Shares
enterprise T1021.003 Distributed Component Object Model
enterprise T1021.004 SSH
enterprise T1021.005 VNC
enterprise T1021.006 Windows Remote Management
ics T0886 Remote Services
enterprise T1018 Remote System Discovery
enterprise T1496 Resource Hijacking
enterprise T1029 Scheduled Transfer
enterprise T1218 System Binary Proxy Execution
enterprise T1218.003 CMSTP
enterprise T1218.005 Mshta
enterprise T1218.007 Msiexec
enterprise T1218.010 Regsvr32
enterprise T1221 Template Injection
enterprise T1205 Traffic Signaling
enterprise T1205.001 Port Knocking
enterprise T1205.002 Socket Filters
enterprise T1204 User Execution
enterprise T1204.001 Malicious Link
ics T0863 User Execution
enterprise T1102 Web Service
enterprise T1102.002 Bidirectional Communication
enterprise T1102.003 One-Way Communication
mobile T1481 Web Service
mobile T1481.002 Bidirectional Communication
enterprise T1047 Windows Management Instrumentation

Network Traffic Content

Logged network traffic data showing both protocol header and body values (ex: PCAP)

Domain ID Name
enterprise T1087 Account Discovery
enterprise T1087.002 Domain Account
ics T0800 Activate Firmware Update Mode
enterprise T1595 Active Scanning
enterprise T1595.002 Vulnerability Scanning
enterprise T1595.003 Wordlist Scanning
enterprise T1557 Adversary-in-the-Middle
enterprise T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
enterprise T1557.002 ARP Cache Poisoning
enterprise T1557.003 DHCP Spoofing
ics T0830 Adversary-in-the-Middle
enterprise T1071 Application Layer Protocol
enterprise T1071.001 Web Protocols
enterprise T1071.002 File Transfer Protocols
enterprise T1071.003 Mail Protocols
enterprise T1071.004 DNS
ics T0802 Automated Collection
enterprise T1020 Automated Exfiltration
ics T0806 Brute Force I/O
enterprise T1612 Build Image on Host
ics T0892 Change Credential
ics T0858 Change Operating Mode
ics T0885 Commonly Used Port
enterprise T1586 Compromise Accounts
enterprise T1586.001 Social Media Accounts
ics T0884 Connection Proxy
enterprise T1132 Data Encoding
enterprise T1132.001 Standard Encoding
enterprise T1132.002 Non-Standard Encoding
enterprise T1602 Data from Configuration Repository
enterprise T1602.001 SNMP (MIB Dump)
enterprise T1602.002 Network Device Configuration Dump
enterprise T1039 Data from Network Shared Drive
enterprise T1565 Data Manipulation
enterprise T1565.002 Transmitted Data Manipulation
enterprise T1001 Data Obfuscation
enterprise T1001.001 Junk Data
enterprise T1001.002 Steganography
enterprise T1001.003 Protocol Impersonation
enterprise T1491 Defacement
enterprise T1491.001 Internal Defacement
enterprise T1491.002 External Defacement
ics T0812 Default Credentials
ics T0814 Denial of Service
ics T0868 Detect Operating Mode
ics T0816 Device Restart/Shutdown
enterprise T1482 Domain Trust Discovery
mobile T1407 Download New Code at Runtime
enterprise T1189 Drive-by Compromise
ics T0817 Drive-by Compromise
enterprise T1568 Dynamic Resolution
enterprise T1568.003 DNS Calculation
enterprise T1573 Encrypted Channel
enterprise T1573.001 Symmetric Cryptography
enterprise T1573.002 Asymmetric Cryptography
enterprise T1499 Endpoint Denial of Service
enterprise T1499.001 OS Exhaustion Flood
enterprise T1499.002 Service Exhaustion Flood
enterprise T1499.003 Application Exhaustion Flood
enterprise T1499.004 Application or System Exploitation
enterprise T1585 Establish Accounts
enterprise T1585.001 Social Media Accounts
enterprise T1048 Exfiltration Over Alternative Protocol
enterprise T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
enterprise T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
enterprise T1041 Exfiltration Over C2 Channel
enterprise T1011 Exfiltration Over Other Network Medium
enterprise T1011.001 Exfiltration Over Bluetooth
enterprise T1567 Exfiltration Over Web Service
enterprise T1567.001 Exfiltration to Code Repository
enterprise T1567.002 Exfiltration to Cloud Storage
enterprise T1567.003 Exfiltration to Text Storage Sites
enterprise T1190 Exploit Public-Facing Application
ics T0819 Exploit Public-Facing Application
enterprise T1210 Exploitation of Remote Services
mobile T1428 Exploitation of Remote Services
ics T0866 Exploitation of Remote Services
enterprise T1133 External Remote Services
enterprise T1187 Forced Authentication
enterprise T1589 Gather Victim Identity Information
enterprise T1589.002 Email Addresses
enterprise T1615 Group Policy Discovery
ics T0891 Hardcoded Credentials
enterprise T1070 Indicator Removal
enterprise T1070.005 Network Share Connection Removal
enterprise T1105 Ingress Tool Transfer
enterprise T1534 Internal Spearphishing
ics T0883 Internet Accessible Device
enterprise T1570 Lateral Tool Transfer
ics T0867 Lateral Tool Transfer
ics T0838 Modify Alarm Settings
ics T0836 Modify Parameter
ics T0889 Modify Program
ics T0839 Module Firmware
ics T0801 Monitor Process State
enterprise T1599 Network Boundary Bridging
enterprise T1599.001 Network Address Translation Traversal
enterprise T1095 Non-Application Layer Protocol
enterprise T1571 Non-Standard Port
enterprise T1003 OS Credential Dumping
enterprise T1003.006 DCSync
enterprise T1566 Phishing
enterprise T1566.001 Spearphishing Attachment
enterprise T1566.002 Spearphishing Link
enterprise T1566.003 Spearphishing via Service
enterprise T1598 Phishing for Information
enterprise T1598.001 Spearphishing Service
enterprise T1598.002 Spearphishing Attachment
enterprise T1598.003 Spearphishing Link
ics T0861 Point & Tag Identification
ics T0843 Program Download
ics T0845 Program Upload
enterprise T1572 Protocol Tunneling
enterprise T1090 Proxy
enterprise T1090.001 Internal Proxy
enterprise T1090.002 External Proxy
enterprise T1090.003 Multi-hop Proxy
enterprise T1090.004 Domain Fronting
enterprise T1219 Remote Access Software
enterprise T1563 Remote Service Session Hijacking
enterprise T1563.001 SSH Hijacking
enterprise T1563.002 RDP Hijacking
ics T0846 Remote System Discovery
ics T0888 Remote System Information Discovery
enterprise T1207 Rogue Domain Controller
ics T0848 Rogue Master
enterprise T1505 Server Software Component
enterprise T1505.003 Web Shell
ics T0865 Spearphishing Attachment
ics T0856 Spoof Reporting Message
ics T0869 Standard Application Layer Protocol
ics T0857 System Firmware
enterprise T1033 System Owner/User Discovery
enterprise T1221 Template Injection
enterprise T1205 Traffic Signaling
enterprise T1537 Transfer Data to Cloud Account
enterprise T1199 Trusted Relationship
ics T0855 Unauthorized Command Message
enterprise T1204 User Execution
enterprise T1204.001 Malicious Link
ics T0863 User Execution
enterprise T1102 Web Service
enterprise T1102.001 Dead Drop Resolver
enterprise T1102.002 Bidirectional Communication
enterprise T1102.003 One-Way Communication

Network Traffic Flow

Summarized network packet data with metrics such as protocol headers and volume (ex: Netflow or Zeek http.log)

Domain ID Name
enterprise T1595 Active Scanning
enterprise T1595.001 Scanning IP Blocks
enterprise T1595.002 Vulnerability Scanning
enterprise T1557 Adversary-in-the-Middle
enterprise T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
enterprise T1557.002 ARP Cache Poisoning
enterprise T1557.003 DHCP Spoofing
ics T0830 Adversary-in-the-Middle
ics T0878 Alarm Suppression
enterprise T1071 Application Layer Protocol
enterprise T1071.001 Web Protocols
enterprise T1071.002 File Transfer Protocols
enterprise T1071.003 Mail Protocols
enterprise T1071.004 DNS
enterprise T1020 Automated Exfiltration
enterprise T1020.001 Traffic Duplication
ics T0803 Block Command Message
ics T0804 Block Reporting Message
ics T0805 Block Serial COM
enterprise T1612 Build Image on Host
ics T0885 Commonly Used Port
ics T0884 Connection Proxy
enterprise T1565 Data Manipulation
enterprise T1565.002 Transmitted Data Manipulation
enterprise T1030 Data Transfer Size Limits
ics T0814 Denial of Service
ics T0816 Device Restart/Shutdown
enterprise T1568 Dynamic Resolution
enterprise T1568.001 Fast Flux DNS
enterprise T1568.002 Domain Generation Algorithms
enterprise T1499 Endpoint Denial of Service
enterprise T1499.001 OS Exhaustion Flood
enterprise T1499.002 Service Exhaustion Flood
enterprise T1499.003 Application Exhaustion Flood
enterprise T1499.004 Application or System Exploitation
enterprise T1048 Exfiltration Over Alternative Protocol
enterprise T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
enterprise T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
enterprise T1041 Exfiltration Over C2 Channel
enterprise T1011 Exfiltration Over Other Network Medium
enterprise T1011.001 Exfiltration Over Bluetooth
enterprise T1567 Exfiltration Over Web Service
enterprise T1567.001 Exfiltration to Code Repository
enterprise T1567.002 Exfiltration to Cloud Storage
enterprise T1567.003 Exfiltration to Text Storage Sites
enterprise T1133 External Remote Services
ics T0822 External Remote Services
enterprise T1008 Fallback Channels
enterprise T1187 Forced Authentication
enterprise T1200 Hardware Additions
enterprise T1105 Ingress Tool Transfer
enterprise T1534 Internal Spearphishing
ics T0883 Internet Accessible Device
enterprise T1570 Lateral Tool Transfer
ics T0867 Lateral Tool Transfer
mobile T1430 Location Tracking
mobile T1430.002 Impersonate SS7 Nodes
enterprise T1104 Multi-Stage Channels
enterprise T1599 Network Boundary Bridging
enterprise T1599.001 Network Address Translation Traversal
enterprise T1498 Network Denial of Service
enterprise T1498.001 Direct Network Flood
enterprise T1498.002 Reflection Amplification
enterprise T1046 Network Service Discovery
enterprise T1095 Non-Application Layer Protocol
enterprise T1571 Non-Standard Port
mobile T1509 Non-Standard Port
enterprise T1003 OS Credential Dumping
enterprise T1003.006 DCSync
enterprise T1566 Phishing
enterprise T1566.001 Spearphishing Attachment
enterprise T1566.002 Spearphishing Link
enterprise T1566.003 Spearphishing via Service
enterprise T1598 Phishing for Information
enterprise T1598.001 Spearphishing Service
enterprise T1598.002 Spearphishing Attachment
enterprise T1598.003 Spearphishing Link
ics T0845 Program Upload
enterprise T1572 Protocol Tunneling
enterprise T1090 Proxy
enterprise T1090.001 Internal Proxy
enterprise T1090.002 External Proxy
enterprise T1090.003 Multi-hop Proxy
mobile T1604 Proxy Through Victim
enterprise T1219 Remote Access Software
enterprise T1563 Remote Service Session Hijacking
enterprise T1563.001 SSH Hijacking
enterprise T1563.002 RDP Hijacking
enterprise T1021 Remote Services
enterprise T1021.001 Remote Desktop Protocol
enterprise T1021.002 SMB/Windows Admin Shares
ics T0886 Remote Services
ics T0846 Remote System Discovery
ics T0888 Remote System Information Discovery
enterprise T1496 Resource Hijacking
ics T0848 Rogue Master
enterprise T1029 Scheduled Transfer
enterprise T1505 Server Software Component
enterprise T1505.003 Web Shell
ics T0856 Spoof Reporting Message
ics T0869 Standard Application Layer Protocol
enterprise T1033 System Owner/User Discovery
enterprise T1205 Traffic Signaling
enterprise T1205.001 Port Knocking
ics T0864 Transient Cyber Asset
ics T0855 Unauthorized Command Message
enterprise T1102 Web Service
enterprise T1102.001 Dead Drop Resolver
enterprise T1102.002 Bidirectional Communication
enterprise T1102.003 One-Way Communication
ics T0860 Wireless Compromise
ics T0887 Wireless Sniffing
