Network Traffic

Data transmitted across a network (ex: Web, DNS, Mail, File, etc.) that is summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)

ID: DS0029
Platforms: IaaS, Linux, Windows, macOS
Collection Layers: Cloud Control Plane, Host, Network
Contributors: Center for Threat-Informed Defense (CTID); ExtraHop
Version: 1.0
Created: 20 October 2021
Last Modified: 10 November 2021

Data Components

Network Traffic: Network Connection Creation

Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)

Domain      ID     Name
Enterprise  T1020  Automated Exfiltration
            .001   Traffic Duplication
Enterprise  T1197  BITS Jobs
Enterprise  T1176  Browser Extensions
Enterprise  T1612  Build Image on Host
Enterprise  T1602  Data from Configuration Repository
            .001   SNMP (MIB Dump)
            .002   Network Device Configuration Dump
Enterprise  T1030  Data Transfer Size Limits
Enterprise  T1189  Drive-by Compromise
Enterprise  T1568  Dynamic Resolution
            .001   Fast Flux DNS
            .002   Domain Generation Algorithms
Enterprise  T1114  Email Collection
            .002   Remote Email Collection
Enterprise  T1048  Exfiltration Over Alternative Protocol
            .001   Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            .002   Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
            .003   Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Enterprise  T1041  Exfiltration Over C2 Channel
Enterprise  T1011  Exfiltration Over Other Network Medium
            .001   Exfiltration Over Bluetooth
Enterprise  T1008  Fallback Channels
Enterprise  T1105  Ingress Tool Transfer
Enterprise  T1104  Multi-Stage Channels
Enterprise  T1571  Non-Standard Port
Enterprise  T1542  Pre-OS Boot
            .005   TFTP Boot
Enterprise  T1572  Protocol Tunneling
Enterprise  T1090  Proxy
            .001   Internal Proxy
            .002   External Proxy
            .003   Multi-hop Proxy
Enterprise  T1219  Remote Access Software
Enterprise  T1021  Remote Services
            .001   Remote Desktop Protocol
            .002   SMB/Windows Admin Shares
            .003   Distributed Component Object Model
            .004   SSH
            .005   VNC
            .006   Windows Remote Management
Enterprise  T1018  Remote System Discovery
Enterprise  T1496  Resource Hijacking
Enterprise  T1029  Scheduled Transfer
Enterprise  T1218  Signed Binary Proxy Execution
            .003   CMSTP
            .005   Mshta
            .007   Msiexec
            .010   Regsvr32
Enterprise  T1221  Template Injection
Enterprise  T1205  Traffic Signaling
            .001   Port Knocking
Enterprise  T1204  User Execution
            .001   Malicious Link
Enterprise  T1102  Web Service
            .002   Bidirectional Communication
            .003   One-Way Communication
Enterprise  T1047  Windows Management Instrumentation

Network Traffic: Network Traffic Content

Logged network traffic data showing both protocol header and body values (ex: PCAP)

Domain      ID     Name
Enterprise  T1595  Active Scanning
            .002   Vulnerability Scanning
Enterprise  T1557  Adversary-in-the-Middle
            .001   LLMNR/NBT-NS Poisoning and SMB Relay
            .002   ARP Cache Poisoning
Enterprise  T1071  Application Layer Protocol
            .001   Web Protocols
            .002   File Transfer Protocols
            .003   Mail Protocols
            .004   DNS
Enterprise  T1020  Automated Exfiltration
Enterprise  T1612  Build Image on Host
Enterprise  T1586  Compromise Accounts
            .001   Social Media Accounts
Enterprise  T1132  Data Encoding
            .001   Standard Encoding
            .002   Non-Standard Encoding
Enterprise  T1602  Data from Configuration Repository
            .001   SNMP (MIB Dump)
            .002   Network Device Configuration Dump
Enterprise  T1565  Data Manipulation
            .002   Transmitted Data Manipulation
Enterprise  T1001  Data Obfuscation
            .001   Junk Data
            .002   Steganography
            .003   Protocol Impersonation
Enterprise  T1491  Defacement
            .001   Internal Defacement
            .002   External Defacement
Enterprise  T1189  Drive-by Compromise
Enterprise  T1568  Dynamic Resolution
            .003   DNS Calculation
Enterprise  T1573  Encrypted Channel
            .001   Symmetric Cryptography
            .002   Asymmetric Cryptography
Enterprise  T1499  Endpoint Denial of Service
            .001   OS Exhaustion Flood
            .002   Service Exhaustion Flood
            .003   Application Exhaustion Flood
            .004   Application or System Exploitation
Enterprise  T1585  Establish Accounts
            .001   Social Media Accounts
Enterprise  T1048  Exfiltration Over Alternative Protocol
            .001   Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            .002   Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
            .003   Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Enterprise  T1041  Exfiltration Over C2 Channel
Enterprise  T1011  Exfiltration Over Other Network Medium
            .001   Exfiltration Over Bluetooth
Enterprise  T1567  Exfiltration Over Web Service
            .001   Exfiltration to Code Repository
            .002   Exfiltration to Cloud Storage
Enterprise  T1190  Exploit Public-Facing Application
Enterprise  T1210  Exploitation of Remote Services
Enterprise  T1187  Forced Authentication
Enterprise  T1615  Group Policy Discovery
Enterprise  T1070  Indicator Removal on Host
            .005   Network Share Connection Removal
Enterprise  T1105  Ingress Tool Transfer
Enterprise  T1534  Internal Spearphishing
Enterprise  T1570  Lateral Tool Transfer
Enterprise  T1599  Network Boundary Bridging
            .001   Network Address Translation Traversal
Enterprise  T1095  Non-Application Layer Protocol
Enterprise  T1571  Non-Standard Port
Enterprise  T1003  OS Credential Dumping
            .006   DCSync
Enterprise  T1566  Phishing
            .001   Spearphishing Attachment
            .002   Spearphishing Link
            .003   Spearphishing via Service
Enterprise  T1598  Phishing for Information
            .001   Spearphishing Service
            .002   Spearphishing Attachment
            .003   Spearphishing Link
Enterprise  T1572  Protocol Tunneling
Enterprise  T1090  Proxy
            .001   Internal Proxy
            .002   External Proxy
            .003   Multi-hop Proxy
            .004   Domain Fronting
Enterprise  T1219  Remote Access Software
Enterprise  T1563  Remote Service Session Hijacking
            .001   SSH Hijacking
            .002   RDP Hijacking
Enterprise  T1207  Rogue Domain Controller
Enterprise  T1505  Server Software Component
            .003   Web Shell
Enterprise  T1221  Template Injection
Enterprise  T1205  Traffic Signaling
Enterprise  T1204  User Execution
            .001   Malicious Link
Enterprise  T1102  Web Service
            .001   Dead Drop Resolver
            .002   Bidirectional Communication
            .003   One-Way Communication

Network Traffic: Network Traffic Flow

Summarized network packet data with metrics such as protocol headers and volume (ex: Netflow or Zeek http.log)

Domain      ID     Name
Enterprise  T1595  Active Scanning
            .001   Scanning IP Blocks
            .002   Vulnerability Scanning
Enterprise  T1557  Adversary-in-the-Middle
            .001   LLMNR/NBT-NS Poisoning and SMB Relay
            .002   ARP Cache Poisoning
Enterprise  T1071  Application Layer Protocol
            .001   Web Protocols
            .002   File Transfer Protocols
            .003   Mail Protocols
            .004   DNS
Enterprise  T1020  Automated Exfiltration
            .001   Traffic Duplication
Enterprise  T1612  Build Image on Host
Enterprise  T1565  Data Manipulation
            .002   Transmitted Data Manipulation
Enterprise  T1030  Data Transfer Size Limits
Enterprise  T1568  Dynamic Resolution
            .001   Fast Flux DNS
            .002   Domain Generation Algorithms
Enterprise  T1499  Endpoint Denial of Service
            .001   OS Exhaustion Flood
            .002   Service Exhaustion Flood
            .003   Application Exhaustion Flood
            .004   Application or System Exploitation
Enterprise  T1048  Exfiltration Over Alternative Protocol
            .001   Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            .002   Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
            .003   Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Enterprise  T1041  Exfiltration Over C2 Channel
Enterprise  T1011  Exfiltration Over Other Network Medium
            .001   Exfiltration Over Bluetooth
Enterprise  T1567  Exfiltration Over Web Service
            .001   Exfiltration to Code Repository
            .002   Exfiltration to Cloud Storage
Enterprise  T1133  External Remote Services
Enterprise  T1008  Fallback Channels
Enterprise  T1187  Forced Authentication
Enterprise  T1105  Ingress Tool Transfer
Enterprise  T1534  Internal Spearphishing
Enterprise  T1570  Lateral Tool Transfer
Enterprise  T1104  Multi-Stage Channels
Enterprise  T1599  Network Boundary Bridging
            .001   Network Address Translation Traversal
Enterprise  T1498  Network Denial of Service
            .001   Direct Network Flood
            .002   Reflection Amplification
Enterprise  T1046  Network Service Scanning
Enterprise  T1095  Non-Application Layer Protocol
Enterprise  T1571  Non-Standard Port
Enterprise  T1003  OS Credential Dumping
            .006   DCSync
Enterprise  T1566  Phishing
            .001   Spearphishing Attachment
            .002   Spearphishing Link
            .003   Spearphishing via Service
Enterprise  T1598  Phishing for Information
            .001   Spearphishing Service
            .002   Spearphishing Attachment
            .003   Spearphishing Link
Enterprise  T1572  Protocol Tunneling
Enterprise  T1090  Proxy
            .001   Internal Proxy
            .002   External Proxy
            .003   Multi-hop Proxy
Enterprise  T1219  Remote Access Software
Enterprise  T1563  Remote Service Session Hijacking
            .001   SSH Hijacking
            .002   RDP Hijacking
Enterprise  T1021  Remote Services
            .001   Remote Desktop Protocol
            .002   SMB/Windows Admin Shares
Enterprise  T1496  Resource Hijacking
Enterprise  T1029  Scheduled Transfer
Enterprise  T1505  Server Software Component
            .003   Web Shell
Enterprise  T1205  Traffic Signaling
            .001   Port Knocking
Enterprise  T1102  Web Service
            .001   Dead Drop Resolver
            .002   Bidirectional Communication
            .003   One-Way Communication