Network Traffic

Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)

ID: DS0029
Platforms: Android, IaaS, Linux, Windows, iOS, macOS
Collection Layers: Cloud Control Plane, Host, Network
Contributors: Center for Threat-Informed Defense (CTID); ExtraHop
Version: 1.1
Created: 20 October 2021
Last Modified: 20 April 2023

Data Components

Network Traffic: Network Connection Creation

Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)

Network Traffic: Network Connection Creation

Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)

Domain ID Name Detects
Mobile T1638 Adversary-in-the-Middle

Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate.

Enterprise T1020 Automated Exfiltration

Monitor for newly constructed network connections associated with processes performing collection activity, especially those involving abnormal/untrusted hosts.

.001 Traffic Duplication

Monitor for newly constructed network connections that are sent or received by abnormal or untrusted hosts.

Enterprise T1197 BITS Jobs

Monitor for newly constructed network activity generated by BITS. BITS jobs use HTTP(S) and SMB for remote connections and are tethered to the creating user and will only function when that user is logged on (this rule applies even if a user attaches the job to a service account).

Enterprise T1176 Browser Extensions

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Enterprise T1612 Build Image on Host

Monitor for established network communications with anomalous IPs that have never been seen before in the environment that may indicate the download of malicious code.

Enterprise T1602 Data from Configuration Repository

Monitor for newly constructed network connections that are sent or received by untrusted hosts or uncommon data flows. Consider analyzing packet contents to detect application layer protocols, leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g. unauthorized, gratuitous, or anomalous traffic patterns attempting to access configuration content)

.001 SNMP (MIB Dump)

Monitor for newly constructed network connections that are sent or received by untrusted hosts or uncommon data flows. Consider analyzing packet contents to detect application layer protocols, leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows(e.g. snmp traffic originating from unauthorized or untrusted hosts, signature detection for strings mapped to device configuration(s), and anomolies in snmp request(s))

.002 Network Device Configuration Dump

Monitor for newly constructed network connections that are sent or received by untrusted hosts or uncommon data flows. Consider analyzing packet contents to detect application layer protocols, leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g. unauthorized, gratuitous, or anomalous traffic patterns attempting to access network configuration content)

Enterprise T1039 Data from Network Shared Drive

Monitor for newly constructed network connections that may search network shares on computers they have compromised to find files of interest. Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on network protocols such as SMB that revolve around network shares.

Enterprise T1030 Data Transfer Size Limits

Monitor for newly constructed network connections that are sent or received by untrusted hosts or uncommon data flows (e.g. unusual network communications or suspicious communications sending fixed size data packets at regular intervals as well as unusually long connection patterns). Consider analyzing packet contents to detect application layer protocols, leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, protocol port mismatch, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g. monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated

Enterprise T1189 Drive-by Compromise

Monitor for newly constructed network connections to untrusted hosts that are used to send or receive data.

ICS T0817 Drive-by Compromise

Monitor for newly constructed network connections to untrusted hosts that are used to send or receive data.

Enterprise T1568 Dynamic Resolution

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

.001 Fast Flux DNS

Monitor for newly constructed network connections that may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution.

Enterprise T1114 Email Collection

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

.002 Remote Email Collection

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Enterprise T1048 Exfiltration Over Alternative Protocol

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

.003 Exfiltration Over Unencrypted Non-C2 Protocol

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Enterprise T1041 Exfiltration Over C2 Channel

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Note: Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on TCP network connection creation.

Enterprise T1011 Exfiltration Over Other Network Medium

Monitor for newly constructed network connections that may attempt to exfiltrate data over a different network medium than the command and control channel. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Note: Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on TCP network connection creation. The below analytic is using an event ID from OSQuery.

Analytic 1 - Windows Process Network Connection

netcon_from_sysproc = filter process_open_sockets where remote_port != 0 AND proc_name!= '';"

.001 Exfiltration Over Bluetooth

Monitor for newly constructed network connections that may attempt to exfiltrate data over Bluetooth rather than the command and control channel. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Enterprise T1567 Exfiltration Over Web Service

Monitor for newly constructed network connections to web and cloud services associated with abnormal or non-browser processes.

.002 Exfiltration to Cloud Storage

Monitor for newly constructed network connections to cloud services associated with abnormal or non-browser processes.

Enterprise T1133 External Remote Services

Monitor for newly constructed network connections that may use Valid Accounts to access and/or persist within a network using External Remote Services. Use of External Remote Services may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using External Remote Services.

Enterprise T1008 Fallback Channels

Monitor for newly constructed network connections that may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds. Processes utilizing the network that do not normally have network communication or have never been seen before may be suspicious.

Note: Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on TCP network connection creation. The below analytic is using an event ID from OSQuery.

Analytic 1 - Windows Process Network Connection

netcon_from_sysproc = filter process_open_sockets where remote_port != 0 AND proc_name!= '';"

Enterprise T1105 Ingress Tool Transfer

Monitor for newly constructed network connections that are sent or received by untrusted hosts or creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.

Enterprise T1104 Multi-Stage Channels

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Enterprise T1542 Pre-OS Boot

Monitor for newly constructed network device configuration and system image against a known-good version to discover unauthorized changes to system boot, startup configuration, or the running OS. The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.

.005 TFTP Boot

Monitor for newly constructed network device configuration and system image against a known-good version to discover unauthorized changes to system boot, startup configuration, or the running OS. [1] [2] The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.

Enterprise T1572 Protocol Tunneling

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Enterprise T1090 Proxy

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

.001 Internal Proxy

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

.002 External Proxy

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

.003 Multi-hop Proxy

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Enterprise T1219 Remote Access Software

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Enterprise T1021 Remote Services

Monitor for newly constructed network connections that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as RDP, telnet, SSH, and VNC. Monitor network connections involving common remote management protocols, such as ports tcp:3283 and tcp:5900, as well as ports tcp: 3389 and tcp:22 for remote login.

Note: Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on network service protocols such as SSH and RDP.

Analytic 1 - Suspicious Protocols

suspicious_protocol = filter network_traffic where ((server_port = "636" AND protocol = "6") OR (server_port = "389" AND protocol = "17"))

.001 Remote Desktop Protocol

Monitor for newly constructed network connections (typically over port 3389) that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.

.002 SMB/Windows Admin Shares

Monitor for newly constructed network connections (typically over ports 139 or 445), especially those that are sent or received by abnormal or untrusted hosts. Correlate these network connections with remote login events and associated SMB-related activity such as file transfers and remote process execution.

Note: Event ID is for Zeek but can also be implemented in other Network Analysis Frameworks by parsing & decoding captured SMB2 network traffic. Preference would be to detect smb2_write_response event (instead of smb2_write_request), because it would confirm the file was actually written to the remote destination. Unfortunately, Bro/Zeek does not have an event for that SMB message-type yet. From a network traffic capture standpoint, it’s important to capture the right traffic for this type of detection to function (e.g., all endpoint to endpoint if possible or workstation to server and workstation to workstation). As such, it is helpful to have a centralized server area where it is possible to monitor communications between servers and endpoints.

Analytic 1 and 2 are very similar, with the key difference being that Implementation 2 is intended to capture multiple attempts at lateral movement originating from the same host within a short time period (5 minutes).

  • Analytic 1 is indication of an SMB file write to a Windows Admin File Share: ADMIN$ or C$

  • Analytic 2 is observed originating from the same host, regardless of write-attempts and regardless of whether or not any connection is successful —just connection attempts— within a specified period of time.

From a network traffic capture standpoint, it’s important to capture the right traffic for this type of detection to function (e.g., all endpoint to endpoint if possible or workstation to server and workstation to workstation). As such, it is helpful to have a centralized server area where it is possible to monitor communications between servers and endpoints.The Service Control Manager (SCM) can be used to copy a file to the ADMIN$ share and execute it as a service. This can be detected by looking for incoming RPC network connections to the Service Control Manager, followed by services.exe spawning a child process.

Analytic 1 - Basic

suspicious_smb_traffic = filter log_events where ((event_id == "smb2_write_request" OR event_type == "smb1_write_andx_response") AND (connection.smb_state.path == "ADMIN$" OR connection.smb_state.path == "C$"))

Analytic 2 - Multiple Attempts (Time Window)

suspicious_smb_traffic = filter log_events where ( (event_type == "smb2_tree_connect_request" OR event_type == "smb1_tree_connect_andx_request") AND (connection.smb_state.path == "ADMIN$" OR connection.smb_state.path == "C$") REPEATS 5 TIMES WITHIN 5 MINUTES FROM SAME src_ip )

.003 Distributed Component Object Model

Monitor for newly constructed network connections that may use Valid Accounts to interact with remote machines using Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user. Monitor for any influxes or abnormal increases in DCOM related Distributed Computing Environment/Remote Procedure Call (DCE/RPC) traffic (typically over port 135).

Note: Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on RPC network flows. Traffic to the RPC Endpoint Mapper will always have the destination port of 135. Assuming success, RPC traffic will continue to the endpoint. The endpoint and the client both bind to dynamically assigned ports (on Windows, this is typically greater than 49152). The traffic between the client and endpoint can be detected by looking at traffic to 135 followed by traffic where the source and destination ports are at least 49152.

Analytic 1 - RPC Mapper

rpc_mapper = filter flows where (dest_port == 135)rpc_endpoint = filter flows where (dest_port >= 49152 and src_port >= 49152)rpc = join rpc_mapper, rpc_endpoint where ( (rpc_mapper.time < rpc_endpoint.time < rpc_mapper.time + 2 seconds) AND (rpc_mapper.src_ip == rpc_endpoint.src_ip AND rpc_mapper.dest_ip == rpc_endpoint.dest_ip))

.004 SSH

Monitor for newly constructed network connections (typically port 22) that may use Valid Accounts to log into remote machines using Secure Shell (SSH). Use of SSH may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH.

Network Analysis Frameworks such as Zeek can be used to capture, decode, and alert on network traffic. Accordingly, they can be used to look for the creation of SSH network connections.

.005 VNC

Monitor for newly constructed network connections that may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). Use of VNC may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.

.006 Windows Remote Management

Monitor for newly constructed network connections using Windows Remote Management (WinRM), such as remote WMI connection attempts (typically over port 5985 when using HTTP and 5986 for HTTPS).

ICS T0886 Remote Services

Monitor for newly constructed network connections into a service specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. Monitor network connections involving common remote management protocols, such as ports tcp:3283 and tcp:5900, as well as ports tcp:3389 and tcp:22 for remote logins. The adversary may use Valid Accounts to enable remote logins.

Enterprise T1018 Remote System Discovery

Monitor for newly constructed network connections associated with pings/scans that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.

Enterprise T1496 Resource Hijacking

Monitor for newly constructed network connections that are sent or received by untrusted hosts, look for connections to/from strange ports, as well as reputation of IPs and URLs related cryptocurrency hosts.

Note: Destination Host Name is not a comprehensive list of potential cryptocurrency URLs.

Analytic 1 - Suspicious Port Connections

suspicious_netcoms = filter network traffic where ((src_port = "3333" OR src_port = "4444" OR src_port = "5555" OR src_port = "6666") AND (dst_host_name = "cryptmonero.com" OR dst_host_name = "crypto-pool.fr" OR dst_host_name = "crypto-pool.info" OR dst_host_name = "cryptonight-hub.miningpoolhub.com"))

Enterprise T1029 Scheduled Transfer

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Enterprise T1218 System Binary Proxy Execution

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

.003 CMSTP

Monitor for newly constructed network connections that are sent or received by untrusted hosts, such as Sysmon Event 3 (Network connection) where Image contains CMSTP.exe and DestinationIP is external.

.005 Mshta

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

.007 Msiexec

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

.010 Regsvr32

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Enterprise T1221 Template Injection

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Enterprise T1205 Traffic Signaling

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

.001 Port Knocking

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

.002 Socket Filters

Monitor recently started applications creating raw socket connections.[3]

Enterprise T1204 User Execution

Monitor for newly constructed web-based network connections that are sent to malicious or suspicious destinations (e.g. destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g. monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, .SCF, HTA, MSI, DLLs, or msiexec.exe).

.001 Malicious Link

Monitor for newly constructed web-based network connections that are sent to malicious or suspicious destinations (e.g. destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g. monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, .SCF, HTA, MSI, DLLs, or msiexec.exe).

ICS T0863 User Execution

Monitor for newly constructed web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, SCF, HTA, MSI, DLLs, or msiexec.exe).

Enterprise T1102 Web Service

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

.002 Bidirectional Communication

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

.003 One-Way Communication

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Mobile T1481 Web Service

Many properly configured firewalls may naturally block command and control traffic.

.001 Dead Drop Resolver

Many properly configured firewalls may naturally block command and control traffic.

.002 Bidirectional Communication

Many properly configured firewalls may naturally block bidirectional command and control traffic.

.003 One-Way Communication

Many properly configured firewalls may naturally block one-way command and control traffic.

Enterprise T1047 Windows Management Instrumentation

Monitor network traffic for WMI connections for potential use to remotely edit configuration, start services, or query files. When remote WMI requests are over RPC it connects to a DCOM interface within the RPC group netsvcs. To detect this activity, a sensor is needed at the network level that can decode RPC traffic or on the host where the communication can be detected more natively, such as Event Tracing for Windows. Using wireshark/tshark decoders, the WMI interfaces can be extracted so that WMI activity over RPC can be detected. Although the description details how to detect remote WMI precisely, a decent estimate has been to look for the string RPCSS within the initial RPC connection on 135/tcp. It returns a superset of this activity, and will trigger on all DCOM-related services running within RPC, which is likely to also be activity that should be detected between hosts. More about RPCSS at : rpcss_dcom_interfaces.html

After the WMI connection has been initialized, a process can be remotely launched using the command: wmic /node:"" process call create "", which is detected in the third Detection Pseudocode.

This leaves artifacts at both a network (RPC) and process (command line) level. When wmic.exe (or the schtasks API) is used to remotely create processes, Windows uses RPC (135/tcp) to communicate with the the remote machine.

After RPC authenticates, the RPC endpoint mapper opens a high port connection, through which the schtasks Remote Procedure Call is actually implemented. With the right packet decoders, or by looking for certain byte streams in raw data, these functions can be identified.

When the command line is executed, it has the parent process of C:\windows\system32\wbem\WmiPrvSE.exe. This analytic looks for these two events happening in sequence, so that the network connection and target process are output.

Certain strings can be identifiers of the WMI by looking up the interface UUID for IRemUnknown2 in different formats- UUID 00000143-0000-0000-c000-000000000046 (decoded)- Hex 43 01 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 (raw)- ASCII CF (printable text only)

This identifier is present three times during the RPC request phase. Any sensor that has access to the byte code as raw, decoded, or ASCII could implement this analytic. The transfer syntax is- UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (decoded)- Hex 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 (raw)- ASCII `]+H`` (printable text only)

Thus, a great ASCII based signature is- CF]+HCFCFhost"

Note: To detect WMI over RPC (using DCOM), a sensor needs to exist that has the insight into individual connections and can actually decode and make sense of RPC traffic. Specifically, WMI can be detected by looking at RPC traffic where the target interface matches that of WMI, which is IRemUnknown2. Look for instances of the WMI querying in network traffic, and find the cases where a process is launched immediately after a connection is seen. This essentially merges the request to start a remote process via WMI with the process execution. If other processes are spawned from wmiprvse.exe in this time frame, it is possible for race conditions to occur, and the wrong process may be merged. If this is the case, it may be useful to look deeper into the network traffic to see if the desired command can be extracted.

Analytic 1 - Remote WMI over RPC

wmi_flow = filter network_flow where (dest_port == 135 and proto_info.rpc_interface == "IRemUnknown2")

Analytic 2 : Remotely Launched Executables via WMI

wmi_children = filter processes where (parent_process == "wmiprvse.exe")wmi_flow = filter network flow where (src_port ≥ 49152 and dest_port ≥ 49152 and proto_info.rpc_interface == "IRemUnknown2")remote_wmi_process = join wmi_children, wmi_flow where (wmi_flow.time < wmi_children.time < wmi_flow.time + 1 sec and wmi_flow.hostname == wmi_children.hostname

Network Traffic: Network Traffic Content

Logged network traffic data showing both protocol header and body values (ex: PCAP)

Network Traffic: Network Traffic Content

Logged network traffic data showing both protocol header and body values (ex: PCAP)

Domain ID Name Detects
Enterprise T1087 .002 Account Discovery: Domain Account

Monitor and analyze traffic patterns and packet inspection associated to LDAP and MSRPC that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure).

ICS T0800 Activate Firmware Update Mode

Monitor ICS automation network protocols for information that an asset has been placed into Firmware Update Mode.

Enterprise T1595 Active Scanning

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.002 Vulnerability Scanning

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.003 Wordlist Scanning

Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).

Enterprise T1557 Adversary-in-the-Middle

Monitor network traffic for anomalies associated with known AiTM behavior.

.001 LLMNR/NBT-NS Poisoning and SMB Relay

Monitor for traffic on ports UDP 5355 and UDP 137 if LLMNR/NetBIOS is disabled by security policy.

.002 ARP Cache Poisoning

Monitor network traffic for unusual ARP traffic, gratuitous ARP replies may be suspicious. Consider collecting changes to ARP caches across endpoints for signs of ARP poisoning. For example, if multiple IP addresses map to a single MAC address, this could be an indicator that the ARP cache has been poisoned.

.003 DHCP Spoofing

Monitor network traffic for suspicious/malicious behavior involving DHCP, such as changes in DNS and/or gateway parameters. Additionally, monitor network traffic for rogue DHCPv6 activity.

ICS T0830 Adversary-in-the-Middle

Monitor network traffic for anomalies associated with known AiTM behavior. For Collection activity where transmitted data is not manipulated, anomalies may be present in network management protocols (e.g., ARP, DHCP).

Enterprise T1071 Application Layer Protocol

Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.001 Web Protocols

Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.002 File Transfer Protocols

Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.003 Mail Protocols

Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.004 DNS

Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for DNS over TLS (DoT) and DNS over HTTPS (DoH), that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

ICS T0802 Automated Collection

Monitor for information collection on assets that may indicate deviations from standard operational tools. Examples include unexpected industrial automation protocol functions, new high volume communication sessions, or broad collection across many hosts within the network.

Enterprise T1020 Automated Exfiltration

Monitor network traffic content for evidence of data exfiltration, such as gratuitous or anomalous outbound traffic containing collected data. Consider correlation with process monitoring and command lines associated with collection and exfiltration.

ICS T0806 Brute Force I/O

Monitor network traffic for ICS functions related to write commands for an excessive number of I/O points or manipulating a single value an excessive number of times.

Enterprise T1612 Build Image on Host

Monitor for network traffic associated with requests and/or downloads of container images, especially those that may be anomalous or known malicious.

ICS T0892 Change Credential

Monitor for device credential changes observable in automation or management network protocols.

ICS T0858 Change Operating Mode

Monitor ICS management protocols for functions that change an asset’s operating mode.

ICS T0885 Commonly Used Port

Monitor for mismatches between protocols and their expected ports (e.g., non-HTTP traffic on tcp:80). Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[4]

Enterprise T1586 Compromise Accounts

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.001 Social Media Accounts

Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

ICS T0884 Connection Proxy

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Enterprise T1659 Content Injection

Monitor for other unusual network traffic that may indicate additional malicious content transferred to the system. Use network intrusion detection systems, sometimes with SSL/TLS inspection, to look for known malicious payloads, content obfuscation, and exploit code.

Enterprise T1132 Data Encoding

Monitor for network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.

Note: Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on network protocols and packet contents.

.001 Standard Encoding

Monitor for network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.

.002 Non-Standard Encoding

Monitor for network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.

Enterprise T1602 Data from Configuration Repository

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. unauthorized, gratuitous, or anomalous traffic patterns attempting to access configuration content)

.001 SNMP (MIB Dump)

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flow (e.g. snmp traffic originating from unauthorized or untrusted hosts, signature detection for strings mapped to device configuration(s), and anomolies in snmp request(s))

.002 Network Device Configuration Dump

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. unauthorized, gratuitous, or anomalous traffic patterns attempting to access network configuration content)

Enterprise T1039 Data from Network Shared Drive

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Enterprise T1565 Data Manipulation

Monitor for networks that solicits and obtains the configuration information of the queried device.

.002 Transmitted Data Manipulation

Monitor for networks that solicits and obtains the configuration information of the queried device.

Enterprise T1001 Data Obfuscation

Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.001 Junk Data

Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.002 Steganography

Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure).

.003 Protocol Impersonation

Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Enterprise T1491 Defacement

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. unauthorized, gratuitous, or anomalous traffic patterns attempting to access internal and external websites and services). Consider correlating with application monitoring for indication of unplanned service interruptions or unauthorized content changes.

.001 Internal Defacement

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.002 External Defacement

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

ICS T0812 Default Credentials

Monitor network traffic for default credential use in protocols that allow unencrypted authentication.

ICS T0814 Denial of Service

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

ICS T0868 Detect Operating Mode

Monitor ICS automation network protocols for functions related to reading an asset’s operating mode. In some cases, there may be multiple ways to detect a device’s operating mode, one of which is typically used in the operational environment. Monitor for the operating mode being checked in unexpected ways.

ICS T0816 Device Restart/Shutdown

Monitor ICS automation protocols for functions that restart or shutdown a device. Commands to restart or shutdown devices may also be observable in traditional IT management protocols.

Enterprise T1482 Domain Trust Discovery

Monitor and analyze traffic patterns and packet inspection associated to LDAP and MSRPC that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure).

Mobile T1407 Download New Code at Runtime

Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.

Enterprise T1189 Drive-by Compromise

Monitor for other unusual network traffic that may indicate additional tools transferred to the system. Use network intrusion detection systems, sometimes with SSL/TLS inspection, to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.

ICS T0817 Drive-by Compromise

Monitor for unusual network traffic that may indicate additional tools transferred to the system. Use network intrusion detection systems, sometimes with SSL/TLS inspection, to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.

Enterprise T1568 Dynamic Resolution

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.003 DNS Calculation

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Enterprise T1573 Encrypted Channel

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.001 Symmetric Cryptography

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.002 Asymmetric Cryptography

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Enterprise T1499 Endpoint Denial of Service

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.001 OS Exhaustion Flood

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.002 Service Exhaustion Flood

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.003 Application Exhaustion Flood

Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.004 Application or System Exploitation

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Enterprise T1585 Establish Accounts

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.001 Social Media Accounts

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Enterprise T1048 Exfiltration Over Alternative Protocol

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.003 Exfiltration Over Unencrypted Non-C2 Protocol

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Enterprise T1041 Exfiltration Over C2 Channel

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Enterprise T1011 Exfiltration Over Other Network Medium

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.001 Exfiltration Over Bluetooth

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Enterprise T1567 Exfiltration Over Web Service

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.001 Exfiltration to Code Repository

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.002 Exfiltration to Cloud Storage

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.003 Exfiltration to Text Storage Sites

Monitor and analyze network traffic for exfiltration attempts using text storage sites, i.e. POST requests to text storage sites.

.004 Exfiltration Over Webhook

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Enterprise T1190 Exploit Public-Facing Application

Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection strings or known payloads.

ICS T0819 Exploit Public-Facing Application

Use deep packet inspection to look for artifacts of common exploit traffic, such as known payloads.

Enterprise T1210 Exploitation of Remote Services

Use deep packet inspection to look for artifacts of common exploit traffic, such as known payloads.

Mobile T1428 Exploitation of Remote Services

Network traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources.

ICS T0866 Exploitation of Remote Services

Use deep packet inspection to look for artifacts of common exploit traffic, such as known payloads.

Enterprise T1133 External Remote Services

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Enterprise T1187 Forced Authentication

For internal traffic, monitor the workstation-to-workstation unusual (vs. baseline) SMB traffic. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located.

Enterprise T1589 Gather Victim Identity Information

Monitor for suspicious network traffic that could be indicative of probing for user information, such as large/iterative quantities of authentication requests originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.

.002 Email Addresses

Monitor for suspicious network traffic that could be indicative of probing for email addresses and/or usernames, such as large/iterative quantities of authentication requests originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.

Enterprise T1615 Group Policy Discovery

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

ICS T0891 Hardcoded Credentials

Monitor network traffic for hardcoded credential use in protocols that allow unencrypted authentication.

Enterprise T1070 Indicator Removal

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.005 Network Share Connection Removal

Monitoring for SMB traffic between systems may also be captured and decoded to look for related network share session and file transfer activity.

Enterprise T1105 Ingress Tool Transfer

Monitor network traffic content for files and other potentially malicious content, especially data coming in from abnormal/unknown domain and IPs.

Enterprise T1534 Internal Spearphishing

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

ICS T0883 Internet Accessible Device

Monitor for unusual logins to Internet connected devices or unexpected protocols to/from the Internet. Network traffic content will provide valuable context and details about the content of network flows.

Enterprise T1570 Lateral Tool Transfer

Monitor for unusual processes with internal network connections creating files on-system may be suspicious

Note: Analytic Event Type is for Zeek but can also be implemented in other Network Analysis Frameworks by parsing & decoding captured SMB2 network traffic. From a network traffic capture standpoint, it’s important to capture the right traffic for this type of detection to function (e.g., all endpoint to endpoint if possible or workstation to server and workstation to workstation). As such, it is helpful to have a centralized server area where it is possible to monitor communications between servers and endpoints.

  • Analytic 1 and 2 are very similar, with the key difference being that Implementation 2 is intended to capture multiple attempts at lateral movement originating from the same host within a short time period (5 minutes).

Analytic 1 - Basic

suspicious_smb_traffic = filter log_events where ((event_id == "smb2_write_response" OR event_id == "smb1_write_response" OR event_id == "smb1_write_andx_response") AND (connection.smb_state.path == "ADMIN$" OR connection.smb_state.path == "C$") )

Analytic 2 - Multiple Attempts (Time Window)

suspicious_smb_traffic = filter log_events where ((event_id == "smb2_write_response" OR event_id == "smb1_write_response" OR event_id == "smb1_write_andx_response") AND (connection.smb_state.path == "ADMIN$" OR connection.smb_state.path == "C$") REPEATS 5 TIMES WITHIN 5 MINUTES FROM SAME src_ip)

ICS T0867 Lateral Tool Transfer

Monitor for unusual processes with internal network connections creating files on-system which may be suspicious.

ICS T0838 Modify Alarm Settings

Monitor for alarm setting changes observable in automation or management network protocols.

ICS T0836 Modify Parameter

Monitor ICS management protocols for parameter changes, including for unexpected values, changes far exceeding standard values, or for parameters being changed in an unexpected way (e.g., via a new function, at an unusual time).

ICS T0889 Modify Program

Monitor device management protocols for functions that modify programs such as online edit and program append events.

ICS T0839 Module Firmware

Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.

ICS T0801 Monitor Process State

Monitor ICS automation network protocols for functions related to reading an operational process state (e.g., "Read" function codes in protocols like DNP3 or Modbus). In some cases, there may be multiple ways to monitor an operational process’ state, one of which is typically used in the operational environment. Monitor for the operating mode being checked in unexpected ways.

Enterprise T1599 Network Boundary Bridging

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.001 Network Address Translation Traversal

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Enterprise T1095 Non-Application Layer Protocol

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Enterprise T1571 Non-Standard Port

Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.

Enterprise T1003 OS Credential Dumping

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.006 DCSync

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Enterprise T1566 Phishing

Monitor and analyze SSL/TLS traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[5][6]

.001 Spearphishing Attachment

Monitor and analyze SSL/TLS traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[5][6]

.002 Spearphishing Link

Monitor and analyze SSL/TLS traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Furthermore, monitor network traffic for cloned sites as well as homographs via the use of internationalized domain names abusing different character sets (e.g. Cyrillic vs Latin versions of trusted sites).

.003 Spearphishing via Service

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Mobile T1660 Phishing

Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.

Enterprise T1598 Phishing for Information

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.001 Spearphishing Service

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.002 Spearphishing Attachment

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.003 Spearphishing Link

Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Furthermore, monitor network traffic for homographs via the use of internationalized domain names abusing different character sets (e.g. Cyrillic vs Latin versions of trusted sites). Also monitor and analyze traffic patterns and packet inspection for indicators of cloned websites. For example, if adversaries use HTTrack to clone websites, Mirrored from (victim URL) may be visible in the HTML section of packets.

ICS T0861 Point & Tag Identification

Monitor ICS automation protocols for anomalies related to reading point or tag data, such as new assets using these functions, changes in volume or timing, or unusual information being queried. Many protocols provide multiple ways to achieve the same result (e.g., functions with/without an acknowledgment or functions that operate on a single point vs. multiple points). Monitor for changes in the functions used.

ICS T0843 Program Download

Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.

ICS T0845 Program Upload

Program uploads may be observable in ICS management protocols or file transfer protocols. Note when protocol functions related to program uploads occur. In cases where the ICS protocols is not well understood, one option is to examine network traffic for the program files themselves using signature-based tools.

Enterprise T1572 Protocol Tunneling

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Enterprise T1090 Proxy

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.001 Internal Proxy

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.002 External Proxy

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.003 Multi-hop Proxy

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.004 Domain Fronting

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Enterprise T1219 Remote Access Software

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Enterprise T1563 Remote Service Session Hijacking

Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.001 SSH Hijacking

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.002 RDP Hijacking

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on network protocols including RDP.

ICS T0846 Remote System Discovery

Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations. Note that some ICS protocols use broadcast or multicast functionality, which may produce false positives. Also monitor for hosts enumerating network connected resources using non-ICS enterprise protocols.

ICS T0888 Remote System Information Discovery

Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations. Note that some ICS protocols use broadcast or multicast functionality, which may produce false positives. Also monitor for hosts enumerating network connected resources using non-ICS enterprise protocols.

Enterprise T1207 Rogue Domain Controller

Monitor and analyze network traffic associated with data replication (such as calls to DrsAddEntry, DrsReplicaAdd, and especially GetNCChanges) between DCs as well as to/from non DC hosts. [7][8] DC replication will naturally take place every 15 minutes but can be triggered by an adversary or by legitimate urgent changes (ex: passwords).

ICS T0848 Rogue Master

Monitor for unexpected ICS protocol functions from new and existing devices. Monitoring known devices requires ICS function level insight to determine if an unauthorized device is issuing commands (e.g., a historian).

Enterprise T1505 Server Software Component

Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). [9]

.003 Web Shell

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

ICS T0865 Spearphishing Attachment

Monitor network traffic for suspicious email attachments. Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Use web proxies to review content of emails including sender information, headers, and attachments for potentially malicious content.

ICS T0856 Spoof Reporting Message

Spoofed reporting messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Spoofed messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed.

Various techniques enable spoofing a reporting message. Consider monitoring for Rogue Master and Adversary-in-the-Middle activity.

ICS T0869 Standard Application Layer Protocol

Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

ICS T0857 System Firmware

Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.

Enterprise T1033 System Owner/User Discovery

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Note: Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on network protocols.

Enterprise T1221 Template Injection

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Enterprise T1205 Traffic Signaling

Monitor and analyze network packet contents to detect application layer protocols, leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, protocol port mismatch, anomalous syntax, or structure). Consider packet inspection for Wake-on-LAN magic packet consists of 6 bytes of FF followed by sixteen repetitions of the target system's IEEE address. Seeing this string anywhere in a packet's payload may be indicative of a Wake-on-LAN attempt.[10]

Enterprise T1537 Transfer Data to Cloud Account

Monitor network traffic content for evidence of data exfiltration, such as gratuitous or anomalous internal traffic containing collected data. Consider correlation with process monitoring and command lines associated with collection and exfiltration.

Enterprise T1199 Trusted Relationship

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure) from a trusted entity. Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

ICS T0855 Unauthorized Command Message

Monitor for unexpected ICS protocol command functions to controllers from existing master devices (including from new processes) or from new devices. The latter is like detection for Rogue Master but requires ICS function level insight to determine if an unauthorized device is issuing commands (e.g., a historian).

Monitoring for unexpected or problematic values below the function level will provide better insights into potentially malicious activity but at the cost of additional false positives depending on the underlying operational process.

Enterprise T1204 User Execution

Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious detinations (e.g. destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g. monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, .SCF, HTA, MSI, DLLs, or msiexec.exe).

.001 Malicious Link

Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious detinations (e.g. destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g. monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, .SCF, HTA, MSI, DLLs, or msiexec.exe).

ICS T0863 User Execution

Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, SCF, HTA, MSI, DLLs, or msiexec.exe).

Enterprise T1102 Web Service

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.001 Dead Drop Resolver

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.002 Bidirectional Communication

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.003 One-Way Communication

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Network Traffic: Network Traffic Flow

Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)

Network Traffic: Network Traffic Flow

Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)

Domain ID Name Detects
Enterprise T1595 Active Scanning

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.001 Scanning IP Blocks

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.002 Vulnerability Scanning

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Enterprise T1557 Adversary-in-the-Middle

Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.

.001 LLMNR/NBT-NS Poisoning and SMB Relay

Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.

.002 ARP Cache Poisoning

Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.

.003 DHCP Spoofing

Monitor network traffic for anomalies associated with known AiTM behavior. Consider monitoring for modifications to system configuration files involved in shaping network traffic flow.

ICS T0830 Adversary-in-the-Middle

Monitor for network traffic originating from unknown/unexpected hosts. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware. For added context on adversary procedures and background see Adversary-in-the-Middle and applicable sub-techniques.

ICS T0878 Alarm Suppression

Monitor for loss of network traffic which could indicate alarms are being suppressed. A loss of expected communications associated with network protocols used to communicate alarm events or process data could indicate this technique is being used. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.

Enterprise T1071 Application Layer Protocol

Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.001 Web Protocols

Monitor for web traffic to/from known-bad or suspicious domains and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.002 File Transfer Protocols

Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.003 Mail Protocols

Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

.004 DNS

Monitor for DNS traffic to/from known-bad or suspicious domains and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Enterprise T1020 Automated Exfiltration

Monitor and analyze network flows associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider analyzing newly constructed network connections that are sent or received by untrusted hosts, unexpected hardware devices, or other uncommon data flows.

.001 Traffic Duplication

Monitor and analyze network flows associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider analyzing newly constructed network connections that are sent or received by untrusted hosts, unexpcted hardware devices, or other uncommon data flows.

ICS T0803 Block Command Message

Monitor for a loss of network communications, which may indicate this technique is being used.

ICS T0804 Block Reporting Message

Monitor for a loss of network communications, which may indicate this technique is being used.

ICS T0805 Block Serial COM

Monitor for a loss of network communications, which may indicate this technique is being used.

Enterprise T1612 Build Image on Host

Monitor for established network communications with anomalous IPs that have never been seen before in the environment that may indicate the download of malicious code.

ICS T0885 Commonly Used Port

Analyze network data for uncommon data flows (e.g., new protocols in use between hosts, unexpected ports in use). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

ICS T0884 Connection Proxy

Monitor for known proxy protocols (e.g., SOCKS, Tor, peer-to-peer protocols) and tool usage (e.g., Squid, peer-to-peer software) on the network that are not part of normal operations. Also monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Monitor for several ways that code can execute on a remote host. One of the most common methods is via the Windows Service Control Manager (SCM), which allows authorized users to remotely create and modify services. Several tools, such as PsExec, use this functionality.

When a client remotely communicates with the Service Control Manager, there are two observable behaviors. First, the client connects to the RPC Endpoint Mapper over 135/tcp. This handles authentication, and tells the client what port the endpoint—in this case the SCM—is listening on. Then, the client connects directly to the listening port on services.exe. If the request is to start an existing service with a known command line, the the SCM process will run the corresponding command.

This compound behavior can be detected by looking for services.exe receiving a network connection and immediately spawning a child process.

Analytic 1 - Remotely Launched Executables via Services

service = filter process where (parent_exe == "services.exe")remote_start = join (flow, service ) where ( flow.hostname == service.hostname and flow.pid == service.pid and (flow.time < service.time < flow.time + 1 second))

Enterprise T1039 Data from Network Shared Drive

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on network protocols such as SMB that revolve around network shares. Although there may be more native ways to detect detailed SMB events on the host, they can be extracted out of network traffic. With the right protocol decoders, port 445 traffic can be filtered and even the file path (relative to the share) can be retrieved.

Looking at this activity more closely to obtain an adequate sense of situational awareness may make it possible to detect adversaries moving between hosts in a way that deviates from normal activity. Because SMB traffic is heavy in many environments, this analytic may be difficult to turn into something that can be used to quickly detect an APT. In some cases, it may make more sense to run this analytic in a forensic fashion. Looking through and filtering its output after an intrusion has been discovered may be helpful in identifying the scope of compromise.

Analytic 1 - SMB Events Monitoring

smb_events = filter flow where (dest_port == "445" and protocol == "smb")smb_events.file_name = smb_events.proto_info.file_name

Enterprise T1565 Data Manipulation

Monitor for network traffic originating from unknown/unexpected hardware devices.

.002 Transmitted Data Manipulation

Monitor for network traffic originating from unknown/unexpected hardware devices.

Enterprise T1030 Data Transfer Size Limits

Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

ICS T0814 Denial of Service

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

ICS T0816 Device Restart/Shutdown

Monitor for a loss of network communications, which may indicate a device has been shutdown or restarted. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.

Enterprise T1568 Dynamic Resolution

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.001 Fast Flux DNS

In general, detecting usage of fast flux DNS is difficult due to web traffic load balancing that services client requests quickly. In single flux cases only IP addresses change for static domain names. In double flux cases, nothing is static. Defenders such as domain registrars and service providers are likely in the best position for detection.

.002 Domain Generation Algorithms

Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more. [11] CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA. [12] Another approach is to use deep learning to classify domains as DGA-generated[13]]

Enterprise T1499 Endpoint Denial of Service

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.001 OS Exhaustion Flood

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.002 Service Exhaustion Flood

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.003 Application Exhaustion Flood

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.004 Application or System Exploitation

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Enterprise T1048 Exfiltration Over Alternative Protocol

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.003 Exfiltration Over Unencrypted Non-C2 Protocol

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Enterprise T1041 Exfiltration Over C2 Channel

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Enterprise T1011 Exfiltration Over Other Network Medium

Monitor network data for uncommon data flows., such as the usage of abnormal/unexpected protocols.

.001 Exfiltration Over Bluetooth

Monitor network data for uncommon data flows., such as the usage of abnormal/unexpected protocols.

Enterprise T1567 Exfiltration Over Web Service

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.001 Exfiltration to Code Repository

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Monitor for use of code repositories for data exfiltration.

Analytic 1 - Suspicious Data Exfil

suspicious_exfil = filter network_traffic where (httpHost = "github.com" or httpHost ="justpaste.it" or httpHost= "pastebin.com" or httpHost="onpaste.com" or httpHost="transfernow.net" or httpHost = "codepad.org")

.002 Exfiltration to Cloud Storage

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Monitor for cloud storages for data exfiltration.

Analytic 1 - Suspicious Data Exfil

suspicious_exfil = filter network_traffic where (httpHost = "dropbox.com" or httpHost = "box.com" or httpHost = "drive.google.com" or httpHost = "mega.io" or httpHost = "mediafire.com")

.003 Exfiltration to Text Storage Sites

Monitor network data for uncommon data flows, specifically to text storage sites such as Pastebin[.]com, Paste[.]ee, and Pastebin[.]pl.

.004 Exfiltration Over Webhook

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Enterprise T1133 External Remote Services

Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.

ICS T0822 External Remote Services

Monitor for network traffic originating from unknown/unexpected systems.

Enterprise T1008 Fallback Channels

Monitor network data for uncommon data flows, such as unexpected surges or other abnormal inbound/outbound patterns.

Enterprise T1187 Forced Authentication

Monitor for SMB traffic on TCP ports 139, 445 and UDP port 137 and WebDAV traffic attempting to exit the network to unknown external systems.If attempts are detected, then investigate endpoint data sources to find the root cause.

Analytic 1 - SMB Session Setups

smb_setup = filter flow where (dest_port == 445 and protocol == smb.setup)smb_setup.user = smb_write.proto_info.user_namesmb_setup.target_host = smb_write.proto_info.hostname

Enterprise T1200 Hardware Additions

Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.

Enterprise T1105 Ingress Tool Transfer

Monitor network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Enterprise T1534 Internal Spearphishing

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

ICS T0883 Internet Accessible Device

Monitor for unexpected protocols to/from the Internet. While network traffic content and logon session metadata may directly identify a login event, new Internet-based network flows may also be a reliable indicator of this technique.

Enterprise T1570 Lateral Tool Transfer

Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.

ICS T0867 Lateral Tool Transfer

Monitor for network traffic originating from unknown/unexpected hosts. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.

Mobile T1430 .002 Location Tracking: Impersonate SS7 Nodes

Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.[14] The CSRIC also suggests threat information sharing between telecommunications industry members.

Enterprise T1112 Modify Registry

Remote access to the registry can be achieved via

  • Windows API function RegConnectRegistry
  • command line via reg.exe
  • graphically via regedit.exe

All of these behaviors call into the Windows API, which uses the NamedPipe WINREG over SMB to handle the protocol information. This network can be decoded with wireshark or a similar sensor, and can also be detected by hooking the API function.

Analytic 1 - Remote Registry

flows = search Flow:Messagewinreg = filter flows where (dest_port == 445 and proto_info.pipe == "WINREG")winreg_modify = filter flows where (proto_info.function == "Create" or proto_info.function == "SetValue")

Enterprise T1104 Multi-Stage Channels

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Enterprise T1599 Network Boundary Bridging

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.001 Network Address Translation Traversal

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Enterprise T1498 Network Denial of Service

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.001 Direct Network Flood

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.002 Reflection Amplification

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Enterprise T1046 Network Service Discovery

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. It should be noted that when a host/ port/ service scan is performed from a compromised machine, a single machine makes multiple calls to other hosts in the network to identify live hosts and services.

After compromising an initial machine, adversaries commonly attempt to laterally move across the network. The first step to attempt the Lateral Movement often involves conducting host identification, port and service scans on the internal network via the compromised machine using tools such as Nmap, Cobalt Strike, etc.

Analytic 1 - Identifying Port Scanning Activity

flow = filter flow where (src_type = "firewall_logs" AND dest_ip = "internal_subnet" )

Enterprise T1095 Non-Application Layer Protocol

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Enterprise T1571 Non-Standard Port

Monitor network data flows for unexpected patterns and metadata that may be indicative of a mismatch between protocol and utilized port.

Mobile T1509 Non-Standard Port

Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.

Enterprise T1003 OS Credential Dumping

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.006 DCSync

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Enterprise T1566 Phishing

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.001 Spearphishing Attachment

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.002 Spearphishing Link

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.003 Spearphishing via Service

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Mobile T1660 Phishing

Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.

Enterprise T1598 Phishing for Information

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.001 Spearphishing Service

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.002 Spearphishing Attachment

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.003 Spearphishing Link

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

ICS T0845 Program Upload

Monitor device communication patterns to identify irregular bulk transfers of data between the embedded ICS asset and other nodes within the network. Note these indicators are dependent on the profile of normal operations and the capabilities of the industrial automation protocols involved (e.g., partial program uploads).

Enterprise T1572 Protocol Tunneling

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Enterprise T1090 Proxy

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.001 Internal Proxy

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.002 External Proxy

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.003 Multi-hop Proxy

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Mobile T1604 Proxy Through Victim

Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.

Enterprise T1219 Remote Access Software

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Analytic 1 - Suspicious Port Usage

suspicious_ports = filter network_traffic where ((protocol ="6" and (serverPort = 5938 or serverPort = 6568 or serverPort = 5650 or serverPort = 5655 or serverPort =5631)) or (protocol = "17" and (serverPort = 15000 and serverPort = 5632 )) or(httpHost = "remoteutilities.com"))

Enterprise T1563 Remote Service Session Hijacking

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.001 SSH Hijacking

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.002 RDP Hijacking

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. RDP sessions may be split up into multiple flows and would therefore need to be aggregated.

Anomaly detection using machine learning or other methods based on baselined RDP network flows may be a viable approach to alerting on potential RDP session hijacking.

Enterprise T1021 Remote Services

Monitor network data for uncommon data flows that may be related to abuse of Valid Accounts to log into a service specifically designed to accept remote connections, such as RDP, telnet, SSH, and VNC.

.001 Remote Desktop Protocol

Monitor network traffic for uncommon data flows that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP).

The Remote Desktop Protocol (RDP), built in to Microsoft operating systems, allows a user to remotely log in to the desktop of another host. It allows for interactive access of the running windows, and forwards key presses, mouse clicks, etc. Network administrators, power users, and end-users may use RDP for day-to-day operations. From an adversary’s perspective, RDP provides a means to laterally move to a new host. Determining which RDP connections correspond to adversary activity can be a difficult problem in highly dynamic environments, but will be useful in identifying the scope of a compromise.Remote Desktop can be detected in several ways

  • Network connections to port 3389/tcp (assuming use of the default port)
  • Packet capture analysis
  • Windows security logs (Event ID 4624, 4634, 4647, 4778)
  • Detecting network connections from mstsc.exe
  • Execution of the process rdpclip.exe
  • Runs as the clipboard manager on the RDP target if clipboard sharing is enabled

Analytic 1

rdp_start = filter flow_start where (port == "3389")rdp_end = filter flow_start where (port == "3389")rdp = group flow_start, flow_end by src_ip, src_port, dest_ip, dest_port

.002 SMB/Windows Admin Shares

Monitor network data for uncommon SMB data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on SMB network flows.

Notes:

  • The logic for Implementation 1 is based around detecting on SMB write requests, which are often used by adversaries to move laterally to another host. Unlike SMB Reads, SMB Write requests typically require an additional level of access, resulting in less activity. Focusing on SMB Write activity narrows the field to looking at techniques associated with actively changing remote hosts, instead of passively reading files.
  • The logic for Implementation 2 is based around detection of new processes that were created from a file written to an SMB share. First, a file is remotely written to a host via an SMB share; then, a variety of Execution techniques can be used to remotely establish execution of the file or script. To detect this behavior, look for files that are written to a host over SMB and then later run directly as a process or in the command line arguments. SMB File Writes and Remote Execution may happen normally in an environment, but the combination of the two behaviors is less frequent and more likely to indicate adversarial activity.

Analytic 1 - SMB Write

smb_write = filter flow where (dest_port == "445" AND protocol == "smb.write")

Analytic 2 - SMB Copy and Execution

remote_start = join (smb:write, process:create) where ( smb_write.hostname == process.hostname AND smb_write.file_path == process.image_path AND (smb_write.time < process.time))

Analytic 3 - RPC Activity

rpc_mapper = filter flows where (dest_port == 135)rpc_endpoint = filter flows where (dest_port >= 49152 and src_port >= 49152)rpc = join rpc_mapper, rpc_endpoint where ( (rpc_mapper.time < rpc_endpoint.time < rpc_mapper.time + 2 seconds) and (rpc_mapper.src_ip == rpc_endpoint.src_ip and rpc_mapper.dest_ip == rpc_endpoint.dest_ip))

.006 Windows Remote Management

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on RPC network flows.

When a Windows Remote Management connection is opened, the client sends HTTP requests to port 5985 for HTTP or 5986 for HTTPS on the target host. Each HTTP(S) request to the URI "/wsman" is called, and other information is set in the headers. Depending on the operation, the HTTP method may vary (i.e., GET, POST, etc.). This analytic would detect Remote PowerShell, as well as other communications that rely on WinRM. Additionally, it outputs the executable on the client host, the connection information, and the hostname of the target host. Look for network connections to port 5985 and 5986. To really decipher what is going on, these outputs should be fed into something that can do packet analysis.

Note: Traffic to the RPC Endpoint Mapper will always have the destination port of 135. Assuming success, RPC traffic will continue to the endpoint. The endpoint and the client both bind to dynamically assigned ports (on Windows, this is typically greater than 49152). The traffic between the client and endpoint can be detected by looking at traffic to 135 followed by traffic where the source and destination ports are at least 49152.

Analytic 1 - RPC Activity

rpc_mapper = filter flows where (dest_port == 135)rpc_endpoint = filter flows where (dest_port >= 49152 and src_port >= 49152)rpc = join rpc_mapper, rpc_endpoint where ( (rpc_mapper.time < rpc_endpoint.time < rpc_mapper.time + 2 seconds) AND (rpc_mapper.src_ip == rpc_endpoint.src_ip AND rpc_mapper.dest_ip == rpc_endpoint.dest_ip))

Analytic 2 - WinRM

winrm = filter flow where (dest_port == 5985)winrm_s = filter flow where (dest_port == 5986)

ICS T0886 Remote Services

Monitor network data for uncommon data flows (e.g., time of day, unusual source/destination address) that may be related to abuse of Valid Accounts to log into a service specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC.

ICS T0846 Remote System Discovery

Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). For added context on adversary enterprise procedures and background see Remote System Discovery.

ICS T0888 Remote System Information Discovery

Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM).

Enterprise T1496 Resource Hijacking

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

ICS T0848 Rogue Master

Monitor for network traffic originating from unknown/unexpected devices or addresses. Local network traffic metadata could be used to identify unexpected connections, including unknown/unexpected source MAC addresses connecting to ports associated with operational protocols. Also, network management protocols such as DHCP and ARP may be helpful in identifying unexpected devices.

Enterprise T1053 .002 Scheduled Task/Job: At

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. When AT.exe is used to remotely schedule tasks, Windows uses named pipes over SMB to communicate with the API on the remote machine. After authentication over SMB, the Named Pipe ATSVC is opened, over which the JobAdd function is called. On the remote host, the job files are created by the Task Scheduler and follow the convention C:\Windows\System32\AT.

This pipe activity could be discovered with a network decoder, such as that in wireshark, that can inspect SMB traffic to identify the use of pipes. It could also be detected by looking for raw packet capture streams or from a custom sensor on the host that hooks the appropriate API functions. If no network or API level of visibility is possible, this traffic may inferred by looking at SMB connections over 445/tcp followed by the creation of files matching the pattern C:\Windows\System32\AT\<job_id>.

To detect AT via network traffic, a sensor is needed that has the ability to extract and decode PCAP information. Specifically, it needs to properly decode SMB and the functions that are implemented over it via NamedPipes. If a sensor meets these criteria, then the PCAP data needs to search for instances of the command JobAdd over the pipe ATSVC, which is all implemented over Windows SMB 445/tcp.

Analytic 1 - Remotely Scheduled Tasks via AT

flows = search Flow:Messageat_proto = filter flows where (dest_port == 445 and proto_info.pipe == "ATSVC")at_create = filter flows where (proto_info.function == "JobAdd")

.005 Scheduled Task/Job: Scheduled Task

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Look for RPC traffic after being mapped, which implies a destination port of at least 49152. If network inspection is available via packet captures or a NIDS, then traffic through the ITaskSchedulerService interface can be detected. Microsoft has a list of the possible methods that are implemented for the ITaskSchedulerService interface, which may be useful in differentiating read and query operations from creations and modifications.

When scheduled tasks are created remotely, Windows uses RPC (135/tcp) to communicate with the Task Scheduler on the remote machine. Once an RPC connection is established, the client communicates with the Scheduled Tasks endpoint, which runs within the service group netsvcs. With packet capture and the right packet decoders or byte-stream based signatures, remote invocations of these functions can be identified.Certain strings can be identifiers of the schtasks, by looking up the interface UUID of ITaskSchedulerService in different formats

  • UUID 86d35949-83c9-4044-b424-db363231fd0c (decoded)
  • Hex 49 59 d3 86 c9 83 44 40 b4 24 db 36 32 31 fd 0c (raw)
  • ASCII IYD@$621 (printable bytes only)

This identifier is present three times during the RPC request phase. Any sensor that has access to the byte code as raw, decoded, or ASCII could implement this analytic.

Analytic 1 - Remotely Scheduled Tasks via Schtasks

schtasks_rpc = filter flows where (src_port >= 49152 AND dest_port >= 49152 AND proto_info.rpc_interface == "ITaskSchedulerService")sch_create = filter flows where (proto_info.function == "SchRpcRegisterTask" OR proto_info.function == "SchRpcRun" OR proto_info.function == "SchRpcEnableTask")

Enterprise T1029 Scheduled Transfer

Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.

Enterprise T1505 Server Software Component

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.003 Web Shell

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

ICS T0856 Spoof Reporting Message

Various techniques enable spoofing a reporting message. Consider monitoring for Rogue Master and Adversary-in-the-Middle activity which may precede this technique.

ICS T0869 Standard Application Layer Protocol

Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows , or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Enterprise T1033 System Owner/User Discovery

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Enterprise T1569 .002 System Services: Service Execution

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Analytic 1 - Service Control Manager spawning Command Shell

service_proto = filter flows where (dest_port == 445 and proto_info.pipe == "SVCCTL")service_create = filter flows where (proto_info.function == "CreateServiceW" OR proto_info.function == "CreateServiceA" OR proto_info.function == "StartServiceW" OR proto_info.function == "StartServiceA" )

Enterprise T1205 Traffic Signaling

Monitor and analyze network flows associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider analyzing newly constructed network connections that are sent or received by untrusted hosts, unexpcted hardware devices, or other uncommon data flows.

.001 Port Knocking

Monitor and analyze network flows associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider analyzing newly constructed network connections that are sent or received by untrusted hosts, unexpcted hardware devices, or other uncommon data flows.

ICS T0864 Transient Cyber Asset

Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) may be helpful in identifying transient assets.

ICS T0855 Unauthorized Command Message

Monitor for new or unexpected connections to controllers, which could indicate an Unauthorized Command Message being sent via Rogue Master.

Enterprise T1102 Web Service

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.001 Dead Drop Resolver

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.002 Bidirectional Communication

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

.003 One-Way Communication

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

ICS T0860 Wireless Compromise

New or irregular network traffic flows may indicate potentially unwanted devices or sessions on wireless networks. In Wi-Fi networks monitor for changes such as rogue access points or low signal strength, indicating a device is further away from the access point then expected and changes in the physical layer signal.[15] [16] Network traffic content will provide important context, such as hardware (e.g., MAC) addresses, user accounts, and types of messages sent.

ICS T0887 Wireless Sniffing

Purely passive network sniffing cannot be detected effectively. In cases where the adversary interacts with the wireless network (e.g., joining a Wi-Fi network) detection may be possible. Monitor for new or irregular network traffic flows which may indicate potentially unwanted devices or sessions on wireless networks. In Wi-Fi networks monitor for changes such as rogue access points or low signal strength, indicating a device is further away from the access point then expected and changes in the physical layer signal.[15] [16] Network traffic content will provide important context, such as hardware (e.g., MAC) addresses, user accounts, and types of messages sent.

References