Enterprise Attack - Attack Pattern

Exfiltration Over Alternative Protocol - T1048
Tactic: mitre-attack:enterprise-attack:exfiltration

Description: Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, or some other network protocol; adversaries may choose a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS so that the exfiltration blends in with existing traffic and avoids detection. Different channels could include Internet Web services such as cloud storage.

Detection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)

Platforms: Linux, macOS, Windows

Data Sources: User interface, Process monitoring, Process use of network, Packet capture, Netflow/Enclave netflow, Network protocol analysis

Requires Network: Yes
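The following is an added example, not MITRE's code and not part of the ATT&CK entry, showing two of the detection ideas above as runnable flow analysis: an upload-heavy client (sending far more than it receives, with a per-destination breakdown showing where the data went) and traffic on a well-known port whose identified service does not match the protocol expected on that port. It assumes Zeek-style conn records with a fixed tab-separated field layout (ts, orig_h, resp_h, resp_p, proto, service, orig_bytes, resp_bytes); the sample records, the port-to-service table and the ratio/minimum-bytes thresholds are all constructed for the example and would need tuning against a real baseline.

```python
"""Flow heuristics for Exfiltration Over Alternative Protocol (T1048).

Added example, not MITRE's code. Runs over constructed Zeek-style conn.log
lines and implements two detection ideas: a client whose outbound volume
dwarfs its inbound volume, and a well-known port carrying the wrong protocol.
"""
from collections import defaultdict

# Constructed sample. 10.0.0.5 pushes ~40 MB out over DNS to 203.0.113.9 (not
# its usual 443/ssl endpoint), while the other hosts download more than they
# send. The last record is HTTP on 443, where SSL is expected.
# Field order: ts, orig_h, resp_h, resp_p, proto, service, orig_bytes, resp_bytes
SAMPLE_CONN_LOG = """\
1700000000.1\t10.0.0.5\t203.0.113.9\t53\tudp\tdns\t20000000\t300000
1700000001.2\t10.0.0.5\t203.0.113.9\t53\tudp\tdns\t20000000\t280000
1700000002.3\t10.0.0.5\t198.51.100.7\t443\ttcp\tssl\t4000\t90000
1700000003.4\t10.0.0.7\t198.51.100.7\t443\ttcp\tssl\t12000\t5500000
1700000004.5\t10.0.0.8\t192.0.2.14\t80\ttcp\thttp\t3000\t700000
1700000005.6\t10.0.0.8\t192.0.2.77\t443\ttcp\thttp\t1500\t9000
"""

FIELDS = ("ts", "orig_h", "resp_h", "resp_p", "proto", "service",
          "orig_bytes", "resp_bytes")

# Assumed mapping: the service a protocol analyzer should identify on each port.
EXPECTED_SERVICE = {21: "ftp", 25: "smtp", 53: "dns", 80: "http", 443: "ssl"}


def parse_conn_log(text):
    """Turn tab-separated conn records into dicts with numeric byte/port fields."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # skip malformed lines instead of aborting the whole run
        rec = dict(zip(FIELDS, parts))
        rec["resp_p"] = int(rec["resp_p"])
        rec["orig_bytes"] = int(rec["orig_bytes"])
        rec["resp_bytes"] = int(rec["resp_bytes"])
        records.append(rec)
    return records


def upload_heavy_clients(records, ratio=5.0, min_bytes=1_000_000):
    """Clients that send far more than they receive, with their top destinations.

    ratio and min_bytes are tuning assumptions: a host is flagged only when its
    total outbound bytes reach min_bytes and exceed ratio times inbound bytes.
    Returns dicts sorted by bytes sent, descending.
    """
    sent = defaultdict(int)
    received = defaultdict(int)
    per_dest = defaultdict(lambda: defaultdict(int))
    for r in records:
        sent[r["orig_h"]] += r["orig_bytes"]
        received[r["orig_h"]] += r["resp_bytes"]
        per_dest[r["orig_h"]][(r["resp_h"], r["resp_p"], r["service"])] += r["orig_bytes"]
    hits = []
    for host in sent:
        if sent[host] >= min_bytes and sent[host] > ratio * max(received[host], 1):
            dests = sorted(per_dest[host].items(), key=lambda kv: kv[1], reverse=True)
            hits.append({"host": host, "sent": sent[host],
                         "received": received[host], "top_destinations": dests[:3]})
    return sorted(hits, key=lambda h: h["sent"], reverse=True)


def port_service_mismatches(records):
    """Flows on a well-known port whose identified service is not the expected one."""
    hits = []
    for r in records:
        expected = EXPECTED_SERVICE.get(r["resp_p"])
        if expected and r["service"] not in ("-", "") and r["service"] != expected:
            hits.append((r["orig_h"], r["resp_h"], r["resp_p"], r["service"]))
    return hits


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for hit in upload_heavy_clients(recs):
        print(f"upload-heavy: {hit['host']} sent={hit['sent']} recv={hit['received']}")
        for (dst, port, svc), nbytes in hit["top_destinations"]:
            print(f"    -> {dst}:{port} ({svc}) {nbytes} bytes")
    for orig, resp, port, svc in port_service_mismatches(recs):
        print(f"port/service mismatch: {orig} -> {resp}:{port} carries {svc}")
```

The per-destination breakdown is what makes the first heuristic useful in practice: the entry notes that exfiltrated data is likely to go to a location other than the main command and control server, so an alert should name the destination and protocol rather than just the host. The second heuristic depends on having a protocol analyzer (Packet capture / Network protocol analysis in the data sources above) rather than port numbers alone; records where the analyzer identified nothing are left alone to avoid flagging every unclassified flow.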