cti/enterprise-attack/attack-pattern/attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6.json

{
    "type": "bundle",
    "id": "bundle--2a87d4cb-fd7e-4fcb-bcb4-2c3a9bfee6c4",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "created": "2017-05-31T21:30:56.776Z",
            "modified": "2018-01-17T12:56:55.080Z",
            "name": "Standard Application Layer Protocol",
            "description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n\nFor connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.\n\nDetection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.  Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used. (Citation: University of Birmingham C2)\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring\n\nRequires Network: Yes",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "command-and-control"
                }
            ],
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/wiki/Technique/T1071",
                    "external_id": "T1071"
                },
                {
                    "source_name": "University of Birmingham C2",
                    "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
                    "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "x_mitre_data_sources": [
                "Packet capture",
                "Netflow/Enclave netflow",
                "Process use of network",
                "Malware reverse engineering",
                "Process monitoring"
            ],
            "x_mitre_network_requirements": true,
            "x_mitre_platforms": [
                "Linux",
                "macOS",
                "Windows"
            ]
        }
    ]
}