cti/enterprise-attack/attack-pattern/attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d.json

{
    "objects": [
        {
            "name": "Exfiltration Over Command and Control Channel",
            "description": "Data exfiltration is performed over the Command and Control channel.  Data is encoded into the normal communications channel using the same protocol as command and control communications.\n\nDetection: Detection for command and control applies. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: User interface, Process monitoring\n\nRequires Network: Yes",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "exfiltration"
                }
            ],
            "external_references": [
                {
                    "url": "https://attack.mitre.org/wiki/Technique/T1041",
                    "source_name": "mitre-attack",
                    "external_id": "T1041"
                },
                {
                    "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
                    "source_name": "University of Birmingham C2",
                    "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "created": "2017-05-31T21:30:41.804Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_platforms": [
                "Linux",
                "macOS",
                "Windows"
            ],
            "x_mitre_data_sources": [
                "User interface",
                "Process monitoring"
            ],
            "x_mitre_network_requirements": true,
            "id": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
            "modified": "2018-04-18T17:59:24.739Z",
            "type": "attack-pattern"
        }
    ],
    "type": "bundle",
    "id": "bundle--f29bacc5-5a05-4296-9ee8-3156bbac94fb",
    "spec_version": "2.0"
}