
{
"id": "bundle--89da3e23-03fc-4447-b7d6-30d974492656",
"objects": [
{
"created": "2017-05-31T21:30:41.80483Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Data exfiltration is performed over the [[Command and Control]] channel. Data is encoded into the normal communications channel using the same protocol as command and control communications.\n\nDetection: Detection for command and control applies. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[[Citation: University of Birmingham C2]]\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: User interface, Process monitoring",
"external_references": [
{
"external_id": "T1041",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/wiki/Technique/T1041"
},
{
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
"source_name": "University of Birmingham C2",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
}
],
"id": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "exfiltration"
}
],
"modified": "2017-05-31T21:30:41.80483Z",
"name": "Exfiltration Over Command and Control Channel",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"type": "attack-pattern",
"x_mitre_data_sources": [
"User interface",
"Process monitoring"
],
"x_mitre_network_requirements": false,
"x_mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1"
]
}
],
"spec_version": "2.0",
"type": "bundle"
}