Network Traffic Analysis
Definition
Analyzing intercepted or summarized computer network traffic to detect unauthorized activity.
Technique Subclasses
There are 21 techniques in this category, Network Traffic Analysis.
| Name | ID | Definition | Synonyms |
|---|---|---|---|
| Network Traffic Analysis | D3-NTA | Analyzing intercepted or summarized computer network traffic to detect unauthorized activity. | |
| - Protocol Metadata Anomaly Detection | D3-PMAD | Collecting network communication protocol metadata and identifying statistical outliers. | |
| - Active Certificate Analysis | D3-ACA | Actively collecting PKI certificates by connecting to the server and downloading its server certificates for analysis. | |
| - Byte Sequence Emulation | D3-BSE | Analyzing sequences of bytes and determining if they likely represent malicious shellcode. | Shellcode Transmission Detection |
| - Certificate Analysis | D3-CA | Analyzing Public Key Infrastructure certificates to detect if they have been misconfigured or spoofed using both network traffic, certificate fields and third-party logs. | |
| - Client-server Payload Profiling | D3-CSPP | Comparing client-server request and response payloads to a baseline profile to identify outliers. | |
| - Per Host Download-Upload Ratio Analysis | D3-PHDURA | Detecting anomalies that indicate malicious activity by comparing the amount of data downloaded versus data uploaded by a host. | |
| - RPC Traffic Analysis | D3-RTA | Monitoring the activity of remote procedure calls in communication traffic to establish standard protocol operations and potential attacker activities. | RPC Protocol Analysis |
| - Remote Firmware Update Monitoring | D3-RFUM | Monitoring of remote firmware update commands to identify unauthorized software installations. | |
| - Connection Attempt Analysis | D3-CAA | Analyzing failed connections in a network to detect unauthorized activity. | Network Scan Detection |
| - Network Traffic Signature Analysis | D3-NTSA | Analyzing network traffic and comparing it to known signatures of malicious activity. | |
| - DNS Traffic Analysis | D3-DNSTA | Analysis of domain name metadata, including name and DNS records, to determine whether the domain is likely to resolve to an undesirable host. | Domain Name Analysis |
| - Administrative Network Activity Analysis | D3-ANAA | Detection of unauthorized use of administrative network protocols by analyzing network activity against a baseline. | |
| - Application Protocol Command Analysis | D3-APCA | Analyzing application protocol level remote commands to detect unauthorized activity. | |
| - Network Traffic Community Deviation | D3-NTCD | Establishing baseline communities of network hosts and identifying statistically divergent inter-community communication. | |
| - Passive Certificate Analysis | D3-PCA | Collecting host certificates from network traffic or other passive sources like a certificate transparency log and analyzing them for unauthorized activity. | |
| - Inbound Session Volume Analysis | D3-ISVA | Analyzing inbound network session or connection attempt volume. | |
| - Relay Pattern Analysis | D3-RPA | The detection of an internal host relaying traffic between the internal network and the external network. | Relay Network Detection |
| - Remote Terminal Session Detection | D3-RTSD | Detection of an unauthorized remote live terminal console session by examining network traffic to a network host. | |
| - IPC Traffic Analysis | D3-IPCTA | Analyzing standard inter process communication (IPC) protocols to detect deviations from normal protocol activity. | IPC Analysis |
| - File Carving | D3-FC | Identifying and extracting files from network application protocols through the use of network stream reassembly software. | |
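Two of the analytics in the table above, Connection Attempt Analysis (D3-CAA) and Per Host Download-Upload Ratio Analysis (D3-PHDURA), work on summarized traffic (flow records) rather than full packets. The following is an added example, not code from the D3FEND page or project: it parses constructed Zeek-style conn.log lines (a subset of the real conn.log columns) and runs both analytics over them. The conn_state values are Zeek's; the thresholds (five distinct failed targets, 80% failure rate, 10 MB uploaded, 5:1 upload-to-download ratio) are illustrative assumptions that a real deployment would tune against its own baseline.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample records (not a real capture), tab separated, in the order:
# ts  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  conn_state  orig_bytes  resp_bytes
# 10.0.0.5 probes port 22 on several hosts, 10.0.0.7 browses normally,
# 10.0.0.9 pushes tens of megabytes outbound over TLS.
SAMPLE_CONN_LOG = """\
1700000000.10\t10.0.0.5\t51000\t10.0.1.10\t22\ttcp\tREJ\t0\t0
1700000000.11\t10.0.0.5\t51001\t10.0.1.11\t22\ttcp\tREJ\t0\t0
1700000000.12\t10.0.0.5\t51002\t10.0.1.12\t22\ttcp\tS0\t0\t0
1700000000.13\t10.0.0.5\t51003\t10.0.1.13\t22\ttcp\tS0\t0\t0
1700000000.14\t10.0.0.5\t51004\t10.0.1.14\t22\ttcp\tREJ\t0\t0
1700000000.15\t10.0.0.5\t51005\t10.0.1.15\t22\ttcp\tSF\t320\t1100
1700000001.00\t10.0.0.7\t52000\t93.184.216.34\t443\ttcp\tSF\t2400\t180000
1700000002.00\t10.0.0.7\t52001\t93.184.216.34\t443\ttcp\tSF\t1900\t95000
1700000003.00\t10.0.0.7\t52002\t10.0.1.20\t445\ttcp\tREJ\t0\t0
1700000010.00\t10.0.0.9\t53000\t203.0.113.20\t443\ttcp\tSF\t26000000\t9000
1700000020.00\t10.0.0.9\t53001\t203.0.113.20\t443\ttcp\tSF\t31000000\t8000
"""

NUM_FIELDS = 9

# Zeek conn_state values in which the originator never obtained a usable session:
# S0 = no reply, REJ = rejected, RSTOS0 / RSTRH = reset before establishment.
FAILED_STATES = {"S0", "REJ", "RSTOS0", "RSTRH"}


@dataclass
class Conn:
    ts: float
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str
    conn_state: str
    orig_bytes: int   # bytes sent by the originator (its upload)
    resp_bytes: int   # bytes sent by the responder (the originator's download)


def _int_or_zero(value: str) -> int:
    # Zeek writes "-" for unset byte counters (e.g. on rejected connections).
    return 0 if value == "-" else int(value)


def parse_conn_log(text: str) -> List[Conn]:
    """Parse tab-separated conn.log-style lines; comment lines and malformed rows are skipped."""
    conns: List[Conn] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) != NUM_FIELDS:
            continue  # do not let one bad row abort the whole analytic
        conns.append(Conn(float(f[0]), f[1], int(f[2]), f[3], int(f[4]), f[5], f[6],
                          _int_or_zero(f[7]), _int_or_zero(f[8])))
    return conns


def connection_attempt_analysis(conns: List[Conn], min_targets: int = 5,
                                min_failed_fraction: float = 0.8) -> Dict[str, Tuple[int, float]]:
    """D3-CAA: flag originators whose failed connections fan out across many distinct
    (host, port) targets. Returns {orig_h: (distinct_failed_targets, failed_fraction)}."""
    attempts: Dict[str, int] = defaultdict(int)
    failures: Dict[str, int] = defaultdict(int)
    failed_targets: Dict[str, set] = defaultdict(set)
    for c in conns:
        attempts[c.orig_h] += 1
        if c.conn_state in FAILED_STATES:
            failures[c.orig_h] += 1
            failed_targets[c.orig_h].add((c.resp_h, c.resp_p))
    alerts: Dict[str, Tuple[int, float]] = {}
    for host, targets in failed_targets.items():
        fraction = failures[host] / attempts[host]
        if len(targets) >= min_targets and fraction >= min_failed_fraction:
            alerts[host] = (len(targets), round(fraction, 2))
    return alerts


def download_upload_ratio_analysis(conns: List[Conn], min_upload_bytes: int = 10_000_000,
                                   max_ratio: float = 5.0) -> Dict[str, Tuple[int, int, float]]:
    """D3-PHDURA: per originating host, compare bytes uploaded with bytes downloaded and
    flag hosts that push far more than they pull. Returns {orig_h: (up, down, ratio)}."""
    up: Dict[str, int] = defaultdict(int)
    down: Dict[str, int] = defaultdict(int)
    for c in conns:
        if c.conn_state in FAILED_STATES:
            continue  # no payload was exchanged on a failed attempt
        up[c.orig_h] += c.orig_bytes
        down[c.orig_h] += c.resp_bytes
    alerts: Dict[str, Tuple[int, int, float]] = {}
    for host in up:
        ratio = up[host] / down[host] if down[host] else float("inf")
        if up[host] >= min_upload_bytes and ratio > max_ratio:
            alerts[host] = (up[host], down[host], round(ratio, 1))
    return alerts


if __name__ == "__main__":
    records = parse_conn_log(SAMPLE_CONN_LOG)
    print("D3-CAA scan candidates:", connection_attempt_analysis(records))
    print("D3-PHDURA ratio outliers:", download_upload_ratio_analysis(records))
```

Both analytics skip failed connections when summing bytes and count distinct targets rather than raw attempts, so a host retrying one dead service does not look like a scanner, and a host that merely downloads a lot does not look like an exfiltration source. In production the per-host thresholds would come from a learned baseline rather than constants.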
Related ATT&CK Techniques:
These mappings are inferred, experimental, and will improve as the knowledge graph grows. The offensive techniques below are grouped by ATT&CK tactic.
| Tactic | Related ATT&CK Techniques |
|---|---|
| Lateral Movement | Remote Services; Use Alternate Authentication Material; Exploitation of Remote Services; Remote Service Session Hijacking; Lateral Tool Transfer |
| Privilege Escalation | Account Manipulation; Event Triggered Execution |
| Command and Control | Remote Access Tools; Encrypted Channel; Proxy; Data Obfuscation; Multi-Stage Channels; Fallback Channels; Data Encoding; Application Layer Protocol; Dynamic Resolution; Traffic Signaling; Web Service; Non-Application Layer Protocol; Ingress Tool Transfer; Protocol Tunneling; Non-Standard Port |
| Impact | Network Denial of Service; Endpoint Denial of Service; Data Manipulation |
| Collection | Adversary-in-the-Middle; Browser Session Hijacking |
| Discovery | Network Sniffing; Remote System Discovery |
| Persistence | Account Manipulation; Pre-OS Boot; BITS Jobs; Traffic Signaling; Event Triggered Execution |
| Initial Access | Phishing; Exploit Public-Facing Application; Trusted Relationship; Drive-by Compromise |
| Credential Access | Adversary-in-the-Middle; Brute Force; Network Sniffing; OS Credential Dumping; Steal or Forge Kerberos Tickets; Steal or Forge Authentication Certificates |
| Defense Evasion | Use Alternate Authentication Material; Pre-OS Boot; Rogue Domain Controller; BITS Jobs; Traffic Signaling; System Binary Proxy Execution |
| Exfiltration | Exfiltration Over Web Service; Automated Exfiltration; Exfiltration Over Alternative Protocol; Data Transfer Size Limits; Scheduled Transfer; Exfiltration Over C2 Channel; Exfiltration Over Other Network Medium |