T1001 - Data Obfuscation#
Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content harder to discover or decipher, to make the communication less conspicuous, and to keep the commands themselves out of sight. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.
Atomic Tests:#
Currently, no tests are available for this technique.
Detection#
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)
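The three checks above (client-heavy byte ratios, processes with no network baseline, payloads that do not match the protocol expected on the port), plus the encoded-versus-encrypted question raised under PCAP Collection below, as an added example that is not part of the ATT&CK or Shield text. It scores constructed, Zeek-conn.log-style flow summaries enriched with the owning process and the first client payload bytes; the field names, thresholds, expected-prefix table and sample values are all assumptions for illustration, not output of any real sensor.

```python
"""Heuristics for spotting obfuscated C2 in flow summaries.

Added example, not from the ATT&CK/Shield page. Each Flow is a constructed,
Zeek-conn.log-style summary enriched with the owning process and the first
client payload bytes (as a PCAP-backed sensor could supply); field names,
thresholds and sample values are assumptions for illustration.
"""
from dataclasses import dataclass
import math


@dataclass
class Flow:
    process: str          # process on the monitored host that owned the socket
    dst_port: int
    orig_bytes: int       # bytes sent by the client
    resp_bytes: int       # bytes sent by the server
    first_payload: bytes  # first client payload bytes of the connection


# Opening bytes the port is expected to carry (assumed allow-list).
# None means the content check is skipped for that port.
EXPECTED_PREFIX = {
    443: b"\x16\x03",                                                  # TLS handshake record
    80: (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE "),  # HTTP request line
    53: None,                                                          # DNS: no fixed prefix
}
PLAINTEXT_PORTS = {80}  # high entropy is unexpected here; on 443 it is normal


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/compressed data, lower for text."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def protocol_mismatch(flow: Flow) -> bool:
    """True when the first payload does not look like the port's expected protocol."""
    expected = EXPECTED_PREFIX.get(flow.dst_port)
    if expected is None:
        return False
    return not flow.first_payload.startswith(expected)


def analyze_flow(flow, baseline_processes, upload_ratio=10.0,
                 min_upload=10_000, entropy_limit=6.0):
    """Return the list of heuristic names the flow trips (empty if clean)."""
    findings = []
    # 1. client sends far more than it receives (exfil or bulky obfuscated beacons)
    if (flow.orig_bytes >= min_upload
            and flow.orig_bytes / max(flow.resp_bytes, 1) >= upload_ratio):
        findings.append("asymmetric_upload")
    # 2. process never seen talking to the network on this host
    if flow.process not in baseline_processes:
        findings.append("unbaselined_process")
    # 3. payload does not follow the protocol expected on the destination port
    if protocol_mismatch(flow):
        findings.append("protocol_mismatch")
    # 4. encoded/encrypted-looking bytes on a port that should carry plaintext
    if (flow.dst_port in PLAINTEXT_PORTS
            and shannon_entropy(flow.first_payload) > entropy_limit):
        findings.append("high_entropy_on_plaintext_port")
    return findings


def analyze(flows, baseline_processes):
    """One findings list per input flow, in input order."""
    return [analyze_flow(f, baseline_processes) for f in flows]


# Constructed sample data: processes normally seen using the network on this
# host, and four flows to score against the heuristics.
BASELINE_PROCESSES = {"chrome.exe", "svchost.exe", "outlook.exe"}
SAMPLE_FLOWS = [
    # ordinary browsing: TLS on 443, downloads far more than it uploads
    Flow("chrome.exe", 443, 4_200, 180_000, b"\x16\x03\x01\x02\x00\x01\x00"),
    # TLS on 443 but a 200:1 upload ratio from a baselined process
    Flow("svchost.exe", 443, 2_400_000, 12_000, b"\x16\x03\x01\x00\xf4\x01"),
    # unknown binary pushing random-looking bytes over port 80
    Flow("updater.exe", 80, 8_000, 600, b"\x8b\x12\x44" + bytes(range(256))),
    # unknown binary sending 25x more than it receives over DNS
    Flow("dnsq.exe", 53, 50_000, 2_000, b"\x12\x34\x01\x00\x00\x01"),
]

if __name__ == "__main__":
    for flow, findings in zip(SAMPLE_FLOWS, analyze(SAMPLE_FLOWS, BASELINE_PROCESSES)):
        print(f"{flow.process:<12} :{flow.dst_port:<4} {findings or 'clean'}")
```

The thresholds are deliberately coarse: a 10:1 upload ratio on a backup client or a video call is normal, so in practice the ratio check is tuned per host role and combined with the process baseline rather than alerted on alone. The entropy check is only applied to ports that should carry plaintext, because on 443 a high-entropy payload is exactly what TLS looks like.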
Shield Active Defense#
PCAP Collection#
Collect full network traffic for future research and analysis.
PCAP Collection allows defenders to examine an adversary's network traffic more closely, including determining whether it is encoded and/or encrypted. PCAP can be run through tools that replay the traffic to give a real-time view of what happened over the wire. These tools can also parse the traffic and send the results to a SIEM for monitoring and alerting.
Opportunity#
There is an opportunity to detect adversary activity that uses obfuscated communication.
Use Case#
A defender can capture network traffic for a compromised system and look for abnormal network traffic that may signal data obfuscation.
Procedures#
Collect PCAP on a decoy network to improve visibility into an adversary’s network activity.