{
"type": "bundle",
"id": "bundle--1a166e8f-7475-4c76-969c-527ed66d870d",
"spec_version": "2.0",
"objects": [
{
"id": "attack-pattern--1ff8b824-5287-4583-ab6a-013bf36d4864",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Data Hiding",
"description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1320).\n\nCertain types of traffic (e.g., DNS tunneling, header injection) allow for user-defined fields. These fields can then be used to hide data. In addition to hiding data in network protocols, steganography techniques can be used to hide data in images or other file formats. Detection can be difficult unless a particular signature is already known. (Citation: BotnetsDNSC2) (Citation: HAMMERTOSS2015) (Citation: DNS-Tunnel)",
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/techniques/T1320",
"external_id": "T1320"
},
{
"source_name": "BotnetsDNSC2",
"description": "Christian J. Dietrich, Christian Rossow, Felix C. Freiling, Herbert Bos, Maarten van Steen, Norbert Pohlmann. (2011). On Botnets that use DNS for Command and Control. Retrieved March 6, 2017."
},
{
"source_name": "HAMMERTOSS2015",
"description": "FireEye. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved March 6, 2017."
},
{
"source_name": "DNS-Tunnel",
"description": "Alexey Shulmin and Sergey Yunakovsky. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved May 9, 2017."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detectable_by_common_defenses": "Yes",
"x_mitre_detectable_by_common_defenses_explanation": "Unless the defender is dissecting protocols or performing network signature analysis on protocol deviations/patterns, this technique is largely undetected.",
"x_mitre_difficulty_for_adversary": "No",
"x_mitre_difficulty_for_adversary_explanation": "This technique requires a more advanced protocol understanding and testing to insert covert communication into legitimate protocol fields.",
"x_mitre_version": "1.0",
"x_mitre_old_attack_id": "PRE-T1097",
"type": "attack-pattern",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-pre-attack",
"phase_name": "adversary-opsec"
}
],
"modified": "2020-10-26T13:42:49.342Z",
"created": "2017-12-14T16:46:06.044Z",
"x_mitre_deprecated": true
}
]
}