Adversaries may add junk data to protocols used for command and control to make detection more difficult.(Citation: FireEye SUNBURST Backdoor December 2020) By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1001.001 | Junk Data |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
|
DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1001.001 | Junk Data |
Comments
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.
References
|
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1001.001 | Junk Data |
Comments
This diagnostic statement protects against Junk Data through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CA-07 | Continuous Monitoring | mitigates | T1001.001 | Junk Data | |
CM-06 | Configuration Settings | mitigates | T1001.001 | Junk Data | |
SI-03 | Malicious Code Protection | mitigates | T1001.001 | Junk Data | |
CM-02 | Baseline Configuration | mitigates | T1001.001 | Junk Data | |
SI-04 | System Monitoring | mitigates | T1001.001 | Junk Data | |
AC-04 | Information Flow Enforcement | mitigates | T1001.001 | Junk Data | |
SC-07 | Boundary Protection | mitigates | T1001.001 | Junk Data |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Other | Other | related-to | T1001.001 | Junk Data |