MITRE ATT&CK® Data Component

DC0085: Network Traffic Content

The full packet capture (PCAP) or session data that logs both protocol headers and payload content. This allows analysts to inspect command and control (C2) traffic, exfiltration, and other suspicious activity within network communications. Unlike metadata-based logs, full content analysis enables deeper protocol inspection, payload decoding, and forensic investigations.

*Data Collection Measures:*

- Network Packet Capture (Full Content Logging)
  - Wireshark / tcpdump / tshark: full packet captures (PCAP files) for manual analysis or IDS correlation. `tcpdump -i eth0 -w capture.pcap`
  - Zeek (formerly Bro): extracts protocol headers and payload details into structured logs. `echo "redef Log::default_writer = Log::WRITER_ASCII;" > local.zeek && zeek -Cr capture.pcap local.zeek`
  - Suricata / Snort (IDS/IPS with PCAP logging): deep packet inspection (DPI) with signature-based and behavioral analysis. `suricata -c /etc/suricata/suricata.yaml -i eth0 -l /var/log/suricata`
- Host-Based Collection
  - Sysmon Event ID 22 (DNS Query Logging): captures DNS requests made by processes, useful for detecting C2 domains.
  - Sysmon Event ID 3 (Network Connection Initiated): logs process-to-network connection relationships.
  - AuditD (Linux, syscall=connect): monitors outbound network requests from processes. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity`
- Cloud & SaaS Traffic Collection
  - AWS VPC Flow Logs / Azure NSG Flow Logs / Google VPC Flow Logs: capture metadata about inbound/outbound network traffic.
  - Cloud IDS (AWS GuardDuty, Azure Sentinel, Google Chronicle): detects malicious activity in cloud environments by analyzing network traffic patterns.
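To make the difference between metadata-oriented sources (flow logs) and full-content capture concrete, the following Python example (added here; it is not part of the ATT&CK entry and not code from any of the tools listed above) builds a small PCAP file in memory and parses it down to the DNS question name, the field a flow log would never carry. The PCAP bytes, IP addresses, ports and query names are all constructed for illustration; the parser uses only the standard library and handles the little-endian, microsecond, Ethernet-linktype PCAP layout that `tcpdump -w` writes on a typical Ethernet interface.

```python
"""Added example: parse a PCAP far enough to separate connection metadata
(addresses, ports, protocol) from payload content (the DNS question name).
The PCAP is built in memory; all addresses, ports and names are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4  # little-endian, microsecond-resolution pcap
LINKTYPE_ETHERNET = 1

def encode_dns_name(name: str) -> bytes:
    """'a.example' -> b'\\x01a\\x07example\\x00' (DNS label encoding)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); returns 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_dns_query_frame(src_ip: str, dst_ip: str, src_port: int, qname: str) -> bytes:
    """Ethernet + IPv4 + UDP + DNS standard query for an A record, as raw bytes."""
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, flags=RD, qdcount=1
    dns += encode_dns_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    udp = struct.pack("!HHHH", src_port, 53, 8 + len(dns), 0)  # UDP checksum 0 = omitted (legal on IPv4)
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(dns), 0xABCD, 0x4000, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in the header checksum
    eth = bytes.fromhex("00163e000001" "00163e000002") + struct.pack("!H", 0x0800)  # constructed MACs, IPv4
    return eth + ip + udp + dns

def build_sample_pcap() -> bytes:
    """Two constructed DNS queries from one workstation to an internal resolver."""
    frames = [(1_700_000_000, 0, build_dns_query_frame("10.0.0.5", "10.0.0.53", 51234, "updates.example.test")),
              (1_700_000_000, 250_000, build_dns_query_frame("10.0.0.5", "10.0.0.53", 51235, "beacon.example.test"))]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)  # pcap global header
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame  # record header + frame
    return out

@dataclass
class Packet:
    ts: float
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int]
    dst_port: Optional[int]
    payload: bytes  # the content that flow logs never carry
    dns_qname: Optional[str] = None

def decode_dns_name(data: bytes, offset: int) -> Tuple[str, int]:
    labels = []
    while True:
        length, offset = data[offset], offset + 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:  # compression pointer: never present in a plain query
            raise ValueError("compressed names not handled in this example")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def parse_ethernet_frame(ts: float, frame: bytes) -> Optional[Packet]:
    """Decode Ethernet/IPv4 and UDP/TCP headers; for UDP port 53 also decode the question name."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:  # IPv4 only in this example
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    src_ip, dst_ip = (".".join(str(b) for b in frame[i:i + 4]) for i in (26, 30))
    l4 = frame[14 + ihl:]
    src_port = dst_port = None
    payload = l4
    if proto in (6, 17):
        src_port, dst_port = struct.unpack_from("!HH", l4, 0)
        payload = l4[8:] if proto == 17 else l4[(l4[12] >> 4) * 4:]  # skip UDP (8) or TCP (data offset) header
    pkt = Packet(ts, src_ip, dst_ip, proto, src_port, dst_port, payload)
    if proto == 17 and 53 in (src_port, dst_port) and len(payload) > 12 and struct.unpack_from("!H", payload, 4)[0]:
        pkt.dns_qname, _ = decode_dns_name(payload, 12)  # qdcount > 0: first question follows the 12-byte header
    return pkt

def parse_pcap(data: bytes) -> List[Packet]:
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("example handles only little-endian pcap with Ethernet link type")
    packets, pos = [], 24
    while pos + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, pos)
        pkt = parse_ethernet_frame(sec + usec / 1e6, data[pos + 16:pos + 16 + incl_len])
        pos += 16 + incl_len
        if pkt:
            packets.append(pkt)
    return packets

def describe(p: Packet) -> dict:
    """Metadata a flow log would carry, plus the content field only a capture can supply."""
    return {"flow": f"{p.src_ip}:{p.src_port}->{p.dst_ip}:{p.dst_port}/{p.proto}",
            "payload_bytes": len(p.payload), "dns_qname": p.dns_qname}
```

Running `describe()` over `parse_pcap(build_sample_pcap())` shows the point of this data component: both packets have identical metadata apart from the source port, and only the decoded payload distinguishes an update check from a query for `beacon.example.test`. To use the parser on a real capture, pass the file contents to `parse_pcap()`; it deliberately rejects pcapng and non-Ethernet captures rather than misparsing them.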

Enterprise | DC0085 | Data Component | Object v2.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Network Traffic Content is the packet or session-level evidence that lets defenders look beyond connection metadata and inspect what actually moved across the network. For leaders, its value is strongest during incident response and high-consequence investigations: it can help determine whether suspicious communications involved command-and-control activity, data movement, or other protocol-level behavior that simpler logs may not explain.

Executive priority

Treat this as a resilience and evidence-readiness capability, not just a monitoring feature. Full-content network visibility can be expensive, privacy-sensitive, and storage-intensive, so leadership should decide where it is most justified: critical network segments, investigation workflows, regulated environments, and locations where exfiltration or C2 validation would materially affect incident decisions. Because ATT&CK provides no specific detection logic for this data component, the priority is confirming that collection, retention, access control, and analyst workflows are fit for investigations rather than assuming coverage exists.

Technical view

SOC and IR teams should validate whether they can obtain full packet capture or session data containing protocol headers and payload content when needed. The supplied ATT&CK description points to full-content packet capture, Zeek-style protocol extraction, IDS/IPS PCAP logging, host network/DNS process context such as Sysmon Event IDs 22 and 3 or Linux AuditD connect monitoring, and cloud traffic sources such as VPC or NSG flow logs and cloud IDS-style analysis. Because cloud flow logs are typically metadata-oriented, teams should distinguish clearly between metadata visibility and true payload/session-content visibility. Use this data component to support forensic inspection, payload decoding, IDS correlation, and investigation of suspected C2 or exfiltration, while recognizing that no ATT&CK tactics, platforms, or detection analytics are specified for this object.

Likely telemetry

  • Full packet capture files containing protocol headers and payload content
  • Session data suitable for protocol inspection and payload decoding
  • IDS/IPS packet or alert context from tools capable of deep packet inspection or PCAP logging
  • Structured network protocol logs derived from packet analysis, such as Zeek-style outputs
  • DNS query evidence and process-to-network connection context from host logging where available

Detection direction

  • First validate collection reality: identify where full-content capture exists, where only metadata exists, and where no network evidence is retained.
  • Tune use cases around investigative questions such as suspected command-and-control traffic, exfiltration review, protocol anomaly investigation, and IDS correlation rather than treating packet capture as a standalone detection.
  • Document blind spots caused by encryption, short retention windows, unmanaged network paths, cloud/SaaS visibility limits, and segments where capture is not legally or operationally approved.
  • Correlate network content with host DNS and process-network telemetry when available to reduce ambiguity about which system or process generated traffic.
  • Account for false positives and privacy risk: benign administrative tools, software updates, and business applications may produce unusual or high-volume traffic that requires contextual triage.
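As an added illustration of the correlation step above (example code, not from the ATT&CK entry or from Glexia's analysis), the Python below joins Zeek-style conn.log and dns.log records to Sysmon Event ID 3 and Event ID 22 records by 4-tuple, query name and time window, so that each network-content observation is attributed to the host process that produced it, and anything left unattributed is surfaced as a blind spot. All records are constructed sample data; the field names follow Zeek's JSON log output and Sysmon's event fields, but the hosts, addresses, process paths and domain names are invented.

```python
"""Added example: attribute network-content evidence (Zeek-style conn.log
and dns.log records) to the originating process by joining it with Sysmon
Event ID 3 (network connection) and Event ID 22 (DNS query) records.
All records below are constructed sample data, not real logs."""
import json
from datetime import datetime, timezone
from typing import List, Optional

# Constructed Zeek conn.log (JSON output) lines: two outbound connections from one workstation.
ZEEK_CONN = r"""
{"ts": 1700000005.10, "uid": "Cx1", "id.orig_h": "10.0.0.5", "id.orig_p": 51235, "id.resp_h": "198.51.100.20", "id.resp_p": 443, "proto": "tcp", "orig_bytes": 512000, "resp_bytes": 1200}
{"ts": 1700000007.30, "uid": "Cx2", "id.orig_h": "10.0.0.5", "id.orig_p": 51240, "id.resp_h": "203.0.113.9", "id.resp_p": 80, "proto": "tcp", "orig_bytes": 300, "resp_bytes": 9000}
"""
# Constructed Zeek dns.log line: the query whose answer the first connection went to.
ZEEK_DNS = r"""
{"ts": 1700000004.90, "uid": "Cd1", "id.orig_h": "10.0.0.5", "id.orig_p": 51234, "id.resp_h": "10.0.0.53", "id.resp_p": 53, "query": "beacon.example.test", "answers": ["198.51.100.20"]}
"""
# Constructed Sysmon records from the same workstation (UtcTime uses Sysmon's "YYYY-MM-DD HH:MM:SS.mmm" format).
SYSMON = r"""
{"EventID": 3, "UtcTime": "2023-11-14 22:13:25.050", "Computer": "WS-05", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe", "ProcessId": 4312, "SourceIp": "10.0.0.5", "SourcePort": 51235, "DestinationIp": "198.51.100.20", "DestinationPort": 443}
{"EventID": 3, "UtcTime": "2023-11-14 22:13:27.400", "Computer": "WS-05", "Image": "C:\\Program Files\\Browser\\browser.exe", "ProcessId": 2210, "SourceIp": "10.0.0.5", "SourcePort": 51240, "DestinationIp": "203.0.113.9", "DestinationPort": 80}
{"EventID": 22, "UtcTime": "2023-11-14 22:13:24.800", "Computer": "WS-05", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe", "ProcessId": 4312, "QueryName": "beacon.example.test", "QueryResults": "::ffff:198.51.100.20;"}
"""

def load_jsonl(text: str) -> List[dict]:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def sysmon_epoch(utc_time: str) -> float:
    """Convert Sysmon UtcTime to a POSIX timestamp comparable with Zeek's ts field."""
    return datetime.strptime(utc_time, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc).timestamp()

def attribute_connections(conn: List[dict], sysmon: List[dict], window_s: float = 5.0) -> List[dict]:
    """Join each conn record to the Sysmon Event 3 with the same 4-tuple that is closest in time (within window_s)."""
    ev3 = [e for e in sysmon if e["EventID"] == 3]
    out = []
    for c in conn:
        best: Optional[dict] = None
        best_delta = window_s
        for e in ev3:
            if (e["SourceIp"], e["SourcePort"], e["DestinationIp"], e["DestinationPort"]) != (
                    c["id.orig_h"], c["id.orig_p"], c["id.resp_h"], c["id.resp_p"]):
                continue
            delta = abs(sysmon_epoch(e["UtcTime"]) - c["ts"])
            if delta <= best_delta:
                best, best_delta = e, delta
        out.append({"uid": c["uid"], "dst": f'{c["id.resp_h"]}:{c["id.resp_p"]}', "orig_bytes": c["orig_bytes"],
                    "host": best["Computer"] if best else None, "image": best["Image"] if best else None,
                    "pid": best["ProcessId"] if best else None})
    return out

def attribute_dns(dns: List[dict], sysmon: List[dict], window_s: float = 5.0) -> List[dict]:
    """Join each dns.log query to a Sysmon Event 22 carrying the same name within window_s."""
    ev22 = [e for e in sysmon if e["EventID"] == 22]
    out = []
    for d in dns:
        match = next((e for e in ev22 if e["QueryName"].lower() == d["query"].lower()
                      and abs(sysmon_epoch(e["UtcTime"]) - d["ts"]) <= window_s), None)
        out.append({"query": d["query"], "answers": d.get("answers", []),
                    "image": match["Image"] if match else None, "pid": match["ProcessId"] if match else None})
    return out

def link_dns_to_connections(dns_attr: List[dict], conn_attr: List[dict]) -> List[tuple]:
    """Pivot from a resolved name to the attributed connections that reached one of its answer addresses."""
    return [(d["query"], c["dst"], c["image"]) for d in dns_attr for c in conn_attr
            if c["dst"].rsplit(":", 1)[0] in d["answers"]]

def unattributed(records: List[dict]) -> List[dict]:
    """Records with no matching host event: the ambiguity the correlation is meant to remove."""
    return [r for r in records if r["image"] is None]
```

The time window matters more than it looks: Sysmon stamps the connection when the process initiates it, while Zeek stamps the flow when it first sees packets, so the two disagree by clock skew plus capture latency. Start with a few seconds, measure the deltas you observe, and tighten from there; records returned by `unattributed()` are exactly the "which process generated this?" gaps the bullet above asks teams to document.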

Mitigation priorities

  • Define policy for where full-content capture is allowed, required, and prohibited, including privacy, legal, and retention constraints.
  • Prioritize collection around critical assets, egress points, investigation choke points, and environments where C2 or exfiltration evidence would drive incident decisions.
  • Pair packet/session-content sources with host and identity context so analysts can connect traffic to users, systems, and processes where possible.
  • Set retention and access controls appropriate to the sensitivity of captured payload content.
  • Maintain analyst procedures for PCAP review, protocol decoding, IDS correlation, and escalation into incident response.

Analyst notes and limits

This object is a data component, not a technique, and no relationship context was supplied. Its defensive value is strongest as an evidence source for detection engineering, managed detection, and incident response, especially when metadata alone cannot answer what occurred inside a network session. Local architecture, encryption patterns, logging retention, and privacy requirements will determine how useful and appropriate this data source is.

ATT&CK does not provide official detection logic, tactics, platforms, aliases, labels, or relationships for this object in the supplied fields. The collection examples include both full-content and metadata-oriented sources, so teams must verify what each source actually captures in their environment. This summary does not imply active exploitation, attribution, guaranteed detection coverage, or universal applicability.

Official MITRE ATT&CK definition (the definition and data collection measures are reproduced in full at the top of this page)

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 2.1
Created:
Modified:
Raw hash: 5df8b7aabc3bfe28...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | 5df8b7aabc3b… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DC0085 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.