M1031: Network Intrusion Prevention
Use intrusion detection signatures to block traffic at network boundaries.
Analyst context for executives and security teams
Network Intrusion Prevention is a boundary control intended to block traffic that matches intrusion detection signatures. Its business value is strongest where adversary behavior depends on network communications: command-and-control, proxying, protocol impersonation, service discovery, and multiple exfiltration patterns. For leaders, the key question is not whether an IPS exists, but whether it is positioned, tuned, and governed to block the specific network behaviors that matter to the organization without disrupting legitimate operations.
Executive priority
Prioritize this mitigation as part of resilience and incident containment planning for command-and-control and exfiltration risk. The related ATT&CK techniques show coverage relevance across C2 channels, alternate protocols, DNS/web/file/mail protocols, proxies, scheduled or size-limited transfers, and service discovery. Executives should ask for evidence of where blocking is enforced, how signatures are maintained, what traffic is not inspected, and how exceptions are approved. This is also useful compliance evidence when demonstrating preventive network controls, but it should not be treated as complete coverage by itself.
Technical view
MITRE defines M1031 as using intrusion detection signatures to block traffic at network boundaries. SOC and detection engineering teams should validate IPS policy coverage against the related techniques: Data Obfuscation, Junk Data, Steganography, Protocol or Service Impersonation, Fallback Channels, Scheduled Transfer, Data Transfer Size Limits, Exfiltration over C2 or alternative protocols, Application Layer Protocol abuse, Proxy behavior, Non-Application Layer Protocol C2, Web Service C2, and Network Service Discovery. Because no official detection text is provided for this mitigation, validation should focus on control placement, signature relevance, alert-to-block behavior, exception handling, and whether encrypted, obfuscated, internal, cloud, or non-standard protocol traffic creates blind spots.
Likely telemetry
- IPS/IDS alerts and block events at network boundaries
- Firewall allow/deny logs correlated with IPS decisions
- Network flow records showing source, destination, port, protocol, volume, and timing
- DNS query and response logs where DNS-based C2 or exfiltration is in scope
- Web proxy or secure web gateway logs for HTTP/S and web service traffic
Detection direction
- Confirm which related ATT&CK techniques have active signatures or blocking rules and which are only monitored.
- Validate that IPS placement covers relevant ingress, egress, and segmented boundary paths; network boundaries may not include all internal or cloud traffic.
- Tune for protocol impersonation, junk data, abnormal transfer sizing, scheduled transfers, proxy behavior, and non-standard protocol use without assuming every anomaly is malicious.
- Review false positives carefully for common protocols such as HTTP/S, DNS, mail, SMB, FTP, and publish/subscribe protocols because legitimate business traffic may look similar at a network level.
- Identify blind spots where encryption, steganography, legitimate web services, fallback channels, or approved proxies reduce signature visibility.
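Two of the checks above (that IPS alerts actually translate into blocks, and that size-limited or scheduled transfers can be picked out of flow records without treating every regular connection as hostile) can be exercised against the telemetry listed earlier. The following is an added example, not code from MITRE or from the mirrored project: it reads a constructed set of Suricata EVE-style JSON lines (the `alert` and `flow` field names follow Suricata's schema, but every value, address and signature id is made up), lists alerts whose action was `allowed` rather than `blocked`, and flags destination tuples whose outbound flows recur at a near-constant interval with near-constant size. The thresholds are assumptions to tune locally.

```python
"""Validate alert-to-block behaviour and spot periodic, fixed-size transfers.

Added example; the EVE records below are constructed, not real telemetry.
"""
import json
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed EVE-style events: two alerts and a handful of flow records.
# Signature ids 9000002/9000004 are hypothetical, not real ET sids.
SAMPLE_EVE = r'''
{"timestamp":"2024-05-01T10:00:00+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP","alert":{"signature_id":9000002,"action":"allowed","metadata":{"mitre_technique_id":["T1071"]}}}
{"timestamp":"2024-05-01T10:00:01+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"203.0.113.9","dest_port":21,"proto":"TCP","alert":{"signature_id":9000004,"action":"blocked","metadata":{"mitre_technique_id":["T1048"]}}}
{"timestamp":"2024-05-01T10:00:00+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP","flow":{"bytes_toserver":1024000,"bytes_toclient":512}}
{"timestamp":"2024-05-01T10:10:00+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP","flow":{"bytes_toserver":1024000,"bytes_toclient":498}}
{"timestamp":"2024-05-01T10:20:00+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP","flow":{"bytes_toserver":1024000,"bytes_toclient":510}}
{"timestamp":"2024-05-01T10:30:00+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP","flow":{"bytes_toserver":1024000,"bytes_toclient":505}}
{"timestamp":"2024-05-01T09:03:00+0000","event_type":"flow","src_ip":"10.0.0.8","dest_ip":"198.51.100.4","dest_port":443,"proto":"TCP","flow":{"bytes_toserver":2300,"bytes_toclient":90000}}
{"timestamp":"2024-05-01T11:47:00+0000","event_type":"flow","src_ip":"10.0.0.8","dest_ip":"198.51.100.4","dest_port":443,"proto":"TCP","flow":{"bytes_toserver":410,"bytes_toclient":12000}}
'''


def load_events(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(value):
    # Suricata writes "+0000"-style offsets, which %z accepts.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")


def _cv(values):
    """Coefficient of variation: 0 for a constant series, inf if the mean is 0."""
    m = mean(values)
    return float("inf") if m == 0 else pstdev(values) / m


def allowed_alerts(events):
    """Alerts whose action was 'allowed': the signature fired but nothing was blocked.

    Each such signature is monitor-only in practice, whatever the policy says.
    """
    out = []
    for e in events:
        if e.get("event_type") != "alert":
            continue
        a = e["alert"]
        if a.get("action") == "allowed":
            techs = a.get("metadata", {}).get("mitre_technique_id", [])
            out.append((a["signature_id"], techs))
    return out


def periodic_transfers(events, min_flows=4, max_interval_cv=0.1, max_size_cv=0.05):
    """Flag (src, dst, port) tuples with evenly spaced, same-sized outbound flows.

    A hit is a lead, not a verdict: backup agents and telemetry beacons look
    the same at flow level, so findings go to review against approved traffic.
    """
    groups = defaultdict(list)
    for e in events:
        if e.get("event_type") != "flow":
            continue
        key = (e["src_ip"], e["dest_ip"], e["dest_port"])
        groups[key].append((_ts(e["timestamp"]), e["flow"]["bytes_toserver"]))
    findings = []
    for (src, dst, port), flows in groups.items():
        if len(flows) < min_flows:
            continue
        flows.sort()
        times = [t for t, _ in flows]
        sizes = [b for _, b in flows]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if _cv(intervals) <= max_interval_cv and _cv(sizes) <= max_size_cv:
            findings.append({"src_ip": src, "dest_ip": dst, "dest_port": port,
                             "flows": len(flows), "interval_s": mean(intervals),
                             "bytes_toserver": mean(sizes)})
    return findings


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVE)
    print("alerts that did not block:", allowed_alerts(evs))
    for f in periodic_transfers(evs):
        print("periodic transfer candidate:", f)
```

Run against real EVE output the same two functions apply unchanged; the interesting follow-up is joining each `allowed` alert to the firewall decision for the same tuple, which tells you whether a second layer stopped the traffic the IPS only observed.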
Mitigation priorities
- Start with an inventory of network boundaries where IPS blocking is expected, including internet egress, ingress, sensitive segment boundaries, and cloud/IaaS paths where applicable to the environment.
- Map IPS signatures and policies to the related C2, discovery, and exfiltration techniques to expose unsupported or monitor-only areas.
- Maintain a governed signature update and exception process so blocking remains current while business-critical traffic is not disrupted unexpectedly.
- Prioritize egress controls and protocol governance for commonly abused channels such as web, DNS, file transfer, mail, and proxy paths.
- Use IPS blocking as one layer alongside logging, segmentation, firewall policy, proxy controls, and incident response playbooks; do not rely on signatures alone for obfuscated or encrypted traffic.
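The first step in the Detection direction list (which related techniques have blocking rules versus monitor-only ones) and the second mitigation priority (mapping signatures to techniques to expose gaps) are the same coverage question asked from two sides. The following is an added example, not MITRE's or the mirrored project's code: it parses a constructed set of Suricata-style rules, reads the `mitre_technique_id` metadata tag that Emerging Threats rule sets carry, and reports each related technique as blocking (`drop`/`reject`), monitor-only (`alert`), or uncovered. The sids and rule bodies are hypothetical; the technique ids are a subset of the relationship table on this page.

```python
"""Map IPS rule actions to the ATT&CK techniques linked to M1031.

Added example; the rules below are constructed and their sids are hypothetical.
"""
import re
from collections import defaultdict

# Subset of the related techniques listed in this page's relationship table.
RELATED_TECHNIQUES = {
    "T1071": "Application Layer Protocol",
    "T1071.004": "DNS",
    "T1048": "Exfiltration Over Alternative Protocol",
    "T1568.002": "Domain Generation Algorithms",
    "T1046": "Network Service Discovery",
    "T1029": "Scheduled Transfer",
    "T1090": "Proxy",
}

# Constructed Suricata-style rules. The third is commented out on purpose to
# show that a disabled rule contributes no coverage.
SAMPLE_RULES = r'''
drop dns $HOME_NET any -> any 53 (msg:"EXAMPLE DGA-like query"; dns.query; pcre:"/^[a-z0-9]{20,}\./"; metadata:mitre_technique_id T1568.002, mitre_tactic_id TA0011; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE suspicious beacon UA"; http.user_agent; content:"example-beacon"; metadata:mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol; sid:9000002; rev:2;)
# alert tcp any any -> $HOME_NET any (msg:"EXAMPLE disabled scan rule"; flags:S; threshold:type both, track by_src, count 50, seconds 10; metadata:mitre_technique_id T1046; sid:9000003; rev:1;)
reject tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"EXAMPLE FTP exfil"; flow:established; metadata:mitre_technique_id T1048; sid:9000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE no technique tag"; content:"untagged"; sid:9000005; rev:1;)
'''

# action, header (no parentheses), then the parenthesised option block.
RULE_RE = re.compile(r"^(?P<action>alert|drop|reject|pass)\s+(?P<header>[^(]+)\((?P<opts>.*)\)\s*$")
TECH_RE = re.compile(r"mitre_technique_id\s+(T\d{4}(?:\.\d{3})?)")
SID_RE = re.compile(r"\bsid:\s*(\d+)")
BLOCKING_ACTIONS = {"drop", "reject"}


def parse_rules(text):
    """Return (sid, action, [technique ids]) for each enabled rule."""
    parsed = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or disabled
        m = RULE_RE.match(line)
        if not m:
            continue  # not a rule line (e.g. a stray comment)
        opts = m.group("opts")
        sid = SID_RE.search(opts)
        parsed.append((sid.group(1) if sid else None, m.group("action"), TECH_RE.findall(opts)))
    return parsed


def coverage_report(rules, related=RELATED_TECHNIQUES):
    """Classify each related technique as 'blocking', 'monitor-only' or 'none'.

    A technique counts as blocking if any enabled rule tagged with it drops or
    rejects; an alert-only rule leaves it monitor-only.
    """
    actions = defaultdict(set)
    for _sid, action, techs in rules:
        for t in techs:
            actions[t].add(action)
    report = {}
    for tech in related:
        acts = actions.get(tech, set())
        if acts & BLOCKING_ACTIONS:
            report[tech] = "blocking"
        elif "alert" in acts:
            report[tech] = "monitor-only"
        else:
            report[tech] = "none"
    return report


def untagged_rules(rules):
    """Rules without technique metadata cannot be mapped; surface them for tagging."""
    return [sid for sid, _action, techs in rules if not techs]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for tech, status in coverage_report(rules).items():
        print(f"{tech:<10} {RELATED_TECHNIQUES[tech]:<40} {status}")
    print("untagged sids:", untagged_rules(rules))
```

The report is only as good as the tagging: the untagged list is the backlog that keeps the mapping honest, and a technique marked blocking here still needs the telemetry check that the rule is placed on a boundary the traffic actually crosses.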
Analyst notes and limits
The object is a mitigation, not a detection analytic. Its official description is brief, and no official detection guidance is provided. The relationship set is important: MITRE links this mitigation to many command-and-control and exfiltration techniques, plus network service discovery, which makes it most useful as a preventive network-control discussion rather than a standalone SOC alerting strategy.
Platforms and tactics are not specified on the mitigation object itself. Platform references come from related techniques and should be validated against the local environment before drawing coverage conclusions. The supplied data does not prove any organization has effective IPS coverage, active exploitation, specific adversary use, or guaranteed detection/blocking.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1568 | Dynamic Resolution | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Malware researchers can reverse engineer malware variants that use dynamic resolution and determine future C2 infrastructure that the malware will attempt to contact, but this is a time and resource intensive effort. (Citation: Cybereason Dissecting DGAs) (Citation: Cisco Umbrella DGA Brute Force) |
| Enterprise | T1542.005 | TFTP Boot Sub-technique | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific protocols, such as TFTP, can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific technique used by a particular adversary or tool, and will likely be different across various network configurations. |
| Enterprise | T1008 | Fallback Channels | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2) |
| Enterprise | T1572 | Protocol Tunneling | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
| Enterprise | T1071 | Application Layer Protocol | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol Sub-technique | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. |
| Enterprise | T1105 | Ingress Tool Transfer | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2) |
| Enterprise | T1132 | Data Encoding | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2) |
| Enterprise | T1568.002 | Domain Generation Algorithms Sub-technique | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Malware researchers can reverse engineer malware variants that use DGAs and determine future domains that the malware will attempt to contact, but this is a time and resource intensive effort. (Citation: Cybereason Dissecting DGAs) (Citation: Cisco Umbrella DGA Brute Force) Malware is also increasingly incorporating seed values that can be unique for each instance, which would then need to be determined to extract future generated domains. In some cases, the seed that a particular sample uses can be extracted from DNS traffic. (Citation: Akamai DGA Mitigation) Even so, there can be thousands of possible domains generated per day; this makes it impractical for defenders to preemptively register all possible C2 domains due to the cost. |
| Enterprise | T1102 | Web Service | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2) |
| Enterprise | T1104 | Multi-Stage Channels | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
| Enterprise | T1090.002 | External Proxy Sub-technique | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2) |
| Enterprise | T1095 | Non-Application Layer Protocol | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
| Enterprise | T1204.005 | Malicious Library Sub-technique | Network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity. |
| Enterprise | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Sub-technique | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. |
| Enterprise | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol Sub-technique | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. |
| Enterprise | T1557.002 | ARP Cache Poisoning Sub-technique | Network intrusion detection and prevention systems that can identify traffic patterns indicative of AiTM activity can be used to mitigate activity at the network level. |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
| Enterprise | T1046 | Network Service Discovery | Use network intrusion detection/prevention systems to detect and prevent remote service scans. |
| Enterprise | T1557.001 | Name Resolution Poisoning and SMB Relay Sub-technique | Network intrusion detection and prevention systems that can identify traffic patterns indicative of AiTM activity can be used to mitigate activity at the network level. |
| Enterprise | T1570 | Lateral Tool Transfer | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. (Citation: University of Birmingham C2) |
| Enterprise | T1557.004 | Evil Twin Sub-technique | Wireless intrusion prevention systems (WIPS) can identify traffic patterns indicative of adversary-in-the-middle activity and scan for evil twins and rogue access points. |
| Enterprise | T1204.001 | Malicious Link Sub-technique | If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity. |
| Enterprise | T1566 | Phishing | Network intrusion prevention systems and systems designed to scan and remove malicious email attachments or links can be used to block activity. |
| Enterprise | T1071.003 | Mail Protocols Sub-technique | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
| Enterprise | T1204.004 | Malicious Copy and Paste Sub-technique | If a link is being requested by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity. |
| Enterprise | T1557.003 | DHCP Spoofing Sub-technique | Network intrusion detection and prevention systems that can identify traffic patterns indicative of AiTM activity can be used to mitigate activity at the network level. (Citation: dhcp_serv_op_events) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity. |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. |
| Enterprise | T1204.003 | Malicious Image Sub-technique | Network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity. |
| Enterprise | T1001.001 | Junk Data Sub-technique | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level. |
| Enterprise | T1001 | Data Obfuscation | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level. |
| Enterprise | T1090.001 | Internal Proxy Sub-technique | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2) |
| Enterprise | T1204 | User Execution | If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity. |
| Enterprise | T1557 | Adversary-in-the-Middle | Network intrusion detection and prevention systems that can identify traffic patterns indicative of AiTM activity can be used to mitigate activity at the network level. |
| Enterprise | T1602.002 | Network Device Configuration Dump Sub-technique | Configure intrusion prevention devices to detect SNMP queries and commands from unauthorized sources. Create signatures to detect Smart Install (SMI) usage from sources other than the trusted director. (Citation: US-CERT TA18-106A Network Infrastructure Devices 2018) |
| Enterprise | T1602.001 | SNMP (MIB Dump) Sub-technique | Configure intrusion prevention devices to detect SNMP queries and commands from unauthorized sources. (Citation: US-CERT-TA18-106A) |
| Enterprise | T1029 | Scheduled Transfer | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2) |
| Enterprise | T1102.001 | Dead Drop Resolver Sub-technique | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
| Enterprise | T1030 | Data Transfer Size Limits | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. |
| Enterprise | T1221 | Template Injection | Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads. (Citation: Anomali Template Injection MAR 2018) |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
| Enterprise | T1071.002 | File Transfer Protocols Sub-technique | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
| Enterprise | T1573 | Encrypted Channel | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
| Enterprise | T1001.002 | Steganography Sub-technique | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level. |
| Enterprise | T1602 | Data from Configuration Repository | Configure intrusion prevention devices to detect SNMP queries and commands from unauthorized sources. (Citation: US-CERT-TA18-106A) |
| Enterprise | T1001.003 | Protocol or Service Impersonation Sub-technique | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level. |
| Enterprise | T1071.004 | DNS Sub-technique | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
| Enterprise | T1102.003 | One-Way Communication Sub-technique | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
| Enterprise | T1090 | Proxy | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2) |
| Enterprise | T1219 | Remote Access Tools | Network intrusion detection and prevention systems that use network signatures may be able to prevent traffic to remote access services. |
| Enterprise | T1542.004 | ROMMONkit Sub-technique | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific protocols, such as TFTP, can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific technique used by a particular adversary or tool, and will likely be different across various network configurations. |
| Enterprise | T1571 | Non-Standard Port | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
| Enterprise | T1071.005 | Publish/Subscribe Protocols Sub-technique | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. |
| Enterprise | T1132.002 | Non-Standard Encoding Sub-technique | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. |
| Enterprise | T1102.002 | Bidirectional Communication Sub-technique | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f72541d59fa3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack M1031 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.