46 Techniques · 10 Tactics · Network-Layer Detection

MITRE ATT&CK Network Detection

SOC teams and incident responders rely on MITRE ATT&CK to classify adversary behavior, but mapping packet captures to technique IDs manually takes hours in Wireshark. PcapAI automates that work: upload a PCAP file and get a structured report with every matching ATT&CK technique ID, tactic, severity, and full evidence — in under 60 seconds.

The matrix below documents every technique our analyzers can detect from raw PCAP and PCAPNG files. Detection logic is derived from stateful deep packet inspection, not endpoint telemetry or log aggregation, making it useful even when you have no access to the affected host.

Techniques: 46 (from PCAP, no agents)
ATT&CK Tactics: 10 (Reconnaissance to Impact)
Sub-Techniques: 26 (granular logic)
Analysis Time: under 60 s (vs hours in Wireshark)

Detection Engine: MITRE ATT&CK Network Detection Matrix

Every technique below is detectable from a packet capture file using AI-powered PCAP analysis — no endpoint agents or log collectors required.

Reconnaissance (3 techniques)
T1590 Reconnaissance

Gather Victim Network Information

Detects DNS reconnaissance by counting NXDOMAIN responses per source host. When a single resolver floods queries for non-existent subdomains within a target domain, the analyzer raises an alert. It also flags DNS zone transfer (AXFR) requests — adversaries use these to dump every record in a zone without iterative enumeration, revealing all hostnames in scope before active scanning begins. Both signals fire independently with source IP and domain evidence.

T1595.001 Reconnaissance

Active Scanning: Scanning IP Blocks

Identifies true port scanning by counting TCP RST responses and ICMP Port Unreachable messages received per source host. Unlike rate-based heuristics, this approach examines rejection traffic — the definitive evidence that probed ports were closed or filtered. A finding fires when a source accumulates rejections across more than a threshold of unique destination IPs, indicating a systematic sweep of an IP block rather than normal connection failures.
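To make the rejection-counting approach concrete, here is an added example (not PcapAI's analyzer code) that groups TCP RST and ICMP Port Unreachable events by the probing source and counts distinct rejecting destination IPs; the events and the threshold are constructed for illustration.

```python
"""Rejection-based IP block scan detection (T1595.001), added example.

Events are constructed here rather than parsed from a PCAP: each is one
rejection seen on the wire, a TCP RST or an ICMP Port Unreachable, attributed
to the host that sent the original probe. The threshold is an assumption.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Hypothetical threshold: rejections from more than this many distinct IPs
# is treated as a systematic sweep rather than ordinary connection failures.
UNIQUE_DST_THRESHOLD = 5

# Constructed rejection events: (probing_src, probed_dst, probed_port, kind)
# kind is "tcp_rst" (RST from dst) or "icmp_unreach" (ICMP type 3, code 3).
REJECTIONS: List[Tuple[str, str, int, str]] = [
    # 10.0.0.5 sweeps 10.0.1.0/24 for port 445: one RST per live host
    *[("10.0.0.5", f"10.0.1.{i}", 445, "tcp_rst") for i in range(1, 9)],
    # the same scanner also probes SNMP on two hosts, rejected via ICMP
    ("10.0.0.5", "10.0.1.20", 161, "icmp_unreach"),
    ("10.0.0.5", "10.0.1.21", 161, "icmp_unreach"),
    # 10.0.0.9 retries one down web server twelve times: not a scan
    *[("10.0.0.9", "10.0.2.7", 8080, "tcp_rst") for _ in range(12)],
]


def rejections_per_source(events):
    """Map each probing source to the set of destination IPs that rejected it,
    plus a per-kind counter so the evidence shows how the rejections arrived."""
    dsts: Dict[str, Set[str]] = defaultdict(set)
    kinds: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for src, dst, _port, kind in events:
        dsts[src].add(dst)
        kinds[src][kind] += 1
    return dsts, kinds


def detect_ip_block_scans(events, threshold=UNIQUE_DST_THRESHOLD):
    """One finding per source whose rejections span more unique destination
    IPs than `threshold`. Many rejections from a single destination (a retry
    loop) never qualify: the unit counted is IPs, not packets."""
    dsts, kinds = rejections_per_source(events)
    findings = []
    for src, rejecting_ips in dsts.items():
        if len(rejecting_ips) > threshold:
            findings.append({
                "technique": "T1595.001",
                "source": src,
                "unique_rejecting_ips": len(rejecting_ips),
                "tcp_rst": kinds[src]["tcp_rst"],
                "icmp_unreach": kinds[src]["icmp_unreach"],
            })
    return findings


if __name__ == "__main__":
    for finding in detect_ip_block_scans(REJECTIONS):
        print(finding)
```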

T1595.002 Reconnaissance

Active Scanning: Vulnerability Scanning

Parses HTTP User-Agent strings and request paths to identify known vulnerability scanner signatures including Nessus, OpenVAS, Nuclei, and Nikto. Also detects path traversal attempts, CGI endpoint probing, and default credential page enumeration. A finding fires when a source sends requests matching scanner fingerprints or targets a statistically improbable variety of known-vulnerable paths, distinguishing automated scanning from manual browsing.

Initial Access (4 techniques)
T1133 Initial Access

External Remote Services

Monitors inbound TCP SYN packets from external (non-RFC-1918) sources destined for SSH (22), RDP (3389), and WinRM (5985/5986) ports. Fires a medium-severity finding per unique external-to-internal connection. Escalates to high severity when the same external IP targets the same port repeatedly within a short window, indicating automated credential attacks against the network perimeter rather than legitimate remote access.

T1190 Initial Access

Exploit Public-Facing Application

Scans HTTP GET and POST payloads for SQL injection signatures — UNION SELECT, OR 1=1, stacked queries, time-based blind patterns — and XSS markers including script tags and javascript: URIs. Each detected pattern class triggers a separate finding, enabling analysts to determine whether an adversary tested a single vulnerability type or broad-spectrum application exploitation across multiple attack categories.

T1566.001 Initial Access

Phishing: Spearphishing Attachment

Inspects SMTP MIME Content-Disposition and Content-Type headers within reassembled email sessions for executable and macro-enabled file types: .exe, .dll, .docm, .xlsm, .js, .vbs, .lnk, .zip, .rar, .7z, and .iso. Fires a high-severity finding per suspicious attachment type observed, preserving sender and recipient addresses from SMTP headers. Designed to catch phishing delivery at the network layer without requiring endpoint agents.

T1566.002 Initial Access

Phishing: Spearphishing Link

Analyzes DNS query names and HTTP Host headers against high-risk TLD lists and a typosquatting engine using Levenshtein distance scoring. Flags domains closely resembling legitimate brand names (distance ≤ 2) and newly abused TLDs. Designed to catch phishing infrastructure before a user clicks — pre-click DNS resolution from a browser or email client exposes the malicious domain in network traffic even before HTTP contact is made.

Execution (1 technique)
T1047 Execution

Windows Management Instrumentation

Detects WMI-based remote execution over DCOM by tracking TCP SYN packets to port 135 (RPC Endpoint Mapper) between internal hosts. When a source also connects to dynamic high-numbered RPC ports (49152–65535) on the same destination within a short window, the analyzer fires. This pattern matches WMI remote invocations, PsExec-style tooling, and lateral movement frameworks that rely on DCOM transport for execution without persistent services.

Persistence (1 technique)
T1505.003 Persistence

Server Software Component: Web Shell

Matches incoming HTTP requests against known web shell filenames and paths. Also flags POST requests submitting command parameters (cmd=, exec=, pass=) to .php, .aspx, .jsp, or .cfm server-side scripts. Fires on the first matching request, providing the URL path, source IP, and HTTP method needed to locate and remove the implant. Covers China Chopper, WSO, b374k, and generic one-liner shell patterns.

Credential Access (11 techniques)
T1040 Credential Access

Network Sniffing

Parses TCP-reassembled streams to extract plaintext credentials from FTP (USER/PASS on port 21), SMTP AUTH PLAIN/LOGIN (25/587), POP3 USER/PASS (110), IMAP LOGIN (143), Telnet username prompts (23), and PostgreSQL simple-auth (5432). Fires a critical-severity finding for each credential pair observed in cleartext, recording source IP, destination IP, and protocol to support immediate password rotation and access revocation.

T1110 Credential Access

Brute Force

Counts failed authentication responses per source IP: HTTP 401/403 errors, FTP 530 login-incorrect replies, and abnormally short-lived SSH and RDP sessions. When a single source accumulates threshold failures within 60 seconds, a high-severity finding fires. Failure counts are tracked independently per protocol and destination, enabling precise attribution even when an adversary distributes attempts across multiple services to avoid per-service lockout thresholds.

T1110.001 Credential Access

Brute Force: Password Guessing

Tracks authentication attempts per (source IP, target username) tuple across FTP, SMTP AUTH, POP3, IMAP, and Telnet sessions. When the same username receives multiple different password attempts from one source within the observation window, the analyzer concludes a dictionary or wordlist-based guessing campaign is underway. Fires once per unique (attacker, username, protocol) combination to prevent alert fatigue while still capturing all targeted accounts.

T1110.002 Credential Access

Brute Force: Password Cracking

Monitors Kerberos traffic on port 88 for two offline-cracking indicators. AS-REP Roasting fires when the KDC returns an AS-REP for an account with pre-authentication disabled — the encrypted response is crackable with hashcat or John the Ripper. Kerberoasting fires when a TGS-REP uses RC4 (etype 23) encryption for a service ticket, the weakest Kerberos cipher specifically chosen because it is offline-crackable.

T1110.003 Credential Access

Brute Force: Password Spraying

Distinguishes password spraying from per-account guessing by tracking attempts per source IP across multiple target usernames. When one source tries the same password against many different accounts on FTP, SMTP, or POP3 within a short window, the analyzer fires. This low-and-slow pattern bypasses per-account lockout policies and is a hallmark of targeted Active Directory credential attacks designed to evade security monitoring thresholds.
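The guessing-versus-spraying distinction drawn by the T1110.001 and T1110.003 entries above, as an added example rather than PcapAI's analyzer code: attempts are keyed once by (source, protocol, username) and once by (source, protocol, password), and each group is checked for distinct values inside a sliding window. The attempts, thresholds and window length are constructed assumptions.

```python
"""Password guessing (T1110.001) vs password spraying (T1110.003) from
cleartext authentication attempts. Added example; data and thresholds are
constructed assumptions, not PcapAI's values."""
from collections import defaultdict
from typing import Dict, List, Tuple

GUESS_MIN_PASSWORDS = 3   # distinct passwords against one username, one source
SPRAY_MIN_USERNAMES = 3   # distinct usernames tried with one password, one source
WINDOW_SECONDS = 300      # observation window (assumed)

# Constructed attempts: (timestamp, src_ip, protocol, username, password)
ATTEMPTS: List[Tuple[float, str, str, str, str]] = [
    # wordlist against one account: guessing
    (0.0, "10.0.0.5", "ftp", "backup", "password"),
    (1.0, "10.0.0.5", "ftp", "backup", "backup123"),
    (2.5, "10.0.0.5", "ftp", "backup", "Welcome1"),
    (4.0, "10.0.0.5", "ftp", "backup", "Summer2024"),
    # one password, many accounts, one attempt per minute: spraying
    (10.0, "10.0.0.7", "pop3", "alice", "Spring2024!"),
    (70.0, "10.0.0.7", "pop3", "bob", "Spring2024!"),
    (130.0, "10.0.0.7", "pop3", "carol", "Spring2024!"),
    (190.0, "10.0.0.7", "pop3", "dave", "Spring2024!"),
    # a user mistyping once and then succeeding: below both thresholds
    (20.0, "10.0.0.9", "pop3", "erin", "hunter2"),
    (25.0, "10.0.0.9", "pop3", "erin", "hunter3"),
]


def _distinct_within_window(events, window):
    """events: [(ts, value)]. Largest number of distinct values observed in
    any span of `window` seconds, via a two-pointer sliding window."""
    events = sorted(events)
    counts: Dict[str, int] = defaultdict(int)
    best, left = 0, 0
    for ts, value in events:
        counts[value] += 1
        while events[left][0] < ts - window:      # expire old attempts
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_guessing_and_spraying(attempts, window=WINDOW_SECONDS):
    by_user = defaultdict(list)      # (src, proto, user) -> [(ts, password)]
    by_password = defaultdict(list)  # (src, proto, password) -> [(ts, user)]
    for ts, src, proto, user, pw in attempts:
        by_user[(src, proto, user)].append((ts, pw))
        by_password[(src, proto, pw)].append((ts, user))
    findings = []
    for (src, proto, user), evs in by_user.items():
        n = _distinct_within_window(evs, window)
        if n >= GUESS_MIN_PASSWORDS:
            findings.append({"technique": "T1110.001", "source": src,
                             "protocol": proto, "username": user,
                             "distinct_passwords": n})
    for (src, proto, _pw), evs in by_password.items():
        n = _distinct_within_window(evs, window)
        if n >= SPRAY_MIN_USERNAMES:
            # the sprayed password is deliberately not written into evidence
            findings.append({"technique": "T1110.003", "source": src,
                             "protocol": proto, "distinct_usernames": n})
    return findings


if __name__ == "__main__":
    for finding in detect_guessing_and_spraying(ATTEMPTS):
        print(finding)
```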

T1110.004 Credential Access

Brute Force: Credential Stuffing

Monitors HTTP POST requests to authentication endpoints (/login, /signin, /auth, /api/login) from a single source IP. When one IP sends more than a threshold of login POSTs within 60 seconds — each with different credential pairs — a high-severity finding fires. Covers both HTML form login and JSON API authentication, recording the endpoint path and request count for each finding to support application-layer blocking.

T1552.006 Credential Access

Unsecured Credentials: Group Policy Preferences

Parses SMB2 File Read requests on TCP 445 for SYSVOL Group Policy Preferences XML paths: Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, and Printers.xml. These files historically stored AES-encrypted local administrator passwords in a cpassword attribute whose key was published by Microsoft. Any host accessing these files triggers a critical-severity finding identifying the accessing IP and exact SYSVOL file path.

T1557.001 Credential Access

Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning

Detects LLMNR (UDP 5355) and NBT-NS (UDP 137) poisoning by correlating broadcast queries with responses from unexpected hosts. When a host other than the legitimate name owner answers an LLMNR or NBT-NS query, the analyzer flags a potential Responder-style attack. Adversaries use this technique to intercept NTLMv2 credential hashes from Windows clients, which can then be cracked offline or relayed to authenticated services.

T1557.002 Credential Access

Adversary-in-the-Middle: ARP Cache Poisoning

Identifies ARP Cache Poisoning by detecting gratuitous ARP and unsolicited ARP reply messages where a single MAC address claims ownership of multiple IP addresses, including the local gateway. High-rate conflicting ARP replies from one host are definitive evidence of an active man-in-the-middle setup. Fires a critical-severity finding identifying the poisoning host's MAC, the claimed IP addresses, and the targeted gateway.

T1558.001 Credential Access

Steal or Forge Kerberos Tickets: Golden Ticket

Parses Kerberos KRB5 packets on port 88 to detect Golden Ticket usage. Fires when a host sends a TGS-REQ (service ticket request) without a preceding AS-REQ (initial authentication) in the capture window — consistent with presenting a forged TGT generated offline using the KRBTGT account hash. The finding includes source IP, requested service principal name, and confidence score based on the absent authentication exchange.

T1558.003 Credential Access

Steal or Forge Kerberos Tickets: Kerberoasting

Detects Kerberoasting by parsing Kerberos TGS-REQ and TGS-REP packets on port 88. Fires when TGS-REQ messages specify RC4-HMAC (etype 23) encryption for service principal names — the weakest supported cipher, chosen specifically because RC4 hashes are offline-crackable with hashcat or Impacket. Also triggers on anomalous TGS-REQ volume from a single host indicating automated SPN enumeration with tools like Rubeus.

Discovery (4 techniques)
T1016 Discovery

System Network Configuration Discovery

Detects three network configuration discovery signals. SNMP sweeps fire when a host queries UDP/161 on three or more unique destinations. ARP sweeps fire when a host sends ARP WHO-HAS to 30 or more unique IPs, mapping live segment residents. DHCP DISCOVER floods fire when a host repeatedly broadcasts DHCP DISCOVER without completing a lease, exposing subnet masks and DNS server addresses to any observer on the segment.

T1018 Discovery

Remote System Discovery

Identifies internal host enumeration via five signals: ICMP ping sweeps to 10+ private IPs, NetBIOS NS queries to 8+ hosts, DNS PTR reverse-lookup floods of 10+ in-addr.arpa queries, LDAP/LDAPS sweeps to 3+ domain controllers, and SMB browse-list sweeps to 8+ TCP/445 targets. Multiple signals from the same host compound confidence that a systematic network mapping operation is underway before lateral movement begins.

T1135 Discovery

Network Share Discovery

Tracks SMB2 Tree Connect requests and counts unique share paths a source attempts to access. When a host connects to more than a threshold of distinct share paths — including hidden administrative shares, DFS paths, and named pipe paths — a finding fires. Also monitors NetBIOS Name Service broadcasts to detect broadcast-based share enumeration, covering both authenticated SMB2/3 and unauthenticated browse-list discovery patterns.

T1482 Discovery

Domain Trust Discovery

Parses LDAP query payloads on TCP/389 for attribute names associated with domain trust enumeration: trustedDomain, msDS-TrustForestTrustInfo, msDS-AllowedToActOnBehalfOfOtherIdentity, and TrustPartner. These are the exact attributes queried by dsquery, AdFind, BloodHound, and PowerView to map Active Directory forest and domain trust relationships, identifying targets for cross-domain privilege escalation paths.

Lateral Movement (7 techniques)
T1021.001 Lateral Movement

Remote Services: Remote Desktop Protocol

Fires on every TCP SYN to port 3389 where both source and destination are RFC-1918 private addresses. Internal-to-internal RDP is a primary lateral movement indicator — adversaries use it to pivot interactively to newly compromised hosts. Generates one finding per unique (source, destination) pair to prevent duplicate alerts during sustained sessions while still capturing multi-target pivoting to additional machines on the segment.

T1021.002 Lateral Movement

Remote Services: SMB/Windows Admin Shares

Scans TCP-reassembled SMB payloads on ports 445 and 139 for references to Windows administrative shares (C$, ADMIN$, IPC$) between internal hosts. Handles both ASCII/ANSI encoding used in SMBv1 and UTF-16LE used in SMBv2/3 path strings. Fires a high-severity finding per unique (source, destination, share) triple, capturing multi-share lateral movement in a single pass without requiring agent-side endpoint telemetry.

T1021.004 Lateral Movement

Remote Services: SSH

Detects internal-to-internal SSH connections (TCP SYN to port 22) between RFC-1918 hosts. External SSH is expected administrative traffic, but SSH between internal systems is unusual and indicates adversary pivoting — using one compromised Linux host as a jump box to reach deeper network segments. Fires once per unique internal (source, destination) pair to enable targeted response without generating duplicate alerts.

T1021.005 Lateral Movement

Remote Services: VNC

Flags TCP SYN packets targeting VNC ports (5900, 5901, 5902) between internal hosts. VNC provides full graphical desktop access and is commonly installed without network-layer controls. Adversaries use it for stealthy interactive sessions that bypass Windows Event Log auditing. Fires a medium-severity finding per unique (source, destination, port) combination, covering primary and display-offset VNC listeners.

T1021.006 Lateral Movement

Remote Services: Windows Remote Management

Monitors TCP SYN packets to WinRM ports (5985 HTTP, 5986 HTTPS) between internal RFC-1918 hosts. WinRM enables remote PowerShell execution and is a primary transport for lateral movement frameworks including Empire, Metasploit, and CrackMapExec. Fires per unique internal (source, destination) pair. WinRM's use of non-standard ports often bypasses firewall rules configured to block only traditional lateral movement protocols.

T1550.003 Lateral Movement

Use Alternate Authentication Material: Pass the Ticket

Parses Kerberos KRB5 packets on TCP/UDP port 88 to detect Pass-the-Ticket via two signals. First: a TGS-REQ from a host that sent no AS-REQ in the capture window, suggesting a pre-stolen ticket. Second: the same Kerberos ticket presented from two different source IPs — only possible if the ticket was extracted from memory on one host and replayed on another to achieve lateral movement.

T1570 Lateral Movement

Lateral Tool Transfer

Parses TCP payloads on SMB (445/139), FTP (21), and HTTP (80) ports between internal hosts for transfers of executable file types: .exe, .dll, .ps1, .bat, .cmd, .vbs, .js, .msi, and .scr. Fires on the first binary transfer between internal endpoints, including source IP, destination IP, protocol, and extracted filename — enabling immediate artifact retrieval and hash verification on the receiving host before execution.

Command and Control (8 techniques)
T1071.001 Command and Control

Application Layer Protocol: Web Protocols

Measures inter-request timing regularity for HTTP/HTTPS flows to single external destinations. Applies a coefficient-of-variation test: a CV below 0.3 with at least five requests indicates machine-generated beaconing. Fires with beacon interval, session count, and destination IP. This statistical approach catches jittered beaconing that evades fixed-interval signature rules, as C2 frameworks deliberately introduce interval noise to avoid detection.

T1071.004 Command and Control

Application Layer Protocol: DNS

Detects DNS-based C2 via three signals: DGA probing (high NXDOMAIN rate on algorithmically generated names), DNS tunneling (TXT/NULL requests with high-entropy encoded subdomains exceeding Shannon entropy thresholds), and abnormally long query labels exceeding 63 bytes. Each signal fires independently. The tunneling detector computes byte-frequency entropy on subdomain labels and fires on values consistent with base64 or hex encoding rather than natural hostname character distribution.

T1090 Command and Control

Proxy

Detects proxy usage for C2 evasion by inspecting TCP payloads for SOCKS4/SOCKS5 handshake headers and HTTP CONNECT method requests that establish tunnels through forward proxies. Also tracks connections to known proxy ports (8080, 8443, 3128, 1080) from internal hosts toward external destinations. Detection requires payload-level confirmation rather than port use alone, substantially reducing false positives from legitimate HTTPS on port 8443.

T1095 Command and Control

Non-Application Layer Protocol

Monitors for C2 over non-application-layer protocols: ICMP echo payloads larger than 64 bytes, indicating data carried beyond a standard echo request; UDP traffic on non-standard ports with high payload entropy, indicating encryption or encoding; and GRE tunnel headers between internal and external endpoints. Each variant fires a separate finding with the anomaly type, source and destination IPs, and the measured payload size or entropy to support targeted network-layer blocking.

T1219 Command and Control

Remote Access Software

Performs deep packet inspection and DNS hostname matching to detect traffic from unauthorized remote access software: TeamViewer, AnyDesk, RustDesk, ScreenConnect (ConnectWise), and Ammyy Admin. Detection covers both the application's proprietary protocol and relay connections through vendor cloud infrastructure. Fires a high-severity finding with the tool name identified and the source host IP for immediate investigation and quarantine.

T1568.002 Command and Control

Dynamic Resolution: Domain Generation Algorithms

Detects DGA malware by correlating DNS query names with NXDOMAIN responses. Generates bigram frequency and vowel-consonant ratio scores for each queried domain. When a host resolves more than a threshold of statistically improbable domains — high consonant density, rare letter sequences, 8–20 character length — within a short window, a finding fires. Designed to catch DGA families that rotate through dozens of candidate domains each day to evade blocklists.

T1572 Command and Control

Protocol Tunneling

Detects three tunneling variants: SSH volume anomaly (high outbound bytes relative to session count indicating data transfer hidden in encrypted SSH), ICMP tunneling (non-standard payload sizes inconsistent with legitimate ping), and DNS/ICMP data volume anomalies (total bytes substantially exceeding legitimate protocol use). Each variant fires independently with source IP, destination IP, and byte volume evidence for targeted blocking decisions.

T1573.001 Command and Control

Encrypted Channel: Symmetric Cryptography

Detects custom encrypted C2 channels by analyzing the first 64 bytes of new TCP connections. When a connection on a port that is neither TLS nor SSH carries inbound data with Shannon entropy above 7.5 bits/byte before any TLS ClientHello has been seen, the session cannot be attributed to a standard application protocol. This entropy threshold distinguishes custom-encrypted C2 payloads from cleartext protocols, flagging potential symmetric cryptographic tunnels for manual protocol analysis.
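An added illustration (not PcapAI's code) of the Shannon entropy test shared by the DNS tunneling signal in T1071.004 above and this T1573.001 detector. The 7.5 bits/byte threshold is the page's; the 3.5 bits/char label threshold, the port lists, the two-label registered-domain rule and the sample inputs are constructed assumptions. Because a sample of n symbols can never exceed log2(n) bits per symbol, the payload check below scores the first 256 bytes rather than 64, so that the 7.5 threshold is reachable.

```python
"""Shannon-entropy checks for DNS tunneling (T1071.004) and custom encrypted
channels (T1573.001). Added example; thresholds other than 7.5 bits/byte,
port lists and sample data are assumptions."""
import math
from collections import Counter
from typing import Union


def shannon_entropy(data: Union[bytes, str]) -> float:
    """Bits per symbol over observed symbol frequencies. A sample of n symbols
    is capped at log2(n) bits/symbol, so thresholds depend on window size."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# --- DNS tunneling: encoded data in the subdomain of TXT/NULL queries ---
LABEL_ENTROPY_THRESHOLD = 3.5          # bits/char, assumed
TUNNEL_QTYPES = {"TXT", "NULL"}


def subdomain_payload(qname: str, registered_labels: int = 2) -> str:
    """Everything left of the registered domain. Assumes the registered domain
    is the last two labels (no public-suffix list in this example)."""
    labels = qname.rstrip(".").split(".")
    return "".join(labels[:-registered_labels])


def is_dns_tunnel_query(qname: str, qtype: str) -> bool:
    """Natural hostnames ("mail", "www") score well under the threshold;
    hex or base64 chunks approach log2(alphabet size)."""
    if qtype not in TUNNEL_QTYPES:
        return False
    return shannon_entropy(subdomain_payload(qname)) > LABEL_ENTROPY_THRESHOLD


# --- Custom encrypted channel: near-uniform bytes on an unexpected port ---
TLS_PORTS = {443, 8443, 993, 995}      # ports where TLS is expected (assumed)
SSH_PORTS = {22}
PAYLOAD_ENTROPY_THRESHOLD = 7.5        # bits/byte, as stated on the page
PAYLOAD_WINDOW = 256                   # bytes scored (64 would cap at 6.0)


def looks_custom_encrypted(first_bytes: bytes, dst_port: int) -> bool:
    """True when early inbound data on a non-TLS, non-SSH port is neither a
    TLS handshake record nor an SSH banner and is near-uniformly random."""
    if dst_port in TLS_PORTS or dst_port in SSH_PORTS:
        return False
    if first_bytes[:1] == b"\x16" and first_bytes[1:2] == b"\x03":
        return False                   # TLS record: handshake, version 3.x
    if first_bytes.startswith(b"SSH-"):
        return False                   # SSH identification string
    return shannon_entropy(first_bytes[:PAYLOAD_WINDOW]) > PAYLOAD_ENTROPY_THRESHOLD


if __name__ == "__main__":
    # constructed samples: a hex-looking TXT label and a 256-distinct-byte payload
    print(is_dns_tunnel_query("3f9a1c7e5b2d8046.example.net", "TXT"))
    print(looks_custom_encrypted(bytes(range(256)), 4444))
```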

Exfiltration (4 techniques)
T1020 Exfiltration

Automated Exfiltration

Analyzes per-flow upload byte counts across time buckets to detect mechanically regular exfiltration schedules. Computes inter-session intervals and their coefficient of variation: flows with CV ≤ 0.25 across three or more active upload sessions totaling over 500 KB fire a finding. Known telemetry domains and email servers are excluded. Mean interval and total bytes transferred appear in evidence to support both volume-based and behavioral correlation.
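The coefficient-of-variation timing test used by the T1071.001 beaconing detector above and by this T1020 entry, as an added example that is not PcapAI's code. The thresholds are the page's; the flows, the use of the sample standard deviation, the exclusion list and the reading of 500 KB as 512,000 bytes are assumptions.

```python
"""CV-based detection of HTTP beaconing (T1071.001) and automated
exfiltration (T1020). Added example; flows are constructed, thresholds are
those quoted on the page, the rest is assumption."""
import statistics
from typing import Dict, List, Optional, Tuple

BEACON_MAX_CV, BEACON_MIN_REQUESTS = 0.3, 5
EXFIL_MAX_CV, EXFIL_MIN_SESSIONS, EXFIL_MIN_BYTES = 0.25, 3, 500 * 1024
EXCLUDED_DESTINATIONS = {"203.0.113.200"}   # e.g. known telemetry host (assumed)

# Constructed per-flow sessions: (src, dst) -> [(start_ts_seconds, bytes_out)]
FLOWS: Dict[Tuple[str, str], List[Tuple[float, int]]] = {
    # jittered beacon: ~60 s interval, tiny uploads
    ("10.0.0.5", "203.0.113.10"): [(0, 300), (58, 310), (121, 295),
                                   (179, 305), (242, 300), (299, 310)],
    # scheduled exfiltration: every ~600 s, ~250 KB per session
    ("10.0.0.8", "198.51.100.20"): [(0, 260_000), (600, 255_000),
                                    (1201, 258_000), (1799, 262_000)],
    # human browsing: irregular timing, modest volume
    ("10.0.0.9", "198.51.100.30"): [(0, 900), (5, 12_000), (140, 700),
                                    (141, 650), (900, 4_000)],
}


def interval_cv(timestamps) -> Optional[float]:
    """stdev/mean of inter-arrival intervals; None with fewer than two
    intervals, since a sample standard deviation needs at least two."""
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    if len(intervals) < 2:
        return None
    mean = statistics.mean(intervals)
    return statistics.stdev(intervals) / mean if mean > 0 else None


def detect_beaconing(flows):
    findings = []
    for (src, dst), sessions in flows.items():
        times = sorted(t for t, _ in sessions)
        cv = interval_cv(times)
        if cv is None or len(times) < BEACON_MIN_REQUESTS or cv >= BEACON_MAX_CV:
            continue
        findings.append({"technique": "T1071.001", "source": src, "destination": dst,
                         "sessions": len(times), "cv": round(cv, 3),
                         "beacon_interval_s": (times[-1] - times[0]) / (len(times) - 1)})
    return findings


def detect_automated_exfiltration(flows, excluded=EXCLUDED_DESTINATIONS):
    findings = []
    for (src, dst), sessions in flows.items():
        if dst in excluded:
            continue
        times = sorted(t for t, _ in sessions)
        total = sum(b for _, b in sessions)
        cv = interval_cv(times)
        if (cv is None or len(times) < EXFIL_MIN_SESSIONS
                or cv > EXFIL_MAX_CV or total <= EXFIL_MIN_BYTES):
            continue
        findings.append({"technique": "T1020", "source": src, "destination": dst,
                         "sessions": len(times), "cv": round(cv, 4), "total_bytes": total,
                         "mean_interval_s": (times[-1] - times[0]) / (len(times) - 1)})
    return findings


if __name__ == "__main__":
    print(detect_beaconing(FLOWS))
    print(detect_automated_exfiltration(FLOWS))
```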

T1041 Exfiltration

Exfiltration Over C2 Channel

Tracks outbound byte volume per flow and upload-to-download ratio for sessions matching C2 beacon patterns. When a periodic, low-CV flow simultaneously carries outbound data volume exceeding a threshold, the analyzer concludes data is being exfiltrated through the same C2 channel. Fires a high-severity finding combining behavioral C2 evidence with raw byte volume, giving analysts both a volume figure and a confidence score from beaconing regularity.

T1048 Exfiltration

Exfiltration Over Alternative Protocol

Measures protocol-specific upload volume thresholds for protocols not typically used for bulk data transfer: DNS TXT/NULL record payload bytes, ICMP echo data bytes, and cleartext FTP data channel bytes. When outbound data on these protocols exceeds configurable thresholds and the upload-to-download ratio is asymmetric, a finding fires — catching adversaries bypassing egress filters that block HTTP/HTTPS but leave legacy protocols unrestricted.

T1537 Exfiltration

Transfer Data to Cloud Account

Monitors outbound connections to cloud storage API hostnames — s3.amazonaws.com, blob.core.windows.net, storage.googleapis.com, and regional variants — from internal RFC-1918 sources. Tracks cumulative bytes uploaded per (source IP, cloud endpoint) pair in a 10-minute rolling window. When transfers exceed 500 MB, a critical-severity finding fires, specifically designed to detect bulk database dump or archive exfiltration to adversary-controlled cloud buckets.

Impact (3 techniques)
T1496 Impact

Resource Hijacking

Detects cryptocurrency mining via three signals: connections to known mining pool hostnames and IPs, Stratum protocol patterns (mining.subscribe, mining.authorize, eth_submitWork JSON-RPC calls) in TCP payloads, and entropy analysis on DNS query domain names to catch algorithmically generated pool domains. Fires a high-severity finding with the mining pool host, Stratum variant identified, and the affected internal host IP for endpoint investigation.

T1498.001 Impact

Network DoS: Direct Network Flood

Counts TCP SYN, UDP, and ICMP echo packets per (source, destination) pair per second. When the packet rate from a single source to a destination exceeds protocol-specific flood thresholds within a 10-second window, a high-severity finding fires. SYN, UDP, and ICMP floods are tracked independently to differentiate attack type. Evidence includes peak packets-per-second, total packets observed, targeted destination IP, and port where applicable.

T1498.002 Impact

Network DoS: Reflection Amplification

Detects reflection and amplification attacks by identifying spoofed-source UDP requests sent to amplifier services — DNS (53), NTP (123), SSDP (1900), Memcached (11211) — combined with the oversized responses those services return. When response packets substantially exceed request sizes at a rate above the detection threshold, a finding fires identifying amplifier IPs, the spoofed victim destination, and the estimated amplification factor.

Run ATT&CK Detection on Your PCAP

Upload a PCAP or PCAPNG file and get a full ATT&CK-mapped report in under 60 seconds. No Wireshark expertise. No installation. No registration for the free scan.

No registration required. PCAPs are processed in memory and never stored permanently.