ATT&CK data components
109 MITRE ATT&CK data components — the specific signals within a data source used to detect techniques. Authored by Adam Lundqvist.
Showing 1–50 of 109 · page 1 of 3
| ID | Title | Summary |
|---|---|---|
| Active Directory Credential Request | Active Directory Credential Request | A user requested active directory credentials, such as a ticket or token (ex: Windows EID 4769) |
| Active Directory Object Access | Active Directory Object Access | Opening of an active directory object, typically to collect/read its value (ex: Windows EID 4661) |
| Active Directory Object Creation | Active Directory Object Creation | Initial construction of a new active directory object (ex: Windows EID 5137) |
| Active Directory Object Deletion | Active Directory Object Deletion | Removal of an active directory object (ex: Windows EID 5141) |
| Active Directory Object Modification | Active Directory Object Modification | Changes made to an active directory object (ex: Windows EID 5163 or 5136) |
| Active DNS | Active DNS | Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries) |
| Application Log Content | Application Log Content | Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications) |
| Certificate Registration | Certificate Registration | Queried or logged information highlighting current and expired digital certificates (ex: Certificate transparency) |
| Cloud Service Disable | Cloud Service Disable | Deactivation or stoppage of a cloud service (ex: AWS Cloudtrail StopLogging) |
| Cloud Service Enumeration | Cloud Service Enumeration | An extracted list of cloud services (ex: AWS ECS ListServices) |
| Cloud Service Metadata | Cloud Service Metadata | Contextual data about a cloud service and activity around it such as name, type, or purpose/function |
| Cloud Service Modification | Cloud Service Modification | Changes made to a cloud service, including its settings and/or data (ex: AWS CloudTrail DeleteTrail or DeleteConfigRule) |
| Cloud Storage Access | Cloud Storage Access | Opening of a cloud storage infrastructure, typically to collect/read its value (ex: AWS S3 GetObject) |
| Cloud Storage Creation | Cloud Storage Creation | Initial construction of new cloud storage infrastructure (ex: AWS S3 CreateBucket) |
| Cloud Storage Deletion | Cloud Storage Deletion | Removal of cloud storage infrastructure (ex: AWS S3 DeleteBucket) |
| Cloud Storage Enumeration | Cloud Storage Enumeration | An extracted list of cloud storage infrastructure (ex: AWS S3 ListBuckets or ListObjects) |
| Cloud Storage Metadata | Cloud Storage Metadata | Contextual data about cloud storage infrastructure and activity around it such as name, size, or owner |
| Cloud Storage Modification | Cloud Storage Modification | Changes made to cloud storage infrastructure, including its settings and/or data (ex: AWS S3 PutObject or PutObjectAcl) |
| Cluster Metadata | Cluster Metadata | Contextual data about a cluster and activity around it such as name, namespace, age, or status |
| Command Execution | Command Execution | The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >d… |
| Container Creation | Container Creation | Initial construction of a new container (ex: docker create <container_name>) |
| Container Enumeration | Container Enumeration | An extracted list of containers (ex: docker ps) |
| Container Metadata | Container Metadata | Contextual data about a container and activity around it such as name, ID, image, or status |
| Container Start | Container Start | Activation or invocation of a container (ex: docker start or docker restart) |
| Domain Registration | Domain Registration | Information about domain name assignments and other domain metadata (ex: WHOIS) |
| Drive Access | Drive Access | Opening of a data storage device with an assigned drive letter or mount point |
| Drive Creation | Drive Creation | Initial construction of a drive letter or mount point to a data storage device |
| Drive Modification | Drive Modification | Changes made to a drive letter or mount point of a data storage device |
| Driver Load | Driver Load | Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6) |
| Driver Metadata | Driver Metadata | Contextual data about a driver and activity around it, such as driver issue reporting or integrity checking (page hash, code) |
| File Access | File Access | Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663) |
| File Creation | File Creation | Initial construction of a new file (ex: Sysmon EID 11) |
| File Deletion | File Deletion | Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux auditd rules for the unlink, rename, rmdir, unlinkat, or renameat syscalls) |
| File Metadata | File Metadata | Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc. |
| File Modification | File Modification | Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2) |
| Firewall Disable | Firewall Disable | Deactivation or stoppage of a firewall (ex: Write/Delete entries within Azure Firewall Activity Logs) |
| Firewall Enumeration | Firewall Enumeration | An extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands) |
| Firewall Metadata | Firewall Metadata | Contextual data about a firewall and activity around it such as name, policy, or status |
| Firewall Rule Modification | Firewall Rule Modification | Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Col… |
| Firmware Modification | Firmware Modification | Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record) |
| Group Enumeration | Group Enumeration | An extracted list of available groups and/or their associated settings (ex: AWS list-groups) |
| Group Metadata | Group Metadata | Contextual data about a group and activity around it, such as name, permissions, or user accounts within the group |
| Group Modification | Group Modification | Changes made to a group, such as membership, name, or permissions (ex: Windows EID 4728 or 4732, AWS IAM UpdateGroup) |
| Host Status | Host Status | Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications) |
| Image Creation | Image Creation | Initial construction of a virtual machine image (ex: Azure Compute Service Images PUT) |
| Image Deletion | Image Deletion | Removal of a virtual machine image (ex: Azure Compute Service Images DELETE) |
| Image Metadata | Image Metadata | Contextual data about a virtual machine image such as name, resource group, state, or type |
| Image Modification | Image Modification | Changes made to a virtual machine image, including setting and/or control data (ex: Azure Compute Service Images PATCH) |
| Instance Creation | Instance Creation | Initial construction of a new instance (ex: instance.insert within GCP Audit Logs) |
| Instance Deletion | Instance Deletion | Removal of an instance (ex: instance.delete within GCP Audit Logs) |