ATT&CK data components
109 MITRE ATT&CK data components — the specific signals within a data source used to detect techniques. Use /search for keyword lookup. Authored by Adam Lundqvist.
Showing 51–100 of 109 · page 2 of 3
| ID | Title | Summary |
|---|---|---|
| Instance Enumeration | Instance Enumeration | An extracted list of instances within a cloud environment (ex: instance.list within GCP Audit Logs) |
| Instance Metadata | Instance Metadata | Contextual data about an instance and activity around it such as name, type, or status |
| Instance Modification | Instance Modification | Changes made to an instance, including its settings and/or control data (ex: instance.addResourcePolicies or instances.setMetadata within GCP Audit Logs) |
| Instance Start | Instance Start | Activation or invocation of an instance (ex: instance.start within GCP Audit Logs) |
| Instance Stop | Instance Stop | Deactivation or stoppage of an instance (ex: instance.stop within GCP Audit Logs) |
| Kernel Module Load | Kernel Module Load | An object file that contains code to extend the running kernel of an OS, typically used to add support for new hardware (as device drivers) and/or filesystems,… |
| Logon Session Creation | Logon Session Creation | Initial construction of a successful new user logon following an authentication attempt. (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wtmp) |
| Logon Session Metadata | Logon Session Metadata | Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any act… |
| Malware Content | Malware Content | Code, strings, and other signatures that comprise a malicious payload |
| Malware Metadata | Malware Metadata | Contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information |
| Module Load | Module Load | Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7) |
| Named Pipe Metadata | Named Pipe Metadata | Contextual data about a named pipe on a system, including pipe name and creating process (ex: Sysmon EIDs 17-18) |
| Network Connection Creation | Network Connection Creation | Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3… |
| Network Share Access | Network Share Access | Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145) |
| Network Traffic Content | Network Traffic Content | Logged network traffic data showing both protocol header and body values (ex: PCAP) |
| Network Traffic Flow | Network Traffic Flow | Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log) |
| OS API Execution | OS API Execution | Operating system function/method calls executed by a process |
| Passive DNS | Passive DNS | Logged domain name system (DNS) data highlighting timelines of domain to IP address resolutions (ex: passive DNS) |
| Pod Creation | Pod Creation | Initial construction of a new pod (ex: kubectl apply|run) |
| Pod Enumeration | Pod Enumeration | An extracted list of pods within a cluster (ex: kubectl get pods) |
| Pod Metadata | Pod Metadata | Contextual data about a pod and activity around it such as name, ID, namespace, or status |
| Pod Modification | Pod Modification | Changes made to a pod, including its settings and/or control data (ex: kubectl set|patch|edit) |
| Process Access | Process Access | Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10) |
| Process Creation | Process Creation | The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use… |
| Process Metadata | Process Metadata | Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc. |
| Process Modification | Process Modification | Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8) |
| Process Termination | Process Termination | Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689) |
| Response Content | Response Content | Logged network traffic in response to a scan showing both protocol header and body values |
| Response Metadata | Response Metadata | Contextual data about an Internet-facing resource gathered from a scan, such as running services or ports |
| Scheduled Job Creation | Scheduled Job Creation | Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs) |
| Scheduled Job Metadata | Scheduled Job Metadata | Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc. |
| Scheduled Job Modification | Scheduled Job Modification | Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs) |
| Script Execution | Script Execution | The execution of a text file that contains code via the interpreter (e.g. PowerShell, WMI, Windows EID 4104, etc.) |
| Service Creation | Service Creation | Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs) |
| Service Metadata | Service Metadata | Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc. |
| Service Modification | Service Modification | Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs) |
| Snapshot Creation | Snapshot Creation | Initial construction of a new snapshot (ex: AWS create-snapshot) |
| Snapshot Deletion | Snapshot Deletion | Removal of a snapshot (ex: AWS delete-snapshot) |
| Snapshot Enumeration | Snapshot Enumeration | An extracted list of snapshots within a cloud environment (ex: AWS describe-snapshots) |
| Snapshot Metadata | Snapshot Metadata | Contextual data about a snapshot, which may include information such as ID, type, and status |
| Snapshot Modification | Snapshot Modification | Changes made to a snapshot, such as metadata and control data (ex: AWS modify-snapshot-attribute) |
| Social Media | Social Media | Established, compromised, or otherwise acquired social media personas |
| User Account Authentication | User Account Authentication | An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log) |
| User Account Creation | User Account Creation | Initial construction of a new account (ex: Windows EID 4720 or changes to /etc/passwd) |
| User Account Deletion | User Account Deletion | Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs) |
| User Account Metadata | User Account Metadata | Contextual data about an account, which may include a username, user ID, environmental data, etc. |
| User Account Modification | User Account Modification | Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs) |
| Volume Creation | Volume Creation | Initial construction of a cloud volume (ex: AWS create-volume) |
| Volume Deletion | Volume Deletion | Removal of a cloud volume (ex: AWS delete-volume) |
| Volume Enumeration | Volume Enumeration | An extracted list of available volumes within a cloud environment (ex: AWS describe-volumes) |
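The index above describes a data component as a signal within a data source that is used to detect techniques. In ATT&CK's STIX 2.1 distribution that wiring is explicit: every `x-mitre-data-component` object names its parent via `x_mitre_data_source_ref`, and a `relationship` object with `relationship_type` `detects` links a component to an `attack-pattern` (technique). The script below resolves both directions of that mapping. It is an added example, not part of this index and not MITRE's own tooling; the bundle it parses is a constructed miniature with made-up object IDs (DS0009, T1059 and T1003 are real ATT&CK identifiers, but the component-to-technique pairings here are illustrative), and the function names are the example's own.

```python
"""Resolve ATT&CK data components to their data source and to the techniques
they detect, from a STIX 2.1 bundle laid out the way MITRE publishes ATT&CK.

Added example; SAMPLE_BUNDLE_JSON is a constructed stand-in for the real
enterprise-attack.json. Object ids are invented; the object types, field
names and the "detects" relationship type match the real schema.
"""
import json

# Constructed sample bundle (not real ATT&CK content). One data source,
# two data components from the table above, two techniques, four "detects"
# relationships, one of which is revoked and must be ignored.
SAMPLE_BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "x-mitre-data-source", "name": "Process",
         "id": "x-mitre-data-source--11111111-1111-4111-8111-111111111111",
         "external_references": [{"source_name": "mitre-attack", "external_id": "DS0009"}]},
        {"type": "x-mitre-data-component", "name": "Process Creation",
         "id": "x-mitre-data-component--22222222-2222-4222-8222-222222222222",
         "x_mitre_data_source_ref": "x-mitre-data-source--11111111-1111-4111-8111-111111111111"},
        {"type": "x-mitre-data-component", "name": "Process Access",
         "id": "x-mitre-data-component--33333333-3333-4333-8333-333333333333",
         "x_mitre_data_source_ref": "x-mitre-data-source--11111111-1111-4111-8111-111111111111"},
        {"type": "attack-pattern", "name": "Command and Scripting Interpreter",
         "id": "attack-pattern--44444444-4444-4444-8444-444444444444",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}]},
        {"type": "attack-pattern", "name": "OS Credential Dumping",
         "id": "attack-pattern--55555555-5555-4555-8555-555555555555",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1003"}]},
        {"type": "relationship", "relationship_type": "detects",
         "id": "relationship--66666666-6666-4666-8666-666666666666",
         "source_ref": "x-mitre-data-component--22222222-2222-4222-8222-222222222222",
         "target_ref": "attack-pattern--44444444-4444-4444-8444-444444444444"},
        {"type": "relationship", "relationship_type": "detects",
         "id": "relationship--77777777-7777-4777-8777-777777777777",
         "source_ref": "x-mitre-data-component--22222222-2222-4222-8222-222222222222",
         "target_ref": "attack-pattern--55555555-5555-4555-8555-555555555555"},
        {"type": "relationship", "relationship_type": "detects",
         "id": "relationship--88888888-8888-4888-8888-888888888888",
         "source_ref": "x-mitre-data-component--33333333-3333-4333-8333-333333333333",
         "target_ref": "attack-pattern--55555555-5555-4555-8555-555555555555"},
        # Revoked relationship: ATT&CK keeps these in the file, so filter them.
        {"type": "relationship", "relationship_type": "detects", "revoked": True,
         "id": "relationship--99999999-9999-4999-8999-999999999999",
         "source_ref": "x-mitre-data-component--33333333-3333-4333-8333-333333333333",
         "target_ref": "attack-pattern--44444444-4444-4444-8444-444444444444"},
    ],
})


def _live(obj):
    """True unless ATT&CK has revoked or deprecated the object (both flags occur)."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def attack_id(obj):
    """Return the ATT&CK external ID (T1059, DS0009, ...) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
            return ref["external_id"]
    return None


def build_detection_map(bundle_text):
    """Map each data component name to its data source and the techniques it detects."""
    objects = {o["id"]: o for o in json.loads(bundle_text)["objects"] if _live(o)}
    components = {o["id"]: o for o in objects.values() if o["type"] == "x-mitre-data-component"}
    result = {}
    for comp in components.values():
        source = objects.get(comp["x_mitre_data_source_ref"])
        result[comp["name"]] = {
            "data_source": source["name"] if source else None,
            "data_source_id": attack_id(source) if source else None,
            "techniques": set(),
        }
    for rel in objects.values():
        if rel["type"] != "relationship" or rel["relationship_type"] != "detects":
            continue
        comp = components.get(rel["source_ref"])
        technique = objects.get(rel["target_ref"])
        if comp is None or technique is None or technique["type"] != "attack-pattern":
            continue  # dangling or non-technique target: skip rather than crash
        result[comp["name"]]["techniques"].add(f"{attack_id(technique)} {technique['name']}")
    for entry in result.values():
        entry["techniques"] = sorted(entry["techniques"])
    return result


def components_for_technique(bundle_text, technique_id):
    """Inverse lookup: which data components provide detection coverage for a technique."""
    dmap = build_detection_map(bundle_text)
    return sorted(name for name, entry in dmap.items()
                  if any(t.split(" ", 1)[0] == technique_id for t in entry["techniques"]))


if __name__ == "__main__":
    for name, entry in sorted(build_detection_map(SAMPLE_BUNDLE_JSON).items()):
        print(f"{name} <- {entry['data_source']} ({entry['data_source_id']})")
        for t in entry["techniques"]:
            print("    detects", t)
    print("T1003 covered by:", components_for_technique(SAMPLE_BUNDLE_JSON, "T1003"))
```

The same two functions run unchanged over the full `enterprise-attack.json` from MITRE's attack-stix-data repository; there the revoked/deprecated filter matters, because superseded relationships remain in the file with `revoked: true` and would otherwise inflate a coverage report.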