ATT&CK data sources
38 MITRE ATT&CK data sources — the telemetry categories that reveal adversary techniques. Use /search for keyword + ID lookup. Authored by Adam Lundqvist.
| ID | Title | Summary |
|---|---|---|
| DS0001 | Firmware | Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI |
| DS0002 | User Account | A profile representing a user, device, service, or application used to authenticate and access resources |
| DS0003 | Scheduled Job | Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)(Citation: … |
| DS0004 | Malware Repository | Information obtained (via shared or submitted samples) regarding malicious software (droppers, backdoors, etc.) used by adversaries |
| DS0005 | WMI | The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers(Citation: Microsoft WM… |
| DS0006 | Web Credential | Credential material, such as session cookies or tokens, used to authenticate to web applications and services(Citation: Medium Authentication Tokens)(Citation:… |
| DS0007 | Image | A single file used to deploy a virtual machine/bootable disk into an on-premise or third-party cloud environment(Citation: Microsoft Image)(Citation: Amazon AM… |
| DS0008 | Kernel | A computer program, at the core of a computer OS, that resides in memory and facilitates interactions between hardware and software components(Citation: STIG A… |
| DS0009 | Process | Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or sha… |
| DS0010 | Cloud Storage | Data object storage infrastructure hosted on-premise or by third-party providers, made available to users through network connections and/or APIs(Citation: Ama… |
| DS0011 | Module | Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), execut… |
| DS0012 | Script | A file or stream containing a list of commands, allowing them to be launched in sequence(Citation: Microsoft PowerShell Logging)(Citation: FireEye PowerShell L… |
| DS0013 | Sensor Health | Information from host telemetry providing insights about system status, errors, or other notable functional activity |
| DS0014 | Pod | A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod) |
| DS0015 | Application Log | Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)(Citation: Confluence Lo… |
| DS0016 | Drive | A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/o… |
| DS0017 | Command | A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(C… |
| DS0018 | Firewall | A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing networ… |
| DS0019 | Service | A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation:… |
| DS0020 | Snapshot | A point-in-time copy of cloud volumes (files, settings, etc.) that can be created and/or deployed in cloud environments(Citation: Microsoft Snapshot)(Citation:… |
| DS0021 | Persona | A malicious online profile representing a user commonly used by adversaries to social engineer or otherwise target victims |
| DS0022 | File | A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).(… |
| DS0023 | Named Pipe | Mechanisms that allow inter-process communication locally or over the network. A named pipe is usually found as a file and processes attach to it(Citation: Mic… |
| DS0024 | Windows Registry | A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-sy… |
| DS0025 | Cloud Service | Infrastructure, platforms, or software that are hosted on-premise or by third-party providers, made available to users through network connections and/or APIs(… |
| DS0026 | Active Directory | A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (user, group, application… |
| DS0027 | Driver | A computer program that operates or controls a particular type of device that is attached to a computer. Provides a software interface to hardware devices, ena… |
| DS0028 | Logon Session | Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization(Ci… |
| DS0029 | Network Traffic | Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format… |
| DS0030 | Instance | A virtual server environment which runs workloads, hosted on-premise or by third-party cloud providers(Citation: Amazon VM)(Citation: Google VM) |
| DS0031 | Cluster | A set of containerized computing resources that are managed together but have separate nodes to execute various tasks and/or applications(Citation: Kube Cluste… |
| DS0032 | Container | A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environm… |
| DS0033 | Network Share | A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network … |
| DS0034 | Volume | Block object storage hosted on-premise or by third-party providers, typically made available to resources as virtualized hard drives(Citation: Amazon S3)(Citat… |
| DS0035 | Internet Scan | Information obtained (commonly via active network traffic probes or web crawling) regarding various types of resources and servers connected to the public Inte… |
| DS0036 | Group | A collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights(Citation: Ama… |
| DS0037 | Certificate | A digital document, which highlights information such as the owner's identity, used to instill trust in public keys used while encrypting network communications |
| DS0038 | Domain Name | Information obtained (commonly through registration or activity logs) regarding one or more IP addresses registered with human readable names (ex: mitre.org) |