+
|
+
These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.
+ +This JSON file contains the machine readble output used to create this page: changelog.json
+Current version: 2.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-24 17:48:35.900000+00:00 | 2025-11-06 17:52:37.747000+00:00 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | Yusuke Niwa, ITOCHU Cyber & Intelligence Inc. | |
| x_mitre_contributors | Suguru Ishimaru, ITOCHU Cyber & Intelligence Inc. | |
| x_mitre_contributors | Hajime Yanagishita, Macnica, Inc. |
Current version: 1.3
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may carry out malicious operations using a virtu | t | 1 | Adversaries may carry out malicious operations using a virtu |
| > | al instance to avoid detection. A wide variety of virtualiza | > | al instance to avoid detection. A wide variety of virtualiza | ||
| > | tion technologies exist that allow for the emulation of a co | > | tion technologies exist that allow for the emulation of a co | ||
| > | mputer or computing environment. By running malicious code i | > | mputer or computing environment. By running malicious code i | ||
| > | nside of a virtual instance, adversaries can hide artifacts | > | nside of a virtual instance, adversaries can hide artifacts | ||
| > | associated with their behavior from security tools that are | > | associated with their behavior from security tools that are | ||
| > | unable to monitor activity inside the virtual instance.(Cita | > | unable to monitor activity inside the virtual instance.(Cita | ||
| > | tion: CyberCX Akira Ransomware) Additionally, depending on t | > | tion: CyberCX Akira Ransomware) Additionally, depending on t | ||
| > | he virtual networking implementation (ex: bridged adapter), | > | he virtual networking implementation (ex: bridged adapter), | ||
| > | network traffic generated by the virtual instance can be dif | > | network traffic generated by the virtual instance can be dif | ||
| > | ficult to trace back to the compromised host as the IP addre | > | ficult to trace back to the compromised host as the IP addre | ||
| > | ss and hostname might not match known values.(Citation: Sing | > | ss and hostname might not match known values.(Citation: Sing | ||
| > | Health Breach Jan 2019) Adversaries may utilize native supp | > | Health Breach Jan 2019) Adversaries may utilize native supp | ||
| > | ort for virtualization (ex: Hyper-V), deploy lightweight emu | > | ort for virtualization (ex: Hyper-V), deploy lightweight emu | ||
| > | lators (ex: QEMU), or drop the necessary files to run a virt | > | lators (ex: QEMU), or drop the necessary files to run a virt | ||
| > | ual instance (ex: VirtualBox binaries).(Citation: Securonix | > | ual instance (ex: VirtualBox binaries).(Citation: Securonix | ||
| > | CronTrap 2024) After running a virtual instance, adversaries | > | CronTrap 2024) After running a virtual instance, adversaries | ||
| > | may create a shared folder between the guest and host with | > | may create a shared folder between the guest and host with | ||
| > | permissions that enable the virtual instance to interact wit | > | permissions that enable the virtual instance to interact wit | ||
| > | h the host file system.(Citation: Sophos Ragnar May 2020) T | > | h the host file system.(Citation: Sophos Ragnar May 2020) T | ||
| > | hreat actors may also leverage temporary virtualized environ | > | hreat actors may also leverage temporary virtualized environ | ||
| > | ments such as the Windows Sandbox, which supports the use of | > | ments such as the Windows Sandbox, which supports the use of | ||
| > | `.wsb` configuration files for defining execution parameter | > | `.wsb` configuration files for defining execution parameter | ||
| > | s. For example, the `<MappedFolder>` property supports the c | > | s. For example, the `<MappedFolder>` property supports the c | ||
| > | reation of a shared folder, while the `<LogonCommand>` prope | > | reation of a shared folder, while the `<LogonCommand>` prope | ||
| > | rty allows the specification of a payload.(Citation: ESET Mi | > | rty allows the specification of a payload.(Citation: ESET Mi | ||
| > | rrorFace 2025) In VMWare environments, adversaries may leve | > | rrorFace 2025)(Citation: ITOCHU Hack the Sandbox)(Citation: | ||
| > | rage the vCenter console to create new virtual machines. How | > | ITOCHU Sandbox PPT) In VMWare environments, adversaries may | ||
| > | ever, they may also create virtual machines directly on ESXi | > | leverage the vCenter console to create new virtual machines | ||
| > | servers by running a valid `.vmx` file with the `/bin/vmx` | > | . However, they may also create virtual machines directly on | ||
| > | utility. Adding this command to `/etc/rc.local.d/local.sh` ( | > | ESXi servers by running a valid `.vmx` file with the `/bin/ | ||
| > | i.e., [RC Scripts](https://attack.mitre.org/techniques/T1037 | > | vmx` utility. Adding this command to `/etc/rc.local.d/local. | ||
| > | /004)) will cause the VM to persistently restart.(Citation: | > | sh` (i.e., [RC Scripts](https://attack.mitre.org/techniques/ | ||
| > | vNinja Rogue VMs 2024) Creating a VM this way prevents it fr | > | T1037/004)) will cause the VM to persistently restart.(Citat | ||
| > | om appearing in the vCenter console or in the output to the | > | ion: vNinja Rogue VMs 2024) Creating a VM this way prevents | ||
| > | `vim-cmd vmsvc/getallvms` command on the ESXi server, thereb | > | it from appearing in the vCenter console or in the output to | ||
| > | y hiding it from typical administrative activities.(Citation | > | the `vim-cmd vmsvc/getallvms` command on the ESXi server, t | ||
| > | : MITRE VMware Abuse 2024) | > | hereby hiding it from typical administrative activities.(Cit | ||
| > | ation: MITRE VMware Abuse 2024) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-24 17:49:15.607000+00:00 | 2025-11-05 15:22:05.269000+00:00 |
| description | Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance.(Citation: CyberCX Akira Ransomware) Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
+
+Adversaries may utilize native support for virtualization (ex: Hyper-V), deploy lightweight emulators (ex: QEMU), or drop the necessary files to run a virtual instance (ex: VirtualBox binaries).(Citation: Securonix CronTrap 2024) After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)
+
+Threat actors may also leverage temporary virtualized environments such as the Windows Sandbox, which supports the use of `.wsb` configuration files for defining execution parameters. For example, the ` | Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance.(Citation: CyberCX Akira Ransomware) Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
+
+Adversaries may utilize native support for virtualization (ex: Hyper-V), deploy lightweight emulators (ex: QEMU), or drop the necessary files to run a virtual instance (ex: VirtualBox binaries).(Citation: Securonix CronTrap 2024) After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)
+
+Threat actors may also leverage temporary virtualized environments such as the Windows Sandbox, which supports the use of `.wsb` configuration files for defining execution parameters. For example, the ` |
| external_references[6]['source_name'] | Shadowbunny VM Defense Evasion | ITOCHU Sandbox PPT |
| external_references[6]['description'] | Johann Rehberger. (2020, September 23). Beware of the Shadowbunny - Using virtual machines to persist and evade detections. Retrieved September 22, 2021. | ITOCHU Cyber & Intelligence Inc.. (n.d.). Hack The Sandbox: Unveiling the Truth Behind Disappearing Artifacts. Retrieved November 5, 2025. |
| external_references[6]['url'] | https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/ | https://jsac.jpcert.or.jp/archive/2025/pdf/JSAC2025_2_9_kamekawa_sasada_niwa_en.pdf |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'ITOCHU Hack the Sandbox', 'description': 'ITOCHU Cyber & Intelligence Inc.. (2025, March 12). Hack The Sandbox: Unveiling the Truth Behind Disappearing Artifacts. Retrieved November 5, 2025.', 'url': 'https://blog-en.itochuci.co.jp/entry/2025/03/12/140000'} |
Current version: 2.4
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-24 17:49:09.835000+00:00 | 2025-11-12 15:42:52.705000+00:00 |
| x_mitre_attack_spec_version | 3.2.0 | 3.3.0 |
Current version: 1.0
Description:
Test
Current version: 5.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-24 00:59:31.235000+00:00 | 2025-11-12 18:55:12.319000+00:00 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | Wai Linn Oo @ Kernellix |
Current version: 3.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-23 18:52:40.872000+00:00 | 2025-11-04 19:40:42.270000+00:00 |
| x_mitre_contributors[2] | YH Chang, ZScaler ThreatLabz | ZScaler ThreatLabz |
Current version: 1.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The [SharePoint ToolShell Exploitation](https://attack.mitre | t | 1 | The [SharePoint ToolShell Exploitation](https://attack.mitre |
| > | .org/campaigns/C0058) campaign was conducted in July 2025 an | > | .org/campaigns/C0058) campaign was conducted in July 2025 an | ||
| > | d encompassed the first waves of exploitation against incomp | > | d encompassed the first waves of exploitation against incomp | ||
| > | etely patched spoofing (CVE-2025-49706) and remote code exec | > | letely patched spoofing (CVE-2025-49706) and remote code exe | ||
| > | ution (CVE-2025-49704) vulnerabilities affecting on-premises | > | cution (CVE-2025-49704) vulnerabilities affecting on-premise | ||
| > | Microsoft SharePoint servers. Later patched and updated as | > | s Microsoft SharePoint servers. Later patched and updated as | ||
| > | CVE-2025-53770 and CVE-2025-53771, the ToolShell vulnerabili | > | CVE-2025-53770 and CVE-2025-53771, the ToolShell vulnerabil | ||
| > | ties were widely exploited including by China-based ransomwa | > | ities were widely exploited including by China-based ransomw | ||
| > | re actor Storm-2603 and espionage actors [Threat Group-3390] | > | are actor Storm-2603 and espionage actors [Threat Group-3390 | ||
| > | (https://attack.mitre.org/groups/G0027) and [ZIRCONIUM](http | > | ](https://attack.mitre.org/groups/G0027) and [ZIRCONIUM](htt | ||
| > | s://attack.mitre.org/groups/G0128). [SharePoint ToolShell Ex | > | ps://attack.mitre.org/groups/G0128). [SharePoint ToolShell E | ||
| > | ploitation](https://attack.mitre.org/campaigns/C0058) target | > | xploitation](https://attack.mitre.org/campaigns/C0058) targe | ||
| > | ed multiple regions and industries including finance, educat | > | ted multiple regions and industries including finance, educa | ||
| > | ion, energy, and healthcare across Asia, Europe, and the Uni | > | tion, energy, and healthcare across Asia, Europe, and the Un | ||
| > | ted States.(Citation: Microsoft SharePoint Exploit JUL 2025) | > | ited States.(Citation: Microsoft SharePoint Exploit JUL 2025 | ||
| > | (Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)(Ci | > | )(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)(C | ||
| > | tation: Eye Research ToolShell JUL 2025)(Citation: ESET Tool | > | itation: Eye Research ToolShell JUL 2025)(Citation: ESET Too | ||
| > | Shell JUL 2025)(Citation: Trend Micro SharePoint Attacks JUL | > | lShell JUL 2025)(Citation: Trend Micro SharePoint Attacks JU | ||
| > | 2025) | > | L 2025) | ||
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | ['Wai Linn Oo @ Kernellix'] |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-24 04:12:20.214000+00:00 | 2025-11-12 15:13:10.723000+00:00 |
| description | The [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058) campaign was conducted in July 2025 and encompassed the first waves of exploitation against incompetely patched spoofing (CVE-2025-49706) and remote code execution (CVE-2025-49704) vulnerabilities affecting on-premises Microsoft SharePoint servers. Later patched and updated as CVE-2025-53770 and CVE-2025-53771, the ToolShell vulnerabilities were widely exploited including by China-based ransomware actor Storm-2603 and espionage actors [Threat Group-3390](https://attack.mitre.org/groups/G0027) and [ZIRCONIUM](https://attack.mitre.org/groups/G0128). [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058) targeted multiple regions and industries including finance, education, energy, and healthcare across Asia, Europe, and the United States.(Citation: Microsoft SharePoint Exploit JUL 2025)(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)(Citation: Eye Research ToolShell JUL 2025)(Citation: ESET ToolShell JUL 2025)(Citation: Trend Micro SharePoint Attacks JUL 2025) + | The [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058) campaign was conducted in July 2025 and encompassed the first waves of exploitation against incompletely patched spoofing (CVE-2025-49706) and remote code execution (CVE-2025-49704) vulnerabilities affecting on-premises Microsoft SharePoint servers. Later patched and updated as CVE-2025-53770 and CVE-2025-53771, the ToolShell vulnerabilities were widely exploited including by China-based ransomware actor Storm-2603 and espionage actors [Threat Group-3390](https://attack.mitre.org/groups/G0027) and [ZIRCONIUM](https://attack.mitre.org/groups/G0128). [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058) targeted multiple regions and industries including finance, education, energy, and healthcare across Asia, Europe, and the United States.(Citation: Microsoft SharePoint Exploit JUL 2025)(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)(Citation: Eye Research ToolShell JUL 2025)(Citation: ESET ToolShell JUL 2025)(Citation: Trend Micro SharePoint Attacks JUL 2025) + |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Requests for authentication credentials via Kerberos or othe | t | 1 | Requests for authentication credentials via Kerberos or othe |
| > | r methods like NTLM and LDAP queries. Examples: - Kerberos | > | r methods like NTLM and LDAP queries. Examples: - Kerberos | ||
| > | TGT and Service Tickets (Event IDs 4768, 4769) - NTLM Authen | > | TGT and Service Tickets (Event IDs 4768, 4769) - NTLM Authen | ||
| > | tication Events - LDAP Bind Requests *Data Collection Measu | > | tication Events - LDAP Bind Requests. | ||
| > | res:* - Security Event Logging: - Enable "`Audit Kerber | ||||
| > | os Authentication Service`" or "`Audit Kerberos Service Tick | ||||
| > | et Operations`." - Captured Events: IDs 4768, 4769, 4624 | ||||
| > | . - Windows Event Forwarding (WEF): Forward domain controlle | ||||
| > | r logs to SIEM. - SIEM Integration: Use tools like Splunk or | ||||
| > | Azure Sentinel for log analysis. - Kerberos Debug Logging: | ||||
| > | - Registry Key: HKLM\SYSTEM\CurrentControlSet\Control\Ls | ||||
| > | a\Kerberos\Parameters. - Set DWORD LogLevel to 1. - Azur | ||||
| > | e AD Logs: Monitor Sign-In Logs for authentication and polic | ||||
| > | y issues. - Enable EDR Monitoring: - Use EDR to detect s | ||||
| > | uspicious processes querying authentication mechanisms (e.g. | ||||
| > | , lsass.exe memory access). | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-22 18:41:09.269000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| external_references[0]['url'] | https://attack.mitre.org/data-components/DC0084 | https://attack.mitre.org/datacomponents/DC0084 |
| description | Requests for authentication credentials via Kerberos or other methods like NTLM and LDAP queries. Examples: + +- Kerberos TGT and Service Tickets (Event IDs 4768, 4769) +- NTLM Authentication Events +- LDAP Bind Requests + +*Data Collection Measures:* + +- Security Event Logging: + - Enable "`Audit Kerberos Authentication Service`" or "`Audit Kerberos Service Ticket Operations`." + - Captured Events: IDs 4768, 4769, 4624. +- Windows Event Forwarding (WEF): Forward domain controller logs to SIEM. +- SIEM Integration: Use tools like Splunk or Azure Sentinel for log analysis. +- Kerberos Debug Logging: + - Registry Key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters. + - Set DWORD LogLevel to 1. +- Azure AD Logs: Monitor Sign-In Logs for authentication and policy issues. +- Enable EDR Monitoring: + - Use EDR to detect suspicious processes querying authentication mechanisms (e.g., lsass.exe memory access). | Requests for authentication credentials via Kerberos or other methods like NTLM and LDAP queries. Examples: + +- Kerberos TGT and Service Tickets (Event IDs 4768, 4769) +- NTLM Authentication Events +- LDAP Bind Requests. |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Creating new objects in AD, such as user accounts, groups, o | t | 1 | Creating new objects in AD, such as user accounts, groups, o |
| > | rganizational units (OUs), or trust relationships. Logged as | > | rganizational units (OUs), or trust relationships. Logged as | ||
| > | Event ID 5137. Examples: - User Account Creation: New user | > | Event ID 5137. Examples: - User Account Creation: New user | ||
| > | account. - Group Creation: New security/distribution group. | > | account. - Group Creation: New security/distribution group. | ||
| > | - OU Creation: New organizational unit. - Service Account C | > | - OU Creation: New organizational unit. - Service Account C | ||
| > | reation: New service account for automation or malicious tas | > | reation: New service account for automation or malicious tas | ||
| > | ks. - Trust Object Creation: Trust relationship with another | > | ks. - Trust Object Creation: Trust relationship with another | ||
| > | domain. *Data Collection Measures:* - Audit Policy: - | > | domain. | ||
| > | Enable "Audit Directory Service Changes" (Success and Failu | ||||
| > | re). - Path: `Computer Configuration > Policies > Window | ||||
| > | s Settings > Security Settings > Advanced Audit Policy Confi | ||||
| > | guration > Audit Policies > Directory Service Changes`. | ||||
| > | - Key Event: Event ID 5137 (object creation). - Log Forwardi | ||||
| > | ng: Use WEF to centralize logs for SIEM tools (e.g., Splunk) | ||||
| > | . - Enable EDR Monitoring: - Track processes that create | ||||
| > | new accounts or modify AD objects. - Correlate object c | ||||
| > | reation with suspicious commands (e.g., net user /add). | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.803000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Creating new objects in AD, such as user accounts, groups, organizational units (OUs), or trust relationships. Logged as Event ID 5137. Examples: + +- User Account Creation: New user account. +- Group Creation: New security/distribution group. +- OU Creation: New organizational unit. +- Service Account Creation: New service account for automation or malicious tasks. +- Trust Object Creation: Trust relationship with another domain. + +*Data Collection Measures:* + +- Audit Policy: + - Enable "Audit Directory Service Changes" (Success and Failure). + - Path: `Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Directory Service Changes`. + - Key Event: Event ID 5137 (object creation). +- Log Forwarding: Use WEF to centralize logs for SIEM tools (e.g., Splunk). +- Enable EDR Monitoring: + - Track processes that create new accounts or modify AD objects. + - Correlate object creation with suspicious commands (e.g., net user /add). | Creating new objects in AD, such as user accounts, groups, organizational units (OUs), or trust relationships. Logged as Event ID 5137. Examples: + +- User Account Creation: New user account. +- Group Creation: New security/distribution group. +- OU Creation: New organizational unit. +- Service Account Creation: New service account for automation or malicious tasks. +- Trust Object Creation: Trust relationship with another domain. |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:40.681000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_sources[0]['name'] | WinEventLog:DirectoryService | WinEventLog:Security |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Changes to AD objects (e.g., users, groups, OUs) are logged | t | 1 | Changes to AD objects (e.g., users, groups, OUs) are logged |
| > | as Event ID 5136 (Object Modification) or 5163 (Attribute Ch | > | as Event ID 5136 (Object Modification) or 5163 (Attribute Ch | ||
| > | anges). Examples: - User Account: Modifying attributes (e.g | > | anges). Examples: - User Account: Modifying attributes (e.g | ||
| > | ., group membership, enabling/disabling accounts). - Group M | > | ., group membership, enabling/disabling accounts). - Group M | ||
| > | embership: Adding/removing members. - OU: Changing propertie | > | embership: Adding/removing members. - OU: Changing propertie | ||
| > | s/permissions (e.g., delegation). - Service Account: Modifyi | > | s/permissions (e.g., delegation). - Service Account: Modifyi | ||
| > | ng SPNs or other attributes. - Object Attributes: Changes to | > | ng SPNs or other attributes. - Object Attributes: Changes to | ||
| > | passwords, logon hours, or control flags. *Data Collection | > | passwords, logon hours, or control flags. | ||
| > | Measures:* - Audit Policy: - Enable "Audit Directory S | ||||
| > | ervice Changes" (Success and Failure). - Path: `Computer | ||||
| > | Configuration > Policies > Windows Settings > Security Sett | ||||
| > | ings > Advanced Audit Policy Configuration > Audit Policies | ||||
| > | > Directory Service Changes`. - Key Events: 5136 (modifi | ||||
| > | cations), 5163 (attribute changes). - Log Forwarding: - | ||||
| > | Use WEF to centralize logs for SIEM. - Parse logs to ext | ||||
| > | ract: Object Name, Attribute Changed, Initiator Account Name | ||||
| > | . - Enable EDR Monitoring: - Detect changes to critical | ||||
| > | attributes (e.g., memberOf, logonHours). - Track process | ||||
| > | es modifying directory service objects (e.g., Set-ADUser or | ||||
| > | dsmod). - Enable EDR Monitoring: - Detect changes to cri | ||||
| > | tical attributes (e.g., memberOf, logonHours). - Track p | ||||
| > | rocesses modifying directory service objects (e.g., Set-ADUs | ||||
| > | er or dsmod). | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-22 18:42:57.886000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| external_references[0]['url'] | https://attack.mitre.org/data-components/DC0066 | https://attack.mitre.org/datacomponents/DC0066 |
| description | Changes to AD objects (e.g., users, groups, OUs) are logged as Event ID 5136 (Object Modification) or 5163 (Attribute Changes). Examples: + +- User Account: Modifying attributes (e.g., group membership, enabling/disabling accounts). +- Group Membership: Adding/removing members. +- OU: Changing properties/permissions (e.g., delegation). +- Service Account: Modifying SPNs or other attributes. +- Object Attributes: Changes to passwords, logon hours, or control flags. + +*Data Collection Measures:* + +- Audit Policy: + - Enable "Audit Directory Service Changes" (Success and Failure). + - Path: `Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Directory Service Changes`. + - Key Events: 5136 (modifications), 5163 (attribute changes). +- Log Forwarding: + - Use WEF to centralize logs for SIEM. + - Parse logs to extract: Object Name, Attribute Changed, Initiator Account Name. +- Enable EDR Monitoring: + - Detect changes to critical attributes (e.g., memberOf, logonHours). + - Track processes modifying directory service objects (e.g., Set-ADUser or dsmod). +- Enable EDR Monitoring: + - Detect changes to critical attributes (e.g., memberOf, logonHours). + - Track processes modifying directory service objects (e.g., Set-ADUser or dsmod). | Changes to AD objects (e.g., users, groups, OUs) are logged as Event ID 5136 (Object Modification) or 5163 (Attribute Changes). Examples: + +- User Account: Modifying attributes (e.g., group membership, enabling/disabling accounts). +- Group Membership: Adding/removing members. +- OU: Changing properties/permissions (e.g., delegation). +- Service Account: Modifying SPNs or other attributes. +- Object Attributes: Changes to passwords, logon hours, or control flags. |
| x_mitre_log_sources[6]['name'] | WinEventLog:DirectoryService | WinEventLog:Security |
| x_mitre_log_sources[6]['channel'] | EventCode=5136 | EventCode=5163 |
| x_mitre_log_sources[4]['name'] | azure:SigninLogs | azure:signinlogs |
| x_mitre_log_sources[7]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4670'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Application Log Content refers to logs generated by applicat | t | 1 | Application Log Content refers to logs generated by applicat |
| > | ions or services, providing a record of their activity. Thes | > | ions or services, providing a record of their activity. Thes | ||
| > | e logs may include metrics, errors, performance data, and op | > | e logs may include metrics, errors, performance data, and op | ||
| > | erational alerts from web, mail, or other applications. Thes | > | erational alerts from web, mail, or other applications. Thes | ||
| > | e logs are vital for monitoring application behavior and det | > | e logs are vital for monitoring application behavior and det | ||
| > | ecting malicious activities or anomalies. Examples: - Web | > | ecting malicious activities or anomalies. Examples: - Web | ||
| > | Application Logs: These logs include information about reque | > | Application Logs: These logs include information about reque | ||
| > | sts, responses, errors, and security events (e.g., unauthori | > | sts, responses, errors, and security events (e.g., unauthori | ||
| > | zed access attempts). - Email Application Logs: Logs contain | > | zed access attempts). - Email Application Logs: Logs contain | ||
| > | metadata about emails sent, received, or blocked (e.g., sen | > | metadata about emails sent, received, or blocked (e.g., sen | ||
| > | der/receiver addresses, message IDs). - SaaS Application Log | > | der/receiver addresses, message IDs). - SaaS Application Log | ||
| > | s: Activity logs include user logins, configuration changes, | > | s: Activity logs include user logins, configuration changes, | ||
| > | and access to sensitive resources. - Cloud Application Logs | > | and access to sensitive resources. - Cloud Application Logs | ||
| > | : Logs detail control plane activities, including API calls, | > | : Logs detail control plane activities, including API calls, | ||
| > | instance modifications, and network changes. - System/Appli | > | instance modifications, and network changes. - System/Appli | ||
| > | cation Monitoring Logs: Logs provide insights into applicati | > | cation Monitoring Logs: Logs provide insights into applicati | ||
| > | on performance, errors, and anomalies. This data component | > | on performance, errors, and anomalies. | ||
| > | can be collected through the following measures: Configure | ||||
| > | Application Logging - Enable logging within the application | ||||
| > | or service. - Examples: - Web Servers: Enable access an | ||||
| > | d error logs in NGINX or Apache. - Email Systems: Enable | ||||
| > | audit logging in Microsoft Exchange or Gmail. Centralized | ||||
| > | Log Management - Use log management solutions like Splunk, | ||||
| > | or a cloud-native logging solution. - Configure the applicat | ||||
| > | ion to send logs to a centralized system for analysis. Clou | ||||
| > | d-Specific Collection - Use services like AWS CloudWatch, A | ||||
| > | zure Monitor, or Google Cloud Operations Suite for cloud-bas | ||||
| > | ed applications. - Ensure logging is enabled for all critica | ||||
| > | l resources (e.g., API calls, IAM changes). SIEM Integratio | ||||
| > | n - Integrate application logs with a SIEM platform (e.g., | ||||
| > | Splunk, QRadar) for real-time correlation and analysis. - Us | ||||
| > | e parsers to standardize log formats and extract key fields | ||||
| > | like timestamps, user IDs, and error codes. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.580000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications. These logs are vital for monitoring application behavior and detecting malicious activities or anomalies. Examples: + +- Web Application Logs: These logs include information about requests, responses, errors, and security events (e.g., unauthorized access attempts). +- Email Application Logs: Logs contain metadata about emails sent, received, or blocked (e.g., sender/receiver addresses, message IDs). +- SaaS Application Logs: Activity logs include user logins, configuration changes, and access to sensitive resources. +- Cloud Application Logs: Logs detail control plane activities, including API calls, instance modifications, and network changes. +- System/Application Monitoring Logs: Logs provide insights into application performance, errors, and anomalies. + +This data component can be collected through the following measures: + +Configure Application Logging + +- Enable logging within the application or service. +- Examples: + - Web Servers: Enable access and error logs in NGINX or Apache. + - Email Systems: Enable audit logging in Microsoft Exchange or Gmail. + +Centralized Log Management + +- Use log management solutions like Splunk, or a cloud-native logging solution. +- Configure the application to send logs to a centralized system for analysis. + +Cloud-Specific Collection + +- Use services like AWS CloudWatch, Azure Monitor, or Google Cloud Operations Suite for cloud-based applications. +- Ensure logging is enabled for all critical resources (e.g., API calls, IAM changes). + +SIEM Integration + +- Integrate application logs with a SIEM platform (e.g., Splunk, QRadar) for real-time correlation and analysis. +- Use parsers to standardize log formats and extract key fields like timestamps, user IDs, and error codes. | Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications. These logs are vital for monitoring application behavior and detecting malicious activities or anomalies. Examples: + +- Web Application Logs: These logs include information about requests, responses, errors, and security events (e.g., unauthorized access attempts). +- Email Application Logs: Logs contain metadata about emails sent, received, or blocked (e.g., sender/receiver addresses, message IDs). +- SaaS Application Logs: Activity logs include user logins, configuration changes, and access to sensitive resources. +- Cloud Application Logs: Logs detail control plane activities, including API calls, instance modifications, and network changes. +- System/Application Monitoring Logs: Logs provide insights into application performance, errors, and anomalies. |
| x_mitre_log_sources[17]['name'] | WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational | WinEventLog:System |
| x_mitre_log_sources[37]['name'] | azure:signinLogs | azure:signinlogs |
| x_mitre_log_sources[75]['name'] | WinEventLog:Application | WinEventLog:System |
| x_mitre_log_sources[75]['channel'] | EventCode=1000-1026 | EventCode=1000 |
| x_mitre_log_sources[44]['channel'] | EventCode=7031,7034,1000,1001 | EventCode=1341, 1342, 1020, 1063 |
| x_mitre_log_sources[172]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Application', 'channel': 'EventCode=1000, 1001, 1002'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:System', 'channel': 'EventCode=1341,1342,1020,1063'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Application', 'channel': 'EventCode=1000,1001'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | This data component refers to monitoring actions that deacti | t | 1 | This data component refers to monitoring actions that deacti |
| > | vate or stop a cloud service in a cloud control plane. Examp | > | vate or stop a cloud service in a cloud control plane. Examp | ||
| > | les include disabling essential logging services like AWS Cl | > | les include disabling essential logging services like AWS Cl | ||
| > | oudTrail (`StopLogging` API call), Microsoft Azure Monitor L | > | oudTrail (`StopLogging` API call), Microsoft Azure Monitor L | ||
| > | ogs, or Google Cloud's Operations Suite (formerly Stackdrive | > | ogs, or Google Cloud's Operations Suite (formerly Stackdrive | ||
| > | r). Disabling such services can hinder visibility into adver | > | r). Disabling such services can hinder visibility into adver | ||
| > | sary activities within the cloud environment. Examples: - | > | sary activities within the cloud environment. Examples: - | ||
| > | AWS CloudTrail StopLogging: This action stops logging of API | > | AWS CloudTrail StopLogging: This action stops logging of API | ||
| > | activity for a particular trail, effectively reducing the m | > | activity for a particular trail, effectively reducing the m | ||
| > | onitoring and visibility of AWS resources and activities. - | > | onitoring and visibility of AWS resources and activities. - | ||
| > | Microsoft Azure Monitor Logs: Disabling these logs hinders t | > | Microsoft Azure Monitor Logs: Disabling these logs hinders t | ||
| > | he organization’s ability to detect anomalous activities and | > | he organization’s ability to detect anomalous activities and | ||
| > | trace malicious actions. - Google Cloud Logging: Disabling | > | trace malicious actions. - Google Cloud Logging: Disabling | ||
| > | cloud logging removes visibility into resource activity, pre | > | cloud logging removes visibility into resource activity, pre | ||
| > | venting monitoring of service access or configuration change | > | venting monitoring of service access or configuration change | ||
| > | s. - SaaS Applications: Stopping logging removes visibility | > | s. - SaaS Applications: Stopping logging removes visibility | ||
| > | into user activities, such as email access or file downloads | > | into user activities, such as email access or file downloads | ||
| > | , enabling undetected malicious behavior. This data compone | > | , enabling undetected malicious behavior. | ||
| > | nt can be collected through the following measures: Enable | ||||
| > | and Monitor Cloud Service Logging - Ensure logging is enabl | ||||
| > | ed for all cloud services, including administrative actions | ||||
| > | like StopLogging. - Example: Use AWS Config to verify that C | ||||
| > | loudTrail is enabled and enforce logging as a compliance rul | ||||
| > | e. API Monitoring - Use API monitoring tools to detect cal | ||||
| > | ls like StopLogging or equivalent service-stopping actions i | ||||
| > | n other platforms. - Example: Monitor AWS CloudWatch for spe | ||||
| > | cific API events such as StopLogging and flag unauthorized u | ||||
| > | sers. SIEM Integration - Collect logs and events from the | ||||
| > | cloud control plane into a centralized SIEM for real-time an | ||||
| > | alysis and correlation. - Example: Ingest AWS CloudTrail log | ||||
| > | s into Splunk or Azure Monitor logs into Sentinel. Cloud Se | ||||
| > | curity Posture Management (CSPM) Tools - Leverage CSPM tool | ||||
| > | s like Prisma Cloud, Dome9, or AWS Security Hub to detect mi | ||||
| > | sconfigurations or suspicious activity, such as disabled log | ||||
| > | ging. - Example: Set alerts for changes to logging configura | ||||
| > | tions in CSPM dashboards. Configure Alerts in Cloud Platfor | ||||
| > | ms - Create native alerts in cloud platforms to detect serv | ||||
| > | ice stoppages. - Example: Configure an AWS CloudWatch alarm | ||||
| > | to trigger when StopLogging is invoked. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:39.702000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | This data component refers to monitoring actions that deactivate or stop a cloud service in a cloud control plane. Examples include disabling essential logging services like AWS CloudTrail (`StopLogging` API call), Microsoft Azure Monitor Logs, or Google Cloud's Operations Suite (formerly Stackdriver). Disabling such services can hinder visibility into adversary activities within the cloud environment. Examples: + +- AWS CloudTrail StopLogging: This action stops logging of API activity for a particular trail, effectively reducing the monitoring and visibility of AWS resources and activities. +- Microsoft Azure Monitor Logs: Disabling these logs hinders the organization’s ability to detect anomalous activities and trace malicious actions. +- Google Cloud Logging: Disabling cloud logging removes visibility into resource activity, preventing monitoring of service access or configuration changes. +- SaaS Applications: Stopping logging removes visibility into user activities, such as email access or file downloads, enabling undetected malicious behavior. + +This data component can be collected through the following measures: + +Enable and Monitor Cloud Service Logging + +- Ensure logging is enabled for all cloud services, including administrative actions like StopLogging. +- Example: Use AWS Config to verify that CloudTrail is enabled and enforce logging as a compliance rule. + +API Monitoring + +- Use API monitoring tools to detect calls like StopLogging or equivalent service-stopping actions in other platforms. +- Example: Monitor AWS CloudWatch for specific API events such as StopLogging and flag unauthorized users. + +SIEM Integration + +- Collect logs and events from the cloud control plane into a centralized SIEM for real-time analysis and correlation. +- Example: Ingest AWS CloudTrail logs into Splunk or Azure Monitor logs into Sentinel. + +Cloud Security Posture Management (CSPM) Tools + +- Leverage CSPM tools like Prisma Cloud, Dome9, or AWS Security Hub to detect misconfigurations or suspicious activity, such as disabled logging. +- Example: Set alerts for changes to logging configurations in CSPM dashboards. + +Configure Alerts in Cloud Platforms + +- Create native alerts in cloud platforms to detect service stoppages. +- Example: Configure an AWS CloudWatch alarm to trigger when StopLogging is invoked. | This data component refers to monitoring actions that deactivate or stop a cloud service in a cloud control plane. Examples include disabling essential logging services like AWS CloudTrail (`StopLogging` API call), Microsoft Azure Monitor Logs, or Google Cloud's Operations Suite (formerly Stackdriver). Disabling such services can hinder visibility into adversary activities within the cloud environment. Examples: + +- AWS CloudTrail StopLogging: This action stops logging of API activity for a particular trail, effectively reducing the monitoring and visibility of AWS resources and activities. +- Microsoft Azure Monitor Logs: Disabling these logs hinders the organization’s ability to detect anomalous activities and trace malicious actions. +- Google Cloud Logging: Disabling cloud logging removes visibility into resource activity, preventing monitoring of service access or configuration changes. +- SaaS Applications: Stopping logging removes visibility into user activities, such as email access or file downloads, enabling undetected malicious behavior. |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Cloud service enumeration involves listing or querying avail | t | 1 | Cloud service enumeration involves listing or querying avail |
| > | able cloud services in a cloud control plane. This activity | > | able cloud services in a cloud control plane. This activity | ||
| > | is often performed to identify resources such as virtual mac | > | is often performed to identify resources such as virtual mac | ||
| > | hines, storage buckets, compute clusters, or other services | > | hines, storage buckets, compute clusters, or other services | ||
| > | within a cloud environment. Examples include API calls like | > | within a cloud environment. Examples include API calls like | ||
| > | `AWS ECS ListServices`, `Azure ListAllResources`, or `Google | > | `AWS ECS ListServices`, `Azure ListAllResources`, or `Google | ||
| > | Cloud ListInstances`. Examples: AWS Cloud Service Enumera | > | Cloud ListInstances`. Examples: AWS Cloud Service Enumera | ||
| > | tion: The adversary gathers details about existing ECS servi | > | tion: The adversary gathers details about existing ECS servi | ||
| > | ces to identify opportunities for privilege escalation or ex | > | ces to identify opportunities for privilege escalation or ex | ||
| > | filtration. - Azure Resource Enumeration: The adversary coll | > | filtration. - Azure Resource Enumeration: The adversary coll | ||
| > | ects information about virtual machines, resource groups, an | > | ects information about virtual machines, resource groups, an | ||
| > | d other Azure assets for reconnaissance purposes. - Google C | > | d other Azure assets for reconnaissance purposes. - Google C | ||
| > | loud Resource Enumeration: The attacker seeks to map the env | > | loud Resource Enumeration: The attacker seeks to map the env | ||
| > | ironment and find misconfigured or underutilized resources f | > | ironment and find misconfigured or underutilized resources f | ||
| > | or exploitation. - Office 365 Service Enumeration: The attac | > | or exploitation. - Office 365 Service Enumeration: The attac | ||
| > | ker may look for data repositories or collaboration tools to | > | ker may look for data repositories or collaboration tools to | ||
| > | exfiltrate sensitive information. This data component can | > | exfiltrate sensitive information. | ||
| > | be collected through the following measures: Enable Cloud | ||||
| > | Activity Logging - Ensure cloud service logs are enabled fo | ||||
| > | r API calls and resource usage. - Example: Enable AWS CloudT | ||||
| > | rail, Azure Monitor, or Google Cloud Logging to track resour | ||||
| > | ce queries. Centralize Logs in a SIEM - Aggregate logs fro | ||||
| > | m cloud control planes into a centralized SIEM (e.g., Splunk | ||||
| > | , Azure Sentinel). - Example: Collect AWS CloudTrail logs an | ||||
| > | d set up alerts for API calls related to service enumeration | ||||
| > | . Use Native Cloud Security Tools - Leverage cloud-native | ||||
| > | security solutions like AWS GuardDuty, Azure Defender, or Go | ||||
| > | ogle Security Command Center. - Example: Use GuardDuty to de | ||||
| > | tect anomalous API activity, such as ListServices being exec | ||||
| > | uted by an unknown user. Implement Network Flow Logging - | ||||
| > | Monitor and analyze VPC flow logs to identify lateral moveme | ||||
| > | nt or enumeration activity. - Example: Inspect flow logs for | ||||
| > | unexpected traffic between compute instances and the cloud | ||||
| > | control plane. API Access Monitoring - Monitor API keys an | ||||
| > | d tokens used for enumeration to identify misuse or compromi | ||||
| > | se. - Example: Use AWS Secrets Manager or Azure Key Vault to | ||||
| > | manage and rotate keys securely. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:38.498000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Cloud service enumeration involves listing or querying available cloud services in a cloud control plane. This activity is often performed to identify resources such as virtual machines, storage buckets, compute clusters, or other services within a cloud environment. Examples include API calls like `AWS ECS ListServices`, `Azure ListAllResources`, or `Google Cloud ListInstances`. Examples: + +AWS Cloud Service Enumeration: The adversary gathers details about existing ECS services to identify opportunities for privilege escalation or exfiltration. +- Azure Resource Enumeration: The adversary collects information about virtual machines, resource groups, and other Azure assets for reconnaissance purposes. +- Google Cloud Resource Enumeration: The attacker seeks to map the environment and find misconfigured or underutilized resources for exploitation. +- Office 365 Service Enumeration: The attacker may look for data repositories or collaboration tools to exfiltrate sensitive information. + +This data component can be collected through the following measures: + +Enable Cloud Activity Logging + +- Ensure cloud service logs are enabled for API calls and resource usage. +- Example: Enable AWS CloudTrail, Azure Monitor, or Google Cloud Logging to track resource queries. + +Centralize Logs in a SIEM + +- Aggregate logs from cloud control planes into a centralized SIEM (e.g., Splunk, Azure Sentinel). +- Example: Collect AWS CloudTrail logs and set up alerts for API calls related to service enumeration. + +Use Native Cloud Security Tools + +- Leverage cloud-native security solutions like AWS GuardDuty, Azure Defender, or Google Security Command Center. +- Example: Use GuardDuty to detect anomalous API activity, such as ListServices being executed by an unknown user. + +Implement Network Flow Logging + +- Monitor and analyze VPC flow logs to identify lateral movement or enumeration activity. +- Example: Inspect flow logs for unexpected traffic between compute instances and the cloud control plane. + +API Access Monitoring + +- Monitor API keys and tokens used for enumeration to identify misuse or compromise. +- Example: Use AWS Secrets Manager or Azure Key Vault to manage and rotate keys securely. | Cloud service enumeration involves listing or querying available cloud services in a cloud control plane. This activity is often performed to identify resources such as virtual machines, storage buckets, compute clusters, or other services within a cloud environment. Examples include API calls like `AWS ECS ListServices`, `Azure ListAllResources`, or `Google Cloud ListInstances`. Examples: + +AWS Cloud Service Enumeration: The adversary gathers details about existing ECS services to identify opportunities for privilege escalation or exfiltration. +- Azure Resource Enumeration: The adversary collects information about virtual machines, resource groups, and other Azure assets for reconnaissance purposes. +- Google Cloud Resource Enumeration: The attacker seeks to map the environment and find misconfigured or underutilized resources for exploitation. +- Office 365 Service Enumeration: The attacker may look for data repositories or collaboration tools to exfiltrate sensitive information. |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Cloud service metadata refers to the contextual and descript | t | 1 | Cloud service metadata refers to the contextual and descript |
| > | ive information about cloud services, including their name, | > | ive information about cloud services, including their name, | ||
| > | type, purpose, configuration, and activity around them. This | > | type, purpose, configuration, and activity around them. This | ||
| > | metadata is essential for understanding the roles and funct | > | metadata is essential for understanding the roles and funct | ||
| > | ions of cloud services, their operational status, and their | > | ions of cloud services, their operational status, and their | ||
| > | potential misuse. Examples: - Azure Service Metadata: Meta | > | potential misuse. Examples: - Azure Service Metadata: Meta | ||
| > | data describing a resource in Azure, such as an Azure Storag | > | data describing a resource in Azure, such as an Azure Storag | ||
| > | e Account or a Virtual Machine. - AWS Cloud Service Metadata | > | e Account or a Virtual Machine. - AWS Cloud Service Metadata | ||
| > | : Metadata for an AWS EC2 instance collected using the `Desc | > | : Metadata for an AWS EC2 instance collected using the `Desc | ||
| > | ribeInstances` API call. - Google Cloud Service Metadata: Me | > | ribeInstances` API call. - Google Cloud Service Metadata: Me | ||
| > | tadata for a Google Compute Engine instance collected using | > | tadata for a Google Compute Engine instance collected using | ||
| > | `gcloud compute instances describe`. - Office 365 Metadata: | > | `gcloud compute instances describe`. - Office 365 Metadata: | ||
| > | Metadata about an Office 365 SharePoint site. This data com | > | Metadata about an Office 365 SharePoint site. | ||
| > | ponent can be collected through the following measures: Ena | ||||
| > | ble Cloud Metadata APIs - Leverage APIs provided by cloud p | ||||
| > | roviders to query metadata about services. - AWS: Use AW | ||||
| > | S CLI or SDKs for `DescribeInstances`, `DescribeBuckets`, et | ||||
| > | c. - Azure: Use `az resource list` or SDKs. - Google | ||||
| > | Cloud: Use `gcloud compute instances describe` or related c | ||||
| > | ommands. - Office 365: Use Microsoft Graph API. Central | ||||
| > | ize Metadata in a Security Platform - Aggregate metadata fr | ||||
| > | om multiple clouds into a SIEM or CSPM (Cloud Security Postu | ||||
| > | re Management) tool. - Example: Integrate AWS CloudTrail wit | ||||
| > | h Splunk or Azure Monitor with Sentinel. Enable Continuous | ||||
| > | Monitoring - Set up automated jobs or workflows to regularl | ||||
| > | y query and update metadata. - Example: Use AWS Config to tr | ||||
| > | ack resource configurations and changes over time. Configur | ||||
| > | e Access and Logging - Enable logging for API queries to en | ||||
| > | sure access and usage of metadata are monitored. - Example: | ||||
| > | Use AWS CloudTrail to log API activity for metadata queries. | ||||
| > | Use Cloud Security Tools - Employ CSPM tools like Prisma | ||||
| > | Cloud, Wiz, or Dome9 to gather metadata and identify misconf | ||||
| > | igurations. - Example: Prisma Cloud provides consolidated vi | ||||
| > | ews of metadata for resources across AWS, Azure, and GCP. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:34.276000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Cloud service metadata refers to the contextual and descriptive information about cloud services, including their name, type, purpose, configuration, and activity around them. This metadata is essential for understanding the roles and functions of cloud services, their operational status, and their potential misuse. Examples: + +- Azure Service Metadata: Metadata describing a resource in Azure, such as an Azure Storage Account or a Virtual Machine. +- AWS Cloud Service Metadata: Metadata for an AWS EC2 instance collected using the `DescribeInstances` API call. +- Google Cloud Service Metadata: Metadata for a Google Compute Engine instance collected using `gcloud compute instances describe`. +- Office 365 Metadata: Metadata about an Office 365 SharePoint site. + +This data component can be collected through the following measures: + +Enable Cloud Metadata APIs + +- Leverage APIs provided by cloud providers to query metadata about services. + - AWS: Use AWS CLI or SDKs for `DescribeInstances`, `DescribeBuckets`, etc. + - Azure: Use `az resource list` or SDKs. + - Google Cloud: Use `gcloud compute instances describe` or related commands. + - Office 365: Use Microsoft Graph API. + +Centralize Metadata in a Security Platform + +- Aggregate metadata from multiple clouds into a SIEM or CSPM (Cloud Security Posture Management) tool. +- Example: Integrate AWS CloudTrail with Splunk or Azure Monitor with Sentinel. + +Enable Continuous Monitoring + +- Set up automated jobs or workflows to regularly query and update metadata. +- Example: Use AWS Config to track resource configurations and changes over time. + +Configure Access and Logging + +- Enable logging for API queries to ensure access and usage of metadata are monitored. +- Example: Use AWS CloudTrail to log API activity for metadata queries. + +Use Cloud Security Tools + +- Employ CSPM tools like Prisma Cloud, Wiz, or Dome9 to gather metadata and identify misconfigurations. +- Example: Prisma Cloud provides consolidated views of metadata for resources across AWS, Azure, and GCP. | Cloud service metadata refers to the contextual and descriptive information about cloud services, including their name, type, purpose, configuration, and activity around them. This metadata is essential for understanding the roles and functions of cloud services, their operational status, and their potential misuse. Examples: + +- Azure Service Metadata: Metadata describing a resource in Azure, such as an Azure Storage Account or a Virtual Machine. +- AWS Cloud Service Metadata: Metadata for an AWS EC2 instance collected using the `DescribeInstances` API call. +- Google Cloud Service Metadata: Metadata for a Google Compute Engine instance collected using `gcloud compute instances describe`. +- Office 365 Metadata: Metadata about an Office 365 SharePoint site. |
| x_mitre_log_sources[0]['name'] | CloudTrail:GetInstanceIdentityDocument | AWS:CloudTrail |
| x_mitre_log_sources[4]['name'] | CloudTrail:GetSecretValue | AWS:CloudTrail |
| x_mitre_log_sources[4]['channel'] | API call to retrieve secret or access key | GetSecretValue |
| x_mitre_log_sources[5]['name'] | CloudTrail:InvokeFunction | AWS:CloudTrail |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Cloud service modification refers to changes made to the con | t | 1 | Cloud service modification refers to changes made to the con |
| > | figuration, settings, or data of a cloud service. These modi | > | figuration, settings, or data of a cloud service. These modi | ||
| > | fications can include administrative changes such as enablin | > | fications can include administrative changes such as enablin | ||
| > | g or disabling features, altering permissions, or deleting c | > | g or disabling features, altering permissions, or deleting c | ||
| > | ritical components. Monitoring these changes is critical to | > | ritical components. Monitoring these changes is critical to | ||
| > | detect potential misconfigurations or malicious activity. Ex | > | detect potential misconfigurations or malicious activity. Ex | ||
| > | amples: - AWS Cloud Service Modifications: A user disables | > | amples: - AWS Cloud Service Modifications: A user disables | ||
| > | AWS CloudTrail logging (StopLogging) or deletes a CloudWatc | > | AWS CloudTrail logging (StopLogging) or deletes a CloudWatc | ||
| > | h configuration rule (DeleteConfigRule). - Azure Cloud Servi | > | h configuration rule (DeleteConfigRule). - Azure Cloud Servi | ||
| > | ce Modifications: Changes to Azure Role-Based Access Control | > | ce Modifications: Changes to Azure Role-Based Access Control | ||
| > | (RBAC) roles, such as adding a new Contributor role to a se | > | (RBAC) roles, such as adding a new Contributor role to a se | ||
| > | nsitive resource. - Google Cloud Service Modifications: Dele | > | nsitive resource. - Google Cloud Service Modifications: Dele | ||
| > | tion of a Google Cloud Storage bucket or disabling a Google | > | tion of a Google Cloud Storage bucket or disabling a Google | ||
| > | Cloud Function. - Office 365 Cloud Service Modifications: Al | > | Cloud Function. - Office 365 Cloud Service Modifications: Al | ||
| > | tering mailbox permissions or disabling auditing in Microsof | > | tering mailbox permissions or disabling auditing in Microsof | ||
| > | t 365. This data component can be collected through the fol | > | t 365. | ||
| > | lowing measures: Enable Cloud Audit Logging - AWS: Enable | ||||
| > | AWS CloudTrail for logging management events such as StopLog | ||||
| > | ging or DeleteTrail. - Azure: Use Azure Activity Logs to mon | ||||
| > | itor resource changes and access actions. - Google Cloud: En | ||||
| > | able Google Cloud Audit Logs to track API calls, resource mo | ||||
| > | difications, and policy changes. - Office 365: Use Unified A | ||||
| > | udit Logs in Microsoft Purview to track administrative actio | ||||
| > | ns. Centralize Log Storage - Consolidate logs from all clo | ||||
| > | ud providers into a SIEM or CSPM (Cloud Security Posture Man | ||||
| > | agement) tool. - Example: Use Splunk or Elastic Stack to ing | ||||
| > | est and analyze logs from AWS, Azure, and Google Cloud. Aut | ||||
| > | omate Alerts for Sensitive Changes - Configure alerts for h | ||||
| > | igh-risk actions, such as disabling logging or modifying IAM | ||||
| > | roles. - AWS Example: Use AWS Config rules to detect and no | ||||
| > | tify changes to critical services. - Azure Example: Set up A | ||||
| > | zure Monitor alerts for write actions on sensitive resources | ||||
| > | . Enable Continuous Monitoring - Use tools like AWS Securi | ||||
| > | ty Hub, Azure Defender, or Google Chronicle to continuously | ||||
| > | monitor cloud service modifications for anomalies. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:35.943000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Cloud service modification refers to changes made to the configuration, settings, or data of a cloud service. These modifications can include administrative changes such as enabling or disabling features, altering permissions, or deleting critical components. Monitoring these changes is critical to detect potential misconfigurations or malicious activity. Examples: + +- AWS Cloud Service Modifications: A user disables AWS CloudTrail logging (StopLogging) or deletes a CloudWatch configuration rule (DeleteConfigRule). +- Azure Cloud Service Modifications: Changes to Azure Role-Based Access Control (RBAC) roles, such as adding a new Contributor role to a sensitive resource. +- Google Cloud Service Modifications: Deletion of a Google Cloud Storage bucket or disabling a Google Cloud Function. +- Office 365 Cloud Service Modifications: Altering mailbox permissions or disabling auditing in Microsoft 365. + +This data component can be collected through the following measures: + +Enable Cloud Audit Logging + +- AWS: Enable AWS CloudTrail for logging management events such as StopLogging or DeleteTrail. +- Azure: Use Azure Activity Logs to monitor resource changes and access actions. +- Google Cloud: Enable Google Cloud Audit Logs to track API calls, resource modifications, and policy changes. +- Office 365: Use Unified Audit Logs in Microsoft Purview to track administrative actions. + +Centralize Log Storage + +- Consolidate logs from all cloud providers into a SIEM or CSPM (Cloud Security Posture Management) tool. +- Example: Use Splunk or Elastic Stack to ingest and analyze logs from AWS, Azure, and Google Cloud. + +Automate Alerts for Sensitive Changes + +- Configure alerts for high-risk actions, such as disabling logging or modifying IAM roles. +- AWS Example: Use AWS Config rules to detect and notify changes to critical services. +- Azure Example: Set up Azure Monitor alerts for write actions on sensitive resources. + +Enable Continuous Monitoring + +- Use tools like AWS Security Hub, Azure Defender, or Google Chronicle to continuously monitor cloud service modifications for anomalies. | Cloud service modification refers to changes made to the configuration, settings, or data of a cloud service. These modifications can include administrative changes such as enabling or disabling features, altering permissions, or deleting critical components. Monitoring these changes is critical to detect potential misconfigurations or malicious activity. Examples: + +- AWS Cloud Service Modifications: A user disables AWS CloudTrail logging (StopLogging) or deletes a CloudWatch configuration rule (DeleteConfigRule). +- Azure Cloud Service Modifications: Changes to Azure Role-Based Access Control (RBAC) roles, such as adding a new Contributor role to a sensitive resource. +- Google Cloud Service Modifications: Deletion of a Google Cloud Storage bucket or disabling a Google Cloud Function. +- Office 365 Cloud Service Modifications: Altering mailbox permissions or disabling auditing in Microsoft 365. |
| x_mitre_log_sources[9]['name'] | CloudTrail:Organizations | AWS:CloudTrail |
| x_mitre_log_sources[15]['name'] | CloudTrail:UpdatePolicy | AWS:CloudTrail |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Cloud storage access refers to the retrieval or interaction | t | 1 | Cloud storage access refers to the retrieval or interaction |
| > | with data stored in cloud infrastructure. This data componen | > | with data stored in cloud infrastructure. This data componen | ||
| > | t includes activities such as reading, downloading, or acces | > | t includes activities such as reading, downloading, or acces | ||
| > | sing files and objects within cloud storage systems. Common | > | sing files and objects within cloud storage systems. Common | ||
| > | examples include API calls like GetObject in AWS S3, which r | > | examples include API calls like GetObject in AWS S3, which r | ||
| > | etrieves objects from cloud buckets. Examples: - AWS S3 Ac | > | etrieves objects from cloud buckets. Examples: - AWS S3 Ac | ||
| > | cess: An adversary uses the `GetObject` API to retrieve sens | > | cess: An adversary uses the `GetObject` API to retrieve sens | ||
| > | itive data from an AWS S3 bucket. - Azure Blob Storage Acces | > | itive data from an AWS S3 bucket. - Azure Blob Storage Acces | ||
| > | s: A user accesses a blob in Azure Storage using `Get Blob` | > | s: A user accesses a blob in Azure Storage using `Get Blob` | ||
| > | or `Get Blob Properties`. - Google Cloud Storage Access: An | > | or `Get Blob Properties`. - Google Cloud Storage Access: An | ||
| > | adversary uses `storage.objects.get` to download objects fro | > | adversary uses `storage.objects.get` to download objects fro | ||
| > | m - OpenStack Swift Storage Access: A user retrieves an obje | > | m - OpenStack Swift Storage Access: A user retrieves an obje | ||
| > | ct from OpenStack Swift using the `GET` method. This data c | > | ct from OpenStack Swift using the `GET` method. | ||
| > | omponent can be collected through the following measures: E | ||||
| > | nable Logging for Cloud Storage Services - AWS S3: Enable S | ||||
| > | erver Access Logging to capture API calls like `GetObject` a | ||||
| > | nd store them in a designated S3 bucket. - Azure Storage: En | ||||
| > | able Azure Storage Logging to capture operations like `GetBl | ||||
| > | ob` and log metadata. - Google Cloud Storage: Enable Data Ac | ||||
| > | cess audit logs for `storage.objects.get` API calls. - OpenS | ||||
| > | tack Swift: Configure middleware for object logging to captu | ||||
| > | re GET requests. Centralize and Aggregate Logs - Use a cen | ||||
| > | tralized logging solution (e.g., Splunk, ELK, or a cloud-nat | ||||
| > | ive SIEM) to ingest and analyze logs from different cloud pr | ||||
| > | oviders. - AWS Example: Use AWS CloudTrail to collect AP | ||||
| > | I activity logs and forward them to your SIEM. - Azure E | ||||
| > | xample: Use Azure Monitor and Log Analytics to analyze stora | ||||
| > | ge access logs. Correlate with IAM Logs - Combine storage | ||||
| > | access logs with IAM activity logs to correlate user actions | ||||
| > | with specific permissions and identities. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.111000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Cloud storage access refers to the retrieval or interaction with data stored in cloud infrastructure. This data component includes activities such as reading, downloading, or accessing files and objects within cloud storage systems. Common examples include API calls like GetObject in AWS S3, which retrieves objects from cloud buckets. Examples: + +- AWS S3 Access: An adversary uses the `GetObject` API to retrieve sensitive data from an AWS S3 bucket. +- Azure Blob Storage Access: A user accesses a blob in Azure Storage using `Get Blob` or `Get Blob Properties`. +- Google Cloud Storage Access: An adversary uses `storage.objects.get` to download objects from - OpenStack Swift Storage Access: A user retrieves an object from OpenStack Swift using the `GET` method. + +This data component can be collected through the following measures: + +Enable Logging for Cloud Storage Services + +- AWS S3: Enable Server Access Logging to capture API calls like `GetObject` and store them in a designated S3 bucket. +- Azure Storage: Enable Azure Storage Logging to capture operations like `GetBlob` and log metadata. +- Google Cloud Storage: Enable Data Access audit logs for `storage.objects.get` API calls. +- OpenStack Swift: Configure middleware for object logging to capture GET requests. + +Centralize and Aggregate Logs + +- Use a centralized logging solution (e.g., Splunk, ELK, or a cloud-native SIEM) to ingest and analyze logs from different cloud providers. + - AWS Example: Use AWS CloudTrail to collect API activity logs and forward them to your SIEM. + - Azure Example: Use Azure Monitor and Log Analytics to analyze storage access logs. + +Correlate with IAM Logs + +- Combine storage access logs with IAM activity logs to correlate user actions with specific permissions and identities. | Cloud storage access refers to the retrieval or interaction with data stored in cloud infrastructure. This data component includes activities such as reading, downloading, or accessing files and objects within cloud storage systems. Common examples include API calls like GetObject in AWS S3, which retrieves objects from cloud buckets. Examples: + +- AWS S3 Access: An adversary uses the `GetObject` API to retrieve sensitive data from an AWS S3 bucket. +- Azure Blob Storage Access: A user accesses a blob in Azure Storage using `Get Blob` or `Get Blob Properties`. +- Google Cloud Storage Access: An adversary uses `storage.objects.get` to download objects from - OpenStack Swift Storage Access: A user retrieves an object from OpenStack Swift using the `GET` method. |
| x_mitre_log_sources[0]['channel'] | PutObject, CopyObject | GetObject, CopyObject |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'AWS:CloudTrail', 'channel': 'PutObject, GetObject, CopyObject, DeleteObject'} | |
| x_mitre_log_sources | {'name': 'AWS:CloudTrail', 'channel': 'GetObject'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Cloud Storage Creation refers to the initial creation of a n | t | 1 | Cloud Storage Creation refers to the initial creation of a n |
| > | ew cloud storage resource, such as buckets, containers, or d | > | ew cloud storage resource, such as buckets, containers, or d | ||
| > | irectories, within a cloud environment. This action is criti | > | irectories, within a cloud environment. This action is criti | ||
| > | cal to track as it might indicate the legitimate provisionin | > | cal to track as it might indicate the legitimate provisionin | ||
| > | g of resources or unauthorized actions taken by adversaries | > | g of resources or unauthorized actions taken by adversaries | ||
| > | to stage, store, or exfiltrate data. Examples: - AWS S3 Bu | > | to stage, store, or exfiltrate data. Examples: - AWS S3 Bu | ||
| > | cket Creation: An AWS user creates a new S3 bucket using the | > | cket Creation: An AWS user creates a new S3 bucket using the | ||
| > | `CreateBucket` API call. - Azure Blob Storage Container Cre | > | `CreateBucket` API call. - Azure Blob Storage Container Cre | ||
| > | ation: A user creates a new container in Azure Blob Storage | > | ation: A user creates a new container in Azure Blob Storage | ||
| > | using the `Create Container` operation. - Google Cloud Stora | > | using the `Create Container` operation. - Google Cloud Stora | ||
| > | ge Bucket Creation: A Google Cloud user creates a new bucket | > | ge Bucket Creation: A Google Cloud user creates a new bucket | ||
| > | using `storage.buckets.create`. - OpenStack Swift Container | > | using `storage.buckets.create`. - OpenStack Swift Container | ||
| > | Creation: A user creates a new container in OpenStack Swift | > | Creation: A user creates a new container in OpenStack Swift | ||
| > | using the `PUT` method. This data component can be collect | > | using the `PUT` method. | ||
| > | ed through the following measures: Enable Logging for Cloud | ||||
| > | Storage Services - AWS S3: Enable AWS CloudTrail to log Cr | ||||
| > | eateBucket API actions. - Azure Blob Storage: Enable Azure M | ||||
| > | onitor and Diagnostic Logs for storage account activity. Use | ||||
| > | Azure Event Grid to capture Create Container operations. - | ||||
| > | Google Cloud Storage: Enable Data Access logs in Cloud Audit | ||||
| > | Logs to monitor storage.buckets.create API calls. - OpenSta | ||||
| > | ck Swift: Configure Swift logging to capture PUT requests to | ||||
| > | new containers. Centralized Logging and Analysis - Forwar | ||||
| > | d logs to centralized platforms like Splunk or cloud-native | ||||
| > | SIEM solutions for correlation and analysis. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:39.305000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Cloud Storage Creation refers to the initial creation of a new cloud storage resource, such as buckets, containers, or directories, within a cloud environment. This action is critical to track as it might indicate the legitimate provisioning of resources or unauthorized actions taken by adversaries to stage, store, or exfiltrate data. Examples: + +- AWS S3 Bucket Creation: An AWS user creates a new S3 bucket using the `CreateBucket` API call. +- Azure Blob Storage Container Creation: A user creates a new container in Azure Blob Storage using the `Create Container` operation. +- Google Cloud Storage Bucket Creation: A Google Cloud user creates a new bucket using `storage.buckets.create`. +- OpenStack Swift Container Creation: A user creates a new container in OpenStack Swift using the `PUT` method. + +This data component can be collected through the following measures: + +Enable Logging for Cloud Storage Services + +- AWS S3: Enable AWS CloudTrail to log CreateBucket API actions. +- Azure Blob Storage: Enable Azure Monitor and Diagnostic Logs for storage account activity. Use Azure Event Grid to capture Create Container operations. +- Google Cloud Storage: Enable Data Access logs in Cloud Audit Logs to monitor storage.buckets.create API calls. +- OpenStack Swift: Configure Swift logging to capture PUT requests to new containers. + +Centralized Logging and Analysis + +- Forward logs to centralized platforms like Splunk or cloud-native SIEM solutions for correlation and analysis. | Cloud Storage Creation refers to the initial creation of a new cloud storage resource, such as buckets, containers, or directories, within a cloud environment. This action is critical to track as it might indicate the legitimate provisioning of resources or unauthorized actions taken by adversaries to stage, store, or exfiltrate data. Examples: + +- AWS S3 Bucket Creation: An AWS user creates a new S3 bucket using the `CreateBucket` API call. +- Azure Blob Storage Container Creation: A user creates a new container in Azure Blob Storage using the `Create Container` operation. +- Google Cloud Storage Bucket Creation: A Google Cloud user creates a new bucket using `storage.buckets.create`. +- OpenStack Swift Container Creation: A user creates a new container in OpenStack Swift using the `PUT` method. |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:38.644000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'AWS:CloudTrail', 'channel': 'PutBackupVaultAccessPolicy'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Cloud Storage Enumeration involves retrieving a list of avai | t | 1 | Cloud Storage Enumeration involves retrieving a list of avai |
| > | lable cloud storage infrastructure, such as buckets, contain | > | lable cloud storage infrastructure, such as buckets, contain | ||
| > | ers, or objects, within a cloud environment. This activity m | > | ers, or objects, within a cloud environment. This activity m | ||
| > | ay be performed for legitimate administrative purposes or ma | > | ay be performed for legitimate administrative purposes or ma | ||
| > | licious reconnaissance by adversaries seeking to identify ac | > | licious reconnaissance by adversaries seeking to identify ac | ||
| > | cessible storage resources.Examples: - AWS S3 Bucket Enumer | > | cessible storage resources.Examples: - AWS S3 Bucket Enumer | ||
| > | ation: An AWS user lists all buckets using the `ListBuckets` | > | ation: An AWS user lists all buckets using the `ListBuckets` | ||
| > | API call. - Azure Blob Storage Container Enumeration: A use | > | API call. - Azure Blob Storage Container Enumeration: A use | ||
| > | r retrieves a list of all containers within a storage accoun | > | r retrieves a list of all containers within a storage accoun | ||
| > | t using the Azure Storage SDK or API. - Google Cloud Storage | > | t using the Azure Storage SDK or API. - Google Cloud Storage | ||
| > | Bucket Enumeration: A Google Cloud user lists all buckets w | > | Bucket Enumeration: A Google Cloud user lists all buckets w | ||
| > | ithin a project using the `storage.buckets.list` API. - Open | > | ithin a project using the `storage.buckets.list` API. - Open | ||
| > | Stack Swift Container Enumeration: A user retrieves a list o | > | Stack Swift Container Enumeration: A user retrieves a list o | ||
| > | f containers in OpenStack Swift using the `GET` method on th | > | f containers in OpenStack Swift using the `GET` method on th | ||
| > | e storage endpoint. This data component can be collected th | > | e storage endpoint. | ||
| > | rough the following measures: Enable Logging for Cloud Stor | ||||
| > | age Enumeration - AWS S3: Enable AWS CloudTrail to capture | ||||
| > | ListBuckets and ListObjects API calls. - Azure Blob Storage: | ||||
| > | Enable Azure Monitor and Diagnostic Logs to capture enumera | ||||
| > | tion operations like List Containers. Use Azure Event Grid t | ||||
| > | o trigger alerts for container enumeration. - Google Cloud S | ||||
| > | torage: Enable Audit Logs in Google Cloud to track storage.b | ||||
| > | uckets.list API activity. - OpenStack Swift: Configure Swift | ||||
| > | logging to capture GET requests for container enumeration. | ||||
| > | Centralized Log Aggregation - Use platforms like Splunk or | ||||
| > | native SIEM solutions to collect and analyze enumeration lo | ||||
| > | gs. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:38.903000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Cloud Storage Enumeration involves retrieving a list of available cloud storage infrastructure, such as buckets, containers, or objects, within a cloud environment. This activity may be performed for legitimate administrative purposes or malicious reconnaissance by adversaries seeking to identify accessible storage resources.Examples: + +- AWS S3 Bucket Enumeration: An AWS user lists all buckets using the `ListBuckets` API call. +- Azure Blob Storage Container Enumeration: A user retrieves a list of all containers within a storage account using the Azure Storage SDK or API. +- Google Cloud Storage Bucket Enumeration: A Google Cloud user lists all buckets within a project using the `storage.buckets.list` API. +- OpenStack Swift Container Enumeration: A user retrieves a list of containers in OpenStack Swift using the `GET` method on the storage endpoint. + +This data component can be collected through the following measures: + +Enable Logging for Cloud Storage Enumeration + +- AWS S3: Enable AWS CloudTrail to capture ListBuckets and ListObjects API calls. +- Azure Blob Storage: Enable Azure Monitor and Diagnostic Logs to capture enumeration operations like List Containers. Use Azure Event Grid to trigger alerts for container enumeration. +- Google Cloud Storage: Enable Audit Logs in Google Cloud to track storage.buckets.list API activity. +- OpenStack Swift: Configure Swift logging to capture GET requests for container enumeration. + +Centralized Log Aggregation + +- Use platforms like Splunk or native SIEM solutions to collect and analyze enumeration logs. + | Cloud Storage Enumeration involves retrieving a list of available cloud storage infrastructure, such as buckets, containers, or objects, within a cloud environment. This activity may be performed for legitimate administrative purposes or malicious reconnaissance by adversaries seeking to identify accessible storage resources.Examples: + +- AWS S3 Bucket Enumeration: An AWS user lists all buckets using the `ListBuckets` API call. +- Azure Blob Storage Container Enumeration: A user retrieves a list of all containers within a storage account using the Azure Storage SDK or API. +- Google Cloud Storage Bucket Enumeration: A Google Cloud user lists all buckets within a project using the `storage.buckets.list` API. +- OpenStack Swift Container Enumeration: A user retrieves a list of containers in OpenStack Swift using the `GET` method on the storage endpoint. |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Cloud Storage Metadata provides contextual information about | t | 1 | Cloud Storage Metadata provides contextual information about |
| > | cloud storage infrastructure and its associated activity. T | > | cloud storage infrastructure and its associated activity. T | ||
| > | his data may include attributes such as storage name, size, | > | his data may include attributes such as storage name, size, | ||
| > | owner, permissions, creation date, region, and activity meta | > | owner, permissions, creation date, region, and activity meta | ||
| > | data. It is essential for monitoring, auditing, and identify | > | data. It is essential for monitoring, auditing, and identify | ||
| > | ing anomalies in cloud storage environments. Examples: - A | > | ing anomalies in cloud storage environments. Examples: - A | ||
| > | WS S3 Bucket Metadata: Metadata about an S3 bucket includes | > | WS S3 Bucket Metadata: Metadata about an S3 bucket includes | ||
| > | the bucket name, region, creation date, owner, storage class | > | the bucket name, region, creation date, owner, storage class | ||
| > | , and permissions. - Azure Blob Storage Metadata: Metadata f | > | , and permissions. - Azure Blob Storage Metadata: Metadata f | ||
| > | or an Azure Blob container includes container name, access l | > | or an Azure Blob container includes container name, access l | ||
| > | evel (e.g., private or public), size, and tags. - Google Clo | > | evel (e.g., private or public), size, and tags. - Google Clo | ||
| > | ud Storage Metadata: Metadata includes bucket name, storage | > | ud Storage Metadata: Metadata includes bucket name, storage | ||
| > | class, location, labels, lifecycle policies, and versioning | > | class, location, labels, lifecycle policies, and versioning | ||
| > | status. - OpenStack Swift Metadata: Metadata for a Swift con | > | status. - OpenStack Swift Metadata: Metadata for a Swift con | ||
| > | tainer includes name, access level, quota, and custom attrib | > | tainer includes name, access level, quota, and custom attrib | ||
| > | utes. This data component can be collected through the foll | > | utes. | ||
| > | owing measures: Enable Logging for Metadata Collection - A | ||||
| > | WS S3: Use AWS CloudTrail to log `GetBucketAcl`, `GetBucketP | ||||
| > | olicy`, and `HeadBucket` API calls. - Azure Blob Storage: Us | ||||
| > | e Azure Monitor to log container metadata retrieval and upda | ||||
| > | tes. - Google Cloud Storage: Enable Google Cloud Audit Logs | ||||
| > | to capture `storage.buckets.get` and `storage.buckets.update | ||||
| > | `. - OpenStack Swift: Enable logging of `HEAD` or `GET` requ | ||||
| > | ests to containers. Centralized Log Aggregation - Use a SI | ||||
| > | EM solution (e.g., Splunk) to aggregate and analyze metadata | ||||
| > | retrieval and modification logs. - Correlate metadata acces | ||||
| > | s with user actions, IP addresses, and other contextual data | ||||
| > | . API Polling - Use cloud SDKs or APIs to periodically que | ||||
| > | ry metadata for analysis: - AWS CLI Example: `aws s3api | ||||
| > | get-bucket-acl --bucket company-sensitive-data` - Azure | ||||
| > | CLI Example: `az storage container show --name customer-reco | ||||
| > | rds` - Google Cloud CLI Example: `gcloud storage buckets | ||||
| > | describe user-uploads` | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:39.767000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Cloud Storage Metadata provides contextual information about cloud storage infrastructure and its associated activity. This data may include attributes such as storage name, size, owner, permissions, creation date, region, and activity metadata. It is essential for monitoring, auditing, and identifying anomalies in cloud storage environments. Examples: + +- AWS S3 Bucket Metadata: Metadata about an S3 bucket includes the bucket name, region, creation date, owner, storage class, and permissions. +- Azure Blob Storage Metadata: Metadata for an Azure Blob container includes container name, access level (e.g., private or public), size, and tags. +- Google Cloud Storage Metadata: Metadata includes bucket name, storage class, location, labels, lifecycle policies, and versioning status. +- OpenStack Swift Metadata: Metadata for a Swift container includes name, access level, quota, and custom attributes. + +This data component can be collected through the following measures: + +Enable Logging for Metadata Collection + +- AWS S3: Use AWS CloudTrail to log `GetBucketAcl`, `GetBucketPolicy`, and `HeadBucket` API calls. +- Azure Blob Storage: Use Azure Monitor to log container metadata retrieval and updates. +- Google Cloud Storage: Enable Google Cloud Audit Logs to capture `storage.buckets.get` and `storage.buckets.update`. +- OpenStack Swift: Enable logging of `HEAD` or `GET` requests to containers. + +Centralized Log Aggregation + +- Use a SIEM solution (e.g., Splunk) to aggregate and analyze metadata retrieval and modification logs. +- Correlate metadata access with user actions, IP addresses, and other contextual data. + +API Polling + +- Use cloud SDKs or APIs to periodically query metadata for analysis: + - AWS CLI Example: `aws s3api get-bucket-acl --bucket company-sensitive-data` + - Azure CLI Example: `az storage container show --name customer-records` + - Google Cloud CLI Example: `gcloud storage buckets describe user-uploads` | Cloud Storage Metadata provides contextual information about cloud storage infrastructure and its associated activity. This data may include attributes such as storage name, size, owner, permissions, creation date, region, and activity metadata. It is essential for monitoring, auditing, and identifying anomalies in cloud storage environments. Examples: + +- AWS S3 Bucket Metadata: Metadata about an S3 bucket includes the bucket name, region, creation date, owner, storage class, and permissions. +- Azure Blob Storage Metadata: Metadata for an Azure Blob container includes container name, access level (e.g., private or public), size, and tags. +- Google Cloud Storage Metadata: Metadata includes bucket name, storage class, location, labels, lifecycle policies, and versioning status. +- OpenStack Swift Metadata: Metadata for a Swift container includes name, access level, quota, and custom attributes. |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Cloud Storage Modification involves tracking changes made to | t | 1 | Cloud Storage Modification involves tracking changes made to |
| > | cloud storage infrastructure, including updates to settings | > | cloud storage infrastructure, including updates to settings | ||
| > | , permissions, or stored data. Examples include modifying ob | > | , permissions, or stored data. Examples include modifying ob | ||
| > | ject access control lists (ACLs), uploading new objects, or | > | ject access control lists (ACLs), uploading new objects, or | ||
| > | updating bucket policies. Examples: AWS S3: An object is u | > | updating bucket policies. Examples: AWS S3: An object is u | ||
| > | ploaded or its ACL is modified. - Azure Blob Storage: A blob | > | ploaded or its ACL is modified. - Azure Blob Storage: A blob | ||
| > | 's metadata or permissions are updated. - Google Cloud Stora | > | 's metadata or permissions are updated. - Google Cloud Stora | ||
| > | ge: An object's lifecycle policy is updated, or a bucket pol | > | ge: An object's lifecycle policy is updated, or a bucket pol | ||
| > | icy is changed. - OpenStack Swift: Modifications to containe | > | icy is changed. - OpenStack Swift: Modifications to containe | ||
| > | r settings or uploading of new objects. This data component | > | r settings or uploading of new objects. | ||
| > | can be collected through the following measures: Enable Lo | ||||
| > | gging - AWS S3: Enable AWS CloudTrail to log API events lik | ||||
| > | e PutObject, PutObjectAcl, and PutBucketPolicy. - Azure Blob | ||||
| > | Storage: Use Azure Monitor to log write and update operatio | ||||
| > | ns. - Google Cloud Storage: Enable Google Cloud Audit Logs t | ||||
| > | o track storage.objects.update and storage.buckets.update. - | ||||
| > | OpenStack Swift: Enable logging for PUT and POST requests t | ||||
| > | o track object uploads and container metadata updates. Use | ||||
| > | Cloud Monitoring Tools - Integrate with tools like AWS Conf | ||||
| > | ig, Azure Security Center, or Google Cloud Monitoring to det | ||||
| > | ect configuration drift or unauthorized changes. Centralize | ||||
| > | d Log Aggregation - Use a SIEM (e.g., Splunk) to aggregate | ||||
| > | logs across multiple cloud providers for unified monitoring | ||||
| > | and analysis. Periodic API Queries - AWS CLI Example: Quer | ||||
| > | y recent modifications to bucket policies: `aws s3api get-bu | ||||
| > | cket-policy --bucket sensitive-data` - Azure CLI Example: Li | ||||
| > | st changes to a blob container: `az storage blob show --cont | ||||
| > | ainer-name private-docs` - Google Cloud CLI Example: Check m | ||||
| > | etadata updates: `gcloud storage objects describe gs://user- | ||||
| > | uploads/document.txt` | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.930000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Cloud Storage Modification involves tracking changes made to cloud storage infrastructure, including updates to settings, permissions, or stored data. Examples include modifying object access control lists (ACLs), uploading new objects, or updating bucket policies. Examples: + +AWS S3: An object is uploaded or its ACL is modified. +- Azure Blob Storage: A blob's metadata or permissions are updated. +- Google Cloud Storage: An object's lifecycle policy is updated, or a bucket policy is changed. +- OpenStack Swift: Modifications to container settings or uploading of new objects. + +This data component can be collected through the following measures: + +Enable Logging + +- AWS S3: Enable AWS CloudTrail to log API events like PutObject, PutObjectAcl, and PutBucketPolicy. +- Azure Blob Storage: Use Azure Monitor to log write and update operations. +- Google Cloud Storage: Enable Google Cloud Audit Logs to track storage.objects.update and storage.buckets.update. +- OpenStack Swift: Enable logging for PUT and POST requests to track object uploads and container metadata updates. + +Use Cloud Monitoring Tools + +- Integrate with tools like AWS Config, Azure Security Center, or Google Cloud Monitoring to detect configuration drift or unauthorized changes. + +Centralized Log Aggregation + +- Use a SIEM (e.g., Splunk) to aggregate logs across multiple cloud providers for unified monitoring and analysis. + +Periodic API Queries + +- AWS CLI Example: Query recent modifications to bucket policies: `aws s3api get-bucket-policy --bucket sensitive-data` +- Azure CLI Example: List changes to a blob container: `az storage blob show --container-name private-docs` +- Google Cloud CLI Example: Check metadata updates: `gcloud storage objects describe gs://user-uploads/document.txt` | Cloud Storage Modification involves tracking changes made to cloud storage infrastructure, including updates to settings, permissions, or stored data. Examples include modifying object access control lists (ACLs), uploading new objects, or updating bucket policies. Examples: + +AWS S3: An object is uploaded or its ACL is modified. +- Azure Blob Storage: A blob's metadata or permissions are updated. +- Google Cloud Storage: An object's lifecycle policy is updated, or a bucket policy is changed. +- OpenStack Swift: Modifications to container settings or uploading of new objects. |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Command Execution involves monitoring and capturing the exec | t | 1 | Command Execution involves monitoring and capturing the exec |
| > | ution of textual commands (including shell commands, cmdlets | > | ution of textual commands (including shell commands, cmdlets | ||
| > | , and scripts) within an operating system or application. Th | > | , and scripts) within an operating system or application. Th | ||
| > | ese commands may include arguments or parameters and are typ | > | ese commands may include arguments or parameters and are typ | ||
| > | ically executed through interpreters such as `cmd.exe`, `bas | > | ically executed through interpreters such as `cmd.exe`, `bas | ||
| > | h`, `zsh`, `PowerShell`, or programmatic execution. Examples | > | h`, `zsh`, `PowerShell`, or programmatic execution. Examples | ||
| > | : - Windows Command Prompt - dir – Lists directory con | > | : - Windows Command Prompt - dir – Lists directory con | ||
| > | tents. - net user – Queries or manipulates user accounts | > | tents. - net user – Queries or manipulates user accounts | ||
| > | . - tasklist – Lists running processes. - PowerShell | > | . - tasklist – Lists running processes. - PowerShell | ||
| > | - Get-Process – Retrieves processes running on a system. | > | - Get-Process – Retrieves processes running on a system. | ||
| > | - Set-ExecutionPolicy – Changes PowerShell script executio | > | - Set-ExecutionPolicy – Changes PowerShell script executio | ||
| > | n policies. - Invoke-WebRequest – Downloads remote resou | > | n policies. - Invoke-WebRequest – Downloads remote resou | ||
| > | rces. - Linux Shell - ls – Lists files in a directory. | > | rces. - Linux Shell - ls – Lists files in a directory. | ||
| > | - cat /etc/passwd – Reads the user accounts file. - c | > | - cat /etc/passwd – Reads the user accounts file. - c | ||
| > | url http://malicious-site.com – Retrieves content from a mal | > | url http://malicious-site.com – Retrieves content from a mal | ||
| > | icious URL. - Container Environments - docker exec – Exe | > | icious URL. - Container Environments - docker exec – Exe | ||
| > | cutes a command inside a running container. - kubectl ex | > | cutes a command inside a running container. - kubectl ex | ||
| > | ec – Runs commands in Kubernetes pods. - macOS Terminal | > | ec – Runs commands in Kubernetes pods. - macOS Terminal | ||
| > | - open – Opens files or URLs. - dscl . -list /Users – Li | > | - open – Opens files or URLs. - dscl . -list /Users – Li | ||
| > | sts all users on the system. - osascript -e – Executes A | > | sts all users on the system. - osascript -e – Executes A | ||
| > | ppleScript commands. This data component can be collected t | > | ppleScript commands. | ||
| > | hrough the following measures: Enable Command Logging - Wi | ||||
| > | ndows: - Enable PowerShell logging: `Set-ExecutionPolicy | ||||
| > | Bypass`, `Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\M | ||||
| > | icrosoft\Windows\PowerShell\ScriptBlockLogging" -Name Enable | ||||
| > | ScriptBlockLogging -Value 1` - Enable Windows Event Logg | ||||
| > | ing: - Event ID 4688: Tracks process creation, inclu | ||||
| > | ding command-line arguments. - Event ID 4104: Logs P | ||||
| > | owerShell script block execution. - Linux/macOS: - Enabl | ||||
| > | e shell history logging in `.bashrc` or `.zshrc`: `export HI | ||||
| > | STTIMEFORMAT="%d/%m/%y %T "`, `export PROMPT_COMMAND='histor | ||||
| > | y -a; history -w'` - Use audit frameworks (e.g., `auditd | ||||
| > | `) to log command executions. Example rule to log all `execv | ||||
| > | e` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_ex | ||||
| > | ec` - Containers: - Use runtime-specific tools like Dock | ||||
| > | er’s --log-driver or Kubernetes Audit Logs to capture exec c | ||||
| > | ommands. Integrate with Centralized Logging - Collect logs | ||||
| > | using a SIEM (e.g., Splunk) or cloud-based log aggregation | ||||
| > | tools like AWS CloudWatch or Azure Monitor. Example Splunk S | ||||
| > | earch for Windows Event 4688: `index=windows EventID=4688 Co | ||||
| > | mmandLine=*` Use Endpoint Detection and Response (EDR) Tool | ||||
| > | s - Monitor command executions via EDR solutions Deploy S | ||||
| > | ysmon for Advanced Logging (Windows) - Use Sysmon's Event I | ||||
| > | D 1 to log process creation with command-line arguments | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:34.849000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples: + +- Windows Command Prompt + - dir – Lists directory contents. + - net user – Queries or manipulates user accounts. + - tasklist – Lists running processes. +- PowerShell + - Get-Process – Retrieves processes running on a system. + - Set-ExecutionPolicy – Changes PowerShell script execution policies. + - Invoke-WebRequest – Downloads remote resources. +- Linux Shell + - ls – Lists files in a directory. + - cat /etc/passwd – Reads the user accounts file. + - curl http://malicious-site.com – Retrieves content from a malicious URL. +- Container Environments + - docker exec – Executes a command inside a running container. + - kubectl exec – Runs commands in Kubernetes pods. +- macOS Terminal + - open – Opens files or URLs. + - dscl . -list /Users – Lists all users on the system. + - osascript -e – Executes AppleScript commands. + +This data component can be collected through the following measures: + +Enable Command Logging + +- Windows: + - Enable PowerShell logging: `Set-ExecutionPolicy Bypass`, `Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1` + - Enable Windows Event Logging: + - Event ID 4688: Tracks process creation, including command-line arguments. + - Event ID 4104: Logs PowerShell script block execution. +- Linux/macOS: + - Enable shell history logging in `.bashrc` or `.zshrc`: `export HISTTIMEFORMAT="%d/%m/%y %T "`, `export PROMPT_COMMAND='history -a; history -w'` + - Use audit frameworks (e.g., `auditd`) to log command executions. Example rule to log all `execve` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_exec` +- Containers: + - Use runtime-specific tools like Docker’s --log-driver or Kubernetes Audit Logs to capture exec commands. + +Integrate with Centralized Logging + +- Collect logs using a SIEM (e.g., Splunk) or cloud-based log aggregation tools like AWS CloudWatch or Azure Monitor. Example Splunk Search for Windows Event 4688: +`index=windows EventID=4688 CommandLine=*` + +Use Endpoint Detection and Response (EDR) Tools + +- Monitor command executions via EDR solutions + +Deploy Sysmon for Advanced Logging (Windows) + +- Use Sysmon's Event ID 1 to log process creation with command-line arguments | Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples: + +- Windows Command Prompt + - dir – Lists directory contents. + - net user – Queries or manipulates user accounts. + - tasklist – Lists running processes. +- PowerShell + - Get-Process – Retrieves processes running on a system. + - Set-ExecutionPolicy – Changes PowerShell script execution policies. + - Invoke-WebRequest – Downloads remote resources. +- Linux Shell + - ls – Lists files in a directory. + - cat /etc/passwd – Reads the user accounts file. + - curl http://malicious-site.com – Retrieves content from a malicious URL. +- Container Environments + - docker exec – Executes a command inside a running container. + - kubectl exec – Runs commands in Kubernetes pods. +- macOS Terminal + - open – Opens files or URLs. + - dscl . -list /Users – Lists all users on the system. + - osascript -e – Executes AppleScript commands. |
| x_mitre_log_sources[4]['channel'] | /var/log/syslog or journalctl | cron activity |
| x_mitre_log_sources[10]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
| x_mitre_log_sources[35]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
| x_mitre_log_sources[226]['name'] | azure:signinLogs | azure:signinlogs |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Powershell', 'channel': 'EventCode=4104'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103,4104'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103,4104,4105, 4106'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4105'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4106'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103, 4104'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | "Container Creation" data component captures details about t | t | 1 | "Container Creation" data component captures details about t |
| > | he initial construction of a container in a containerized en | > | he initial construction of a container in a containerized en | ||
| > | vironment. This includes events where a new container is ins | > | vironment. This includes events where a new container is ins | ||
| > | tantiated, such as through Docker, Kubernetes, or other cont | > | tantiated, such as through Docker, Kubernetes, or other cont | ||
| > | ainer orchestration platforms. Monitoring these events helps | > | ainer orchestration platforms. Monitoring these events helps | ||
| > | detect unauthorized or potentially malicious container crea | > | detect unauthorized or potentially malicious container crea | ||
| > | tion. Examples: - Docker Example: `docker create my-contain | > | tion. Examples: - Docker Example: `docker create my-contain | ||
| > | er`, `docker run --name=my-container nginx:latest` - Kuberne | > | er`, `docker run --name=my-container nginx:latest` - Kuberne | ||
| > | tes Example: `kubectl run my-pod --image=nginx`, `kubectl cr | > | tes Example: `kubectl run my-pod --image=nginx`, `kubectl cr | ||
| > | eate deployment my-deployment --image=nginx` - Cloud Contain | > | eate deployment my-deployment --image=nginx` - Cloud Contain | ||
| > | er Services Example - AWS ECS: Task or service creation | > | er Services Example - AWS ECS: Task or service creation | ||
| > | (`RunTask` or `CreateService`). - Azure Container Instan | > | (`RunTask` or `CreateService`). - Azure Container Instan | ||
| > | ces: Deployment of a container group. - Google Kubernete | > | ces: Deployment of a container group. - Google Kubernete | ||
| > | s Engine (GKE): Creation of new pods via GCP APIs. This dat | > | s Engine (GKE): Creation of new pods via GCP APIs. | ||
| > | a component can be collected through the following measures: | ||||
| > | - Docker Audit Logging: Enable Docker daemon logging to ca | ||||
| > | pture `create` commands. Configure the Docker daemon to use | ||||
| > | a log driver such as `syslog` or `json-file`. - Kubernetes A | ||||
| > | udit Logs: Enable Kubernetes API server audit logging: - Clo | ||||
| > | ud Provider Logs - AWS CloudTrail: Enable logging for EC | ||||
| > | S `RunTask` or `CreateService` events. - Azure Monitor: | ||||
| > | Enable activity logging for container group creation. - | ||||
| > | GCP Cloud Logging: Monitor API calls such as `container.proj | ||||
| > | ects.zones.clusters.create`. - SIEM Integration: Use a SIEM | ||||
| > | to collect logs from Docker, Kubernetes, or cloud platforms. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:37.681000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | "Container Creation" data component captures details about the initial construction of a container in a containerized environment. This includes events where a new container is instantiated, such as through Docker, Kubernetes, or other container orchestration platforms. Monitoring these events helps detect unauthorized or potentially malicious container creation. Examples: + +- Docker Example: `docker create my-container`, `docker run --name=my-container nginx:latest` +- Kubernetes Example: `kubectl run my-pod --image=nginx`, `kubectl create deployment my-deployment --image=nginx` +- Cloud Container Services Example + - AWS ECS: Task or service creation (`RunTask` or `CreateService`). + - Azure Container Instances: Deployment of a container group. + - Google Kubernetes Engine (GKE): Creation of new pods via GCP APIs. + +This data component can be collected through the following measures: + +- Docker Audit Logging: Enable Docker daemon logging to capture `create` commands. Configure the Docker daemon to use a log driver such as `syslog` or `json-file`. +- Kubernetes Audit Logs: Enable Kubernetes API server audit logging: +- Cloud Provider Logs + - AWS CloudTrail: Enable logging for ECS `RunTask` or `CreateService` events. + - Azure Monitor: Enable activity logging for container group creation. + - GCP Cloud Logging: Monitor API calls such as `container.projects.zones.clusters.create`. +- SIEM Integration: Use a SIEM to collect logs from Docker, Kubernetes, or cloud platforms. | "Container Creation" data component captures details about the initial construction of a container in a containerized environment. This includes events where a new container is instantiated, such as through Docker, Kubernetes, or other container orchestration platforms. Monitoring these events helps detect unauthorized or potentially malicious container creation. Examples: + +- Docker Example: `docker create my-container`, `docker run --name=my-container nginx:latest` +- Kubernetes Example: `kubectl run my-pod --image=nginx`, `kubectl create deployment my-deployment --image=nginx` +- Cloud Container Services Example + - AWS ECS: Task or service creation (`RunTask` or `CreateService`). + - Azure Container Instances: Deployment of a container group. + - Google Kubernetes Engine (GKE): Creation of new pods via GCP APIs. |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | "Container Enumeration" data component captures events and a | t | 1 | "Container Enumeration" data component captures events and a |
| > | ctions related to listing and identifying active or availabl | > | ctions related to listing and identifying active or availabl | ||
| > | e containers within a containerized environment. This includ | > | e containers within a containerized environment. This includ | ||
| > | es information about running, stopped, or configured contain | > | es information about running, stopped, or configured contain | ||
| > | ers, such as their names, IDs, statuses, or associated image | > | ers, such as their names, IDs, statuses, or associated image | ||
| > | s. Monitoring this activity is crucial for detecting unautho | > | s. Monitoring this activity is crucial for detecting unautho | ||
| > | rized discovery or reconnaissance efforts. Examples: - Doc | > | rized discovery or reconnaissance efforts. Examples: - Doc | ||
| > | ker Example: `docker ps`, `docker ps -a` - Kubernetes Exampl | > | ker Example: `docker ps`, `docker ps -a` - Kubernetes Exampl | ||
| > | e: `kubectl get pods`, `kubectl get deployments` - Cloud Con | > | e: `kubectl get pods`, `kubectl get deployments` - Cloud Con | ||
| > | tainer Services Example - AWS ECS: API Call: ListTasks o | > | tainer Services Example - AWS ECS: API Call: ListTasks o | ||
| > | r ListContainers - Azure Kubernetes Service: API Call: L | > | r ListContainers - Azure Kubernetes Service: API Call: L | ||
| > | ist pod or container instances. - Google Kubernetes Engi | > | ist pod or container instances. - Google Kubernetes Engi | ||
| > | ne (GKE): API Call: Retrieve deployments and their associate | > | ne (GKE): API Call: Retrieve deployments and their associate | ||
| > | d containers. This data component can be collected through | > | d containers. | ||
| > | the following measures: - Docker Audit Logging: Enable Dock | ||||
| > | er daemon logging to capture enumeration commands. Use tools | ||||
| > | like auditd to monitor terminal activity involving docker p | ||||
| > | s or similar commands. - Kubernetes Audit Logs: Enable Kuber | ||||
| > | netes API server audit logging. Capture events where users q | ||||
| > | uery resources such as pods, deployments, or services. - Clo | ||||
| > | ud Provider Logs - AWS CloudTrail: Enable logging for AP | ||||
| > | I calls like ListTasks or DescribeTasks. - Azure Monitor | ||||
| > | : Enable activity logging to track container-related queries | ||||
| > | . - GCP Cloud Logging: Track API events involving contai | ||||
| > | ner enumerations or deployments. - SIEM Integration: Collect | ||||
| > | logs from Docker, Kubernetes, and cloud services for centra | ||||
| > | lized analysis. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:40.609000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | "Container Enumeration" data component captures events and actions related to listing and identifying active or available containers within a containerized environment. This includes information about running, stopped, or configured containers, such as their names, IDs, statuses, or associated images. Monitoring this activity is crucial for detecting unauthorized discovery or reconnaissance efforts. Examples: + +- Docker Example: `docker ps`, `docker ps -a` +- Kubernetes Example: `kubectl get pods`, `kubectl get deployments` +- Cloud Container Services Example + - AWS ECS: API Call: ListTasks or ListContainers + - Azure Kubernetes Service: API Call: List pod or container instances. + - Google Kubernetes Engine (GKE): API Call: Retrieve deployments and their associated containers. + +This data component can be collected through the following measures: + +- Docker Audit Logging: Enable Docker daemon logging to capture enumeration commands. Use tools like auditd to monitor terminal activity involving docker ps or similar commands. +- Kubernetes Audit Logs: Enable Kubernetes API server audit logging. Capture events where users query resources such as pods, deployments, or services. +- Cloud Provider Logs + - AWS CloudTrail: Enable logging for API calls like ListTasks or DescribeTasks. + - Azure Monitor: Enable activity logging to track container-related queries. + - GCP Cloud Logging: Track API events involving container enumerations or deployments. +- SIEM Integration: Collect logs from Docker, Kubernetes, and cloud services for centralized analysis. | "Container Enumeration" data component captures events and actions related to listing and identifying active or available containers within a containerized environment. This includes information about running, stopped, or configured containers, such as their names, IDs, statuses, or associated images. Monitoring this activity is crucial for detecting unauthorized discovery or reconnaissance efforts. Examples: + +- Docker Example: `docker ps`, `docker ps -a` +- Kubernetes Example: `kubectl get pods`, `kubectl get deployments` +- Cloud Container Services Example + - AWS ECS: API Call: ListTasks or ListContainers + - Azure Kubernetes Service: API Call: List pod or container instances. + - Google Kubernetes Engine (GKE): API Call: Retrieve deployments and their associated containers. |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Refers to the act of accessing a data storage device, such a | t | 1 | Refers to the act of accessing a data storage device, such a |
| > | s a hard drive, SSD, USB, or network-mounted drive. This dat | > | s a hard drive, SSD, USB, or network-mounted drive. This dat | ||
| > | a component logs the opening or mounting of drives, capturin | > | a component logs the opening or mounting of drives, capturin | ||
| > | g activities such as reading, writing, or executing files wi | > | g activities such as reading, writing, or executing files wi | ||
| > | thin an assigned drive letter (e.g., `C:\`, `/mnt/drive`) or | > | thin an assigned drive letter (e.g., `C:\`, `/mnt/drive`) or | ||
| > | mount point. Examples: - Removable Drive Insertion: A USB | > | mount point. Examples: - Removable Drive Insertion: A USB | ||
| > | drive is inserted, assigned the letter `F:\`, and files are | > | drive is inserted, assigned the letter `F:\`, and files are | ||
| > | accessed. - Network Drive Mounting: A network share `\\serv | > | accessed. - Network Drive Mounting: A network share `\\serv | ||
| > | er\share` is mapped to the drive `Z:\`. - External Hard Driv | > | er\share` is mapped to the drive `Z:\`. - External Hard Driv | ||
| > | e Access: An external drive is connected, mounted at `/mnt/b | > | e Access: An external drive is connected, mounted at `/mnt/b | ||
| > | ackup`, and accessed for copying files. - System Volume Acce | > | ackup`, and accessed for copying files. - System Volume Acce | ||
| > | ss: The system volume `C:\` is accessed for modifications to | > | ss: The system volume `C:\` is accessed for modifications to | ||
| > | critical files. - Cloud-Synced Drives: Cloud storage drives | > | critical files. - Cloud-Synced Drives: Cloud storage drives | ||
| > | like OneDrive or Google Drive are accessed via local mounts | > | like OneDrive or Google Drive are accessed via local mounts | ||
| > | . This data component can be collected through the followin | > | . | ||
| > | g measures: Windows Event Logs - Relevant Events: - Eve | ||||
| > | nt ID 4663: Logs access to file or folder objects. - Eve | ||||
| > | nt ID 4656: Tracks a handle to an object like a drive or fil | ||||
| > | e. - Configuration: - Enable auditing for "Object Access | ||||
| > | " in Local Security Policy. - Use Group Policy for broad | ||||
| > | er deployment: `Computer Configuration > Windows Settings > | ||||
| > | Security Settings > Advanced Audit Policy Configuration > Ob | ||||
| > | ject Access` Linux System Logs - Command-Line Monitoring: | ||||
| > | Use the `dmesg` or `journalctl` command to monitor drive mou | ||||
| > | nt/unmount events. - Auditd Configuration: Add an audit rule | ||||
| > | for drive access: `auditctl -w /mnt/drive -p rwxa -k drive_ | ||||
| > | access` - Review logs via `/var/log/audit/audit.log`. macOS | ||||
| > | System Logs - Command-Line Monitoring: Use `diskutil list` | ||||
| > | or `fs_usage` to monitor drive access and mount points. - U | ||||
| > | nified Logs: Query unified logs using log show for drive-rel | ||||
| > | ated activities: `log show --info | grep "mount"` Endpoint | ||||
| > | Detection and Response (EDR) Tools - Use EDR solutions to m | ||||
| > | onitor drive activities and collect detailed forensic data. | ||||
| > | SIEM Tools - Ingest logs from endpoints to detect drive ac | ||||
| > | cess patterns. Configure rules to alert on unusual or unauth | ||||
| > | orized drive access. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:38.086000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Refers to the act of accessing a data storage device, such as a hard drive, SSD, USB, or network-mounted drive. This data component logs the opening or mounting of drives, capturing activities such as reading, writing, or executing files within an assigned drive letter (e.g., `C:\`, `/mnt/drive`) or mount point. Examples: + +- Removable Drive Insertion: A USB drive is inserted, assigned the letter `F:\`, and files are accessed. +- Network Drive Mounting: A network share `\\server\share` is mapped to the drive `Z:\`. +- External Hard Drive Access: An external drive is connected, mounted at `/mnt/backup`, and accessed for copying files. +- System Volume Access: The system volume `C:\` is accessed for modifications to critical files. +- Cloud-Synced Drives: Cloud storage drives like OneDrive or Google Drive are accessed via local mounts. + +This data component can be collected through the following measures: + +Windows Event Logs +- Relevant Events: + - Event ID 4663: Logs access to file or folder objects. + - Event ID 4656: Tracks a handle to an object like a drive or file. +- Configuration: + - Enable auditing for "Object Access" in Local Security Policy. + - Use Group Policy for broader deployment: `Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access` + +Linux System Logs + +- Command-Line Monitoring: Use the `dmesg` or `journalctl` command to monitor drive mount/unmount events. +- Auditd Configuration: Add an audit rule for drive access: `auditctl -w /mnt/drive -p rwxa -k drive_access` +- Review logs via `/var/log/audit/audit.log`. + +macOS System Logs + +- Command-Line Monitoring: Use `diskutil list` or `fs_usage` to monitor drive access and mount points. +- Unified Logs: Query unified logs using log show for drive-related activities: `log show --info | grep "mount"` + +Endpoint Detection and Response (EDR) Tools + +- Use EDR solutions to monitor drive activities and collect detailed forensic data. + +SIEM Tools + +- Ingest logs from endpoints to detect drive access patterns. Configure rules to alert on unusual or unauthorized drive access. | Refers to the act of accessing a data storage device, such as a hard drive, SSD, USB, or network-mounted drive. This data component logs the opening or mounting of drives, capturing activities such as reading, writing, or executing files within an assigned drive letter (e.g., `C:\`, `/mnt/drive`) or mount point. Examples: + +- Removable Drive Insertion: A USB drive is inserted, assigned the letter `F:\`, and files are accessed. +- Network Drive Mounting: A network share `\\server\share` is mapped to the drive `Z:\`. +- External Hard Drive Access: An external drive is connected, mounted at `/mnt/backup`, and accessed for copying files. +- System Volume Access: The system volume `C:\` is accessed for modifications to critical files. +- Cloud-Synced Drives: Cloud storage drives like OneDrive or Google Drive are accessed via local mounts. |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The activity of assigning a new drive letter or creating a m | t | 1 | The activity of assigning a new drive letter or creating a m |
| > | ount point for a data storage device, such as a USB, network | > | ount point for a data storage device, such as a USB, network | ||
| > | share, or external hard drive, enabling access to its conte | > | share, or external hard drive, enabling access to its conte | ||
| > | nt on a host system. Examples: - USB Drive Insertion: A US | > | nt on a host system. Examples: - USB Drive Insertion: A US | ||
| > | B drive is plugged in and automatically assigned the letter | > | B drive is plugged in and automatically assigned the letter | ||
| > | `E:\` on a Windows machine. - Network Drive Mapping: A netwo | > | `E:\` on a Windows machine. - Network Drive Mapping: A netwo | ||
| > | rk share `\\server\share` is mapped to the drive `Z:\`. - Vi | > | rk share `\\server\share` is mapped to the drive `Z:\`. - Vi | ||
| > | rtual Drive Creation: A virtual disk is mounted on `/mnt/vir | > | rtual Drive Creation: A virtual disk is mounted on `/mnt/vir | ||
| > | tualdrive` using an ISO image or a virtual hard disk (VHD). | > | tualdrive` using an ISO image or a virtual hard disk (VHD). | ||
| > | - Cloud Storage Mounting: Google Drive is mounted as `G:\` o | > | - Cloud Storage Mounting: Google Drive is mounted as `G:\` o | ||
| > | n a Windows machine using a cloud sync tool. - External Stor | > | n a Windows machine using a cloud sync tool. - External Stor | ||
| > | age Integration: An external HDD or SSD is connected and ass | > | age Integration: An external HDD or SSD is connected and ass | ||
| > | igned `/mnt/external` on a Linux system. This data componen | > | igned `/mnt/external` on a Linux system.. | ||
| > | t can be collected through the following measures: Windows | ||||
| > | Event Logs - Relevant Events: - Event ID 98: Logs the c | ||||
| > | reation of a volume (mount or new drive letter assignment). | ||||
| > | - Event ID 1006: Logs removable storage device insertion | ||||
| > | s. - Configuration: Enable "Removable Storage Events" in the | ||||
| > | Group Policy settings: `Computer Configuration > Administra | ||||
| > | tive Templates > System > Removable Storage Access` Linux S | ||||
| > | ystem Logs - Command-Line Monitoring: Use `dmesg` or `journ | ||||
| > | alctl` to monitor mount events. - Auditd Configuration: Add | ||||
| > | audit rules to track mount points. - Logs can be reviewed i | ||||
| > | n /var/log/audit/audit.log. macOS System Logs - Unified Lo | ||||
| > | gs: Monitor system logs for mount activity: - Command-Line T | ||||
| > | ools: Use `diskutil list` to verify newly created or mounted | ||||
| > | drives. Endpoint Detection and Response (EDR) Tools - EDR | ||||
| > | solutions can log removable drive usage and network-mounted | ||||
| > | drives. Configure EDR policies to alert on suspicious drive | ||||
| > | creation events. SIEM Tools - Centralize logs from multip | ||||
| > | le platforms into a SIEM (e.g., Splunk) to correlate and ale | ||||
| > | rt on suspicious drive creation activities. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:37.342000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | The activity of assigning a new drive letter or creating a mount point for a data storage device, such as a USB, network share, or external hard drive, enabling access to its content on a host system. Examples: + +- USB Drive Insertion: A USB drive is plugged in and automatically assigned the letter `E:\` on a Windows machine. +- Network Drive Mapping: A network share `\\server\share` is mapped to the drive `Z:\`. +- Virtual Drive Creation: A virtual disk is mounted on `/mnt/virtualdrive` using an ISO image or a virtual hard disk (VHD). +- Cloud Storage Mounting: Google Drive is mounted as `G:\` on a Windows machine using a cloud sync tool. +- External Storage Integration: An external HDD or SSD is connected and assigned `/mnt/external` on a Linux system. + +This data component can be collected through the following measures: + +Windows Event Logs + +- Relevant Events: + - Event ID 98: Logs the creation of a volume (mount or new drive letter assignment). + - Event ID 1006: Logs removable storage device insertions. +- Configuration: Enable "Removable Storage Events" in the Group Policy settings: +`Computer Configuration > Administrative Templates > System > Removable Storage Access` + +Linux System Logs + +- Command-Line Monitoring: Use `dmesg` or `journalctl` to monitor mount events. + +- Auditd Configuration: Add audit rules to track mount points. +- Logs can be reviewed in /var/log/audit/audit.log. + +macOS System Logs + +- Unified Logs: Monitor system logs for mount activity: +- Command-Line Tools: Use `diskutil list` to verify newly created or mounted drives. + +Endpoint Detection and Response (EDR) Tools + +- EDR solutions can log removable drive usage and network-mounted drives. Configure EDR policies to alert on suspicious drive creation events. + +SIEM Tools + +- Centralize logs from multiple platforms into a SIEM (e.g., Splunk) to correlate and alert on suspicious drive creation activities. | The activity of assigning a new drive letter or creating a mount point for a data storage device, such as a USB, network share, or external hard drive, enabling access to its content on a host system. Examples: + +- USB Drive Insertion: A USB drive is plugged in and automatically assigned the letter `E:\` on a Windows machine. +- Network Drive Mapping: A network share `\\server\share` is mapped to the drive `Z:\`. +- Virtual Drive Creation: A virtual disk is mounted on `/mnt/virtualdrive` using an ISO image or a virtual hard disk (VHD). +- Cloud Storage Mounting: Google Drive is mounted as `G:\` on a Windows machine using a cloud sync tool. +- External Storage Integration: An external HDD or SSD is connected and assigned `/mnt/external` on a Linux system.. |
| x_mitre_log_sources[4]['name'] | WinEventLog:Microsoft-Windows-Partition/Diagnostic | WinEventLog:System |
| x_mitre_log_sources[7]['channel'] | EventCode=1006,10001 | EventCode=1006, 10001 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational', 'channel': 'EventCode=2003'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:System', 'channel': 'EventCode=20001/20003'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:System', 'channel': '20001-20003'} |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-22 19:03:17.198000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| external_references[0]['url'] | https://attack.mitre.org/data-components/DC0046 | https://attack.mitre.org/datacomponents/DC0046 |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The process of attaching a driver, which is a software compo | t | 1 | The process of attaching a driver, which is a software compo |
| > | nent that allows the operating system and applications to in | > | nent that allows the operating system and applications to in | ||
| > | teract with hardware devices, to either user-mode or kernel- | > | teract with hardware devices, to either user-mode or kernel- | ||
| > | mode of a system. This can include benign actions (e.g., har | > | mode of a system. This can include benign actions (e.g., har | ||
| > | dware drivers) or malicious behavior (e.g., rootkits or unsi | > | dware drivers) or malicious behavior (e.g., rootkits or unsi | ||
| > | gned drivers). Examples: - Legitimate Driver Loading: A ne | > | gned drivers). Examples: - Legitimate Driver Loading: A ne | ||
| > | w graphics driver from a vendor like NVIDIA or AMD is loaded | > | w graphics driver from a vendor like NVIDIA or AMD is loaded | ||
| > | into the system. - Unsigned Driver Loading: A driver withou | > | into the system. - Unsigned Driver Loading: A driver withou | ||
| > | t a valid digital signature is loaded into the kernel. - Roo | > | t a valid digital signature is loaded into the kernel. - Roo | ||
| > | tkit Installation: A malicious rootkit driver is loaded to m | > | tkit Installation: A malicious rootkit driver is loaded to m | ||
| > | anipulate kernel-mode processes. - Anti-Virus or EDR Driver | > | anipulate kernel-mode processes. - Anti-Virus or EDR Driver | ||
| > | Loading: An Endpoint Detection and Response (EDR) solution l | > | Loading: An Endpoint Detection and Response (EDR) solution l | ||
| > | oads its driver to monitor system activities. - Driver Misus | > | oads its driver to monitor system activities. - Driver Misus | ||
| > | e: A legitimate driver is loaded and exploited to execute ma | > | e: A legitimate driver is loaded and exploited to execute ma | ||
| > | licious actions, such as using vulnerable drivers for bypass | > | licious actions, such as using vulnerable drivers for bypass | ||
| > | ing defenses (e.g., Bring Your Own Vulnerable Driver (BYOVD) | > | ing defenses (e.g., Bring Your Own Vulnerable Driver (BYOVD) | ||
| > | attacks). This data component can be collected through the | > | attacks). | ||
| > | following measures: Windows - Sysmon Logs: - Event I | ||||
| > | D 6: Captures driver loading activity, including file path, | ||||
| > | hashes, and signature information. - Configuration: Ensu | ||||
| > | re Sysmon is configured with a ruleset that monitors driver | ||||
| > | loading events - Windows Event Logs: Enable "Audit Kernel Ob | ||||
| > | ject" to capture kernel-related driver loading events. Linu | ||||
| > | x - Auditd: Configure audit rules to capture driver loading | ||||
| > | events: `auditctl -w /lib/modules/ -p rwxa -k driver_load` | ||||
| > | - Kernel Logs (dmesg): Use dmesg to monitor driver-related a | ||||
| > | ctivities: `dmesg | grep "module"` - Syslog or journald: Rev | ||||
| > | iew logs for module insertion or removal activities. macOS | ||||
| > | - Unified Logs: Use the macOS unified logging system to mon | ||||
| > | itor kext (kernel extension) loads: `log show --predicate 'e | ||||
| > | ventMessage contains "kext load"'` - Endpoint Security Frame | ||||
| > | work: Monitor driver loading via third-party security tools | ||||
| > | that leverage Apple’s Endpoint Security Framework. SIEM Too | ||||
| > | ls - Ingest driver load logs from Sysmon, Auditd, or macOS | ||||
| > | unified logs into a centralized SIEM (e.g., Splunk). - Creat | ||||
| > | e rules to detect unsigned drivers, rootkit activity, or kno | ||||
| > | wn vulnerable drivers. EDR Solutions - Use EDR tools to de | ||||
| > | tect and alert on anomalous driver loading activity. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:37.274000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | The process of attaching a driver, which is a software component that allows the operating system and applications to interact with hardware devices, to either user-mode or kernel-mode of a system. This can include benign actions (e.g., hardware drivers) or malicious behavior (e.g., rootkits or unsigned drivers). Examples: + +- Legitimate Driver Loading: A new graphics driver from a vendor like NVIDIA or AMD is loaded into the system. +- Unsigned Driver Loading: A driver without a valid digital signature is loaded into the kernel. +- Rootkit Installation: A malicious rootkit driver is loaded to manipulate kernel-mode processes. +- Anti-Virus or EDR Driver Loading: An Endpoint Detection and Response (EDR) solution loads its driver to monitor system activities. +- Driver Misuse: A legitimate driver is loaded and exploited to execute malicious actions, such as using vulnerable drivers for bypassing defenses (e.g., Bring Your Own Vulnerable Driver (BYOVD) attacks). + +This data component can be collected through the following measures: + +Windows + +- Sysmon Logs: + - Event ID 6: Captures driver loading activity, including file path, hashes, and signature information. + - Configuration: Ensure Sysmon is configured with a ruleset that monitors driver loading events +- Windows Event Logs: Enable "Audit Kernel Object" to capture kernel-related driver loading events. + +Linux + +- Auditd: Configure audit rules to capture driver loading events: `auditctl -w /lib/modules/ -p rwxa -k driver_load` +- Kernel Logs (dmesg): Use dmesg to monitor driver-related activities: `dmesg | grep "module"` +- Syslog or journald: Review logs for module insertion or removal activities. + +macOS + +- Unified Logs: Use the macOS unified logging system to monitor kext (kernel extension) loads: +`log show --predicate 'eventMessage contains "kext load"'` +- Endpoint Security Framework: Monitor driver loading via third-party security tools that leverage Apple’s Endpoint Security Framework. + +SIEM Tools + +- Ingest driver load logs from Sysmon, Auditd, or macOS unified logs into a centralized SIEM (e.g., Splunk). +- Create rules to detect unsigned drivers, rootkit activity, or known vulnerable drivers. + +EDR Solutions + +- Use EDR tools to detect and alert on anomalous driver loading activity. | The process of attaching a driver, which is a software component that allows the operating system and applications to interact with hardware devices, to either user-mode or kernel-mode of a system. This can include benign actions (e.g., hardware drivers) or malicious behavior (e.g., rootkits or unsigned drivers). Examples: + +- Legitimate Driver Loading: A new graphics driver from a vendor like NVIDIA or AMD is loaded into the system. +- Unsigned Driver Loading: A driver without a valid digital signature is loaded into the kernel. +- Rootkit Installation: A malicious rootkit driver is loaded to manipulate kernel-mode processes. +- Anti-Virus or EDR Driver Loading: An Endpoint Detection and Response (EDR) solution loads its driver to monitor system activities. +- Driver Misuse: A legitimate driver is loaded and exploited to execute malicious actions, such as using vulnerable drivers for bypassing defenses (e.g., Bring Your Own Vulnerable Driver (BYOVD) attacks). |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:System', 'channel': 'EventCode=6'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | To events where a file is opened or accessed, making its con | t | 1 | To events where a file is opened or accessed, making its con |
| > | tents available to the requester. This includes reading, exe | > | tents available to the requester. This includes reading, exe | ||
| > | cuting, or interacting with files by authorized or unauthori | > | cuting, or interacting with files by authorized or unauthori | ||
| > | zed entities. Examples include logging file access events (e | > | zed entities. Examples include logging file access events (e | ||
| > | .g., Windows Event ID 4663), monitoring file reads, and dete | > | .g., Windows Event ID 4663), monitoring file reads, and dete | ||
| > | cting unusual file access patterns. Examples: - File Read | > | cting unusual file access patterns. Examples: - File Read | ||
| > | Operations: A user opens a sensitive document (e.g., financi | > | Operations: A user opens a sensitive document (e.g., financi | ||
| > | al_report.xlsx) on a shared drive. - File Execution: A scrip | > | al_report.xlsx) on a shared drive. - File Execution: A scrip | ||
| > | t or executable file is accessed and executed (e.g., malware | > | t or executable file is accessed and executed (e.g., malware | ||
| > | .exe is run from a temporary directory). - Unauthorized File | > | .exe is run from a temporary directory). - Unauthorized File | ||
| > | Access: An unauthorized user attempts to access a protected | > | Access: An unauthorized user attempts to access a protected | ||
| > | configuration file (e.g., `/etc/passwd` on Linux or `System | > | configuration file (e.g., `/etc/passwd` on Linux or `System | ||
| > | 32` files on Windows). - File Access Patterns: Bulk access t | > | 32` files on Windows). - File Access Patterns: Bulk access t | ||
| > | o multiple files in a short time (e.g., mass access to docum | > | o multiple files in a short time (e.g., mass access to docum | ||
| > | ents on a file server). - File Access via Network: Files on | > | ents on a file server). - File Access via Network: Files on | ||
| > | a network share are accessed remotely (e.g., logs of SMB fil | > | a network share are accessed remotely (e.g., logs of SMB fil | ||
| > | e access). This data component can be collected through the | > | e access). | ||
| > | following measures: Windows - Windows Event Logs: Event I | ||||
| > | D 4663: Captures file system auditing details, including who | ||||
| > | accessed the file, access type, and file name. - Sysmon: | ||||
| > | - Event ID 11: Logs file creation time changes. - Even | ||||
| > | t ID 1 (process creation): Can provide insight into files ex | ||||
| > | ecuted. - PowerShell: Commands to monitor file access in rea | ||||
| > | l-time: `Get-WinEvent -FilterHashtable @{LogName='Security'; | ||||
| > | ID=4663}` Linux - Auditd: Monitor file access events usin | ||||
| > | g audit rules: `auditctl -w /path/to/file -p rwxa -k file_ac | ||||
| > | cess` - View logs: `ausearch -k file_access` - Inotify: Use | ||||
| > | inotify to track file access on Linux: `inotifywait -m /path | ||||
| > | /to/watch -e access` macOS - Unified Logs: Monitor file ac | ||||
| > | cess using the macOS Unified Logging System. - FSEvents: Fil | ||||
| > | e System Events can track file accesses: `fs_usage | grep op | ||||
| > | en` Network Devices - SMB/CIFS Logs: Monitor file access o | ||||
| > | ver network shares using logs from SMB or CIFS protocol. - N | ||||
| > | AS Logs: Collect logs from network-attached storage systems | ||||
| > | for file access events. SIEM Integration - Collect file ac | ||||
| > | cess logs from all platforms (Windows, Linux, macOS) and cen | ||||
| > | tralize in a SIEM for correlation and analysis. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:35.674000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | To events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples: + +- File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive. +- File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory). +- Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., `/etc/passwd` on Linux or `System32` files on Windows). +- File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server). +- File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access). + +This data component can be collected through the following measures: + +Windows + +- Windows Event Logs: Event ID 4663: Captures file system auditing details, including who accessed the file, access type, and file name. +- Sysmon: + - Event ID 11: Logs file creation time changes. + - Event ID 1 (process creation): Can provide insight into files executed. +- PowerShell: Commands to monitor file access in real-time: `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663}` + +Linux + +- Auditd: Monitor file access events using audit rules: `auditctl -w /path/to/file -p rwxa -k file_access` +- View logs: `ausearch -k file_access` +- Inotify: Use inotify to track file access on Linux: `inotifywait -m /path/to/watch -e access` + +macOS + +- Unified Logs: Monitor file access using the macOS Unified Logging System. +- FSEvents: File System Events can track file accesses: `fs_usage | grep open` + +Network Devices + +- SMB/CIFS Logs: Monitor file access over network shares using logs from SMB or CIFS protocol. +- NAS Logs: Collect logs from network-attached storage systems for file access events. + +SIEM Integration + +- Collect file access logs from all platforms (Windows, Linux, macOS) and centralize in a SIEM for correlation and analysis. | To events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples: + +- File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive. +- File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory). +- Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., `/etc/passwd` on Linux or `System32` files on Windows). +- File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server). +- File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access). |
| x_mitre_log_sources[4]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4656, 4663'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4656,4663'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4670, 4663'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4656'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=5145, 4663'} | |
| x_mitre_log_sources | {'name': 'auditd:PATH', 'channel': 'path'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | A new file is created on a system or network storage. This a | t | 1 | A new file is created on a system or network storage. This a |
| > | ction often signifies an operation such as saving a document | > | ction often signifies an operation such as saving a document | ||
| > | , writing data, or deploying a file. Logging these events he | > | , writing data, or deploying a file. Logging these events he | ||
| > | lps identify legitimate or potentially malicious file creati | > | lps identify legitimate or potentially malicious file creati | ||
| > | on activities. Examples include logging file creation events | > | on activities. Examples include logging file creation events | ||
| > | (e.g., Sysmon Event ID 11 or Linux auditd logs). This dat | > | (e.g., Sysmon Event ID 11 or Linux auditd logs). | ||
| > | a component can be collected through the following measures: | ||||
| > | Windows - Sysmon: Event ID 11: Logs file creation events, | ||||
| > | capturing details like the file path, hash, and creation ti | ||||
| > | me. - Windows Event Log: Enable "Object Access" auditing in | ||||
| > | Group Policy to track file creation under Event ID 4663. - P | ||||
| > | owerShell: Real-time monitoring of file creation:`Get-WinEve | ||||
| > | nt -FilterHashtable @{LogName='Security'; ID=4663}` Linux | ||||
| > | - Auditd: Use audit rules to monitor file creation: `auditct | ||||
| > | l -w /path/to/directory -p w -k file_creation` - View logs: | ||||
| > | `ausearch -k file_creation` - Inotify: Monitor file creation | ||||
| > | with inotifywait: `inotifywait -m /path/to/watch -e create` | ||||
| > | macOS - Unified Logs: Use the macOS Unified Logging Syste | ||||
| > | m to capture file creation events. - FSEvents: Use File Syst | ||||
| > | em Events to monitor file creation: `fs_usage | grep create` | ||||
| > | Network Devices - NAS Logs: Monitor file creation events | ||||
| > | on network-attached storage devices. - SMB Logs: Collect log | ||||
| > | s of file creation activities over SMB/CIFS protocols. SIEM | ||||
| > | Integration - Forward logs from all platforms (Windows, Li | ||||
| > | nux, macOS) to a SIEM for central analysis and alerting. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 19:32:14.744000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| external_references[0]['url'] | https://attack.mitre.org/data-components/DC0039 | https://attack.mitre.org/datacomponents/DC0039 |
| description | A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs). + +This data component can be collected through the following measures: + +Windows + +- Sysmon: Event ID 11: Logs file creation events, capturing details like the file path, hash, and creation time. +- Windows Event Log: Enable "Object Access" auditing in Group Policy to track file creation under Event ID 4663. +- PowerShell: Real-time monitoring of file creation:`Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663}` + +Linux + +- Auditd: Use audit rules to monitor file creation: `auditctl -w /path/to/directory -p w -k file_creation` +- View logs: `ausearch -k file_creation` +- Inotify: Monitor file creation with inotifywait: `inotifywait -m /path/to/watch -e create` + +macOS + +- Unified Logs: Use the macOS Unified Logging System to capture file creation events. +- FSEvents: Use File System Events to monitor file creation: `fs_usage | grep create` + +Network Devices + +- NAS Logs: Monitor file creation events on network-attached storage devices. +- SMB Logs: Collect logs of file creation activities over SMB/CIFS protocols. + +SIEM Integration + +- Forward logs from all platforms (Windows, Linux, macOS) to a SIEM for central analysis and alerting. | A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs). |
| x_mitre_log_sources[37]['name'] | macos:unified | macos:unifiedlog |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Sysmon', 'channel': 'Modification of .asar in /opt or ~/.config directories'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Refers to events where files are removed from a system or st | t | 1 | Refers to events where files are removed from a system or st |
| > | orage device. These events can indicate legitimate housekeep | > | orage device. These events can indicate legitimate housekeep | ||
| > | ing activities or malicious actions such as attackers attemp | > | ing activities or malicious actions such as attackers attemp | ||
| > | ting to cover their tracks. Monitoring file deletions helps | > | ting to cover their tracks. Monitoring file deletions helps | ||
| > | organizations identify unauthorized or suspicious activities | > | organizations identify unauthorized or suspicious activities | ||
| > | . This data component can be collected through the followin | > | . | ||
| > | g measures: Windows - Sysmon: Event ID 23: Logs file delet | ||||
| > | ion events, including details such as file paths and respons | ||||
| > | ible processes. - Windows Event Log: Enable "Object Access" | ||||
| > | auditing to monitor file deletions. - PowerShell: `Get-WinEv | ||||
| > | ent -FilterHashtable @{LogName='Security'; ID=4663} | Where- | ||||
| > | Object {$_.Message -like '*DELETE*'}` Linux - Auditd: Use | ||||
| > | audit rules to capture file deletion events: `auditctl -a al | ||||
| > | ways,exit -F arch=b64 -S unlink -S rename -S rmdir -k file_d | ||||
| > | eletion` - Query logs: `ausearch -k file_deletion` - Inotify | ||||
| > | : Use inotifywait to monitor file deletions: `inotifywait -m | ||||
| > | /path/to/watch -e delete` macOS - Endpoint Security Frame | ||||
| > | work (ESF): Monitor events like ES_EVENT_TYPE_AUTH_UNLINK to | ||||
| > | capture file deletion activities. - FSEvents: Track file de | ||||
| > | letion activities in real-time: `fs_usage | grep unlink` SI | ||||
| > | EM Integration - Forward file deletion logs to a SIEM for c | ||||
| > | entralized monitoring and correlation with other events. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.450000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities. + +This data component can be collected through the following measures: + +Windows + +- Sysmon: Event ID 23: Logs file deletion events, including details such as file paths and responsible processes. +- Windows Event Log: Enable "Object Access" auditing to monitor file deletions. +- PowerShell: `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663} | Where-Object {$_.Message -like '*DELETE*'}` + +Linux + +- Auditd: Use audit rules to capture file deletion events: `auditctl -a always,exit -F arch=b64 -S unlink -S rename -S rmdir -k file_deletion` +- Query logs: `ausearch -k file_deletion` +- Inotify: Use inotifywait to monitor file deletions: `inotifywait -m /path/to/watch -e delete` + +macOS + +- Endpoint Security Framework (ESF): Monitor events like ES_EVENT_TYPE_AUTH_UNLINK to capture file deletion activities. +- FSEvents: Track file deletion activities in real-time: `fs_usage | grep unlink` + +SIEM Integration + +- Forward file deletion logs to a SIEM for centralized monitoring and correlation with other events. + | Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities. |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | contextual information about a file, including attributes su | t | 1 | contextual information about a file, including attributes su |
| > | ch as the file's name, size, type, content (e.g., signatures | > | ch as the file's name, size, type, content (e.g., signatures | ||
| > | , headers, media), user/owner, permissions, timestamps, and | > | , headers, media), user/owner, permissions, timestamps, and | ||
| > | other related properties. File metadata provides insights in | > | other related properties. File metadata provides insights in | ||
| > | to a file's characteristics and can be used to detect malici | > | to a file's characteristics and can be used to detect malici | ||
| > | ous activity, unauthorized modifications, or other anomalies | > | ous activity, unauthorized modifications, or other anomalies | ||
| > | . Examples: - File Ownership and Permissions: Checking the | > | . Examples: - File Ownership and Permissions: Checking the | ||
| > | owner and permissions of a critical configuration file like | > | owner and permissions of a critical configuration file like | ||
| > | /etc/passwd on Linux or C:\Windows\System32\config\SAM on W | > | /etc/passwd on Linux or C:\Windows\System32\config\SAM on W | ||
| > | indows. - Timestamps: Analyzing the creation, modification, | > | indows. - Timestamps: Analyzing the creation, modification, | ||
| > | and access timestamps of a file. - File Content and Signatur | > | and access timestamps of a file. - File Content and Signatur | ||
| > | es: Extracting the headers of an executable file to verify i | > | es: Extracting the headers of an executable file to verify i | ||
| > | ts signature or detect packing/obfuscation. - File Attribute | > | ts signature or detect packing/obfuscation. - File Attribute | ||
| > | s: Analyzing attributes like hidden, system, or read-only fl | > | s: Analyzing attributes like hidden, system, or read-only fl | ||
| > | ags in Windows. - File Hashes: Generating MD5, SHA-1, or SHA | > | ags in Windows. - File Hashes: Generating MD5, SHA-1, or SHA | ||
| > | -256 hashes of files to compare against threat intelligence | > | -256 hashes of files to compare against threat intelligence | ||
| > | feeds. - File Location: Monitoring files located in unusual | > | feeds. - File Location: Monitoring files located in unusual | ||
| > | directories or paths, such as temporary or user folders. Th | > | directories or paths, such as temporary or user folders. | ||
| > | is data component can be collected through the following mea | ||||
| > | sures: Windows - Sysinternals Tools: Use `AccessEnum` or ` | ||||
| > | PSFile` to retrieve metadata about file access and permissio | ||||
| > | ns. - Windows Event Logs: Enable object access auditing and | ||||
| > | monitor events like 4663 (Object Access) and 5140 (A network | ||||
| > | share object was accessed). - PowerShell: Use Get-Item or G | ||||
| > | et-ChildItem cmdlets: `Get-ChildItem -Path "C:\Path\To\Direc | ||||
| > | tory" -Recurse | Select-Object Name, Length, LastWriteTime, | ||||
| > | Attributes` Linux - File System Commands: Use `ls -l` or s | ||||
| > | tat to retrieve file metadata: `stat /path/to/file` - Auditd | ||||
| > | : Configure audit rules to log metadata access: `auditctl -w | ||||
| > | /path/to/file -p wa -k file_metadata` - Filesystem Integrit | ||||
| > | y Tools: Tools like tripwire or AIDE (Advanced Intrusion Det | ||||
| > | ection Environment) can monitor file metadata changes. macO | ||||
| > | S - FSEvents: Use FSEvents to track file metadata changes. | ||||
| > | - Endpoint Security Framework (ESF): Capture metadata-relate | ||||
| > | d events via ESF APIs. - Command-Line Tools: Use ls -l or xa | ||||
| > | ttr for file attributes: `ls -l@ /path/to/file` SIEM Integr | ||||
| > | ation - Forward file metadata logs from endpoint or network | ||||
| > | devices to a SIEM for centralized analysis. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:35.397000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples: + +- File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\Windows\System32\config\SAM on Windows. +- Timestamps: Analyzing the creation, modification, and access timestamps of a file. +- File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation. +- File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows. +- File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds. +- File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders. + +This data component can be collected through the following measures: + +Windows + +- Sysinternals Tools: Use `AccessEnum` or `PSFile` to retrieve metadata about file access and permissions. +- Windows Event Logs: Enable object access auditing and monitor events like 4663 (Object Access) and 5140 (A network share object was accessed). +- PowerShell: Use Get-Item or Get-ChildItem cmdlets: `Get-ChildItem -Path "C:\Path\To\Directory" -Recurse | Select-Object Name, Length, LastWriteTime, Attributes` + +Linux + +- File System Commands: Use `ls -l` or stat to retrieve file metadata: `stat /path/to/file` +- Auditd: Configure audit rules to log metadata access: `auditctl -w /path/to/file -p wa -k file_metadata` +- Filesystem Integrity Tools: Tools like tripwire or AIDE (Advanced Intrusion Detection Environment) can monitor file metadata changes. + +macOS + +- FSEvents: Use FSEvents to track file metadata changes. +- Endpoint Security Framework (ESF): Capture metadata-related events via ESF APIs. +- Command-Line Tools: Use ls -l or xattr for file attributes: `ls -l@ /path/to/file` + +SIEM Integration + +- Forward file metadata logs from endpoint or network devices to a SIEM for centralized analysis. | contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples: + +- File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\Windows\System32\config\SAM on Windows. +- Timestamps: Analyzing the creation, modification, and access timestamps of a file. +- File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation. +- File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows. +- File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds. +- File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders. |
| x_mitre_log_sources[18]['channel'] | path | PATH |
| x_mitre_log_sources[42]['channel'] | EventCode=4670 | EventCode=4663, 4670, 4656 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4663'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=15 '} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Changes made to a file, including updates to its contents, m | t | 1 | Changes made to a file, including updates to its contents, m |
| > | etadata, access permissions, or attributes. These modificati | > | etadata, access permissions, or attributes. These modificati | ||
| > | ons may indicate legitimate activity (e.g., software updates | > | ons may indicate legitimate activity (e.g., software updates | ||
| > | ) or unauthorized changes (e.g., tampering, ransomware, or a | > | ) or unauthorized changes (e.g., tampering, ransomware, or a | ||
| > | dversarial modifications). Examples: - Content Modificatio | > | dversarial modifications). Examples: - Content Modificatio | ||
| > | ns: Changes to the content of a configuration file, such as | > | ns: Changes to the content of a configuration file, such as | ||
| > | modifying `/etc/ssh/sshd_config` on Linux or `C:\Windows\Sys | > | modifying `/etc/ssh/sshd_config` on Linux or `C:\Windows\Sys | ||
| > | tem32\drivers\etc\hosts` on Windows. - Permission Changes: A | > | tem32\drivers\etc\hosts` on Windows. - Permission Changes: A | ||
| > | ltering file permissions to allow broader access, such as ch | > | ltering file permissions to allow broader access, such as ch | ||
| > | anging a file from `644` to `777` on Linux or modifying NTFS | > | anging a file from `644` to `777` on Linux or modifying NTFS | ||
| > | permissions on Windows. - Attribute Modifications: Changing | > | permissions on Windows. - Attribute Modifications: Changing | ||
| > | a file's attributes to hidden, read-only, or system on Wind | > | a file's attributes to hidden, read-only, or system on Wind | ||
| > | ows. - Timestamp Manipulation: Adjusting a file's creation o | > | ows. - Timestamp Manipulation: Adjusting a file's creation o | ||
| > | r modification timestamp using tools like `touch` in Linux o | > | r modification timestamp using tools like `touch` in Linux o | ||
| > | r timestomping tools on Windows. - Software or System File C | > | r timestomping tools on Windows. - Software or System File C | ||
| > | hanges: Modifying system files such as `boot.ini`, kernel mo | > | hanges: Modifying system files such as `boot.ini`, kernel mo | ||
| > | dules, or application binaries. This data component can be | > | dules, or application binaries. | ||
| > | collected through the following measures: Windows - Event | ||||
| > | Logs: Enable file system auditing to monitor file modificati | ||||
| > | ons using Security Event ID 4670 (File System Audit) or Sysm | ||||
| > | on Event ID 2 (File creation time changed). - PowerShell: Us | ||||
| > | e Get-ItemProperty or Get-Acl cmdlets to monitor file proper | ||||
| > | ties: `Get-Item -Path "C:\path\to\file" | Select-Object Name | ||||
| > | , Attributes, LastWriteTime` Linux - File System Monitorin | ||||
| > | g: Use tools like auditd with rules to monitor file modifica | ||||
| > | tions: `auditctl -w /path/to/file -p wa -k file_modification | ||||
| > | ` - Inotify: Use inotifywait to watch for real-time changes | ||||
| > | to files or directories: `inotifywait -m /path/to/file` mac | ||||
| > | OS - Endpoint Security Framework (ESF): Monitor file modifi | ||||
| > | cation events using ESF APIs. - Audit Framework: Configure a | ||||
| > | udit rules to track file changes. - Command-Line Tools: Use | ||||
| > | fs_usage to monitor file activities: `fs_usage -w /path/to/f | ||||
| > | ile` SIEM Tools - Collect logs from endpoint agents (e.g., | ||||
| > | Sysmon, Auditd) and file servers to centralize file modific | ||||
| > | ation event data. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:35.239000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Changes made to a file, including updates to its contents, metadata, access permissions, or attributes. These modifications may indicate legitimate activity (e.g., software updates) or unauthorized changes (e.g., tampering, ransomware, or adversarial modifications). Examples: + +- Content Modifications: Changes to the content of a configuration file, such as modifying `/etc/ssh/sshd_config` on Linux or `C:\Windows\System32\drivers\etc\hosts` on Windows. +- Permission Changes: Altering file permissions to allow broader access, such as changing a file from `644` to `777` on Linux or modifying NTFS permissions on Windows. +- Attribute Modifications: Changing a file's attributes to hidden, read-only, or system on Windows. +- Timestamp Manipulation: Adjusting a file's creation or modification timestamp using tools like `touch` in Linux or timestomping tools on Windows. +- Software or System File Changes: Modifying system files such as `boot.ini`, kernel modules, or application binaries. + +This data component can be collected through the following measures: + +Windows + +- Event Logs: Enable file system auditing to monitor file modifications using Security Event ID 4670 (File System Audit) or Sysmon Event ID 2 (File creation time changed). +- PowerShell: Use Get-ItemProperty or Get-Acl cmdlets to monitor file properties: `Get-Item -Path "C:\path\to\file" | Select-Object Name, Attributes, LastWriteTime` + +Linux + +- File System Monitoring: Use tools like auditd with rules to monitor file modifications: `auditctl -w /path/to/file -p wa -k file_modification` +- Inotify: Use inotifywait to watch for real-time changes to files or directories: `inotifywait -m /path/to/file` + +macOS + +- Endpoint Security Framework (ESF): Monitor file modification events using ESF APIs. +- Audit Framework: Configure audit rules to track file changes. +- Command-Line Tools: Use fs_usage to monitor file activities: `fs_usage -w /path/to/file` + +SIEM Tools + +- Collect logs from endpoint agents (e.g., Sysmon, Auditd) and file servers to centralize file modification event data. | Changes made to a file, including updates to its contents, metadata, access permissions, or attributes. These modifications may indicate legitimate activity (e.g., software updates) or unauthorized changes (e.g., tampering, ransomware, or adversarial modifications). Examples: + +- Content Modifications: Changes to the content of a configuration file, such as modifying `/etc/ssh/sshd_config` on Linux or `C:\Windows\System32\drivers\etc\hosts` on Windows. +- Permission Changes: Altering file permissions to allow broader access, such as changing a file from `644` to `777` on Linux or modifying NTFS permissions on Windows. +- Attribute Modifications: Changing a file's attributes to hidden, read-only, or system on Windows. +- Timestamp Manipulation: Adjusting a file's creation or modification timestamp using tools like `touch` in Linux or timestomping tools on Windows. +- Software or System File Changes: Modifying system files such as `boot.ini`, kernel modules, or application binaries. |
| x_mitre_log_sources[8]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
| x_mitre_log_sources[59]['name'] | WinEventLog:Sysmon | WinEventLog:CodeIntegrity |
| x_mitre_log_sources[59]['channel'] | EvenCode=2 | EventCode=3033 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4656,4663'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4670'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Application', 'channel': '81,3033'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Querying and extracting a list of available firewalls or the | t | 1 | Querying and extracting a list of available firewalls or the |
| > | ir associated configurations and rules. This activity can oc | > | ir associated configurations and rules. This activity can oc | ||
| > | cur across host systems and cloud control planes, providing | > | cur across host systems and cloud control planes, providing | ||
| > | insight into the state and configuration of firewalls that p | > | insight into the state and configuration of firewalls that p | ||
| > | rotect the environment. Examples: - Querying Host-Based Fi | > | rotect the environment. Examples: - Querying Host-Based Fi | ||
| > | rewalls: Using Windows PowerShell commands like `Get-NetFire | > | rewalls: Using Windows PowerShell commands like `Get-NetFire | ||
| > | wallRule` or Linux commands such as `iptables -L` or `firewa | > | wallRule` or Linux commands such as `iptables -L` or `firewa | ||
| > | lld --list-all`. - Cloud Firewall Rule Listing: Running comm | > | lld --list-all`. - Cloud Firewall Rule Listing: Running comm | ||
| > | ands like `az network firewall list` for Azure or `aws ec2 d | > | ands like `az network firewall list` for Azure or `aws ec2 d | ||
| > | escribe-security-groups` for AWS. - Using Management APIs: L | > | escribe-security-groups` for AWS. - Using Management APIs: L | ||
| > | everaging APIs like Google Cloud Firewall's `list` API metho | > | everaging APIs like Google Cloud Firewall's `list` API metho | ||
| > | d or AWS's DescribeSecurityGroups API. Identifying Misconfig | > | d or AWS's DescribeSecurityGroups API. Identifying Misconfig | ||
| > | urations: Extracting firewall rules to identify “allow all” | > | urations: Extracting firewall rules to identify “allow all” | ||
| > | policies or rules that lack logging. - Enumerating with CLI | > | policies or rules that lack logging. - Enumerating with CLI | ||
| > | Tools: Using CLI commands like `gcloud compute firewall-rule | > | Tools: Using CLI commands like `gcloud compute firewall-rule | ||
| > | s list` to extract firewall settings in Google Cloud. This | > | s list` to extract firewall settings in Google Cloud. | ||
| > | data component can be collected through the following measur | ||||
| > | es: Cloud Control Plane - Azure Activity Logs:Collect logs | ||||
| > | from Azure Firewall to monitor rule listing commands. Enabl | ||||
| > | e logging for `az network firewall` commands. - AWS CloudTra | ||||
| > | il: Monitor calls to `DescribeSecurityGroups` or `DescribeNe | ||||
| > | tworkAcls` APIs. Google Cloud Operations Suite: Collect logs | ||||
| > | for `gcloud compute firewall-rules list` or API calls to `f | ||||
| > | irewalls.list`. Host-Based Firewalls - Windows Event Logs: | ||||
| > | Use PowerShell transcription logs to capture commands like | ||||
| > | `Get-NetFirewallRule`. - Linux Auditd: Track executions of c | ||||
| > | ommands like `iptables -L` or `ufw status` using auditd: `au | ||||
| > | ditctl -a always,exit -F arch=b64 -S execve -k firewall_enum | ||||
| > | ` - macOS: Monitor logs for firewall-related queries via the | ||||
| > | Console app or log monitoring tools. SIEM Integration - C | ||||
| > | ollect logs from endpoints and cloud platforms to centralize | ||||
| > | data and detect enumeration activity. Endpoint Detection a | ||||
| > | nd Response (EDR) - Use EDR tools to track enumeration comm | ||||
| > | ands or API calls performed on managed devices. CSPM Tools | ||||
| > | - Deploy Cloud Security Posture Management tools to monitor | ||||
| > | for unauthorized enumeration of firewall rules or configura | ||||
| > | tions. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Querying and extracting a list of available firewalls or their associated configurations and rules. This activity can occur across host systems and cloud control planes, providing insight into the state and configuration of firewalls that protect the environment. Examples: + +- Querying Host-Based Firewalls: Using Windows PowerShell commands like `Get-NetFirewallRule` or Linux commands such as `iptables -L` or `firewalld --list-all`. +- Cloud Firewall Rule Listing: Running commands like `az network firewall list` for Azure or `aws ec2 describe-security-groups` for AWS. +- Using Management APIs: Leveraging APIs like Google Cloud Firewall's `list` API method or AWS's DescribeSecurityGroups API. +Identifying Misconfigurations: Extracting firewall rules to identify “allow all” policies or rules that lack logging. +- Enumerating with CLI Tools: Using CLI commands like `gcloud compute firewall-rules list` to extract firewall settings in Google Cloud. + +This data component can be collected through the following measures: + +Cloud Control Plane + +- Azure Activity Logs:Collect logs from Azure Firewall to monitor rule listing commands. Enable logging for `az network firewall` commands. +- AWS CloudTrail: Monitor calls to `DescribeSecurityGroups` or `DescribeNetworkAcls` APIs. +Google Cloud Operations Suite: Collect logs for `gcloud compute firewall-rules list` or API calls to `firewalls.list`. + +Host-Based Firewalls + +- Windows Event Logs: Use PowerShell transcription logs to capture commands like `Get-NetFirewallRule`. +- Linux Auditd: Track executions of commands like `iptables -L` or `ufw status` using auditd: `auditctl -a always,exit -F arch=b64 -S execve -k firewall_enum` +- macOS: Monitor logs for firewall-related queries via the Console app or log monitoring tools. + +SIEM Integration + +- Collect logs from endpoints and cloud platforms to centralize data and detect enumeration activity. + +Endpoint Detection and Response (EDR) + +- Use EDR tools to track enumeration commands or API calls performed on managed devices. + +CSPM Tools + +- Deploy Cloud Security Posture Management tools to monitor for unauthorized enumeration of firewall rules or configurations. | Querying and extracting a list of available firewalls or their associated configurations and rules. This activity can occur across host systems and cloud control planes, providing insight into the state and configuration of firewalls that protect the environment. Examples: + +- Querying Host-Based Firewalls: Using Windows PowerShell commands like `Get-NetFirewallRule` or Linux commands such as `iptables -L` or `firewalld --list-all`. +- Cloud Firewall Rule Listing: Running commands like `az network firewall list` for Azure or `aws ec2 describe-security-groups` for AWS. +- Using Management APIs: Leveraging APIs like Google Cloud Firewall's `list` API method or AWS's DescribeSecurityGroups API. +Identifying Misconfigurations: Extracting firewall rules to identify “allow all” policies or rules that lack logging. +- Enumerating with CLI Tools: Using CLI commands like `gcloud compute firewall-rules list` to extract firewall settings in Google Cloud. |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:37.544000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_sources[13]['name'] | CloudWatch:Metrics | AWS:CloudWatch |
| x_mitre_log_sources[17]['name'] | CloudWatch:InstanceMetrics | AWS:CloudWatch |
| x_mitre_log_sources[30]['name'] | CloudMetrics:InstanceHealth | AWS:CloudMetrics |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Initial construction of a virtual machine image within a clo | t | 1 | Initial construction of a virtual machine image within a clo |
| > | ud environment. Virtual machine images are templates contain | > | ud environment. Virtual machine images are templates contain | ||
| > | ing an operating system and installed applications, which ca | > | ing an operating system and installed applications, which ca | ||
| > | n be deployed to create new virtual machines. Monitoring the | > | n be deployed to create new virtual machines. Monitoring the | ||
| > | creation of these images is important because adversaries m | > | creation of these images is important because adversaries m | ||
| > | ay create custom images to include malicious software or mis | > | ay create custom images to include malicious software or mis | ||
| > | configurations for later exploitation. Examples: - Azure C | > | configurations for later exploitation. Examples: - Azure C | ||
| > | ompute Service Image Creation - Example: Creating a virt | > | ompute Service Image Creation - Example: Creating a virt | ||
| > | ual machine image in Azure using Azure CLI: `az image create | > | ual machine image in Azure using Azure CLI: `az image create | ||
| > | --resource-group MyResourceGroup --name MyImage --source My | > | --resource-group MyResourceGroup --name MyImage --source My | ||
| > | VM` - AWS EC2 AMI (Amazon Machine Image) Creation - Exam | > | VM` - AWS EC2 AMI (Amazon Machine Image) Creation - Exam | ||
| > | ple: Creating an AMI from an EC2 instance: `aws ec2 create-i | > | ple: Creating an AMI from an EC2 instance: `aws ec2 create-i | ||
| > | mage --instance-id i-1234567890abcdef0 --name "MyAMI" --desc | > | mage --instance-id i-1234567890abcdef0 --name "MyAMI" --desc | ||
| > | ription "An AMI for my app"` - Google Cloud Compute Engine I | > | ription "An AMI for my app"` - Google Cloud Compute Engine I | ||
| > | mage Creation - Example: Creating a custom image using g | > | mage Creation - Example: Creating a custom image using g | ||
| > | cloud: `gcloud compute images create my-custom-image --sourc | > | cloud: `gcloud compute images create my-custom-image --sourc | ||
| > | e-disk my-disk --source-disk-zone us-central1-a` - VMware vS | > | e-disk my-disk --source-disk-zone us-central1-a` - VMware vS | ||
| > | phere - Example: Exporting a VM to create an OVF (Open V | > | phere - Example: Exporting a VM to create an OVF (Open V | ||
| > | irtualization Format) template: This could later be imported | > | irtualization Format) template: This could later be imported | ||
| > | into other environments with potential tampering. This dat | > | into other environments with potential tampering. | ||
| > | a component can be collected through the following measures: | ||||
| > | Enable Cloud Platform Logging - Azure: Enable "Activity L | ||||
| > | ogs" to capture image-related events such as PUT requests to | ||||
| > | `Microsoft.Compute/images`. - AWS: Use AWS CloudTrail to mo | ||||
| > | nitor `CreateImage` API calls. - Google Cloud: Enable "Cloud | ||||
| > | Audit Logs" to track custom image creation events under `co | ||||
| > | mpute.googleapis.com/images`. API Monitoring - Monitor API | ||||
| > | activity to track the creation of new images using: - A | ||||
| > | WS SDK/CLI `CreateImage`. - Azure REST API for image cre | ||||
| > | ation. - Google Cloud Compute Engine APIs. Cloud SIEM I | ||||
| > | ntegration - Ingest cloud platform logs into a centralized | ||||
| > | SIEM for real-time monitoring and alerting. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:39.369000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Initial construction of a virtual machine image within a cloud environment. Virtual machine images are templates containing an operating system and installed applications, which can be deployed to create new virtual machines. Monitoring the creation of these images is important because adversaries may create custom images to include malicious software or misconfigurations for later exploitation. Examples: + +- Azure Compute Service Image Creation + - Example: Creating a virtual machine image in Azure using Azure CLI: `az image create --resource-group MyResourceGroup --name MyImage --source MyVM` +- AWS EC2 AMI (Amazon Machine Image) Creation + - Example: Creating an AMI from an EC2 instance: `aws ec2 create-image --instance-id i-1234567890abcdef0 --name "MyAMI" --description "An AMI for my app"` +- Google Cloud Compute Engine Image Creation + - Example: Creating a custom image using gcloud: `gcloud compute images create my-custom-image --source-disk my-disk --source-disk-zone us-central1-a` +- VMware vSphere + - Example: Exporting a VM to create an OVF (Open Virtualization Format) template: This could later be imported into other environments with potential tampering. + +This data component can be collected through the following measures: + +Enable Cloud Platform Logging + +- Azure: Enable "Activity Logs" to capture image-related events such as PUT requests to `Microsoft.Compute/images`. +- AWS: Use AWS CloudTrail to monitor `CreateImage` API calls. +- Google Cloud: Enable "Cloud Audit Logs" to track custom image creation events under `compute.googleapis.com/images`. + +API Monitoring + +- Monitor API activity to track the creation of new images using: + - AWS SDK/CLI `CreateImage`. + - Azure REST API for image creation. + - Google Cloud Compute Engine APIs. + +Cloud SIEM Integration + +- Ingest cloud platform logs into a centralized SIEM for real-time monitoring and alerting. + | Initial construction of a virtual machine image within a cloud environment. Virtual machine images are templates containing an operating system and installed applications, which can be deployed to create new virtual machines. Monitoring the creation of these images is important because adversaries may create custom images to include malicious software or misconfigurations for later exploitation. Examples: + +- Azure Compute Service Image Creation + - Example: Creating a virtual machine image in Azure using Azure CLI: `az image create --resource-group MyResourceGroup --name MyImage --source MyVM` +- AWS EC2 AMI (Amazon Machine Image) Creation + - Example: Creating an AMI from an EC2 instance: `aws ec2 create-image --instance-id i-1234567890abcdef0 --name "MyAMI" --description "An AMI for my app"` +- Google Cloud Compute Engine Image Creation + - Example: Creating a custom image using gcloud: `gcloud compute images create my-custom-image --source-disk my-disk --source-disk-zone us-central1-a` +- VMware vSphere + - Example: Exporting a VM to create an OVF (Open Virtualization Format) template: This could later be imported into other environments with potential tampering. |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | contextual information associated with a virtual machine ima | t | 1 | contextual information associated with a virtual machine ima |
| > | ge, such as its name, resource group, status (active or inac | > | ge, such as its name, resource group, status (active or inac | ||
| > | tive), type (custom or prebuilt), size, creation date, and p | > | tive), type (custom or prebuilt), size, creation date, and p | ||
| > | ermissions. This metadata is critical for understanding the | > | ermissions. This metadata is critical for understanding the | ||
| > | state and configuration of virtual machine images in cloud e | > | state and configuration of virtual machine images in cloud e | ||
| > | nvironments. Examples: - Azure Compute Service Image Metad | > | nvironments. Examples: - Azure Compute Service Image Metad | ||
| > | ata Example: - Name: MyCustomImage - Resource Group: | > | ata Example: - Name: MyCustomImage - Resource Group: | ||
| > | MyResourceGroup - State: Available - Type: Managed | > | MyResourceGroup - State: Available - Type: Managed | ||
| > | Image - AWS EC2 AMI Metadata Example: - Image ID: ami-12 | > | Image - AWS EC2 AMI Metadata Example: - Image ID: ami-12 | ||
| > | 34567890abcdef0 - Name: ProdImage - State: Available | > | 34567890abcdef0 - Name: ProdImage - State: Available | ||
| > | - Platform: Windows - Google Cloud Compute Engine Image | > | - Platform: Windows - Google Cloud Compute Engine Image | ||
| > | Metadata Example: - Image Name: webserver-image - P | > | Metadata Example: - Image Name: webserver-image - P | ||
| > | roject: my-project-id - Family: webserver - Source D | > | roject: my-project-id - Family: webserver - Source D | ||
| > | isk: my-disk-id - VMware vSphere Template Metadata Example: | > | isk: my-disk-id - VMware vSphere Template Metadata Example: | ||
| > | - Name: LinuxTemplate - Disk Size: 40GB - Networ | > | - Name: LinuxTemplate - Disk Size: 40GB - Networ | ||
| > | k Adapter: VM Network This data component can be collected | > | k Adapter: VM Network | ||
| > | through the following measures: Cloud Platform-Specific Too | ||||
| > | ls - Azure: - Use Azure CLI to query metadata: `az imag | ||||
| > | e show --name MyCustomImage --resource-group MyResourceGroup | ||||
| > | ` - AWS: - Use AWS CLI to describe AMI metadata: `aws ec | ||||
| > | 2 describe-images --image-ids ami-1234567890abcdef0` - Googl | ||||
| > | e Cloud: - Use Google Cloud SDK to retrieve image metada | ||||
| > | ta: `gcloud compute images describe webserver-image` APIs | ||||
| > | - Azure: `GET /subscriptions/{subscriptionId}/resourceGroup | ||||
| > | s/{resourceGroupName}/providers/Microsoft.Compute/images/{im | ||||
| > | ageName}` - AWS: `DescribeImages` API. - Google Cloud: `GET | ||||
| > | https://compute.googleapis.com/compute/v1/projects/{project} | ||||
| > | /global/images/{image}.` Cloud Management Portals - View m | ||||
| > | etadata directly from the cloud provider's management consol | ||||
| > | e or dashboard. SIEM Integration - Aggregate metadata into | ||||
| > | SIEM platforms for centralized monitoring: | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:38.423000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | contextual information associated with a virtual machine image, such as its name, resource group, status (active or inactive), type (custom or prebuilt), size, creation date, and permissions. This metadata is critical for understanding the state and configuration of virtual machine images in cloud environments. Examples: + +- Azure Compute Service Image Metadata Example: + - Name: MyCustomImage + - Resource Group: MyResourceGroup + - State: Available + - Type: Managed Image +- AWS EC2 AMI Metadata Example: + - Image ID: ami-1234567890abcdef0 + - Name: ProdImage + - State: Available + - Platform: Windows +- Google Cloud Compute Engine Image Metadata Example: + - Image Name: webserver-image + - Project: my-project-id + - Family: webserver + - Source Disk: my-disk-id +- VMware vSphere Template Metadata Example: + - Name: LinuxTemplate + - Disk Size: 40GB + - Network Adapter: VM Network + +This data component can be collected through the following measures: + +Cloud Platform-Specific Tools + +- Azure: + - Use Azure CLI to query metadata: `az image show --name MyCustomImage --resource-group MyResourceGroup` +- AWS: + - Use AWS CLI to describe AMI metadata: `aws ec2 describe-images --image-ids ami-1234567890abcdef0` +- Google Cloud: + - Use Google Cloud SDK to retrieve image metadata: `gcloud compute images describe webserver-image` + +APIs + +- Azure: `GET /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/images/{imageName}` +- AWS: `DescribeImages` API. +- Google Cloud: `GET https://compute.googleapis.com/compute/v1/projects/{project}/global/images/{image}.` + +Cloud Management Portals + +- View metadata directly from the cloud provider's management console or dashboard. + +SIEM Integration + +- Aggregate metadata into SIEM platforms for centralized monitoring: + | contextual information associated with a virtual machine image, such as its name, resource group, status (active or inactive), type (custom or prebuilt), size, creation date, and permissions. This metadata is critical for understanding the state and configuration of virtual machine images in cloud environments. Examples: + +- Azure Compute Service Image Metadata Example: + - Name: MyCustomImage + - Resource Group: MyResourceGroup + - State: Available + - Type: Managed Image +- AWS EC2 AMI Metadata Example: + - Image ID: ami-1234567890abcdef0 + - Name: ProdImage + - State: Available + - Platform: Windows +- Google Cloud Compute Engine Image Metadata Example: + - Image Name: webserver-image + - Project: my-project-id + - Family: webserver + - Source Disk: my-disk-id +- VMware vSphere Template Metadata Example: + - Name: LinuxTemplate + - Disk Size: 40GB + - Network Adapter: VM Network |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The initial provisioning and construction of a virtual machi | t | 1 | The initial provisioning and construction of a virtual machi |
| > | ne (VM) or compute instance within a cloud infrastructure en | > | ne (VM) or compute instance within a cloud infrastructure en | ||
| > | vironment. This activity involves defining and allocating re | > | vironment. This activity involves defining and allocating re | ||
| > | sources such as CPU, memory, storage, and networking to spin | > | sources such as CPU, memory, storage, and networking to spin | ||
| > | up a new compute instance. Examples: - AWS: creating an EC | > | up a new compute instance. Examples: - AWS: creating an EC | ||
| > | 2 instance using RunInstances API calls. - Azure, creating a | > | 2 instance using RunInstances API calls. - Azure, creating a | ||
| > | VM through the Azure Resource Manager (ARM). - GCP, an `ins | > | VM through the Azure Resource Manager (ARM). - GCP, an `ins | ||
| > | tance.insert` action recorded. *Data Collection Measures:* | > | tance.insert` action recorded. | ||
| > | - AWS CloudTrail: CloudTrail logs stored in S3 or accessibl | ||||
| > | e via CloudWatch. - Azure Activity Logs: Accessible in Azure | ||||
| > | Monitor or exported to a storage account. - GCP Audit Logs: | ||||
| > | Logs Explorer or BigQuery. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:39.434000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | The initial provisioning and construction of a virtual machine (VM) or compute instance within a cloud infrastructure environment. This activity involves defining and allocating resources such as CPU, memory, storage, and networking to spin up a new compute instance. Examples: + +- AWS: creating an EC2 instance using RunInstances API calls. +- Azure, creating a VM through the Azure Resource Manager (ARM). +- GCP, an `instance.insert` action recorded. + +*Data Collection Measures:* + +- AWS CloudTrail: CloudTrail logs stored in S3 or accessible via CloudWatch. +- Azure Activity Logs: Accessible in Azure Monitor or exported to a storage account. +- GCP Audit Logs: Logs Explorer or BigQuery. | The initial provisioning and construction of a virtual machine (VM) or compute instance within a cloud infrastructure environment. This activity involves defining and allocating resources such as CPU, memory, storage, and networking to spin up a new compute instance. Examples: + +- AWS: creating an EC2 instance using RunInstances API calls. +- Azure, creating a VM through the Azure Resource Manager (ARM). +- GCP, an `instance.insert` action recorded. |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Removal of a virtual machine (VM) or compute instance within | t | 1 | Removal of a virtual machine (VM) or compute instance within |
| > | a cloud infrastructure. This activity results in the termin | > | a cloud infrastructure. This activity results in the termin | ||
| > | ation and deletion of the allocated resources (e.g., CPU, me | > | ation and deletion of the allocated resources (e.g., CPU, me | ||
| > | mory, storage), making the instance unavailable for future u | > | mory, storage), making the instance unavailable for future u | ||
| > | se. Examples: - AWS: instance deletion involves the `Termin | > | se. Examples: - AWS: instance deletion involves the `Termin | ||
| > | ateInstances` API call, which is recorded in CloudTrail logs | > | ateInstances` API call, which is recorded in CloudTrail logs | ||
| > | . - Azure: VM deletion can be monitored via Azure Activity L | > | . - Azure: VM deletion can be monitored via Azure Activity L | ||
| > | ogs, showing the `Microsoft.Compute/virtualMachines/delete` | > | ogs, showing the `Microsoft.Compute/virtualMachines/delete` | ||
| > | operation. - GCP: instance deletion is logged as an instance | > | operation. - GCP: instance deletion is logged as an instance | ||
| > | .delete operation within GCP Audit Logs. *Data Collection M | > | .delete operation within GCP Audit Logs. | ||
| > | easures: - AWS CloudTrail: CloudTrail logs stored in S3 or | ||||
| > | forwarded to CloudWatch. - Azure Activity Logs: Accessible | ||||
| > | via Azure Monitor or exported to a storage account. - GCP Au | ||||
| > | dit Logs: Logs Explorer or BigQuery. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:37.952000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Removal of a virtual machine (VM) or compute instance within a cloud infrastructure. This activity results in the termination and deletion of the allocated resources (e.g., CPU, memory, storage), making the instance unavailable for future use. Examples: + +- AWS: instance deletion involves the `TerminateInstances` API call, which is recorded in CloudTrail logs. +- Azure: VM deletion can be monitored via Azure Activity Logs, showing the `Microsoft.Compute/virtualMachines/delete` operation. +- GCP: instance deletion is logged as an instance.delete operation within GCP Audit Logs. + +*Data Collection Measures: + +- AWS CloudTrail: CloudTrail logs stored in S3 or forwarded to CloudWatch. +- Azure Activity Logs: Accessible via Azure Monitor or exported to a storage account. +- GCP Audit Logs: Logs Explorer or BigQuery. | Removal of a virtual machine (VM) or compute instance within a cloud infrastructure. This activity results in the termination and deletion of the allocated resources (e.g., CPU, memory, storage), making the instance unavailable for future use. Examples: + +- AWS: instance deletion involves the `TerminateInstances` API call, which is recorded in CloudTrail logs. +- Azure: VM deletion can be monitored via Azure Activity Logs, showing the `Microsoft.Compute/virtualMachines/delete` operation. +- GCP: instance deletion is logged as an instance.delete operation within GCP Audit Logs. |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:37.885000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'CloudTrail:EC2', 'channel': 'DescribeInstances'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The initiation or activation of a virtual machine instance w | t | 1 | The initiation or activation of a virtual machine instance w |
| > | ithin a cloud infrastructure. This action typically involves | > | ithin a cloud infrastructure. This action typically involves | ||
| > | starting an existing instance that had been stopped or paus | > | starting an existing instance that had been stopped or paus | ||
| > | ed, allowing it to resume operation. Examples: - Google Cl | > | ed, allowing it to resume operation. Examples: - Google Cl | ||
| > | oud Platform (GCP): Starting an instance through `instance.s | > | oud Platform (GCP): Starting an instance through `instance.s | ||
| > | tart` API activity. - AWS: Logging of `StartInstances` in AW | > | tart` API activity. - AWS: Logging of `StartInstances` in AW | ||
| > | S CloudTrail for EC2 instances. - Azure: `Microsoft.Compute/ | > | S CloudTrail for EC2 instances. - Azure: `Microsoft.Compute/ | ||
| > | virtualMachines/start` entries indicate a VM instance being | > | virtualMachines/start` entries indicate a VM instance being | ||
| > | started. *Data Collection Measures:* - Google Cloud Platfo | > | started. | ||
| > | rm: Enable GCP Audit Logs for Compute Engine. - Log Even | ||||
| > | t: Look for instance.start entries in Cloud Logging. - Amazo | ||||
| > | n Web Services (AWS): AWS CloudTrail. - Log Event: Searc | ||||
| > | h for StartInstances events associated with EC2. - Microsoft | ||||
| > | Azure: Azure Activity Logs. - Log Event: Filter for Mic | ||||
| > | rosoft.Compute/virtualMachines/start operations. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.515000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | The initiation or activation of a virtual machine instance within a cloud infrastructure. This action typically involves starting an existing instance that had been stopped or paused, allowing it to resume operation. Examples: + +- Google Cloud Platform (GCP): Starting an instance through `instance.start` API activity. +- AWS: Logging of `StartInstances` in AWS CloudTrail for EC2 instances. +- Azure: `Microsoft.Compute/virtualMachines/start` entries indicate a VM instance being started. + +*Data Collection Measures:* + +- Google Cloud Platform: Enable GCP Audit Logs for Compute Engine. + - Log Event: Look for instance.start entries in Cloud Logging. +- Amazon Web Services (AWS): AWS CloudTrail. + - Log Event: Search for StartInstances events associated with EC2. +- Microsoft Azure: Azure Activity Logs. + - Log Event: Filter for Microsoft.Compute/virtualMachines/start operations. | The initiation or activation of a virtual machine instance within a cloud infrastructure. This action typically involves starting an existing instance that had been stopped or paused, allowing it to resume operation. Examples: + +- Google Cloud Platform (GCP): Starting an instance through `instance.start` API activity. +- AWS: Logging of `StartInstances` in AWS CloudTrail for EC2 instances. +- Azure: `Microsoft.Compute/virtualMachines/start` entries indicate a VM instance being started. |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'CloudTrail:RunInstances', 'channel': 'RunInstances'} | |
| x_mitre_log_sources | {'name': 'CloudTrail:RunInstances', 'channel': 'RunInstances: AMI not in allowlist OR AMI owner != enterprise owner/account'} | |
| x_mitre_log_sources | {'name': 'AWS:CloudTrail', 'channel': 'StartInstances: Instance starts from suspicious AMI or with userData present'} | |
| x_mitre_log_sources | {'name': 'CloudTrail:EC2', 'channel': 'RunInstances'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The successful establishment of a new user session following | t | 1 | The successful establishment of a new user session following |
| > | a successful authentication attempt. This typically signifi | > | a successful authentication attempt. This typically signifi | ||
| > | es that a user has provided valid credentials or authenticat | > | es that a user has provided valid credentials or authenticat | ||
| > | ion tokens, and the system has initiated a session associate | > | ion tokens, and the system has initiated a session associate | ||
| > | d with that user account. This data is crucial for tracking | > | d with that user account. This data is crucial for tracking | ||
| > | authentication events and identifying potential unauthorized | > | authentication events and identifying potential unauthorized | ||
| > | access. Examples: - Windows Systems - Event ID: 4624 | > | access. Examples: - Windows Systems - Event ID: 4624 | ||
| > | - Logon Type: 2 (Interactive) or 10 (Remote Interact | > | - Logon Type: 2 (Interactive) or 10 (Remote Interact | ||
| > | ive via RDP). - Account Name: JohnDoe - Sour | > | ive via RDP). - Account Name: JohnDoe - Sour | ||
| > | ce Network Address: 192.168.1.100 - Authentication P | > | ce Network Address: 192.168.1.100 - Authentication P | ||
| > | ackage: NTLM - Linux Systems - /var/log/utmp or /var/log | > | ackage: NTLM - Linux Systems - /var/log/utmp or /var/log | ||
| > | /wtmp: - Log format: login user [tty] from [source_i | > | /wtmp: - Log format: login user [tty] from [source_i | ||
| > | p] - User: jane - IP: 10.0.0.5 - Tim | > | p] - User: jane - IP: 10.0.0.5 - Tim | ||
| > | estamp: 2024-12-28 08:30:00 - macOS Systems - /var/log/a | > | estamp: 2024-12-28 08:30:00 - macOS Systems - /var/log/a | ||
| > | sl.log or unified logging framework: - Log: com.appl | > | sl.log or unified logging framework: - Log: com.appl | ||
| > | e.securityd: Authentication succeeded for user 'admin' - Clo | > | e.securityd: Authentication succeeded for user 'admin' - Clo | ||
| > | ud Environments - Azure Sign-In Logs: - Activity | > | ud Environments - Azure Sign-In Logs: - Activity | ||
| > | : Sign-in successful - Client App: Browser - | > | : Sign-in successful - Client App: Browser - | ||
| > | Location: Unknown (Country: X) - Google Workspace - Act | > | Location: Unknown (Country: X) - Google Workspace - Act | ||
| > | ivity: Login - Event Type: successful_login | > | ivity: Login - Event Type: successful_login | ||
| > | - Source IP: 203.0.113.55 This data component can be collec | > | - Source IP: 203.0.113.55 | ||
| > | ted through the following measures: - Windows Systems - | ||||
| > | Event Logs: Monitor Security Event Logs using Event ID 4624 | ||||
| > | for successful logons. - PowerShell Example: `Get-Event | ||||
| > | Log -LogName Security -InstanceId 4624` - Linux Systems | ||||
| > | - Log Files: Monitor `/var/log/utmp`, `/var/log/wtmp`, or `/ | ||||
| > | var/log/auth.log` for logon events. - Tools: Use `last` | ||||
| > | or `who` commands to parse login records. - macOS Systems | ||||
| > | - Log Sources: Monitor `/var/log/asl.log` or Apple Unified | ||||
| > | Logs using the `log show` command. - Command Example: ` | ||||
| > | log show --predicate 'eventMessage contains "Authentication | ||||
| > | succeeded"' --info` - Cloud Environments - Azure AD: Use | ||||
| > | Azure Monitor to analyze sign-in logs. Example CLI Query: ` | ||||
| > | az monitor log-analytics query -w <workspace_id> --analytics | ||||
| > | -query "AzureActivity | where ActivityStatus == 'Success' an | ||||
| > | d OperationName == 'Sign-in'"` - Google Workspace: Enabl | ||||
| > | e and monitor Login Audit logs from the Admin Console. - | ||||
| > | Office 365: Use Audit Log Search in Microsoft 365 Security | ||||
| > | & Compliance Center for login-related events. - Network Logs | ||||
| > | - Sources: Network authentication mechanisms (e.g., RAD | ||||
| > | IUS or TACACS logs). - Enable EDR Monitoring: - EDR too | ||||
| > | ls monitor logon session activity, including the creation of | ||||
| > | new sessions. - Configure alerts for: Suspicious logon | ||||
| > | types (e.g., Logon Type 10 for RDP or Type 5 for Service). L | ||||
| > | ogons from unusual locations, accounts, or devices. - Le | ||||
| > | verage EDR telemetry for session attributes like source IP, | ||||
| > | session duration, and originating process. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:35.022000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | The successful establishment of a new user session following a successful authentication attempt. This typically signifies that a user has provided valid credentials or authentication tokens, and the system has initiated a session associated with that user account. This data is crucial for tracking authentication events and identifying potential unauthorized access. Examples:
+
+- Windows Systems
+ - Event ID: 4624
+ - Logon Type: 2 (Interactive) or 10 (Remote Interactive via RDP).
+ - Account Name: JohnDoe
+ - Source Network Address: 192.168.1.100
+ - Authentication Package: NTLM
+- Linux Systems
+ - /var/log/utmp or /var/log/wtmp:
+ - Log format: login user [tty] from [source_ip]
+ - User: jane
+ - IP: 10.0.0.5
+ - Timestamp: 2024-12-28 08:30:00
+- macOS Systems
+ - /var/log/asl.log or unified logging framework:
+ - Log: com.apple.securityd: Authentication succeeded for user 'admin'
+- Cloud Environments
+ - Azure Sign-In Logs:
+ - Activity: Sign-in successful
+ - Client App: Browser
+ - Location: Unknown (Country: X)
+- Google Workspace
+ - Activity: Login
+ - Event Type: successful_login
+ - Source IP: 203.0.113.55
+
+This data component can be collected through the following measures:
+
+- Windows Systems
+ - Event Logs: Monitor Security Event Logs using Event ID 4624 for successful logons.
+ - PowerShell Example: `Get-EventLog -LogName Security -InstanceId 4624`
+- Linux Systems
+ - Log Files: Monitor `/var/log/utmp`, `/var/log/wtmp`, or `/var/log/auth.log` for logon events.
+ - Tools: Use `last` or `who` commands to parse login records.
+- macOS Systems
+ - Log Sources: Monitor `/var/log/asl.log` or Apple Unified Logs using the `log show` command.
+ - Command Example: `log show --predicate 'eventMessage contains "Authentication succeeded"' --info`
+- Cloud Environments
+ - Azure AD: Use Azure Monitor to analyze sign-in logs. Example CLI Query: `az monitor log-analytics query -w | The successful establishment of a new user session following a successful authentication attempt. This typically signifies that a user has provided valid credentials or authentication tokens, and the system has initiated a session associated with that user account. This data is crucial for tracking authentication events and identifying potential unauthorized access. Examples: + +- Windows Systems + - Event ID: 4624 + - Logon Type: 2 (Interactive) or 10 (Remote Interactive via RDP). + - Account Name: JohnDoe + - Source Network Address: 192.168.1.100 + - Authentication Package: NTLM +- Linux Systems + - /var/log/utmp or /var/log/wtmp: + - Log format: login user [tty] from [source_ip] + - User: jane + - IP: 10.0.0.5 + - Timestamp: 2024-12-28 08:30:00 +- macOS Systems + - /var/log/asl.log or unified logging framework: + - Log: com.apple.securityd: Authentication succeeded for user 'admin' +- Cloud Environments + - Azure Sign-In Logs: + - Activity: Sign-in successful + - Client App: Browser + - Location: Unknown (Country: X) +- Google Workspace + - Activity: Login + - Event Type: successful_login + - Source IP: 203.0.113.55 |
| x_mitre_log_sources[5]['name'] | m365:signin | m365:signinlogs |
| x_mitre_log_sources[31]['name'] | m365:signin | m365:signinlogs |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624 with LogonType=9 or smartcard logon'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624 (LogonType=10 or 3), EventCode=4648'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624 (LogonType=3)'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624 (LogonType=10), EventCode=4648'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4672, 4648'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': '4624'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624,4648, 4672'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624,4648,4672,4769'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventID=4624'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4634'} |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.246000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_sources[4]['name'] | azure:signinLogs | azure:signinlogs |
| x_mitre_log_sources[3]['channel'] | EventCode=4624, 4634, 4672, 4768, 4769 | EventCode=4776, 4771, 4770 |
| x_mitre_log_sources[32]['name'] | m365:signin | m365:signinlogs |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4672, 4634'} |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4634, 4672, 4769'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4672'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4776,4771,4770'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624,4672'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4672, 4634, 4768, 4769'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | When a process or program dynamically attaches a shared libr | t | 1 | When a process or program dynamically attaches a shared libr |
| > | ary, module, or plugin into its memory space. This action is | > | ary, module, or plugin into its memory space. This action is | ||
| > | typically performed to extend the functionality of an appli | > | typically performed to extend the functionality of an appli | ||
| > | cation, access shared system resources, or interact with ker | > | cation, access shared system resources, or interact with ker | ||
| > | nel-mode components. *Data Collection Measures:* - Event L | > | nel-mode components. | ||
| > | ogging (Windows): - Sysmon Event ID 7: Logs when a DLL i | ||||
| > | s loaded into a process. - Windows Security Event ID 468 | ||||
| > | 8: Captures process creation events, often useful for correl | ||||
| > | ating module loads. - Windows Defender ATP: Can provide | ||||
| > | visibility into suspicious module loads. - Event Logging (Li | ||||
| > | nux/macOS): - AuditD (`execve` and `open` syscalls): Cap | ||||
| > | tures when shared libraries (`.so` files) are loaded. - | ||||
| > | Ltrace/Strace: Monitors process behavior, including library | ||||
| > | calls (`dlopen`, `execve`). - MacOS Endpoint Security Fr | ||||
| > | amework (ESF): Monitors library loads (`ES_EVENT_TYPE_NOTIFY | ||||
| > | _DYLD_INSERT_LIBRARIES`). - Endpoint Detection & Response (E | ||||
| > | DR): - Provide real-time telemetry on module loads and | ||||
| > | process injections. - Sysinternals Process Monitor (`pro | ||||
| > | cmon`): Captures loaded modules and their execution context. | ||||
| > | - Memory Forensics: - Volatility Framework (`malfind`, | ||||
| > | `ldrmodules`): Detects injected DLLs and anomalous module lo | ||||
| > | ads. - Rekall Framework: Useful for kernel-mode module d | ||||
| > | etection. - SIEM and Log Analysis: - Centralized log agg | ||||
| > | regation to correlate suspicious module loads across the env | ||||
| > | ironment. - Detection rules using correlation searches a | ||||
| > | nd behavioral analytics. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:35.471000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | When a process or program dynamically attaches a shared library, module, or plugin into its memory space. This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components. + +*Data Collection Measures:* + +- Event Logging (Windows): + - Sysmon Event ID 7: Logs when a DLL is loaded into a process. + - Windows Security Event ID 4688: Captures process creation events, often useful for correlating module loads. + - Windows Defender ATP: Can provide visibility into suspicious module loads. +- Event Logging (Linux/macOS): + - AuditD (`execve` and `open` syscalls): Captures when shared libraries (`.so` files) are loaded. + - Ltrace/Strace: Monitors process behavior, including library calls (`dlopen`, `execve`). + - MacOS Endpoint Security Framework (ESF): Monitors library loads (`ES_EVENT_TYPE_NOTIFY_DYLD_INSERT_LIBRARIES`). +- Endpoint Detection & Response (EDR): + - Provide real-time telemetry on module loads and process injections. + - Sysinternals Process Monitor (`procmon`): Captures loaded modules and their execution context. +- Memory Forensics: + - Volatility Framework (`malfind`, `ldrmodules`): Detects injected DLLs and anomalous module loads. + - Rekall Framework: Useful for kernel-mode module detection. +- SIEM and Log Analysis: + - Centralized log aggregation to correlate suspicious module loads across the environment. + - Detection rules using correlation searches and behavioral analytics. | When a process or program dynamically attaches a shared library, module, or plugin into its memory space. This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components. |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:34.190000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_sources[19]['channel'] | EventCode=22 | EventCode=3, 22 |
| x_mitre_log_sources[27]['channel'] | EventCode=5156 | EventCode=5156, 5157 |
| x_mitre_log_sources[90]['channel'] | 8001, 8002, 8003 | EventCode=8001, 8002, 8003 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=3'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=22'} | |
| x_mitre_log_sources | {'name': 'auditd:SYSCALL', 'channel': 'netconnect'} | |
| x_mitre_log_sources | {'name': 'auditd:SYSCALL', 'channel': 'open or connect'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=5156,5157'} | |
| x_mitre_log_sources | {'name': 'linux:Sysmon', 'channel': 'EventCode=3'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Opening a network share, which makes the contents available | t | 1 | Opening a network share, which makes the contents available |
| > | to the requestor (ex: Windows EID 5140 or 5145) *Data Colle | > | to the requestor (ex: Windows EID 5140 or 5145) | ||
| > | ction Measures:* - Windows: - Event ID 5140 – Network S | ||||
| > | hare Object Access Logs every access attempt to a network sh | ||||
| > | are. - Event ID 5145 – Detailed Network Share Object Acc | ||||
| > | ess Captures granular access control information, including | ||||
| > | the requesting user, source IP, and access permissions. | ||||
| > | - Sysmon Event ID 3 – Network Connection Initiated Helps tra | ||||
| > | ck SMB connections to suspicious or unauthorized network sha | ||||
| > | res. - Enable Audit Policy for Network Share Access: `au | ||||
| > | ditpol /set /subcategory:"File Share" /success:enable /failu | ||||
| > | re:enable` - Enable PowerShell Logging to Detect Unautho | ||||
| > | rized SMB Access: `Set-ExecutionPolicy RemoteSigned` - R | ||||
| > | estrict Network Share Access with Group Policy (GPO): `Compu | ||||
| > | ter Configuration → Windows Settings → Security Settings → L | ||||
| > | ocal Policies → User Rights Assignment` Set "Access this com | ||||
| > | puter from the network" to restrict unauthorized accounts. - | ||||
| > | Linux/macOS: - AuditD (`open`, `read`, `write`, `connec | ||||
| > | t` syscalls) Detects access to NFS, CIFS, and SMB network sh | ||||
| > | ares. - Lsof (`lsof | grep nfs` or `lsof | grep smb`) Id | ||||
| > | entifies active network share connections. - Mount (`mou | ||||
| > | nt | grep nfs` or `mount | grep cifs`) Lists currently mount | ||||
| > | ed network shares. - Enable AuditD for SMB/NFS Access: ` | ||||
| > | auditctl -a always,exit -F arch=b64 -S open -F path=/mnt/sha | ||||
| > | re -k network_share_access` - Monitor Active Network Sha | ||||
| > | res Using Netstat: `netstat -an | grep :445` - Endpoint Dete | ||||
| > | ction & Response (EDR): - Detects abnormal network share | ||||
| > | access behavior, such as unusual account usage, large file | ||||
| > | transfers, or encrypted file activity. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:37.412000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145) + +*Data Collection Measures:* + +- Windows: + - Event ID 5140 – Network Share Object Access Logs every access attempt to a network share. + - Event ID 5145 – Detailed Network Share Object Access Captures granular access control information, including the requesting user, source IP, and access permissions. + - Sysmon Event ID 3 – Network Connection Initiated Helps track SMB connections to suspicious or unauthorized network shares. + - Enable Audit Policy for Network Share Access: `auditpol /set /subcategory:"File Share" /success:enable /failure:enable` + - Enable PowerShell Logging to Detect Unauthorized SMB Access: `Set-ExecutionPolicy RemoteSigned` + - Restrict Network Share Access with Group Policy (GPO): `Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment` Set "Access this computer from the network" to restrict unauthorized accounts. +- Linux/macOS: + - AuditD (`open`, `read`, `write`, `connect` syscalls) Detects access to NFS, CIFS, and SMB network shares. + - Lsof (`lsof | grep nfs` or `lsof | grep smb`) Identifies active network share connections. + - Mount (`mount | grep nfs` or `mount | grep cifs`) Lists currently mounted network shares. + - Enable AuditD for SMB/NFS Access: `auditctl -a always,exit -F arch=b64 -S open -F path=/mnt/share -k network_share_access` + - Monitor Active Network Shares Using Netstat: `netstat -an | grep :445` +- Endpoint Detection & Response (EDR): + - Detects abnormal network share access behavior, such as unusual account usage, large file transfers, or encrypted file activity. | Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145) |
| x_mitre_log_sources[1]['channel'] | EventID=31001 | EventCode=31001 |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Summarized network packet data that captures session-level d | t | 1 | Summarized network packet data that captures session-level d |
| > | etails such as source/destination IPs, ports, protocol types | > | etails such as source/destination IPs, ports, protocol types | ||
| > | , timestamps, and data volume, without storing full packet p | > | , timestamps, and data volume, without storing full packet p | ||
| > | ayloads. This is commonly used for traffic analysis, anomaly | > | ayloads. This is commonly used for traffic analysis, anomaly | ||
| > | detection, and network performance monitoring. *Data Colle | > | detection, and network performance monitoring. | ||
| > | ction Measures:* - Network Flow Logs (Metadata Collection) | ||||
| > | - NetFlow - Summarized metadata for network con | ||||
| > | versations (no packet payloads). - sFlow (Sampled Flow L | ||||
| > | ogging) - Captures sampled packets from switches and | ||||
| > | routers. - Used for real-time traffic monitoring an | ||||
| > | d anomaly detection. - Zeek (Bro) Flow Logs - Ze | ||||
| > | ek logs session-level details in logs like conn.log, http.lo | ||||
| > | g, dns.log, etc. - Host-Based Collection - Sysmon Event | ||||
| > | ID 3 – Network Connection Initiated - Logs process-l | ||||
| > | evel network activity, useful for detecting malicious outbou | ||||
| > | nd connections. - AuditD (Linux) – syscall=connect | ||||
| > | - Monitors system calls for network connections. `auditct | ||||
| > | l -a always,exit -F arch=b64 -S connect -k network_activity` | ||||
| > | - Cloud & SaaS Flow Monitoring - AWS VPC Flow Logs | ||||
| > | - Captures metadata for traffic between EC2 instances, s | ||||
| > | ecurity groups, and internet gateways. - Azure NSG Flow | ||||
| > | Logs / Google VPC Flow Logs - Logs ingress/egress tr | ||||
| > | affic for cloud-based resources. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:34.703000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring. + +*Data Collection Measures:* + +- Network Flow Logs (Metadata Collection) + - NetFlow + - Summarized metadata for network conversations (no packet payloads). + - sFlow (Sampled Flow Logging) + - Captures sampled packets from switches and routers. + - Used for real-time traffic monitoring and anomaly detection. + - Zeek (Bro) Flow Logs + - Zeek logs session-level details in logs like conn.log, http.log, dns.log, etc. +- Host-Based Collection + - Sysmon Event ID 3 – Network Connection Initiated + - Logs process-level network activity, useful for detecting malicious outbound connections. + - AuditD (Linux) – syscall=connect + - Monitors system calls for network connections. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity` +- Cloud & SaaS Flow Monitoring + - AWS VPC Flow Logs + - Captures metadata for traffic between EC2 instances, security groups, and internet gateways. + - Azure NSG Flow Logs / Google VPC Flow Logs + - Logs ingress/egress traffic for cloud-based resources. | Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring. |
| x_mitre_log_sources[72]['channel'] | EventCode=2004,2005,2006 | EventCode=2004, 2005, 2006 |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Calls made by a process to operating system-provided Applica | t | 1 | Calls made by a process to operating system-provided Applica |
| > | tion Programming Interfaces (APIs). These calls are essentia | > | tion Programming Interfaces (APIs). These calls are essentia | ||
| > | l for interacting with system resources such as memory, file | > | l for interacting with system resources such as memory, file | ||
| > | s, and hardware, or for performing system-level tasks. Monit | > | s, and hardware, or for performing system-level tasks. Monit | ||
| > | oring these calls can provide insight into a process's inten | > | oring these calls can provide insight into a process's inten | ||
| > | t, especially if the process is malicious. *Data Collection | > | t, especially if the process is malicious. | ||
| > | Measures:* - Endpoint Detection and Response (EDR) Tools: | ||||
| > | - Leverage tools to monitor API execution behaviors at t | ||||
| > | he process level. - Example: Sysmon Event ID 10 captures | ||||
| > | API call traces for process access and memory allocation. - | ||||
| > | Process Monitor (ProcMon): - Use ProcMon to collect det | ||||
| > | ailed logs of process and API activity. ProcMon can provide | ||||
| > | granular details on API usage and identify malicious behavio | ||||
| > | r during analysis. - Windows Event Logs: - Use Event IDs | ||||
| > | from Windows logs for specific API-related activities: | ||||
| > | - Event ID 4688: A new process has been created (can ind | ||||
| > | irectly infer API use). - Event ID 4657: A registry | ||||
| > | value has been modified (to monitor registry-altering APIs). | ||||
| > | - Dynamic Analysis Tools: - Tools like Cuckoo Sandbox, | ||||
| > | Flare VM, or Hybrid Analysis monitor API execution during ma | ||||
| > | lware detonation. - Host-Based Logs: - On Linux/macOS sy | ||||
| > | stems, leverage audit frameworks (e.g., `auditd`, `strace`) | ||||
| > | to capture and analyze system call usage that APIs map to. - | ||||
| > | Runtime Monitors: - Runtime security tools like Falco c | ||||
| > | an monitor system-level calls for API execution. - Debugging | ||||
| > | and Tracing: - Use debugging tools like gdb (Linux) or | ||||
| > | WinDbg (Windows) for deep tracing of API executions in real | ||||
| > | time. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.999000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious. + +*Data Collection Measures:* + +- Endpoint Detection and Response (EDR) Tools: + - Leverage tools to monitor API execution behaviors at the process level. + - Example: Sysmon Event ID 10 captures API call traces for process access and memory allocation. +- Process Monitor (ProcMon): + - Use ProcMon to collect detailed logs of process and API activity. ProcMon can provide granular details on API usage and identify malicious behavior during analysis. +- Windows Event Logs: + - Use Event IDs from Windows logs for specific API-related activities: + - Event ID 4688: A new process has been created (can indirectly infer API use). + - Event ID 4657: A registry value has been modified (to monitor registry-altering APIs). +- Dynamic Analysis Tools: + - Tools like Cuckoo Sandbox, Flare VM, or Hybrid Analysis monitor API execution during malware detonation. +- Host-Based Logs: + - On Linux/macOS systems, leverage audit frameworks (e.g., `auditd`, `strace`) to capture and analyze system call usage that APIs map to. +- Runtime Monitors: + - Runtime security tools like Falco can monitor system-level calls for API execution. +- Debugging and Tracing: + - Use debugging tools like gdb (Linux) or WinDbg (Windows) for deep tracing of API executions in real time. | Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious. |
| x_mitre_log_sources[19]['channel'] | EventCode=4656 | EventCode=4663, 4670, 4656 |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:35.539000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_sources[13]['channel'] | EventCode=4656 | EventCode=4663, 4670, 4656 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=10, 7'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Refers to the event in which a new process (executable) is i | t | 1 | Refers to the event in which a new process (executable) is i |
| > | nitialized by an operating system. This can involve parent-c | > | nitialized by an operating system. This can involve parent-c | ||
| > | hild process relationships, process arguments, and environme | > | hild process relationships, process arguments, and environme | ||
| > | ntal variables. Monitoring process creation is crucial for d | > | ntal variables. Monitoring process creation is crucial for d | ||
| > | etecting malicious behaviors, such as execution of unauthori | > | etecting malicious behaviors, such as execution of unauthori | ||
| > | zed binaries, scripting abuse, or privilege escalation attem | > | zed binaries, scripting abuse, or privilege escalation attem | ||
| > | pts. *Data Collection Measures:* - Endpoint Detection and | > | pts.. | ||
| > | Response (EDR) Tools: - EDRs provide process telemetry, | ||||
| > | tracking execution flows and arguments. - Windows Event Logs | ||||
| > | : - Event ID 4688 (Audit Process Creation): Captures pro | ||||
| > | cess creation with associated parent process. - Sysmon (Wind | ||||
| > | ows): - Event ID 1 (Process Creation): Provides detailed | ||||
| > | logging - Linux/macOS Monitoring: - AuditD (execve sysc | ||||
| > | all): Logs process creation. - eBPF/XDP: Used for low-le | ||||
| > | vel monitoring of system calls related to process execution. | ||||
| > | - OSQuery: Allows SQL-like queries to track process eve | ||||
| > | nts (process_events table). - Apple Endpoint Security Fr | ||||
| > | amework (ESF): Monitors process creation on macOS. - Network | ||||
| > | -Based Monitoring: - Zeek (Bro) Logs: Captures network-b | ||||
| > | ased process execution related to remote shells. - Syslo | ||||
| > | g/OSSEC: Tracks execution of processes on distributed system | ||||
| > | s. - Behavioral SIEM Rules: - Monitor process creation f | ||||
| > | or uncommon binaries in user directories. - Detect proce | ||||
| > | sses with suspicious command-line arguments. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 19:28:39.339000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| external_references[0]['url'] | https://attack.mitre.org/data-components/DC0032 | https://attack.mitre.org/datacomponents/DC0032 |
| description | Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts. + +*Data Collection Measures:* + +- Endpoint Detection and Response (EDR) Tools: + - EDRs provide process telemetry, tracking execution flows and arguments. +- Windows Event Logs: + - Event ID 4688 (Audit Process Creation): Captures process creation with associated parent process. +- Sysmon (Windows): + - Event ID 1 (Process Creation): Provides detailed logging +- Linux/macOS Monitoring: + - AuditD (execve syscall): Logs process creation. + - eBPF/XDP: Used for low-level monitoring of system calls related to process execution. + - OSQuery: Allows SQL-like queries to track process events (process_events table). + - Apple Endpoint Security Framework (ESF): Monitors process creation on macOS. +- Network-Based Monitoring: + - Zeek (Bro) Logs: Captures network-based process execution related to remote shells. + - Syslog/OSSEC: Tracks execution of processes on distributed systems. +- Behavioral SIEM Rules: + - Monitor process creation for uncommon binaries in user directories. + - Detect processes with suspicious command-line arguments. | Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts.. |
| x_mitre_log_sources[293]['channel'] | EventCode=8003,8004 | EventCode=8003, 8004 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventlog:Security', 'channel': 'EventCode=4688'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Microsoft-Windows-Security-Auditing', 'channel': 'EventCode=4688'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:security', 'channel': 'EventCode=4688'} |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:35.331000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_sources[36]['channel'] | EventCode=400,403 | EventCode=400, 403 |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Changes made to a running process, such as writing data into | t | 1 | Changes made to a running process, such as writing data into |
| > | memory, modifying execution behavior, or injecting code int | > | memory, modifying execution behavior, or injecting code int | ||
| > | o an existing process. Adversaries frequently modify process | > | o an existing process. Adversaries frequently modify process | ||
| > | es to execute malicious payloads, evade detection, or gain e | > | es to execute malicious payloads, evade detection, or gain e | ||
| > | scalated privileges. *Data Collection Measures:* - Endpoi | > | scalated privileges. | ||
| > | nt Detection and Response (EDR) Tools: - EDRs can monito | ||||
| > | r memory modifications and API-level calls. - Sysmon (Window | ||||
| > | s): - Event ID 8 (CreateRemoteThread) – Detects cross-pr | ||||
| > | ocess thread injection, commonly used in process hollowing. | ||||
| > | - Event ID 10 (Process Access) – Detects access attempts | ||||
| > | to another process, often preceding injection attempts. - L | ||||
| > | inux/macOS Monitoring: - AuditD (ptrace, mmap, mprotect | ||||
| > | syscalls): Detects memory modifications and debugging attemp | ||||
| > | ts. - eBPF/XDP: Monitors low-level system calls related | ||||
| > | to process modifications. - OSQuery: The processes table | ||||
| > | can be queried for unusual modifications. - Network-Based M | ||||
| > | onitoring: - Zeek (Bro) Logs: Captures lateral movement | ||||
| > | attempts where adversaries remotely modify a process. - | ||||
| > | Syslog/OSSEC: Monitors logs for suspicious modifications. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:35.747000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Changes made to a running process, such as writing data into memory, modifying execution behavior, or injecting code into an existing process. Adversaries frequently modify processes to execute malicious payloads, evade detection, or gain escalated privileges. + +*Data Collection Measures:* + +- Endpoint Detection and Response (EDR) Tools: + - EDRs can monitor memory modifications and API-level calls. +- Sysmon (Windows): + - Event ID 8 (CreateRemoteThread) – Detects cross-process thread injection, commonly used in process hollowing. + - Event ID 10 (Process Access) – Detects access attempts to another process, often preceding injection attempts. +- Linux/macOS Monitoring: + - AuditD (ptrace, mmap, mprotect syscalls): Detects memory modifications and debugging attempts. + - eBPF/XDP: Monitors low-level system calls related to process modifications. + - OSQuery: The processes table can be queried for unusual modifications. +- Network-Based Monitoring: + - Zeek (Bro) Logs: Captures lateral movement attempts where adversaries remotely modify a process. + - Syslog/OSSEC: Monitors logs for suspicious modifications. | Changes made to a running process, such as writing data into memory, modifying execution behavior, or injecting code into an existing process. Adversaries frequently modify processes to execute malicious payloads, evade detection, or gain escalated privileges. |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The exit or termination of a running process on a system. Th | t | 1 | The exit or termination of a running process on a system. Th |
| > | is can occur due to normal operations, user-initiated comman | > | is can occur due to normal operations, user-initiated comman | ||
| > | ds, or malicious actions such as process termination by malw | > | ds, or malicious actions such as process termination by malw | ||
| > | are to disable security controls. *Data Collection Measures | > | are to disable security controls. | ||
| > | :* - Endpoint Detection and Response (EDR) Tools: - Mon | ||||
| > | itor process termination events. - Windows Event Logs: - | ||||
| > | Event ID 4689 (Process Termination) – Captures when a proce | ||||
| > | ss exits, including process ID and parent process. - Eve | ||||
| > | nt ID 7036 (Service Control Manager) – Monitors system servi | ||||
| > | ce stops. - Sysmon (Windows): - Event ID 5 (Process Term | ||||
| > | ination) – Detects when a process exits, including parent-ch | ||||
| > | ild relationships. - Linux/macOS Monitoring: - AuditD (` | ||||
| > | execve`, `exit_group`, `kill` syscalls) – Captures process t | ||||
| > | ermination via command-line interactions. - eBPF/XDP: Mo | ||||
| > | nitors low-level system calls related to process termination | ||||
| > | . - OSQuery: The processes table can be queried for abno | ||||
| > | rmal exits. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.181000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls. + +*Data Collection Measures:* + +- Endpoint Detection and Response (EDR) Tools: + - Monitor process termination events. +- Windows Event Logs: + - Event ID 4689 (Process Termination) – Captures when a process exits, including process ID and parent process. + - Event ID 7036 (Service Control Manager) – Monitors system service stops. +- Sysmon (Windows): + - Event ID 5 (Process Termination) – Detects when a process exits, including parent-child relationships. +- Linux/macOS Monitoring: + - AuditD (`execve`, `exit_group`, `kill` syscalls) – Captures process termination via command-line interactions. + - eBPF/XDP: Monitors low-level system calls related to process termination. + - OSQuery: The processes table can be queried for abnormal exits. | The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls. |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Captured network traffic that provides details about respons | t | 1 | Captured network traffic that provides details about respons |
| > | es received during an internet scan. This data includes both | > | es received during an internet scan. This data includes both | ||
| > | protocol header values (e.g., HTTP status codes, IP headers | > | protocol header values (e.g., HTTP status codes, IP headers | ||
| > | , or DNS response codes) and response body content (e.g., HT | > | , or DNS response codes) and response body content (e.g., HT | ||
| > | ML, JSON, or raw data). Examples: - HTTP Scan: A web server | > | ML, JSON, or raw data). Examples: - HTTP Scan: A web server | ||
| > | responds to a probe with an HTTP 200 status code and an HTM | > | responds to a probe with an HTTP 200 status code and an HTM | ||
| > | L body indicating the default page is accessible. - DNS Scan | > | L body indicating the default page is accessible. - DNS Scan | ||
| > | : A DNS server replies to a query with a resolved IP address | > | : A DNS server replies to a query with a resolved IP address | ||
| > | for a domain, along with details like Time-To-Live (TTL) an | > | for a domain, along with details like Time-To-Live (TTL) an | ||
| > | d authoritative information. - TCP Banner Grab: A service li | > | d authoritative information. - TCP Banner Grab: A service li | ||
| > | stening on a port (e.g., SSH or FTP) responds with a banner | > | stening on a port (e.g., SSH or FTP) responds with a banner | ||
| > | containing service name, version, or other metadata. *Data | > | containing service name, version, or other metadata. | ||
| > | Collection Measures:* - Network Traffic Monitoring: - D | ||||
| > | eploy packet capture tools like Wireshark, tcpdump, or Suric | ||||
| > | ata to log both headers and body content of response traffic | ||||
| > | . - Use network appliances like firewalls, intrusion det | ||||
| > | ection systems (IDS), or intrusion prevention systems (IPS) | ||||
| > | with logging enabled to capture scan responses. - Cloud Logg | ||||
| > | ing Services: - AWS VPC Flow Logs: Capture metadata abou | ||||
| > | t network flows, including source and destination, protocol, | ||||
| > | and response codes. - GCP Packet Mirroring: Use mirrore | ||||
| > | d packets to analyze responses. - Azure NSG Flow Logs: R | ||||
| > | ecord network traffic flow information for analysis. - Speci | ||||
| > | fic Tools: - Zmap or Masscan: Can perform internet-wide | ||||
| > | scans and collect response content for analysis. - Nmap: | ||||
| > | Use custom scripts to capture and log detailed response dat | ||||
| > | a during scans. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:40.412000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Captured network traffic that provides details about responses received during an internet scan. This data includes both protocol header values (e.g., HTTP status codes, IP headers, or DNS response codes) and response body content (e.g., HTML, JSON, or raw data). Examples: + +- HTTP Scan: A web server responds to a probe with an HTTP 200 status code and an HTML body indicating the default page is accessible. +- DNS Scan: A DNS server replies to a query with a resolved IP address for a domain, along with details like Time-To-Live (TTL) and authoritative information. +- TCP Banner Grab: A service listening on a port (e.g., SSH or FTP) responds with a banner containing service name, version, or other metadata. + +*Data Collection Measures:* + +- Network Traffic Monitoring: + - Deploy packet capture tools like Wireshark, tcpdump, or Suricata to log both headers and body content of response traffic. + - Use network appliances like firewalls, intrusion detection systems (IDS), or intrusion prevention systems (IPS) with logging enabled to capture scan responses. +- Cloud Logging Services: + - AWS VPC Flow Logs: Capture metadata about network flows, including source and destination, protocol, and response codes. + - GCP Packet Mirroring: Use mirrored packets to analyze responses. + - Azure NSG Flow Logs: Record network traffic flow information for analysis. +- Specific Tools: + - Zmap or Masscan: Can perform internet-wide scans and collect response content for analysis. + - Nmap: Use custom scripts to capture and log detailed response data during scans. | Captured network traffic that provides details about responses received during an internet scan. This data includes both protocol header values (e.g., HTTP status codes, IP headers, or DNS response codes) and response body content (e.g., HTML, JSON, or raw data). Examples: + +- HTTP Scan: A web server responds to a probe with an HTTP 200 status code and an HTML body indicating the default page is accessible. +- DNS Scan: A DNS server replies to a query with a resolved IP address for a domain, along with details like Time-To-Live (TTL) and authoritative information. +- TCP Banner Grab: A service listening on a port (e.g., SSH or FTP) responds with a banner containing service name, version, or other metadata. |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The establishment of a task or job that will execute at a pr | t | 1 | The establishment of a task or job that will execute at a pr |
| > | edefined time or based on specific triggers. *Data Collecti | > | edefined time or based on specific triggers. | ||
| > | on Measures: * - Windows Event Logs: - Event ID 4698 (S | ||||
| > | cheduled Task Created) – Detects the creation of new schedul | ||||
| > | ed tasks. - Event ID 4702 (Scheduled Task Updated) – Ide | ||||
| > | ntifies modifications to existing scheduled jobs. - Even | ||||
| > | t ID 106 (TaskScheduler Operational Log) – Provides details | ||||
| > | about scheduled task execution. - Sysmon (Windows): - Ev | ||||
| > | ent ID 1 (Process Creation) – Detects the execution of suspi | ||||
| > | cious tasks started by `schtasks.exe`, `at.exe`, or `taskeng | ||||
| > | .exe`. - Linux/macOS Monitoring: - AuditD: Monitor modif | ||||
| > | ications to `/etc/cron*`, `/var/spool/cron/`, and `crontab` | ||||
| > | files. - Syslog: Capture cron job execution logs from `/ | ||||
| > | var/log/cron`. - OSQuery: Query the `crontab` and `launc | ||||
| > | hd` tables for scheduled job configurations. - Endpoint Dete | ||||
| > | ction and Response (EDR) Tools: - Track scheduled task c | ||||
| > | reation and modification events. - SIEM & XDR Detection Rule | ||||
| > | s: - Monitor for scheduled jobs created by unusual users | ||||
| > | . - Detect tasks executing scripts from non-standard dir | ||||
| > | ectories. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:35.814000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | The establishment of a task or job that will execute at a predefined time or based on specific triggers. + +*Data Collection Measures: * + +- Windows Event Logs: + - Event ID 4698 (Scheduled Task Created) – Detects the creation of new scheduled tasks. + - Event ID 4702 (Scheduled Task Updated) – Identifies modifications to existing scheduled jobs. + - Event ID 106 (TaskScheduler Operational Log) – Provides details about scheduled task execution. +- Sysmon (Windows): + - Event ID 1 (Process Creation) – Detects the execution of suspicious tasks started by `schtasks.exe`, `at.exe`, or `taskeng.exe`. +- Linux/macOS Monitoring: + - AuditD: Monitor modifications to `/etc/cron*`, `/var/spool/cron/`, and `crontab` files. + - Syslog: Capture cron job execution logs from `/var/log/cron`. + - OSQuery: Query the `crontab` and `launchd` tables for scheduled job configurations. +- Endpoint Detection and Response (EDR) Tools: + - Track scheduled task creation and modification events. +- SIEM & XDR Detection Rules: + - Monitor for scheduled jobs created by unusual users. + - Detect tasks executing scripts from non-standard directories. | The establishment of a task or job that will execute at a predefined time or based on specific triggers. |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-22 19:03:38.549000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| external_references[0]['url'] | https://attack.mitre.org/data-components/DC0005 | https://attack.mitre.org/datacomponents/DC0005 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'linux:cron', 'channel': '/var/log/syslog or journalctl'} | |
| x_mitre_log_sources | {'name': 'linux::cron', 'channel': 'crontab or at job created within TimeWindow post time discovery'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The execution of a text file that contains code via the inte | t | 1 | The execution of a text file that contains code via the inte |
| > | rpreter. *Data Collection Measures:* - Windows Event Logs: | > | rpreter. | ||
| > | - Event ID 4104 (PowerShell Script Block Logging) – Cap | ||||
| > | tures full command-line execution of PowerShell scripts. | ||||
| > | - Event ID 4688 (Process Creation) – Detects script executi | ||||
| > | on by tracking process launches (`powershell.exe`, `wscript. | ||||
| > | exe`, `cscript.exe`). - Event ID 5861 (Script Execution) | ||||
| > | – Captures script execution via Windows Defender AMSI loggi | ||||
| > | ng. - Sysmon (Windows): - Event ID 1 (Process Creation) | ||||
| > | – Monitors script execution initiated by scripting engines. | ||||
| > | - Event ID 11 (File Creation) – Detects new script files | ||||
| > | written to disk before execution. - Endpoint Detection and | ||||
| > | Response (EDR) Tools: - Track script execution behavior, | ||||
| > | detect obfuscated commands, and prevent malicious scripts. | ||||
| > | - PowerShell Logging: - Enable Module Logging: Logs all | ||||
| > | loaded modules and cmdlets. - Enable Script Block Loggin | ||||
| > | g: Captures complete PowerShell script execution history. - | ||||
| > | SIEM Detection Rules: - Detect script execution with obf | ||||
| > | uscated, encoded, or remote URLs. - Alert on script exec | ||||
| > | utions using `-EncodedCommand` or `iex(iwr)`. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.018000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | The execution of a text file that contains code via the interpreter. + +*Data Collection Measures:* + +- Windows Event Logs: + - Event ID 4104 (PowerShell Script Block Logging) – Captures full command-line execution of PowerShell scripts. + - Event ID 4688 (Process Creation) – Detects script execution by tracking process launches (`powershell.exe`, `wscript.exe`, `cscript.exe`). + - Event ID 5861 (Script Execution) – Captures script execution via Windows Defender AMSI logging. +- Sysmon (Windows): + - Event ID 1 (Process Creation) – Monitors script execution initiated by scripting engines. + - Event ID 11 (File Creation) – Detects new script files written to disk before execution. +- Endpoint Detection and Response (EDR) Tools: + - Track script execution behavior, detect obfuscated commands, and prevent malicious scripts. +- PowerShell Logging: + - Enable Module Logging: Logs all loaded modules and cmdlets. + - Enable Script Block Logging: Captures complete PowerShell script execution history. +- SIEM Detection Rules: + - Detect script execution with obfuscated, encoded, or remote URLs. + - Alert on script executions using `-EncodedCommand` or `iex(iwr)`. | The execution of a text file that contains code via the interpreter. |
| x_mitre_log_sources[11]['channel'] | EventCode=4103, 4104 | EventCode=4103, 4104, 4105, 4106 |
| x_mitre_log_sources[22]['channel'] | EventCode=4016,5312 | EventCode=4016, 5312 |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.315000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=7045'} |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.382000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_sources[1]['name'] | WinEventLog:sysmon | WinEventLog:Sysmon |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Changes made to an existing service or daemon, such as modif | t | 1 | Changes made to an existing service or daemon, such as modif |
| > | ying the service name, start type, execution parameters, or | > | ying the service name, start type, execution parameters, or | ||
| > | security configurations. *Data Collection Measures: * - Wi | > | security configurations. | ||
| > | ndows Event Logs - Event ID 7040 - Detects modifications | ||||
| > | to the startup behavior of a service. - Event ID 7045 - | ||||
| > | Can capture changes made to existing services. - Event | ||||
| > | ID 7036 - Tracks when services start or stop, potentially in | ||||
| > | dicating malicious tampering. - Event ID 4697 - Can dete | ||||
| > | ct when an adversary reinstalls a service with different par | ||||
| > | ameters. - Sysmon Logs - Sysmon Event ID 13 - Detects ch | ||||
| > | anges to service configurations in the Windows Registry (e.g | ||||
| > | ., `HKLM\SYSTEM\CurrentControlSet\Services\`). - Sysmon | ||||
| > | Event ID 1 - Can track execution of `sc.exe` or `PowerShell | ||||
| > | Set-Service`. - PowerShell Logging - Event ID 4104 (Scri | ||||
| > | pt Block Logging) - Captures execution of commands like `Set | ||||
| > | -Service`, `New-Service`, or `sc config`. - Command-Line | ||||
| > | Logging (Event ID 4688) - Tracks usage of service modificat | ||||
| > | ion commands: - `sc config <service_name> start= aut | ||||
| > | o` - `sc qc <service_name>` - Linux/macOS Collec | ||||
| > | tion Methods - Systemd Journals (`journalctl -u <service | ||||
| > | _name>`) Tracks modifications to systemd service configurati | ||||
| > | ons. - Daemon Logs (`/var/log/syslog`, `/var/log/message | ||||
| > | s`, `/var/log/daemon.log`) Captures changes to service state | ||||
| > | and execution parameters. - AuditD Rules for Service Mo | ||||
| > | dification - Monitor modifications to `/etc/systemd | ||||
| > | /system/` for new or altered service unit files: `auditctl - | ||||
| > | w /etc/systemd/system/ -p wa -k service_modification` | ||||
| > | - Track execution of `systemctl` or `service` commands: `a | ||||
| > | uditctl -a always,exit -F arch=b64 -S execve -F a0=systemctl | ||||
| > | -F key=service_mod` - OSQuery for Linux/macOS Monitorin | ||||
| > | g - Query modified services using OSQuery’s `process | ||||
| > | es` or `system_info` tables: `SELECT * FROM systemd_units WH | ||||
| > | ERE state != 'running';` - macOS Launch Daemon/Agent Mod | ||||
| > | ification - Monitor for changes in: - `/ | ||||
| > | Library/LaunchDaemons/` - `/Library/LaunchAgents | ||||
| > | /` - Track modifications to `.plist` files indicatin | ||||
| > | g persistence attempts. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:37.211000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Changes made to an existing service or daemon, such as modifying the service name, start type, execution parameters, or security configurations.
+
+*Data Collection Measures: *
+
+- Windows Event Logs
+ - Event ID 7040 - Detects modifications to the startup behavior of a service.
+ - Event ID 7045 - Can capture changes made to existing services.
+ - Event ID 7036 - Tracks when services start or stop, potentially indicating malicious tampering.
+ - Event ID 4697 - Can detect when an adversary reinstalls a service with different parameters.
+- Sysmon Logs
+ - Sysmon Event ID 13 - Detects changes to service configurations in the Windows Registry (e.g., `HKLM\SYSTEM\CurrentControlSet\Services\`).
+ - Sysmon Event ID 1 - Can track execution of `sc.exe` or `PowerShell Set-Service`.
+- PowerShell Logging
+ - Event ID 4104 (Script Block Logging) - Captures execution of commands like `Set-Service`, `New-Service`, or `sc config`.
+ - Command-Line Logging (Event ID 4688) - Tracks usage of service modification commands:
+ - `sc config | Changes made to an existing service or daemon, such as modifying the service name, start type, execution parameters, or security configurations. |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The process of taking a point-in-time copy of a cloud storag | t | 1 | The process of taking a point-in-time copy of a cloud storag |
| > | e volume (files, settings, configurations, etc.), virtual ma | > | e volume (files, settings, configurations, etc.), virtual ma | ||
| > | chine (VM), or database that can be created and deployed in | > | chine (VM), or database that can be created and deployed in | ||
| > | cloud environments. *Data Collection Measures:* - Cloud Pl | > | cloud environments. | ||
| > | atform Logs (IaaS) - AWS CloudTrail Logs: Monitor API ca | ||||
| > | lls related to snapshot creation (`CreateSnapshot`). - A | ||||
| > | zure Monitor Logs: Track snapshot creation (`Microsoft.Compu | ||||
| > | te/snapshots/write`). - Google Cloud Logging: Detect `co | ||||
| > | mpute.disks.createSnapshot`. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:39.640000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | The process of taking a point-in-time copy of a cloud storage volume (files, settings, configurations, etc.), virtual machine (VM), or database that can be created and deployed in cloud environments. + +*Data Collection Measures:* + +- Cloud Platform Logs (IaaS) + - AWS CloudTrail Logs: Monitor API calls related to snapshot creation (`CreateSnapshot`). + - Azure Monitor Logs: Track snapshot creation (`Microsoft.Compute/snapshots/write`). + - Google Cloud Logging: Detect `compute.disks.createSnapshot`. | The process of taking a point-in-time copy of a cloud storage volume (files, settings, configurations, etc.), virtual machine (VM), or database that can be created and deployed in cloud environments. |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | An attempt (successful and failed login attempts) by a user, | t | 1 | An attempt (successful and failed login attempts) by a user, |
| > | service, or application to gain access to a network, system | > | service, or application to gain access to a network, system | ||
| > | , or cloud-based resource. This typically involves credentia | > | , or cloud-based resource. This typically involves credentia | ||
| > | ls such as passwords, tokens, multi-factor authentication (M | > | ls such as passwords, tokens, multi-factor authentication (M | ||
| > | FA), or biometric validation. *Data Collection Measures:* | > | FA), or biometric validation. | ||
| > | - Host-Based Authentication Logs - Windows Event Logs | ||||
| > | - Event ID 4776 – NTLM authentication attempt. | ||||
| > | - Event ID 4624 – Successful user logon. - Event ID | ||||
| > | 4625 – Failed authentication attempt. - Event ID 46 | ||||
| > | 48 – Explicit logon with alternate credentials. - Linux/ | ||||
| > | macOS Authentication Logs - `/var/log/auth.log`, `/v | ||||
| > | ar/log/secure` – Logs SSH, sudo, and other authentication at | ||||
| > | tempts. - AuditD – Tracks authentication events via | ||||
| > | PAM modules. - macOS Unified Logs – `/var/db/diagnos | ||||
| > | tics` captures authentication failures. - Cloud Authenticati | ||||
| > | on Logs - Azure AD Logs - Sign-in Logs – Tracks | ||||
| > | authentication attempts, MFA challenges, and conditional acc | ||||
| > | ess failures. - Audit Logs – Captures authentication | ||||
| > | -related configuration changes. - Microsoft Graph AP | ||||
| > | I – Provides real-time sign-in analytics. - Google Works | ||||
| > | pace & Office 365 - Google Admin Console – `User Log | ||||
| > | in Report` tracks login attempts and failures. - Off | ||||
| > | ice 365 Unified Audit Logs – Captures logins across Exchange | ||||
| > | , SharePoint, and Teams. - AWS CloudTrail & IAM | ||||
| > | - Tracks authentication via `AWS IAM AuthenticateUser` and ` | ||||
| > | sts:GetSessionToken`. - Logs failed authentications | ||||
| > | to AWS Management Console and API requests. - Container Auth | ||||
| > | entication Monitoring - Kubernetes Authentication Logs | ||||
| > | - kubectl audit logs – Captures authentication attemp | ||||
| > | ts for service accounts and admin users. - Azure Kub | ||||
| > | ernetes Service (AKS) and Google Kubernetes Engine (GKE) – L | ||||
| > | ogs IAM authentication events. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:34.948000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation. + +*Data Collection Measures:* + +- Host-Based Authentication Logs + - Windows Event Logs + - Event ID 4776 – NTLM authentication attempt. + - Event ID 4624 – Successful user logon. + - Event ID 4625 – Failed authentication attempt. + - Event ID 4648 – Explicit logon with alternate credentials. + - Linux/macOS Authentication Logs + - `/var/log/auth.log`, `/var/log/secure` – Logs SSH, sudo, and other authentication attempts. + - AuditD – Tracks authentication events via PAM modules. + - macOS Unified Logs – `/var/db/diagnostics` captures authentication failures. +- Cloud Authentication Logs + - Azure AD Logs + - Sign-in Logs – Tracks authentication attempts, MFA challenges, and conditional access failures. + - Audit Logs – Captures authentication-related configuration changes. + - Microsoft Graph API – Provides real-time sign-in analytics. + - Google Workspace & Office 365 + - Google Admin Console – `User Login Report` tracks login attempts and failures. + - Office 365 Unified Audit Logs – Captures logins across Exchange, SharePoint, and Teams. + - AWS CloudTrail & IAM + - Tracks authentication via `AWS IAM AuthenticateUser` and `sts:GetSessionToken`. + - Logs failed authentications to AWS Management Console and API requests. +- Container Authentication Monitoring + - Kubernetes Authentication Logs + - kubectl audit logs – Captures authentication attempts for service accounts and admin users. + - Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE) – Logs IAM authentication events. | An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation. |
| x_mitre_log_sources[12]['name'] | m365:signin | m365:signinlogs |
| x_mitre_log_sources[15]['channel'] | EventCode=4769,1200,1202 | EventCode=4776, 4625 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4769, 1200, 1202'} |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4625'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4625, 4624'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': '4624, 4625'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventID=4625'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The initial establishment of a new user, service, or machine | t | 1 | The initial establishment of a new user, service, or machine |
| > | account within an operating system, cloud environment, or i | > | account within an operating system, cloud environment, or i | ||
| > | dentity management system. *Data Collection Measures:* - H | > | dentity management system. | ||
| > | ost-Based Logging - Windows Event Logs - Event I | ||||
| > | D 4720 – A new user account was created. - Event ID | ||||
| > | 4732/4735 – A user was added to a privileged group. | ||||
| > | - Event ID 4798 – Enumeration of user accounts. - Linux/ | ||||
| > | macOS Authentication Logs - `/var/log/auth.log`, `/v | ||||
| > | ar/log/secure` – Logs `useradd`, `adduser`, `passwd`, and `g | ||||
| > | roupmod` activities. - AuditD – Detects new account | ||||
| > | creation via PAM (`useradd`, `usermod`). - OSQuery – | ||||
| > | The `users` table tracks newly created accounts. - Cloud-Ba | ||||
| > | sed Logging - Azure AD Logs - Azure AD Audit Log | ||||
| > | s – Tracks new user and service account creation. - | ||||
| > | Azure Graph API – Provides logs on new account provisioning. | ||||
| > | - AWS IAM & CloudTrail Logs - CreateUser, Creat | ||||
| > | eRole – Tracks new IAM user creation. - AttachRolePo | ||||
| > | licy – Identifies privilege escalation via account creation. | ||||
| > | - Google Workspace & Office 365 Logs - Google A | ||||
| > | dmin Console – Logs user creation in User Accounts API. | ||||
| > | - Microsoft 365 Unified Audit Log – Tracks new account p | ||||
| > | rovisioning. - Container & Network Account Creation Logs | ||||
| > | - Kubernetes Account Creation Logs - kubectl audit | ||||
| > | logs – Detects new service account provisioning. - G | ||||
| > | KE/Azure AKS Logs – Track new container service accounts. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:34.784000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | The initial establishment of a new user, service, or machine account within an operating system, cloud environment, or identity management system. + +*Data Collection Measures:* + +- Host-Based Logging + - Windows Event Logs + - Event ID 4720 – A new user account was created. + - Event ID 4732/4735 – A user was added to a privileged group. + - Event ID 4798 – Enumeration of user accounts. + - Linux/macOS Authentication Logs + - `/var/log/auth.log`, `/var/log/secure` – Logs `useradd`, `adduser`, `passwd`, and `groupmod` activities. + - AuditD – Detects new account creation via PAM (`useradd`, `usermod`). + - OSQuery – The `users` table tracks newly created accounts. +- Cloud-Based Logging + - Azure AD Logs + - Azure AD Audit Logs – Tracks new user and service account creation. + - Azure Graph API – Provides logs on new account provisioning. + - AWS IAM & CloudTrail Logs + - CreateUser, CreateRole – Tracks new IAM user creation. + - AttachRolePolicy – Identifies privilege escalation via account creation. + - Google Workspace & Office 365 Logs + - Google Admin Console – Logs user creation in User Accounts API. + - Microsoft 365 Unified Audit Log – Tracks new account provisioning. +- Container & Network Account Creation Logs + - Kubernetes Account Creation Logs + - kubectl audit logs – Detects new service account provisioning. + - GKE/Azure AKS Logs – Track new container service accounts. | The initial establishment of a new user, service, or machine account within an operating system, cloud environment, or identity management system. |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4720, EventCode=4781'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The removal of a user, service, or machine account from an o | t | 1 | The removal of a user, service, or machine account from an o |
| > | perating system, cloud identity management system, or direct | > | perating system, cloud identity management system, or direct | ||
| > | ory service. *Data Collection Measures:* - Host-Based Logg | > | ory service. | ||
| > | ing - Windows Event Logs - Event ID 4726 – A use | ||||
| > | r account was deleted. - Event ID 4733/4735 – A user | ||||
| > | was removed from a privileged group. - Event ID 110 | ||||
| > | 2 – Security log was cleared (potential cover-up). - Lin | ||||
| > | ux/macOS Authentication Logs - `/var/log/auth.log`, | ||||
| > | `/var/log/secure` – Logs `userdel`, `deluser`, `passwd -l`. | ||||
| > | - AuditD – Tracks account deletions via PAM events ( | ||||
| > | `userdel`). - OSQuery – The `users` table can detect | ||||
| > | account removal. - Cloud-Based Logging - Azure AD Logs | ||||
| > | - Azure AD Audit Logs – Tracks user and service acco | ||||
| > | unt deletions. - Azure Graph API – Monitors identity | ||||
| > | changes. - AWS IAM & CloudTrail Logs - `DeleteU | ||||
| > | ser`, `DeleteRole` – Tracks IAM user deletion. - Det | ||||
| > | achRolePolicy – Identifies privilege revocation before delet | ||||
| > | ion. - Google Workspace & Office 365 Logs - Goog | ||||
| > | le Admin Console – Logs user removal activities. - M | ||||
| > | icrosoft 365 Unified Audit Log – Captures deleted accounts i | ||||
| > | n Active Directory. - Container & Network Account Deletion L | ||||
| > | ogs - Kubernetes Service Account Deletion - kube | ||||
| > | ctl audit logs – Detects when service accounts are removed f | ||||
| > | rom pods. - GKE/Azure AKS Logs – Track containerized | ||||
| > | identity removals. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.864000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | The removal of a user, service, or machine account from an operating system, cloud identity management system, or directory service. + +*Data Collection Measures:* + +- Host-Based Logging + - Windows Event Logs + - Event ID 4726 – A user account was deleted. + - Event ID 4733/4735 – A user was removed from a privileged group. + - Event ID 1102 – Security log was cleared (potential cover-up). + - Linux/macOS Authentication Logs + - `/var/log/auth.log`, `/var/log/secure` – Logs `userdel`, `deluser`, `passwd -l`. + - AuditD – Tracks account deletions via PAM events (`userdel`). + - OSQuery – The `users` table can detect account removal. +- Cloud-Based Logging + - Azure AD Logs + - Azure AD Audit Logs – Tracks user and service account deletions. + - Azure Graph API – Monitors identity changes. + - AWS IAM & CloudTrail Logs + - `DeleteUser`, `DeleteRole` – Tracks IAM user deletion. + - DetachRolePolicy – Identifies privilege revocation before deletion. + - Google Workspace & Office 365 Logs + - Google Admin Console – Logs user removal activities. + - Microsoft 365 Unified Audit Log – Captures deleted accounts in Active Directory. +- Container & Network Account Deletion Logs + - Kubernetes Service Account Deletion + - kubectl audit logs – Detects when service accounts are removed from pods. + - GKE/Azure AKS Logs – Track containerized identity removals. | The removal of a user, service, or machine account from an operating system, cloud identity management system, or directory service. |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Changes made to an existing user, service, or machine accoun | t | 1 | Changes made to an existing user, service, or machine accoun |
| > | t, including alterations to attributes, permissions, roles, | > | t, including alterations to attributes, permissions, roles, | ||
| > | authentication methods, or group memberships. *Data Collect | > | authentication methods, or group memberships. | ||
| > | ion Measures:* - Host-Based Logging - Windows Event Log | ||||
| > | s - Event ID 4738 – A user account was changed. | ||||
| > | - Event ID 4725 – A user account was disabled. - | ||||
| > | Event ID 4724 – An attempt was made to reset an account's p | ||||
| > | assword. - Event ID 4767 – A user account was unlock | ||||
| > | ed. - Linux/macOS Authentication Logs - `/var/lo | ||||
| > | g/auth.log`, `/var/log/secure` – Tracks account modification | ||||
| > | s (`usermod`, `chage`, `passwd`). - AuditD – Monitor | ||||
| > | s account changes (`useradd`, `usermod`, `gpasswd`). | ||||
| > | - OSQuery – Queries the `users` table for recent modificati | ||||
| > | ons. - Cloud-Based Logging - Azure AD Logs - Azu | ||||
| > | re AD Audit Logs – Tracks modifications to users and securit | ||||
| > | y groups. - Azure Graph API – Captures changes to au | ||||
| > | thentication policies and MFA settings. - AWS IAM & Clou | ||||
| > | dTrail Logs - `ModifyUser`, `UpdateLoginProfile` – C | ||||
| > | aptures changes to IAM user attributes. - `AttachUse | ||||
| > | rPolicy`, `AddUserToGroup` – Detects policy and group modifi | ||||
| > | cations. - Google Workspace & Office 365 Logs - | ||||
| > | Google Admin Console – Logs account changes, role modificati | ||||
| > | ons, and group membership updates. - Microsoft 365 U | ||||
| > | nified Audit Log – Captures modifications to security settin | ||||
| > | gs and privileged account changes. - Container & Network Acc | ||||
| > | ount Modification Logs - Kubernetes Service Account Chan | ||||
| > | ges - kubectl audit logs – Detects service account m | ||||
| > | odifications in Kubernetes clusters. - GKE/Azure AKS | ||||
| > | Logs – Monitors role and permission changes. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.735000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Changes made to an existing user, service, or machine account, including alterations to attributes, permissions, roles, authentication methods, or group memberships. + +*Data Collection Measures:* + +- Host-Based Logging + - Windows Event Logs + - Event ID 4738 – A user account was changed. + - Event ID 4725 – A user account was disabled. + - Event ID 4724 – An attempt was made to reset an account's password. + - Event ID 4767 – A user account was unlocked. + - Linux/macOS Authentication Logs + - `/var/log/auth.log`, `/var/log/secure` – Tracks account modifications (`usermod`, `chage`, `passwd`). + - AuditD – Monitors account changes (`useradd`, `usermod`, `gpasswd`). + - OSQuery – Queries the `users` table for recent modifications. +- Cloud-Based Logging + - Azure AD Logs + - Azure AD Audit Logs – Tracks modifications to users and security groups. + - Azure Graph API – Captures changes to authentication policies and MFA settings. + - AWS IAM & CloudTrail Logs + - `ModifyUser`, `UpdateLoginProfile` – Captures changes to IAM user attributes. + - `AttachUserPolicy`, `AddUserToGroup` – Detects policy and group modifications. + - Google Workspace & Office 365 Logs + - Google Admin Console – Logs account changes, role modifications, and group membership updates. + - Microsoft 365 Unified Audit Log – Captures modifications to security settings and privileged account changes. +- Container & Network Account Modification Logs + - Kubernetes Service Account Changes + - kubectl audit logs – Detects service account modifications in Kubernetes clusters. + - GKE/Azure AKS Logs – Monitors role and permission changes. | Changes made to an existing user, service, or machine account, including alterations to attributes, permissions, roles, authentication methods, or group memberships. |
| x_mitre_log_sources[11]['channel'] | EventCode=4723, 4724, 4726, 4740 | EventCode=4723, 4724, 4740 |
| x_mitre_log_sources[30]['name'] | azure:signinLogs | azure:signinlogs |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:DirectoryService', 'channel': 'EventID 5136'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The initial provisioning of block storage volumes in cloud o | t | 1 | The initial provisioning of block storage volumes in cloud o |
| > | r on-prem environments, typically used for data storage, bac | > | r on-prem environments, typically used for data storage, bac | ||
| > | kup, or workload scaling. *Data Collection Measures:* - Cl | > | kup, or workload scaling. | ||
| > | oud-Based Logging & Monitoring - AWS CloudTrail | ||||
| > | - `CreateVolume` – Logs the creation of new Amazon Elastic B | ||||
| > | lock Store (EBS) volumes. - `RunInstances` – Can be | ||||
| > | correlated to detect automatic volume provisioning. - Az | ||||
| > | ure Monitor & Log Analytics - `Microsoft.Compute/dis | ||||
| > | ks/write` – Captures creation of new managed/unmanaged disks | ||||
| > | . - `Microsoft.Storage/storageAccounts/write` – Dete | ||||
| > | cts creation of new Azure Blob Storage volumes. - Google | ||||
| > | Cloud Logging (GCP) - `compute.disks.insert` – Trac | ||||
| > | ks new persistent disk creation. - `compute.instance | ||||
| > | s.attachDisk` – Logs attachment of a volume to a running VM. | ||||
| > | - OpenStack Logs - `volume.create` – Captures n | ||||
| > | ew storage volume provisioning. - `cinder.volume.cre | ||||
| > | ate` – Logs OpenStack Cinder block storage creation. - Host- | ||||
| > | Based & SIEM Detection - Linux/macOS System Logs | ||||
| > | - `/var/log/syslog` & `/var/log/messages` – Detects new mou | ||||
| > | nt points or attached storage. - `dmesg | grep "new | ||||
| > | disk"` – Identifies kernel messages for volume attachment. | ||||
| > | - AuditD: Tracks `mkfs` (filesystem creation) for new | ||||
| > | volume provisioning. - Windows Event Logs - Eve | ||||
| > | nt ID 1006 (Storage Management Events) – Captures disk volum | ||||
| > | e creation. - Event ID 5145 (Object Access: File Sha | ||||
| > | re) – Detects access to newly created storage shares. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:39.832000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | The initial provisioning of block storage volumes in cloud or on-prem environments, typically used for data storage, backup, or workload scaling. + +*Data Collection Measures:* + +- Cloud-Based Logging & Monitoring + - AWS CloudTrail + - `CreateVolume` – Logs the creation of new Amazon Elastic Block Store (EBS) volumes. + - `RunInstances` – Can be correlated to detect automatic volume provisioning. + - Azure Monitor & Log Analytics + - `Microsoft.Compute/disks/write` – Captures creation of new managed/unmanaged disks. + - `Microsoft.Storage/storageAccounts/write` – Detects creation of new Azure Blob Storage volumes. + - Google Cloud Logging (GCP) + - `compute.disks.insert` – Tracks new persistent disk creation. + - `compute.instances.attachDisk` – Logs attachment of a volume to a running VM. + - OpenStack Logs + - `volume.create` – Captures new storage volume provisioning. + - `cinder.volume.create` – Logs OpenStack Cinder block storage creation. +- Host-Based & SIEM Detection + - Linux/macOS System Logs + - `/var/log/syslog` & `/var/log/messages` – Detects new mount points or attached storage. + - `dmesg | grep "new disk"` – Identifies kernel messages for volume attachment. + - AuditD: Tracks `mkfs` (filesystem creation) for new volume provisioning. + - Windows Event Logs + - Event ID 1006 (Storage Management Events) – Captures disk volume creation. + - Event ID 5145 (Object Access: File Share) – Detects access to newly created storage shares. | The initial provisioning of block storage volumes in cloud or on-prem environments, typically used for data storage, backup, or workload scaling. |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:38.711000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_sources[1]['channel'] | DeleteVolume, ModifyVolume | DeleteVolume |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:38.841000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_sources[0]['name'] | WinEventLog:Security | Metadata |
| x_mitre_log_sources[0]['channel'] | 4673, 4674 | None |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Initial construction of a WMI object, such as a filter, cons | t | 1 | Initial construction of a WMI object, such as a filter, cons |
| > | umer, subscription, binding, or providers. *Data Collectio | > | umer, subscription, binding, or providers. | ||
| > | n Measures:* - Windows Security Event Logs: - Event ID | ||||
| > | 5861 (WMI Permanent Event Subscription) - Event ID 5860 | ||||
| > | (WMI Event Filter Activity) - Event ID 5857 (WMI Event C | ||||
| > | onsumer Activity) - Sysmon Logs: - Sysmon Event ID 19 – | ||||
| > | WMI Event Filter Created - Sysmon Event ID 20 – WMI Even | ||||
| > | t Consumer Created - Sysmon Event ID 21 – WMI Event Bind | ||||
| > | ing Created - Endpoint Detection & Response (EDR) - Dete | ||||
| > | cts WMI-based persistence techniques. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:35.880000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or providers. + +*Data Collection Measures:* + +- Windows Security Event Logs: + - Event ID 5861 (WMI Permanent Event Subscription) + - Event ID 5860 (WMI Event Filter Activity) + - Event ID 5857 (WMI Event Consumer Activity) +- Sysmon Logs: + - Sysmon Event ID 19 – WMI Event Filter Created + - Sysmon Event ID 20 – WMI Event Consumer Created + - Sysmon Event ID 21 – WMI Event Binding Created +- Endpoint Detection & Response (EDR) + - Detects WMI-based persistence techniques. | Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or providers. |
| x_mitre_log_sources[3]['channel'] | EventCode=5857, 5858 | EventCode=5857, 5858, 5860, 5861 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational', 'channel': 'EventCode=5861'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational', 'channel': 'EventCode=5857, 5860, 5861'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:WMI', 'channel': 'EventCode=5857, 5860, 5861'} |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:38.777000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_sources[2]['name'] | azure:signinLogs | azure:signinlogs |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:37.480000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_sources[16]['name'] | azure:signinLogs | azure:signinlogs |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The action of opening a specific Windows Registry key, typic | t | 1 | The action of opening a specific Windows Registry key, typic |
| > | ally to read its associated value. This activity can be used | > | ally to read its associated value. This activity can be used | ||
| > | for system configuration, application settings retrieval, a | > | for system configuration, application settings retrieval, a | ||
| > | nd security policies. *Data Collection Measures:* - Window | > | nd security policies. | ||
| > | s Event Logs - Event ID 4656 - Handle to an Object was R | ||||
| > | equested: Logs attempts to open registry keys. - Event I | ||||
| > | D 4663 - An Object was Accessed: Captures read/write operati | ||||
| > | ons on registry keys. - Event ID 4657 - Registry Value M | ||||
| > | odification: Useful for detecting changes to registry keys a | ||||
| > | fter being accessed. - Sysmon - Sysmon Event ID 13 - Reg | ||||
| > | istry Value Set: Captures modifications to existing registry | ||||
| > | keys. - Endpoint Detection and Response (EDR) Solutions | ||||
| > | - Provide telemetry on registry key access activities, espe | ||||
| > | cially when linked to suspicious processes. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:39.242000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | The action of opening a specific Windows Registry key, typically to read its associated value. This activity can be used for system configuration, application settings retrieval, and security policies. + +*Data Collection Measures:* + +- Windows Event Logs + - Event ID 4656 - Handle to an Object was Requested: Logs attempts to open registry keys. + - Event ID 4663 - An Object was Accessed: Captures read/write operations on registry keys. + - Event ID 4657 - Registry Value Modification: Useful for detecting changes to registry keys after being accessed. +- Sysmon + - Sysmon Event ID 13 - Registry Value Set: Captures modifications to existing registry keys. +- Endpoint Detection and Response (EDR) Solutions + - Provide telemetry on registry key access activities, especially when linked to suspicious processes. | The action of opening a specific Windows Registry key, typically to read its associated value. This activity can be used for system configuration, application settings retrieval, and security policies. |
| x_mitre_log_sources[0]['channel'] | EventCode=4656 | EventCode=4663, 4670, 4656 |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Initial construction of a new registry key within the Window | t | 1 | Initial construction of a new registry key within the Window |
| > | s operating system. *Data Collection Measures:* - Window | > | s operating system. | ||
| > | s Event Logs - Event ID 4656 - Registry Object Handle Re | ||||
| > | quested: Tracks registry key access, including newly created | ||||
| > | keys. - Event ID 4657 - Registry Value Modification: De | ||||
| > | tects modifications to an existing registry key after creati | ||||
| > | on. - Sysmon (System Monitor) for Windows - Sysmon Event | ||||
| > | ID 12 - Registry Key Created: Logs when a new registry key | ||||
| > | is created. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:37.143000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Initial construction of a new registry key within the Windows operating system. + +*Data Collection Measures:* + +- Windows Event Logs + - Event ID 4656 - Registry Object Handle Requested: Tracks registry key access, including newly created keys. + - Event ID 4657 - Registry Value Modification: Detects modifications to an existing registry key after creation. +- Sysmon (System Monitor) for Windows + - Sysmon Event ID 12 - Registry Key Created: Logs when a new registry key is created. + | Initial construction of a new registry key within the Windows operating system. |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-22 18:34:46.572000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| external_references[0]['url'] | https://attack.mitre.org/data-components/DC0063 | https://attack.mitre.org/datacomponents/DC0063 |
| x_mitre_log_sources[3]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=13'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=14'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4670'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Command Execution involves monitoring and capturing the exec | t | 1 | Command Execution involves monitoring and capturing the exec |
| > | ution of textual commands (including shell commands, cmdlets | > | ution of textual commands (including shell commands, cmdlets | ||
| > | , and scripts) within an operating system or application. Th | > | , and scripts) within an operating system or application. Th | ||
| > | ese commands may include arguments or parameters and are typ | > | ese commands may include arguments or parameters and are typ | ||
| > | ically executed through interpreters such as `cmd.exe`, `bas | > | ically executed through interpreters such as `cmd.exe`, `bas | ||
| > | h`, `zsh`, `PowerShell`, or programmatic execution. Examples | > | h`, `zsh`, `PowerShell`, or programmatic execution. Examples | ||
| > | : - Windows Command Prompt - dir – Lists directory con | > | : - Windows Command Prompt - dir – Lists directory con | ||
| > | tents. - net user – Queries or manipulates user accounts | > | tents. - net user – Queries or manipulates user accounts | ||
| > | . - tasklist – Lists running processes. - PowerShell | > | . - tasklist – Lists running processes. - PowerShell | ||
| > | - Get-Process – Retrieves processes running on a system. | > | - Get-Process – Retrieves processes running on a system. | ||
| > | - Set-ExecutionPolicy – Changes PowerShell script executio | > | - Set-ExecutionPolicy – Changes PowerShell script executio | ||
| > | n policies. - Invoke-WebRequest – Downloads remote resou | > | n policies. - Invoke-WebRequest – Downloads remote resou | ||
| > | rces. - Linux Shell - ls – Lists files in a directory. | > | rces. - Linux Shell - ls – Lists files in a directory. | ||
| > | - cat /etc/passwd – Reads the user accounts file. - c | > | - cat /etc/passwd – Reads the user accounts file. - c | ||
| > | url http://malicious-site.com – Retrieves content from a mal | > | url http://malicious-site.com – Retrieves content from a mal | ||
| > | icious URL. - Container Environments - docker exec – Exe | > | icious URL. - Container Environments - docker exec – Exe | ||
| > | cutes a command inside a running container. - kubectl ex | > | cutes a command inside a running container. - kubectl ex | ||
| > | ec – Runs commands in Kubernetes pods. - macOS Terminal | > | ec – Runs commands in Kubernetes pods. - macOS Terminal | ||
| > | - open – Opens files or URLs. - dscl . -list /Users – Li | > | - open – Opens files or URLs. - dscl . -list /Users – Li | ||
| > | sts all users on the system. - osascript -e – Executes A | > | sts all users on the system. - osascript -e – Executes A | ||
| > | ppleScript commands. This data component can be collected t | > | ppleScript commands. | ||
| > | hrough the following measures: Enable Command Logging - Wi | ||||
| > | ndows: - Enable PowerShell logging: `Set-ExecutionPolicy | ||||
| > | Bypass`, `Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\M | ||||
| > | icrosoft\Windows\PowerShell\ScriptBlockLogging" -Name Enable | ||||
| > | ScriptBlockLogging -Value 1` - Enable Windows Event Logg | ||||
| > | ing: - Event ID 4688: Tracks process creation, inclu | ||||
| > | ding command-line arguments. - Event ID 4104: Logs P | ||||
| > | owerShell script block execution. - Linux/macOS: - Enabl | ||||
| > | e shell history logging in `.bashrc` or `.zshrc`: `export HI | ||||
| > | STTIMEFORMAT="%d/%m/%y %T "`, `export PROMPT_COMMAND='histor | ||||
| > | y -a; history -w'` - Use audit frameworks (e.g., `auditd | ||||
| > | `) to log command executions. Example rule to log all `execv | ||||
| > | e` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_ex | ||||
| > | ec` - Containers: - Use runtime-specific tools like Dock | ||||
| > | er’s --log-driver or Kubernetes Audit Logs to capture exec c | ||||
| > | ommands. Integrate with Centralized Logging - Collect logs | ||||
| > | using a SIEM (e.g., Splunk) or cloud-based log aggregation | ||||
| > | tools like AWS CloudWatch or Azure Monitor. Example Splunk S | ||||
| > | earch for Windows Event 4688: `index=windows EventID=4688 Co | ||||
| > | mmandLine=*` Use Endpoint Detection and Response (EDR) Tool | ||||
| > | s - Monitor command executions via EDR solutions Deploy S | ||||
| > | ysmon for Advanced Logging (Windows) - Use Sysmon's Event I | ||||
| > | D 1 to log process creation with command-line arguments | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:34.849000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples: + +- Windows Command Prompt + - dir – Lists directory contents. + - net user – Queries or manipulates user accounts. + - tasklist – Lists running processes. +- PowerShell + - Get-Process – Retrieves processes running on a system. + - Set-ExecutionPolicy – Changes PowerShell script execution policies. + - Invoke-WebRequest – Downloads remote resources. +- Linux Shell + - ls – Lists files in a directory. + - cat /etc/passwd – Reads the user accounts file. + - curl http://malicious-site.com – Retrieves content from a malicious URL. +- Container Environments + - docker exec – Executes a command inside a running container. + - kubectl exec – Runs commands in Kubernetes pods. +- macOS Terminal + - open – Opens files or URLs. + - dscl . -list /Users – Lists all users on the system. + - osascript -e – Executes AppleScript commands. + +This data component can be collected through the following measures: + +Enable Command Logging + +- Windows: + - Enable PowerShell logging: `Set-ExecutionPolicy Bypass`, `Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1` + - Enable Windows Event Logging: + - Event ID 4688: Tracks process creation, including command-line arguments. + - Event ID 4104: Logs PowerShell script block execution. +- Linux/macOS: + - Enable shell history logging in `.bashrc` or `.zshrc`: `export HISTTIMEFORMAT="%d/%m/%y %T "`, `export PROMPT_COMMAND='history -a; history -w'` + - Use audit frameworks (e.g., `auditd`) to log command executions. Example rule to log all `execve` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_exec` +- Containers: + - Use runtime-specific tools like Docker’s --log-driver or Kubernetes Audit Logs to capture exec commands. + +Integrate with Centralized Logging + +- Collect logs using a SIEM (e.g., Splunk) or cloud-based log aggregation tools like AWS CloudWatch or Azure Monitor. Example Splunk Search for Windows Event 4688: +`index=windows EventID=4688 CommandLine=*` + +Use Endpoint Detection and Response (EDR) Tools + +- Monitor command executions via EDR solutions + +Deploy Sysmon for Advanced Logging (Windows) + +- Use Sysmon's Event ID 1 to log process creation with command-line arguments | Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples: + +- Windows Command Prompt + - dir – Lists directory contents. + - net user – Queries or manipulates user accounts. + - tasklist – Lists running processes. +- PowerShell + - Get-Process – Retrieves processes running on a system. + - Set-ExecutionPolicy – Changes PowerShell script execution policies. + - Invoke-WebRequest – Downloads remote resources. +- Linux Shell + - ls – Lists files in a directory. + - cat /etc/passwd – Reads the user accounts file. + - curl http://malicious-site.com – Retrieves content from a malicious URL. +- Container Environments + - docker exec – Executes a command inside a running container. + - kubectl exec – Runs commands in Kubernetes pods. +- macOS Terminal + - open – Opens files or URLs. + - dscl . -list /Users – Lists all users on the system. + - osascript -e – Executes AppleScript commands. |
| x_mitre_log_sources[4]['channel'] | /var/log/syslog or journalctl | cron activity |
| x_mitre_log_sources[10]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
| x_mitre_log_sources[35]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
| x_mitre_log_sources[226]['name'] | azure:signinLogs | azure:signinlogs |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Powershell', 'channel': 'EventCode=4104'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103,4104'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103,4104,4105, 4106'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4105'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4106'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103, 4104'} |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:37.544000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_sources[13]['name'] | CloudWatch:Metrics | AWS:CloudWatch |
| x_mitre_log_sources[17]['name'] | CloudWatch:InstanceMetrics | AWS:CloudWatch |
| x_mitre_log_sources[30]['name'] | CloudMetrics:InstanceHealth | AWS:CloudMetrics |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:34.190000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_sources[19]['channel'] | EventCode=22 | EventCode=3, 22 |
| x_mitre_log_sources[27]['channel'] | EventCode=5156 | EventCode=5156, 5157 |
| x_mitre_log_sources[90]['channel'] | 8001, 8002, 8003 | EventCode=8001, 8002, 8003 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=3'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=22'} | |
| x_mitre_log_sources | {'name': 'auditd:SYSCALL', 'channel': 'netconnect'} | |
| x_mitre_log_sources | {'name': 'auditd:SYSCALL', 'channel': 'open or connect'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=5156,5157'} | |
| x_mitre_log_sources | {'name': 'linux:Sysmon', 'channel': 'EventCode=3'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Summarized network packet data that captures session-level d | t | 1 | Summarized network packet data that captures session-level d |
| > | etails such as source/destination IPs, ports, protocol types | > | etails such as source/destination IPs, ports, protocol types | ||
| > | , timestamps, and data volume, without storing full packet p | > | , timestamps, and data volume, without storing full packet p | ||
| > | ayloads. This is commonly used for traffic analysis, anomaly | > | ayloads. This is commonly used for traffic analysis, anomaly | ||
| > | detection, and network performance monitoring. *Data Colle | > | detection, and network performance monitoring. | ||
| > | ction Measures:* - Network Flow Logs (Metadata Collection) | ||||
| > | - NetFlow - Summarized metadata for network con | ||||
| > | versations (no packet payloads). - sFlow (Sampled Flow L | ||||
| > | ogging) - Captures sampled packets from switches and | ||||
| > | routers. - Used for real-time traffic monitoring an | ||||
| > | d anomaly detection. - Zeek (Bro) Flow Logs - Ze | ||||
| > | ek logs session-level details in logs like conn.log, http.lo | ||||
| > | g, dns.log, etc. - Host-Based Collection - Sysmon Event | ||||
| > | ID 3 – Network Connection Initiated - Logs process-l | ||||
| > | evel network activity, useful for detecting malicious outbou | ||||
| > | nd connections. - AuditD (Linux) – syscall=connect | ||||
| > | - Monitors system calls for network connections. `auditct | ||||
| > | l -a always,exit -F arch=b64 -S connect -k network_activity` | ||||
| > | - Cloud & SaaS Flow Monitoring - AWS VPC Flow Logs | ||||
| > | - Captures metadata for traffic between EC2 instances, s | ||||
| > | ecurity groups, and internet gateways. - Azure NSG Flow | ||||
| > | Logs / Google VPC Flow Logs - Logs ingress/egress tr | ||||
| > | affic for cloud-based resources. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:34.703000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring. + +*Data Collection Measures:* + +- Network Flow Logs (Metadata Collection) + - NetFlow + - Summarized metadata for network conversations (no packet payloads). + - sFlow (Sampled Flow Logging) + - Captures sampled packets from switches and routers. + - Used for real-time traffic monitoring and anomaly detection. + - Zeek (Bro) Flow Logs + - Zeek logs session-level details in logs like conn.log, http.log, dns.log, etc. +- Host-Based Collection + - Sysmon Event ID 3 – Network Connection Initiated + - Logs process-level network activity, useful for detecting malicious outbound connections. + - AuditD (Linux) – syscall=connect + - Monitors system calls for network connections. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity` +- Cloud & SaaS Flow Monitoring + - AWS VPC Flow Logs + - Captures metadata for traffic between EC2 instances, security groups, and internet gateways. + - Azure NSG Flow Logs / Google VPC Flow Logs + - Logs ingress/egress traffic for cloud-based resources. | Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring. |
| x_mitre_log_sources[72]['channel'] | EventCode=2004,2005,2006 | EventCode=2004, 2005, 2006 |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Calls made by a process to operating system-provided Applica | t | 1 | Calls made by a process to operating system-provided Applica |
| > | tion Programming Interfaces (APIs). These calls are essentia | > | tion Programming Interfaces (APIs). These calls are essentia | ||
| > | l for interacting with system resources such as memory, file | > | l for interacting with system resources such as memory, file | ||
| > | s, and hardware, or for performing system-level tasks. Monit | > | s, and hardware, or for performing system-level tasks. Monit | ||
| > | oring these calls can provide insight into a process's inten | > | oring these calls can provide insight into a process's inten | ||
| > | t, especially if the process is malicious. *Data Collection | > | t, especially if the process is malicious. | ||
| > | Measures:* - Endpoint Detection and Response (EDR) Tools: | ||||
| > | - Leverage tools to monitor API execution behaviors at t | ||||
| > | he process level. - Example: Sysmon Event ID 10 captures | ||||
| > | API call traces for process access and memory allocation. - | ||||
| > | Process Monitor (ProcMon): - Use ProcMon to collect det | ||||
| > | ailed logs of process and API activity. ProcMon can provide | ||||
| > | granular details on API usage and identify malicious behavio | ||||
| > | r during analysis. - Windows Event Logs: - Use Event IDs | ||||
| > | from Windows logs for specific API-related activities: | ||||
| > | - Event ID 4688: A new process has been created (can ind | ||||
| > | irectly infer API use). - Event ID 4657: A registry | ||||
| > | value has been modified (to monitor registry-altering APIs). | ||||
| > | - Dynamic Analysis Tools: - Tools like Cuckoo Sandbox, | ||||
| > | Flare VM, or Hybrid Analysis monitor API execution during ma | ||||
| > | lware detonation. - Host-Based Logs: - On Linux/macOS sy | ||||
| > | stems, leverage audit frameworks (e.g., `auditd`, `strace`) | ||||
| > | to capture and analyze system call usage that APIs map to. - | ||||
| > | Runtime Monitors: - Runtime security tools like Falco c | ||||
| > | an monitor system-level calls for API execution. - Debugging | ||||
| > | and Tracing: - Use debugging tools like gdb (Linux) or | ||||
| > | WinDbg (Windows) for deep tracing of API executions in real | ||||
| > | time. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.999000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious. + +*Data Collection Measures:* + +- Endpoint Detection and Response (EDR) Tools: + - Leverage tools to monitor API execution behaviors at the process level. + - Example: Sysmon Event ID 10 captures API call traces for process access and memory allocation. +- Process Monitor (ProcMon): + - Use ProcMon to collect detailed logs of process and API activity. ProcMon can provide granular details on API usage and identify malicious behavior during analysis. +- Windows Event Logs: + - Use Event IDs from Windows logs for specific API-related activities: + - Event ID 4688: A new process has been created (can indirectly infer API use). + - Event ID 4657: A registry value has been modified (to monitor registry-altering APIs). +- Dynamic Analysis Tools: + - Tools like Cuckoo Sandbox, Flare VM, or Hybrid Analysis monitor API execution during malware detonation. +- Host-Based Logs: + - On Linux/macOS systems, leverage audit frameworks (e.g., `auditd`, `strace`) to capture and analyze system call usage that APIs map to. +- Runtime Monitors: + - Runtime security tools like Falco can monitor system-level calls for API execution. +- Debugging and Tracing: + - Use debugging tools like gdb (Linux) or WinDbg (Windows) for deep tracing of API executions in real time. | Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious. |
| x_mitre_log_sources[19]['channel'] | EventCode=4656 | EventCode=4663, 4670, 4656 |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Refers to the event in which a new process (executable) is i | t | 1 | Refers to the event in which a new process (executable) is i |
| > | nitialized by an operating system. This can involve parent-c | > | nitialized by an operating system. This can involve parent-c | ||
| > | hild process relationships, process arguments, and environme | > | hild process relationships, process arguments, and environme | ||
| > | ntal variables. Monitoring process creation is crucial for d | > | ntal variables. Monitoring process creation is crucial for d | ||
| > | etecting malicious behaviors, such as execution of unauthori | > | etecting malicious behaviors, such as execution of unauthori | ||
| > | zed binaries, scripting abuse, or privilege escalation attem | > | zed binaries, scripting abuse, or privilege escalation attem | ||
| > | pts. *Data Collection Measures:* - Endpoint Detection and | > | pts.. | ||
| > | Response (EDR) Tools: - EDRs provide process telemetry, | ||||
| > | tracking execution flows and arguments. - Windows Event Logs | ||||
| > | : - Event ID 4688 (Audit Process Creation): Captures pro | ||||
| > | cess creation with associated parent process. - Sysmon (Wind | ||||
| > | ows): - Event ID 1 (Process Creation): Provides detailed | ||||
| > | logging - Linux/macOS Monitoring: - AuditD (execve sysc | ||||
| > | all): Logs process creation. - eBPF/XDP: Used for low-le | ||||
| > | vel monitoring of system calls related to process execution. | ||||
| > | - OSQuery: Allows SQL-like queries to track process eve | ||||
| > | nts (process_events table). - Apple Endpoint Security Fr | ||||
| > | amework (ESF): Monitors process creation on macOS. - Network | ||||
| > | -Based Monitoring: - Zeek (Bro) Logs: Captures network-b | ||||
| > | ased process execution related to remote shells. - Syslo | ||||
| > | g/OSSEC: Tracks execution of processes on distributed system | ||||
| > | s. - Behavioral SIEM Rules: - Monitor process creation f | ||||
| > | or uncommon binaries in user directories. - Detect proce | ||||
| > | sses with suspicious command-line arguments. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 19:28:39.339000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| external_references[0]['url'] | https://attack.mitre.org/data-components/DC0032 | https://attack.mitre.org/datacomponents/DC0032 |
| description | Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts. + +*Data Collection Measures:* + +- Endpoint Detection and Response (EDR) Tools: + - EDRs provide process telemetry, tracking execution flows and arguments. +- Windows Event Logs: + - Event ID 4688 (Audit Process Creation): Captures process creation with associated parent process. +- Sysmon (Windows): + - Event ID 1 (Process Creation): Provides detailed logging +- Linux/macOS Monitoring: + - AuditD (execve syscall): Logs process creation. + - eBPF/XDP: Used for low-level monitoring of system calls related to process execution. + - OSQuery: Allows SQL-like queries to track process events (process_events table). + - Apple Endpoint Security Framework (ESF): Monitors process creation on macOS. +- Network-Based Monitoring: + - Zeek (Bro) Logs: Captures network-based process execution related to remote shells. + - Syslog/OSSEC: Tracks execution of processes on distributed systems. +- Behavioral SIEM Rules: + - Monitor process creation for uncommon binaries in user directories. + - Detect processes with suspicious command-line arguments. | Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts.. |
| x_mitre_log_sources[293]['channel'] | EventCode=8003,8004 | EventCode=8003, 8004 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventlog:Security', 'channel': 'EventCode=4688'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Microsoft-Windows-Security-Auditing', 'channel': 'EventCode=4688'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:security', 'channel': 'EventCode=4688'} |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:35.331000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_sources[36]['channel'] | EventCode=400,403 | EventCode=400, 403 |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The exit or termination of a running process on a system. Th | t | 1 | The exit or termination of a running process on a system. Th |
| > | is can occur due to normal operations, user-initiated comman | > | is can occur due to normal operations, user-initiated comman | ||
| > | ds, or malicious actions such as process termination by malw | > | ds, or malicious actions such as process termination by malw | ||
| > | are to disable security controls. *Data Collection Measures | > | are to disable security controls. | ||
| > | :* - Endpoint Detection and Response (EDR) Tools: - Mon | ||||
| > | itor process termination events. - Windows Event Logs: - | ||||
| > | Event ID 4689 (Process Termination) – Captures when a proce | ||||
| > | ss exits, including process ID and parent process. - Eve | ||||
| > | nt ID 7036 (Service Control Manager) – Monitors system servi | ||||
| > | ce stops. - Sysmon (Windows): - Event ID 5 (Process Term | ||||
| > | ination) – Detects when a process exits, including parent-ch | ||||
| > | ild relationships. - Linux/macOS Monitoring: - AuditD (` | ||||
| > | execve`, `exit_group`, `kill` syscalls) – Captures process t | ||||
| > | ermination via command-line interactions. - eBPF/XDP: Mo | ||||
| > | nitors low-level system calls related to process termination | ||||
| > | . - OSQuery: The processes table can be queried for abno | ||||
| > | rmal exits. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.181000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls. + +*Data Collection Measures:* + +- Endpoint Detection and Response (EDR) Tools: + - Monitor process termination events. +- Windows Event Logs: + - Event ID 4689 (Process Termination) – Captures when a process exits, including process ID and parent process. + - Event ID 7036 (Service Control Manager) – Monitors system service stops. +- Sysmon (Windows): + - Event ID 5 (Process Termination) – Detects when a process exits, including parent-child relationships. +- Linux/macOS Monitoring: + - AuditD (`execve`, `exit_group`, `kill` syscalls) – Captures process termination via command-line interactions. + - eBPF/XDP: Monitors low-level system calls related to process termination. + - OSQuery: The processes table can be queried for abnormal exits. | The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls. |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Application Log Content refers to logs generated by applicat | t | 1 | Application Log Content refers to logs generated by applicat |
| > | ions or services, providing a record of their activity. Thes | > | ions or services, providing a record of their activity. Thes | ||
| > | e logs may include metrics, errors, performance data, and op | > | e logs may include metrics, errors, performance data, and op | ||
| > | erational alerts from web, mail, or other applications. Thes | > | erational alerts from web, mail, or other applications. Thes | ||
| > | e logs are vital for monitoring application behavior and det | > | e logs are vital for monitoring application behavior and det | ||
| > | ecting malicious activities or anomalies. Examples: - Web | > | ecting malicious activities or anomalies. Examples: - Web | ||
| > | Application Logs: These logs include information about reque | > | Application Logs: These logs include information about reque | ||
| > | sts, responses, errors, and security events (e.g., unauthori | > | sts, responses, errors, and security events (e.g., unauthori | ||
| > | zed access attempts). - Email Application Logs: Logs contain | > | zed access attempts). - Email Application Logs: Logs contain | ||
| > | metadata about emails sent, received, or blocked (e.g., sen | > | metadata about emails sent, received, or blocked (e.g., sen | ||
| > | der/receiver addresses, message IDs). - SaaS Application Log | > | der/receiver addresses, message IDs). - SaaS Application Log | ||
| > | s: Activity logs include user logins, configuration changes, | > | s: Activity logs include user logins, configuration changes, | ||
| > | and access to sensitive resources. - Cloud Application Logs | > | and access to sensitive resources. - Cloud Application Logs | ||
| > | : Logs detail control plane activities, including API calls, | > | : Logs detail control plane activities, including API calls, | ||
| > | instance modifications, and network changes. - System/Appli | > | instance modifications, and network changes. - System/Appli | ||
| > | cation Monitoring Logs: Logs provide insights into applicati | > | cation Monitoring Logs: Logs provide insights into applicati | ||
| > | on performance, errors, and anomalies. This data component | > | on performance, errors, and anomalies. | ||
| > | can be collected through the following measures: Configure | ||||
| > | Application Logging - Enable logging within the application | ||||
| > | or service. - Examples: - Web Servers: Enable access an | ||||
| > | d error logs in NGINX or Apache. - Email Systems: Enable | ||||
| > | audit logging in Microsoft Exchange or Gmail. Centralized | ||||
| > | Log Management - Use log management solutions like Splunk, | ||||
| > | or a cloud-native logging solution. - Configure the applicat | ||||
| > | ion to send logs to a centralized system for analysis. Clou | ||||
| > | d-Specific Collection - Use services like AWS CloudWatch, A | ||||
| > | zure Monitor, or Google Cloud Operations Suite for cloud-bas | ||||
| > | ed applications. - Ensure logging is enabled for all critica | ||||
| > | l resources (e.g., API calls, IAM changes). SIEM Integratio | ||||
| > | n - Integrate application logs with a SIEM platform (e.g., | ||||
| > | Splunk, QRadar) for real-time correlation and analysis. - Us | ||||
| > | e parsers to standardize log formats and extract key fields | ||||
| > | like timestamps, user IDs, and error codes. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.580000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications. These logs are vital for monitoring application behavior and detecting malicious activities or anomalies. Examples: + +- Web Application Logs: These logs include information about requests, responses, errors, and security events (e.g., unauthorized access attempts). +- Email Application Logs: Logs contain metadata about emails sent, received, or blocked (e.g., sender/receiver addresses, message IDs). +- SaaS Application Logs: Activity logs include user logins, configuration changes, and access to sensitive resources. +- Cloud Application Logs: Logs detail control plane activities, including API calls, instance modifications, and network changes. +- System/Application Monitoring Logs: Logs provide insights into application performance, errors, and anomalies. + +This data component can be collected through the following measures: + +Configure Application Logging + +- Enable logging within the application or service. +- Examples: + - Web Servers: Enable access and error logs in NGINX or Apache. + - Email Systems: Enable audit logging in Microsoft Exchange or Gmail. + +Centralized Log Management + +- Use log management solutions like Splunk, or a cloud-native logging solution. +- Configure the application to send logs to a centralized system for analysis. + +Cloud-Specific Collection + +- Use services like AWS CloudWatch, Azure Monitor, or Google Cloud Operations Suite for cloud-based applications. +- Ensure logging is enabled for all critical resources (e.g., API calls, IAM changes). + +SIEM Integration + +- Integrate application logs with a SIEM platform (e.g., Splunk, QRadar) for real-time correlation and analysis. +- Use parsers to standardize log formats and extract key fields like timestamps, user IDs, and error codes. | Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications. These logs are vital for monitoring application behavior and detecting malicious activities or anomalies. Examples: + +- Web Application Logs: These logs include information about requests, responses, errors, and security events (e.g., unauthorized access attempts). +- Email Application Logs: Logs contain metadata about emails sent, received, or blocked (e.g., sender/receiver addresses, message IDs). +- SaaS Application Logs: Activity logs include user logins, configuration changes, and access to sensitive resources. +- Cloud Application Logs: Logs detail control plane activities, including API calls, instance modifications, and network changes. +- System/Application Monitoring Logs: Logs provide insights into application performance, errors, and anomalies. |
| x_mitre_log_sources[17]['name'] | WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational | WinEventLog:System |
| x_mitre_log_sources[37]['name'] | azure:signinLogs | azure:signinlogs |
| x_mitre_log_sources[75]['name'] | WinEventLog:Application | WinEventLog:System |
| x_mitre_log_sources[75]['channel'] | EventCode=1000-1026 | EventCode=1000 |
| x_mitre_log_sources[44]['channel'] | EventCode=7031,7034,1000,1001 | EventCode=1341, 1342, 1020, 1063 |
| x_mitre_log_sources[172]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Application', 'channel': 'EventCode=1000, 1001, 1002'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:System', 'channel': 'EventCode=1341,1342,1020,1063'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Application', 'channel': 'EventCode=1000,1001'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Command Execution involves monitoring and capturing the exec | t | 1 | Command Execution involves monitoring and capturing the exec |
| > | ution of textual commands (including shell commands, cmdlets | > | ution of textual commands (including shell commands, cmdlets | ||
| > | , and scripts) within an operating system or application. Th | > | , and scripts) within an operating system or application. Th | ||
| > | ese commands may include arguments or parameters and are typ | > | ese commands may include arguments or parameters and are typ | ||
| > | ically executed through interpreters such as `cmd.exe`, `bas | > | ically executed through interpreters such as `cmd.exe`, `bas | ||
| > | h`, `zsh`, `PowerShell`, or programmatic execution. Examples | > | h`, `zsh`, `PowerShell`, or programmatic execution. Examples | ||
| > | : - Windows Command Prompt - dir – Lists directory con | > | : - Windows Command Prompt - dir – Lists directory con | ||
| > | tents. - net user – Queries or manipulates user accounts | > | tents. - net user – Queries or manipulates user accounts | ||
| > | . - tasklist – Lists running processes. - PowerShell | > | . - tasklist – Lists running processes. - PowerShell | ||
| > | - Get-Process – Retrieves processes running on a system. | > | - Get-Process – Retrieves processes running on a system. | ||
| > | - Set-ExecutionPolicy – Changes PowerShell script executio | > | - Set-ExecutionPolicy – Changes PowerShell script executio | ||
| > | n policies. - Invoke-WebRequest – Downloads remote resou | > | n policies. - Invoke-WebRequest – Downloads remote resou | ||
| > | rces. - Linux Shell - ls – Lists files in a directory. | > | rces. - Linux Shell - ls – Lists files in a directory. | ||
| > | - cat /etc/passwd – Reads the user accounts file. - c | > | - cat /etc/passwd – Reads the user accounts file. - c | ||
| > | url http://malicious-site.com – Retrieves content from a mal | > | url http://malicious-site.com – Retrieves content from a mal | ||
| > | icious URL. - Container Environments - docker exec – Exe | > | icious URL. - Container Environments - docker exec – Exe | ||
| > | cutes a command inside a running container. - kubectl ex | > | cutes a command inside a running container. - kubectl ex | ||
| > | ec – Runs commands in Kubernetes pods. - macOS Terminal | > | ec – Runs commands in Kubernetes pods. - macOS Terminal | ||
| > | - open – Opens files or URLs. - dscl . -list /Users – Li | > | - open – Opens files or URLs. - dscl . -list /Users – Li | ||
| > | sts all users on the system. - osascript -e – Executes A | > | sts all users on the system. - osascript -e – Executes A | ||
| > | ppleScript commands. This data component can be collected t | > | ppleScript commands. | ||
| > | hrough the following measures: Enable Command Logging - Wi | ||||
| > | ndows: - Enable PowerShell logging: `Set-ExecutionPolicy | ||||
| > | Bypass`, `Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\M | ||||
| > | icrosoft\Windows\PowerShell\ScriptBlockLogging" -Name Enable | ||||
| > | ScriptBlockLogging -Value 1` - Enable Windows Event Logg | ||||
| > | ing: - Event ID 4688: Tracks process creation, inclu | ||||
| > | ding command-line arguments. - Event ID 4104: Logs P | ||||
| > | owerShell script block execution. - Linux/macOS: - Enabl | ||||
| > | e shell history logging in `.bashrc` or `.zshrc`: `export HI | ||||
| > | STTIMEFORMAT="%d/%m/%y %T "`, `export PROMPT_COMMAND='histor | ||||
| > | y -a; history -w'` - Use audit frameworks (e.g., `auditd | ||||
| > | `) to log command executions. Example rule to log all `execv | ||||
| > | e` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_ex | ||||
| > | ec` - Containers: - Use runtime-specific tools like Dock | ||||
| > | er’s --log-driver or Kubernetes Audit Logs to capture exec c | ||||
| > | ommands. Integrate with Centralized Logging - Collect logs | ||||
| > | using a SIEM (e.g., Splunk) or cloud-based log aggregation | ||||
| > | tools like AWS CloudWatch or Azure Monitor. Example Splunk S | ||||
| > | earch for Windows Event 4688: `index=windows EventID=4688 Co | ||||
| > | mmandLine=*` Use Endpoint Detection and Response (EDR) Tool | ||||
| > | s - Monitor command executions via EDR solutions Deploy S | ||||
| > | ysmon for Advanced Logging (Windows) - Use Sysmon's Event I | ||||
| > | D 1 to log process creation with command-line arguments | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:34.849000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples: + +- Windows Command Prompt + - dir – Lists directory contents. + - net user – Queries or manipulates user accounts. + - tasklist – Lists running processes. +- PowerShell + - Get-Process – Retrieves processes running on a system. + - Set-ExecutionPolicy – Changes PowerShell script execution policies. + - Invoke-WebRequest – Downloads remote resources. +- Linux Shell + - ls – Lists files in a directory. + - cat /etc/passwd – Reads the user accounts file. + - curl http://malicious-site.com – Retrieves content from a malicious URL. +- Container Environments + - docker exec – Executes a command inside a running container. + - kubectl exec – Runs commands in Kubernetes pods. +- macOS Terminal + - open – Opens files or URLs. + - dscl . -list /Users – Lists all users on the system. + - osascript -e – Executes AppleScript commands. + +This data component can be collected through the following measures: + +Enable Command Logging + +- Windows: + - Enable PowerShell logging: `Set-ExecutionPolicy Bypass`, `Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1` + - Enable Windows Event Logging: + - Event ID 4688: Tracks process creation, including command-line arguments. + - Event ID 4104: Logs PowerShell script block execution. +- Linux/macOS: + - Enable shell history logging in `.bashrc` or `.zshrc`: `export HISTTIMEFORMAT="%d/%m/%y %T "`, `export PROMPT_COMMAND='history -a; history -w'` + - Use audit frameworks (e.g., `auditd`) to log command executions. Example rule to log all `execve` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_exec` +- Containers: + - Use runtime-specific tools like Docker’s --log-driver or Kubernetes Audit Logs to capture exec commands. + +Integrate with Centralized Logging + +- Collect logs using a SIEM (e.g., Splunk) or cloud-based log aggregation tools like AWS CloudWatch or Azure Monitor. Example Splunk Search for Windows Event 4688: +`index=windows EventID=4688 CommandLine=*` + +Use Endpoint Detection and Response (EDR) Tools + +- Monitor command executions via EDR solutions + +Deploy Sysmon for Advanced Logging (Windows) + +- Use Sysmon's Event ID 1 to log process creation with command-line arguments | Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples: + +- Windows Command Prompt + - dir – Lists directory contents. + - net user – Queries or manipulates user accounts. + - tasklist – Lists running processes. +- PowerShell + - Get-Process – Retrieves processes running on a system. + - Set-ExecutionPolicy – Changes PowerShell script execution policies. + - Invoke-WebRequest – Downloads remote resources. +- Linux Shell + - ls – Lists files in a directory. + - cat /etc/passwd – Reads the user accounts file. + - curl http://malicious-site.com – Retrieves content from a malicious URL. +- Container Environments + - docker exec – Executes a command inside a running container. + - kubectl exec – Runs commands in Kubernetes pods. +- macOS Terminal + - open – Opens files or URLs. + - dscl . -list /Users – Lists all users on the system. + - osascript -e – Executes AppleScript commands. |
| x_mitre_log_sources[4]['channel'] | /var/log/syslog or journalctl | cron activity |
| x_mitre_log_sources[10]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
| x_mitre_log_sources[35]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
| x_mitre_log_sources[226]['name'] | azure:signinLogs | azure:signinlogs |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Powershell', 'channel': 'EventCode=4104'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103,4104'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103,4104,4105, 4106'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4105'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4106'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103, 4104'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The activity of assigning a new drive letter or creating a m | t | 1 | The activity of assigning a new drive letter or creating a m |
| > | ount point for a data storage device, such as a USB, network | > | ount point for a data storage device, such as a USB, network | ||
| > | share, or external hard drive, enabling access to its conte | > | share, or external hard drive, enabling access to its conte | ||
| > | nt on a host system. Examples: - USB Drive Insertion: A US | > | nt on a host system. Examples: - USB Drive Insertion: A US | ||
| > | B drive is plugged in and automatically assigned the letter | > | B drive is plugged in and automatically assigned the letter | ||
| > | `E:\` on a Windows machine. - Network Drive Mapping: A netwo | > | `E:\` on a Windows machine. - Network Drive Mapping: A netwo | ||
| > | rk share `\\server\share` is mapped to the drive `Z:\`. - Vi | > | rk share `\\server\share` is mapped to the drive `Z:\`. - Vi | ||
| > | rtual Drive Creation: A virtual disk is mounted on `/mnt/vir | > | rtual Drive Creation: A virtual disk is mounted on `/mnt/vir | ||
| > | tualdrive` using an ISO image or a virtual hard disk (VHD). | > | tualdrive` using an ISO image or a virtual hard disk (VHD). | ||
| > | - Cloud Storage Mounting: Google Drive is mounted as `G:\` o | > | - Cloud Storage Mounting: Google Drive is mounted as `G:\` o | ||
| > | n a Windows machine using a cloud sync tool. - External Stor | > | n a Windows machine using a cloud sync tool. - External Stor | ||
| > | age Integration: An external HDD or SSD is connected and ass | > | age Integration: An external HDD or SSD is connected and ass | ||
| > | igned `/mnt/external` on a Linux system. This data componen | > | igned `/mnt/external` on a Linux system.. | ||
| > | t can be collected through the following measures: Windows | ||||
| > | Event Logs - Relevant Events: - Event ID 98: Logs the c | ||||
| > | reation of a volume (mount or new drive letter assignment). | ||||
| > | - Event ID 1006: Logs removable storage device insertion | ||||
| > | s. - Configuration: Enable "Removable Storage Events" in the | ||||
| > | Group Policy settings: `Computer Configuration > Administra | ||||
| > | tive Templates > System > Removable Storage Access` Linux S | ||||
| > | ystem Logs - Command-Line Monitoring: Use `dmesg` or `journ | ||||
| > | alctl` to monitor mount events. - Auditd Configuration: Add | ||||
| > | audit rules to track mount points. - Logs can be reviewed i | ||||
| > | n /var/log/audit/audit.log. macOS System Logs - Unified Lo | ||||
| > | gs: Monitor system logs for mount activity: - Command-Line T | ||||
| > | ools: Use `diskutil list` to verify newly created or mounted | ||||
| > | drives. Endpoint Detection and Response (EDR) Tools - EDR | ||||
| > | solutions can log removable drive usage and network-mounted | ||||
| > | drives. Configure EDR policies to alert on suspicious drive | ||||
| > | creation events. SIEM Tools - Centralize logs from multip | ||||
| > | le platforms into a SIEM (e.g., Splunk) to correlate and ale | ||||
| > | rt on suspicious drive creation activities. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:37.342000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | The activity of assigning a new drive letter or creating a mount point for a data storage device, such as a USB, network share, or external hard drive, enabling access to its content on a host system. Examples: + +- USB Drive Insertion: A USB drive is plugged in and automatically assigned the letter `E:\` on a Windows machine. +- Network Drive Mapping: A network share `\\server\share` is mapped to the drive `Z:\`. +- Virtual Drive Creation: A virtual disk is mounted on `/mnt/virtualdrive` using an ISO image or a virtual hard disk (VHD). +- Cloud Storage Mounting: Google Drive is mounted as `G:\` on a Windows machine using a cloud sync tool. +- External Storage Integration: An external HDD or SSD is connected and assigned `/mnt/external` on a Linux system. + +This data component can be collected through the following measures: + +Windows Event Logs + +- Relevant Events: + - Event ID 98: Logs the creation of a volume (mount or new drive letter assignment). + - Event ID 1006: Logs removable storage device insertions. +- Configuration: Enable "Removable Storage Events" in the Group Policy settings: +`Computer Configuration > Administrative Templates > System > Removable Storage Access` + +Linux System Logs + +- Command-Line Monitoring: Use `dmesg` or `journalctl` to monitor mount events. + +- Auditd Configuration: Add audit rules to track mount points. +- Logs can be reviewed in /var/log/audit/audit.log. + +macOS System Logs + +- Unified Logs: Monitor system logs for mount activity: +- Command-Line Tools: Use `diskutil list` to verify newly created or mounted drives. + +Endpoint Detection and Response (EDR) Tools + +- EDR solutions can log removable drive usage and network-mounted drives. Configure EDR policies to alert on suspicious drive creation events. + +SIEM Tools + +- Centralize logs from multiple platforms into a SIEM (e.g., Splunk) to correlate and alert on suspicious drive creation activities. | The activity of assigning a new drive letter or creating a mount point for a data storage device, such as a USB, network share, or external hard drive, enabling access to its content on a host system. Examples: + +- USB Drive Insertion: A USB drive is plugged in and automatically assigned the letter `E:\` on a Windows machine. +- Network Drive Mapping: A network share `\\server\share` is mapped to the drive `Z:\`. +- Virtual Drive Creation: A virtual disk is mounted on `/mnt/virtualdrive` using an ISO image or a virtual hard disk (VHD). +- Cloud Storage Mounting: Google Drive is mounted as `G:\` on a Windows machine using a cloud sync tool. +- External Storage Integration: An external HDD or SSD is connected and assigned `/mnt/external` on a Linux system.. |
| x_mitre_log_sources[4]['name'] | WinEventLog:Microsoft-Windows-Partition/Diagnostic | WinEventLog:System |
| x_mitre_log_sources[7]['channel'] | EventCode=1006,10001 | EventCode=1006, 10001 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational', 'channel': 'EventCode=2003'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:System', 'channel': 'EventCode=20001/20003'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:System', 'channel': '20001-20003'} |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-22 19:03:17.198000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| external_references[0]['url'] | https://attack.mitre.org/data-components/DC0046 | https://attack.mitre.org/datacomponents/DC0046 |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | To events where a file is opened or accessed, making its con | t | 1 | To events where a file is opened or accessed, making its con |
| > | tents available to the requester. This includes reading, exe | > | tents available to the requester. This includes reading, exe | ||
| > | cuting, or interacting with files by authorized or unauthori | > | cuting, or interacting with files by authorized or unauthori | ||
| > | zed entities. Examples include logging file access events (e | > | zed entities. Examples include logging file access events (e | ||
| > | .g., Windows Event ID 4663), monitoring file reads, and dete | > | .g., Windows Event ID 4663), monitoring file reads, and dete | ||
| > | cting unusual file access patterns. Examples: - File Read | > | cting unusual file access patterns. Examples: - File Read | ||
| > | Operations: A user opens a sensitive document (e.g., financi | > | Operations: A user opens a sensitive document (e.g., financi | ||
| > | al_report.xlsx) on a shared drive. - File Execution: A scrip | > | al_report.xlsx) on a shared drive. - File Execution: A scrip | ||
| > | t or executable file is accessed and executed (e.g., malware | > | t or executable file is accessed and executed (e.g., malware | ||
| > | .exe is run from a temporary directory). - Unauthorized File | > | .exe is run from a temporary directory). - Unauthorized File | ||
| > | Access: An unauthorized user attempts to access a protected | > | Access: An unauthorized user attempts to access a protected | ||
| > | configuration file (e.g., `/etc/passwd` on Linux or `System | > | configuration file (e.g., `/etc/passwd` on Linux or `System | ||
| > | 32` files on Windows). - File Access Patterns: Bulk access t | > | 32` files on Windows). - File Access Patterns: Bulk access t | ||
| > | o multiple files in a short time (e.g., mass access to docum | > | o multiple files in a short time (e.g., mass access to docum | ||
| > | ents on a file server). - File Access via Network: Files on | > | ents on a file server). - File Access via Network: Files on | ||
| > | a network share are accessed remotely (e.g., logs of SMB fil | > | a network share are accessed remotely (e.g., logs of SMB fil | ||
| > | e access). This data component can be collected through the | > | e access). | ||
| > | following measures: Windows - Windows Event Logs: Event I | ||||
| > | D 4663: Captures file system auditing details, including who | ||||
| > | accessed the file, access type, and file name. - Sysmon: | ||||
| > | - Event ID 11: Logs file creation time changes. - Even | ||||
| > | t ID 1 (process creation): Can provide insight into files ex | ||||
| > | ecuted. - PowerShell: Commands to monitor file access in rea | ||||
| > | l-time: `Get-WinEvent -FilterHashtable @{LogName='Security'; | ||||
| > | ID=4663}` Linux - Auditd: Monitor file access events usin | ||||
| > | g audit rules: `auditctl -w /path/to/file -p rwxa -k file_ac | ||||
| > | cess` - View logs: `ausearch -k file_access` - Inotify: Use | ||||
| > | inotify to track file access on Linux: `inotifywait -m /path | ||||
| > | /to/watch -e access` macOS - Unified Logs: Monitor file ac | ||||
| > | cess using the macOS Unified Logging System. - FSEvents: Fil | ||||
| > | e System Events can track file accesses: `fs_usage | grep op | ||||
| > | en` Network Devices - SMB/CIFS Logs: Monitor file access o | ||||
| > | ver network shares using logs from SMB or CIFS protocol. - N | ||||
| > | AS Logs: Collect logs from network-attached storage systems | ||||
| > | for file access events. SIEM Integration - Collect file ac | ||||
| > | cess logs from all platforms (Windows, Linux, macOS) and cen | ||||
| > | tralize in a SIEM for correlation and analysis. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:35.674000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | To events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples: + +- File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive. +- File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory). +- Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., `/etc/passwd` on Linux or `System32` files on Windows). +- File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server). +- File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access). + +This data component can be collected through the following measures: + +Windows + +- Windows Event Logs: Event ID 4663: Captures file system auditing details, including who accessed the file, access type, and file name. +- Sysmon: + - Event ID 11: Logs file creation time changes. + - Event ID 1 (process creation): Can provide insight into files executed. +- PowerShell: Commands to monitor file access in real-time: `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663}` + +Linux + +- Auditd: Monitor file access events using audit rules: `auditctl -w /path/to/file -p rwxa -k file_access` +- View logs: `ausearch -k file_access` +- Inotify: Use inotify to track file access on Linux: `inotifywait -m /path/to/watch -e access` + +macOS + +- Unified Logs: Monitor file access using the macOS Unified Logging System. +- FSEvents: File System Events can track file accesses: `fs_usage | grep open` + +Network Devices + +- SMB/CIFS Logs: Monitor file access over network shares using logs from SMB or CIFS protocol. +- NAS Logs: Collect logs from network-attached storage systems for file access events. + +SIEM Integration + +- Collect file access logs from all platforms (Windows, Linux, macOS) and centralize in a SIEM for correlation and analysis. | To events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples: + +- File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive. +- File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory). +- Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., `/etc/passwd` on Linux or `System32` files on Windows). +- File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server). +- File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access). |
| x_mitre_log_sources[4]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4656, 4663'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4656,4663'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4670, 4663'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4656'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=5145, 4663'} | |
| x_mitre_log_sources | {'name': 'auditd:PATH', 'channel': 'path'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | A new file is created on a system or network storage. This a | t | 1 | A new file is created on a system or network storage. This a |
| > | ction often signifies an operation such as saving a document | > | ction often signifies an operation such as saving a document | ||
| > | , writing data, or deploying a file. Logging these events he | > | , writing data, or deploying a file. Logging these events he | ||
| > | lps identify legitimate or potentially malicious file creati | > | lps identify legitimate or potentially malicious file creati | ||
| > | on activities. Examples include logging file creation events | > | on activities. Examples include logging file creation events | ||
| > | (e.g., Sysmon Event ID 11 or Linux auditd logs). This dat | > | (e.g., Sysmon Event ID 11 or Linux auditd logs). | ||
| > | a component can be collected through the following measures: | ||||
| > | Windows - Sysmon: Event ID 11: Logs file creation events, | ||||
| > | capturing details like the file path, hash, and creation ti | ||||
| > | me. - Windows Event Log: Enable "Object Access" auditing in | ||||
| > | Group Policy to track file creation under Event ID 4663. - P | ||||
| > | owerShell: Real-time monitoring of file creation:`Get-WinEve | ||||
| > | nt -FilterHashtable @{LogName='Security'; ID=4663}` Linux | ||||
| > | - Auditd: Use audit rules to monitor file creation: `auditct | ||||
| > | l -w /path/to/directory -p w -k file_creation` - View logs: | ||||
| > | `ausearch -k file_creation` - Inotify: Monitor file creation | ||||
| > | with inotifywait: `inotifywait -m /path/to/watch -e create` | ||||
| > | macOS - Unified Logs: Use the macOS Unified Logging Syste | ||||
| > | m to capture file creation events. - FSEvents: Use File Syst | ||||
| > | em Events to monitor file creation: `fs_usage | grep create` | ||||
| > | Network Devices - NAS Logs: Monitor file creation events | ||||
| > | on network-attached storage devices. - SMB Logs: Collect log | ||||
| > | s of file creation activities over SMB/CIFS protocols. SIEM | ||||
| > | Integration - Forward logs from all platforms (Windows, Li | ||||
| > | nux, macOS) to a SIEM for central analysis and alerting. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 19:32:14.744000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| external_references[0]['url'] | https://attack.mitre.org/data-components/DC0039 | https://attack.mitre.org/datacomponents/DC0039 |
| description | A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs). + +This data component can be collected through the following measures: + +Windows + +- Sysmon: Event ID 11: Logs file creation events, capturing details like the file path, hash, and creation time. +- Windows Event Log: Enable "Object Access" auditing in Group Policy to track file creation under Event ID 4663. +- PowerShell: Real-time monitoring of file creation:`Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663}` + +Linux + +- Auditd: Use audit rules to monitor file creation: `auditctl -w /path/to/directory -p w -k file_creation` +- View logs: `ausearch -k file_creation` +- Inotify: Monitor file creation with inotifywait: `inotifywait -m /path/to/watch -e create` + +macOS + +- Unified Logs: Use the macOS Unified Logging System to capture file creation events. +- FSEvents: Use File System Events to monitor file creation: `fs_usage | grep create` + +Network Devices + +- NAS Logs: Monitor file creation events on network-attached storage devices. +- SMB Logs: Collect logs of file creation activities over SMB/CIFS protocols. + +SIEM Integration + +- Forward logs from all platforms (Windows, Linux, macOS) to a SIEM for central analysis and alerting. | A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs). |
| x_mitre_log_sources[37]['name'] | macos:unified | macos:unifiedlog |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Sysmon', 'channel': 'Modification of .asar in /opt or ~/.config directories'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Refers to events where files are removed from a system or st | t | 1 | Refers to events where files are removed from a system or st |
| > | orage device. These events can indicate legitimate housekeep | > | orage device. These events can indicate legitimate housekeep | ||
| > | ing activities or malicious actions such as attackers attemp | > | ing activities or malicious actions such as attackers attemp | ||
| > | ting to cover their tracks. Monitoring file deletions helps | > | ting to cover their tracks. Monitoring file deletions helps | ||
| > | organizations identify unauthorized or suspicious activities | > | organizations identify unauthorized or suspicious activities | ||
| > | . This data component can be collected through the followin | > | . | ||
| > | g measures: Windows - Sysmon: Event ID 23: Logs file delet | ||||
| > | ion events, including details such as file paths and respons | ||||
| > | ible processes. - Windows Event Log: Enable "Object Access" | ||||
| > | auditing to monitor file deletions. - PowerShell: `Get-WinEv | ||||
| > | ent -FilterHashtable @{LogName='Security'; ID=4663} | Where- | ||||
| > | Object {$_.Message -like '*DELETE*'}` Linux - Auditd: Use | ||||
| > | audit rules to capture file deletion events: `auditctl -a al | ||||
| > | ways,exit -F arch=b64 -S unlink -S rename -S rmdir -k file_d | ||||
| > | eletion` - Query logs: `ausearch -k file_deletion` - Inotify | ||||
| > | : Use inotifywait to monitor file deletions: `inotifywait -m | ||||
| > | /path/to/watch -e delete` macOS - Endpoint Security Frame | ||||
| > | work (ESF): Monitor events like ES_EVENT_TYPE_AUTH_UNLINK to | ||||
| > | capture file deletion activities. - FSEvents: Track file de | ||||
| > | letion activities in real-time: `fs_usage | grep unlink` SI | ||||
| > | EM Integration - Forward file deletion logs to a SIEM for c | ||||
| > | entralized monitoring and correlation with other events. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.450000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities. + +This data component can be collected through the following measures: + +Windows + +- Sysmon: Event ID 23: Logs file deletion events, including details such as file paths and responsible processes. +- Windows Event Log: Enable "Object Access" auditing to monitor file deletions. +- PowerShell: `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663} | Where-Object {$_.Message -like '*DELETE*'}` + +Linux + +- Auditd: Use audit rules to capture file deletion events: `auditctl -a always,exit -F arch=b64 -S unlink -S rename -S rmdir -k file_deletion` +- Query logs: `ausearch -k file_deletion` +- Inotify: Use inotifywait to monitor file deletions: `inotifywait -m /path/to/watch -e delete` + +macOS + +- Endpoint Security Framework (ESF): Monitor events like ES_EVENT_TYPE_AUTH_UNLINK to capture file deletion activities. +- FSEvents: Track file deletion activities in real-time: `fs_usage | grep unlink` + +SIEM Integration + +- Forward file deletion logs to a SIEM for centralized monitoring and correlation with other events. + | Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities. |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | contextual information about a file, including attributes su | t | 1 | contextual information about a file, including attributes su |
| > | ch as the file's name, size, type, content (e.g., signatures | > | ch as the file's name, size, type, content (e.g., signatures | ||
| > | , headers, media), user/owner, permissions, timestamps, and | > | , headers, media), user/owner, permissions, timestamps, and | ||
| > | other related properties. File metadata provides insights in | > | other related properties. File metadata provides insights in | ||
| > | to a file's characteristics and can be used to detect malici | > | to a file's characteristics and can be used to detect malici | ||
| > | ous activity, unauthorized modifications, or other anomalies | > | ous activity, unauthorized modifications, or other anomalies | ||
| > | . Examples: - File Ownership and Permissions: Checking the | > | . Examples: - File Ownership and Permissions: Checking the | ||
| > | owner and permissions of a critical configuration file like | > | owner and permissions of a critical configuration file like | ||
| > | /etc/passwd on Linux or C:\Windows\System32\config\SAM on W | > | /etc/passwd on Linux or C:\Windows\System32\config\SAM on W | ||
| > | indows. - Timestamps: Analyzing the creation, modification, | > | indows. - Timestamps: Analyzing the creation, modification, | ||
| > | and access timestamps of a file. - File Content and Signatur | > | and access timestamps of a file. - File Content and Signatur | ||
| > | es: Extracting the headers of an executable file to verify i | > | es: Extracting the headers of an executable file to verify i | ||
| > | ts signature or detect packing/obfuscation. - File Attribute | > | ts signature or detect packing/obfuscation. - File Attribute | ||
| > | s: Analyzing attributes like hidden, system, or read-only fl | > | s: Analyzing attributes like hidden, system, or read-only fl | ||
| > | ags in Windows. - File Hashes: Generating MD5, SHA-1, or SHA | > | ags in Windows. - File Hashes: Generating MD5, SHA-1, or SHA | ||
| > | -256 hashes of files to compare against threat intelligence | > | -256 hashes of files to compare against threat intelligence | ||
| > | feeds. - File Location: Monitoring files located in unusual | > | feeds. - File Location: Monitoring files located in unusual | ||
| > | directories or paths, such as temporary or user folders. Th | > | directories or paths, such as temporary or user folders. | ||
| > | is data component can be collected through the following mea | ||||
| > | sures: Windows - Sysinternals Tools: Use `AccessEnum` or ` | ||||
| > | PSFile` to retrieve metadata about file access and permissio | ||||
| > | ns. - Windows Event Logs: Enable object access auditing and | ||||
| > | monitor events like 4663 (Object Access) and 5140 (A network | ||||
| > | share object was accessed). - PowerShell: Use Get-Item or G | ||||
| > | et-ChildItem cmdlets: `Get-ChildItem -Path "C:\Path\To\Direc | ||||
| > | tory" -Recurse | Select-Object Name, Length, LastWriteTime, | ||||
| > | Attributes` Linux - File System Commands: Use `ls -l` or s | ||||
| > | tat to retrieve file metadata: `stat /path/to/file` - Auditd | ||||
| > | : Configure audit rules to log metadata access: `auditctl -w | ||||
| > | /path/to/file -p wa -k file_metadata` - Filesystem Integrit | ||||
| > | y Tools: Tools like tripwire or AIDE (Advanced Intrusion Det | ||||
| > | ection Environment) can monitor file metadata changes. macO | ||||
| > | S - FSEvents: Use FSEvents to track file metadata changes. | ||||
| > | - Endpoint Security Framework (ESF): Capture metadata-relate | ||||
| > | d events via ESF APIs. - Command-Line Tools: Use ls -l or xa | ||||
| > | ttr for file attributes: `ls -l@ /path/to/file` SIEM Integr | ||||
| > | ation - Forward file metadata logs from endpoint or network | ||||
| > | devices to a SIEM for centralized analysis. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:35.397000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples: + +- File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\Windows\System32\config\SAM on Windows. +- Timestamps: Analyzing the creation, modification, and access timestamps of a file. +- File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation. +- File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows. +- File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds. +- File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders. + +This data component can be collected through the following measures: + +Windows + +- Sysinternals Tools: Use `AccessEnum` or `PSFile` to retrieve metadata about file access and permissions. +- Windows Event Logs: Enable object access auditing and monitor events like 4663 (Object Access) and 5140 (A network share object was accessed). +- PowerShell: Use Get-Item or Get-ChildItem cmdlets: `Get-ChildItem -Path "C:\Path\To\Directory" -Recurse | Select-Object Name, Length, LastWriteTime, Attributes` + +Linux + +- File System Commands: Use `ls -l` or stat to retrieve file metadata: `stat /path/to/file` +- Auditd: Configure audit rules to log metadata access: `auditctl -w /path/to/file -p wa -k file_metadata` +- Filesystem Integrity Tools: Tools like tripwire or AIDE (Advanced Intrusion Detection Environment) can monitor file metadata changes. + +macOS + +- FSEvents: Use FSEvents to track file metadata changes. +- Endpoint Security Framework (ESF): Capture metadata-related events via ESF APIs. +- Command-Line Tools: Use ls -l or xattr for file attributes: `ls -l@ /path/to/file` + +SIEM Integration + +- Forward file metadata logs from endpoint or network devices to a SIEM for centralized analysis. | contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples: + +- File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\Windows\System32\config\SAM on Windows. +- Timestamps: Analyzing the creation, modification, and access timestamps of a file. +- File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation. +- File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows. +- File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds. +- File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders. |
| x_mitre_log_sources[18]['channel'] | path | PATH |
| x_mitre_log_sources[42]['channel'] | EventCode=4670 | EventCode=4663, 4670, 4656 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4663'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=15 '} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Changes made to a file, including updates to its contents, m | t | 1 | Changes made to a file, including updates to its contents, m |
| > | etadata, access permissions, or attributes. These modificati | > | etadata, access permissions, or attributes. These modificati | ||
| > | ons may indicate legitimate activity (e.g., software updates | > | ons may indicate legitimate activity (e.g., software updates | ||
| > | ) or unauthorized changes (e.g., tampering, ransomware, or a | > | ) or unauthorized changes (e.g., tampering, ransomware, or a | ||
| > | dversarial modifications). Examples: - Content Modificatio | > | dversarial modifications). Examples: - Content Modificatio | ||
| > | ns: Changes to the content of a configuration file, such as | > | ns: Changes to the content of a configuration file, such as | ||
| > | modifying `/etc/ssh/sshd_config` on Linux or `C:\Windows\Sys | > | modifying `/etc/ssh/sshd_config` on Linux or `C:\Windows\Sys | ||
| > | tem32\drivers\etc\hosts` on Windows. - Permission Changes: A | > | tem32\drivers\etc\hosts` on Windows. - Permission Changes: A | ||
| > | ltering file permissions to allow broader access, such as ch | > | ltering file permissions to allow broader access, such as ch | ||
| > | anging a file from `644` to `777` on Linux or modifying NTFS | > | anging a file from `644` to `777` on Linux or modifying NTFS | ||
| > | permissions on Windows. - Attribute Modifications: Changing | > | permissions on Windows. - Attribute Modifications: Changing | ||
| > | a file's attributes to hidden, read-only, or system on Wind | > | a file's attributes to hidden, read-only, or system on Wind | ||
| > | ows. - Timestamp Manipulation: Adjusting a file's creation o | > | ows. - Timestamp Manipulation: Adjusting a file's creation o | ||
| > | r modification timestamp using tools like `touch` in Linux o | > | r modification timestamp using tools like `touch` in Linux o | ||
| > | r timestomping tools on Windows. - Software or System File C | > | r timestomping tools on Windows. - Software or System File C | ||
| > | hanges: Modifying system files such as `boot.ini`, kernel mo | > | hanges: Modifying system files such as `boot.ini`, kernel mo | ||
| > | dules, or application binaries. This data component can be | > | dules, or application binaries. | ||
| > | collected through the following measures: Windows - Event | ||||
| > | Logs: Enable file system auditing to monitor file modificati | ||||
| > | ons using Security Event ID 4670 (File System Audit) or Sysm | ||||
| > | on Event ID 2 (File creation time changed). - PowerShell: Us | ||||
| > | e Get-ItemProperty or Get-Acl cmdlets to monitor file proper | ||||
| > | ties: `Get-Item -Path "C:\path\to\file" | Select-Object Name | ||||
| > | , Attributes, LastWriteTime` Linux - File System Monitorin | ||||
| > | g: Use tools like auditd with rules to monitor file modifica | ||||
| > | tions: `auditctl -w /path/to/file -p wa -k file_modification | ||||
| > | ` - Inotify: Use inotifywait to watch for real-time changes | ||||
| > | to files or directories: `inotifywait -m /path/to/file` mac | ||||
| > | OS - Endpoint Security Framework (ESF): Monitor file modifi | ||||
| > | cation events using ESF APIs. - Audit Framework: Configure a | ||||
| > | udit rules to track file changes. - Command-Line Tools: Use | ||||
| > | fs_usage to monitor file activities: `fs_usage -w /path/to/f | ||||
| > | ile` SIEM Tools - Collect logs from endpoint agents (e.g., | ||||
| > | Sysmon, Auditd) and file servers to centralize file modific | ||||
| > | ation event data. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:35.239000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Changes made to a file, including updates to its contents, metadata, access permissions, or attributes. These modifications may indicate legitimate activity (e.g., software updates) or unauthorized changes (e.g., tampering, ransomware, or adversarial modifications). Examples: + +- Content Modifications: Changes to the content of a configuration file, such as modifying `/etc/ssh/sshd_config` on Linux or `C:\Windows\System32\drivers\etc\hosts` on Windows. +- Permission Changes: Altering file permissions to allow broader access, such as changing a file from `644` to `777` on Linux or modifying NTFS permissions on Windows. +- Attribute Modifications: Changing a file's attributes to hidden, read-only, or system on Windows. +- Timestamp Manipulation: Adjusting a file's creation or modification timestamp using tools like `touch` in Linux or timestomping tools on Windows. +- Software or System File Changes: Modifying system files such as `boot.ini`, kernel modules, or application binaries. + +This data component can be collected through the following measures: + +Windows + +- Event Logs: Enable file system auditing to monitor file modifications using Security Event ID 4670 (File System Audit) or Sysmon Event ID 2 (File creation time changed). +- PowerShell: Use Get-ItemProperty or Get-Acl cmdlets to monitor file properties: `Get-Item -Path "C:\path\to\file" | Select-Object Name, Attributes, LastWriteTime` + +Linux + +- File System Monitoring: Use tools like auditd with rules to monitor file modifications: `auditctl -w /path/to/file -p wa -k file_modification` +- Inotify: Use inotifywait to watch for real-time changes to files or directories: `inotifywait -m /path/to/file` + +macOS + +- Endpoint Security Framework (ESF): Monitor file modification events using ESF APIs. +- Audit Framework: Configure audit rules to track file changes. +- Command-Line Tools: Use fs_usage to monitor file activities: `fs_usage -w /path/to/file` + +SIEM Tools + +- Collect logs from endpoint agents (e.g., Sysmon, Auditd) and file servers to centralize file modification event data. | Changes made to a file, including updates to its contents, metadata, access permissions, or attributes. These modifications may indicate legitimate activity (e.g., software updates) or unauthorized changes (e.g., tampering, ransomware, or adversarial modifications). Examples: + +- Content Modifications: Changes to the content of a configuration file, such as modifying `/etc/ssh/sshd_config` on Linux or `C:\Windows\System32\drivers\etc\hosts` on Windows. +- Permission Changes: Altering file permissions to allow broader access, such as changing a file from `644` to `777` on Linux or modifying NTFS permissions on Windows. +- Attribute Modifications: Changing a file's attributes to hidden, read-only, or system on Windows. +- Timestamp Manipulation: Adjusting a file's creation or modification timestamp using tools like `touch` in Linux or timestomping tools on Windows. +- Software or System File Changes: Modifying system files such as `boot.ini`, kernel modules, or application binaries. |
| x_mitre_log_sources[8]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
| x_mitre_log_sources[59]['name'] | WinEventLog:Sysmon | WinEventLog:CodeIntegrity |
| x_mitre_log_sources[59]['channel'] | EvenCode=2 | EventCode=3033 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4656,4663'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4670'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Application', 'channel': '81,3033'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The successful establishment of a new user session following | t | 1 | The successful establishment of a new user session following |
| > | a successful authentication attempt. This typically signifi | > | a successful authentication attempt. This typically signifi | ||
| > | es that a user has provided valid credentials or authenticat | > | es that a user has provided valid credentials or authenticat | ||
| > | ion tokens, and the system has initiated a session associate | > | ion tokens, and the system has initiated a session associate | ||
| > | d with that user account. This data is crucial for tracking | > | d with that user account. This data is crucial for tracking | ||
| > | authentication events and identifying potential unauthorized | > | authentication events and identifying potential unauthorized | ||
| > | access. Examples: - Windows Systems - Event ID: 4624 | > | access. Examples: - Windows Systems - Event ID: 4624 | ||
| > | - Logon Type: 2 (Interactive) or 10 (Remote Interact | > | - Logon Type: 2 (Interactive) or 10 (Remote Interact | ||
| > | ive via RDP). - Account Name: JohnDoe - Sour | > | ive via RDP). - Account Name: JohnDoe - Sour | ||
| > | ce Network Address: 192.168.1.100 - Authentication P | > | ce Network Address: 192.168.1.100 - Authentication P | ||
| > | ackage: NTLM - Linux Systems - /var/log/utmp or /var/log | > | ackage: NTLM - Linux Systems - /var/log/utmp or /var/log | ||
| > | /wtmp: - Log format: login user [tty] from [source_i | > | /wtmp: - Log format: login user [tty] from [source_i | ||
| > | p] - User: jane - IP: 10.0.0.5 - Tim | > | p] - User: jane - IP: 10.0.0.5 - Tim | ||
| > | estamp: 2024-12-28 08:30:00 - macOS Systems - /var/log/a | > | estamp: 2024-12-28 08:30:00 - macOS Systems - /var/log/a | ||
| > | sl.log or unified logging framework: - Log: com.appl | > | sl.log or unified logging framework: - Log: com.appl | ||
| > | e.securityd: Authentication succeeded for user 'admin' - Clo | > | e.securityd: Authentication succeeded for user 'admin' - Clo | ||
| > | ud Environments - Azure Sign-In Logs: - Activity | > | ud Environments - Azure Sign-In Logs: - Activity | ||
| > | : Sign-in successful - Client App: Browser - | > | : Sign-in successful - Client App: Browser - | ||
| > | Location: Unknown (Country: X) - Google Workspace - Act | > | Location: Unknown (Country: X) - Google Workspace - Act | ||
| > | ivity: Login - Event Type: successful_login | > | ivity: Login - Event Type: successful_login | ||
| > | - Source IP: 203.0.113.55 This data component can be collec | > | - Source IP: 203.0.113.55 | ||
| > | ted through the following measures: - Windows Systems - | ||||
| > | Event Logs: Monitor Security Event Logs using Event ID 4624 | ||||
| > | for successful logons. - PowerShell Example: `Get-Event | ||||
| > | Log -LogName Security -InstanceId 4624` - Linux Systems | ||||
| > | - Log Files: Monitor `/var/log/utmp`, `/var/log/wtmp`, or `/ | ||||
| > | var/log/auth.log` for logon events. - Tools: Use `last` | ||||
| > | or `who` commands to parse login records. - macOS Systems | ||||
| > | - Log Sources: Monitor `/var/log/asl.log` or Apple Unified | ||||
| > | Logs using the `log show` command. - Command Example: ` | ||||
| > | log show --predicate 'eventMessage contains "Authentication | ||||
| > | succeeded"' --info` - Cloud Environments - Azure AD: Use | ||||
| > | Azure Monitor to analyze sign-in logs. Example CLI Query: ` | ||||
| > | az monitor log-analytics query -w <workspace_id> --analytics | ||||
| > | -query "AzureActivity | where ActivityStatus == 'Success' an | ||||
| > | d OperationName == 'Sign-in'"` - Google Workspace: Enabl | ||||
| > | e and monitor Login Audit logs from the Admin Console. - | ||||
| > | Office 365: Use Audit Log Search in Microsoft 365 Security | ||||
| > | & Compliance Center for login-related events. - Network Logs | ||||
| > | - Sources: Network authentication mechanisms (e.g., RAD | ||||
| > | IUS or TACACS logs). - Enable EDR Monitoring: - EDR too | ||||
| > | ls monitor logon session activity, including the creation of | ||||
| > | new sessions. - Configure alerts for: Suspicious logon | ||||
| > | types (e.g., Logon Type 10 for RDP or Type 5 for Service). L | ||||
| > | ogons from unusual locations, accounts, or devices. - Le | ||||
| > | verage EDR telemetry for session attributes like source IP, | ||||
| > | session duration, and originating process. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:35.022000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | The successful establishment of a new user session following a successful authentication attempt. This typically signifies that a user has provided valid credentials or authentication tokens, and the system has initiated a session associated with that user account. This data is crucial for tracking authentication events and identifying potential unauthorized access. Examples:
+
+- Windows Systems
+ - Event ID: 4624
+ - Logon Type: 2 (Interactive) or 10 (Remote Interactive via RDP).
+ - Account Name: JohnDoe
+ - Source Network Address: 192.168.1.100
+ - Authentication Package: NTLM
+- Linux Systems
+ - /var/log/utmp or /var/log/wtmp:
+ - Log format: login user [tty] from [source_ip]
+ - User: jane
+ - IP: 10.0.0.5
+ - Timestamp: 2024-12-28 08:30:00
+- macOS Systems
+ - /var/log/asl.log or unified logging framework:
+ - Log: com.apple.securityd: Authentication succeeded for user 'admin'
+- Cloud Environments
+ - Azure Sign-In Logs:
+ - Activity: Sign-in successful
+ - Client App: Browser
+ - Location: Unknown (Country: X)
+- Google Workspace
+ - Activity: Login
+ - Event Type: successful_login
+ - Source IP: 203.0.113.55
+
+This data component can be collected through the following measures:
+
+- Windows Systems
+ - Event Logs: Monitor Security Event Logs using Event ID 4624 for successful logons.
+ - PowerShell Example: `Get-EventLog -LogName Security -InstanceId 4624`
+- Linux Systems
+ - Log Files: Monitor `/var/log/utmp`, `/var/log/wtmp`, or `/var/log/auth.log` for logon events.
+ - Tools: Use `last` or `who` commands to parse login records.
+- macOS Systems
+ - Log Sources: Monitor `/var/log/asl.log` or Apple Unified Logs using the `log show` command.
+ - Command Example: `log show --predicate 'eventMessage contains "Authentication succeeded"' --info`
+- Cloud Environments
+ - Azure AD: Use Azure Monitor to analyze sign-in logs. Example CLI Query: `az monitor log-analytics query -w | The successful establishment of a new user session following a successful authentication attempt. This typically signifies that a user has provided valid credentials or authentication tokens, and the system has initiated a session associated with that user account. This data is crucial for tracking authentication events and identifying potential unauthorized access. Examples: + +- Windows Systems + - Event ID: 4624 + - Logon Type: 2 (Interactive) or 10 (Remote Interactive via RDP). + - Account Name: JohnDoe + - Source Network Address: 192.168.1.100 + - Authentication Package: NTLM +- Linux Systems + - /var/log/utmp or /var/log/wtmp: + - Log format: login user [tty] from [source_ip] + - User: jane + - IP: 10.0.0.5 + - Timestamp: 2024-12-28 08:30:00 +- macOS Systems + - /var/log/asl.log or unified logging framework: + - Log: com.apple.securityd: Authentication succeeded for user 'admin' +- Cloud Environments + - Azure Sign-In Logs: + - Activity: Sign-in successful + - Client App: Browser + - Location: Unknown (Country: X) +- Google Workspace + - Activity: Login + - Event Type: successful_login + - Source IP: 203.0.113.55 |
| x_mitre_log_sources[5]['name'] | m365:signin | m365:signinlogs |
| x_mitre_log_sources[31]['name'] | m365:signin | m365:signinlogs |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624 with LogonType=9 or smartcard logon'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624 (LogonType=10 or 3), EventCode=4648'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624 (LogonType=3)'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624 (LogonType=10), EventCode=4648'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4672, 4648'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': '4624'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624,4648, 4672'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624,4648,4672,4769'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventID=4624'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4634'} |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.246000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_sources[4]['name'] | azure:signinLogs | azure:signinlogs |
| x_mitre_log_sources[3]['channel'] | EventCode=4624, 4634, 4672, 4768, 4769 | EventCode=4776, 4771, 4770 |
| x_mitre_log_sources[32]['name'] | m365:signin | m365:signinlogs |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4672, 4634'} |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4634, 4672, 4769'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4672'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4776,4771,4770'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624,4672'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4672, 4634, 4768, 4769'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | When a process or program dynamically attaches a shared libr | t | 1 | When a process or program dynamically attaches a shared libr |
| > | ary, module, or plugin into its memory space. This action is | > | ary, module, or plugin into its memory space. This action is | ||
| > | typically performed to extend the functionality of an appli | > | typically performed to extend the functionality of an appli | ||
| > | cation, access shared system resources, or interact with ker | > | cation, access shared system resources, or interact with ker | ||
| > | nel-mode components. *Data Collection Measures:* - Event L | > | nel-mode components. | ||
| > | ogging (Windows): - Sysmon Event ID 7: Logs when a DLL i | ||||
| > | s loaded into a process. - Windows Security Event ID 468 | ||||
| > | 8: Captures process creation events, often useful for correl | ||||
| > | ating module loads. - Windows Defender ATP: Can provide | ||||
| > | visibility into suspicious module loads. - Event Logging (Li | ||||
| > | nux/macOS): - AuditD (`execve` and `open` syscalls): Cap | ||||
| > | tures when shared libraries (`.so` files) are loaded. - | ||||
| > | Ltrace/Strace: Monitors process behavior, including library | ||||
| > | calls (`dlopen`, `execve`). - MacOS Endpoint Security Fr | ||||
| > | amework (ESF): Monitors library loads (`ES_EVENT_TYPE_NOTIFY | ||||
| > | _DYLD_INSERT_LIBRARIES`). - Endpoint Detection & Response (E | ||||
| > | DR): - Provide real-time telemetry on module loads and | ||||
| > | process injections. - Sysinternals Process Monitor (`pro | ||||
| > | cmon`): Captures loaded modules and their execution context. | ||||
| > | - Memory Forensics: - Volatility Framework (`malfind`, | ||||
| > | `ldrmodules`): Detects injected DLLs and anomalous module lo | ||||
| > | ads. - Rekall Framework: Useful for kernel-mode module d | ||||
| > | etection. - SIEM and Log Analysis: - Centralized log agg | ||||
| > | regation to correlate suspicious module loads across the env | ||||
| > | ironment. - Detection rules using correlation searches a | ||||
| > | nd behavioral analytics. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:35.471000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | When a process or program dynamically attaches a shared library, module, or plugin into its memory space. This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components. + +*Data Collection Measures:* + +- Event Logging (Windows): + - Sysmon Event ID 7: Logs when a DLL is loaded into a process. + - Windows Security Event ID 4688: Captures process creation events, often useful for correlating module loads. + - Windows Defender ATP: Can provide visibility into suspicious module loads. +- Event Logging (Linux/macOS): + - AuditD (`execve` and `open` syscalls): Captures when shared libraries (`.so` files) are loaded. + - Ltrace/Strace: Monitors process behavior, including library calls (`dlopen`, `execve`). + - MacOS Endpoint Security Framework (ESF): Monitors library loads (`ES_EVENT_TYPE_NOTIFY_DYLD_INSERT_LIBRARIES`). +- Endpoint Detection & Response (EDR): + - Provide real-time telemetry on module loads and process injections. + - Sysinternals Process Monitor (`procmon`): Captures loaded modules and their execution context. +- Memory Forensics: + - Volatility Framework (`malfind`, `ldrmodules`): Detects injected DLLs and anomalous module loads. + - Rekall Framework: Useful for kernel-mode module detection. +- SIEM and Log Analysis: + - Centralized log aggregation to correlate suspicious module loads across the environment. + - Detection rules using correlation searches and behavioral analytics. | When a process or program dynamically attaches a shared library, module, or plugin into its memory space. This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components. |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:34.190000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_sources[19]['channel'] | EventCode=22 | EventCode=3, 22 |
| x_mitre_log_sources[27]['channel'] | EventCode=5156 | EventCode=5156, 5157 |
| x_mitre_log_sources[90]['channel'] | 8001, 8002, 8003 | EventCode=8001, 8002, 8003 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=3'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=22'} | |
| x_mitre_log_sources | {'name': 'auditd:SYSCALL', 'channel': 'netconnect'} | |
| x_mitre_log_sources | {'name': 'auditd:SYSCALL', 'channel': 'open or connect'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=5156,5157'} | |
| x_mitre_log_sources | {'name': 'linux:Sysmon', 'channel': 'EventCode=3'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Opening a network share, which makes the contents available | t | 1 | Opening a network share, which makes the contents available |
| > | to the requestor (ex: Windows EID 5140 or 5145) *Data Colle | > | to the requestor (ex: Windows EID 5140 or 5145) | ||
| > | ction Measures:* - Windows: - Event ID 5140 – Network S | ||||
| > | hare Object Access Logs every access attempt to a network sh | ||||
| > | are. - Event ID 5145 – Detailed Network Share Object Acc | ||||
| > | ess Captures granular access control information, including | ||||
| > | the requesting user, source IP, and access permissions. | ||||
| > | - Sysmon Event ID 3 – Network Connection Initiated Helps tra | ||||
| > | ck SMB connections to suspicious or unauthorized network sha | ||||
| > | res. - Enable Audit Policy for Network Share Access: `au | ||||
| > | ditpol /set /subcategory:"File Share" /success:enable /failu | ||||
| > | re:enable` - Enable PowerShell Logging to Detect Unautho | ||||
| > | rized SMB Access: `Set-ExecutionPolicy RemoteSigned` - R | ||||
| > | estrict Network Share Access with Group Policy (GPO): `Compu | ||||
| > | ter Configuration → Windows Settings → Security Settings → L | ||||
| > | ocal Policies → User Rights Assignment` Set "Access this com | ||||
| > | puter from the network" to restrict unauthorized accounts. - | ||||
| > | Linux/macOS: - AuditD (`open`, `read`, `write`, `connec | ||||
| > | t` syscalls) Detects access to NFS, CIFS, and SMB network sh | ||||
| > | ares. - Lsof (`lsof | grep nfs` or `lsof | grep smb`) Id | ||||
| > | entifies active network share connections. - Mount (`mou | ||||
| > | nt | grep nfs` or `mount | grep cifs`) Lists currently mount | ||||
| > | ed network shares. - Enable AuditD for SMB/NFS Access: ` | ||||
| > | auditctl -a always,exit -F arch=b64 -S open -F path=/mnt/sha | ||||
| > | re -k network_share_access` - Monitor Active Network Sha | ||||
| > | res Using Netstat: `netstat -an | grep :445` - Endpoint Dete | ||||
| > | ction & Response (EDR): - Detects abnormal network share | ||||
| > | access behavior, such as unusual account usage, large file | ||||
| > | transfers, or encrypted file activity. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:37.412000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145) + +*Data Collection Measures:* + +- Windows: + - Event ID 5140 – Network Share Object Access Logs every access attempt to a network share. + - Event ID 5145 – Detailed Network Share Object Access Captures granular access control information, including the requesting user, source IP, and access permissions. + - Sysmon Event ID 3 – Network Connection Initiated Helps track SMB connections to suspicious or unauthorized network shares. + - Enable Audit Policy for Network Share Access: `auditpol /set /subcategory:"File Share" /success:enable /failure:enable` + - Enable PowerShell Logging to Detect Unauthorized SMB Access: `Set-ExecutionPolicy RemoteSigned` + - Restrict Network Share Access with Group Policy (GPO): `Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment` Set "Access this computer from the network" to restrict unauthorized accounts. +- Linux/macOS: + - AuditD (`open`, `read`, `write`, `connect` syscalls) Detects access to NFS, CIFS, and SMB network shares. + - Lsof (`lsof | grep nfs` or `lsof | grep smb`) Identifies active network share connections. + - Mount (`mount | grep nfs` or `mount | grep cifs`) Lists currently mounted network shares. + - Enable AuditD for SMB/NFS Access: `auditctl -a always,exit -F arch=b64 -S open -F path=/mnt/share -k network_share_access` + - Monitor Active Network Shares Using Netstat: `netstat -an | grep :445` +- Endpoint Detection & Response (EDR): + - Detects abnormal network share access behavior, such as unusual account usage, large file transfers, or encrypted file activity. | Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145) |
| x_mitre_log_sources[1]['channel'] | EventID=31001 | EventCode=31001 |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Summarized network packet data that captures session-level d | t | 1 | Summarized network packet data that captures session-level d |
| > | etails such as source/destination IPs, ports, protocol types | > | etails such as source/destination IPs, ports, protocol types | ||
| > | , timestamps, and data volume, without storing full packet p | > | , timestamps, and data volume, without storing full packet p | ||
| > | ayloads. This is commonly used for traffic analysis, anomaly | > | ayloads. This is commonly used for traffic analysis, anomaly | ||
| > | detection, and network performance monitoring. *Data Colle | > | detection, and network performance monitoring. | ||
| > | ction Measures:* - Network Flow Logs (Metadata Collection) | ||||
| > | - NetFlow - Summarized metadata for network con | ||||
| > | versations (no packet payloads). - sFlow (Sampled Flow L | ||||
| > | ogging) - Captures sampled packets from switches and | ||||
| > | routers. - Used for real-time traffic monitoring an | ||||
| > | d anomaly detection. - Zeek (Bro) Flow Logs - Ze | ||||
| > | ek logs session-level details in logs like conn.log, http.lo | ||||
| > | g, dns.log, etc. - Host-Based Collection - Sysmon Event | ||||
| > | ID 3 – Network Connection Initiated - Logs process-l | ||||
| > | evel network activity, useful for detecting malicious outbou | ||||
| > | nd connections. - AuditD (Linux) – syscall=connect | ||||
| > | - Monitors system calls for network connections. `auditct | ||||
| > | l -a always,exit -F arch=b64 -S connect -k network_activity` | ||||
| > | - Cloud & SaaS Flow Monitoring - AWS VPC Flow Logs | ||||
| > | - Captures metadata for traffic between EC2 instances, s | ||||
| > | ecurity groups, and internet gateways. - Azure NSG Flow | ||||
| > | Logs / Google VPC Flow Logs - Logs ingress/egress tr | ||||
| > | affic for cloud-based resources. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:34.703000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring. + +*Data Collection Measures:* + +- Network Flow Logs (Metadata Collection) + - NetFlow + - Summarized metadata for network conversations (no packet payloads). + - sFlow (Sampled Flow Logging) + - Captures sampled packets from switches and routers. + - Used for real-time traffic monitoring and anomaly detection. + - Zeek (Bro) Flow Logs + - Zeek logs session-level details in logs like conn.log, http.log, dns.log, etc. +- Host-Based Collection + - Sysmon Event ID 3 – Network Connection Initiated + - Logs process-level network activity, useful for detecting malicious outbound connections. + - AuditD (Linux) – syscall=connect + - Monitors system calls for network connections. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity` +- Cloud & SaaS Flow Monitoring + - AWS VPC Flow Logs + - Captures metadata for traffic between EC2 instances, security groups, and internet gateways. + - Azure NSG Flow Logs / Google VPC Flow Logs + - Logs ingress/egress traffic for cloud-based resources. | Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring. |
| x_mitre_log_sources[72]['channel'] | EventCode=2004,2005,2006 | EventCode=2004, 2005, 2006 |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Calls made by a process to operating system-provided Applica | t | 1 | Calls made by a process to operating system-provided Applica |
| > | tion Programming Interfaces (APIs). These calls are essentia | > | tion Programming Interfaces (APIs). These calls are essentia | ||
| > | l for interacting with system resources such as memory, file | > | l for interacting with system resources such as memory, file | ||
| > | s, and hardware, or for performing system-level tasks. Monit | > | s, and hardware, or for performing system-level tasks. Monit | ||
| > | oring these calls can provide insight into a process's inten | > | oring these calls can provide insight into a process's inten | ||
| > | t, especially if the process is malicious. *Data Collection | > | t, especially if the process is malicious. | ||
| > | Measures:* - Endpoint Detection and Response (EDR) Tools: | ||||
| > | - Leverage tools to monitor API execution behaviors at t | ||||
| > | he process level. - Example: Sysmon Event ID 10 captures | ||||
| > | API call traces for process access and memory allocation. - | ||||
| > | Process Monitor (ProcMon): - Use ProcMon to collect det | ||||
| > | ailed logs of process and API activity. ProcMon can provide | ||||
| > | granular details on API usage and identify malicious behavio | ||||
| > | r during analysis. - Windows Event Logs: - Use Event IDs | ||||
| > | from Windows logs for specific API-related activities: | ||||
| > | - Event ID 4688: A new process has been created (can ind | ||||
| > | irectly infer API use). - Event ID 4657: A registry | ||||
| > | value has been modified (to monitor registry-altering APIs). | ||||
| > | - Dynamic Analysis Tools: - Tools like Cuckoo Sandbox, | ||||
| > | Flare VM, or Hybrid Analysis monitor API execution during ma | ||||
| > | lware detonation. - Host-Based Logs: - On Linux/macOS sy | ||||
| > | stems, leverage audit frameworks (e.g., `auditd`, `strace`) | ||||
| > | to capture and analyze system call usage that APIs map to. - | ||||
| > | Runtime Monitors: - Runtime security tools like Falco c | ||||
| > | an monitor system-level calls for API execution. - Debugging | ||||
| > | and Tracing: - Use debugging tools like gdb (Linux) or | ||||
| > | WinDbg (Windows) for deep tracing of API executions in real | ||||
| > | time. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.999000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious. + +*Data Collection Measures:* + +- Endpoint Detection and Response (EDR) Tools: + - Leverage tools to monitor API execution behaviors at the process level. + - Example: Sysmon Event ID 10 captures API call traces for process access and memory allocation. +- Process Monitor (ProcMon): + - Use ProcMon to collect detailed logs of process and API activity. ProcMon can provide granular details on API usage and identify malicious behavior during analysis. +- Windows Event Logs: + - Use Event IDs from Windows logs for specific API-related activities: + - Event ID 4688: A new process has been created (can indirectly infer API use). + - Event ID 4657: A registry value has been modified (to monitor registry-altering APIs). +- Dynamic Analysis Tools: + - Tools like Cuckoo Sandbox, Flare VM, or Hybrid Analysis monitor API execution during malware detonation. +- Host-Based Logs: + - On Linux/macOS systems, leverage audit frameworks (e.g., `auditd`, `strace`) to capture and analyze system call usage that APIs map to. +- Runtime Monitors: + - Runtime security tools like Falco can monitor system-level calls for API execution. +- Debugging and Tracing: + - Use debugging tools like gdb (Linux) or WinDbg (Windows) for deep tracing of API executions in real time. | Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious. |
| x_mitre_log_sources[19]['channel'] | EventCode=4656 | EventCode=4663, 4670, 4656 |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Refers to the event in which a new process (executable) is i | t | 1 | Refers to the event in which a new process (executable) is i |
| > | nitialized by an operating system. This can involve parent-c | > | nitialized by an operating system. This can involve parent-c | ||
| > | hild process relationships, process arguments, and environme | > | hild process relationships, process arguments, and environme | ||
| > | ntal variables. Monitoring process creation is crucial for d | > | ntal variables. Monitoring process creation is crucial for d | ||
| > | etecting malicious behaviors, such as execution of unauthori | > | etecting malicious behaviors, such as execution of unauthori | ||
| > | zed binaries, scripting abuse, or privilege escalation attem | > | zed binaries, scripting abuse, or privilege escalation attem | ||
| > | pts. *Data Collection Measures:* - Endpoint Detection and | > | pts.. | ||
| > | Response (EDR) Tools: - EDRs provide process telemetry, | ||||
| > | tracking execution flows and arguments. - Windows Event Logs | ||||
| > | : - Event ID 4688 (Audit Process Creation): Captures pro | ||||
| > | cess creation with associated parent process. - Sysmon (Wind | ||||
| > | ows): - Event ID 1 (Process Creation): Provides detailed | ||||
| > | logging - Linux/macOS Monitoring: - AuditD (execve sysc | ||||
| > | all): Logs process creation. - eBPF/XDP: Used for low-le | ||||
| > | vel monitoring of system calls related to process execution. | ||||
| > | - OSQuery: Allows SQL-like queries to track process eve | ||||
| > | nts (process_events table). - Apple Endpoint Security Fr | ||||
| > | amework (ESF): Monitors process creation on macOS. - Network | ||||
| > | -Based Monitoring: - Zeek (Bro) Logs: Captures network-b | ||||
| > | ased process execution related to remote shells. - Syslo | ||||
| > | g/OSSEC: Tracks execution of processes on distributed system | ||||
| > | s. - Behavioral SIEM Rules: - Monitor process creation f | ||||
| > | or uncommon binaries in user directories. - Detect proce | ||||
| > | sses with suspicious command-line arguments. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 19:28:39.339000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| external_references[0]['url'] | https://attack.mitre.org/data-components/DC0032 | https://attack.mitre.org/datacomponents/DC0032 |
| description | Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts. + +*Data Collection Measures:* + +- Endpoint Detection and Response (EDR) Tools: + - EDRs provide process telemetry, tracking execution flows and arguments. +- Windows Event Logs: + - Event ID 4688 (Audit Process Creation): Captures process creation with associated parent process. +- Sysmon (Windows): + - Event ID 1 (Process Creation): Provides detailed logging +- Linux/macOS Monitoring: + - AuditD (execve syscall): Logs process creation. + - eBPF/XDP: Used for low-level monitoring of system calls related to process execution. + - OSQuery: Allows SQL-like queries to track process events (process_events table). + - Apple Endpoint Security Framework (ESF): Monitors process creation on macOS. +- Network-Based Monitoring: + - Zeek (Bro) Logs: Captures network-based process execution related to remote shells. + - Syslog/OSSEC: Tracks execution of processes on distributed systems. +- Behavioral SIEM Rules: + - Monitor process creation for uncommon binaries in user directories. + - Detect processes with suspicious command-line arguments. | Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts.. |
| x_mitre_log_sources[293]['channel'] | EventCode=8003,8004 | EventCode=8003, 8004 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventlog:Security', 'channel': 'EventCode=4688'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Microsoft-Windows-Security-Auditing', 'channel': 'EventCode=4688'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:security', 'channel': 'EventCode=4688'} |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:35.331000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_sources[36]['channel'] | EventCode=400,403 | EventCode=400, 403 |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The exit or termination of a running process on a system. Th | t | 1 | The exit or termination of a running process on a system. Th |
| > | is can occur due to normal operations, user-initiated comman | > | is can occur due to normal operations, user-initiated comman | ||
| > | ds, or malicious actions such as process termination by malw | > | ds, or malicious actions such as process termination by malw | ||
| > | are to disable security controls. *Data Collection Measures | > | are to disable security controls. | ||
| > | :* - Endpoint Detection and Response (EDR) Tools: - Mon | ||||
| > | itor process termination events. - Windows Event Logs: - | ||||
| > | Event ID 4689 (Process Termination) – Captures when a proce | ||||
| > | ss exits, including process ID and parent process. - Eve | ||||
| > | nt ID 7036 (Service Control Manager) – Monitors system servi | ||||
| > | ce stops. - Sysmon (Windows): - Event ID 5 (Process Term | ||||
| > | ination) – Detects when a process exits, including parent-ch | ||||
| > | ild relationships. - Linux/macOS Monitoring: - AuditD (` | ||||
| > | execve`, `exit_group`, `kill` syscalls) – Captures process t | ||||
| > | ermination via command-line interactions. - eBPF/XDP: Mo | ||||
| > | nitors low-level system calls related to process termination | ||||
| > | . - OSQuery: The processes table can be queried for abno | ||||
| > | rmal exits. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.181000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls. + +*Data Collection Measures:* + +- Endpoint Detection and Response (EDR) Tools: + - Monitor process termination events. +- Windows Event Logs: + - Event ID 4689 (Process Termination) – Captures when a process exits, including process ID and parent process. + - Event ID 7036 (Service Control Manager) – Monitors system service stops. +- Sysmon (Windows): + - Event ID 5 (Process Termination) – Detects when a process exits, including parent-child relationships. +- Linux/macOS Monitoring: + - AuditD (`execve`, `exit_group`, `kill` syscalls) – Captures process termination via command-line interactions. + - eBPF/XDP: Monitors low-level system calls related to process termination. + - OSQuery: The processes table can be queried for abnormal exits. | The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls. |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The establishment of a task or job that will execute at a pr | t | 1 | The establishment of a task or job that will execute at a pr |
| > | edefined time or based on specific triggers. *Data Collecti | > | edefined time or based on specific triggers. | ||
| > | on Measures: * - Windows Event Logs: - Event ID 4698 (S | ||||
| > | cheduled Task Created) – Detects the creation of new schedul | ||||
| > | ed tasks. - Event ID 4702 (Scheduled Task Updated) – Ide | ||||
| > | ntifies modifications to existing scheduled jobs. - Even | ||||
| > | t ID 106 (TaskScheduler Operational Log) – Provides details | ||||
| > | about scheduled task execution. - Sysmon (Windows): - Ev | ||||
| > | ent ID 1 (Process Creation) – Detects the execution of suspi | ||||
| > | cious tasks started by `schtasks.exe`, `at.exe`, or `taskeng | ||||
| > | .exe`. - Linux/macOS Monitoring: - AuditD: Monitor modif | ||||
| > | ications to `/etc/cron*`, `/var/spool/cron/`, and `crontab` | ||||
| > | files. - Syslog: Capture cron job execution logs from `/ | ||||
| > | var/log/cron`. - OSQuery: Query the `crontab` and `launc | ||||
| > | hd` tables for scheduled job configurations. - Endpoint Dete | ||||
| > | ction and Response (EDR) Tools: - Track scheduled task c | ||||
| > | reation and modification events. - SIEM & XDR Detection Rule | ||||
| > | s: - Monitor for scheduled jobs created by unusual users | ||||
| > | . - Detect tasks executing scripts from non-standard dir | ||||
| > | ectories. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:35.814000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | The establishment of a task or job that will execute at a predefined time or based on specific triggers. + +*Data Collection Measures: * + +- Windows Event Logs: + - Event ID 4698 (Scheduled Task Created) – Detects the creation of new scheduled tasks. + - Event ID 4702 (Scheduled Task Updated) – Identifies modifications to existing scheduled jobs. + - Event ID 106 (TaskScheduler Operational Log) – Provides details about scheduled task execution. +- Sysmon (Windows): + - Event ID 1 (Process Creation) – Detects the execution of suspicious tasks started by `schtasks.exe`, `at.exe`, or `taskeng.exe`. +- Linux/macOS Monitoring: + - AuditD: Monitor modifications to `/etc/cron*`, `/var/spool/cron/`, and `crontab` files. + - Syslog: Capture cron job execution logs from `/var/log/cron`. + - OSQuery: Query the `crontab` and `launchd` tables for scheduled job configurations. +- Endpoint Detection and Response (EDR) Tools: + - Track scheduled task creation and modification events. +- SIEM & XDR Detection Rules: + - Monitor for scheduled jobs created by unusual users. + - Detect tasks executing scripts from non-standard directories. | The establishment of a task or job that will execute at a predefined time or based on specific triggers. |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-22 19:03:38.549000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| external_references[0]['url'] | https://attack.mitre.org/data-components/DC0005 | https://attack.mitre.org/datacomponents/DC0005 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'linux:cron', 'channel': '/var/log/syslog or journalctl'} | |
| x_mitre_log_sources | {'name': 'linux::cron', 'channel': 'crontab or at job created within TimeWindow post time discovery'} |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The execution of a text file that contains code via the inte | t | 1 | The execution of a text file that contains code via the inte |
| > | rpreter. *Data Collection Measures:* - Windows Event Logs: | > | rpreter. | ||
| > | - Event ID 4104 (PowerShell Script Block Logging) – Cap | ||||
| > | tures full command-line execution of PowerShell scripts. | ||||
| > | - Event ID 4688 (Process Creation) – Detects script executi | ||||
| > | on by tracking process launches (`powershell.exe`, `wscript. | ||||
| > | exe`, `cscript.exe`). - Event ID 5861 (Script Execution) | ||||
| > | – Captures script execution via Windows Defender AMSI loggi | ||||
| > | ng. - Sysmon (Windows): - Event ID 1 (Process Creation) | ||||
| > | – Monitors script execution initiated by scripting engines. | ||||
| > | - Event ID 11 (File Creation) – Detects new script files | ||||
| > | written to disk before execution. - Endpoint Detection and | ||||
| > | Response (EDR) Tools: - Track script execution behavior, | ||||
| > | detect obfuscated commands, and prevent malicious scripts. | ||||
| > | - PowerShell Logging: - Enable Module Logging: Logs all | ||||
| > | loaded modules and cmdlets. - Enable Script Block Loggin | ||||
| > | g: Captures complete PowerShell script execution history. - | ||||
| > | SIEM Detection Rules: - Detect script execution with obf | ||||
| > | uscated, encoded, or remote URLs. - Alert on script exec | ||||
| > | utions using `-EncodedCommand` or `iex(iwr)`. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.018000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | The execution of a text file that contains code via the interpreter. + +*Data Collection Measures:* + +- Windows Event Logs: + - Event ID 4104 (PowerShell Script Block Logging) – Captures full command-line execution of PowerShell scripts. + - Event ID 4688 (Process Creation) – Detects script execution by tracking process launches (`powershell.exe`, `wscript.exe`, `cscript.exe`). + - Event ID 5861 (Script Execution) – Captures script execution via Windows Defender AMSI logging. +- Sysmon (Windows): + - Event ID 1 (Process Creation) – Monitors script execution initiated by scripting engines. + - Event ID 11 (File Creation) – Detects new script files written to disk before execution. +- Endpoint Detection and Response (EDR) Tools: + - Track script execution behavior, detect obfuscated commands, and prevent malicious scripts. +- PowerShell Logging: + - Enable Module Logging: Logs all loaded modules and cmdlets. + - Enable Script Block Logging: Captures complete PowerShell script execution history. +- SIEM Detection Rules: + - Detect script execution with obfuscated, encoded, or remote URLs. + - Alert on script executions using `-EncodedCommand` or `iex(iwr)`. | The execution of a text file that contains code via the interpreter. |
| x_mitre_log_sources[11]['channel'] | EventCode=4103, 4104 | EventCode=4103, 4104, 4105, 4106 |
| x_mitre_log_sources[22]['channel'] | EventCode=4016,5312 | EventCode=4016, 5312 |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.315000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=7045'} |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:36.382000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_sources[1]['name'] | WinEventLog:sysmon | WinEventLog:Sysmon |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Changes made to an existing service or daemon, such as modif | t | 1 | Changes made to an existing service or daemon, such as modif |
| > | ying the service name, start type, execution parameters, or | > | ying the service name, start type, execution parameters, or | ||
| > | security configurations. *Data Collection Measures: * - Wi | > | security configurations. | ||
| > | ndows Event Logs - Event ID 7040 - Detects modifications | ||||
| > | to the startup behavior of a service. - Event ID 7045 - | ||||
| > | Can capture changes made to existing services. - Event | ||||
| > | ID 7036 - Tracks when services start or stop, potentially in | ||||
| > | dicating malicious tampering. - Event ID 4697 - Can dete | ||||
| > | ct when an adversary reinstalls a service with different par | ||||
| > | ameters. - Sysmon Logs - Sysmon Event ID 13 - Detects ch | ||||
| > | anges to service configurations in the Windows Registry (e.g | ||||
| > | ., `HKLM\SYSTEM\CurrentControlSet\Services\`). - Sysmon | ||||
| > | Event ID 1 - Can track execution of `sc.exe` or `PowerShell | ||||
| > | Set-Service`. - PowerShell Logging - Event ID 4104 (Scri | ||||
| > | pt Block Logging) - Captures execution of commands like `Set | ||||
| > | -Service`, `New-Service`, or `sc config`. - Command-Line | ||||
| > | Logging (Event ID 4688) - Tracks usage of service modificat | ||||
| > | ion commands: - `sc config <service_name> start= aut | ||||
| > | o` - `sc qc <service_name>` - Linux/macOS Collec | ||||
| > | tion Methods - Systemd Journals (`journalctl -u <service | ||||
| > | _name>`) Tracks modifications to systemd service configurati | ||||
| > | ons. - Daemon Logs (`/var/log/syslog`, `/var/log/message | ||||
| > | s`, `/var/log/daemon.log`) Captures changes to service state | ||||
| > | and execution parameters. - AuditD Rules for Service Mo | ||||
| > | dification - Monitor modifications to `/etc/systemd | ||||
| > | /system/` for new or altered service unit files: `auditctl - | ||||
| > | w /etc/systemd/system/ -p wa -k service_modification` | ||||
| > | - Track execution of `systemctl` or `service` commands: `a | ||||
| > | uditctl -a always,exit -F arch=b64 -S execve -F a0=systemctl | ||||
| > | -F key=service_mod` - OSQuery for Linux/macOS Monitorin | ||||
| > | g - Query modified services using OSQuery’s `process | ||||
| > | es` or `system_info` tables: `SELECT * FROM systemd_units WH | ||||
| > | ERE state != 'running';` - macOS Launch Daemon/Agent Mod | ||||
| > | ification - Monitor for changes in: - `/ | ||||
| > | Library/LaunchDaemons/` - `/Library/LaunchAgents | ||||
| > | /` - Track modifications to `.plist` files indicatin | ||||
| > | g persistence attempts. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:37.211000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | Changes made to an existing service or daemon, such as modifying the service name, start type, execution parameters, or security configurations.
+
+*Data Collection Measures: *
+
+- Windows Event Logs
+ - Event ID 7040 - Detects modifications to the startup behavior of a service.
+ - Event ID 7045 - Can capture changes made to existing services.
+ - Event ID 7036 - Tracks when services start or stop, potentially indicating malicious tampering.
+ - Event ID 4697 - Can detect when an adversary reinstalls a service with different parameters.
+- Sysmon Logs
+ - Sysmon Event ID 13 - Detects changes to service configurations in the Windows Registry (e.g., `HKLM\SYSTEM\CurrentControlSet\Services\`).
+ - Sysmon Event ID 1 - Can track execution of `sc.exe` or `PowerShell Set-Service`.
+- PowerShell Logging
+ - Event ID 4104 (Script Block Logging) - Captures execution of commands like `Set-Service`, `New-Service`, or `sc config`.
+ - Command-Line Logging (Event ID 4688) - Tracks usage of service modification commands:
+ - `sc config | Changes made to an existing service or daemon, such as modifying the service name, start type, execution parameters, or security configurations. |
Current version: 2.0
+| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | An attempt (successful and failed login attempts) by a user, | t | 1 | An attempt (successful and failed login attempts) by a user, |
| > | service, or application to gain access to a network, system | > | service, or application to gain access to a network, system | ||
| > | , or cloud-based resource. This typically involves credentia | > | , or cloud-based resource. This typically involves credentia | ||
| > | ls such as passwords, tokens, multi-factor authentication (M | > | ls such as passwords, tokens, multi-factor authentication (M | ||
| > | FA), or biometric validation. *Data Collection Measures:* | > | FA), or biometric validation. | ||
| > | - Host-Based Authentication Logs - Windows Event Logs | ||||
| > | - Event ID 4776 – NTLM authentication attempt. | ||||
| > | - Event ID 4624 – Successful user logon. - Event ID | ||||
| > | 4625 – Failed authentication attempt. - Event ID 46 | ||||
| > | 48 – Explicit logon with alternate credentials. - Linux/ | ||||
| > | macOS Authentication Logs - `/var/log/auth.log`, `/v | ||||
| > | ar/log/secure` – Logs SSH, sudo, and other authentication at | ||||
| > | tempts. - AuditD – Tracks authentication events via | ||||
| > | PAM modules. - macOS Unified Logs – `/var/db/diagnos | ||||
| > | tics` captures authentication failures. - Cloud Authenticati | ||||
| > | on Logs - Azure AD Logs - Sign-in Logs – Tracks | ||||
| > | authentication attempts, MFA challenges, and conditional acc | ||||
| > | ess failures. - Audit Logs – Captures authentication | ||||
| > | -related configuration changes. - Microsoft Graph AP | ||||
| > | I – Provides real-time sign-in analytics. - Google Works | ||||
| > | pace & Office 365 - Google Admin Console – `User Log | ||||
| > | in Report` tracks login attempts and failures. - Off | ||||
| > | ice 365 Unified Audit Logs – Captures logins across Exchange | ||||
| > | , SharePoint, and Teams. - AWS CloudTrail & IAM | ||||
| > | - Tracks authentication via `AWS IAM AuthenticateUser` and ` | ||||
| > | sts:GetSessionToken`. - Logs failed authentications | ||||
| > | to AWS Management Console and API requests. - Container Auth | ||||
| > | entication Monitoring - Kubernetes Authentication Logs | ||||
| > | - kubectl audit logs – Captures authentication attemp | ||||
| > | ts for service accounts and admin users. - Azure Kub | ||||
| > | ernetes Service (AKS) and Google Kubernetes Engine (GKE) – L | ||||
| > | ogs IAM authentication events. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:14:34.948000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| description | An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation. + +*Data Collection Measures:* + +- Host-Based Authentication Logs + - Windows Event Logs + - Event ID 4776 – NTLM authentication attempt. + - Event ID 4624 – Successful user logon. + - Event ID 4625 – Failed authentication attempt. + - Event ID 4648 – Explicit logon with alternate credentials. + - Linux/macOS Authentication Logs + - `/var/log/auth.log`, `/var/log/secure` – Logs SSH, sudo, and other authentication attempts. + - AuditD – Tracks authentication events via PAM modules. + - macOS Unified Logs – `/var/db/diagnostics` captures authentication failures. +- Cloud Authentication Logs + - Azure AD Logs + - Sign-in Logs – Tracks authentication attempts, MFA challenges, and conditional access failures. + - Audit Logs – Captures authentication-related configuration changes. + - Microsoft Graph API – Provides real-time sign-in analytics. + - Google Workspace & Office 365 + - Google Admin Console – `User Login Report` tracks login attempts and failures. + - Office 365 Unified Audit Logs – Captures logins across Exchange, SharePoint, and Teams. + - AWS CloudTrail & IAM + - Tracks authentication via `AWS IAM AuthenticateUser` and `sts:GetSessionToken`. + - Logs failed authentications to AWS Management Console and API requests. +- Container Authentication Monitoring + - Kubernetes Authentication Logs + - kubectl audit logs – Captures authentication attempts for service accounts and admin users. + - Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE) – Logs IAM authentication events. | An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation. |
| x_mitre_log_sources[12]['name'] | m365:signin | m365:signinlogs |
| x_mitre_log_sources[15]['channel'] | EventCode=4769,1200,1202 | EventCode=4776, 4625 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4769, 1200, 1202'} |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4625'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4625, 4624'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': '4624, 4625'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventID=4625'} |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-22 18:34:46.572000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| external_references[0]['url'] | https://attack.mitre.org/data-components/DC0063 | https://attack.mitre.org/datacomponents/DC0063 |
| x_mitre_log_sources[3]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_sources | {'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=13'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=14'} | |
| x_mitre_log_sources | {'name': 'WinEventLog:Security', 'channel': 'EventCode=4670'} |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-23 20:53:44.184000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| external_references[0]['url'] | https://attack.mitre.org/detection-strategies/DET0897 | https://attack.mitre.org/detectionstrategies/DET0897 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-23 19:55:18.990000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| external_references[0]['url'] | https://attack.mitre.org/detection-strategies/DET0898 | https://attack.mitre.org/detectionstrategies/DET0898 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['name'] | CloudTrail:GetInstanceIdentityDocument | AWS:CloudTrail |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-22 18:36:42.025000+00:00 | 2025-11-12 17:36:06.423000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EvenCode=4657 | EventCode=4657 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | /var/log/syslog or journalctl | cron activity |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[3]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | PutObject, CopyObject | GetObject, CopyObject |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[3]['name'] | WinEventLog:sysmon | WinEventLog:Sysmon |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[3]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | Modification of .asar in /opt or ~/.config directories | EventCode=11 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
| x_mitre_log_source_references[1]['channel'] | Event ID 1 | EventCode=1 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4656, 4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0] | {'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=22'} | {'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=3, 22'} |
| x_mitre_log_source_references[1] | {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'WinEventLog:Security', 'channel': 'EventCode=1'} | {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=1'} |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-22 18:38:17.503000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[3]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=22 | EventCode=3, 22 |
| x_mitre_log_source_references[3]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
| x_mitre_log_source_references[3]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
| x_mitre_log_source_references[3]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[3]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4624 | EventCode=4624, 4648 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['name'] | WinEventLog:Powershell | WinEventLog:PowerShell |
| x_mitre_log_source_references[2]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | netconnect | connect |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[3]['channel'] | EventCode=4656,4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=13,14 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[5]['channel'] | EventCode=22 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventID=31001 | EventCode=31001 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | PutObject, CopyObject | GetObject, CopyObject |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4670, 4663 | EventCode=4663, 4670, 4656 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4624 | EventCode=4624, 4648 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_source_references | {'x_mitre_data_component_ref': 'x-mitre-data-component--d27b0089-2c39-4b6c-84ff-303e48657e77', 'name': 'WinEventLog:DirectoryService', 'channel': 'EventID 5136'} |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[3]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | open or connect | connect |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4670, 4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['name'] | WinEventLog:Microsoft-Windows-WMI-Activity/Operational | WinEventLog:WMI |
| x_mitre_log_source_references[0]['channel'] | EventCode=5861 | EventCode=5857, 5858, 5860, 5861 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=22 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4656 | EventCode=4663, 4670, 4656 |
| x_mitre_log_source_references[3]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-27 15:59:01.140000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['name'] | WinEventLog:Microsoft-Windows-Partition/Diagnostic | WinEventLog:System |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=13 | EventCode=13, 14 |
| x_mitre_log_source_references[3]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4103,4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | path | PATH |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4656 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4624 | EventCode=4624, 4648 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-27 15:59:35.823000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=5145, 4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['name'] | azure:signinLogs | azure:signinlogs |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | /var/log/syslog or journalctl | cron activity |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=7031,7034,1000,1001 | EventCode=1000 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4723, 4724, 4726, 4740 | EventCode=4723, 4724, 4740 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['name'] | m365:signin | m365:signinlogs |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
| x_mitre_log_source_references[3]['channel'] | EventCode=1006,10001 | EventCode=1006, 10001 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4103, 4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['name'] | WinEventLog:Security | WinEventLog:System |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | PutObject, GetObject, CopyObject, DeleteObject | GetObject, CopyObject |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4624, 4634, 4672, 4768, 4769 | EventCode=4672, 4634 |
| x_mitre_log_source_references[1]['name'] | WinEventLog:Kerberos | WinEventLog:Security |
| x_mitre_log_source_references[1]['channel'] | EventCode=4769, 4768 | EventCode=4769 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0] | {'x_mitre_data_component_ref': 'x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b', 'name': 'azure:signinLogs', 'channel': 'SAML-based login with anomalous issuer or NotOnOrAfter lifetime'} | {'x_mitre_data_component_ref': 'x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b', 'name': 'azure:signinlogs', 'channel': 'SAML-based login with anomalous issuer or NotOnOrAfter lifetime'} |
| x_mitre_log_source_references[1] | {'x_mitre_data_component_ref': 'x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4769,1200,1202'} | {'x_mitre_data_component_ref': 'x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4769, 1200, 1202'} |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4624 | EventCode=4624, 4648 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 17:35:05.178000+00:00 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_source_references | {'x_mitre_data_component_ref': 'x-mitre-data-component--0f72bf50-35b3-419d-ab95-70f9b6a818dd', 'name': 'WinEventLog:Security', 'channel': '4673, 4674'} |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[4]['channel'] | EventCode=4103 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[3]['name'] | linux::cron | linux:cron |
| x_mitre_log_source_references[3]['channel'] | crontab or at job created within TimeWindow post time discovery | cron activity |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4624 | EventCode=4624, 4648 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['name'] | WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational | WinEventLog:System |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4624 | EventCode=4624, 4648 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4624 | EventCode=4624, 4648 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4624 | EventCode=4624, 4648 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
| x_mitre_log_source_references[3]['channel'] | EventCode=4103 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=1000-1026 | EventCode=1000 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[3]['channel'] | EventCode=4656,4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
| x_mitre_log_source_references[4]['channel'] | EventCode=4656 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-27 16:01:17.493000+00:00 | 2025-11-12 17:13:52.357000+00:00 |
| x_mitre_log_source_references[2]['channel'] | 13 | EventCode=13 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=13 | EventCode=13, 14 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EvenCode=2 | EventCode=2 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['name'] | WinEventlog:Security | WinEventLog:Security |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[4]['channel'] | EventCode=13 | EventCode=13, 14 |
| x_mitre_log_source_references[6]['channel'] | EventCode=3 | EventCode=3, 22 |
| x_mitre_log_source_references[7]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4656 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['name'] | WinEventLog:System | WinEventLog:Sysmon |
| x_mitre_log_source_references[5]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=5156 | EventCode=5156, 5157 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['name'] | macos:unified | macos:unifiedlog |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[3]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | GetObject | GetObject, CopyObject |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 18:12:53.100000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4886, 4887, 4899, 4900, 4768, 4624 | EventCode=4768 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['name'] | azure:SigninLogs | azure:signinlogs |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4624, 4634, 4672, 4769 | EventCode=4672, 4634 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2] | {'x_mitre_data_component_ref': 'x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=13'} | {'x_mitre_data_component_ref': 'x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=13, 14'} |
| x_mitre_log_source_references[0] | {'x_mitre_data_component_ref': 'x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=10, 7'} | {'x_mitre_data_component_ref': 'x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=10'} |
| x_mitre_log_source_references[1] | {'x_mitre_data_component_ref': 'x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4624 with LogonType=9 or smartcard logon'} | {'x_mitre_data_component_ref': 'x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4648'} |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['name'] | CloudTrail:RunInstances | AWS:CloudTrail |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['name'] | CloudTrail:RunInstances | AWS:CloudTrail |
| x_mitre_log_source_references[0]['channel'] | RunInstances: AMI not in allowlist OR AMI owner != enterprise owner/account | RunInstances |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4656 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['name'] | azure:signinLogs | azure:signinlogs |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4624 | EventCode=4624, 4648 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['name'] | m365:signin | m365:signinlogs |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0] | {'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=22'} | {'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=3, 22'} |
| x_mitre_log_source_references[1] | {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'WinEventLog:Security', 'channel': 'EventCode=1'} | {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=1'} |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['name'] | CloudWatch:Metrics | AWS:CloudWatch |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4624 (LogonType=10 or 3), EventCode=4648 | EventCode=4624, 4648 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=5136,5137,5138,5139,5141 | EventCode=5136 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4670 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4624 | EventCode=4624, 4648 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4624, 4672 | EventCode=4672, 4634 |
| x_mitre_log_source_references[4]['name'] | WinEventLog:DirectoryService | WinEventLog:Security |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4624 (LogonType=3) | EventCode=4624, 4648 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4624 | EventCode=4624, 4648 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[3]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 17:10:37.357000+00:00 |
| x_mitre_log_source_references[1]['name'] | WinEventLog:Directory Service | WinEventLog:Security |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['name'] | CloudTrail:UpdatePolicy | AWS:CloudTrail |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0] | {'x_mitre_data_component_ref': 'x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4670'} | {'x_mitre_data_component_ref': 'x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4663, 4670, 4656'} |
| x_mitre_log_source_references[1] | {'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=3'} | {'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=3, 22'} |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4670 | EventCode=4663, 4670, 4656 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
| x_mitre_log_source_references[4]['channel'] | EventCode=4103,4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['name'] | WinEventLog:Microsoft-Windows-Partition/Diagnostic | WinEventLog:System |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
| x_mitre_log_source_references[2]['channel'] | EventCode=2004,2005,2006 | EventCode=2004, 2005, 2006 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | path | PATH |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=1000, 1001, 1002 | EventCode=1000 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=5136,5137,5138,5139,5141 | EventCode=5136 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4670 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4624 | EventCode=4624, 4648 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 18:16:01.708000+00:00 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[4]['channel'] | EventCode=13 | EventCode=13, 14 |
| x_mitre_log_source_references[5]['channel'] | EventCode=22 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['name'] | WinEventLog:Microsoft-Windows-Security-Auditing | WinEventLog:Security |
| x_mitre_log_source_references[2]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4103, 4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4624 (LogonType=10), EventCode=4648 | EventCode=4624, 4648 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
| x_mitre_log_source_references[5]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[3]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 18:17:38.273000+00:00 |
| x_mitre_log_source_references[1]['channel'] | PutBackupVaultAccessPolicy | DeleteBucket, DeleteDBCluster, DeleteSnapshot, TerminateInstances |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4624, 4672, 4648 | EventCode=4624, 4648 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['name'] | azure:signinLogs | azure:signinlogs |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
| x_mitre_log_source_references[3]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[3]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['name'] | CloudWatch:InstanceMetrics | AWS:CloudWatch |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['name'] | azure:signinLogs | azure:signinlogs |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
| x_mitre_log_source_references[3]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4624 | EventCode=4624, 4648 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4624, 4625 | EventCode=4776, 4625 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
| x_mitre_log_source_references[2]['channel'] | EventCode=5156 | EventCode=5156, 5157 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[3]['channel'] | EventCode=13 | EventCode=13, 14 |
| x_mitre_log_source_references[5]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
| x_mitre_log_source_references[6]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[4]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
| x_mitre_log_source_references[2]['channel'] | EventCode=5857, 5858 | EventCode=5857, 5858, 5860, 5861 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4016,5312 | EventCode=4016, 5312 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['name'] | WinEventLog:Security | WinEventLog:System |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-10-29 17:10:15.891000+00:00 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_log_source_references | {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=1'} |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4720, EventCode=4781 | EventCode=4720 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4624 | EventCode=4624, 4648 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0] | {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'WinEventLog:security', 'channel': 'EventCode=4688'} | {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4688'} |
| x_mitre_log_source_references[1] | {'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=3'} | {'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=3, 22'} |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=22 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4624 | EventCode=4624, 4648 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | 4624 | EventCode=4624, 4648 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=5156 | EventCode=5156, 5157 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['name'] | CloudTrail:GetSecretValue | AWS:CloudTrail |
| x_mitre_log_source_references[1]['channel'] | API call to retrieve secret or access key | GetSecretValue |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['name'] | CloudTrail:InvokeFunction | AWS:CloudTrail |
| x_mitre_log_source_references[2]['name'] | CloudMetrics:InstanceHealth | AWS:CloudMetrics |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4670 | EventCode=4663, 4670, 4656 |
| x_mitre_log_source_references[4]['channel'] | EventCode=4103,4104,4105, 4106 | EventCode=4103, 4104, 4105, 4106 |
| x_mitre_log_source_references[5]['name'] | WinEventLog:Microsoft-Windows-WMI-Activity/Operational | WinEventLog:WMI |
| x_mitre_log_source_references[5]['channel'] | EventCode=5857, 5860, 5861 | EventCode=5857, 5858, 5860, 5861 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=22 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=13 | EventCode=13, 14 |
| x_mitre_log_source_references[3]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4656 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[4]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
| x_mitre_log_source_references[5]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[4]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['name'] | WinEventLog:Application | WinEventLog:CodeIntegrity |
| x_mitre_log_source_references[2]['channel'] | 81,3033 | EventCode=3033 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_mutable_elements[2]['field'] | path | PATH |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['name'] | CloudTrail:EC2 | AWS:CloudTrail |
| x_mitre_log_source_references[1]['name'] | CloudTrail:EC2 | AWS:CloudTrail |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
| x_mitre_log_source_references[2]['channel'] | EventCode=400,403 | EventCode=400, 403 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[3]['channel'] | EventCode=4624, 4672 | EventCode=4672, 4634 |
| x_mitre_log_source_references[4]['name'] | WinEventLog:DirectoryService | WinEventLog:Security |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 18:15:01.136000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=5136,5137,5141 | EventCode=5136 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['name'] | azure:signinLogs | azure:signinlogs |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
| x_mitre_log_source_references[1]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4625, 4624 | EventCode=4776, 4625 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4624 | EventCode=4624, 4648 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4103 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=1341,1342,1020,1063 | EventCode=1341, 1342, 1020, 1063 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4624,4648, 4672 | EventCode=4624, 4648 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
| x_mitre_log_source_references[5]['channel'] | EventCode=5857, 5860, 5861 | EventCode=5857, 5858, 5860, 5861 |
| x_mitre_log_source_references[6]['channel'] | EventCode=4103 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[3]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
| x_mitre_log_source_references[3]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4624 | EventCode=4624, 4648 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=1000,1001 | EventCode=1000 |
| x_mitre_log_source_references[3]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | GetObject | GetObject, CopyObject |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=22 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2] | {'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=3'} | {'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=3, 22'} |
| x_mitre_log_source_references[0] | {'x_mitre_data_component_ref': 'x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4624,4648,4672,4769'} | {'x_mitre_data_component_ref': 'x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4648'} |
| x_mitre_log_source_references[1] | {'x_mitre_data_component_ref': 'x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4776,4771,4770'} | {'x_mitre_data_component_ref': 'x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4776, 4771, 4770'} |
| x_mitre_log_source_references[3] | {'x_mitre_data_component_ref': 'x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4663'} | {'x_mitre_data_component_ref': 'x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4663, 4670, 4656'} |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4656 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4624 | EventCode=4624, 4648 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[3]['channel'] | EventCode=13 | EventCode=13, 14 |
| x_mitre_log_source_references[5]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['name'] | WinEventLog:Security | WinEventLog:System |
| x_mitre_log_source_references[2]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-10-28 19:57:23.683000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4624,4672 | EventCode=4672 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4656 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4624 | EventCode=4624, 4648 |
| x_mitre_log_source_references[6]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
| x_mitre_log_source_references[1]['channel'] | EventCode=20001/20003 | EventCode=2003 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4624, 4672, 4634, 4768, 4769 | EventCode=4672, 4634 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
| x_mitre_log_source_references[2]['channel'] | EventCode=2004,2005,2006 | EventCode=2004, 2005, 2006 |
| x_mitre_log_source_references[3]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4624 (LogonType=3) | EventCode=4624, 4648 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0] | {'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Microsoft-Windows-WLAN-AutoConfig', 'channel': '8001, 8002, 8003'} | {'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Microsoft-Windows-WLAN-AutoConfig', 'channel': 'EventCode=8001, 8002, 8003'} |
| x_mitre_log_source_references[1] | {'x_mitre_data_component_ref': 'x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e', 'name': 'WinEventLog:Security', 'channel': '4624, 4625'} | {'x_mitre_data_component_ref': 'x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4776, 4625'} |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['name'] | m365:signin | m365:signinlogs |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-27 15:56:07.094000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventID=4624 | EventCode=4624 |
| x_mitre_log_source_references[1]['channel'] | EventID=4625 | EventCode=4776, 4625 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4624 | EventCode=4624, 4648 |
| x_mitre_log_source_references[3]['channel'] | EventCode=3 | EventCode=3, 22 |
| x_mitre_log_source_references[7]['channel'] | EventCode=13 | EventCode=13, 14 |
| x_mitre_log_source_references[8]['channel'] | EventCode=5857, 5860, 5861 | EventCode=5857, 5858, 5860, 5861 |
| x_mitre_log_source_references[9]['channel'] | EventCode=4103, 4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4103 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2] | {'x_mitre_data_component_ref': 'x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0', 'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4104'} | {'x_mitre_data_component_ref': 'x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0', 'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103, 4104, 4105, 4106'} |
| x_mitre_log_source_references[0] | {'x_mitre_data_component_ref': 'x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f', 'name': 'WinEventLog:System', 'channel': '20001-20003'} | {'x_mitre_data_component_ref': 'x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f', 'name': 'WinEventLog:System', 'channel': 'EventCode=2003'} |
| x_mitre_log_source_references[1] | {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'WinEventLog:Security', 'channel': '4688, 4104'} | {'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4688'} |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | GetObject | GetObject, CopyObject |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=13 | EventCode=13, 14 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4624, 4634 | EventCode=4624, 4648 |
| x_mitre_log_source_references[2]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[2]['channel'] | GetObject | GetObject, CopyObject |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=15 | EventCode=15 |
| x_mitre_log_source_references[1]['channel'] | EventCode=4663 | EventCode=4663, 4670, 4656 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-21 15:10:28.402000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['name'] | WinEventLog:DirectoryService | WinEventLog:Security |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-24 15:00:29.811000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[1]['channel'] | EventCode=3 | EventCode=3, 22 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2025-10-23 20:07:29.933000+00:00 | 2025-11-12 22:03:39.105000+00:00 |
| x_mitre_log_source_references[0]['channel'] | EventCode=4104 | EventCode=4103, 4104, 4105, 4106 |
| x_mitre_log_source_references[2]['channel'] | EventCode=4670 | EventCode=4663, 4670, 4656 |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may carry out malicious operations using a virtu | t | 1 | Adversaries may carry out malicious operations using a virtu |
| > | al instance to avoid detection. A wide variety of virtualiza | > | al instance to avoid detection. A wide variety of virtualiza | ||
| > | tion technologies exist that allow for the emulation of a co | > | tion technologies exist that allow for the emulation of a co | ||
| > | mputer or computing environment. By running malicious code i | > | mputer or computing environment. By running malicious code i | ||
| > | nside of a virtual instance, adversaries can hide artifacts | > | nside of a virtual instance, adversaries can hide artifacts | ||
| > | associated with their behavior from security tools that are | > | associated with their behavior from security tools that are | ||
| > | unable to monitor activity inside the virtual instance.(Cita | > | unable to monitor activity inside the virtual instance.(Cita | ||
| > | tion: CyberCX Akira Ransomware) Additionally, depending on t | > | tion: CyberCX Akira Ransomware) Additionally, depending on t | ||
| > | he virtual networking implementation (ex: bridged adapter), | > | he virtual networking implementation (ex: bridged adapter), | ||
| > | network traffic generated by the virtual instance can be dif | > | network traffic generated by the virtual instance can be dif | ||
| > | ficult to trace back to the compromised host as the IP addre | > | ficult to trace back to the compromised host as the IP addre | ||
| > | ss and hostname might not match known values.(Citation: Sing | > | ss and hostname might not match known values.(Citation: Sing | ||
| > | Health Breach Jan 2019) Adversaries may utilize native supp | > | Health Breach Jan 2019) Adversaries may utilize native supp | ||
| > | ort for virtualization (ex: Hyper-V), deploy lightweight emu | > | ort for virtualization (ex: Hyper-V), deploy lightweight emu | ||
| > | lators (ex: QEMU), or drop the necessary files to run a virt | > | lators (ex: QEMU), or drop the necessary files to run a virt | ||
| > | ual instance (ex: VirtualBox binaries).(Citation: Securonix | > | ual instance (ex: VirtualBox binaries).(Citation: Securonix | ||
| > | CronTrap 2024) After running a virtual instance, adversaries | > | CronTrap 2024) After running a virtual instance, adversaries | ||
| > | may create a shared folder between the guest and host with | > | may create a shared folder between the guest and host with | ||
| > | permissions that enable the virtual instance to interact wit | > | permissions that enable the virtual instance to interact wit | ||
| > | h the host file system.(Citation: Sophos Ragnar May 2020) T | > | h the host file system.(Citation: Sophos Ragnar May 2020) T | ||
| > | hreat actors may also leverage temporary virtualized environ | > | hreat actors may also leverage temporary virtualized environ | ||
| > | ments such as the Windows Sandbox, which supports the use of | > | ments such as the Windows Sandbox, which supports the use of | ||
| > | `.wsb` configuration files for defining execution parameter | > | `.wsb` configuration files for defining execution parameter | ||
| > | s. For example, the `<MappedFolder>` property supports the c | > | s. For example, the `<MappedFolder>` property supports the c | ||
| > | reation of a shared folder, while the `<LogonCommand>` prope | > | reation of a shared folder, while the `<LogonCommand>` prope | ||
| > | rty allows the specification of a payload.(Citation: ESET Mi | > | rty allows the specification of a payload.(Citation: ESET Mi | ||
| > | rrorFace 2025) In VMWare environments, adversaries may leve | > | rrorFace 2025)(Citation: ITOCHU Hack the Sandbox)(Citation: | ||
| > | rage the vCenter console to create new virtual machines. How | > | ITOCHU Sandbox PPT) In VMWare environments, adversaries may | ||
| > | ever, they may also create virtual machines directly on ESXi | > | leverage the vCenter console to create new virtual machines | ||
| > | servers by running a valid `.vmx` file with the `/bin/vmx` | > | . However, they may also create virtual machines directly on | ||
| > | utility. Adding this command to `/etc/rc.local.d/local.sh` ( | > | ESXi servers by running a valid `.vmx` file with the `/bin/ | ||
| > | i.e., [RC Scripts](https://attack.mitre.org/techniques/T1037 | > | vmx` utility. Adding this command to `/etc/rc.local.d/local. | ||
| > | /004)) will cause the VM to persistently restart.(Citation: | > | sh` (i.e., [RC Scripts](https://attack.mitre.org/techniques/ | ||
| > | vNinja Rogue VMs 2024) Creating a VM this way prevents it fr | > | T1037/004)) will cause the VM to persistently restart.(Citat | ||
| > | om appearing in the vCenter console or in the output to the | > | ion: vNinja Rogue VMs 2024) Creating a VM this way prevents | ||
| > | `vim-cmd vmsvc/getallvms` command on the ESXi server, thereb | > | it from appearing in the vCenter console or in the output to | ||
| > | y hiding it from typical administrative activities.(Citation | > | the `vim-cmd vmsvc/getallvms` command on the ESXi server, t | ||
| > | : MITRE VMware Abuse 2024) | > | hereby hiding it from typical administrative activities.(Cit | ||
| > | ation: MITRE VMware Abuse 2024) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The [SharePoint ToolShell Exploitation](https://attack.mitre | t | 1 | The [SharePoint ToolShell Exploitation](https://attack.mitre |
| > | .org/campaigns/C0058) campaign was conducted in July 2025 an | > | .org/campaigns/C0058) campaign was conducted in July 2025 an | ||
| > | d encompassed the first waves of exploitation against incomp | > | d encompassed the first waves of exploitation against incomp | ||
| > | etely patched spoofing (CVE-2025-49706) and remote code exec | > | letely patched spoofing (CVE-2025-49706) and remote code exe | ||
| > | ution (CVE-2025-49704) vulnerabilities affecting on-premises | > | cution (CVE-2025-49704) vulnerabilities affecting on-premise | ||
| > | Microsoft SharePoint servers. Later patched and updated as | > | s Microsoft SharePoint servers. Later patched and updated as | ||
| > | CVE-2025-53770 and CVE-2025-53771, the ToolShell vulnerabili | > | CVE-2025-53770 and CVE-2025-53771, the ToolShell vulnerabil | ||
| > | ties were widely exploited including by China-based ransomwa | > | ities were widely exploited including by China-based ransomw | ||
| > | re actor Storm-2603 and espionage actors [Threat Group-3390] | > | are actor Storm-2603 and espionage actors [Threat Group-3390 | ||
| > | (https://attack.mitre.org/groups/G0027) and [ZIRCONIUM](http | > | ](https://attack.mitre.org/groups/G0027) and [ZIRCONIUM](htt | ||
| > | s://attack.mitre.org/groups/G0128). [SharePoint ToolShell Ex | > | ps://attack.mitre.org/groups/G0128). [SharePoint ToolShell E | ||
| > | ploitation](https://attack.mitre.org/campaigns/C0058) target | > | xploitation](https://attack.mitre.org/campaigns/C0058) targe | ||
| > | ed multiple regions and industries including finance, educat | > | ted multiple regions and industries including finance, educa | ||
| > | ion, energy, and healthcare across Asia, Europe, and the Uni | > | tion, energy, and healthcare across Asia, Europe, and the Un | ||
| > | ted States.(Citation: Microsoft SharePoint Exploit JUL 2025) | > | ited States.(Citation: Microsoft SharePoint Exploit JUL 2025 | ||
| > | (Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)(Ci | > | )(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)(C | ||
| > | tation: Eye Research ToolShell JUL 2025)(Citation: ESET Tool | > | itation: Eye Research ToolShell JUL 2025)(Citation: ESET Too | ||
| > | Shell JUL 2025)(Citation: Trend Micro SharePoint Attacks JUL | > | lShell JUL 2025)(Citation: Trend Micro SharePoint Attacks JU | ||
| > | 2025) | > | L 2025) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Requests for authentication credentials via Kerberos or othe | t | 1 | Requests for authentication credentials via Kerberos or othe |
| > | r methods like NTLM and LDAP queries. Examples: - Kerberos | > | r methods like NTLM and LDAP queries. Examples: - Kerberos | ||
| > | TGT and Service Tickets (Event IDs 4768, 4769) - NTLM Authen | > | TGT and Service Tickets (Event IDs 4768, 4769) - NTLM Authen | ||
| > | tication Events - LDAP Bind Requests *Data Collection Measu | > | tication Events - LDAP Bind Requests. | ||
| > | res:* - Security Event Logging: - Enable \"`Audit Kerber | ||||
| > | os Authentication Service`\" or \"`Audit Kerberos Service Tick | ||||
| > | et Operations`.\" - Captured Events: IDs 4768, 4769, 4624 | ||||
| > | . - Windows Event Forwarding (WEF): Forward domain controlle | ||||
| > | r logs to SIEM. - SIEM Integration: Use tools like Splunk or | ||||
| > | Azure Sentinel for log analysis. - Kerberos Debug Logging: | ||||
| > | - Registry Key: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Ls | ||||
| > | a\\Kerberos\\Parameters. - Set DWORD LogLevel to 1. - Azur | ||||
| > | e AD Logs: Monitor Sign-In Logs for authentication and polic | ||||
| > | y issues. - Enable EDR Monitoring: - Use EDR to detect s | ||||
| > | uspicious processes querying authentication mechanisms (e.g. | ||||
| > | , lsass.exe memory access). |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Creating new objects in AD, such as user accounts, groups, o | t | 1 | Creating new objects in AD, such as user accounts, groups, o |
| > | rganizational units (OUs), or trust relationships. Logged as | > | rganizational units (OUs), or trust relationships. Logged as | ||
| > | Event ID 5137. Examples: - User Account Creation: New user | > | Event ID 5137. Examples: - User Account Creation: New user | ||
| > | account. - Group Creation: New security/distribution group. | > | account. - Group Creation: New security/distribution group. | ||
| > | - OU Creation: New organizational unit. - Service Account C | > | - OU Creation: New organizational unit. - Service Account C | ||
| > | reation: New service account for automation or malicious tas | > | reation: New service account for automation or malicious tas | ||
| > | ks. - Trust Object Creation: Trust relationship with another | > | ks. - Trust Object Creation: Trust relationship with another | ||
| > | domain. *Data Collection Measures:* - Audit Policy: - | > | domain. | ||
| > | Enable \"Audit Directory Service Changes\" (Success and Failu | ||||
| > | re). - Path: `Computer Configuration > Policies > Window | ||||
| > | s Settings > Security Settings > Advanced Audit Policy Confi | ||||
| > | guration > Audit Policies > Directory Service Changes`. | ||||
| > | - Key Event: Event ID 5137 (object creation). - Log Forwardi | ||||
| > | ng: Use WEF to centralize logs for SIEM tools (e.g., Splunk) | ||||
| > | . - Enable EDR Monitoring: - Track processes that create | ||||
| > | new accounts or modify AD objects. - Correlate object c | ||||
| > | reation with suspicious commands (e.g., net user /add). |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Changes to AD objects (e.g., users, groups, OUs) are logged | t | 1 | Changes to AD objects (e.g., users, groups, OUs) are logged |
| > | as Event ID 5136 (Object Modification) or 5163 (Attribute Ch | > | as Event ID 5136 (Object Modification) or 5163 (Attribute Ch | ||
| > | anges). Examples: - User Account: Modifying attributes (e.g | > | anges). Examples: - User Account: Modifying attributes (e.g | ||
| > | ., group membership, enabling/disabling accounts). - Group M | > | ., group membership, enabling/disabling accounts). - Group M | ||
| > | embership: Adding/removing members. - OU: Changing propertie | > | embership: Adding/removing members. - OU: Changing propertie | ||
| > | s/permissions (e.g., delegation). - Service Account: Modifyi | > | s/permissions (e.g., delegation). - Service Account: Modifyi | ||
| > | ng SPNs or other attributes. - Object Attributes: Changes to | > | ng SPNs or other attributes. - Object Attributes: Changes to | ||
| > | passwords, logon hours, or control flags. *Data Collection | > | passwords, logon hours, or control flags. | ||
| > | Measures:* - Audit Policy: - Enable \"Audit Directory S | ||||
| > | ervice Changes\" (Success and Failure). - Path: `Computer | ||||
| > | Configuration > Policies > Windows Settings > Security Sett | ||||
| > | ings > Advanced Audit Policy Configuration > Audit Policies | ||||
| > | > Directory Service Changes`. - Key Events: 5136 (modifi | ||||
| > | cations), 5163 (attribute changes). - Log Forwarding: - | ||||
| > | Use WEF to centralize logs for SIEM. - Parse logs to ext | ||||
| > | ract: Object Name, Attribute Changed, Initiator Account Name | ||||
| > | . - Enable EDR Monitoring: - Detect changes to critical | ||||
| > | attributes (e.g., memberOf, logonHours). - Track process | ||||
| > | es modifying directory service objects (e.g., Set-ADUser or | ||||
| > | dsmod). - Enable EDR Monitoring: - Detect changes to cri | ||||
| > | tical attributes (e.g., memberOf, logonHours). - Track p | ||||
| > | rocesses modifying directory service objects (e.g., Set-ADUs | ||||
| > | er or dsmod). |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Application Log Content refers to logs generated by applicat | t | 1 | Application Log Content refers to logs generated by applicat |
| > | ions or services, providing a record of their activity. Thes | > | ions or services, providing a record of their activity. Thes | ||
| > | e logs may include metrics, errors, performance data, and op | > | e logs may include metrics, errors, performance data, and op | ||
| > | erational alerts from web, mail, or other applications. Thes | > | erational alerts from web, mail, or other applications. Thes | ||
| > | e logs are vital for monitoring application behavior and det | > | e logs are vital for monitoring application behavior and det | ||
| > | ecting malicious activities or anomalies. Examples: - Web | > | ecting malicious activities or anomalies. Examples: - Web | ||
| > | Application Logs: These logs include information about reque | > | Application Logs: These logs include information about reque | ||
| > | sts, responses, errors, and security events (e.g., unauthori | > | sts, responses, errors, and security events (e.g., unauthori | ||
| > | zed access attempts). - Email Application Logs: Logs contain | > | zed access attempts). - Email Application Logs: Logs contain | ||
| > | metadata about emails sent, received, or blocked (e.g., sen | > | metadata about emails sent, received, or blocked (e.g., sen | ||
| > | der/receiver addresses, message IDs). - SaaS Application Log | > | der/receiver addresses, message IDs). - SaaS Application Log | ||
| > | s: Activity logs include user logins, configuration changes, | > | s: Activity logs include user logins, configuration changes, | ||
| > | and access to sensitive resources. - Cloud Application Logs | > | and access to sensitive resources. - Cloud Application Logs | ||
| > | : Logs detail control plane activities, including API calls, | > | : Logs detail control plane activities, including API calls, | ||
| > | instance modifications, and network changes. - System/Appli | > | instance modifications, and network changes. - System/Appli | ||
| > | cation Monitoring Logs: Logs provide insights into applicati | > | cation Monitoring Logs: Logs provide insights into applicati | ||
| > | on performance, errors, and anomalies. This data component | > | on performance, errors, and anomalies. | ||
| > | can be collected through the following measures: Configure | ||||
| > | Application Logging - Enable logging within the application | ||||
| > | or service. - Examples: - Web Servers: Enable access an | ||||
| > | d error logs in NGINX or Apache. - Email Systems: Enable | ||||
| > | audit logging in Microsoft Exchange or Gmail. Centralized | ||||
| > | Log Management - Use log management solutions like Splunk, | ||||
| > | or a cloud-native logging solution. - Configure the applicat | ||||
| > | ion to send logs to a centralized system for analysis. Clou | ||||
| > | d-Specific Collection - Use services like AWS CloudWatch, A | ||||
| > | zure Monitor, or Google Cloud Operations Suite for cloud-bas | ||||
| > | ed applications. - Ensure logging is enabled for all critica | ||||
| > | l resources (e.g., API calls, IAM changes). SIEM Integratio | ||||
| > | n - Integrate application logs with a SIEM platform (e.g., | ||||
| > | Splunk, QRadar) for real-time correlation and analysis. - Us | ||||
| > | e parsers to standardize log formats and extract key fields | ||||
| > | like timestamps, user IDs, and error codes. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | This data component refers to monitoring actions that deacti | t | 1 | This data component refers to monitoring actions that deacti |
| > | vate or stop a cloud service in a cloud control plane. Examp | > | vate or stop a cloud service in a cloud control plane. Examp | ||
| > | les include disabling essential logging services like AWS Cl | > | les include disabling essential logging services like AWS Cl | ||
| > | oudTrail (`StopLogging` API call), Microsoft Azure Monitor L | > | oudTrail (`StopLogging` API call), Microsoft Azure Monitor L | ||
| > | ogs, or Google Cloud's Operations Suite (formerly Stackdrive | > | ogs, or Google Cloud's Operations Suite (formerly Stackdrive | ||
| > | r). Disabling such services can hinder visibility into adver | > | r). Disabling such services can hinder visibility into adver | ||
| > | sary activities within the cloud environment. Examples: - | > | sary activities within the cloud environment. Examples: - | ||
| > | AWS CloudTrail StopLogging: This action stops logging of API | > | AWS CloudTrail StopLogging: This action stops logging of API | ||
| > | activity for a particular trail, effectively reducing the m | > | activity for a particular trail, effectively reducing the m | ||
| > | onitoring and visibility of AWS resources and activities. - | > | onitoring and visibility of AWS resources and activities. - | ||
| > | Microsoft Azure Monitor Logs: Disabling these logs hinders t | > | Microsoft Azure Monitor Logs: Disabling these logs hinders t | ||
| > | he organization\u2019s ability to detect anomalous activities and | > | he organization\u2019s ability to detect anomalous activities and | ||
| > | trace malicious actions. - Google Cloud Logging: Disabling | > | trace malicious actions. - Google Cloud Logging: Disabling | ||
| > | cloud logging removes visibility into resource activity, pre | > | cloud logging removes visibility into resource activity, pre | ||
| > | venting monitoring of service access or configuration change | > | venting monitoring of service access or configuration change | ||
| > | s. - SaaS Applications: Stopping logging removes visibility | > | s. - SaaS Applications: Stopping logging removes visibility | ||
| > | into user activities, such as email access or file downloads | > | into user activities, such as email access or file downloads | ||
| > | , enabling undetected malicious behavior. This data compone | > | , enabling undetected malicious behavior. | ||
| > | nt can be collected through the following measures: Enable | ||||
| > | and Monitor Cloud Service Logging - Ensure logging is enabl | ||||
| > | ed for all cloud services, including administrative actions | ||||
| > | like StopLogging. - Example: Use AWS Config to verify that C | ||||
| > | loudTrail is enabled and enforce logging as a compliance rul | ||||
| > | e. API Monitoring - Use API monitoring tools to detect cal | ||||
| > | ls like StopLogging or equivalent service-stopping actions i | ||||
| > | n other platforms. - Example: Monitor AWS CloudWatch for spe | ||||
| > | cific API events such as StopLogging and flag unauthorized u | ||||
| > | sers. SIEM Integration - Collect logs and events from the | ||||
| > | cloud control plane into a centralized SIEM for real-time an | ||||
| > | alysis and correlation. - Example: Ingest AWS CloudTrail log | ||||
| > | s into Splunk or Azure Monitor logs into Sentinel. Cloud Se | ||||
| > | curity Posture Management (CSPM) Tools - Leverage CSPM tool | ||||
| > | s like Prisma Cloud, Dome9, or AWS Security Hub to detect mi | ||||
| > | sconfigurations or suspicious activity, such as disabled log | ||||
| > | ging. - Example: Set alerts for changes to logging configura | ||||
| > | tions in CSPM dashboards. Configure Alerts in Cloud Platfor | ||||
| > | ms - Create native alerts in cloud platforms to detect serv | ||||
| > | ice stoppages. - Example: Configure an AWS CloudWatch alarm | ||||
| > | to trigger when StopLogging is invoked. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Cloud service enumeration involves listing or querying avail | t | 1 | Cloud service enumeration involves listing or querying avail |
| > | able cloud services in a cloud control plane. This activity | > | able cloud services in a cloud control plane. This activity | ||
| > | is often performed to identify resources such as virtual mac | > | is often performed to identify resources such as virtual mac | ||
| > | hines, storage buckets, compute clusters, or other services | > | hines, storage buckets, compute clusters, or other services | ||
| > | within a cloud environment. Examples include API calls like | > | within a cloud environment. Examples include API calls like | ||
| > | `AWS ECS ListServices`, `Azure ListAllResources`, or `Google | > | `AWS ECS ListServices`, `Azure ListAllResources`, or `Google | ||
| > | Cloud ListInstances`. Examples: AWS Cloud Service Enumera | > | Cloud ListInstances`. Examples: AWS Cloud Service Enumera | ||
| > | tion: The adversary gathers details about existing ECS servi | > | tion: The adversary gathers details about existing ECS servi | ||
| > | ces to identify opportunities for privilege escalation or ex | > | ces to identify opportunities for privilege escalation or ex | ||
| > | filtration. - Azure Resource Enumeration: The adversary coll | > | filtration. - Azure Resource Enumeration: The adversary coll | ||
| > | ects information about virtual machines, resource groups, an | > | ects information about virtual machines, resource groups, an | ||
| > | d other Azure assets for reconnaissance purposes. - Google C | > | d other Azure assets for reconnaissance purposes. - Google C | ||
| > | loud Resource Enumeration: The attacker seeks to map the env | > | loud Resource Enumeration: The attacker seeks to map the env | ||
| > | ironment and find misconfigured or underutilized resources f | > | ironment and find misconfigured or underutilized resources f | ||
| > | or exploitation. - Office 365 Service Enumeration: The attac | > | or exploitation. - Office 365 Service Enumeration: The attac | ||
| > | ker may look for data repositories or collaboration tools to | > | ker may look for data repositories or collaboration tools to | ||
| > | exfiltrate sensitive information. This data component can | > | exfiltrate sensitive information. | ||
| > | be collected through the following measures: Enable Cloud | ||||
| > | Activity Logging - Ensure cloud service logs are enabled fo | ||||
| > | r API calls and resource usage. - Example: Enable AWS CloudT | ||||
| > | rail, Azure Monitor, or Google Cloud Logging to track resour | ||||
| > | ce queries. Centralize Logs in a SIEM - Aggregate logs fro | ||||
| > | m cloud control planes into a centralized SIEM (e.g., Splunk | ||||
| > | , Azure Sentinel). - Example: Collect AWS CloudTrail logs an | ||||
| > | d set up alerts for API calls related to service enumeration | ||||
| > | . Use Native Cloud Security Tools - Leverage cloud-native | ||||
| > | security solutions like AWS GuardDuty, Azure Defender, or Go | ||||
| > | ogle Security Command Center. - Example: Use GuardDuty to de | ||||
| > | tect anomalous API activity, such as ListServices being exec | ||||
| > | uted by an unknown user. Implement Network Flow Logging - | ||||
| > | Monitor and analyze VPC flow logs to identify lateral moveme | ||||
| > | nt or enumeration activity. - Example: Inspect flow logs for | ||||
| > | unexpected traffic between compute instances and the cloud | ||||
| > | control plane. API Access Monitoring - Monitor API keys an | ||||
| > | d tokens used for enumeration to identify misuse or compromi | ||||
| > | se. - Example: Use AWS Secrets Manager or Azure Key Vault to | ||||
| > | manage and rotate keys securely. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Cloud service metadata refers to the contextual and descript | t | 1 | Cloud service metadata refers to the contextual and descript |
| > | ive information about cloud services, including their name, | > | ive information about cloud services, including their name, | ||
| > | type, purpose, configuration, and activity around them. This | > | type, purpose, configuration, and activity around them. This | ||
| > | metadata is essential for understanding the roles and funct | > | metadata is essential for understanding the roles and funct | ||
| > | ions of cloud services, their operational status, and their | > | ions of cloud services, their operational status, and their | ||
| > | potential misuse. Examples: - Azure Service Metadata: Meta | > | potential misuse. Examples: - Azure Service Metadata: Meta | ||
| > | data describing a resource in Azure, such as an Azure Storag | > | data describing a resource in Azure, such as an Azure Storag | ||
| > | e Account or a Virtual Machine. - AWS Cloud Service Metadata | > | e Account or a Virtual Machine. - AWS Cloud Service Metadata | ||
| > | : Metadata for an AWS EC2 instance collected using the `Desc | > | : Metadata for an AWS EC2 instance collected using the `Desc | ||
| > | ribeInstances` API call. - Google Cloud Service Metadata: Me | > | ribeInstances` API call. - Google Cloud Service Metadata: Me | ||
| > | tadata for a Google Compute Engine instance collected using | > | tadata for a Google Compute Engine instance collected using | ||
| > | `gcloud compute instances describe`. - Office 365 Metadata: | > | `gcloud compute instances describe`. - Office 365 Metadata: | ||
| > | Metadata about an Office 365 SharePoint site. This data com | > | Metadata about an Office 365 SharePoint site. | ||
| > | ponent can be collected through the following measures: Ena | ||||
| > | ble Cloud Metadata APIs - Leverage APIs provided by cloud p | ||||
| > | roviders to query metadata about services. - AWS: Use AW | ||||
| > | S CLI or SDKs for `DescribeInstances`, `DescribeBuckets`, et | ||||
| > | c. - Azure: Use `az resource list` or SDKs. - Google | ||||
| > | Cloud: Use `gcloud compute instances describe` or related c | ||||
| > | ommands. - Office 365: Use Microsoft Graph API. Central | ||||
| > | ize Metadata in a Security Platform - Aggregate metadata fr | ||||
| > | om multiple clouds into a SIEM or CSPM (Cloud Security Postu | ||||
| > | re Management) tool. - Example: Integrate AWS CloudTrail wit | ||||
| > | h Splunk or Azure Monitor with Sentinel. Enable Continuous | ||||
| > | Monitoring - Set up automated jobs or workflows to regularl | ||||
| > | y query and update metadata. - Example: Use AWS Config to tr | ||||
| > | ack resource configurations and changes over time. Configur | ||||
| > | e Access and Logging - Enable logging for API queries to en | ||||
| > | sure access and usage of metadata are monitored. - Example: | ||||
| > | Use AWS CloudTrail to log API activity for metadata queries. | ||||
| > | Use Cloud Security Tools - Employ CSPM tools like Prisma | ||||
| > | Cloud, Wiz, or Dome9 to gather metadata and identify misconf | ||||
| > | igurations. - Example: Prisma Cloud provides consolidated vi | ||||
| > | ews of metadata for resources across AWS, Azure, and GCP. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Cloud service modification refers to changes made to the con | t | 1 | Cloud service modification refers to changes made to the con |
| > | figuration, settings, or data of a cloud service. These modi | > | figuration, settings, or data of a cloud service. These modi | ||
| > | fications can include administrative changes such as enablin | > | fications can include administrative changes such as enablin | ||
| > | g or disabling features, altering permissions, or deleting c | > | g or disabling features, altering permissions, or deleting c | ||
| > | ritical components. Monitoring these changes is critical to | > | ritical components. Monitoring these changes is critical to | ||
| > | detect potential misconfigurations or malicious activity. Ex | > | detect potential misconfigurations or malicious activity. Ex | ||
| > | amples: - AWS Cloud Service Modifications: A user disables | > | amples: - AWS Cloud Service Modifications: A user disables | ||
| > | AWS CloudTrail logging (StopLogging) or deletes a CloudWatc | > | AWS CloudTrail logging (StopLogging) or deletes a CloudWatc | ||
| > | h configuration rule (DeleteConfigRule). - Azure Cloud Servi | > | h configuration rule (DeleteConfigRule). - Azure Cloud Servi | ||
| > | ce Modifications: Changes to Azure Role-Based Access Control | > | ce Modifications: Changes to Azure Role-Based Access Control | ||
| > | (RBAC) roles, such as adding a new Contributor role to a se | > | (RBAC) roles, such as adding a new Contributor role to a se | ||
| > | nsitive resource. - Google Cloud Service Modifications: Dele | > | nsitive resource. - Google Cloud Service Modifications: Dele | ||
| > | tion of a Google Cloud Storage bucket or disabling a Google | > | tion of a Google Cloud Storage bucket or disabling a Google | ||
| > | Cloud Function. - Office 365 Cloud Service Modifications: Al | > | Cloud Function. - Office 365 Cloud Service Modifications: Al | ||
| > | tering mailbox permissions or disabling auditing in Microsof | > | tering mailbox permissions or disabling auditing in Microsof | ||
| > | t 365. This data component can be collected through the fol | > | t 365. | ||
| > | lowing measures: Enable Cloud Audit Logging - AWS: Enable | ||||
| > | AWS CloudTrail for logging management events such as StopLog | ||||
| > | ging or DeleteTrail. - Azure: Use Azure Activity Logs to mon | ||||
| > | itor resource changes and access actions. - Google Cloud: En | ||||
| > | able Google Cloud Audit Logs to track API calls, resource mo | ||||
| > | difications, and policy changes. - Office 365: Use Unified A | ||||
| > | udit Logs in Microsoft Purview to track administrative actio | ||||
| > | ns. Centralize Log Storage - Consolidate logs from all clo | ||||
| > | ud providers into a SIEM or CSPM (Cloud Security Posture Man | ||||
| > | agement) tool. - Example: Use Splunk or Elastic Stack to ing | ||||
| > | est and analyze logs from AWS, Azure, and Google Cloud. Aut | ||||
| > | omate Alerts for Sensitive Changes - Configure alerts for h | ||||
| > | igh-risk actions, such as disabling logging or modifying IAM | ||||
| > | roles. - AWS Example: Use AWS Config rules to detect and no | ||||
| > | tify changes to critical services. - Azure Example: Set up A | ||||
| > | zure Monitor alerts for write actions on sensitive resources | ||||
| > | . Enable Continuous Monitoring - Use tools like AWS Securi | ||||
| > | ty Hub, Azure Defender, or Google Chronicle to continuously | ||||
| > | monitor cloud service modifications for anomalies. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Cloud storage access refers to the retrieval or interaction | t | 1 | Cloud storage access refers to the retrieval or interaction |
| > | with data stored in cloud infrastructure. This data componen | > | with data stored in cloud infrastructure. This data componen | ||
| > | t includes activities such as reading, downloading, or acces | > | t includes activities such as reading, downloading, or acces | ||
| > | sing files and objects within cloud storage systems. Common | > | sing files and objects within cloud storage systems. Common | ||
| > | examples include API calls like GetObject in AWS S3, which r | > | examples include API calls like GetObject in AWS S3, which r | ||
| > | etrieves objects from cloud buckets. Examples: - AWS S3 Ac | > | etrieves objects from cloud buckets. Examples: - AWS S3 Ac | ||
| > | cess: An adversary uses the `GetObject` API to retrieve sens | > | cess: An adversary uses the `GetObject` API to retrieve sens | ||
| > | itive data from an AWS S3 bucket. - Azure Blob Storage Acces | > | itive data from an AWS S3 bucket. - Azure Blob Storage Acces | ||
| > | s: A user accesses a blob in Azure Storage using `Get Blob` | > | s: A user accesses a blob in Azure Storage using `Get Blob` | ||
| > | or `Get Blob Properties`. - Google Cloud Storage Access: An | > | or `Get Blob Properties`. - Google Cloud Storage Access: An | ||
| > | adversary uses `storage.objects.get` to download objects fro | > | adversary uses `storage.objects.get` to download objects fro | ||
| > | m - OpenStack Swift Storage Access: A user retrieves an obje | > | m - OpenStack Swift Storage Access: A user retrieves an obje | ||
| > | ct from OpenStack Swift using the `GET` method. This data c | > | ct from OpenStack Swift using the `GET` method. | ||
| > | omponent can be collected through the following measures: E | ||||
| > | nable Logging for Cloud Storage Services - AWS S3: Enable S | ||||
| > | erver Access Logging to capture API calls like `GetObject` a | ||||
| > | nd store them in a designated S3 bucket. - Azure Storage: En | ||||
| > | able Azure Storage Logging to capture operations like `GetBl | ||||
| > | ob` and log metadata. - Google Cloud Storage: Enable Data Ac | ||||
| > | cess audit logs for `storage.objects.get` API calls. - OpenS | ||||
| > | tack Swift: Configure middleware for object logging to captu | ||||
| > | re GET requests. Centralize and Aggregate Logs - Use a cen | ||||
| > | tralized logging solution (e.g., Splunk, ELK, or a cloud-nat | ||||
| > | ive SIEM) to ingest and analyze logs from different cloud pr | ||||
| > | oviders. - AWS Example: Use AWS CloudTrail to collect AP | ||||
| > | I activity logs and forward them to your SIEM. - Azure E | ||||
| > | xample: Use Azure Monitor and Log Analytics to analyze stora | ||||
| > | ge access logs. Correlate with IAM Logs - Combine storage | ||||
| > | access logs with IAM activity logs to correlate user actions | ||||
| > | with specific permissions and identities. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Cloud Storage Creation refers to the initial creation of a n | t | 1 | Cloud Storage Creation refers to the initial creation of a n |
| > | ew cloud storage resource, such as buckets, containers, or d | > | ew cloud storage resource, such as buckets, containers, or d | ||
| > | irectories, within a cloud environment. This action is criti | > | irectories, within a cloud environment. This action is criti | ||
| > | cal to track as it might indicate the legitimate provisionin | > | cal to track as it might indicate the legitimate provisionin | ||
| > | g of resources or unauthorized actions taken by adversaries | > | g of resources or unauthorized actions taken by adversaries | ||
| > | to stage, store, or exfiltrate data. Examples: - AWS S3 Bu | > | to stage, store, or exfiltrate data. Examples: - AWS S3 Bu | ||
| > | cket Creation: An AWS user creates a new S3 bucket using the | > | cket Creation: An AWS user creates a new S3 bucket using the | ||
| > | `CreateBucket` API call. - Azure Blob Storage Container Cre | > | `CreateBucket` API call. - Azure Blob Storage Container Cre | ||
| > | ation: A user creates a new container in Azure Blob Storage | > | ation: A user creates a new container in Azure Blob Storage | ||
| > | using the `Create Container` operation. - Google Cloud Stora | > | using the `Create Container` operation. - Google Cloud Stora | ||
| > | ge Bucket Creation: A Google Cloud user creates a new bucket | > | ge Bucket Creation: A Google Cloud user creates a new bucket | ||
| > | using `storage.buckets.create`. - OpenStack Swift Container | > | using `storage.buckets.create`. - OpenStack Swift Container | ||
| > | Creation: A user creates a new container in OpenStack Swift | > | Creation: A user creates a new container in OpenStack Swift | ||
| > | using the `PUT` method. This data component can be collect | > | using the `PUT` method. | ||
| > | ed through the following measures: Enable Logging for Cloud | ||||
| > | Storage Services - AWS S3: Enable AWS CloudTrail to log Cr | ||||
| > | eateBucket API actions. - Azure Blob Storage: Enable Azure M | ||||
| > | onitor and Diagnostic Logs for storage account activity. Use | ||||
| > | Azure Event Grid to capture Create Container operations. - | ||||
| > | Google Cloud Storage: Enable Data Access logs in Cloud Audit | ||||
| > | Logs to monitor storage.buckets.create API calls. - OpenSta | ||||
| > | ck Swift: Configure Swift logging to capture PUT requests to | ||||
| > | new containers. Centralized Logging and Analysis - Forwar | ||||
| > | d logs to centralized platforms like Splunk or cloud-native | ||||
| > | SIEM solutions for correlation and analysis. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Cloud Storage Enumeration involves retrieving a list of avai | t | 1 | Cloud Storage Enumeration involves retrieving a list of avai |
| > | lable cloud storage infrastructure, such as buckets, contain | > | lable cloud storage infrastructure, such as buckets, contain | ||
| > | ers, or objects, within a cloud environment. This activity m | > | ers, or objects, within a cloud environment. This activity m | ||
| > | ay be performed for legitimate administrative purposes or ma | > | ay be performed for legitimate administrative purposes or ma | ||
| > | licious reconnaissance by adversaries seeking to identify ac | > | licious reconnaissance by adversaries seeking to identify ac | ||
| > | cessible storage resources.Examples: - AWS S3 Bucket Enumer | > | cessible storage resources.Examples: - AWS S3 Bucket Enumer | ||
| > | ation: An AWS user lists all buckets using the `ListBuckets` | > | ation: An AWS user lists all buckets using the `ListBuckets` | ||
| > | API call. - Azure Blob Storage Container Enumeration: A use | > | API call. - Azure Blob Storage Container Enumeration: A use | ||
| > | r retrieves a list of all containers within a storage accoun | > | r retrieves a list of all containers within a storage accoun | ||
| > | t using the Azure Storage SDK or API. - Google Cloud Storage | > | t using the Azure Storage SDK or API. - Google Cloud Storage | ||
| > | Bucket Enumeration: A Google Cloud user lists all buckets w | > | Bucket Enumeration: A Google Cloud user lists all buckets w | ||
| > | ithin a project using the `storage.buckets.list` API. - Open | > | ithin a project using the `storage.buckets.list` API. - Open | ||
| > | Stack Swift Container Enumeration: A user retrieves a list o | > | Stack Swift Container Enumeration: A user retrieves a list o | ||
| > | f containers in OpenStack Swift using the `GET` method on th | > | f containers in OpenStack Swift using the `GET` method on th | ||
| > | e storage endpoint. This data component can be collected th | > | e storage endpoint. | ||
| > | rough the following measures: Enable Logging for Cloud Stor | ||||
| > | age Enumeration - AWS S3: Enable AWS CloudTrail to capture | ||||
| > | ListBuckets and ListObjects API calls. - Azure Blob Storage: | ||||
| > | Enable Azure Monitor and Diagnostic Logs to capture enumera | ||||
| > | tion operations like List Containers. Use Azure Event Grid t | ||||
| > | o trigger alerts for container enumeration. - Google Cloud S | ||||
| > | torage: Enable Audit Logs in Google Cloud to track storage.b | ||||
| > | uckets.list API activity. - OpenStack Swift: Configure Swift | ||||
| > | logging to capture GET requests for container enumeration. | ||||
| > | Centralized Log Aggregation - Use platforms like Splunk or | ||||
| > | native SIEM solutions to collect and analyze enumeration lo | ||||
| > | gs. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Cloud Storage Metadata provides contextual information about | t | 1 | Cloud Storage Metadata provides contextual information about |
| > | cloud storage infrastructure and its associated activity. T | > | cloud storage infrastructure and its associated activity. T | ||
| > | his data may include attributes such as storage name, size, | > | his data may include attributes such as storage name, size, | ||
| > | owner, permissions, creation date, region, and activity meta | > | owner, permissions, creation date, region, and activity meta | ||
| > | data. It is essential for monitoring, auditing, and identify | > | data. It is essential for monitoring, auditing, and identify | ||
| > | ing anomalies in cloud storage environments. Examples: - A | > | ing anomalies in cloud storage environments. Examples: - A | ||
| > | WS S3 Bucket Metadata: Metadata about an S3 bucket includes | > | WS S3 Bucket Metadata: Metadata about an S3 bucket includes | ||
| > | the bucket name, region, creation date, owner, storage class | > | the bucket name, region, creation date, owner, storage class | ||
| > | , and permissions. - Azure Blob Storage Metadata: Metadata f | > | , and permissions. - Azure Blob Storage Metadata: Metadata f | ||
| > | or an Azure Blob container includes container name, access l | > | or an Azure Blob container includes container name, access l | ||
| > | evel (e.g., private or public), size, and tags. - Google Clo | > | evel (e.g., private or public), size, and tags. - Google Clo | ||
| > | ud Storage Metadata: Metadata includes bucket name, storage | > | ud Storage Metadata: Metadata includes bucket name, storage | ||
| > | class, location, labels, lifecycle policies, and versioning | > | class, location, labels, lifecycle policies, and versioning | ||
| > | status. - OpenStack Swift Metadata: Metadata for a Swift con | > | status. - OpenStack Swift Metadata: Metadata for a Swift con | ||
| > | tainer includes name, access level, quota, and custom attrib | > | tainer includes name, access level, quota, and custom attrib | ||
| > | utes. This data component can be collected through the foll | > | utes. | ||
| > | owing measures: Enable Logging for Metadata Collection - A | ||||
| > | WS S3: Use AWS CloudTrail to log `GetBucketAcl`, `GetBucketP | ||||
| > | olicy`, and `HeadBucket` API calls. - Azure Blob Storage: Us | ||||
| > | e Azure Monitor to log container metadata retrieval and upda | ||||
| > | tes. - Google Cloud Storage: Enable Google Cloud Audit Logs | ||||
| > | to capture `storage.buckets.get` and `storage.buckets.update | ||||
| > | `. - OpenStack Swift: Enable logging of `HEAD` or `GET` requ | ||||
| > | ests to containers. Centralized Log Aggregation - Use a SI | ||||
| > | EM solution (e.g., Splunk) to aggregate and analyze metadata | ||||
| > | retrieval and modification logs. - Correlate metadata acces | ||||
| > | s with user actions, IP addresses, and other contextual data | ||||
| > | . API Polling - Use cloud SDKs or APIs to periodically que | ||||
| > | ry metadata for analysis: - AWS CLI Example: `aws s3api | ||||
| > | get-bucket-acl --bucket company-sensitive-data` - Azure | ||||
| > | CLI Example: `az storage container show --name customer-reco | ||||
| > | rds` - Google Cloud CLI Example: `gcloud storage buckets | ||||
| > | describe user-uploads` |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Cloud Storage Modification involves tracking changes made to | t | 1 | Cloud Storage Modification involves tracking changes made to |
| > | cloud storage infrastructure, including updates to settings | > | cloud storage infrastructure, including updates to settings | ||
| > | , permissions, or stored data. Examples include modifying ob | > | , permissions, or stored data. Examples include modifying ob | ||
| > | ject access control lists (ACLs), uploading new objects, or | > | ject access control lists (ACLs), uploading new objects, or | ||
| > | updating bucket policies. Examples: AWS S3: An object is u | > | updating bucket policies. Examples: AWS S3: An object is u | ||
| > | ploaded or its ACL is modified. - Azure Blob Storage: A blob | > | ploaded or its ACL is modified. - Azure Blob Storage: A blob | ||
| > | 's metadata or permissions are updated. - Google Cloud Stora | > | 's metadata or permissions are updated. - Google Cloud Stora | ||
| > | ge: An object's lifecycle policy is updated, or a bucket pol | > | ge: An object's lifecycle policy is updated, or a bucket pol | ||
| > | icy is changed. - OpenStack Swift: Modifications to containe | > | icy is changed. - OpenStack Swift: Modifications to containe | ||
| > | r settings or uploading of new objects. This data component | > | r settings or uploading of new objects. | ||
| > | can be collected through the following measures: Enable Lo | ||||
| > | gging - AWS S3: Enable AWS CloudTrail to log API events lik | ||||
| > | e PutObject, PutObjectAcl, and PutBucketPolicy. - Azure Blob | ||||
| > | Storage: Use Azure Monitor to log write and update operatio | ||||
| > | ns. - Google Cloud Storage: Enable Google Cloud Audit Logs t | ||||
| > | o track storage.objects.update and storage.buckets.update. - | ||||
| > | OpenStack Swift: Enable logging for PUT and POST requests t | ||||
| > | o track object uploads and container metadata updates. Use | ||||
| > | Cloud Monitoring Tools - Integrate with tools like AWS Conf | ||||
| > | ig, Azure Security Center, or Google Cloud Monitoring to det | ||||
| > | ect configuration drift or unauthorized changes. Centralize | ||||
| > | d Log Aggregation - Use a SIEM (e.g., Splunk) to aggregate | ||||
| > | logs across multiple cloud providers for unified monitoring | ||||
| > | and analysis. Periodic API Queries - AWS CLI Example: Quer | ||||
| > | y recent modifications to bucket policies: `aws s3api get-bu | ||||
| > | cket-policy --bucket sensitive-data` - Azure CLI Example: Li | ||||
| > | st changes to a blob container: `az storage blob show --cont | ||||
| > | ainer-name private-docs` - Google Cloud CLI Example: Check m | ||||
| > | etadata updates: `gcloud storage objects describe gs://user- | ||||
| > | uploads/document.txt` |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Command Execution involves monitoring and capturing the exec | t | 1 | Command Execution involves monitoring and capturing the exec |
| > | ution of textual commands (including shell commands, cmdlets | > | ution of textual commands (including shell commands, cmdlets | ||
| > | , and scripts) within an operating system or application. Th | > | , and scripts) within an operating system or application. Th | ||
| > | ese commands may include arguments or parameters and are typ | > | ese commands may include arguments or parameters and are typ | ||
| > | ically executed through interpreters such as `cmd.exe`, `bas | > | ically executed through interpreters such as `cmd.exe`, `bas | ||
| > | h`, `zsh`, `PowerShell`, or programmatic execution. Examples | > | h`, `zsh`, `PowerShell`, or programmatic execution. Examples | ||
| > | : - Windows Command Prompt - dir \u2013 Lists directory con | > | : - Windows Command Prompt - dir \u2013 Lists directory con | ||
| > | tents. - net user \u2013 Queries or manipulates user accounts | > | tents. - net user \u2013 Queries or manipulates user accounts | ||
| > | . - tasklist \u2013 Lists running processes. - PowerShell | > | . - tasklist \u2013 Lists running processes. - PowerShell | ||
| > | - Get-Process \u2013 Retrieves processes running on a system. | > | - Get-Process \u2013 Retrieves processes running on a system. | ||
| > | - Set-ExecutionPolicy \u2013 Changes PowerShell script executio | > | - Set-ExecutionPolicy \u2013 Changes PowerShell script executio | ||
| > | n policies. - Invoke-WebRequest \u2013 Downloads remote resou | > | n policies. - Invoke-WebRequest \u2013 Downloads remote resou | ||
| > | rces. - Linux Shell - ls \u2013 Lists files in a directory. | > | rces. - Linux Shell - ls \u2013 Lists files in a directory. | ||
| > | - cat /etc/passwd \u2013 Reads the user accounts file. - c | > | - cat /etc/passwd \u2013 Reads the user accounts file. - c | ||
| > | url http://malicious-site.com \u2013 Retrieves content from a mal | > | url http://malicious-site.com \u2013 Retrieves content from a mal | ||
| > | icious URL. - Container Environments - docker exec \u2013 Exe | > | icious URL. - Container Environments - docker exec \u2013 Exe | ||
| > | cutes a command inside a running container. - kubectl ex | > | cutes a command inside a running container. - kubectl ex | ||
| > | ec \u2013 Runs commands in Kubernetes pods. - macOS Terminal | > | ec \u2013 Runs commands in Kubernetes pods. - macOS Terminal | ||
| > | - open \u2013 Opens files or URLs. - dscl . -list /Users \u2013 Li | > | - open \u2013 Opens files or URLs. - dscl . -list /Users \u2013 Li | ||
| > | sts all users on the system. - osascript -e \u2013 Executes A | > | sts all users on the system. - osascript -e \u2013 Executes A | ||
| > | ppleScript commands. This data component can be collected t | > | ppleScript commands. | ||
| > | hrough the following measures: Enable Command Logging - Wi | ||||
| > | ndows: - Enable PowerShell logging: `Set-ExecutionPolicy | ||||
| > | Bypass`, `Set-ItemProperty -Path \"HKLM:\\SOFTWARE\\Policies\\M | ||||
| > | icrosoft\\Windows\\PowerShell\\ScriptBlockLogging\" -Name Enable | ||||
| > | ScriptBlockLogging -Value 1` - Enable Windows Event Logg | ||||
| > | ing: - Event ID 4688: Tracks process creation, inclu | ||||
| > | ding command-line arguments. - Event ID 4104: Logs P | ||||
| > | owerShell script block execution. - Linux/macOS: - Enabl | ||||
| > | e shell history logging in `.bashrc` or `.zshrc`: `export HI | ||||
| > | STTIMEFORMAT=\"%d/%m/%y %T \"`, `export PROMPT_COMMAND='histor | ||||
| > | y -a; history -w'` - Use audit frameworks (e.g., `auditd | ||||
| > | `) to log command executions. Example rule to log all `execv | ||||
| > | e` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_ex | ||||
| > | ec` - Containers: - Use runtime-specific tools like Dock | ||||
| > | er\u2019s --log-driver or Kubernetes Audit Logs to capture exec c | ||||
| > | ommands. Integrate with Centralized Logging - Collect logs | ||||
| > | using a SIEM (e.g., Splunk) or cloud-based log aggregation | ||||
| > | tools like AWS CloudWatch or Azure Monitor. Example Splunk S | ||||
| > | earch for Windows Event 4688: `index=windows EventID=4688 Co | ||||
| > | mmandLine=*` Use Endpoint Detection and Response (EDR) Tool | ||||
| > | s - Monitor command executions via EDR solutions Deploy S | ||||
| > | ysmon for Advanced Logging (Windows) - Use Sysmon's Event I | ||||
| > | D 1 to log process creation with command-line arguments |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | \"Container Creation\" data component captures details about t | t | 1 | \"Container Creation\" data component captures details about t |
| > | he initial construction of a container in a containerized en | > | he initial construction of a container in a containerized en | ||
| > | vironment. This includes events where a new container is ins | > | vironment. This includes events where a new container is ins | ||
| > | tantiated, such as through Docker, Kubernetes, or other cont | > | tantiated, such as through Docker, Kubernetes, or other cont | ||
| > | ainer orchestration platforms. Monitoring these events helps | > | ainer orchestration platforms. Monitoring these events helps | ||
| > | detect unauthorized or potentially malicious container crea | > | detect unauthorized or potentially malicious container crea | ||
| > | tion. Examples: - Docker Example: `docker create my-contain | > | tion. Examples: - Docker Example: `docker create my-contain | ||
| > | er`, `docker run --name=my-container nginx:latest` - Kuberne | > | er`, `docker run --name=my-container nginx:latest` - Kuberne | ||
| > | tes Example: `kubectl run my-pod --image=nginx`, `kubectl cr | > | tes Example: `kubectl run my-pod --image=nginx`, `kubectl cr | ||
| > | eate deployment my-deployment --image=nginx` - Cloud Contain | > | eate deployment my-deployment --image=nginx` - Cloud Contain | ||
| > | er Services Example - AWS ECS: Task or service creation | > | er Services Example - AWS ECS: Task or service creation | ||
| > | (`RunTask` or `CreateService`). - Azure Container Instan | > | (`RunTask` or `CreateService`). - Azure Container Instan | ||
| > | ces: Deployment of a container group. - Google Kubernete | > | ces: Deployment of a container group. - Google Kubernete | ||
| > | s Engine (GKE): Creation of new pods via GCP APIs. This dat | > | s Engine (GKE): Creation of new pods via GCP APIs. | ||
| > | a component can be collected through the following measures: | ||||
| > | - Docker Audit Logging: Enable Docker daemon logging to ca | ||||
| > | pture `create` commands. Configure the Docker daemon to use | ||||
| > | a log driver such as `syslog` or `json-file`. - Kubernetes A | ||||
| > | udit Logs: Enable Kubernetes API server audit logging: - Clo | ||||
| > | ud Provider Logs - AWS CloudTrail: Enable logging for EC | ||||
| > | S `RunTask` or `CreateService` events. - Azure Monitor: | ||||
| > | Enable activity logging for container group creation. - | ||||
| > | GCP Cloud Logging: Monitor API calls such as `container.proj | ||||
| > | ects.zones.clusters.create`. - SIEM Integration: Use a SIEM | ||||
| > | to collect logs from Docker, Kubernetes, or cloud platforms. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | \"Container Enumeration\" data component captures events and a | t | 1 | \"Container Enumeration\" data component captures events and a |
| > | ctions related to listing and identifying active or availabl | > | ctions related to listing and identifying active or availabl | ||
| > | e containers within a containerized environment. This includ | > | e containers within a containerized environment. This includ | ||
| > | es information about running, stopped, or configured contain | > | es information about running, stopped, or configured contain | ||
| > | ers, such as their names, IDs, statuses, or associated image | > | ers, such as their names, IDs, statuses, or associated image | ||
| > | s. Monitoring this activity is crucial for detecting unautho | > | s. Monitoring this activity is crucial for detecting unautho | ||
| > | rized discovery or reconnaissance efforts. Examples: - Doc | > | rized discovery or reconnaissance efforts. Examples: - Doc | ||
| > | ker Example: `docker ps`, `docker ps -a` - Kubernetes Exampl | > | ker Example: `docker ps`, `docker ps -a` - Kubernetes Exampl | ||
| > | e: `kubectl get pods`, `kubectl get deployments` - Cloud Con | > | e: `kubectl get pods`, `kubectl get deployments` - Cloud Con | ||
| > | tainer Services Example - AWS ECS: API Call: ListTasks o | > | tainer Services Example - AWS ECS: API Call: ListTasks o | ||
| > | r ListContainers - Azure Kubernetes Service: API Call: L | > | r ListContainers - Azure Kubernetes Service: API Call: L | ||
| > | ist pod or container instances. - Google Kubernetes Engi | > | ist pod or container instances. - Google Kubernetes Engi | ||
| > | ne (GKE): API Call: Retrieve deployments and their associate | > | ne (GKE): API Call: Retrieve deployments and their associate | ||
| > | d containers. This data component can be collected through | > | d containers. | ||
| > | the following measures: - Docker Audit Logging: Enable Dock | ||||
| > | er daemon logging to capture enumeration commands. Use tools | ||||
| > | like auditd to monitor terminal activity involving docker p | ||||
| > | s or similar commands. - Kubernetes Audit Logs: Enable Kuber | ||||
| > | netes API server audit logging. Capture events where users q | ||||
| > | uery resources such as pods, deployments, or services. - Clo | ||||
| > | ud Provider Logs - AWS CloudTrail: Enable logging for AP | ||||
| > | I calls like ListTasks or DescribeTasks. - Azure Monitor | ||||
| > | : Enable activity logging to track container-related queries | ||||
| > | . - GCP Cloud Logging: Track API events involving contai | ||||
| > | ner enumerations or deployments. - SIEM Integration: Collect | ||||
| > | logs from Docker, Kubernetes, and cloud services for centra | ||||
| > | lized analysis. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Refers to the act of accessing a data storage device, such a | t | 1 | Refers to the act of accessing a data storage device, such a |
| > | s a hard drive, SSD, USB, or network-mounted drive. This dat | > | s a hard drive, SSD, USB, or network-mounted drive. This dat | ||
| > | a component logs the opening or mounting of drives, capturin | > | a component logs the opening or mounting of drives, capturin | ||
| > | g activities such as reading, writing, or executing files wi | > | g activities such as reading, writing, or executing files wi | ||
| > | thin an assigned drive letter (e.g., `C:\\`, `/mnt/drive`) or | > | thin an assigned drive letter (e.g., `C:\\`, `/mnt/drive`) or | ||
| > | mount point. Examples: - Removable Drive Insertion: A USB | > | mount point. Examples: - Removable Drive Insertion: A USB | ||
| > | drive is inserted, assigned the letter `F:\\`, and files are | > | drive is inserted, assigned the letter `F:\\`, and files are | ||
| > | accessed. - Network Drive Mounting: A network share `\\\\serv | > | accessed. - Network Drive Mounting: A network share `\\\\serv | ||
| > | er\\share` is mapped to the drive `Z:\\`. - External Hard Driv | > | er\\share` is mapped to the drive `Z:\\`. - External Hard Driv | ||
| > | e Access: An external drive is connected, mounted at `/mnt/b | > | e Access: An external drive is connected, mounted at `/mnt/b | ||
| > | ackup`, and accessed for copying files. - System Volume Acce | > | ackup`, and accessed for copying files. - System Volume Acce | ||
| > | ss: The system volume `C:\\` is accessed for modifications to | > | ss: The system volume `C:\\` is accessed for modifications to | ||
| > | critical files. - Cloud-Synced Drives: Cloud storage drives | > | critical files. - Cloud-Synced Drives: Cloud storage drives | ||
| > | like OneDrive or Google Drive are accessed via local mounts | > | like OneDrive or Google Drive are accessed via local mounts | ||
| > | . This data component can be collected through the followin | > | . | ||
| > | g measures: Windows Event Logs - Relevant Events: - Eve | ||||
| > | nt ID 4663: Logs access to file or folder objects. - Eve | ||||
| > | nt ID 4656: Tracks a handle to an object like a drive or fil | ||||
| > | e. - Configuration: - Enable auditing for \"Object Access | ||||
| > | \" in Local Security Policy. - Use Group Policy for broad | ||||
| > | er deployment: `Computer Configuration > Windows Settings > | ||||
| > | Security Settings > Advanced Audit Policy Configuration > Ob | ||||
| > | ject Access` Linux System Logs - Command-Line Monitoring: | ||||
| > | Use the `dmesg` or `journalctl` command to monitor drive mou | ||||
| > | nt/unmount events. - Auditd Configuration: Add an audit rule | ||||
| > | for drive access: `auditctl -w /mnt/drive -p rwxa -k drive_ | ||||
| > | access` - Review logs via `/var/log/audit/audit.log`. macOS | ||||
| > | System Logs - Command-Line Monitoring: Use `diskutil list` | ||||
| > | or `fs_usage` to monitor drive access and mount points. - U | ||||
| > | nified Logs: Query unified logs using log show for drive-rel | ||||
| > | ated activities: `log show --info | grep \"mount\"` Endpoint | ||||
| > | Detection and Response (EDR) Tools - Use EDR solutions to m | ||||
| > | onitor drive activities and collect detailed forensic data. | ||||
| > | SIEM Tools - Ingest logs from endpoints to detect drive ac | ||||
| > | cess patterns. Configure rules to alert on unusual or unauth | ||||
| > | orized drive access. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The activity of assigning a new drive letter or creating a m | t | 1 | The activity of assigning a new drive letter or creating a m |
| > | ount point for a data storage device, such as a USB, network | > | ount point for a data storage device, such as a USB, network | ||
| > | share, or external hard drive, enabling access to its conte | > | share, or external hard drive, enabling access to its conte | ||
| > | nt on a host system. Examples: - USB Drive Insertion: A US | > | nt on a host system. Examples: - USB Drive Insertion: A US | ||
| > | B drive is plugged in and automatically assigned the letter | > | B drive is plugged in and automatically assigned the letter | ||
| > | `E:\\` on a Windows machine. - Network Drive Mapping: A netwo | > | `E:\\` on a Windows machine. - Network Drive Mapping: A netwo | ||
| > | rk share `\\\\server\\share` is mapped to the drive `Z:\\`. - Vi | > | rk share `\\\\server\\share` is mapped to the drive `Z:\\`. - Vi | ||
| > | rtual Drive Creation: A virtual disk is mounted on `/mnt/vir | > | rtual Drive Creation: A virtual disk is mounted on `/mnt/vir | ||
| > | tualdrive` using an ISO image or a virtual hard disk (VHD). | > | tualdrive` using an ISO image or a virtual hard disk (VHD). | ||
| > | - Cloud Storage Mounting: Google Drive is mounted as `G:\\` o | > | - Cloud Storage Mounting: Google Drive is mounted as `G:\\` o | ||
| > | n a Windows machine using a cloud sync tool. - External Stor | > | n a Windows machine using a cloud sync tool. - External Stor | ||
| > | age Integration: An external HDD or SSD is connected and ass | > | age Integration: An external HDD or SSD is connected and ass | ||
| > | igned `/mnt/external` on a Linux system. This data componen | > | igned `/mnt/external` on a Linux system.. | ||
| > | t can be collected through the following measures: Windows | ||||
| > | Event Logs - Relevant Events: - Event ID 98: Logs the c | ||||
| > | reation of a volume (mount or new drive letter assignment). | ||||
| > | - Event ID 1006: Logs removable storage device insertion | ||||
| > | s. - Configuration: Enable \"Removable Storage Events\" in the | ||||
| > | Group Policy settings: `Computer Configuration > Administra | ||||
| > | tive Templates > System > Removable Storage Access` Linux S | ||||
| > | ystem Logs - Command-Line Monitoring: Use `dmesg` or `journ | ||||
| > | alctl` to monitor mount events. - Auditd Configuration: Add | ||||
| > | audit rules to track mount points. - Logs can be reviewed i | ||||
| > | n /var/log/audit/audit.log. macOS System Logs - Unified Lo | ||||
| > | gs: Monitor system logs for mount activity: - Command-Line T | ||||
| > | ools: Use `diskutil list` to verify newly created or mounted | ||||
| > | drives. Endpoint Detection and Response (EDR) Tools - EDR | ||||
| > | solutions can log removable drive usage and network-mounted | ||||
| > | drives. Configure EDR policies to alert on suspicious drive | ||||
| > | creation events. SIEM Tools - Centralize logs from multip | ||||
| > | le platforms into a SIEM (e.g., Splunk) to correlate and ale | ||||
| > | rt on suspicious drive creation activities. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The process of attaching a driver, which is a software compo | t | 1 | The process of attaching a driver, which is a software compo |
| > | nent that allows the operating system and applications to in | > | nent that allows the operating system and applications to in | ||
| > | teract with hardware devices, to either user-mode or kernel- | > | teract with hardware devices, to either user-mode or kernel- | ||
| > | mode of a system. This can include benign actions (e.g., har | > | mode of a system. This can include benign actions (e.g., har | ||
| > | dware drivers) or malicious behavior (e.g., rootkits or unsi | > | dware drivers) or malicious behavior (e.g., rootkits or unsi | ||
| > | gned drivers). Examples: - Legitimate Driver Loading: A ne | > | gned drivers). Examples: - Legitimate Driver Loading: A ne | ||
| > | w graphics driver from a vendor like NVIDIA or AMD is loaded | > | w graphics driver from a vendor like NVIDIA or AMD is loaded | ||
| > | into the system. - Unsigned Driver Loading: A driver withou | > | into the system. - Unsigned Driver Loading: A driver withou | ||
| > | t a valid digital signature is loaded into the kernel. - Roo | > | t a valid digital signature is loaded into the kernel. - Roo | ||
| > | tkit Installation: A malicious rootkit driver is loaded to m | > | tkit Installation: A malicious rootkit driver is loaded to m | ||
| > | anipulate kernel-mode processes. - Anti-Virus or EDR Driver | > | anipulate kernel-mode processes. - Anti-Virus or EDR Driver | ||
| > | Loading: An Endpoint Detection and Response (EDR) solution l | > | Loading: An Endpoint Detection and Response (EDR) solution l | ||
| > | oads its driver to monitor system activities. - Driver Misus | > | oads its driver to monitor system activities. - Driver Misus | ||
| > | e: A legitimate driver is loaded and exploited to execute ma | > | e: A legitimate driver is loaded and exploited to execute ma | ||
| > | licious actions, such as using vulnerable drivers for bypass | > | licious actions, such as using vulnerable drivers for bypass | ||
| > | ing defenses (e.g., Bring Your Own Vulnerable Driver (BYOVD) | > | ing defenses (e.g., Bring Your Own Vulnerable Driver (BYOVD) | ||
| > | attacks). This data component can be collected through the | > | attacks). | ||
| > | following measures: Windows - Sysmon Logs: - Event I | ||||
| > | D 6: Captures driver loading activity, including file path, | ||||
| > | hashes, and signature information. - Configuration: Ensu | ||||
| > | re Sysmon is configured with a ruleset that monitors driver | ||||
| > | loading events - Windows Event Logs: Enable \"Audit Kernel Ob | ||||
| > | ject\" to capture kernel-related driver loading events. Linu | ||||
| > | x - Auditd: Configure audit rules to capture driver loading | ||||
| > | events: `auditctl -w /lib/modules/ -p rwxa -k driver_load` | ||||
| > | - Kernel Logs (dmesg): Use dmesg to monitor driver-related a | ||||
| > | ctivities: `dmesg | grep \"module\"` - Syslog or journald: Rev | ||||
| > | iew logs for module insertion or removal activities. macOS | ||||
| > | - Unified Logs: Use the macOS unified logging system to mon | ||||
| > | itor kext (kernel extension) loads: `log show --predicate 'e | ||||
| > | ventMessage contains \"kext load\"'` - Endpoint Security Frame | ||||
| > | work: Monitor driver loading via third-party security tools | ||||
| > | that leverage Apple\u2019s Endpoint Security Framework. SIEM Too | ||||
| > | ls - Ingest driver load logs from Sysmon, Auditd, or macOS | ||||
| > | unified logs into a centralized SIEM (e.g., Splunk). - Creat | ||||
| > | e rules to detect unsigned drivers, rootkit activity, or kno | ||||
| > | wn vulnerable drivers. EDR Solutions - Use EDR tools to de | ||||
| > | tect and alert on anomalous driver loading activity. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | To events where a file is opened or accessed, making its con | t | 1 | To events where a file is opened or accessed, making its con |
| > | tents available to the requester. This includes reading, exe | > | tents available to the requester. This includes reading, exe | ||
| > | cuting, or interacting with files by authorized or unauthori | > | cuting, or interacting with files by authorized or unauthori | ||
| > | zed entities. Examples include logging file access events (e | > | zed entities. Examples include logging file access events (e | ||
| > | .g., Windows Event ID 4663), monitoring file reads, and dete | > | .g., Windows Event ID 4663), monitoring file reads, and dete | ||
| > | cting unusual file access patterns. Examples: - File Read | > | cting unusual file access patterns. Examples: - File Read | ||
| > | Operations: A user opens a sensitive document (e.g., financi | > | Operations: A user opens a sensitive document (e.g., financi | ||
| > | al_report.xlsx) on a shared drive. - File Execution: A scrip | > | al_report.xlsx) on a shared drive. - File Execution: A scrip | ||
| > | t or executable file is accessed and executed (e.g., malware | > | t or executable file is accessed and executed (e.g., malware | ||
| > | .exe is run from a temporary directory). - Unauthorized File | > | .exe is run from a temporary directory). - Unauthorized File | ||
| > | Access: An unauthorized user attempts to access a protected | > | Access: An unauthorized user attempts to access a protected | ||
| > | configuration file (e.g., `/etc/passwd` on Linux or `System | > | configuration file (e.g., `/etc/passwd` on Linux or `System | ||
| > | 32` files on Windows). - File Access Patterns: Bulk access t | > | 32` files on Windows). - File Access Patterns: Bulk access t | ||
| > | o multiple files in a short time (e.g., mass access to docum | > | o multiple files in a short time (e.g., mass access to docum | ||
| > | ents on a file server). - File Access via Network: Files on | > | ents on a file server). - File Access via Network: Files on | ||
| > | a network share are accessed remotely (e.g., logs of SMB fil | > | a network share are accessed remotely (e.g., logs of SMB fil | ||
| > | e access). This data component can be collected through the | > | e access). | ||
| > | following measures: Windows - Windows Event Logs: Event I | ||||
| > | D 4663: Captures file system auditing details, including who | ||||
| > | accessed the file, access type, and file name. - Sysmon: | ||||
| > | - Event ID 11: Logs file creation time changes. - Even | ||||
| > | t ID 1 (process creation): Can provide insight into files ex | ||||
| > | ecuted. - PowerShell: Commands to monitor file access in rea | ||||
| > | l-time: `Get-WinEvent -FilterHashtable @{LogName='Security'; | ||||
| > | ID=4663}` Linux - Auditd: Monitor file access events usin | ||||
| > | g audit rules: `auditctl -w /path/to/file -p rwxa -k file_ac | ||||
| > | cess` - View logs: `ausearch -k file_access` - Inotify: Use | ||||
| > | inotify to track file access on Linux: `inotifywait -m /path | ||||
| > | /to/watch -e access` macOS - Unified Logs: Monitor file ac | ||||
| > | cess using the macOS Unified Logging System. - FSEvents: Fil | ||||
| > | e System Events can track file accesses: `fs_usage | grep op | ||||
| > | en` Network Devices - SMB/CIFS Logs: Monitor file access o | ||||
| > | ver network shares using logs from SMB or CIFS protocol. - N | ||||
| > | AS Logs: Collect logs from network-attached storage systems | ||||
| > | for file access events. SIEM Integration - Collect file ac | ||||
| > | cess logs from all platforms (Windows, Linux, macOS) and cen | ||||
| > | tralize in a SIEM for correlation and analysis. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | A new file is created on a system or network storage. This a | t | 1 | A new file is created on a system or network storage. This a |
| > | ction often signifies an operation such as saving a document | > | ction often signifies an operation such as saving a document | ||
| > | , writing data, or deploying a file. Logging these events he | > | , writing data, or deploying a file. Logging these events he | ||
| > | lps identify legitimate or potentially malicious file creati | > | lps identify legitimate or potentially malicious file creati | ||
| > | on activities. Examples include logging file creation events | > | on activities. Examples include logging file creation events | ||
| > | (e.g., Sysmon Event ID 11 or Linux auditd logs). This dat | > | (e.g., Sysmon Event ID 11 or Linux auditd logs). | ||
| > | a component can be collected through the following measures: | ||||
| > | Windows - Sysmon: Event ID 11: Logs file creation events, | ||||
| > | capturing details like the file path, hash, and creation ti | ||||
| > | me. - Windows Event Log: Enable \"Object Access\" auditing in | ||||
| > | Group Policy to track file creation under Event ID 4663. - P | ||||
| > | owerShell: Real-time monitoring of file creation:`Get-WinEve | ||||
| > | nt -FilterHashtable @{LogName='Security'; ID=4663}` Linux | ||||
| > | - Auditd: Use audit rules to monitor file creation: `auditct | ||||
| > | l -w /path/to/directory -p w -k file_creation` - View logs: | ||||
| > | `ausearch -k file_creation` - Inotify: Monitor file creation | ||||
| > | with inotifywait: `inotifywait -m /path/to/watch -e create` | ||||
| > | macOS - Unified Logs: Use the macOS Unified Logging Syste | ||||
| > | m to capture file creation events. - FSEvents: Use File Syst | ||||
| > | em Events to monitor file creation: `fs_usage | grep create` | ||||
| > | Network Devices - NAS Logs: Monitor file creation events | ||||
| > | on network-attached storage devices. - SMB Logs: Collect log | ||||
| > | s of file creation activities over SMB/CIFS protocols. SIEM | ||||
| > | Integration - Forward logs from all platforms (Windows, Li | ||||
| > | nux, macOS) to a SIEM for central analysis and alerting. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Refers to events where files are removed from a system or st | t | 1 | Refers to events where files are removed from a system or st |
| > | orage device. These events can indicate legitimate housekeep | > | orage device. These events can indicate legitimate housekeep | ||
| > | ing activities or malicious actions such as attackers attemp | > | ing activities or malicious actions such as attackers attemp | ||
| > | ting to cover their tracks. Monitoring file deletions helps | > | ting to cover their tracks. Monitoring file deletions helps | ||
| > | organizations identify unauthorized or suspicious activities | > | organizations identify unauthorized or suspicious activities | ||
| > | . This data component can be collected through the followin | > | . | ||
| > | g measures: Windows - Sysmon: Event ID 23: Logs file delet | ||||
| > | ion events, including details such as file paths and respons | ||||
| > | ible processes. - Windows Event Log: Enable \"Object Access\" | ||||
| > | auditing to monitor file deletions. - PowerShell: `Get-WinEv | ||||
| > | ent -FilterHashtable @{LogName='Security'; ID=4663} | Where- | ||||
| > | Object {$_.Message -like '*DELETE*'}` Linux - Auditd: Use | ||||
| > | audit rules to capture file deletion events: `auditctl -a al | ||||
| > | ways,exit -F arch=b64 -S unlink -S rename -S rmdir -k file_d | ||||
| > | eletion` - Query logs: `ausearch -k file_deletion` - Inotify | ||||
| > | : Use inotifywait to monitor file deletions: `inotifywait -m | ||||
| > | /path/to/watch -e delete` macOS - Endpoint Security Frame | ||||
| > | work (ESF): Monitor events like ES_EVENT_TYPE_AUTH_UNLINK to | ||||
| > | capture file deletion activities. - FSEvents: Track file de | ||||
| > | letion activities in real-time: `fs_usage | grep unlink` SI | ||||
| > | EM Integration - Forward file deletion logs to a SIEM for c | ||||
| > | entralized monitoring and correlation with other events. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | contextual information about a file, including attributes su | t | 1 | contextual information about a file, including attributes su |
| > | ch as the file's name, size, type, content (e.g., signatures | > | ch as the file's name, size, type, content (e.g., signatures | ||
| > | , headers, media), user/owner, permissions, timestamps, and | > | , headers, media), user/owner, permissions, timestamps, and | ||
| > | other related properties. File metadata provides insights in | > | other related properties. File metadata provides insights in | ||
| > | to a file's characteristics and can be used to detect malici | > | to a file's characteristics and can be used to detect malici | ||
| > | ous activity, unauthorized modifications, or other anomalies | > | ous activity, unauthorized modifications, or other anomalies | ||
| > | . Examples: - File Ownership and Permissions: Checking the | > | . Examples: - File Ownership and Permissions: Checking the | ||
| > | owner and permissions of a critical configuration file like | > | owner and permissions of a critical configuration file like | ||
| > | /etc/passwd on Linux or C:\\Windows\\System32\\config\\SAM on W | > | /etc/passwd on Linux or C:\\Windows\\System32\\config\\SAM on W | ||
| > | indows. - Timestamps: Analyzing the creation, modification, | > | indows. - Timestamps: Analyzing the creation, modification, | ||
| > | and access timestamps of a file. - File Content and Signatur | > | and access timestamps of a file. - File Content and Signatur | ||
| > | es: Extracting the headers of an executable file to verify i | > | es: Extracting the headers of an executable file to verify i | ||
| > | ts signature or detect packing/obfuscation. - File Attribute | > | ts signature or detect packing/obfuscation. - File Attribute | ||
| > | s: Analyzing attributes like hidden, system, or read-only fl | > | s: Analyzing attributes like hidden, system, or read-only fl | ||
| > | ags in Windows. - File Hashes: Generating MD5, SHA-1, or SHA | > | ags in Windows. - File Hashes: Generating MD5, SHA-1, or SHA | ||
| > | -256 hashes of files to compare against threat intelligence | > | -256 hashes of files to compare against threat intelligence | ||
| > | feeds. - File Location: Monitoring files located in unusual | > | feeds. - File Location: Monitoring files located in unusual | ||
| > | directories or paths, such as temporary or user folders. Th | > | directories or paths, such as temporary or user folders. | ||
| > | is data component can be collected through the following mea | ||||
| > | sures: Windows - Sysinternals Tools: Use `AccessEnum` or ` | ||||
| > | PSFile` to retrieve metadata about file access and permissio | ||||
| > | ns. - Windows Event Logs: Enable object access auditing and | ||||
| > | monitor events like 4663 (Object Access) and 5140 (A network | ||||
| > | share object was accessed). - PowerShell: Use Get-Item or G | ||||
| > | et-ChildItem cmdlets: `Get-ChildItem -Path \"C:\\Path\\To\\Direc | ||||
| > | tory\" -Recurse | Select-Object Name, Length, LastWriteTime, | ||||
| > | Attributes` Linux - File System Commands: Use `ls -l` or s | ||||
| > | tat to retrieve file metadata: `stat /path/to/file` - Auditd | ||||
| > | : Configure audit rules to log metadata access: `auditctl -w | ||||
| > | /path/to/file -p wa -k file_metadata` - Filesystem Integrit | ||||
| > | y Tools: Tools like tripwire or AIDE (Advanced Intrusion Det | ||||
| > | ection Environment) can monitor file metadata changes. macO | ||||
| > | S - FSEvents: Use FSEvents to track file metadata changes. | ||||
| > | - Endpoint Security Framework (ESF): Capture metadata-relate | ||||
| > | d events via ESF APIs. - Command-Line Tools: Use ls -l or xa | ||||
| > | ttr for file attributes: `ls -l@ /path/to/file` SIEM Integr | ||||
| > | ation - Forward file metadata logs from endpoint or network | ||||
| > | devices to a SIEM for centralized analysis. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Changes made to a file, including updates to its contents, m | t | 1 | Changes made to a file, including updates to its contents, m |
| > | etadata, access permissions, or attributes. These modificati | > | etadata, access permissions, or attributes. These modificati | ||
| > | ons may indicate legitimate activity (e.g., software updates | > | ons may indicate legitimate activity (e.g., software updates | ||
| > | ) or unauthorized changes (e.g., tampering, ransomware, or a | > | ) or unauthorized changes (e.g., tampering, ransomware, or a | ||
| > | dversarial modifications). Examples: - Content Modificatio | > | dversarial modifications). Examples: - Content Modificatio | ||
| > | ns: Changes to the content of a configuration file, such as | > | ns: Changes to the content of a configuration file, such as | ||
| > | modifying `/etc/ssh/sshd_config` on Linux or `C:\\Windows\\Sys | > | modifying `/etc/ssh/sshd_config` on Linux or `C:\\Windows\\Sys | ||
| > | tem32\\drivers\\etc\\hosts` on Windows. - Permission Changes: A | > | tem32\\drivers\\etc\\hosts` on Windows. - Permission Changes: A | ||
| > | ltering file permissions to allow broader access, such as ch | > | ltering file permissions to allow broader access, such as ch | ||
| > | anging a file from `644` to `777` on Linux or modifying NTFS | > | anging a file from `644` to `777` on Linux or modifying NTFS | ||
| > | permissions on Windows. - Attribute Modifications: Changing | > | permissions on Windows. - Attribute Modifications: Changing | ||
| > | a file's attributes to hidden, read-only, or system on Wind | > | a file's attributes to hidden, read-only, or system on Wind | ||
| > | ows. - Timestamp Manipulation: Adjusting a file's creation o | > | ows. - Timestamp Manipulation: Adjusting a file's creation o | ||
| > | r modification timestamp using tools like `touch` in Linux o | > | r modification timestamp using tools like `touch` in Linux o | ||
| > | r timestomping tools on Windows. - Software or System File C | > | r timestomping tools on Windows. - Software or System File C | ||
| > | hanges: Modifying system files such as `boot.ini`, kernel mo | > | hanges: Modifying system files such as `boot.ini`, kernel mo | ||
| > | dules, or application binaries. This data component can be | > | dules, or application binaries. | ||
| > | collected through the following measures: Windows - Event | ||||
| > | Logs: Enable file system auditing to monitor file modificati | ||||
| > | ons using Security Event ID 4670 (File System Audit) or Sysm | ||||
| > | on Event ID 2 (File creation time changed). - PowerShell: Us | ||||
| > | e Get-ItemProperty or Get-Acl cmdlets to monitor file proper | ||||
| > | ties: `Get-Item -Path \"C:\\path\\to\\file\" | Select-Object Name | ||||
| > | , Attributes, LastWriteTime` Linux - File System Monitorin | ||||
| > | g: Use tools like auditd with rules to monitor file modifica | ||||
| > | tions: `auditctl -w /path/to/file -p wa -k file_modification | ||||
| > | ` - Inotify: Use inotifywait to watch for real-time changes | ||||
| > | to files or directories: `inotifywait -m /path/to/file` mac | ||||
| > | OS - Endpoint Security Framework (ESF): Monitor file modifi | ||||
| > | cation events using ESF APIs. - Audit Framework: Configure a | ||||
| > | udit rules to track file changes. - Command-Line Tools: Use | ||||
| > | fs_usage to monitor file activities: `fs_usage -w /path/to/f | ||||
| > | ile` SIEM Tools - Collect logs from endpoint agents (e.g., | ||||
| > | Sysmon, Auditd) and file servers to centralize file modific | ||||
| > | ation event data. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Querying and extracting a list of available firewalls or the | t | 1 | Querying and extracting a list of available firewalls or the |
| > | ir associated configurations and rules. This activity can oc | > | ir associated configurations and rules. This activity can oc | ||
| > | cur across host systems and cloud control planes, providing | > | cur across host systems and cloud control planes, providing | ||
| > | insight into the state and configuration of firewalls that p | > | insight into the state and configuration of firewalls that p | ||
| > | rotect the environment. Examples: - Querying Host-Based Fi | > | rotect the environment. Examples: - Querying Host-Based Fi | ||
| > | rewalls: Using Windows PowerShell commands like `Get-NetFire | > | rewalls: Using Windows PowerShell commands like `Get-NetFire | ||
| > | wallRule` or Linux commands such as `iptables -L` or `firewa | > | wallRule` or Linux commands such as `iptables -L` or `firewa | ||
| > | lld --list-all`. - Cloud Firewall Rule Listing: Running comm | > | lld --list-all`. - Cloud Firewall Rule Listing: Running comm | ||
| > | ands like `az network firewall list` for Azure or `aws ec2 d | > | ands like `az network firewall list` for Azure or `aws ec2 d | ||
| > | escribe-security-groups` for AWS. - Using Management APIs: L | > | escribe-security-groups` for AWS. - Using Management APIs: L | ||
| > | everaging APIs like Google Cloud Firewall's `list` API metho | > | everaging APIs like Google Cloud Firewall's `list` API metho | ||
| > | d or AWS's DescribeSecurityGroups API. Identifying Misconfig | > | d or AWS's DescribeSecurityGroups API. Identifying Misconfig | ||
| > | urations: Extracting firewall rules to identify \u201callow all\u201d | > | urations: Extracting firewall rules to identify \u201callow all\u201d | ||
| > | policies or rules that lack logging. - Enumerating with CLI | > | policies or rules that lack logging. - Enumerating with CLI | ||
| > | Tools: Using CLI commands like `gcloud compute firewall-rule | > | Tools: Using CLI commands like `gcloud compute firewall-rule | ||
| > | s list` to extract firewall settings in Google Cloud. This | > | s list` to extract firewall settings in Google Cloud. | ||
| > | data component can be collected through the following measur | ||||
| > | es: Cloud Control Plane - Azure Activity Logs:Collect logs | ||||
| > | from Azure Firewall to monitor rule listing commands. Enabl | ||||
| > | e logging for `az network firewall` commands. - AWS CloudTra | ||||
| > | il: Monitor calls to `DescribeSecurityGroups` or `DescribeNe | ||||
| > | tworkAcls` APIs. Google Cloud Operations Suite: Collect logs | ||||
| > | for `gcloud compute firewall-rules list` or API calls to `f | ||||
| > | irewalls.list`. Host-Based Firewalls - Windows Event Logs: | ||||
| > | Use PowerShell transcription logs to capture commands like | ||||
| > | `Get-NetFirewallRule`. - Linux Auditd: Track executions of c | ||||
| > | ommands like `iptables -L` or `ufw status` using auditd: `au | ||||
| > | ditctl -a always,exit -F arch=b64 -S execve -k firewall_enum | ||||
| > | ` - macOS: Monitor logs for firewall-related queries via the | ||||
| > | Console app or log monitoring tools. SIEM Integration - C | ||||
| > | ollect logs from endpoints and cloud platforms to centralize | ||||
| > | data and detect enumeration activity. Endpoint Detection a | ||||
| > | nd Response (EDR) - Use EDR tools to track enumeration comm | ||||
| > | ands or API calls performed on managed devices. CSPM Tools | ||||
| > | - Deploy Cloud Security Posture Management tools to monitor | ||||
| > | for unauthorized enumeration of firewall rules or configura | ||||
| > | tions. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Initial construction of a virtual machine image within a clo | t | 1 | Initial construction of a virtual machine image within a clo |
| > | ud environment. Virtual machine images are templates contain | > | ud environment. Virtual machine images are templates contain | ||
| > | ing an operating system and installed applications, which ca | > | ing an operating system and installed applications, which ca | ||
| > | n be deployed to create new virtual machines. Monitoring the | > | n be deployed to create new virtual machines. Monitoring the | ||
| > | creation of these images is important because adversaries m | > | creation of these images is important because adversaries m | ||
| > | ay create custom images to include malicious software or mis | > | ay create custom images to include malicious software or mis | ||
| > | configurations for later exploitation. Examples: - Azure C | > | configurations for later exploitation. Examples: - Azure C | ||
| > | ompute Service Image Creation - Example: Creating a virt | > | ompute Service Image Creation - Example: Creating a virt | ||
| > | ual machine image in Azure using Azure CLI: `az image create | > | ual machine image in Azure using Azure CLI: `az image create | ||
| > | --resource-group MyResourceGroup --name MyImage --source My | > | --resource-group MyResourceGroup --name MyImage --source My | ||
| > | VM` - AWS EC2 AMI (Amazon Machine Image) Creation - Exam | > | VM` - AWS EC2 AMI (Amazon Machine Image) Creation - Exam | ||
| > | ple: Creating an AMI from an EC2 instance: `aws ec2 create-i | > | ple: Creating an AMI from an EC2 instance: `aws ec2 create-i | ||
| > | mage --instance-id i-1234567890abcdef0 --name \"MyAMI\" --desc | > | mage --instance-id i-1234567890abcdef0 --name \"MyAMI\" --desc | ||
| > | ription \"An AMI for my app\"` - Google Cloud Compute Engine I | > | ription \"An AMI for my app\"` - Google Cloud Compute Engine I | ||
| > | mage Creation - Example: Creating a custom image using g | > | mage Creation - Example: Creating a custom image using g | ||
| > | cloud: `gcloud compute images create my-custom-image --sourc | > | cloud: `gcloud compute images create my-custom-image --sourc | ||
| > | e-disk my-disk --source-disk-zone us-central1-a` - VMware vS | > | e-disk my-disk --source-disk-zone us-central1-a` - VMware vS | ||
| > | phere - Example: Exporting a VM to create an OVF (Open V | > | phere - Example: Exporting a VM to create an OVF (Open V | ||
| > | irtualization Format) template: This could later be imported | > | irtualization Format) template: This could later be imported | ||
| > | into other environments with potential tampering. This dat | > | into other environments with potential tampering. | ||
| > | a component can be collected through the following measures: | ||||
| > | Enable Cloud Platform Logging - Azure: Enable \"Activity L | ||||
| > | ogs\" to capture image-related events such as PUT requests to | ||||
| > | `Microsoft.Compute/images`. - AWS: Use AWS CloudTrail to mo | ||||
| > | nitor `CreateImage` API calls. - Google Cloud: Enable \"Cloud | ||||
| > | Audit Logs\" to track custom image creation events under `co | ||||
| > | mpute.googleapis.com/images`. API Monitoring - Monitor API | ||||
| > | activity to track the creation of new images using: - A | ||||
| > | WS SDK/CLI `CreateImage`. - Azure REST API for image cre | ||||
| > | ation. - Google Cloud Compute Engine APIs. Cloud SIEM I | ||||
| > | ntegration - Ingest cloud platform logs into a centralized | ||||
| > | SIEM for real-time monitoring and alerting. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | contextual information associated with a virtual machine ima | t | 1 | contextual information associated with a virtual machine ima |
| > | ge, such as its name, resource group, status (active or inac | > | ge, such as its name, resource group, status (active or inac | ||
| > | tive), type (custom or prebuilt), size, creation date, and p | > | tive), type (custom or prebuilt), size, creation date, and p | ||
| > | ermissions. This metadata is critical for understanding the | > | ermissions. This metadata is critical for understanding the | ||
| > | state and configuration of virtual machine images in cloud e | > | state and configuration of virtual machine images in cloud e | ||
| > | nvironments. Examples: - Azure Compute Service Image Metad | > | nvironments. Examples: - Azure Compute Service Image Metad | ||
| > | ata Example: - Name: MyCustomImage - Resource Group: | > | ata Example: - Name: MyCustomImage - Resource Group: | ||
| > | MyResourceGroup - State: Available - Type: Managed | > | MyResourceGroup - State: Available - Type: Managed | ||
| > | Image - AWS EC2 AMI Metadata Example: - Image ID: ami-12 | > | Image - AWS EC2 AMI Metadata Example: - Image ID: ami-12 | ||
| > | 34567890abcdef0 - Name: ProdImage - State: Available | > | 34567890abcdef0 - Name: ProdImage - State: Available | ||
| > | - Platform: Windows - Google Cloud Compute Engine Image | > | - Platform: Windows - Google Cloud Compute Engine Image | ||
| > | Metadata Example: - Image Name: webserver-image - P | > | Metadata Example: - Image Name: webserver-image - P | ||
| > | roject: my-project-id - Family: webserver - Source D | > | roject: my-project-id - Family: webserver - Source D | ||
| > | isk: my-disk-id - VMware vSphere Template Metadata Example: | > | isk: my-disk-id - VMware vSphere Template Metadata Example: | ||
| > | - Name: LinuxTemplate - Disk Size: 40GB - Networ | > | - Name: LinuxTemplate - Disk Size: 40GB - Networ | ||
| > | k Adapter: VM Network This data component can be collected | > | k Adapter: VM Network | ||
| > | through the following measures: Cloud Platform-Specific Too | ||||
| > | ls - Azure: - Use Azure CLI to query metadata: `az imag | ||||
| > | e show --name MyCustomImage --resource-group MyResourceGroup | ||||
| > | ` - AWS: - Use AWS CLI to describe AMI metadata: `aws ec | ||||
| > | 2 describe-images --image-ids ami-1234567890abcdef0` - Googl | ||||
| > | e Cloud: - Use Google Cloud SDK to retrieve image metada | ||||
| > | ta: `gcloud compute images describe webserver-image` APIs | ||||
| > | - Azure: `GET /subscriptions/{subscriptionId}/resourceGroup | ||||
| > | s/{resourceGroupName}/providers/Microsoft.Compute/images/{im | ||||
| > | ageName}` - AWS: `DescribeImages` API. - Google Cloud: `GET | ||||
| > | https://compute.googleapis.com/compute/v1/projects/{project} | ||||
| > | /global/images/{image}.` Cloud Management Portals - View m | ||||
| > | etadata directly from the cloud provider's management consol | ||||
| > | e or dashboard. SIEM Integration - Aggregate metadata into | ||||
| > | SIEM platforms for centralized monitoring: |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The initial provisioning and construction of a virtual machi | t | 1 | The initial provisioning and construction of a virtual machi |
| > | ne (VM) or compute instance within a cloud infrastructure en | > | ne (VM) or compute instance within a cloud infrastructure en | ||
| > | vironment. This activity involves defining and allocating re | > | vironment. This activity involves defining and allocating re | ||
| > | sources such as CPU, memory, storage, and networking to spin | > | sources such as CPU, memory, storage, and networking to spin | ||
| > | up a new compute instance. Examples: - AWS: creating an EC | > | up a new compute instance. Examples: - AWS: creating an EC | ||
| > | 2 instance using RunInstances API calls. - Azure, creating a | > | 2 instance using RunInstances API calls. - Azure, creating a | ||
| > | VM through the Azure Resource Manager (ARM). - GCP, an `ins | > | VM through the Azure Resource Manager (ARM). - GCP, an `ins | ||
| > | tance.insert` action recorded. *Data Collection Measures:* | > | tance.insert` action recorded. | ||
| > | - AWS CloudTrail: CloudTrail logs stored in S3 or accessibl | ||||
| > | e via CloudWatch. - Azure Activity Logs: Accessible in Azure | ||||
| > | Monitor or exported to a storage account. - GCP Audit Logs: | ||||
| > | Logs Explorer or BigQuery. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Removal of a virtual machine (VM) or compute instance within | t | 1 | Removal of a virtual machine (VM) or compute instance within |
| > | a cloud infrastructure. This activity results in the termin | > | a cloud infrastructure. This activity results in the termin | ||
| > | ation and deletion of the allocated resources (e.g., CPU, me | > | ation and deletion of the allocated resources (e.g., CPU, me | ||
| > | mory, storage), making the instance unavailable for future u | > | mory, storage), making the instance unavailable for future u | ||
| > | se. Examples: - AWS: instance deletion involves the `Termin | > | se. Examples: - AWS: instance deletion involves the `Termin | ||
| > | ateInstances` API call, which is recorded in CloudTrail logs | > | ateInstances` API call, which is recorded in CloudTrail logs | ||
| > | . - Azure: VM deletion can be monitored via Azure Activity L | > | . - Azure: VM deletion can be monitored via Azure Activity L | ||
| > | ogs, showing the `Microsoft.Compute/virtualMachines/delete` | > | ogs, showing the `Microsoft.Compute/virtualMachines/delete` | ||
| > | operation. - GCP: instance deletion is logged as an instance | > | operation. - GCP: instance deletion is logged as an instance | ||
| > | .delete operation within GCP Audit Logs. *Data Collection M | > | .delete operation within GCP Audit Logs. | ||
| > | easures: - AWS CloudTrail: CloudTrail logs stored in S3 or | ||||
| > | forwarded to CloudWatch. - Azure Activity Logs: Accessible | ||||
| > | via Azure Monitor or exported to a storage account. - GCP Au | ||||
| > | dit Logs: Logs Explorer or BigQuery. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The initiation or activation of a virtual machine instance w | t | 1 | The initiation or activation of a virtual machine instance w |
| > | ithin a cloud infrastructure. This action typically involves | > | ithin a cloud infrastructure. This action typically involves | ||
| > | starting an existing instance that had been stopped or paus | > | starting an existing instance that had been stopped or paus | ||
| > | ed, allowing it to resume operation. Examples: - Google Cl | > | ed, allowing it to resume operation. Examples: - Google Cl | ||
| > | oud Platform (GCP): Starting an instance through `instance.s | > | oud Platform (GCP): Starting an instance through `instance.s | ||
| > | tart` API activity. - AWS: Logging of `StartInstances` in AW | > | tart` API activity. - AWS: Logging of `StartInstances` in AW | ||
| > | S CloudTrail for EC2 instances. - Azure: `Microsoft.Compute/ | > | S CloudTrail for EC2 instances. - Azure: `Microsoft.Compute/ | ||
| > | virtualMachines/start` entries indicate a VM instance being | > | virtualMachines/start` entries indicate a VM instance being | ||
| > | started. *Data Collection Measures:* - Google Cloud Platfo | > | started. | ||
| > | rm: Enable GCP Audit Logs for Compute Engine. - Log Even | ||||
| > | t: Look for instance.start entries in Cloud Logging. - Amazo | ||||
| > | n Web Services (AWS): AWS CloudTrail. - Log Event: Searc | ||||
| > | h for StartInstances events associated with EC2. - Microsoft | ||||
| > | Azure: Azure Activity Logs. - Log Event: Filter for Mic | ||||
| > | rosoft.Compute/virtualMachines/start operations. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The successful establishment of a new user session following | t | 1 | The successful establishment of a new user session following |
| > | a successful authentication attempt. This typically signifi | > | a successful authentication attempt. This typically signifi | ||
| > | es that a user has provided valid credentials or authenticat | > | es that a user has provided valid credentials or authenticat | ||
| > | ion tokens, and the system has initiated a session associate | > | ion tokens, and the system has initiated a session associate | ||
| > | d with that user account. This data is crucial for tracking | > | d with that user account. This data is crucial for tracking | ||
| > | authentication events and identifying potential unauthorized | > | authentication events and identifying potential unauthorized | ||
| > | access. Examples: - Windows Systems - Event ID: 4624 | > | access. Examples: - Windows Systems - Event ID: 4624 | ||
| > | - Logon Type: 2 (Interactive) or 10 (Remote Interact | > | - Logon Type: 2 (Interactive) or 10 (Remote Interact | ||
| > | ive via RDP). - Account Name: JohnDoe - Sour | > | ive via RDP). - Account Name: JohnDoe - Sour | ||
| > | ce Network Address: 192.168.1.100 - Authentication P | > | ce Network Address: 192.168.1.100 - Authentication P | ||
| > | ackage: NTLM - Linux Systems - /var/log/utmp or /var/log | > | ackage: NTLM - Linux Systems - /var/log/utmp or /var/log | ||
| > | /wtmp: - Log format: login user [tty] from [source_i | > | /wtmp: - Log format: login user [tty] from [source_i | ||
| > | p] - User: jane - IP: 10.0.0.5 - Tim | > | p] - User: jane - IP: 10.0.0.5 - Tim | ||
| > | estamp: 2024-12-28 08:30:00 - macOS Systems - /var/log/a | > | estamp: 2024-12-28 08:30:00 - macOS Systems - /var/log/a | ||
| > | sl.log or unified logging framework: - Log: com.appl | > | sl.log or unified logging framework: - Log: com.appl | ||
| > | e.securityd: Authentication succeeded for user 'admin' - Clo | > | e.securityd: Authentication succeeded for user 'admin' - Clo | ||
| > | ud Environments - Azure Sign-In Logs: - Activity | > | ud Environments - Azure Sign-In Logs: - Activity | ||
| > | : Sign-in successful - Client App: Browser - | > | : Sign-in successful - Client App: Browser - | ||
| > | Location: Unknown (Country: X) - Google Workspace - Act | > | Location: Unknown (Country: X) - Google Workspace - Act | ||
| > | ivity: Login - Event Type: successful_login | > | ivity: Login - Event Type: successful_login | ||
| > | - Source IP: 203.0.113.55 This data component can be collec | > | - Source IP: 203.0.113.55 | ||
| > | ted through the following measures: - Windows Systems - | ||||
| > | Event Logs: Monitor Security Event Logs using Event ID 4624 | ||||
| > | for successful logons. - PowerShell Example: `Get-Event | ||||
| > | Log -LogName Security -InstanceId 4624` - Linux Systems | ||||
| > | - Log Files: Monitor `/var/log/utmp`, `/var/log/wtmp`, or `/ | ||||
| > | var/log/auth.log` for logon events. - Tools: Use `last` | ||||
| > | or `who` commands to parse login records. - macOS Systems | ||||
| > | - Log Sources: Monitor `/var/log/asl.log` or Apple Unified | ||||
| > | Logs using the `log show` command. - Command Example: ` | ||||
| > | log show --predicate 'eventMessage contains \"Authentication | ||||
| > | succeeded\"' --info` - Cloud Environments - Azure AD: Use | ||||
| > | Azure Monitor to analyze sign-in logs. Example CLI Query: ` | ||||
| > | az monitor log-analytics query -w <workspace_id> --analytics | ||||
| > | -query \"AzureActivity | where ActivityStatus == 'Success' an | ||||
| > | d OperationName == 'Sign-in'\"` - Google Workspace: Enabl | ||||
| > | e and monitor Login Audit logs from the Admin Console. - | ||||
| > | Office 365: Use Audit Log Search in Microsoft 365 Security | ||||
| > | & Compliance Center for login-related events. - Network Logs | ||||
| > | - Sources: Network authentication mechanisms (e.g., RAD | ||||
| > | IUS or TACACS logs). - Enable EDR Monitoring: - EDR too | ||||
| > | ls monitor logon session activity, including the creation of | ||||
| > | new sessions. - Configure alerts for: Suspicious logon | ||||
| > | types (e.g., Logon Type 10 for RDP or Type 5 for Service). L | ||||
| > | ogons from unusual locations, accounts, or devices. - Le | ||||
| > | verage EDR telemetry for session attributes like source IP, | ||||
| > | session duration, and originating process. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | When a process or program dynamically attaches a shared libr | t | 1 | When a process or program dynamically attaches a shared libr |
| > | ary, module, or plugin into its memory space. This action is | > | ary, module, or plugin into its memory space. This action is | ||
| > | typically performed to extend the functionality of an appli | > | typically performed to extend the functionality of an appli | ||
| > | cation, access shared system resources, or interact with ker | > | cation, access shared system resources, or interact with ker | ||
| > | nel-mode components. *Data Collection Measures:* - Event L | > | nel-mode components. | ||
| > | ogging (Windows): - Sysmon Event ID 7: Logs when a DLL i | ||||
| > | s loaded into a process. - Windows Security Event ID 468 | ||||
| > | 8: Captures process creation events, often useful for correl | ||||
| > | ating module loads. - Windows Defender ATP: Can provide | ||||
| > | visibility into suspicious module loads. - Event Logging (Li | ||||
| > | nux/macOS): - AuditD (`execve` and `open` syscalls): Cap | ||||
| > | tures when shared libraries (`.so` files) are loaded. - | ||||
| > | Ltrace/Strace: Monitors process behavior, including library | ||||
| > | calls (`dlopen`, `execve`). - MacOS Endpoint Security Fr | ||||
| > | amework (ESF): Monitors library loads (`ES_EVENT_TYPE_NOTIFY | ||||
| > | _DYLD_INSERT_LIBRARIES`). - Endpoint Detection & Response (E | ||||
| > | DR): - Provide real-time telemetry on module loads and | ||||
| > | process injections. - Sysinternals Process Monitor (`pro | ||||
| > | cmon`): Captures loaded modules and their execution context. | ||||
| > | - Memory Forensics: - Volatility Framework (`malfind`, | ||||
| > | `ldrmodules`): Detects injected DLLs and anomalous module lo | ||||
| > | ads. - Rekall Framework: Useful for kernel-mode module d | ||||
| > | etection. - SIEM and Log Analysis: - Centralized log agg | ||||
| > | regation to correlate suspicious module loads across the env | ||||
| > | ironment. - Detection rules using correlation searches a | ||||
| > | nd behavioral analytics. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Opening a network share, which makes the contents available | t | 1 | Opening a network share, which makes the contents available |
| > | to the requestor (ex: Windows EID 5140 or 5145) *Data Colle | > | to the requestor (ex: Windows EID 5140 or 5145) | ||
| > | ction Measures:* - Windows: - Event ID 5140 \u2013 Network S | ||||
| > | hare Object Access Logs every access attempt to a network sh | ||||
| > | are. - Event ID 5145 \u2013 Detailed Network Share Object Acc | ||||
| > | ess Captures granular access control information, including | ||||
| > | the requesting user, source IP, and access permissions. | ||||
| > | - Sysmon Event ID 3 \u2013 Network Connection Initiated Helps tra | ||||
| > | ck SMB connections to suspicious or unauthorized network sha | ||||
| > | res. - Enable Audit Policy for Network Share Access: `au | ||||
| > | ditpol /set /subcategory:\"File Share\" /success:enable /failu | ||||
| > | re:enable` - Enable PowerShell Logging to Detect Unautho | ||||
| > | rized SMB Access: `Set-ExecutionPolicy RemoteSigned` - R | ||||
| > | estrict Network Share Access with Group Policy (GPO): `Compu | ||||
| > | ter Configuration \u2192 Windows Settings \u2192 Security Settings \u2192 L | ||||
| > | ocal Policies \u2192 User Rights Assignment` Set \"Access this com | ||||
| > | puter from the network\" to restrict unauthorized accounts. - | ||||
| > | Linux/macOS: - AuditD (`open`, `read`, `write`, `connec | ||||
| > | t` syscalls) Detects access to NFS, CIFS, and SMB network sh | ||||
| > | ares. - Lsof (`lsof | grep nfs` or `lsof | grep smb`) Id | ||||
| > | entifies active network share connections. - Mount (`mou | ||||
| > | nt | grep nfs` or `mount | grep cifs`) Lists currently mount | ||||
| > | ed network shares. - Enable AuditD for SMB/NFS Access: ` | ||||
| > | auditctl -a always,exit -F arch=b64 -S open -F path=/mnt/sha | ||||
| > | re -k network_share_access` - Monitor Active Network Sha | ||||
| > | res Using Netstat: `netstat -an | grep :445` - Endpoint Dete | ||||
| > | ction & Response (EDR): - Detects abnormal network share | ||||
| > | access behavior, such as unusual account usage, large file | ||||
| > | transfers, or encrypted file activity. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Summarized network packet data that captures session-level d | t | 1 | Summarized network packet data that captures session-level d |
| > | etails such as source/destination IPs, ports, protocol types | > | etails such as source/destination IPs, ports, protocol types | ||
| > | , timestamps, and data volume, without storing full packet p | > | , timestamps, and data volume, without storing full packet p | ||
| > | ayloads. This is commonly used for traffic analysis, anomaly | > | ayloads. This is commonly used for traffic analysis, anomaly | ||
| > | detection, and network performance monitoring. *Data Colle | > | detection, and network performance monitoring. | ||
| > | ction Measures:* - Network Flow Logs (Metadata Collection) | ||||
| > | - NetFlow - Summarized metadata for network con | ||||
| > | versations (no packet payloads). - sFlow (Sampled Flow L | ||||
| > | ogging) - Captures sampled packets from switches and | ||||
| > | routers. - Used for real-time traffic monitoring an | ||||
| > | d anomaly detection. - Zeek (Bro) Flow Logs - Ze | ||||
| > | ek logs session-level details in logs like conn.log, http.lo | ||||
| > | g, dns.log, etc. - Host-Based Collection - Sysmon Event | ||||
| > | ID 3 \u2013 Network Connection Initiated - Logs process-l | ||||
| > | evel network activity, useful for detecting malicious outbou | ||||
| > | nd connections. - AuditD (Linux) \u2013 syscall=connect | ||||
| > | - Monitors system calls for network connections. `auditct | ||||
| > | l -a always,exit -F arch=b64 -S connect -k network_activity` | ||||
| > | - Cloud & SaaS Flow Monitoring - AWS VPC Flow Logs | ||||
| > | - Captures metadata for traffic between EC2 instances, s | ||||
| > | ecurity groups, and internet gateways. - Azure NSG Flow | ||||
| > | Logs / Google VPC Flow Logs - Logs ingress/egress tr | ||||
| > | affic for cloud-based resources. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Calls made by a process to operating system-provided Applica | t | 1 | Calls made by a process to operating system-provided Applica |
| > | tion Programming Interfaces (APIs). These calls are essentia | > | tion Programming Interfaces (APIs). These calls are essentia | ||
| > | l for interacting with system resources such as memory, file | > | l for interacting with system resources such as memory, file | ||
| > | s, and hardware, or for performing system-level tasks. Monit | > | s, and hardware, or for performing system-level tasks. Monit | ||
| > | oring these calls can provide insight into a process's inten | > | oring these calls can provide insight into a process's inten | ||
| > | t, especially if the process is malicious. *Data Collection | > | t, especially if the process is malicious. | ||
| > | Measures:* - Endpoint Detection and Response (EDR) Tools: | ||||
| > | - Leverage tools to monitor API execution behaviors at t | ||||
| > | he process level. - Example: Sysmon Event ID 10 captures | ||||
| > | API call traces for process access and memory allocation. - | ||||
| > | Process Monitor (ProcMon): - Use ProcMon to collect det | ||||
| > | ailed logs of process and API activity. ProcMon can provide | ||||
| > | granular details on API usage and identify malicious behavio | ||||
| > | r during analysis. - Windows Event Logs: - Use Event IDs | ||||
| > | from Windows logs for specific API-related activities: | ||||
| > | - Event ID 4688: A new process has been created (can ind | ||||
| > | irectly infer API use). - Event ID 4657: A registry | ||||
| > | value has been modified (to monitor registry-altering APIs). | ||||
| > | - Dynamic Analysis Tools: - Tools like Cuckoo Sandbox, | ||||
| > | Flare VM, or Hybrid Analysis monitor API execution during ma | ||||
| > | lware detonation. - Host-Based Logs: - On Linux/macOS sy | ||||
| > | stems, leverage audit frameworks (e.g., `auditd`, `strace`) | ||||
| > | to capture and analyze system call usage that APIs map to. - | ||||
| > | Runtime Monitors: - Runtime security tools like Falco c | ||||
| > | an monitor system-level calls for API execution. - Debugging | ||||
| > | and Tracing: - Use debugging tools like gdb (Linux) or | ||||
| > | WinDbg (Windows) for deep tracing of API executions in real | ||||
| > | time. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Refers to the event in which a new process (executable) is i | t | 1 | Refers to the event in which a new process (executable) is i |
| > | nitialized by an operating system. This can involve parent-c | > | nitialized by an operating system. This can involve parent-c | ||
| > | hild process relationships, process arguments, and environme | > | hild process relationships, process arguments, and environme | ||
| > | ntal variables. Monitoring process creation is crucial for d | > | ntal variables. Monitoring process creation is crucial for d | ||
| > | etecting malicious behaviors, such as execution of unauthori | > | etecting malicious behaviors, such as execution of unauthori | ||
| > | zed binaries, scripting abuse, or privilege escalation attem | > | zed binaries, scripting abuse, or privilege escalation attem | ||
| > | pts. *Data Collection Measures:* - Endpoint Detection and | > | pts.. | ||
| > | Response (EDR) Tools: - EDRs provide process telemetry, | ||||
| > | tracking execution flows and arguments. - Windows Event Logs | ||||
| > | : - Event ID 4688 (Audit Process Creation): Captures pro | ||||
| > | cess creation with associated parent process. - Sysmon (Wind | ||||
| > | ows): - Event ID 1 (Process Creation): Provides detailed | ||||
| > | logging - Linux/macOS Monitoring: - AuditD (execve sysc | ||||
| > | all): Logs process creation. - eBPF/XDP: Used for low-le | ||||
| > | vel monitoring of system calls related to process execution. | ||||
| > | - OSQuery: Allows SQL-like queries to track process eve | ||||
| > | nts (process_events table). - Apple Endpoint Security Fr | ||||
| > | amework (ESF): Monitors process creation on macOS. - Network | ||||
| > | -Based Monitoring: - Zeek (Bro) Logs: Captures network-b | ||||
| > | ased process execution related to remote shells. - Syslo | ||||
| > | g/OSSEC: Tracks execution of processes on distributed system | ||||
| > | s. - Behavioral SIEM Rules: - Monitor process creation f | ||||
| > | or uncommon binaries in user directories. - Detect proce | ||||
| > | sses with suspicious command-line arguments. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Changes made to a running process, such as writing data into | t | 1 | Changes made to a running process, such as writing data into |
| > | memory, modifying execution behavior, or injecting code int | > | memory, modifying execution behavior, or injecting code int | ||
| > | o an existing process. Adversaries frequently modify process | > | o an existing process. Adversaries frequently modify process | ||
| > | es to execute malicious payloads, evade detection, or gain e | > | es to execute malicious payloads, evade detection, or gain e | ||
| > | scalated privileges. *Data Collection Measures:* - Endpoi | > | scalated privileges. | ||
| > | nt Detection and Response (EDR) Tools: - EDRs can monito | ||||
| > | r memory modifications and API-level calls. - Sysmon (Window | ||||
| > | s): - Event ID 8 (CreateRemoteThread) \u2013 Detects cross-pr | ||||
| > | ocess thread injection, commonly used in process hollowing. | ||||
| > | - Event ID 10 (Process Access) \u2013 Detects access attempts | ||||
| > | to another process, often preceding injection attempts. - L | ||||
| > | inux/macOS Monitoring: - AuditD (ptrace, mmap, mprotect | ||||
| > | syscalls): Detects memory modifications and debugging attemp | ||||
| > | ts. - eBPF/XDP: Monitors low-level system calls related | ||||
| > | to process modifications. - OSQuery: The processes table | ||||
| > | can be queried for unusual modifications. - Network-Based M | ||||
| > | onitoring: - Zeek (Bro) Logs: Captures lateral movement | ||||
| > | attempts where adversaries remotely modify a process. - | ||||
| > | Syslog/OSSEC: Monitors logs for suspicious modifications. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The exit or termination of a running process on a system. Th | t | 1 | The exit or termination of a running process on a system. Th |
| > | is can occur due to normal operations, user-initiated comman | > | is can occur due to normal operations, user-initiated comman | ||
| > | ds, or malicious actions such as process termination by malw | > | ds, or malicious actions such as process termination by malw | ||
| > | are to disable security controls. *Data Collection Measures | > | are to disable security controls. | ||
| > | :* - Endpoint Detection and Response (EDR) Tools: - Mon | ||||
| > | itor process termination events. - Windows Event Logs: - | ||||
| > | Event ID 4689 (Process Termination) \u2013 Captures when a proce | ||||
| > | ss exits, including process ID and parent process. - Eve | ||||
| > | nt ID 7036 (Service Control Manager) \u2013 Monitors system servi | ||||
| > | ce stops. - Sysmon (Windows): - Event ID 5 (Process Term | ||||
| > | ination) \u2013 Detects when a process exits, including parent-ch | ||||
| > | ild relationships. - Linux/macOS Monitoring: - AuditD (` | ||||
| > | execve`, `exit_group`, `kill` syscalls) \u2013 Captures process t | ||||
| > | ermination via command-line interactions. - eBPF/XDP: Mo | ||||
| > | nitors low-level system calls related to process termination | ||||
| > | . - OSQuery: The processes table can be queried for abno | ||||
| > | rmal exits. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Captured network traffic that provides details about respons | t | 1 | Captured network traffic that provides details about respons |
| > | es received during an internet scan. This data includes both | > | es received during an internet scan. This data includes both | ||
| > | protocol header values (e.g., HTTP status codes, IP headers | > | protocol header values (e.g., HTTP status codes, IP headers | ||
| > | , or DNS response codes) and response body content (e.g., HT | > | , or DNS response codes) and response body content (e.g., HT | ||
| > | ML, JSON, or raw data). Examples: - HTTP Scan: A web server | > | ML, JSON, or raw data). Examples: - HTTP Scan: A web server | ||
| > | responds to a probe with an HTTP 200 status code and an HTM | > | responds to a probe with an HTTP 200 status code and an HTM | ||
| > | L body indicating the default page is accessible. - DNS Scan | > | L body indicating the default page is accessible. - DNS Scan | ||
| > | : A DNS server replies to a query with a resolved IP address | > | : A DNS server replies to a query with a resolved IP address | ||
| > | for a domain, along with details like Time-To-Live (TTL) an | > | for a domain, along with details like Time-To-Live (TTL) an | ||
| > | d authoritative information. - TCP Banner Grab: A service li | > | d authoritative information. - TCP Banner Grab: A service li | ||
| > | stening on a port (e.g., SSH or FTP) responds with a banner | > | stening on a port (e.g., SSH or FTP) responds with a banner | ||
| > | containing service name, version, or other metadata. *Data | > | containing service name, version, or other metadata. | ||
| > | Collection Measures:* - Network Traffic Monitoring: - D | ||||
| > | eploy packet capture tools like Wireshark, tcpdump, or Suric | ||||
| > | ata to log both headers and body content of response traffic | ||||
| > | . - Use network appliances like firewalls, intrusion det | ||||
| > | ection systems (IDS), or intrusion prevention systems (IPS) | ||||
| > | with logging enabled to capture scan responses. - Cloud Logg | ||||
| > | ing Services: - AWS VPC Flow Logs: Capture metadata abou | ||||
| > | t network flows, including source and destination, protocol, | ||||
| > | and response codes. - GCP Packet Mirroring: Use mirrore | ||||
| > | d packets to analyze responses. - Azure NSG Flow Logs: R | ||||
| > | ecord network traffic flow information for analysis. - Speci | ||||
| > | fic Tools: - Zmap or Masscan: Can perform internet-wide | ||||
| > | scans and collect response content for analysis. - Nmap: | ||||
| > | Use custom scripts to capture and log detailed response dat | ||||
| > | a during scans. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The establishment of a task or job that will execute at a pr | t | 1 | The establishment of a task or job that will execute at a pr |
| > | edefined time or based on specific triggers. *Data Collecti | > | edefined time or based on specific triggers. | ||
| > | on Measures: * - Windows Event Logs: - Event ID 4698 (S | ||||
| > | cheduled Task Created) \u2013 Detects the creation of new schedul | ||||
| > | ed tasks. - Event ID 4702 (Scheduled Task Updated) \u2013 Ide | ||||
| > | ntifies modifications to existing scheduled jobs. - Even | ||||
| > | t ID 106 (TaskScheduler Operational Log) \u2013 Provides details | ||||
| > | about scheduled task execution. - Sysmon (Windows): - Ev | ||||
| > | ent ID 1 (Process Creation) \u2013 Detects the execution of suspi | ||||
| > | cious tasks started by `schtasks.exe`, `at.exe`, or `taskeng | ||||
| > | .exe`. - Linux/macOS Monitoring: - AuditD: Monitor modif | ||||
| > | ications to `/etc/cron*`, `/var/spool/cron/`, and `crontab` | ||||
| > | files. - Syslog: Capture cron job execution logs from `/ | ||||
| > | var/log/cron`. - OSQuery: Query the `crontab` and `launc | ||||
| > | hd` tables for scheduled job configurations. - Endpoint Dete | ||||
| > | ction and Response (EDR) Tools: - Track scheduled task c | ||||
| > | reation and modification events. - SIEM & XDR Detection Rule | ||||
| > | s: - Monitor for scheduled jobs created by unusual users | ||||
| > | . - Detect tasks executing scripts from non-standard dir | ||||
| > | ectories. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The execution of a text file that contains code via the inte | t | 1 | The execution of a text file that contains code via the inte |
| > | rpreter. *Data Collection Measures:* - Windows Event Logs: | > | rpreter. | ||
| > | - Event ID 4104 (PowerShell Script Block Logging) \u2013 Cap | ||||
| > | tures full command-line execution of PowerShell scripts. | ||||
| > | - Event ID 4688 (Process Creation) \u2013 Detects script executi | ||||
| > | on by tracking process launches (`powershell.exe`, `wscript. | ||||
| > | exe`, `cscript.exe`). - Event ID 5861 (Script Execution) | ||||
| > | \u2013 Captures script execution via Windows Defender AMSI loggi | ||||
| > | ng. - Sysmon (Windows): - Event ID 1 (Process Creation) | ||||
| > | \u2013 Monitors script execution initiated by scripting engines. | ||||
| > | - Event ID 11 (File Creation) \u2013 Detects new script files | ||||
| > | written to disk before execution. - Endpoint Detection and | ||||
| > | Response (EDR) Tools: - Track script execution behavior, | ||||
| > | detect obfuscated commands, and prevent malicious scripts. | ||||
| > | - PowerShell Logging: - Enable Module Logging: Logs all | ||||
| > | loaded modules and cmdlets. - Enable Script Block Loggin | ||||
| > | g: Captures complete PowerShell script execution history. - | ||||
| > | SIEM Detection Rules: - Detect script execution with obf | ||||
| > | uscated, encoded, or remote URLs. - Alert on script exec | ||||
| > | utions using `-EncodedCommand` or `iex(iwr)`. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Changes made to an existing service or daemon, such as modif | t | 1 | Changes made to an existing service or daemon, such as modif |
| > | ying the service name, start type, execution parameters, or | > | ying the service name, start type, execution parameters, or | ||
| > | security configurations. *Data Collection Measures: * - Wi | > | security configurations. | ||
| > | ndows Event Logs - Event ID 7040 - Detects modifications | ||||
| > | to the startup behavior of a service. - Event ID 7045 - | ||||
| > | Can capture changes made to existing services. - Event | ||||
| > | ID 7036 - Tracks when services start or stop, potentially in | ||||
| > | dicating malicious tampering. - Event ID 4697 - Can dete | ||||
| > | ct when an adversary reinstalls a service with different par | ||||
| > | ameters. - Sysmon Logs - Sysmon Event ID 13 - Detects ch | ||||
| > | anges to service configurations in the Windows Registry (e.g | ||||
| > | ., `HKLM\\SYSTEM\\CurrentControlSet\\Services\\`). - Sysmon | ||||
| > | Event ID 1 - Can track execution of `sc.exe` or `PowerShell | ||||
| > | Set-Service`. - PowerShell Logging - Event ID 4104 (Scri | ||||
| > | pt Block Logging) - Captures execution of commands like `Set | ||||
| > | -Service`, `New-Service`, or `sc config`. - Command-Line | ||||
| > | Logging (Event ID 4688) - Tracks usage of service modificat | ||||
| > | ion commands: - `sc config <service_name> start= aut | ||||
| > | o` - `sc qc <service_name>` - Linux/macOS Collec | ||||
| > | tion Methods - Systemd Journals (`journalctl -u <service | ||||
| > | _name>`) Tracks modifications to systemd service configurati | ||||
| > | ons. - Daemon Logs (`/var/log/syslog`, `/var/log/message | ||||
| > | s`, `/var/log/daemon.log`) Captures changes to service state | ||||
| > | and execution parameters. - AuditD Rules for Service Mo | ||||
| > | dification - Monitor modifications to `/etc/systemd | ||||
| > | /system/` for new or altered service unit files: `auditctl - | ||||
| > | w /etc/systemd/system/ -p wa -k service_modification` | ||||
| > | - Track execution of `systemctl` or `service` commands: `a | ||||
| > | uditctl -a always,exit -F arch=b64 -S execve -F a0=systemctl | ||||
| > | -F key=service_mod` - OSQuery for Linux/macOS Monitorin | ||||
| > | g - Query modified services using OSQuery\u2019s `process | ||||
| > | es` or `system_info` tables: `SELECT * FROM systemd_units WH | ||||
| > | ERE state != 'running';` - macOS Launch Daemon/Agent Mod | ||||
| > | ification - Monitor for changes in: - `/ | ||||
| > | Library/LaunchDaemons/` - `/Library/LaunchAgents | ||||
| > | /` - Track modifications to `.plist` files indicatin | ||||
| > | g persistence attempts. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The process of taking a point-in-time copy of a cloud storag | t | 1 | The process of taking a point-in-time copy of a cloud storag |
| > | e volume (files, settings, configurations, etc.), virtual ma | > | e volume (files, settings, configurations, etc.), virtual ma | ||
| > | chine (VM), or database that can be created and deployed in | > | chine (VM), or database that can be created and deployed in | ||
| > | cloud environments. *Data Collection Measures:* - Cloud Pl | > | cloud environments. | ||
| > | atform Logs (IaaS) - AWS CloudTrail Logs: Monitor API ca | ||||
| > | lls related to snapshot creation (`CreateSnapshot`). - A | ||||
| > | zure Monitor Logs: Track snapshot creation (`Microsoft.Compu | ||||
| > | te/snapshots/write`). - Google Cloud Logging: Detect `co | ||||
| > | mpute.disks.createSnapshot`. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | An attempt (successful and failed login attempts) by a user, | t | 1 | An attempt (successful and failed login attempts) by a user, |
| > | service, or application to gain access to a network, system | > | service, or application to gain access to a network, system | ||
| > | , or cloud-based resource. This typically involves credentia | > | , or cloud-based resource. This typically involves credentia | ||
| > | ls such as passwords, tokens, multi-factor authentication (M | > | ls such as passwords, tokens, multi-factor authentication (M | ||
| > | FA), or biometric validation. *Data Collection Measures:* | > | FA), or biometric validation. | ||
| > | - Host-Based Authentication Logs - Windows Event Logs | ||||
| > | - Event ID 4776 \u2013 NTLM authentication attempt. | ||||
| > | - Event ID 4624 \u2013 Successful user logon. - Event ID | ||||
| > | 4625 \u2013 Failed authentication attempt. - Event ID 46 | ||||
| > | 48 \u2013 Explicit logon with alternate credentials. - Linux/ | ||||
| > | macOS Authentication Logs - `/var/log/auth.log`, `/v | ||||
| > | ar/log/secure` \u2013 Logs SSH, sudo, and other authentication at | ||||
| > | tempts. - AuditD \u2013 Tracks authentication events via | ||||
| > | PAM modules. - macOS Unified Logs \u2013 `/var/db/diagnos | ||||
| > | tics` captures authentication failures. - Cloud Authenticati | ||||
| > | on Logs - Azure AD Logs - Sign-in Logs \u2013 Tracks | ||||
| > | authentication attempts, MFA challenges, and conditional acc | ||||
| > | ess failures. - Audit Logs \u2013 Captures authentication | ||||
| > | -related configuration changes. - Microsoft Graph AP | ||||
| > | I \u2013 Provides real-time sign-in analytics. - Google Works | ||||
| > | pace & Office 365 - Google Admin Console \u2013 `User Log | ||||
| > | in Report` tracks login attempts and failures. - Off | ||||
| > | ice 365 Unified Audit Logs \u2013 Captures logins across Exchange | ||||
| > | , SharePoint, and Teams. - AWS CloudTrail & IAM | ||||
| > | - Tracks authentication via `AWS IAM AuthenticateUser` and ` | ||||
| > | sts:GetSessionToken`. - Logs failed authentications | ||||
| > | to AWS Management Console and API requests. - Container Auth | ||||
| > | entication Monitoring - Kubernetes Authentication Logs | ||||
| > | - kubectl audit logs \u2013 Captures authentication attemp | ||||
| > | ts for service accounts and admin users. - Azure Kub | ||||
| > | ernetes Service (AKS) and Google Kubernetes Engine (GKE) \u2013 L | ||||
| > | ogs IAM authentication events. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The initial establishment of a new user, service, or machine | t | 1 | The initial establishment of a new user, service, or machine |
| > | account within an operating system, cloud environment, or i | > | account within an operating system, cloud environment, or i | ||
| > | dentity management system. *Data Collection Measures:* - H | > | dentity management system. | ||
| > | ost-Based Logging - Windows Event Logs - Event I | ||||
| > | D 4720 \u2013 A new user account was created. - Event ID | ||||
| > | 4732/4735 \u2013 A user was added to a privileged group. | ||||
| > | - Event ID 4798 \u2013 Enumeration of user accounts. - Linux/ | ||||
| > | macOS Authentication Logs - `/var/log/auth.log`, `/v | ||||
| > | ar/log/secure` \u2013 Logs `useradd`, `adduser`, `passwd`, and `g | ||||
| > | roupmod` activities. - AuditD \u2013 Detects new account | ||||
| > | creation via PAM (`useradd`, `usermod`). - OSQuery \u2013 | ||||
| > | The `users` table tracks newly created accounts. - Cloud-Ba | ||||
| > | sed Logging - Azure AD Logs - Azure AD Audit Log | ||||
| > | s \u2013 Tracks new user and service account creation. - | ||||
| > | Azure Graph API \u2013 Provides logs on new account provisioning. | ||||
| > | - AWS IAM & CloudTrail Logs - CreateUser, Creat | ||||
| > | eRole \u2013 Tracks new IAM user creation. - AttachRolePo | ||||
| > | licy \u2013 Identifies privilege escalation via account creation. | ||||
| > | - Google Workspace & Office 365 Logs - Google A | ||||
| > | dmin Console \u2013 Logs user creation in User Accounts API. | ||||
| > | - Microsoft 365 Unified Audit Log \u2013 Tracks new account p | ||||
| > | rovisioning. - Container & Network Account Creation Logs | ||||
| > | - Kubernetes Account Creation Logs - kubectl audit | ||||
| > | logs \u2013 Detects new service account provisioning. - G | ||||
| > | KE/Azure AKS Logs \u2013 Track new container service accounts. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The removal of a user, service, or machine account from an o | t | 1 | The removal of a user, service, or machine account from an o |
| > | perating system, cloud identity management system, or direct | > | perating system, cloud identity management system, or direct | ||
| > | ory service. *Data Collection Measures:* - Host-Based Logg | > | ory service. | ||
| > | ing - Windows Event Logs - Event ID 4726 \u2013 A use | ||||
| > | r account was deleted. - Event ID 4733/4735 \u2013 A user | ||||
| > | was removed from a privileged group. - Event ID 110 | ||||
| > | 2 \u2013 Security log was cleared (potential cover-up). - Lin | ||||
| > | ux/macOS Authentication Logs - `/var/log/auth.log`, | ||||
| > | `/var/log/secure` \u2013 Logs `userdel`, `deluser`, `passwd -l`. | ||||
| > | - AuditD \u2013 Tracks account deletions via PAM events ( | ||||
| > | `userdel`). - OSQuery \u2013 The `users` table can detect | ||||
| > | account removal. - Cloud-Based Logging - Azure AD Logs | ||||
| > | - Azure AD Audit Logs \u2013 Tracks user and service acco | ||||
| > | unt deletions. - Azure Graph API \u2013 Monitors identity | ||||
| > | changes. - AWS IAM & CloudTrail Logs - `DeleteU | ||||
| > | ser`, `DeleteRole` \u2013 Tracks IAM user deletion. - Det | ||||
| > | achRolePolicy \u2013 Identifies privilege revocation before delet | ||||
| > | ion. - Google Workspace & Office 365 Logs - Goog | ||||
| > | le Admin Console \u2013 Logs user removal activities. - M | ||||
| > | icrosoft 365 Unified Audit Log \u2013 Captures deleted accounts i | ||||
| > | n Active Directory. - Container & Network Account Deletion L | ||||
| > | ogs - Kubernetes Service Account Deletion - kube | ||||
| > | ctl audit logs \u2013 Detects when service accounts are removed f | ||||
| > | rom pods. - GKE/Azure AKS Logs \u2013 Track containerized | ||||
| > | identity removals. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Changes made to an existing user, service, or machine accoun | t | 1 | Changes made to an existing user, service, or machine accoun |
| > | t, including alterations to attributes, permissions, roles, | > | t, including alterations to attributes, permissions, roles, | ||
| > | authentication methods, or group memberships. *Data Collect | > | authentication methods, or group memberships. | ||
| > | ion Measures:* - Host-Based Logging - Windows Event Log | ||||
| > | s - Event ID 4738 \u2013 A user account was changed. | ||||
| > | - Event ID 4725 \u2013 A user account was disabled. - | ||||
| > | Event ID 4724 \u2013 An attempt was made to reset an account's p | ||||
| > | assword. - Event ID 4767 \u2013 A user account was unlock | ||||
| > | ed. - Linux/macOS Authentication Logs - `/var/lo | ||||
| > | g/auth.log`, `/var/log/secure` \u2013 Tracks account modification | ||||
| > | s (`usermod`, `chage`, `passwd`). - AuditD \u2013 Monitor | ||||
| > | s account changes (`useradd`, `usermod`, `gpasswd`). | ||||
| > | - OSQuery \u2013 Queries the `users` table for recent modificati | ||||
| > | ons. - Cloud-Based Logging - Azure AD Logs - Azu | ||||
| > | re AD Audit Logs \u2013 Tracks modifications to users and securit | ||||
| > | y groups. - Azure Graph API \u2013 Captures changes to au | ||||
| > | thentication policies and MFA settings. - AWS IAM & Clou | ||||
| > | dTrail Logs - `ModifyUser`, `UpdateLoginProfile` \u2013 C | ||||
| > | aptures changes to IAM user attributes. - `AttachUse | ||||
| > | rPolicy`, `AddUserToGroup` \u2013 Detects policy and group modifi | ||||
| > | cations. - Google Workspace & Office 365 Logs - | ||||
| > | Google Admin Console \u2013 Logs account changes, role modificati | ||||
| > | ons, and group membership updates. - Microsoft 365 U | ||||
| > | nified Audit Log \u2013 Captures modifications to security settin | ||||
| > | gs and privileged account changes. - Container & Network Acc | ||||
| > | ount Modification Logs - Kubernetes Service Account Chan | ||||
| > | ges - kubectl audit logs \u2013 Detects service account m | ||||
| > | odifications in Kubernetes clusters. - GKE/Azure AKS | ||||
| > | Logs \u2013 Monitors role and permission changes. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The initial provisioning of block storage volumes in cloud o | t | 1 | The initial provisioning of block storage volumes in cloud o |
| > | r on-prem environments, typically used for data storage, bac | > | r on-prem environments, typically used for data storage, bac | ||
| > | kup, or workload scaling. *Data Collection Measures:* - Cl | > | kup, or workload scaling. | ||
| > | oud-Based Logging & Monitoring - AWS CloudTrail | ||||
| > | - `CreateVolume` \u2013 Logs the creation of new Amazon Elastic B | ||||
| > | lock Store (EBS) volumes. - `RunInstances` \u2013 Can be | ||||
| > | correlated to detect automatic volume provisioning. - Az | ||||
| > | ure Monitor & Log Analytics - `Microsoft.Compute/dis | ||||
| > | ks/write` \u2013 Captures creation of new managed/unmanaged disks | ||||
| > | . - `Microsoft.Storage/storageAccounts/write` \u2013 Dete | ||||
| > | cts creation of new Azure Blob Storage volumes. - Google | ||||
| > | Cloud Logging (GCP) - `compute.disks.insert` \u2013 Trac | ||||
| > | ks new persistent disk creation. - `compute.instance | ||||
| > | s.attachDisk` \u2013 Logs attachment of a volume to a running VM. | ||||
| > | - OpenStack Logs - `volume.create` \u2013 Captures n | ||||
| > | ew storage volume provisioning. - `cinder.volume.cre | ||||
| > | ate` \u2013 Logs OpenStack Cinder block storage creation. - Host- | ||||
| > | Based & SIEM Detection - Linux/macOS System Logs | ||||
| > | - `/var/log/syslog` & `/var/log/messages` \u2013 Detects new mou | ||||
| > | nt points or attached storage. - `dmesg | grep \"new | ||||
| > | disk\"` \u2013 Identifies kernel messages for volume attachment. | ||||
| > | - AuditD: Tracks `mkfs` (filesystem creation) for new | ||||
| > | volume provisioning. - Windows Event Logs - Eve | ||||
| > | nt ID 1006 (Storage Management Events) \u2013 Captures disk volum | ||||
| > | e creation. - Event ID 5145 (Object Access: File Sha | ||||
| > | re) \u2013 Detects access to newly created storage shares. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Initial construction of a WMI object, such as a filter, cons | t | 1 | Initial construction of a WMI object, such as a filter, cons |
| > | umer, subscription, binding, or providers. *Data Collectio | > | umer, subscription, binding, or providers. | ||
| > | n Measures:* - Windows Security Event Logs: - Event ID | ||||
| > | 5861 (WMI Permanent Event Subscription) - Event ID 5860 | ||||
| > | (WMI Event Filter Activity) - Event ID 5857 (WMI Event C | ||||
| > | onsumer Activity) - Sysmon Logs: - Sysmon Event ID 19 \u2013 | ||||
| > | WMI Event Filter Created - Sysmon Event ID 20 \u2013 WMI Even | ||||
| > | t Consumer Created - Sysmon Event ID 21 \u2013 WMI Event Bind | ||||
| > | ing Created - Endpoint Detection & Response (EDR) - Dete | ||||
| > | cts WMI-based persistence techniques. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The action of opening a specific Windows Registry key, typic | t | 1 | The action of opening a specific Windows Registry key, typic |
| > | ally to read its associated value. This activity can be used | > | ally to read its associated value. This activity can be used | ||
| > | for system configuration, application settings retrieval, a | > | for system configuration, application settings retrieval, a | ||
| > | nd security policies. *Data Collection Measures:* - Window | > | nd security policies. | ||
| > | s Event Logs - Event ID 4656 - Handle to an Object was R | ||||
| > | equested: Logs attempts to open registry keys. - Event I | ||||
| > | D 4663 - An Object was Accessed: Captures read/write operati | ||||
| > | ons on registry keys. - Event ID 4657 - Registry Value M | ||||
| > | odification: Useful for detecting changes to registry keys a | ||||
| > | fter being accessed. - Sysmon - Sysmon Event ID 13 - Reg | ||||
| > | istry Value Set: Captures modifications to existing registry | ||||
| > | keys. - Endpoint Detection and Response (EDR) Solutions | ||||
| > | - Provide telemetry on registry key access activities, espe | ||||
| > | cially when linked to suspicious processes. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Initial construction of a new registry key within the Window | t | 1 | Initial construction of a new registry key within the Window |
| > | s operating system. *Data Collection Measures:* - Window | > | s operating system. | ||
| > | s Event Logs - Event ID 4656 - Registry Object Handle Re | ||||
| > | quested: Tracks registry key access, including newly created | ||||
| > | keys. - Event ID 4657 - Registry Value Modification: De | ||||
| > | tects modifications to an existing registry key after creati | ||||
| > | on. - Sysmon (System Monitor) for Windows - Sysmon Event | ||||
| > | ID 12 - Registry Key Created: Logs when a new registry key | ||||
| > | is created. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Command Execution involves monitoring and capturing the exec | t | 1 | Command Execution involves monitoring and capturing the exec |
| > | ution of textual commands (including shell commands, cmdlets | > | ution of textual commands (including shell commands, cmdlets | ||
| > | , and scripts) within an operating system or application. Th | > | , and scripts) within an operating system or application. Th | ||
| > | ese commands may include arguments or parameters and are typ | > | ese commands may include arguments or parameters and are typ | ||
| > | ically executed through interpreters such as `cmd.exe`, `bas | > | ically executed through interpreters such as `cmd.exe`, `bas | ||
| > | h`, `zsh`, `PowerShell`, or programmatic execution. Examples | > | h`, `zsh`, `PowerShell`, or programmatic execution. Examples | ||
| > | : - Windows Command Prompt - dir \u2013 Lists directory con | > | : - Windows Command Prompt - dir \u2013 Lists directory con | ||
| > | tents. - net user \u2013 Queries or manipulates user accounts | > | tents. - net user \u2013 Queries or manipulates user accounts | ||
| > | . - tasklist \u2013 Lists running processes. - PowerShell | > | . - tasklist \u2013 Lists running processes. - PowerShell | ||
| > | - Get-Process \u2013 Retrieves processes running on a system. | > | - Get-Process \u2013 Retrieves processes running on a system. | ||
| > | - Set-ExecutionPolicy \u2013 Changes PowerShell script executio | > | - Set-ExecutionPolicy \u2013 Changes PowerShell script executio | ||
| > | n policies. - Invoke-WebRequest \u2013 Downloads remote resou | > | n policies. - Invoke-WebRequest \u2013 Downloads remote resou | ||
| > | rces. - Linux Shell - ls \u2013 Lists files in a directory. | > | rces. - Linux Shell - ls \u2013 Lists files in a directory. | ||
| > | - cat /etc/passwd \u2013 Reads the user accounts file. - c | > | - cat /etc/passwd \u2013 Reads the user accounts file. - c | ||
| > | url http://malicious-site.com \u2013 Retrieves content from a mal | > | url http://malicious-site.com \u2013 Retrieves content from a mal | ||
| > | icious URL. - Container Environments - docker exec \u2013 Exe | > | icious URL. - Container Environments - docker exec \u2013 Exe | ||
| > | cutes a command inside a running container. - kubectl ex | > | cutes a command inside a running container. - kubectl ex | ||
| > | ec \u2013 Runs commands in Kubernetes pods. - macOS Terminal | > | ec \u2013 Runs commands in Kubernetes pods. - macOS Terminal | ||
| > | - open \u2013 Opens files or URLs. - dscl . -list /Users \u2013 Li | > | - open \u2013 Opens files or URLs. - dscl . -list /Users \u2013 Li | ||
| > | sts all users on the system. - osascript -e \u2013 Executes A | > | sts all users on the system. - osascript -e \u2013 Executes A | ||
| > | ppleScript commands. This data component can be collected t | > | ppleScript commands. | ||
| > | hrough the following measures: Enable Command Logging - Wi | ||||
| > | ndows: - Enable PowerShell logging: `Set-ExecutionPolicy | ||||
| > | Bypass`, `Set-ItemProperty -Path \"HKLM:\\SOFTWARE\\Policies\\M | ||||
| > | icrosoft\\Windows\\PowerShell\\ScriptBlockLogging\" -Name Enable | ||||
| > | ScriptBlockLogging -Value 1` - Enable Windows Event Logg | ||||
| > | ing: - Event ID 4688: Tracks process creation, inclu | ||||
| > | ding command-line arguments. - Event ID 4104: Logs P | ||||
| > | owerShell script block execution. - Linux/macOS: - Enabl | ||||
| > | e shell history logging in `.bashrc` or `.zshrc`: `export HI | ||||
| > | STTIMEFORMAT=\"%d/%m/%y %T \"`, `export PROMPT_COMMAND='histor | ||||
| > | y -a; history -w'` - Use audit frameworks (e.g., `auditd | ||||
| > | `) to log command executions. Example rule to log all `execv | ||||
| > | e` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_ex | ||||
| > | ec` - Containers: - Use runtime-specific tools like Dock | ||||
| > | er\u2019s --log-driver or Kubernetes Audit Logs to capture exec c | ||||
| > | ommands. Integrate with Centralized Logging - Collect logs | ||||
| > | using a SIEM (e.g., Splunk) or cloud-based log aggregation | ||||
| > | tools like AWS CloudWatch or Azure Monitor. Example Splunk S | ||||
| > | earch for Windows Event 4688: `index=windows EventID=4688 Co | ||||
| > | mmandLine=*` Use Endpoint Detection and Response (EDR) Tool | ||||
| > | s - Monitor command executions via EDR solutions Deploy S | ||||
| > | ysmon for Advanced Logging (Windows) - Use Sysmon's Event I | ||||
| > | D 1 to log process creation with command-line arguments |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Summarized network packet data that captures session-level d | t | 1 | Summarized network packet data that captures session-level d |
| > | etails such as source/destination IPs, ports, protocol types | > | etails such as source/destination IPs, ports, protocol types | ||
| > | , timestamps, and data volume, without storing full packet p | > | , timestamps, and data volume, without storing full packet p | ||
| > | ayloads. This is commonly used for traffic analysis, anomaly | > | ayloads. This is commonly used for traffic analysis, anomaly | ||
| > | detection, and network performance monitoring. *Data Colle | > | detection, and network performance monitoring. | ||
| > | ction Measures:* - Network Flow Logs (Metadata Collection) | ||||
| > | - NetFlow - Summarized metadata for network con | ||||
| > | versations (no packet payloads). - sFlow (Sampled Flow L | ||||
| > | ogging) - Captures sampled packets from switches and | ||||
| > | routers. - Used for real-time traffic monitoring an | ||||
| > | d anomaly detection. - Zeek (Bro) Flow Logs - Ze | ||||
| > | ek logs session-level details in logs like conn.log, http.lo | ||||
| > | g, dns.log, etc. - Host-Based Collection - Sysmon Event | ||||
| > | ID 3 \u2013 Network Connection Initiated - Logs process-l | ||||
| > | evel network activity, useful for detecting malicious outbou | ||||
| > | nd connections. - AuditD (Linux) \u2013 syscall=connect | ||||
| > | - Monitors system calls for network connections. `auditct | ||||
| > | l -a always,exit -F arch=b64 -S connect -k network_activity` | ||||
| > | - Cloud & SaaS Flow Monitoring - AWS VPC Flow Logs | ||||
| > | - Captures metadata for traffic between EC2 instances, s | ||||
| > | ecurity groups, and internet gateways. - Azure NSG Flow | ||||
| > | Logs / Google VPC Flow Logs - Logs ingress/egress tr | ||||
| > | affic for cloud-based resources. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Calls made by a process to operating system-provided Applica | t | 1 | Calls made by a process to operating system-provided Applica |
| > | tion Programming Interfaces (APIs). These calls are essentia | > | tion Programming Interfaces (APIs). These calls are essentia | ||
| > | l for interacting with system resources such as memory, file | > | l for interacting with system resources such as memory, file | ||
| > | s, and hardware, or for performing system-level tasks. Monit | > | s, and hardware, or for performing system-level tasks. Monit | ||
| > | oring these calls can provide insight into a process's inten | > | oring these calls can provide insight into a process's inten | ||
| > | t, especially if the process is malicious. *Data Collection | > | t, especially if the process is malicious. | ||
| > | Measures:* - Endpoint Detection and Response (EDR) Tools: | ||||
| > | - Leverage tools to monitor API execution behaviors at t | ||||
| > | he process level. - Example: Sysmon Event ID 10 captures | ||||
| > | API call traces for process access and memory allocation. - | ||||
| > | Process Monitor (ProcMon): - Use ProcMon to collect det | ||||
| > | ailed logs of process and API activity. ProcMon can provide | ||||
| > | granular details on API usage and identify malicious behavio | ||||
| > | r during analysis. - Windows Event Logs: - Use Event IDs | ||||
| > | from Windows logs for specific API-related activities: | ||||
| > | - Event ID 4688: A new process has been created (can ind | ||||
| > | irectly infer API use). - Event ID 4657: A registry | ||||
| > | value has been modified (to monitor registry-altering APIs). | ||||
| > | - Dynamic Analysis Tools: - Tools like Cuckoo Sandbox, | ||||
| > | Flare VM, or Hybrid Analysis monitor API execution during ma | ||||
| > | lware detonation. - Host-Based Logs: - On Linux/macOS sy | ||||
| > | stems, leverage audit frameworks (e.g., `auditd`, `strace`) | ||||
| > | to capture and analyze system call usage that APIs map to. - | ||||
| > | Runtime Monitors: - Runtime security tools like Falco c | ||||
| > | an monitor system-level calls for API execution. - Debugging | ||||
| > | and Tracing: - Use debugging tools like gdb (Linux) or | ||||
| > | WinDbg (Windows) for deep tracing of API executions in real | ||||
| > | time. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Refers to the event in which a new process (executable) is i | t | 1 | Refers to the event in which a new process (executable) is i |
| > | nitialized by an operating system. This can involve parent-c | > | nitialized by an operating system. This can involve parent-c | ||
| > | hild process relationships, process arguments, and environme | > | hild process relationships, process arguments, and environme | ||
| > | ntal variables. Monitoring process creation is crucial for d | > | ntal variables. Monitoring process creation is crucial for d | ||
| > | etecting malicious behaviors, such as execution of unauthori | > | etecting malicious behaviors, such as execution of unauthori | ||
| > | zed binaries, scripting abuse, or privilege escalation attem | > | zed binaries, scripting abuse, or privilege escalation attem | ||
| > | pts. *Data Collection Measures:* - Endpoint Detection and | > | pts.. | ||
| > | Response (EDR) Tools: - EDRs provide process telemetry, | ||||
| > | tracking execution flows and arguments. - Windows Event Logs | ||||
| > | : - Event ID 4688 (Audit Process Creation): Captures pro | ||||
| > | cess creation with associated parent process. - Sysmon (Wind | ||||
| > | ows): - Event ID 1 (Process Creation): Provides detailed | ||||
| > | logging - Linux/macOS Monitoring: - AuditD (execve sysc | ||||
| > | all): Logs process creation. - eBPF/XDP: Used for low-le | ||||
| > | vel monitoring of system calls related to process execution. | ||||
| > | - OSQuery: Allows SQL-like queries to track process eve | ||||
| > | nts (process_events table). - Apple Endpoint Security Fr | ||||
| > | amework (ESF): Monitors process creation on macOS. - Network | ||||
| > | -Based Monitoring: - Zeek (Bro) Logs: Captures network-b | ||||
| > | ased process execution related to remote shells. - Syslo | ||||
| > | g/OSSEC: Tracks execution of processes on distributed system | ||||
| > | s. - Behavioral SIEM Rules: - Monitor process creation f | ||||
| > | or uncommon binaries in user directories. - Detect proce | ||||
| > | sses with suspicious command-line arguments. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The exit or termination of a running process on a system. Th | t | 1 | The exit or termination of a running process on a system. Th |
| > | is can occur due to normal operations, user-initiated comman | > | is can occur due to normal operations, user-initiated comman | ||
| > | ds, or malicious actions such as process termination by malw | > | ds, or malicious actions such as process termination by malw | ||
| > | are to disable security controls. *Data Collection Measures | > | are to disable security controls. | ||
| > | :* - Endpoint Detection and Response (EDR) Tools: - Mon | ||||
| > | itor process termination events. - Windows Event Logs: - | ||||
| > | Event ID 4689 (Process Termination) \u2013 Captures when a proce | ||||
| > | ss exits, including process ID and parent process. - Eve | ||||
| > | nt ID 7036 (Service Control Manager) \u2013 Monitors system servi | ||||
| > | ce stops. - Sysmon (Windows): - Event ID 5 (Process Term | ||||
| > | ination) \u2013 Detects when a process exits, including parent-ch | ||||
| > | ild relationships. - Linux/macOS Monitoring: - AuditD (` | ||||
| > | execve`, `exit_group`, `kill` syscalls) \u2013 Captures process t | ||||
| > | ermination via command-line interactions. - eBPF/XDP: Mo | ||||
| > | nitors low-level system calls related to process termination | ||||
| > | . - OSQuery: The processes table can be queried for abno | ||||
| > | rmal exits. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Application Log Content refers to logs generated by applicat | t | 1 | Application Log Content refers to logs generated by applicat |
| > | ions or services, providing a record of their activity. Thes | > | ions or services, providing a record of their activity. Thes | ||
| > | e logs may include metrics, errors, performance data, and op | > | e logs may include metrics, errors, performance data, and op | ||
| > | erational alerts from web, mail, or other applications. Thes | > | erational alerts from web, mail, or other applications. Thes | ||
| > | e logs are vital for monitoring application behavior and det | > | e logs are vital for monitoring application behavior and det | ||
| > | ecting malicious activities or anomalies. Examples: - Web | > | ecting malicious activities or anomalies. Examples: - Web | ||
| > | Application Logs: These logs include information about reque | > | Application Logs: These logs include information about reque | ||
| > | sts, responses, errors, and security events (e.g., unauthori | > | sts, responses, errors, and security events (e.g., unauthori | ||
| > | zed access attempts). - Email Application Logs: Logs contain | > | zed access attempts). - Email Application Logs: Logs contain | ||
| > | metadata about emails sent, received, or blocked (e.g., sen | > | metadata about emails sent, received, or blocked (e.g., sen | ||
| > | der/receiver addresses, message IDs). - SaaS Application Log | > | der/receiver addresses, message IDs). - SaaS Application Log | ||
| > | s: Activity logs include user logins, configuration changes, | > | s: Activity logs include user logins, configuration changes, | ||
| > | and access to sensitive resources. - Cloud Application Logs | > | and access to sensitive resources. - Cloud Application Logs | ||
| > | : Logs detail control plane activities, including API calls, | > | : Logs detail control plane activities, including API calls, | ||
| > | instance modifications, and network changes. - System/Appli | > | instance modifications, and network changes. - System/Appli | ||
| > | cation Monitoring Logs: Logs provide insights into applicati | > | cation Monitoring Logs: Logs provide insights into applicati | ||
| > | on performance, errors, and anomalies. This data component | > | on performance, errors, and anomalies. | ||
| > | can be collected through the following measures: Configure | ||||
| > | Application Logging - Enable logging within the application | ||||
| > | or service. - Examples: - Web Servers: Enable access an | ||||
| > | d error logs in NGINX or Apache. - Email Systems: Enable | ||||
| > | audit logging in Microsoft Exchange or Gmail. Centralized | ||||
| > | Log Management - Use log management solutions like Splunk, | ||||
| > | or a cloud-native logging solution. - Configure the applicat | ||||
| > | ion to send logs to a centralized system for analysis. Clou | ||||
| > | d-Specific Collection - Use services like AWS CloudWatch, A | ||||
| > | zure Monitor, or Google Cloud Operations Suite for cloud-bas | ||||
| > | ed applications. - Ensure logging is enabled for all critica | ||||
| > | l resources (e.g., API calls, IAM changes). SIEM Integratio | ||||
| > | n - Integrate application logs with a SIEM platform (e.g., | ||||
| > | Splunk, QRadar) for real-time correlation and analysis. - Us | ||||
| > | e parsers to standardize log formats and extract key fields | ||||
| > | like timestamps, user IDs, and error codes. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Command Execution involves monitoring and capturing the exec | t | 1 | Command Execution involves monitoring and capturing the exec |
| > | ution of textual commands (including shell commands, cmdlets | > | ution of textual commands (including shell commands, cmdlets | ||
| > | , and scripts) within an operating system or application. Th | > | , and scripts) within an operating system or application. Th | ||
| > | ese commands may include arguments or parameters and are typ | > | ese commands may include arguments or parameters and are typ | ||
| > | ically executed through interpreters such as `cmd.exe`, `bas | > | ically executed through interpreters such as `cmd.exe`, `bas | ||
| > | h`, `zsh`, `PowerShell`, or programmatic execution. Examples | > | h`, `zsh`, `PowerShell`, or programmatic execution. Examples | ||
| > | : - Windows Command Prompt - dir \u2013 Lists directory con | > | : - Windows Command Prompt - dir \u2013 Lists directory con | ||
| > | tents. - net user \u2013 Queries or manipulates user accounts | > | tents. - net user \u2013 Queries or manipulates user accounts | ||
| > | . - tasklist \u2013 Lists running processes. - PowerShell | > | . - tasklist \u2013 Lists running processes. - PowerShell | ||
| > | - Get-Process \u2013 Retrieves processes running on a system. | > | - Get-Process \u2013 Retrieves processes running on a system. | ||
| > | - Set-ExecutionPolicy \u2013 Changes PowerShell script executio | > | - Set-ExecutionPolicy \u2013 Changes PowerShell script executio | ||
| > | n policies. - Invoke-WebRequest \u2013 Downloads remote resou | > | n policies. - Invoke-WebRequest \u2013 Downloads remote resou | ||
| > | rces. - Linux Shell - ls \u2013 Lists files in a directory. | > | rces. - Linux Shell - ls \u2013 Lists files in a directory. | ||
| > | - cat /etc/passwd \u2013 Reads the user accounts file. - c | > | - cat /etc/passwd \u2013 Reads the user accounts file. - c | ||
| > | url http://malicious-site.com \u2013 Retrieves content from a mal | > | url http://malicious-site.com \u2013 Retrieves content from a mal | ||
| > | icious URL. - Container Environments - docker exec \u2013 Exe | > | icious URL. - Container Environments - docker exec \u2013 Exe | ||
| > | cutes a command inside a running container. - kubectl ex | > | cutes a command inside a running container. - kubectl ex | ||
| > | ec \u2013 Runs commands in Kubernetes pods. - macOS Terminal | > | ec \u2013 Runs commands in Kubernetes pods. - macOS Terminal | ||
| > | - open \u2013 Opens files or URLs. - dscl . -list /Users \u2013 Li | > | - open \u2013 Opens files or URLs. - dscl . -list /Users \u2013 Li | ||
| > | sts all users on the system. - osascript -e \u2013 Executes A | > | sts all users on the system. - osascript -e \u2013 Executes A | ||
| > | ppleScript commands. This data component can be collected t | > | ppleScript commands. | ||
| > | hrough the following measures: Enable Command Logging - Wi | ||||
| > | ndows: - Enable PowerShell logging: `Set-ExecutionPolicy | ||||
| > | Bypass`, `Set-ItemProperty -Path \"HKLM:\\SOFTWARE\\Policies\\M | ||||
| > | icrosoft\\Windows\\PowerShell\\ScriptBlockLogging\" -Name Enable | ||||
| > | ScriptBlockLogging -Value 1` - Enable Windows Event Logg | ||||
| > | ing: - Event ID 4688: Tracks process creation, inclu | ||||
| > | ding command-line arguments. - Event ID 4104: Logs P | ||||
| > | owerShell script block execution. - Linux/macOS: - Enabl | ||||
| > | e shell history logging in `.bashrc` or `.zshrc`: `export HI | ||||
| > | STTIMEFORMAT=\"%d/%m/%y %T \"`, `export PROMPT_COMMAND='histor | ||||
| > | y -a; history -w'` - Use audit frameworks (e.g., `auditd | ||||
| > | `) to log command executions. Example rule to log all `execv | ||||
| > | e` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_ex | ||||
| > | ec` - Containers: - Use runtime-specific tools like Dock | ||||
| > | er\u2019s --log-driver or Kubernetes Audit Logs to capture exec c | ||||
| > | ommands. Integrate with Centralized Logging - Collect logs | ||||
| > | using a SIEM (e.g., Splunk) or cloud-based log aggregation | ||||
| > | tools like AWS CloudWatch or Azure Monitor. Example Splunk S | ||||
| > | earch for Windows Event 4688: `index=windows EventID=4688 Co | ||||
| > | mmandLine=*` Use Endpoint Detection and Response (EDR) Tool | ||||
| > | s - Monitor command executions via EDR solutions Deploy S | ||||
| > | ysmon for Advanced Logging (Windows) - Use Sysmon's Event I | ||||
| > | D 1 to log process creation with command-line arguments |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The activity of assigning a new drive letter or creating a m | t | 1 | The activity of assigning a new drive letter or creating a m |
| > | ount point for a data storage device, such as a USB, network | > | ount point for a data storage device, such as a USB, network | ||
| > | share, or external hard drive, enabling access to its conte | > | share, or external hard drive, enabling access to its conte | ||
| > | nt on a host system. Examples: - USB Drive Insertion: A US | > | nt on a host system. Examples: - USB Drive Insertion: A US | ||
| > | B drive is plugged in and automatically assigned the letter | > | B drive is plugged in and automatically assigned the letter | ||
| > | `E:\\` on a Windows machine. - Network Drive Mapping: A netwo | > | `E:\\` on a Windows machine. - Network Drive Mapping: A netwo | ||
| > | rk share `\\\\server\\share` is mapped to the drive `Z:\\`. - Vi | > | rk share `\\\\server\\share` is mapped to the drive `Z:\\`. - Vi | ||
| > | rtual Drive Creation: A virtual disk is mounted on `/mnt/vir | > | rtual Drive Creation: A virtual disk is mounted on `/mnt/vir | ||
| > | tualdrive` using an ISO image or a virtual hard disk (VHD). | > | tualdrive` using an ISO image or a virtual hard disk (VHD). | ||
| > | - Cloud Storage Mounting: Google Drive is mounted as `G:\\` o | > | - Cloud Storage Mounting: Google Drive is mounted as `G:\\` o | ||
| > | n a Windows machine using a cloud sync tool. - External Stor | > | n a Windows machine using a cloud sync tool. - External Stor | ||
| > | age Integration: An external HDD or SSD is connected and ass | > | age Integration: An external HDD or SSD is connected and ass | ||
| > | igned `/mnt/external` on a Linux system. This data componen | > | igned `/mnt/external` on a Linux system.. | ||
| > | t can be collected through the following measures: Windows | ||||
| > | Event Logs - Relevant Events: - Event ID 98: Logs the c | ||||
| > | reation of a volume (mount or new drive letter assignment). | ||||
| > | - Event ID 1006: Logs removable storage device insertion | ||||
| > | s. - Configuration: Enable \"Removable Storage Events\" in the | ||||
| > | Group Policy settings: `Computer Configuration > Administra | ||||
| > | tive Templates > System > Removable Storage Access` Linux S | ||||
| > | ystem Logs - Command-Line Monitoring: Use `dmesg` or `journ | ||||
| > | alctl` to monitor mount events. - Auditd Configuration: Add | ||||
| > | audit rules to track mount points. - Logs can be reviewed i | ||||
| > | n /var/log/audit/audit.log. macOS System Logs - Unified Lo | ||||
| > | gs: Monitor system logs for mount activity: - Command-Line T | ||||
| > | ools: Use `diskutil list` to verify newly created or mounted | ||||
| > | drives. Endpoint Detection and Response (EDR) Tools - EDR | ||||
| > | solutions can log removable drive usage and network-mounted | ||||
| > | drives. Configure EDR policies to alert on suspicious drive | ||||
| > | creation events. SIEM Tools - Centralize logs from multip | ||||
| > | le platforms into a SIEM (e.g., Splunk) to correlate and ale | ||||
| > | rt on suspicious drive creation activities. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | To events where a file is opened or accessed, making its con | t | 1 | To events where a file is opened or accessed, making its con |
| > | tents available to the requester. This includes reading, exe | > | tents available to the requester. This includes reading, exe | ||
| > | cuting, or interacting with files by authorized or unauthori | > | cuting, or interacting with files by authorized or unauthori | ||
| > | zed entities. Examples include logging file access events (e | > | zed entities. Examples include logging file access events (e | ||
| > | .g., Windows Event ID 4663), monitoring file reads, and dete | > | .g., Windows Event ID 4663), monitoring file reads, and dete | ||
| > | cting unusual file access patterns. Examples: - File Read | > | cting unusual file access patterns. Examples: - File Read | ||
| > | Operations: A user opens a sensitive document (e.g., financi | > | Operations: A user opens a sensitive document (e.g., financi | ||
| > | al_report.xlsx) on a shared drive. - File Execution: A scrip | > | al_report.xlsx) on a shared drive. - File Execution: A scrip | ||
| > | t or executable file is accessed and executed (e.g., malware | > | t or executable file is accessed and executed (e.g., malware | ||
| > | .exe is run from a temporary directory). - Unauthorized File | > | .exe is run from a temporary directory). - Unauthorized File | ||
| > | Access: An unauthorized user attempts to access a protected | > | Access: An unauthorized user attempts to access a protected | ||
| > | configuration file (e.g., `/etc/passwd` on Linux or `System | > | configuration file (e.g., `/etc/passwd` on Linux or `System | ||
| > | 32` files on Windows). - File Access Patterns: Bulk access t | > | 32` files on Windows). - File Access Patterns: Bulk access t | ||
| > | o multiple files in a short time (e.g., mass access to docum | > | o multiple files in a short time (e.g., mass access to docum | ||
| > | ents on a file server). - File Access via Network: Files on | > | ents on a file server). - File Access via Network: Files on | ||
| > | a network share are accessed remotely (e.g., logs of SMB fil | > | a network share are accessed remotely (e.g., logs of SMB fil | ||
| > | e access). This data component can be collected through the | > | e access). | ||
| > | following measures: Windows - Windows Event Logs: Event I | ||||
| > | D 4663: Captures file system auditing details, including who | ||||
| > | accessed the file, access type, and file name. - Sysmon: | ||||
| > | - Event ID 11: Logs file creation time changes. - Even | ||||
| > | t ID 1 (process creation): Can provide insight into files ex | ||||
| > | ecuted. - PowerShell: Commands to monitor file access in rea | ||||
| > | l-time: `Get-WinEvent -FilterHashtable @{LogName='Security'; | ||||
| > | ID=4663}` Linux - Auditd: Monitor file access events usin | ||||
| > | g audit rules: `auditctl -w /path/to/file -p rwxa -k file_ac | ||||
| > | cess` - View logs: `ausearch -k file_access` - Inotify: Use | ||||
| > | inotify to track file access on Linux: `inotifywait -m /path | ||||
| > | /to/watch -e access` macOS - Unified Logs: Monitor file ac | ||||
| > | cess using the macOS Unified Logging System. - FSEvents: Fil | ||||
| > | e System Events can track file accesses: `fs_usage | grep op | ||||
| > | en` Network Devices - SMB/CIFS Logs: Monitor file access o | ||||
| > | ver network shares using logs from SMB or CIFS protocol. - N | ||||
| > | AS Logs: Collect logs from network-attached storage systems | ||||
| > | for file access events. SIEM Integration - Collect file ac | ||||
| > | cess logs from all platforms (Windows, Linux, macOS) and cen | ||||
| > | tralize in a SIEM for correlation and analysis. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | A new file is created on a system or network storage. This a | t | 1 | A new file is created on a system or network storage. This a |
| > | ction often signifies an operation such as saving a document | > | ction often signifies an operation such as saving a document | ||
| > | , writing data, or deploying a file. Logging these events he | > | , writing data, or deploying a file. Logging these events he | ||
| > | lps identify legitimate or potentially malicious file creati | > | lps identify legitimate or potentially malicious file creati | ||
| > | on activities. Examples include logging file creation events | > | on activities. Examples include logging file creation events | ||
| > | (e.g., Sysmon Event ID 11 or Linux auditd logs). This dat | > | (e.g., Sysmon Event ID 11 or Linux auditd logs). | ||
| > | a component can be collected through the following measures: | ||||
| > | Windows - Sysmon: Event ID 11: Logs file creation events, | ||||
| > | capturing details like the file path, hash, and creation ti | ||||
| > | me. - Windows Event Log: Enable \"Object Access\" auditing in | ||||
| > | Group Policy to track file creation under Event ID 4663. - P | ||||
| > | owerShell: Real-time monitoring of file creation:`Get-WinEve | ||||
| > | nt -FilterHashtable @{LogName='Security'; ID=4663}` Linux | ||||
| > | - Auditd: Use audit rules to monitor file creation: `auditct | ||||
| > | l -w /path/to/directory -p w -k file_creation` - View logs: | ||||
| > | `ausearch -k file_creation` - Inotify: Monitor file creation | ||||
| > | with inotifywait: `inotifywait -m /path/to/watch -e create` | ||||
| > | macOS - Unified Logs: Use the macOS Unified Logging Syste | ||||
| > | m to capture file creation events. - FSEvents: Use File Syst | ||||
| > | em Events to monitor file creation: `fs_usage | grep create` | ||||
| > | Network Devices - NAS Logs: Monitor file creation events | ||||
| > | on network-attached storage devices. - SMB Logs: Collect log | ||||
| > | s of file creation activities over SMB/CIFS protocols. SIEM | ||||
| > | Integration - Forward logs from all platforms (Windows, Li | ||||
| > | nux, macOS) to a SIEM for central analysis and alerting. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Refers to events where files are removed from a system or st | t | 1 | Refers to events where files are removed from a system or st |
| > | orage device. These events can indicate legitimate housekeep | > | orage device. These events can indicate legitimate housekeep | ||
| > | ing activities or malicious actions such as attackers attemp | > | ing activities or malicious actions such as attackers attemp | ||
| > | ting to cover their tracks. Monitoring file deletions helps | > | ting to cover their tracks. Monitoring file deletions helps | ||
| > | organizations identify unauthorized or suspicious activities | > | organizations identify unauthorized or suspicious activities | ||
| > | . This data component can be collected through the followin | > | . | ||
| > | g measures: Windows - Sysmon: Event ID 23: Logs file delet | ||||
| > | ion events, including details such as file paths and respons | ||||
| > | ible processes. - Windows Event Log: Enable \"Object Access\" | ||||
| > | auditing to monitor file deletions. - PowerShell: `Get-WinEv | ||||
| > | ent -FilterHashtable @{LogName='Security'; ID=4663} | Where- | ||||
| > | Object {$_.Message -like '*DELETE*'}` Linux - Auditd: Use | ||||
| > | audit rules to capture file deletion events: `auditctl -a al | ||||
| > | ways,exit -F arch=b64 -S unlink -S rename -S rmdir -k file_d | ||||
| > | eletion` - Query logs: `ausearch -k file_deletion` - Inotify | ||||
| > | : Use inotifywait to monitor file deletions: `inotifywait -m | ||||
| > | /path/to/watch -e delete` macOS - Endpoint Security Frame | ||||
| > | work (ESF): Monitor events like ES_EVENT_TYPE_AUTH_UNLINK to | ||||
| > | capture file deletion activities. - FSEvents: Track file de | ||||
| > | letion activities in real-time: `fs_usage | grep unlink` SI | ||||
| > | EM Integration - Forward file deletion logs to a SIEM for c | ||||
| > | entralized monitoring and correlation with other events. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | contextual information about a file, including attributes su | t | 1 | contextual information about a file, including attributes su |
| > | ch as the file's name, size, type, content (e.g., signatures | > | ch as the file's name, size, type, content (e.g., signatures | ||
| > | , headers, media), user/owner, permissions, timestamps, and | > | , headers, media), user/owner, permissions, timestamps, and | ||
| > | other related properties. File metadata provides insights in | > | other related properties. File metadata provides insights in | ||
| > | to a file's characteristics and can be used to detect malici | > | to a file's characteristics and can be used to detect malici | ||
| > | ous activity, unauthorized modifications, or other anomalies | > | ous activity, unauthorized modifications, or other anomalies | ||
| > | . Examples: - File Ownership and Permissions: Checking the | > | . Examples: - File Ownership and Permissions: Checking the | ||
| > | owner and permissions of a critical configuration file like | > | owner and permissions of a critical configuration file like | ||
| > | /etc/passwd on Linux or C:\\Windows\\System32\\config\\SAM on W | > | /etc/passwd on Linux or C:\\Windows\\System32\\config\\SAM on W | ||
| > | indows. - Timestamps: Analyzing the creation, modification, | > | indows. - Timestamps: Analyzing the creation, modification, | ||
| > | and access timestamps of a file. - File Content and Signatur | > | and access timestamps of a file. - File Content and Signatur | ||
| > | es: Extracting the headers of an executable file to verify i | > | es: Extracting the headers of an executable file to verify i | ||
| > | ts signature or detect packing/obfuscation. - File Attribute | > | ts signature or detect packing/obfuscation. - File Attribute | ||
| > | s: Analyzing attributes like hidden, system, or read-only fl | > | s: Analyzing attributes like hidden, system, or read-only fl | ||
| > | ags in Windows. - File Hashes: Generating MD5, SHA-1, or SHA | > | ags in Windows. - File Hashes: Generating MD5, SHA-1, or SHA | ||
| > | -256 hashes of files to compare against threat intelligence | > | -256 hashes of files to compare against threat intelligence | ||
| > | feeds. - File Location: Monitoring files located in unusual | > | feeds. - File Location: Monitoring files located in unusual | ||
| > | directories or paths, such as temporary or user folders. Th | > | directories or paths, such as temporary or user folders. | ||
| > | is data component can be collected through the following mea | ||||
| > | sures: Windows - Sysinternals Tools: Use `AccessEnum` or ` | ||||
| > | PSFile` to retrieve metadata about file access and permissio | ||||
| > | ns. - Windows Event Logs: Enable object access auditing and | ||||
| > | monitor events like 4663 (Object Access) and 5140 (A network | ||||
| > | share object was accessed). - PowerShell: Use Get-Item or G | ||||
| > | et-ChildItem cmdlets: `Get-ChildItem -Path \"C:\\Path\\To\\Direc | ||||
| > | tory\" -Recurse | Select-Object Name, Length, LastWriteTime, | ||||
| > | Attributes` Linux - File System Commands: Use `ls -l` or s | ||||
| > | tat to retrieve file metadata: `stat /path/to/file` - Auditd | ||||
| > | : Configure audit rules to log metadata access: `auditctl -w | ||||
| > | /path/to/file -p wa -k file_metadata` - Filesystem Integrit | ||||
| > | y Tools: Tools like tripwire or AIDE (Advanced Intrusion Det | ||||
| > | ection Environment) can monitor file metadata changes. macO | ||||
| > | S - FSEvents: Use FSEvents to track file metadata changes. | ||||
| > | - Endpoint Security Framework (ESF): Capture metadata-relate | ||||
| > | d events via ESF APIs. - Command-Line Tools: Use ls -l or xa | ||||
| > | ttr for file attributes: `ls -l@ /path/to/file` SIEM Integr | ||||
| > | ation - Forward file metadata logs from endpoint or network | ||||
| > | devices to a SIEM for centralized analysis. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Changes made to a file, including updates to its contents, m | t | 1 | Changes made to a file, including updates to its contents, m |
| > | etadata, access permissions, or attributes. These modificati | > | etadata, access permissions, or attributes. These modificati | ||
| > | ons may indicate legitimate activity (e.g., software updates | > | ons may indicate legitimate activity (e.g., software updates | ||
| > | ) or unauthorized changes (e.g., tampering, ransomware, or a | > | ) or unauthorized changes (e.g., tampering, ransomware, or a | ||
| > | dversarial modifications). Examples: - Content Modificatio | > | dversarial modifications). Examples: - Content Modificatio | ||
| > | ns: Changes to the content of a configuration file, such as | > | ns: Changes to the content of a configuration file, such as | ||
| > | modifying `/etc/ssh/sshd_config` on Linux or `C:\\Windows\\Sys | > | modifying `/etc/ssh/sshd_config` on Linux or `C:\\Windows\\Sys | ||
| > | tem32\\drivers\\etc\\hosts` on Windows. - Permission Changes: A | > | tem32\\drivers\\etc\\hosts` on Windows. - Permission Changes: A | ||
| > | ltering file permissions to allow broader access, such as ch | > | ltering file permissions to allow broader access, such as ch | ||
| > | anging a file from `644` to `777` on Linux or modifying NTFS | > | anging a file from `644` to `777` on Linux or modifying NTFS | ||
| > | permissions on Windows. - Attribute Modifications: Changing | > | permissions on Windows. - Attribute Modifications: Changing | ||
| > | a file's attributes to hidden, read-only, or system on Wind | > | a file's attributes to hidden, read-only, or system on Wind | ||
| > | ows. - Timestamp Manipulation: Adjusting a file's creation o | > | ows. - Timestamp Manipulation: Adjusting a file's creation o | ||
| > | r modification timestamp using tools like `touch` in Linux o | > | r modification timestamp using tools like `touch` in Linux o | ||
| > | r timestomping tools on Windows. - Software or System File C | > | r timestomping tools on Windows. - Software or System File C | ||
| > | hanges: Modifying system files such as `boot.ini`, kernel mo | > | hanges: Modifying system files such as `boot.ini`, kernel mo | ||
| > | dules, or application binaries. This data component can be | > | dules, or application binaries. | ||
| > | collected through the following measures: Windows - Event | ||||
| > | Logs: Enable file system auditing to monitor file modificati | ||||
| > | ons using Security Event ID 4670 (File System Audit) or Sysm | ||||
| > | on Event ID 2 (File creation time changed). - PowerShell: Us | ||||
| > | e Get-ItemProperty or Get-Acl cmdlets to monitor file proper | ||||
| > | ties: `Get-Item -Path \"C:\\path\\to\\file\" | Select-Object Name | ||||
| > | , Attributes, LastWriteTime` Linux - File System Monitorin | ||||
| > | g: Use tools like auditd with rules to monitor file modifica | ||||
| > | tions: `auditctl -w /path/to/file -p wa -k file_modification | ||||
| > | ` - Inotify: Use inotifywait to watch for real-time changes | ||||
| > | to files or directories: `inotifywait -m /path/to/file` mac | ||||
| > | OS - Endpoint Security Framework (ESF): Monitor file modifi | ||||
| > | cation events using ESF APIs. - Audit Framework: Configure a | ||||
| > | udit rules to track file changes. - Command-Line Tools: Use | ||||
| > | fs_usage to monitor file activities: `fs_usage -w /path/to/f | ||||
| > | ile` SIEM Tools - Collect logs from endpoint agents (e.g., | ||||
| > | Sysmon, Auditd) and file servers to centralize file modific | ||||
| > | ation event data. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The successful establishment of a new user session following | t | 1 | The successful establishment of a new user session following |
| > | a successful authentication attempt. This typically signifi | > | a successful authentication attempt. This typically signifi | ||
| > | es that a user has provided valid credentials or authenticat | > | es that a user has provided valid credentials or authenticat | ||
| > | ion tokens, and the system has initiated a session associate | > | ion tokens, and the system has initiated a session associate | ||
| > | d with that user account. This data is crucial for tracking | > | d with that user account. This data is crucial for tracking | ||
| > | authentication events and identifying potential unauthorized | > | authentication events and identifying potential unauthorized | ||
| > | access. Examples: - Windows Systems - Event ID: 4624 | > | access. Examples: - Windows Systems - Event ID: 4624 | ||
| > | - Logon Type: 2 (Interactive) or 10 (Remote Interact | > | - Logon Type: 2 (Interactive) or 10 (Remote Interact | ||
| > | ive via RDP). - Account Name: JohnDoe - Sour | > | ive via RDP). - Account Name: JohnDoe - Sour | ||
| > | ce Network Address: 192.168.1.100 - Authentication P | > | ce Network Address: 192.168.1.100 - Authentication P | ||
| > | ackage: NTLM - Linux Systems - /var/log/utmp or /var/log | > | ackage: NTLM - Linux Systems - /var/log/utmp or /var/log | ||
| > | /wtmp: - Log format: login user [tty] from [source_i | > | /wtmp: - Log format: login user [tty] from [source_i | ||
| > | p] - User: jane - IP: 10.0.0.5 - Tim | > | p] - User: jane - IP: 10.0.0.5 - Tim | ||
| > | estamp: 2024-12-28 08:30:00 - macOS Systems - /var/log/a | > | estamp: 2024-12-28 08:30:00 - macOS Systems - /var/log/a | ||
| > | sl.log or unified logging framework: - Log: com.appl | > | sl.log or unified logging framework: - Log: com.appl | ||
| > | e.securityd: Authentication succeeded for user 'admin' - Clo | > | e.securityd: Authentication succeeded for user 'admin' - Clo | ||
| > | ud Environments - Azure Sign-In Logs: - Activity | > | ud Environments - Azure Sign-In Logs: - Activity | ||
| > | : Sign-in successful - Client App: Browser - | > | : Sign-in successful - Client App: Browser - | ||
| > | Location: Unknown (Country: X) - Google Workspace - Act | > | Location: Unknown (Country: X) - Google Workspace - Act | ||
| > | ivity: Login - Event Type: successful_login | > | ivity: Login - Event Type: successful_login | ||
| > | - Source IP: 203.0.113.55 This data component can be collec | > | - Source IP: 203.0.113.55 | ||
| > | ted through the following measures: - Windows Systems - | ||||
| > | Event Logs: Monitor Security Event Logs using Event ID 4624 | ||||
| > | for successful logons. - PowerShell Example: `Get-Event | ||||
| > | Log -LogName Security -InstanceId 4624` - Linux Systems | ||||
| > | - Log Files: Monitor `/var/log/utmp`, `/var/log/wtmp`, or `/ | ||||
| > | var/log/auth.log` for logon events. - Tools: Use `last` | ||||
| > | or `who` commands to parse login records. - macOS Systems | ||||
| > | - Log Sources: Monitor `/var/log/asl.log` or Apple Unified | ||||
| > | Logs using the `log show` command. - Command Example: ` | ||||
| > | log show --predicate 'eventMessage contains \"Authentication | ||||
| > | succeeded\"' --info` - Cloud Environments - Azure AD: Use | ||||
| > | Azure Monitor to analyze sign-in logs. Example CLI Query: ` | ||||
| > | az monitor log-analytics query -w <workspace_id> --analytics | ||||
| > | -query \"AzureActivity | where ActivityStatus == 'Success' an | ||||
| > | d OperationName == 'Sign-in'\"` - Google Workspace: Enabl | ||||
| > | e and monitor Login Audit logs from the Admin Console. - | ||||
| > | Office 365: Use Audit Log Search in Microsoft 365 Security | ||||
| > | & Compliance Center for login-related events. - Network Logs | ||||
| > | - Sources: Network authentication mechanisms (e.g., RAD | ||||
| > | IUS or TACACS logs). - Enable EDR Monitoring: - EDR too | ||||
| > | ls monitor logon session activity, including the creation of | ||||
| > | new sessions. - Configure alerts for: Suspicious logon | ||||
| > | types (e.g., Logon Type 10 for RDP or Type 5 for Service). L | ||||
| > | ogons from unusual locations, accounts, or devices. - Le | ||||
| > | verage EDR telemetry for session attributes like source IP, | ||||
| > | session duration, and originating process. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | When a process or program dynamically attaches a shared libr | t | 1 | When a process or program dynamically attaches a shared libr |
| > | ary, module, or plugin into its memory space. This action is | > | ary, module, or plugin into its memory space. This action is | ||
| > | typically performed to extend the functionality of an appli | > | typically performed to extend the functionality of an appli | ||
| > | cation, access shared system resources, or interact with ker | > | cation, access shared system resources, or interact with ker | ||
| > | nel-mode components. *Data Collection Measures:* - Event L | > | nel-mode components. | ||
| > | ogging (Windows): - Sysmon Event ID 7: Logs when a DLL i | ||||
| > | s loaded into a process. - Windows Security Event ID 468 | ||||
| > | 8: Captures process creation events, often useful for correl | ||||
| > | ating module loads. - Windows Defender ATP: Can provide | ||||
| > | visibility into suspicious module loads. - Event Logging (Li | ||||
| > | nux/macOS): - AuditD (`execve` and `open` syscalls): Cap | ||||
| > | tures when shared libraries (`.so` files) are loaded. - | ||||
| > | Ltrace/Strace: Monitors process behavior, including library | ||||
| > | calls (`dlopen`, `execve`). - MacOS Endpoint Security Fr | ||||
| > | amework (ESF): Monitors library loads (`ES_EVENT_TYPE_NOTIFY | ||||
| > | _DYLD_INSERT_LIBRARIES`). - Endpoint Detection & Response (E | ||||
| > | DR): - Provide real-time telemetry on module loads and | ||||
| > | process injections. - Sysinternals Process Monitor (`pro | ||||
| > | cmon`): Captures loaded modules and their execution context. | ||||
| > | - Memory Forensics: - Volatility Framework (`malfind`, | ||||
| > | `ldrmodules`): Detects injected DLLs and anomalous module lo | ||||
| > | ads. - Rekall Framework: Useful for kernel-mode module d | ||||
| > | etection. - SIEM and Log Analysis: - Centralized log agg | ||||
| > | regation to correlate suspicious module loads across the env | ||||
| > | ironment. - Detection rules using correlation searches a | ||||
| > | nd behavioral analytics. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Opening a network share, which makes the contents available | t | 1 | Opening a network share, which makes the contents available |
| > | to the requestor (ex: Windows EID 5140 or 5145) *Data Colle | > | to the requestor (ex: Windows EID 5140 or 5145) | ||
| > | ction Measures:* - Windows: - Event ID 5140 \u2013 Network S | ||||
| > | hare Object Access Logs every access attempt to a network sh | ||||
| > | are. - Event ID 5145 \u2013 Detailed Network Share Object Acc | ||||
| > | ess Captures granular access control information, including | ||||
| > | the requesting user, source IP, and access permissions. | ||||
| > | - Sysmon Event ID 3 \u2013 Network Connection Initiated Helps tra | ||||
| > | ck SMB connections to suspicious or unauthorized network sha | ||||
| > | res. - Enable Audit Policy for Network Share Access: `au | ||||
| > | ditpol /set /subcategory:\"File Share\" /success:enable /failu | ||||
| > | re:enable` - Enable PowerShell Logging to Detect Unautho | ||||
| > | rized SMB Access: `Set-ExecutionPolicy RemoteSigned` - R | ||||
| > | estrict Network Share Access with Group Policy (GPO): `Compu | ||||
| > | ter Configuration \u2192 Windows Settings \u2192 Security Settings \u2192 L | ||||
| > | ocal Policies \u2192 User Rights Assignment` Set \"Access this com | ||||
| > | puter from the network\" to restrict unauthorized accounts. - | ||||
| > | Linux/macOS: - AuditD (`open`, `read`, `write`, `connec | ||||
| > | t` syscalls) Detects access to NFS, CIFS, and SMB network sh | ||||
| > | ares. - Lsof (`lsof | grep nfs` or `lsof | grep smb`) Id | ||||
| > | entifies active network share connections. - Mount (`mou | ||||
| > | nt | grep nfs` or `mount | grep cifs`) Lists currently mount | ||||
| > | ed network shares. - Enable AuditD for SMB/NFS Access: ` | ||||
| > | auditctl -a always,exit -F arch=b64 -S open -F path=/mnt/sha | ||||
| > | re -k network_share_access` - Monitor Active Network Sha | ||||
| > | res Using Netstat: `netstat -an | grep :445` - Endpoint Dete | ||||
| > | ction & Response (EDR): - Detects abnormal network share | ||||
| > | access behavior, such as unusual account usage, large file | ||||
| > | transfers, or encrypted file activity. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Summarized network packet data that captures session-level d | t | 1 | Summarized network packet data that captures session-level d |
| > | etails such as source/destination IPs, ports, protocol types | > | etails such as source/destination IPs, ports, protocol types | ||
| > | , timestamps, and data volume, without storing full packet p | > | , timestamps, and data volume, without storing full packet p | ||
| > | ayloads. This is commonly used for traffic analysis, anomaly | > | ayloads. This is commonly used for traffic analysis, anomaly | ||
| > | detection, and network performance monitoring. *Data Colle | > | detection, and network performance monitoring. | ||
| > | ction Measures:* - Network Flow Logs (Metadata Collection) | ||||
| > | - NetFlow - Summarized metadata for network con | ||||
| > | versations (no packet payloads). - sFlow (Sampled Flow L | ||||
| > | ogging) - Captures sampled packets from switches and | ||||
| > | routers. - Used for real-time traffic monitoring an | ||||
| > | d anomaly detection. - Zeek (Bro) Flow Logs - Ze | ||||
| > | ek logs session-level details in logs like conn.log, http.lo | ||||
| > | g, dns.log, etc. - Host-Based Collection - Sysmon Event | ||||
| > | ID 3 \u2013 Network Connection Initiated - Logs process-l | ||||
| > | evel network activity, useful for detecting malicious outbou | ||||
| > | nd connections. - AuditD (Linux) \u2013 syscall=connect | ||||
| > | - Monitors system calls for network connections. `auditct | ||||
| > | l -a always,exit -F arch=b64 -S connect -k network_activity` | ||||
| > | - Cloud & SaaS Flow Monitoring - AWS VPC Flow Logs | ||||
| > | - Captures metadata for traffic between EC2 instances, s | ||||
| > | ecurity groups, and internet gateways. - Azure NSG Flow | ||||
| > | Logs / Google VPC Flow Logs - Logs ingress/egress tr | ||||
| > | affic for cloud-based resources. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Calls made by a process to operating system-provided Applica | t | 1 | Calls made by a process to operating system-provided Applica |
| > | tion Programming Interfaces (APIs). These calls are essentia | > | tion Programming Interfaces (APIs). These calls are essentia | ||
| > | l for interacting with system resources such as memory, file | > | l for interacting with system resources such as memory, file | ||
| > | s, and hardware, or for performing system-level tasks. Monit | > | s, and hardware, or for performing system-level tasks. Monit | ||
| > | oring these calls can provide insight into a process's inten | > | oring these calls can provide insight into a process's inten | ||
| > | t, especially if the process is malicious. *Data Collection | > | t, especially if the process is malicious. | ||
| > | Measures:* - Endpoint Detection and Response (EDR) Tools: | ||||
| > | - Leverage tools to monitor API execution behaviors at t | ||||
| > | he process level. - Example: Sysmon Event ID 10 captures | ||||
| > | API call traces for process access and memory allocation. - | ||||
| > | Process Monitor (ProcMon): - Use ProcMon to collect det | ||||
| > | ailed logs of process and API activity. ProcMon can provide | ||||
| > | granular details on API usage and identify malicious behavio | ||||
| > | r during analysis. - Windows Event Logs: - Use Event IDs | ||||
| > | from Windows logs for specific API-related activities: | ||||
| > | - Event ID 4688: A new process has been created (can ind | ||||
| > | irectly infer API use). - Event ID 4657: A registry | ||||
| > | value has been modified (to monitor registry-altering APIs). | ||||
| > | - Dynamic Analysis Tools: - Tools like Cuckoo Sandbox, | ||||
| > | Flare VM, or Hybrid Analysis monitor API execution during ma | ||||
| > | lware detonation. - Host-Based Logs: - On Linux/macOS sy | ||||
| > | stems, leverage audit frameworks (e.g., `auditd`, `strace`) | ||||
| > | to capture and analyze system call usage that APIs map to. - | ||||
| > | Runtime Monitors: - Runtime security tools like Falco c | ||||
| > | an monitor system-level calls for API execution. - Debugging | ||||
| > | and Tracing: - Use debugging tools like gdb (Linux) or | ||||
| > | WinDbg (Windows) for deep tracing of API executions in real | ||||
| > | time. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Refers to the event in which a new process (executable) is i | t | 1 | Refers to the event in which a new process (executable) is i |
| > | nitialized by an operating system. This can involve parent-c | > | nitialized by an operating system. This can involve parent-c | ||
| > | hild process relationships, process arguments, and environme | > | hild process relationships, process arguments, and environme | ||
| > | ntal variables. Monitoring process creation is crucial for d | > | ntal variables. Monitoring process creation is crucial for d | ||
| > | etecting malicious behaviors, such as execution of unauthori | > | etecting malicious behaviors, such as execution of unauthori | ||
| > | zed binaries, scripting abuse, or privilege escalation attem | > | zed binaries, scripting abuse, or privilege escalation attem | ||
| > | pts. *Data Collection Measures:* - Endpoint Detection and | > | pts.. | ||
| > | Response (EDR) Tools: - EDRs provide process telemetry, | ||||
| > | tracking execution flows and arguments. - Windows Event Logs | ||||
| > | : - Event ID 4688 (Audit Process Creation): Captures pro | ||||
| > | cess creation with associated parent process. - Sysmon (Wind | ||||
| > | ows): - Event ID 1 (Process Creation): Provides detailed | ||||
| > | logging - Linux/macOS Monitoring: - AuditD (execve sysc | ||||
| > | all): Logs process creation. - eBPF/XDP: Used for low-le | ||||
| > | vel monitoring of system calls related to process execution. | ||||
| > | - OSQuery: Allows SQL-like queries to track process eve | ||||
| > | nts (process_events table). - Apple Endpoint Security Fr | ||||
| > | amework (ESF): Monitors process creation on macOS. - Network | ||||
| > | -Based Monitoring: - Zeek (Bro) Logs: Captures network-b | ||||
| > | ased process execution related to remote shells. - Syslo | ||||
| > | g/OSSEC: Tracks execution of processes on distributed system | ||||
| > | s. - Behavioral SIEM Rules: - Monitor process creation f | ||||
| > | or uncommon binaries in user directories. - Detect proce | ||||
| > | sses with suspicious command-line arguments. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The exit or termination of a running process on a system. Th | t | 1 | The exit or termination of a running process on a system. Th |
| > | is can occur due to normal operations, user-initiated comman | > | is can occur due to normal operations, user-initiated comman | ||
| > | ds, or malicious actions such as process termination by malw | > | ds, or malicious actions such as process termination by malw | ||
| > | are to disable security controls. *Data Collection Measures | > | are to disable security controls. | ||
| > | :* - Endpoint Detection and Response (EDR) Tools: - Mon | ||||
| > | itor process termination events. - Windows Event Logs: - | ||||
| > | Event ID 4689 (Process Termination) \u2013 Captures when a proce | ||||
| > | ss exits, including process ID and parent process. - Eve | ||||
| > | nt ID 7036 (Service Control Manager) \u2013 Monitors system servi | ||||
| > | ce stops. - Sysmon (Windows): - Event ID 5 (Process Term | ||||
| > | ination) \u2013 Detects when a process exits, including parent-ch | ||||
| > | ild relationships. - Linux/macOS Monitoring: - AuditD (` | ||||
| > | execve`, `exit_group`, `kill` syscalls) \u2013 Captures process t | ||||
| > | ermination via command-line interactions. - eBPF/XDP: Mo | ||||
| > | nitors low-level system calls related to process termination | ||||
| > | . - OSQuery: The processes table can be queried for abno | ||||
| > | rmal exits. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The establishment of a task or job that will execute at a pr | t | 1 | The establishment of a task or job that will execute at a pr |
| > | edefined time or based on specific triggers. *Data Collecti | > | edefined time or based on specific triggers. | ||
| > | on Measures: * - Windows Event Logs: - Event ID 4698 (S | ||||
| > | cheduled Task Created) \u2013 Detects the creation of new schedul | ||||
| > | ed tasks. - Event ID 4702 (Scheduled Task Updated) \u2013 Ide | ||||
| > | ntifies modifications to existing scheduled jobs. - Even | ||||
| > | t ID 106 (TaskScheduler Operational Log) \u2013 Provides details | ||||
| > | about scheduled task execution. - Sysmon (Windows): - Ev | ||||
| > | ent ID 1 (Process Creation) \u2013 Detects the execution of suspi | ||||
| > | cious tasks started by `schtasks.exe`, `at.exe`, or `taskeng | ||||
| > | .exe`. - Linux/macOS Monitoring: - AuditD: Monitor modif | ||||
| > | ications to `/etc/cron*`, `/var/spool/cron/`, and `crontab` | ||||
| > | files. - Syslog: Capture cron job execution logs from `/ | ||||
| > | var/log/cron`. - OSQuery: Query the `crontab` and `launc | ||||
| > | hd` tables for scheduled job configurations. - Endpoint Dete | ||||
| > | ction and Response (EDR) Tools: - Track scheduled task c | ||||
| > | reation and modification events. - SIEM & XDR Detection Rule | ||||
| > | s: - Monitor for scheduled jobs created by unusual users | ||||
| > | . - Detect tasks executing scripts from non-standard dir | ||||
| > | ectories. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | The execution of a text file that contains code via the inte | t | 1 | The execution of a text file that contains code via the inte |
| > | rpreter. *Data Collection Measures:* - Windows Event Logs: | > | rpreter. | ||
| > | - Event ID 4104 (PowerShell Script Block Logging) \u2013 Cap | ||||
| > | tures full command-line execution of PowerShell scripts. | ||||
| > | - Event ID 4688 (Process Creation) \u2013 Detects script executi | ||||
| > | on by tracking process launches (`powershell.exe`, `wscript. | ||||
| > | exe`, `cscript.exe`). - Event ID 5861 (Script Execution) | ||||
| > | \u2013 Captures script execution via Windows Defender AMSI loggi | ||||
| > | ng. - Sysmon (Windows): - Event ID 1 (Process Creation) | ||||
| > | \u2013 Monitors script execution initiated by scripting engines. | ||||
| > | - Event ID 11 (File Creation) \u2013 Detects new script files | ||||
| > | written to disk before execution. - Endpoint Detection and | ||||
| > | Response (EDR) Tools: - Track script execution behavior, | ||||
| > | detect obfuscated commands, and prevent malicious scripts. | ||||
| > | - PowerShell Logging: - Enable Module Logging: Logs all | ||||
| > | loaded modules and cmdlets. - Enable Script Block Loggin | ||||
| > | g: Captures complete PowerShell script execution history. - | ||||
| > | SIEM Detection Rules: - Detect script execution with obf | ||||
| > | uscated, encoded, or remote URLs. - Alert on script exec | ||||
| > | utions using `-EncodedCommand` or `iex(iwr)`. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Changes made to an existing service or daemon, such as modif | t | 1 | Changes made to an existing service or daemon, such as modif |
| > | ying the service name, start type, execution parameters, or | > | ying the service name, start type, execution parameters, or | ||
| > | security configurations. *Data Collection Measures: * - Wi | > | security configurations. | ||
| > | ndows Event Logs - Event ID 7040 - Detects modifications | ||||
| > | to the startup behavior of a service. - Event ID 7045 - | ||||
| > | Can capture changes made to existing services. - Event | ||||
| > | ID 7036 - Tracks when services start or stop, potentially in | ||||
| > | dicating malicious tampering. - Event ID 4697 - Can dete | ||||
| > | ct when an adversary reinstalls a service with different par | ||||
| > | ameters. - Sysmon Logs - Sysmon Event ID 13 - Detects ch | ||||
| > | anges to service configurations in the Windows Registry (e.g | ||||
| > | ., `HKLM\\SYSTEM\\CurrentControlSet\\Services\\`). - Sysmon | ||||
| > | Event ID 1 - Can track execution of `sc.exe` or `PowerShell | ||||
| > | Set-Service`. - PowerShell Logging - Event ID 4104 (Scri | ||||
| > | pt Block Logging) - Captures execution of commands like `Set | ||||
| > | -Service`, `New-Service`, or `sc config`. - Command-Line | ||||
| > | Logging (Event ID 4688) - Tracks usage of service modificat | ||||
| > | ion commands: - `sc config <service_name> start= aut | ||||
| > | o` - `sc qc <service_name>` - Linux/macOS Collec | ||||
| > | tion Methods - Systemd Journals (`journalctl -u <service | ||||
| > | _name>`) Tracks modifications to systemd service configurati | ||||
| > | ons. - Daemon Logs (`/var/log/syslog`, `/var/log/message | ||||
| > | s`, `/var/log/daemon.log`) Captures changes to service state | ||||
| > | and execution parameters. - AuditD Rules for Service Mo | ||||
| > | dification - Monitor modifications to `/etc/systemd | ||||
| > | /system/` for new or altered service unit files: `auditctl - | ||||
| > | w /etc/systemd/system/ -p wa -k service_modification` | ||||
| > | - Track execution of `systemctl` or `service` commands: `a | ||||
| > | uditctl -a always,exit -F arch=b64 -S execve -F a0=systemctl | ||||
| > | -F key=service_mod` - OSQuery for Linux/macOS Monitorin | ||||
| > | g - Query modified services using OSQuery\u2019s `process | ||||
| > | es` or `system_info` tables: `SELECT * FROM systemd_units WH | ||||
| > | ERE state != 'running';` - macOS Launch Daemon/Agent Mod | ||||
| > | ification - Monitor for changes in: - `/ | ||||
| > | Library/LaunchDaemons/` - `/Library/LaunchAgents | ||||
| > | /` - Track modifications to `.plist` files indicatin | ||||
| > | g persistence attempts. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | An attempt (successful and failed login attempts) by a user, | t | 1 | An attempt (successful and failed login attempts) by a user, |
| > | service, or application to gain access to a network, system | > | service, or application to gain access to a network, system | ||
| > | , or cloud-based resource. This typically involves credentia | > | , or cloud-based resource. This typically involves credentia | ||
| > | ls such as passwords, tokens, multi-factor authentication (M | > | ls such as passwords, tokens, multi-factor authentication (M | ||
| > | FA), or biometric validation. *Data Collection Measures:* | > | FA), or biometric validation. | ||
| > | - Host-Based Authentication Logs - Windows Event Logs | ||||
| > | - Event ID 4776 \u2013 NTLM authentication attempt. | ||||
| > | - Event ID 4624 \u2013 Successful user logon. - Event ID | ||||
| > | 4625 \u2013 Failed authentication attempt. - Event ID 46 | ||||
| > | 48 \u2013 Explicit logon with alternate credentials. - Linux/ | ||||
| > | macOS Authentication Logs - `/var/log/auth.log`, `/v | ||||
| > | ar/log/secure` \u2013 Logs SSH, sudo, and other authentication at | ||||
| > | tempts. - AuditD \u2013 Tracks authentication events via | ||||
| > | PAM modules. - macOS Unified Logs \u2013 `/var/db/diagnos | ||||
| > | tics` captures authentication failures. - Cloud Authenticati | ||||
| > | on Logs - Azure AD Logs - Sign-in Logs \u2013 Tracks | ||||
| > | authentication attempts, MFA challenges, and conditional acc | ||||
| > | ess failures. - Audit Logs \u2013 Captures authentication | ||||
| > | -related configuration changes. - Microsoft Graph AP | ||||
| > | I \u2013 Provides real-time sign-in analytics. - Google Works | ||||
| > | pace & Office 365 - Google Admin Console \u2013 `User Log | ||||
| > | in Report` tracks login attempts and failures. - Off | ||||
| > | ice 365 Unified Audit Logs \u2013 Captures logins across Exchange | ||||
| > | , SharePoint, and Teams. - AWS CloudTrail & IAM | ||||
| > | - Tracks authentication via `AWS IAM AuthenticateUser` and ` | ||||
| > | sts:GetSessionToken`. - Logs failed authentications | ||||
| > | to AWS Management Console and API requests. - Container Auth | ||||
| > | entication Monitoring - Kubernetes Authentication Logs | ||||
| > | - kubectl audit logs \u2013 Captures authentication attemp | ||||
| > | ts for service accounts and admin users. - Azure Kub | ||||
| > | ernetes Service (AKS) and Google Kubernetes Engine (GKE) \u2013 L | ||||
| > | ogs IAM authentication events. |