Information from host telemetry providing insights about system status, errors, or other notable functional activity
Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)
| Domain | ID | Sub-ID | Name | Detects |
|---|---|---|---|---|
| Mobile | T1398 | | Boot or Logon Initialization Scripts | On Android, Verified Boot can detect unauthorized modifications to the system partition.[1] Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. |
| Mobile | T1645 | | Compromise Client Software Binary | Verified Boot can detect unauthorized modifications to the system partition.[1] Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. |
| Mobile | T1634 | | Credentials from Password Store | Mobile security products can potentially detect jailbroken devices. |
| | | .001 | Keychain | Mobile security products can potentially detect jailbroken devices. |
| Mobile | T1456 | | Drive-By Compromise | Mobile security products can often alert the user if their device is vulnerable to known exploits. |
| Enterprise | T1499 | | Endpoint Denial of Service | Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Monitor for logging, messaging, and other artifacts highlighting the health of host sensors (e.g., metrics, errors, and/or exceptions from logging applications). |
| | | .001 | OS Exhaustion Flood | Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Monitor for logging, messaging, and other artifacts highlighting the health of host sensors (e.g., metrics, errors, and/or exceptions from logging applications). |
| | | .002 | Service Exhaustion Flood | Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Monitor for logging, messaging, and other artifacts highlighting the health of host sensors (e.g., metrics, errors, and/or exceptions from logging applications). |
| | | .003 | Application Exhaustion Flood | Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Monitor for logging, messaging, and other artifacts highlighting the health of host sensors (e.g., metrics, errors, and/or exceptions from logging applications). |
| | | .004 | Application or System Exploitation | Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Monitor for logging, messaging, and other artifacts highlighting the health of host sensors (e.g., metrics, errors, and/or exceptions from logging applications). |
| Mobile | T1664 | | Exploitation for Initial Access | Mobile security products can often alert the user if their device is vulnerable to known exploits. |
| Mobile | T1404 | | Exploitation for Privilege Escalation | Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken. |
| Mobile | T1625 | | Hijack Execution Flow | Mobile threat defense agents could detect unauthorized operating system modifications by using attestation. |
| | | .001 | System Runtime API Hijacking | Mobile threat defense agents could detect unauthorized operating system modifications by using attestation. |
| Enterprise | T1562 | | Impair Defenses | Monitor logging, messaging, and other artifacts highlighting the health of host sensors (e.g., metrics, errors, and/or exceptions from logging applications) for signs that components of a victim environment have been maliciously modified in order to hinder or disable defensive mechanisms. Lack of log events may be suspicious. |
| | | .001 | Disable or Modify Tools | Lack of expected log events may be suspicious. Monitor for telemetry that provides context for modification or deletion of information related to security software processes or services such as Windows Defender definition files in Windows and System log files in Linux. |
| | | .002 | Disable Windows Event Logging | Monitor for logging and messaging artifacts indicating that Windows event logging has been disabled to limit the data that can be leveraged for detections and audits. For example, adversaries may modify the EventLog file path to a different file name and location.[2] |
| | | .003 | Impair Command History Logging | Users checking or changing their |
| | | .006 | Indicator Blocking | Detect lack of reported activity from a host sensor. Different methods of blocking may cause different disruptions in reporting. Systems may suddenly stop reporting all data or only certain kinds of data. Depending on the types of host information collected, an analyst may be able to detect the event that triggered a process to stop or a connection to be blocked. For example, Sysmon will log when its configuration state has changed (Event ID 16) and Windows Management Instrumentation (WMI) may be used to subscribe ETW providers that log any provider removal from a specific trace session.[3] |
| | | .011 | Spoof Security Alerting | Monitor logging, messaging, and other artifacts highlighting the health of host sensors (e.g., metrics, errors, and/or exceptions from logging applications), especially correlating and comparing centralized telemetry against potentially suspicious notifications presented on individual systems. |
| Mobile | T1630 | .003 | Indicator Removal on Host: Disguise Root/Jailbreak Indicators | Mobile security products can use attestation to detect compromised devices. |
| Mobile | T1461 | | Lockscreen Bypass | Mobile security products can often alert the user if their device is vulnerable to known exploits. |
| Enterprise | T1498 | | Network Denial of Service | Detection of Network DoS can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Monitor for logging, messaging, and other artifacts highlighting the health of host sensors (e.g., metrics, errors, and/or exceptions from logging applications). |
| | | .001 | Direct Network Flood | Detection of Network DoS can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Monitor for logging, messaging, and other artifacts highlighting the health of host sensors (e.g., metrics, errors, and/or exceptions from logging applications). |
| | | .002 | Reflection Amplification | Detection of Network DoS can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Monitor for logging, messaging, and other artifacts highlighting the health of host sensors (e.g., metrics, errors, and/or exceptions from logging applications). |
| Mobile | T1458 | | Replication Through Removable Media | Mobile security products can often alert the user if their device is vulnerable to known exploits. |
| Enterprise | T1496 | | Resource Hijacking | Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources. |
| | | .001 | Compute Hijacking | Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources. |
| Enterprise | T1195 | | Supply Chain Compromise | Perform physical inspection of hardware to look for potential tampering. Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes and compare against known good baseline behavior. |
| | | .003 | Compromise Hardware Supply Chain | Perform physical inspection of hardware to look for potential tampering. Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes and compare against known good baseline behavior. |
| Mobile | T1474 | .002 | Supply Chain Compromise: Compromise Hardware Supply Chain | Integrity checking mechanisms can potentially detect unauthorized hardware modifications. |
| | | .003 | Supply Chain Compromise: Compromise Software Supply Chain | System partition integrity checking mechanisms can detect unauthorized or malicious code contained in the system partition. |
| Enterprise | T1529 | | System Shutdown/Reboot | Monitor for logging, messaging, and other artifacts highlighting the health of host sensors (e.g., metrics, errors, and/or exceptions from logging applications) that may suggest the shutting down or rebooting of the system. Windows event logs may also designate activity associated with a shutdown/reboot, e.g., Event IDs 1074 and 6006. |
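
The Indicator Blocking and System Shutdown/Reboot entries above can be combined into one sensor-health check: flag hosts that stop reporting all data or only certain kinds of data, note Sysmon Event ID 16, and treat silence that follows Event ID 1074 or 6006 as explained. This is an added example, not part of the ATT&CK content; the host names, the 15-minute threshold, the sample events and the function name `find_reporting_gaps` are assumptions.

```python
from datetime import datetime, timedelta

SHUTDOWN_IDS = {1074, 6006}   # Windows shutdown/reboot events named on this page
SYSMON_CONFIG_CHANGE = 16     # Sysmon: configuration state changed

def _t(hhmm):
    return datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample telemetry: (timestamp, host, log source, event ID).
EVENTS = [
    (_t("11:55"), "ws01", "Sysmon", 1), (_t("11:58"), "ws01", "Security", 4624),
    (_t("11:00"), "ws02", "Sysmon", 16), (_t("11:58"), "ws02", "Security", 4624),
    (_t("11:05"), "ws03", "Sysmon", 1), (_t("11:10"), "ws03", "System", 1074),
    (_t("11:11"), "ws03", "System", 6006),
    (_t("11:05"), "ws04", "Sysmon", 1), (_t("11:06"), "ws04", "Security", 4624),
]

def find_reporting_gaps(events, now, max_silence=timedelta(minutes=15)):
    """Return (host, source, reason) findings for sensors that went quiet."""
    last_seen, last_shutdown, findings = {}, {}, []
    for ts, host, source, event_id in sorted(events):
        last_seen.setdefault(host, {})[source] = ts
        if source == "System" and event_id in SHUTDOWN_IDS:
            last_shutdown[host] = ts
        if source == "Sysmon" and event_id == SYSMON_CONFIG_CHANGE:
            findings.append((host, source, "sysmon_config_changed"))
    for host in sorted(last_seen):
        sources = last_seen[host]
        silent = sorted(s for s, ts in sources.items() if now - ts > max_silence)
        if len(silent) < len(sources):
            # Only certain kinds of data stopped: report each quiet source.
            findings += [(host, s, "source_silent") for s in silent]
            continue
        # Every source is quiet: a shutdown record as the last activity explains it.
        host_last = max(sources.values())
        shutdown = last_shutdown.get(host)
        explained = shutdown is not None and host_last - shutdown <= timedelta(minutes=1)
        reason = "silent_after_shutdown" if explained else "host_silent_unexplained"
        findings.append((host, "*", reason))
    return findings

if __name__ == "__main__":
    for finding in find_reporting_gaps(EVENTS, now=_t("12:00")):
        print(finding)
```

A host that has never reported is invisible to this check, so in practice the expected host and source inventory should come from an asset list rather than from the events themselves.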