Application Log

Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)[1]

ID: DS0015
Platforms: Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Collection Layers: Cloud Control Plane, Host
Version: 1.0
Created: 20 October 2021
Last Modified: 30 March 2022

Data Components

Application Log: Application Log Content

Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)

Domain ID Name Detects
Enterprise T1098 .002 Account Manipulation: Additional Email Delegate Permissions

Enable the UpdateFolderPermissions action for all logon types. The mailbox audit log will forward folder permission modification events to the Unified Audit Log. Create rules to alert on ModifyFolderPermissions operations where the Anonymous or Default user is assigned permissions other than None.

A larger-than-normal volume of emails sent from an account, and similar phishing emails sent from real accounts within a network, may be a sign that an account was compromised and that attempts to leverage access with modified email permissions are occurring.

.005 Account Manipulation: Device Registration

Azure AD creates several log entries when new devices are enrolled, which can be monitored for unexpected device registrations.[2] Additionally, joined devices can be viewed via the Azure AD portal.[3]

ICS T0800 Activate Firmware Update Mode
Enterprise T1557 Adversary-in-the-Middle

Monitor application logs for changes to settings and other events associated with network protocols and other services commonly abused for AiTM.[4]

.003 DHCP Spoofing

Monitor Windows logs (ex: EIDs 1341, 1342, 1020, and 1063) for changes to DHCP settings. These may also highlight DHCP issues such as when IP allocations are low or have run out.[4][5]

ICS T0878 Alarm Suppression
ICS T0803 Block Command Message
ICS T0804 Block Reporting Message
ICS T0805 Block Serial COM
Enterprise T1110 Brute Force

Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.

.001 Password Guessing

Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.

.002 Password Cracking

Monitor authentication logs for system and application login failures of Valid Accounts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. Consider focusing efforts on detecting other adversary behavior used to acquire credential materials, such as OS Credential Dumping or Kerberoasting.

.003 Password Spraying

Monitor authentication logs for system and application login failures of Valid Accounts. Consider the following event IDs:[6]
Domain Controllers: "Audit Logon" (Success & Failure) for event ID 4625.
Domain Controllers: "Audit Kerberos Authentication Service" (Success & Failure) for event ID 4771.
All systems: "Audit Logon" (Success & Failure) for event ID 4648.
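The following Python sketch is an added example, not part of the ATT&CK page: it flags the password-spraying pattern (one source touching many distinct accounts in a short window) over the event IDs listed above. The normalized event fields (`event_id`, `time`, `source`, `account`), the thresholds, and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs listed in the text: 4625 (failed logon), 4771 (Kerberos
# pre-authentication failed), 4648 (logon attempted with explicit credentials).
WATCHED_EVENT_IDS = {4625, 4771, 4648}


def find_spray_sources(events, window=timedelta(minutes=30), min_accounts=5):
    """Return {source: [accounts]} for sources that touched at least
    `min_accounts` distinct accounts inside any sliding `window`.
    Both thresholds are illustrative and need tuning per environment."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["event_id"] in WATCHED_EVENT_IDS:
            by_source[ev["source"]].append((ev["time"], ev["account"].lower()))

    flagged = {}
    for source, attempts in by_source.items():
        attempts.sort()
        in_window = defaultdict(int)  # account -> attempts currently in window
        start = 0
        for when, account in attempts:
            in_window[account] += 1
            # Drop attempts that have aged out of the window.
            while when - attempts[start][0] > window:
                old = attempts[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_accounts:
                flagged.setdefault(source, set()).update(in_window)
    return {src: sorted(accts) for src, accts in flagged.items()}


def _ev(event_id, minute, source, account):
    """Build one constructed, already-normalized event."""
    base = datetime(2022, 3, 30, 9, 0)
    return {"event_id": event_id, "time": base + timedelta(minutes=minute),
            "source": source, "account": account}


# Constructed sample data (not real logs).
SAMPLE_EVENTS = (
    # One source, six accounts, one attempt each within 10 minutes: spraying.
    [_ev(4625, i * 2, "10.0.0.50", f"user{i}") for i in range(4)]
    + [_ev(4771, 8, "10.0.0.50", "user4"), _ev(4771, 10, "10.0.0.50", "USER5")]
    # One source hammering a single account: guessing, not spraying.
    + [_ev(4625, i, "10.0.0.60", "svc-backup") for i in range(12)]
    # Five accounts, but spread over hours: never five inside one window.
    + [_ev(4625, i * 90, "10.0.0.70", f"staff{i}") for i in range(5)]
    # A successful logon (4624) is not in the watched set and is ignored.
    + [_ev(4624, 3, "10.0.0.50", "admin")]
    # One workstation using explicit credentials for five accounts in a row.
    + [_ev(4648, i, "WS-017", f"acct{i}") for i in range(5)]
)

if __name__ == "__main__":
    for src, accounts in find_spray_sources(SAMPLE_EVENTS).items():
        print(f"{src}: {len(accounts)} distinct accounts -> {accounts}")
```

Counting distinct accounts per source, rather than raw failure totals, is what separates spraying from the single-account guessing case in the sample data.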

.004 Credential Stuffing

Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.

ICS T0806 Brute Force I/O
ICS T0858 Change Operating Mode
Enterprise T1213 Data from Information Repositories

Monitor for third-party application logging, messaging, and/or other artifacts that may leverage information repositories to mine valuable information. Information repositories generally have a considerably large user base, so detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In high-maturity environments, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.

.001 Confluence

Monitor for third-party application logging, messaging, and/or other artifacts that may leverage Confluence repositories to mine valuable information. Watch for access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators), as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In high-maturity environments, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.

.002 Sharepoint

Monitor for third-party application logging, messaging, and/or other artifacts that may leverage the SharePoint repository as a source to mine valuable information. Access to Microsoft SharePoint repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In high-maturity environments, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.

.003 Code Repositories

Monitor for third-party application logging, messaging, and/or other artifacts that may leverage code repositories to collect valuable information. Monitor access to code repositories, especially access performed by privileged users such as Active Directory Domain or Enterprise Administrators, as these types of accounts should generally not be used to access code repositories. In high-maturity environments, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.

ICS T0811 Data from Information Repositories
Enterprise T1622 Debugger Evasion

Monitor debugger logs for signs of abnormal and potentially malicious activity.

Enterprise T1491 Defacement

Monitor for third-party application logging, messaging, and/or other artifacts that may modify visual content available internally or externally to an enterprise network.

.001 Internal Defacement

Monitor for third-party application logging, messaging, and/or other artifacts that may deface systems internal to an organization in an attempt to intimidate or mislead users.

.002 External Defacement

Monitor for third-party application logging, messaging, and/or other artifacts that may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users.

ICS T0814 Denial of Service
Enterprise T1610 Deploy Container

Configuration management databases (CMDB) and other asset management systems may help with the detection of computer systems or network devices that should not exist on a network.

ICS T0816 Device Restart/Shutdown
Enterprise T1189 Drive-by Compromise

Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.

ICS T0817 Drive-by Compromise
Enterprise T1114 Email Collection

Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include X-MS-Exchange-Organization-AutoForwarded set to true, X-MailFwdBy and X-Forwarded-To. The forwardingSMTPAddress parameter is used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.[7] High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.

.003 Email Forwarding Rule

Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. The existence of a hidden auto-forwarding rule can only be reliably detected by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.[8] Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include X-MS-Exchange-Organization-AutoForwarded set to true, X-MailFwdBy and X-Forwarded-To. The forwardingSMTPAddress parameter is used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.[7] High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.
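The header check described for Email Collection and Email Forwarding Rule, as an added Python example that is not part of the ATT&CK page: it looks for the three header artifacts named above and lists mailboxes where header-marked auto-forwards outnumber messages that visibly look forwarded. The input shape (a mailbox paired with a raw outbound message), the "FW:"/"Fwd:" subject test, the threshold, and all sample messages are assumptions constructed for illustration.

```python
from collections import Counter
from email import message_from_string

# Header artifacts named in the text. The first must be set to "true";
# for the other two, presence alone is treated as the artifact.
FLAG_HEADER = "X-MS-Exchange-Organization-AutoForwarded"
PRESENCE_HEADERS = ("X-MailFwdBy", "X-Forwarded-To")


def auto_forward_artifacts(raw_message):
    """Return the auto-forwarding header artifacts present in one message."""
    msg = message_from_string(raw_message)
    found = []
    if (msg.get(FLAG_HEADER) or "").strip().lower() == "true":
        found.append(FLAG_HEADER)
    found.extend(name for name in PRESENCE_HEADERS if msg.get(name))
    return found


def looks_forwarded(raw_message):
    """Assumed test for 'the appearance of a forwarded message':
    the subject carries a FW:/Fwd: prefix."""
    subject = message_from_string(raw_message).get("Subject", "")
    return subject.strip().lower().startswith(("fw:", "fwd:"))


def mailboxes_to_review(outbound, min_marked=3):
    """outbound: iterable of (mailbox, raw_message) pairs.
    Return {mailbox: (marked, visibly_forwarded)} where at least `min_marked`
    messages carry an artifact and fewer of them look forwarded."""
    marked, visible = Counter(), Counter()
    for mailbox, raw in outbound:
        if auto_forward_artifacts(raw):
            marked[mailbox] += 1
            if looks_forwarded(raw):
                visible[mailbox] += 1
    return {m: (n, visible[m]) for m, n in marked.items()
            if n >= min_marked and visible[m] < n}


def _raw(subject, extra_headers=""):
    """Build one constructed RFC 5322 message; extra_headers ends with a newline."""
    return ("From: sender@example.com\nTo: outside@example.net\n"
            f"Subject: {subject}\n{extra_headers}\nBody text\n")


# Constructed sample data (not real mail).
SAMPLE_OUTBOUND = (
    # Header says auto-forwarded, but nothing looks forwarded: review.
    [("alice@example.com", _raw(f"Report {i}", f"{FLAG_HEADER}: true\n"))
     for i in range(4)]
    # Marked and visibly forwarded in equal numbers: not listed.
    + [("bob@example.com", _raw(f"FW: Notes {i}",
                                "X-Forwarded-To: outside@example.net\n"))
       for i in range(3)]
    # Below the volume threshold.
    + [("carol@example.com", _raw("Hello", f"{FLAG_HEADER}: true\n"))]
    # Header present but set to false: not an artifact.
    + [("dave@example.com", _raw(f"Status {i}", f"{FLAG_HEADER}: false\n"))
       for i in range(3)]
)

if __name__ == "__main__":
    for mailbox, (n, seen) in mailboxes_to_review(SAMPLE_OUTBOUND).items():
        print(f"{mailbox}: {n} auto-forward artifacts, {seen} look forwarded")
```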

Enterprise T1499 Endpoint Denial of Service

Monitor for third-party application logging, messaging, and/or other artifacts that may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt. Externally monitor the availability of services that may be targeted by an Endpoint DoS.

.002 Service Exhaustion Flood

Monitor for third-party application logging, messaging, and/or other artifacts that may target the different network services provided by systems to conduct a DoS. In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt. Externally monitor the availability of services that may be targeted by an Endpoint DoS.

.003 Application Exhaustion Flood

Monitor for third-party application logging, messaging, and/or other artifacts that may target resource intensive features of web applications to cause a denial of service (DoS). In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt. Externally monitor the availability of services that may be targeted by an Endpoint DoS.

.004 Application or System Exploitation

Monitor for third-party application logging, messaging, and/or other artifacts that may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. [9] Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack. Externally monitor the availability of services that may be targeted by an Endpoint DoS.

Enterprise T1190 Exploit Public-Facing Application

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation.

ICS T0819 Exploit Public-Facing Application
Enterprise T1203 Exploitation for Client Execution

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.

Enterprise T1212 Exploitation for Credential Access

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.

Enterprise T1211 Exploitation for Defense Evasion

Exploitation for defense evasion may happen shortly after the system has been compromised to prevent detection during later actions for additional tools that may be brought in and used. Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.

Enterprise T1210 Exploitation of Remote Services

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation.

ICS T0866 Exploitation of Remote Services
Enterprise T1133 External Remote Services

When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.

ICS T0822 External Remote Services
Enterprise T1200 Hardware Additions

Configuration management databases (CMDB) and other asset management systems may help with the detection of computer systems or network devices that should not exist on a network.

Enterprise T1564 Hide Artifacts

Monitor for third-party application logging, messaging, and/or other artifacts that may attempt to hide artifacts associated with their behaviors to evade detection.

.008 Email Hiding Rules

Monitor for third-party application logging, messaging, and/or other artifacts that may use email rules to hide inbound emails in a compromised user's mailbox. Monitor email clients and applications for suspicious activity, such as missing messages or abnormal configuration and/or log entries.

Enterprise T1562 .002 Impair Defenses: Disable Windows Event Logging

Monitor for third-party application logging, messaging, and/or other artifacts provided by third-party services that may disable Windows event logging to limit data that can be leveraged for detections and audits.

Enterprise T1534 Internal Spearphishing

Email gateways usually do not scan internal email, but an organization can leverage a journaling-based solution that sends a copy of emails to a security service for offline analysis, or incorporate service-integrated solutions using on-premise or API-based integrations, to help detect internal spearphishing attacks.[10]

ICS T0838 Modify Alarm Settings
ICS T0836 Modify Parameter
Enterprise T1621 Multi-Factor Authentication Request Generation

Monitor application logs for suspicious events, including repeated MFA failures that may indicate a user's primary credentials have been compromised.

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.

Enterprise T1137 Office Application Startup

Monitor for third-party application logging, messaging, and/or other artifacts that may leverage Microsoft Office-based applications for persistence between startups. SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.[11]

.003 Outlook Forms

Monitor for third-party application logging, messaging, and/or other artifacts that may abuse Microsoft Outlook forms to obtain persistence on a compromised system. SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.[11]

.004 Outlook Home Page

Monitor for third-party application logging, messaging, and/or other artifacts that may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.[11]

.005 Outlook Rules

Monitor for third-party application logging, messaging, and/or other artifacts that may abuse Microsoft Outlook rules to obtain persistence on a compromised system. SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.[11]

Enterprise T1069 Permission Groups Discovery

Monitor for logging, messaging, and other artifacts provided by cloud services.

.003 Cloud Groups

Monitor for events collected that may attempt to find cloud groups and permission settings.

Enterprise T1566 Phishing

Monitor for third-party application logging, messaging, and/or other artifacts that may send phishing messages to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[12][13] URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.

.001 Spearphishing Attachment

Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[12][13] Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.[14]

.002 Spearphishing Link

Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[12][13] URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.

.003 Spearphishing via Service

Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing messages via third-party services in an attempt to gain access to victim systems.

Enterprise T1598 Phishing for Information

Depending on the specific method of phishing, the detections can vary. Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[12][13] When it comes to following links, monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites. Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts).

.001 Spearphishing Service

Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts). Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

.002 Spearphishing Attachment

Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[12][13]

.003 Spearphishing Link

Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[12][13] Monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.

ICS T0843 Program Download
ICS T0845 Program Upload
ICS T0888 Remote System Information Discovery
ICS T0848 Rogue Master
Enterprise T1594 Search Victim-Owned Websites

Monitor for suspicious network traffic that could be indicative of adversary reconnaissance, such as rapid successions of requests indicative of web crawling and/or large quantities of requests originating from a single source (especially if the source is known to be associated with an adversary). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.

Enterprise T1505 Server Software Component

Monitor for third-party application logging, messaging, and/or other artifacts that may abuse legitimate extensible development features of servers to establish persistent access to systems. Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. [15]

.001 SQL Stored Procedures

Monitor for third-party application logging, messaging, and/or other artifacts that may abuse SQL stored procedures to establish persistent access to systems. On a MSSQL Server, consider monitoring for xp_cmdshell usage.[16] Consider enabling audit features that can log malicious startup activities.

.002 Transport Agent

Monitor for third-party application logging, messaging, and/or other artifacts that may abuse Microsoft transport agents to establish persistent access to systems. Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components.

.003 Web Shell

Monitor for third-party application logging, messaging, and/or other artifacts that may backdoor web servers with web shells to establish persistent access to systems. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. [15]

Enterprise T1072 Software Deployment Tools

Often these third-party applications will have logs of their own that can be collected and correlated with other data from the environment. Ensure that third-party application logs are on-boarded to the enterprise logging system and the logs are regularly reviewed. Audit software deployment logs and look for suspicious or unauthorized activity. A system not typically used to push software to clients that suddenly is used for such a task outside of a known admin function may be suspicious. Monitor account login activity on these applications to detect suspicious/abnormal usage. Perform application deployment at regular times so that irregular deployment activity stands out.

ICS T0865 Spearphishing Attachment
ICS T0856 Spoof Reporting Message
Enterprise T1199 Trusted Relationship

Configuration management databases (CMDB) and other asset management systems may help with the detection of computer systems or network devices that should not exist on a network.

ICS T0855 Unauthorized Command Message
Enterprise T1550 Use Alternate Authentication Material

Monitor for third-party application logging, messaging, and/or other artifacts that may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

.004 Web Session Cookie

Monitor for third-party application logging, messaging, and/or other service artifacts that provide context of user authentication to web applications, including cloud-based services. Combine this information with web credentials usage events to identify authentication events that do not fit the organization baseline.

Enterprise T1204 User Execution

Monitor for third-party application logging, messaging, and/or other artifacts that may rely upon specific actions by a user in order to gain execution.

.003 Malicious Image

Monitor for third-party application logging, messaging, and/or other artifacts that may rely on a user running a malicious image to facilitate execution.

ICS T0863 User Execution
ICS T0860 Wireless Compromise

References