Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)[1]
Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)
Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1098 | .002 | Account Manipulation: Additional Email Delegate Permissions |
Enable the UpdateFolderPermissions action for all logon types. The mailbox audit log will forward folder permission modification events to the Unified Audit Log. Create rules to alert on ModifyFolderPermissions operations where the Anonymous or Default user is assigned permissions other than None. A larger than normal volume of emails sent from an account and similar phishing emails sent from real accounts within a network may be a sign that an account was compromised and attempts to leverage access with modified email permissions is occurring. |
| .005 | Account Manipulation: Device Registration |
Azure AD creates several log entries when new devices are enrolled, which can be monitored for unexpected device registrations.[2] Additionally, joined devices can be viewed via the Azure AD portal.[3] |
||
| ICS | T0800 | Activate Firmware Update Mode |
Monitor asset log which may provide information that an asset has been placed into Firmware Update Mode. Some assets may log firmware updates themselves without logging that the device has been placed into update mode. |
|
| Enterprise | T1557 | Adversary-in-the-Middle |
Monitor application logs for changes to settings and other events associated with network protocols and other services commonly abused for AiTM.[4] |
|
| .003 | DHCP Spoofing |
Monitor Windows logs (ex: EIDs 1341, 1342, 1020, and 1063) for changes to DHCP settings. These may also highlight DHCP issues such as when IP allocations are low or have run out.[4][5] |
||
| ICS | T0830 | Adversary-in-the-Middle |
Monitor application logs for changes to settings and other events associated with network protocols and other services commonly abused for AiTM. |
|
| ICS | T0803 | Block Command Message |
Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications. |
|
| ICS | T0804 | Block Reporting Message |
Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications. |
|
| ICS | T0805 | Block Serial COM |
Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications. |
|
| Enterprise | T1110 | Brute Force |
Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials. |
|
| .001 | Password Guessing |
Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.[6] |
||
| .002 | Password Cracking |
Monitor authentication logs for system and application login failures of Valid Accounts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. Consider focusing efforts on detecting other adversary behavior used to acquire credential materials, such as OS Credential Dumping or Kerberoasting. |
||
| .003 | Password Spraying |
Monitor authentication logs for system and application login failures of Valid Accounts. Consider the following event IDs:[7]Domain Controllers: "Audit Logon" (Success & Failure) for event ID 4625.Domain Controllers: "Audit Kerberos Authentication Service" (Success & Failure) for event ID 4771.All systems: "Audit Logon" (Success & Failure) for event ID 4648.[6] |
||
| .004 | Credential Stuffing |
Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.[6] |
||
| ICS | T0806 | Brute Force I/O |
Some asset application logs may provide information on I/O points related to write commands. Monitor for write commands for an excessive number of I/O points or manipulating a single value an excessive number of times. |
|
| ICS | T0858 | Change Operating Mode |
Monitor device application logs which may contain information related to operating mode changes, although not all devices produce such logs. |
|
| ICS | T0807 | Command-Line Interface |
Monitor logs from installed applications (e.g., historian logs) for unexpected commands or abuse of system features. |
|
| Enterprise | T1213 | Data from Information Repositories |
Monitor for third-party application logging, messaging, and/or other artifacts that may leverage information repositories to mine valuable information. Information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. |
|
| .001 | Confluence |
Monitor for third-party application logging, messaging, and/or other artifacts that may leverage Confluence repositories to mine valuable information. Watch for access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. |
||
| .002 | Sharepoint |
Monitor for third-party application logging, messaging, and/or other artifacts that may leverage the SharePoint repository as a source to mine valuable information. Monitor access to Microsoft SharePoint repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. |
||
| .003 | Code Repositories |
Monitor for third-party application logging, messaging, and/or other artifacts that may leverage code repositories to collect valuable information. Monitor access to code repositories, especially performed by privileged users such as Active Directory Domain or Enterprise Administrators as these types of accounts should generally not be used to access code repositories. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies. |
||
| ICS | T0811 | Data from Information Repositories |
Monitor for third-party application logging, messaging, and/or other artifacts that may leverage information repositories to mine valuable information. Information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies. |
|
| Enterprise | T1622 | Debugger Evasion |
Monitor debugger logs for signs of abnormal and potentially malicious activity. |
|
| Enterprise | T1491 | Defacement |
Monitor for third-party application logging, messaging, and/or other artifacts that may modify visual content available internally or externally to an enterprise network. |
|
| .001 | Internal Defacement |
Monitor for third-party application logging, messaging, and/or other artifacts that may deface systems internal to an organization in an attempt to intimidate or mislead users. |
||
| .002 | External Defacement |
Monitor for third-party application logging, messaging, and/or other artifacts that may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. |
||
| ICS | T0814 | Denial of Service |
Monitor for application logging, messaging, and/or other artifacts that may result from Denial of Service (DoS) attacks which degrade or block the availability of services to users. In addition to network level detections, endpoint logging and instrumentation can be useful for detection. |
|
| Enterprise | T1610 | Deploy Container |
Configuration management databases (CMDB) and other asset management systems may help with the detection of computer systems or network devices that should not exist on a network. |
|
| ICS | T0816 | Device Restart/Shutdown |
Device restarts and shutdowns may be observable in device application logs. Monitor for unexpected device restarts or shutdowns. |
|
| Enterprise | T1189 | Drive-by Compromise |
Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before. |
|
| ICS | T0817 | Drive-by Compromise |
Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before. |
|
| Enterprise | T1114 | Email Collection |
Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include |
|
| .002 | Remote Email Collection |
In Office365 environments, consider using PurviewAudit to collect MailItemsAccessed events and monitoring for unusual email access behavior.[6] |
||
| .003 | Email Forwarding Rule |
Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. This makes it only possible to reliably detect the existence of a hidden auto-forwarding rule by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.[9]Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include X-MS-Exchange-Organization-AutoForwarded set to true, X-MailFwdBy and X-Forwarded-To. The forwardingSMTPAddress parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.[8] High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level. In environments using Exchange, monitor logs for the creation or modification of mail transport rules. |
||
| Enterprise | T1499 | Endpoint Denial of Service |
Monitor for third-party application logging, messaging, and/or other artifacts that may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt. Externally monitor the availability of services that may be targeted by an Endpoint DoS. |
|
| .002 | Service Exhaustion Flood |
Monitor for third-party application logging, messaging, and/or other artifacts that may target the different network services provided by systems to conduct a DoS. In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt. Externally monitor the availability of services that may be targeted by an Endpoint DoS. |
||
| .003 | Application Exhaustion Flood |
Monitor for third-party application logging, messaging, and/or other artifacts that may target resource intensive features of web applications to cause a denial of service (DoS). In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt. Externally monitor the availability of services that may be targeted by an Endpoint DoS. |
||
| .004 | Application or System Exploitation |
Monitor for third-party application logging, messaging, and/or other artifacts that may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. [10] Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack. Externally monitor the availability of services that may be targeted by an Endpoint DoS. |
||
| Enterprise | T1048 | Exfiltration Over Alternative Protocol |
Monitor cloud-based file hosting services, such as Google Drive and Microsoft OneDrive, for unusual instances of file downloads – for example, many downloads by a single user in a short period of time. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies. Additionally, data loss prevention policies can be defined to detect and alert on exfiltration events on particularly sensitive data. |
|
| Enterprise | T1567 | Exfiltration Over Web Service |
Review logs for SaaS services, including Office 365 and Google Workspace, to detect the configuration of new webhooks or other features that could be abused to exfiltrate data. |
|
| .004 | Exfiltration Over Webhook |
Review logs for SaaS services, including Office 365 and Google Workspace, to detect the configuration of new webhooks. |
||
| Enterprise | T1190 | Exploit Public-Facing Application |
Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation. |
|
| ICS | T0819 | Exploit Public-Facing Application |
Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation. |
|
| Enterprise | T1203 | Exploitation for Client Execution |
Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. |
|
| Enterprise | T1212 | Exploitation for Credential Access |
Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. |
|
| Enterprise | T1211 | Exploitation for Defense Evasion |
Exploitation for defense evasion may happen shortly after the system has been compromised to prevent detection during later actions for for additional tools that may be brought in and used. Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. |
|
| ICS | T0820 | Exploitation for Evasion |
Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. |
|
| ICS | T0890 | Exploitation for Privilege Escalation |
Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. |
|
| Enterprise | T1210 | Exploitation of Remote Services |
Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation. |
|
| ICS | T0866 | Exploitation of Remote Services |
Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash, which may be recorded in the application log. |
|
| Enterprise | T1133 | External Remote Services |
When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application. |
|
| ICS | T0822 | External Remote Services |
When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application. |
|
| Enterprise | T1657 | Financial Theft |
Review and monitor financial application logs for signs of financial theft, such as abnormal monetary transactions or resource balances. Email logs may also highlight account takeovers, impersonation, or another activity that may enable monetary theft. |
|
| Enterprise | T1200 | Hardware Additions |
Configuration management databases (CMDB) and other asset management systems may help with the detection of computer systems or network devices that should not exist on a network. |
|
| Enterprise | T1564 | Hide Artifacts |
Monitor for third-party application logging, messaging, and/or other artifacts that may attempt to hide artifacts associated with their behaviors to evade detection. |
|
| .008 | Email Hiding Rules |
Monitor for third-party application logging, messaging, and/or other artifacts that may use email rules to hide inbound emails in a compromised user's mailbox. Monitor email clients and applications for suspicious activity, such as missing messages or abnormal configuration and/or log entries. In environments using Exchange, monitor logs for the creation or modification of mail transport rules. |
||
| Enterprise | T1562 | .002 | Impair Defenses: Disable Windows Event Logging |
Monitor for third-party application logging, messaging, and/or other artifacts provided by third-party services that may disable Windows event logging to limit data that can be leveraged for detections and audits. |
| Enterprise | T1656 | Impersonation |
Review and monitor email and other user communication logs for signs of impersonation, such as suspicious emails (e.g., from known malicious or compromised accounts) or content associated with an adversary's actions on objective (e.g., abnormal monetary transactions). |
|
| Enterprise | T1070 | Indicator Removal |
Monitor logs for abnormal modifications to application settings, such as the creation of malicious Exchange transport rules. |
|
| .008 | Clear Mailbox Data |
In environments using Exchange, monitor logs for the creation or modification of mail processing settings, such as transport rules. |
||
| Enterprise | T1534 | Internal Spearphishing |
Monitor email gateways usually do not scan internal email, but an organization can leverage the journaling-based solution which sends a copy of emails to a security service for offline analysis or incorporate service-integrated solutions using on-premise or API-based integrations to help detect internal spearphishing attacks.[11] |
|
| ICS | T0838 | Modify Alarm Settings |
Monitor ICS asset application logs that indicate alarm settings have changed, although not all assets will produce such logs. |
|
| Enterprise | T1556 | Modify Authentication Process |
Enable security auditing to collect logs from hybrid identity solutions. For example, monitor sign-ins to the Azure AD Application Proxy Connector, which are typically generated only when a new Pass Through Authentication (PTA) Agent is added. [12] If AD FS is in use, review the logs for event ID 501, which specifies all EKU attributes on a claim, and raise alerts on any values that are not configured in your environment.[13] |
|
| .007 | Hybrid Identity |
Enable security auditing to collect logs from hybrid identity solutions. For example, monitor sign-ins to the Azure AD Application Proxy Connector, which are typically generated only when a new PTA Agent is added. [12] If AD FS is in use, review the logs for event ID 501, which specifies all EKU attributes on a claim, and raise alerts on any values that are not configured in your environment.[13] |
||
| ICS | T0821 | Modify Controller Tasking |
Monitor asset application logs for information that indicate task parameters have changed. |
|
| ICS | T0836 | Modify Parameter |
Monitor device application logs parameter changes, although not all devices will produce such logs. |
|
| ICS | T0889 | Modify Program |
Monitor device application logs that indicate the program has changed, although not all devices produce such logs. |
|
| ICS | T0839 | Module Firmware |
Monitor device application logs for firmware changes, although not all devices will produce such logs. |
|
| ICS | T0801 | Monitor Process State |
Monitor applications logs for any access attempts to operational databases (e.g., historians) or other sources of operational data within the ICS environment. These devices should be monitored for adversary collection using techniques relevant to the underlying technologies (e.g., Windows, Linux). |
|
| Enterprise | T1621 | Multi-Factor Authentication Request Generation |
Monitor application logs for suspicious events including repeated MFA failures that may indicate user's primary credentials have been compromised. |
|
| Enterprise | T1027 | .005 | Obfuscated Files or Information: Indicator Removal from Tools |
The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network. |
| Enterprise | T1137 | Office Application Startup |
Monitor for third-party application logging, messaging, and/or other artifacts that may leverage Microsoft Office-based applications for persistence between startups. SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.[14] |
|
| .003 | Outlook Forms |
Monitor for third-party application logging, messaging, and/or other artifacts that may abuse Microsoft Outlook forms to obtain persistence on a compromised system. SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.[14] |
||
| .004 | Outlook Home Page |
Monitor for third-party application logging, messaging, and/or other artifacts that may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.[14] |
||
| .005 | Outlook Rules |
Monitor for third-party application logging, messaging, and/or other artifacts that may abuse Microsoft Outlook rules to obtain persistence on a compromised system. SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.[14] |
||
| Enterprise | T1069 | Permission Groups Discovery |
Monitor for logging, messaging, and other artifacts provided by cloud services. |
|
| .003 | Cloud Groups |
Monitor for events collected that may attempt to find cloud groups and permission settings. |
||
| Enterprise | T1566 | Phishing |
Monitor for third-party application logging, messaging, and/or other artifacts that may send phishing messages to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[15][16] URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link. Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events. |
|
| .001 | Spearphishing Attachment |
Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[15][16] Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.[17] |
||
| .002 | Spearphishing Link |
Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[15][16] URL inspection within email (including expanding shortened links and identifying obfuscated URLs) can help detect links leading to known malicious sites.[18] Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link. Furthermore, monitor browser logs for homographs in ASCII and in internationalized domain names abusing different character sets (e.g. Cyrillic vs Latin versions of trusted sites). |
||
| .003 | Spearphishing via Service |
Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing messages via third-party services in an attempt to gain access to victim systems. |
||
| .004 | Spearphishing Voice |
Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events. |
||
| Enterprise | T1598 | Phishing for Information |
Depending on the specific method of phishing, the detections can vary. Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[15][16]When it comes to following links, monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts). Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. |
|
| .001 | Spearphishing Service |
Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts).Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. |
||
| .002 | Spearphishing Attachment |
Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[15][16] |
||
| .003 | Spearphishing Link |
Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[15][16] Monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links and identifying obfuscated URLs) can also help detect links leading to known malicious sites.[18] Furthermore, monitor browser logs for homographs in ASCII and in internationalized domain names abusing different character sets (e.g. Cyrillic vs Latin versions of trusted sites). |
||
| .004 | Spearphishing Voice |
Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. |
||
| ICS | T0861 | Point & Tag Identification |
Monitor asset application logs which may provide information about requests for points or tags. Look for anomalies related to reading point or tag data, such as new assets using these functions, changes in volume or timing, or unusual information being queried. Many devices provide multiple ways to achieve the same result (e.g., functions with/without an acknowledgment or functions that operate on a single point vs. multiple points). Monitor for changes in the functions used. |
|
| ICS | T0843 | Program Download |
Monitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred. |
|
| ICS | T0845 | Program Upload |
Monitor for device alarms produced when program uploads occur, although not all devices will produce such alarms. |
|
| ICS | T0848 | Rogue Master |
Monitor for new master devices communicating with outstation assets, which may be visible in asset application logs. |
|
| Enterprise | T1594 | Search Victim-Owned Websites |
Monitor for suspicious network traffic that could be indicative of adversary reconnaissance, such as rapid successions of requests indicative of web crawling and/or large quantities of requests originating from a single source (especially if the source is known to be associated with an adversary). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields. |
|
| Enterprise | T1505 | Server Software Component |
Monitor for third-party application logging, messaging, and/or other artifacts that may abuse legitimate extensible development features of servers to establish persistent access to systems. Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. [19] |
|
| .001 | SQL Stored Procedures |
Monitor for third-party application logging, messaging, and/or other artifacts that may abuse SQL stored procedures to establish persistent access to systems. On a MSSQL Server, consider monitoring for xp_cmdshell usage.[20] Consider enabling audit features that can log malicious startup activities. |
||
| .002 | Transport Agent |
Monitor for third-party application logging, messaging, and/or other artifacts that may abuse Microsoft transport agents to establish persistent access to systems. Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. |
||
| .003 | Web Shell |
Monitor for third-party application logging, messaging, and/or other artifacts that may backdoor web servers with web shells to establish persistent access to systems. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. [19] |
||
| Enterprise | T1648 | Serverless Execution |
Monitor logs generated by serverless execution for unusual activity. For example, in Exchange environments emails sent by Power Automate via the Outlook 365 connector include the phrase ‘Power App’ or ‘Power Automate’ in the SMTP header 'x-ms-mail-application.'[21] |
|
| Enterprise | T1072 | Software Deployment Tools |
Often these third-party applications will have logs of their own that can be collected and correlated with other data from the environment. Ensure that third-party application logs are on-boarded to the enterprise logging system and the logs are regularly reviewed. Audit software deployment logs and look for suspicious or unauthorized activity. A system not typically used to push software to clients that suddenly is used for such a task outside of a known admin function may be suspicious. Monitor account login activity on these applications to detect suspicious/abnormal usage.Perform application deployment at regular times so that irregular deployment activity stands out. |
|
| ICS | T0865 | Spearphishing Attachment |
Monitor mail server and proxy logs for evidence of messages originating from spoofed addresses, including records indicating failed DKIM+SPF validation or mismatched message headers.[15][16] Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. |
|
| Enterprise | T1649 | Steal or Forge Authentication Certificates |
Ensure CA audit logs are enabled and monitor these services for signs of abuse.[22] |
|
| ICS | T0857 | System Firmware |
Monitor device application logs for firmware changes, although not all devices will produce such logs. |
|
| ICS | T0864 | Transient Cyber Asset |
Networking devices such as switches may log when new client devices connect (e.g., SNMP notifications). Monitor for any logs documenting changes to network connection status to determine when a new connection has occurred, including the resulting addresses (e.g., IP, MAC) of devices on that network. |
|
| Enterprise | T1199 | Trusted Relationship |
Configuration management databases (CMDB) and other asset management systems may help with the detection of computer systems or network devices that should not exist on a network. Monitor logs for unexpected actions taken by any delegated administrator accounts.[23] |
|
| ICS | T0855 | Unauthorized Command Message |
Monitor for anomalous or unexpected commands that may result in changes to the process operation (e.g., discrete write, logic and device configuration, mode changes) observable via asset application logs. |
|
| Enterprise | T1552 | Unsecured Credentials |
Monitor application logs for activity that may highlight malicious attempts to access application data, especially abnormal search activity targeting passwords and other artifacts related to credentials.[24] |
|
| .008 | Chat Messages |
Monitor application logs for activity that may highlight malicious attempts to access application data, especially abnormal search activity targeting passwords and other artifacts related to credentials.[24] |
||
| Enterprise | T1550 | Use Alternate Authentication Material |
Monitor for third-party application logging, messaging, and/or other artifacts that may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. |
|
| .004 | Web Session Cookie |
Monitor for third-party application logging, messaging, and/or other service artifacts that provide context of user authentication to web applications, including cloud-based services. Combine this information with web credentials usage events to identify authentication events that do not fit the organization baseline. |
||
| Enterprise | T1204 | User Execution |
Monitor for third-party application logging, messaging, and/or other artifacts that may rely upon specific actions by a user in order to gain execution. |
|
| .003 | Malicious Image |
Monitor for third-party application logging, messaging, and/or other artifacts that may rely on a user running a malicious image to facilitate execution. |
||
| ICS | T0863 | User Execution |
Monitor for application logging, messaging, and/or other artifacts that may rely upon specific actions by a user in order to gain execution. |
|
| ICS | T0860 | Wireless Compromise |
Monitor application logs for new or unexpected devices or sessions on wireless networks. |
|