ATT&CK Changes Between v18.0 and v18.1

Key

New objects: ATT&CK objects which are only present in the new release.
Major version changes: ATT&CK objects that have a major version change. (e.g. 1.0 → 2.0)
Minor version changes: ATT&CK objects that have a minor version change. (e.g. 1.0 → 1.1)
Other version changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 → 1.2)
Patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 → 1.0 but something like a typo, a URL, or some metadata was fixed)
Object revocations: ATT&CK objects which are revoked by a different object.
Object deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced.
Object deletions: ATT&CK objects which are no longer found in the STIX data.

Additional formats

These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.

This JSON file contains the machine readble output used to create this page: changelog.json

Techniques

enterprise-attack

Patches

[T1574.001] Hijack Execution Flow: DLL

Current version: 2.1

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-24 17:48:35.900000+00:00	2025-11-06 17:52:37.747000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_contributors		Yusuke Niwa, ITOCHU Cyber & Intelligence Inc.
x_mitre_contributors		Suguru Ishimaru, ITOCHU Cyber & Intelligence Inc.
x_mitre_contributors		Hajime Yanagishita, Macnica, Inc.

[T1564.006] Hide Artifacts: Run Virtual Instance

Current version: 1.3

	Old Description			New Description
t	1	Adversaries may carry out malicious operations using a virtu	t	1	Adversaries may carry out malicious operations using a virtu
	>	al instance to avoid detection. A wide variety of virtualiza		>	al instance to avoid detection. A wide variety of virtualiza
	>	tion technologies exist that allow for the emulation of a co		>	tion technologies exist that allow for the emulation of a co
	>	mputer or computing environment. By running malicious code i		>	mputer or computing environment. By running malicious code i
	>	nside of a virtual instance, adversaries can hide artifacts		>	nside of a virtual instance, adversaries can hide artifacts
	>	associated with their behavior from security tools that are		>	associated with their behavior from security tools that are
	>	unable to monitor activity inside the virtual instance.(Cita		>	unable to monitor activity inside the virtual instance.(Cita
	>	tion: CyberCX Akira Ransomware) Additionally, depending on t		>	tion: CyberCX Akira Ransomware) Additionally, depending on t
	>	he virtual networking implementation (ex: bridged adapter),		>	he virtual networking implementation (ex: bridged adapter),
	>	network traffic generated by the virtual instance can be dif		>	network traffic generated by the virtual instance can be dif
	>	ficult to trace back to the compromised host as the IP addre		>	ficult to trace back to the compromised host as the IP addre
	>	ss and hostname might not match known values.(Citation: Sing		>	ss and hostname might not match known values.(Citation: Sing
	>	Health Breach Jan 2019) Adversaries may utilize native supp		>	Health Breach Jan 2019) Adversaries may utilize native supp
	>	ort for virtualization (ex: Hyper-V), deploy lightweight emu		>	ort for virtualization (ex: Hyper-V), deploy lightweight emu
	>	lators (ex: QEMU), or drop the necessary files to run a virt		>	lators (ex: QEMU), or drop the necessary files to run a virt
	>	ual instance (ex: VirtualBox binaries).(Citation: Securonix		>	ual instance (ex: VirtualBox binaries).(Citation: Securonix
	>	CronTrap 2024) After running a virtual instance, adversaries		>	CronTrap 2024) After running a virtual instance, adversaries
	>	may create a shared folder between the guest and host with		>	may create a shared folder between the guest and host with
	>	permissions that enable the virtual instance to interact wit		>	permissions that enable the virtual instance to interact wit
	>	h the host file system.(Citation: Sophos Ragnar May 2020) T		>	h the host file system.(Citation: Sophos Ragnar May 2020) T
	>	hreat actors may also leverage temporary virtualized environ		>	hreat actors may also leverage temporary virtualized environ
	>	ments such as the Windows Sandbox, which supports the use of		>	ments such as the Windows Sandbox, which supports the use of
	>	`.wsb` configuration files for defining execution parameter		>	`.wsb` configuration files for defining execution parameter
	>	s. For example, the `<MappedFolder>` property supports the c		>	s. For example, the `<MappedFolder>` property supports the c
	>	reation of a shared folder, while the `<LogonCommand>` prope		>	reation of a shared folder, while the `<LogonCommand>` prope
	>	rty allows the specification of a payload.(Citation: ESET Mi		>	rty allows the specification of a payload.(Citation: ESET Mi
	>	rrorFace 2025) In VMWare environments, adversaries may leve		>	rrorFace 2025)(Citation: ITOCHU Hack the Sandbox)(Citation:
	>	rage the vCenter console to create new virtual machines. How		>	ITOCHU Sandbox PPT) In VMWare environments, adversaries may
	>	ever, they may also create virtual machines directly on ESXi		>	leverage the vCenter console to create new virtual machines
	>	servers by running a valid `.vmx` file with the `/bin/vmx`		>	. However, they may also create virtual machines directly on
	>	utility. Adding this command to `/etc/rc.local.d/local.sh` (		>	ESXi servers by running a valid `.vmx` file with the `/bin/
	>	i.e., [RC Scripts](https://attack.mitre.org/techniques/T1037		>	vmx` utility. Adding this command to `/etc/rc.local.d/local.
	>	/004)) will cause the VM to persistently restart.(Citation:		>	sh` (i.e., [RC Scripts](https://attack.mitre.org/techniques/
	>	vNinja Rogue VMs 2024) Creating a VM this way prevents it fr		>	T1037/004)) will cause the VM to persistently restart.(Citat
	>	om appearing in the vCenter console or in the output to the		>	ion: vNinja Rogue VMs 2024) Creating a VM this way prevents
	>	`vim-cmd vmsvc/getallvms` command on the ESXi server, thereb		>	it from appearing in the vCenter console or in the output to
	>	y hiding it from typical administrative activities.(Citation		>	the `vim-cmd vmsvc/getallvms` command on the ESXi server, t
	>	: MITRE VMware Abuse 2024)		>	hereby hiding it from typical administrative activities.(Cit
				>	ation: MITRE VMware Abuse 2024)

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-24 17:49:15.607000+00:00	2025-11-05 15:22:05.269000+00:00
description	Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance.(Citation: CyberCX Akira Ransomware) Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019) Adversaries may utilize native support for virtualization (ex: Hyper-V), deploy lightweight emulators (ex: QEMU), or drop the necessary files to run a virtual instance (ex: VirtualBox binaries).(Citation: Securonix CronTrap 2024) After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020) Threat actors may also leverage temporary virtualized environments such as the Windows Sandbox, which supports the use of `.wsb` configuration files for defining execution parameters. For example, the `` property supports the creation of a shared folder, while the `` property allows the specification of a payload.(Citation: ESET MirrorFace 2025) In VMWare environments, adversaries may leverage the vCenter console to create new virtual machines. However, they may also create virtual machines directly on ESXi servers by running a valid `.vmx` file with the `/bin/vmx` utility. Adding this command to `/etc/rc.local.d/local.sh` (i.e., [RC Scripts](https://attack.mitre.org/techniques/T1037/004)) will cause the VM to persistently restart.(Citation: vNinja Rogue VMs 2024) Creating a VM this way prevents it from appearing in the vCenter console or in the output to the `vim-cmd vmsvc/getallvms` command on the ESXi server, thereby hiding it from typical administrative activities.(Citation: MITRE VMware Abuse 2024)	Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance.(Citation: CyberCX Akira Ransomware) Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019) Adversaries may utilize native support for virtualization (ex: Hyper-V), deploy lightweight emulators (ex: QEMU), or drop the necessary files to run a virtual instance (ex: VirtualBox binaries).(Citation: Securonix CronTrap 2024) After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020) Threat actors may also leverage temporary virtualized environments such as the Windows Sandbox, which supports the use of `.wsb` configuration files for defining execution parameters. For example, the `` property supports the creation of a shared folder, while the `` property allows the specification of a payload.(Citation: ESET MirrorFace 2025)(Citation: ITOCHU Hack the Sandbox)(Citation: ITOCHU Sandbox PPT) In VMWare environments, adversaries may leverage the vCenter console to create new virtual machines. However, they may also create virtual machines directly on ESXi servers by running a valid `.vmx` file with the `/bin/vmx` utility. Adding this command to `/etc/rc.local.d/local.sh` (i.e., [RC Scripts](https://attack.mitre.org/techniques/T1037/004)) will cause the VM to persistently restart.(Citation: vNinja Rogue VMs 2024) Creating a VM this way prevents it from appearing in the vCenter console or in the output to the `vim-cmd vmsvc/getallvms` command on the ESXi server, thereby hiding it from typical administrative activities.(Citation: MITRE VMware Abuse 2024)
external_references[6]['source_name']	Shadowbunny VM Defense Evasion	ITOCHU Sandbox PPT
external_references[6]['description']	Johann Rehberger. (2020, September 23). Beware of the Shadowbunny - Using virtual machines to persist and evade detections. Retrieved September 22, 2021.	ITOCHU Cyber & Intelligence Inc.. (n.d.). Hack The Sandbox: Unveiling the Truth Behind Disappearing Artifacts. Retrieved November 5, 2025.
external_references[6]['url']	https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/	https://jsac.jpcert.or.jp/archive/2025/pdf/JSAC2025_2_9_kamekawa_sasada_niwa_en.pdf

iterable_item_added
STIX Field	Old value	New Value
external_references		{'source_name': 'ITOCHU Hack the Sandbox', 'description': 'ITOCHU Cyber & Intelligence Inc.. (2025, March 12). Hack The Sandbox: Unveiling the Truth Behind Disappearing Artifacts. Retrieved November 5, 2025.', 'url': 'https://blog-en.itochuci.co.jp/entry/2025/03/12/140000'}

[T1199] Trusted Relationship

Current version: 2.4

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-24 17:49:09.835000+00:00	2025-11-12 15:42:52.705000+00:00
x_mitre_attack_spec_version	3.2.0	3.3.0

mobile-attack

New Techniques

[T1454] Malicious SMS Message

Current version: 1.0

Description:

Test

Groups

enterprise-attack

Patches

[G0094] Kimsuky

Current version: 5.1

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-24 00:59:31.235000+00:00	2025-11-12 18:55:12.319000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_contributors		Wai Linn Oo @ Kernellix

[G0129] Mustang Panda

Current version: 3.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-23 18:52:40.872000+00:00	2025-11-04 19:40:42.270000+00:00
x_mitre_contributors[2]	YH Chang, ZScaler ThreatLabz	ZScaler ThreatLabz

Campaigns

enterprise-attack

Patches

[C0058] SharePoint ToolShell Exploitation

Current version: 1.0

	Old Description			New Description
t	1	The [SharePoint ToolShell Exploitation](https://attack.mitre	t	1	The [SharePoint ToolShell Exploitation](https://attack.mitre
	>	.org/campaigns/C0058) campaign was conducted in July 2025 an		>	.org/campaigns/C0058) campaign was conducted in July 2025 an
	>	d encompassed the first waves of exploitation against incomp		>	d encompassed the first waves of exploitation against incomp
	>	etely patched spoofing (CVE-2025-49706) and remote code exec		>	letely patched spoofing (CVE-2025-49706) and remote code exe
	>	ution (CVE-2025-49704) vulnerabilities affecting on-premises		>	cution (CVE-2025-49704) vulnerabilities affecting on-premise
	>	Microsoft SharePoint servers. Later patched and updated as		>	s Microsoft SharePoint servers. Later patched and updated as
	>	CVE-2025-53770 and CVE-2025-53771, the ToolShell vulnerabili		>	CVE-2025-53770 and CVE-2025-53771, the ToolShell vulnerabil
	>	ties were widely exploited including by China-based ransomwa		>	ities were widely exploited including by China-based ransomw
	>	re actor Storm-2603 and espionage actors [Threat Group-3390]		>	are actor Storm-2603 and espionage actors [Threat Group-3390
	>	(https://attack.mitre.org/groups/G0027) and [ZIRCONIUM](http		>	](https://attack.mitre.org/groups/G0027) and [ZIRCONIUM](htt
	>	s://attack.mitre.org/groups/G0128). [SharePoint ToolShell Ex		>	ps://attack.mitre.org/groups/G0128). [SharePoint ToolShell E
	>	ploitation](https://attack.mitre.org/campaigns/C0058) target		>	xploitation](https://attack.mitre.org/campaigns/C0058) targe
	>	ed multiple regions and industries including finance, educat		>	ted multiple regions and industries including finance, educa
	>	ion, energy, and healthcare across Asia, Europe, and the Uni		>	tion, energy, and healthcare across Asia, Europe, and the Un
	>	ted States.(Citation: Microsoft SharePoint Exploit JUL 2025)		>	ited States.(Citation: Microsoft SharePoint Exploit JUL 2025
	>	(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)(Ci		>	)(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)(C
	>	tation: Eye Research ToolShell JUL 2025)(Citation: ESET Tool		>	itation: Eye Research ToolShell JUL 2025)(Citation: ESET Too
	>	Shell JUL 2025)(Citation: Trend Micro SharePoint Attacks JUL		>	lShell JUL 2025)(Citation: Trend Micro SharePoint Attacks JU
	>	2025)		>	L 2025)

Details

dictionary_item_added
STIX Field	Old value	New Value
x_mitre_contributors		['Wai Linn Oo @ Kernellix']

values_changed
STIX Field	Old value	New Value
modified	2025-10-24 04:12:20.214000+00:00	2025-11-12 15:13:10.723000+00:00
description	The [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058) campaign was conducted in July 2025 and encompassed the first waves of exploitation against incompetely patched spoofing (CVE-2025-49706) and remote code execution (CVE-2025-49704) vulnerabilities affecting on-premises Microsoft SharePoint servers. Later patched and updated as CVE-2025-53770 and CVE-2025-53771, the ToolShell vulnerabilities were widely exploited including by China-based ransomware actor Storm-2603 and espionage actors [Threat Group-3390](https://attack.mitre.org/groups/G0027) and [ZIRCONIUM](https://attack.mitre.org/groups/G0128). [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058) targeted multiple regions and industries including finance, education, energy, and healthcare across Asia, Europe, and the United States.(Citation: Microsoft SharePoint Exploit JUL 2025)(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)(Citation: Eye Research ToolShell JUL 2025)(Citation: ESET ToolShell JUL 2025)(Citation: Trend Micro SharePoint Attacks JUL 2025)	The [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058) campaign was conducted in July 2025 and encompassed the first waves of exploitation against incompletely patched spoofing (CVE-2025-49706) and remote code execution (CVE-2025-49704) vulnerabilities affecting on-premises Microsoft SharePoint servers. Later patched and updated as CVE-2025-53770 and CVE-2025-53771, the ToolShell vulnerabilities were widely exploited including by China-based ransomware actor Storm-2603 and espionage actors [Threat Group-3390](https://attack.mitre.org/groups/G0027) and [ZIRCONIUM](https://attack.mitre.org/groups/G0128). [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058) targeted multiple regions and industries including finance, education, energy, and healthcare across Asia, Europe, and the United States.(Citation: Microsoft SharePoint Exploit JUL 2025)(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)(Citation: Eye Research ToolShell JUL 2025)(Citation: ESET ToolShell JUL 2025)(Citation: Trend Micro SharePoint Attacks JUL 2025)

Data Components

enterprise-attack

Patches

[DC0084] Active Directory Credential Request

Current version: 2.0

	Old Description			New Description
t	1	Requests for authentication credentials via Kerberos or othe	t	1	Requests for authentication credentials via Kerberos or othe
	>	r methods like NTLM and LDAP queries. Examples: - Kerberos		>	r methods like NTLM and LDAP queries. Examples: - Kerberos
	>	TGT and Service Tickets (Event IDs 4768, 4769) - NTLM Authen		>	TGT and Service Tickets (Event IDs 4768, 4769) - NTLM Authen
	>	tication Events - LDAP Bind Requests *Data Collection Measu		>	tication Events - LDAP Bind Requests.
	>	res:* - Security Event Logging: - Enable "`Audit Kerber
	>	os Authentication Service`" or "`Audit Kerberos Service Tick
	>	et Operations`." - Captured Events: IDs 4768, 4769, 4624
	>	. - Windows Event Forwarding (WEF): Forward domain controlle
	>	r logs to SIEM. - SIEM Integration: Use tools like Splunk or
	>	Azure Sentinel for log analysis. - Kerberos Debug Logging:
	>	- Registry Key: HKLM\SYSTEM\CurrentControlSet\Control\Ls
	>	a\Kerberos\Parameters. - Set DWORD LogLevel to 1. - Azur
	>	e AD Logs: Monitor Sign-In Logs for authentication and polic
	>	y issues. - Enable EDR Monitoring: - Use EDR to detect s
	>	uspicious processes querying authentication mechanisms (e.g.
	>	, lsass.exe memory access).

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-22 18:41:09.269000+00:00	2025-11-12 22:03:39.105000+00:00
external_references[0]['url']	https://attack.mitre.org/data-components/DC0084	https://attack.mitre.org/datacomponents/DC0084
description	Requests for authentication credentials via Kerberos or other methods like NTLM and LDAP queries. Examples: - Kerberos TGT and Service Tickets (Event IDs 4768, 4769) - NTLM Authentication Events - LDAP Bind Requests Data Collection Measures: - Security Event Logging: - Enable "`Audit Kerberos Authentication Service`" or "`Audit Kerberos Service Ticket Operations`." - Captured Events: IDs 4768, 4769, 4624. - Windows Event Forwarding (WEF): Forward domain controller logs to SIEM. - SIEM Integration: Use tools like Splunk or Azure Sentinel for log analysis. - Kerberos Debug Logging: - Registry Key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters. - Set DWORD LogLevel to 1. - Azure AD Logs: Monitor Sign-In Logs for authentication and policy issues. - Enable EDR Monitoring: - Use EDR to detect suspicious processes querying authentication mechanisms (e.g., lsass.exe memory access).	Requests for authentication credentials via Kerberos or other methods like NTLM and LDAP queries. Examples: - Kerberos TGT and Service Tickets (Event IDs 4768, 4769) - NTLM Authentication Events - LDAP Bind Requests.

[DC0087] Active Directory Object Creation

Current version: 2.0

	Old Description			New Description
t	1	Creating new objects in AD, such as user accounts, groups, o	t	1	Creating new objects in AD, such as user accounts, groups, o
	>	rganizational units (OUs), or trust relationships. Logged as		>	rganizational units (OUs), or trust relationships. Logged as
	>	Event ID 5137. Examples: - User Account Creation: New user		>	Event ID 5137. Examples: - User Account Creation: New user
	>	account. - Group Creation: New security/distribution group.		>	account. - Group Creation: New security/distribution group.
	>	- OU Creation: New organizational unit. - Service Account C		>	- OU Creation: New organizational unit. - Service Account C
	>	reation: New service account for automation or malicious tas		>	reation: New service account for automation or malicious tas
	>	ks. - Trust Object Creation: Trust relationship with another		>	ks. - Trust Object Creation: Trust relationship with another
	>	domain. Data Collection Measures: - Audit Policy: -		>	domain.
	>	Enable "Audit Directory Service Changes" (Success and Failu
	>	re). - Path: `Computer Configuration > Policies > Window
	>	s Settings > Security Settings > Advanced Audit Policy Confi
	>	guration > Audit Policies > Directory Service Changes`.
	>	- Key Event: Event ID 5137 (object creation). - Log Forwardi
	>	ng: Use WEF to centralize logs for SIEM tools (e.g., Splunk)
	>	. - Enable EDR Monitoring: - Track processes that create
	>	new accounts or modify AD objects. - Correlate object c
	>	reation with suspicious commands (e.g., net user /add).

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.803000+00:00	2025-11-12 22:03:39.105000+00:00
description	Creating new objects in AD, such as user accounts, groups, organizational units (OUs), or trust relationships. Logged as Event ID 5137. Examples: - User Account Creation: New user account. - Group Creation: New security/distribution group. - OU Creation: New organizational unit. - Service Account Creation: New service account for automation or malicious tasks. - Trust Object Creation: Trust relationship with another domain. Data Collection Measures: - Audit Policy: - Enable "Audit Directory Service Changes" (Success and Failure). - Path: `Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Directory Service Changes`. - Key Event: Event ID 5137 (object creation). - Log Forwarding: Use WEF to centralize logs for SIEM tools (e.g., Splunk). - Enable EDR Monitoring: - Track processes that create new accounts or modify AD objects. - Correlate object creation with suspicious commands (e.g., net user /add).	Creating new objects in AD, such as user accounts, groups, organizational units (OUs), or trust relationships. Logged as Event ID 5137. Examples: - User Account Creation: New user account. - Group Creation: New security/distribution group. - OU Creation: New organizational unit. - Service Account Creation: New service account for automation or malicious tasks. - Trust Object Creation: Trust relationship with another domain.

[DC0068] Active Directory Object Deletion

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:40.681000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_sources[0]['name']	WinEventLog:DirectoryService	WinEventLog:Security

[DC0066] Active Directory Object Modification

Current version: 2.0

	Old Description			New Description
t	1	Changes to AD objects (e.g., users, groups, OUs) are logged	t	1	Changes to AD objects (e.g., users, groups, OUs) are logged
	>	as Event ID 5136 (Object Modification) or 5163 (Attribute Ch		>	as Event ID 5136 (Object Modification) or 5163 (Attribute Ch
	>	anges). Examples: - User Account: Modifying attributes (e.g		>	anges). Examples: - User Account: Modifying attributes (e.g
	>	., group membership, enabling/disabling accounts). - Group M		>	., group membership, enabling/disabling accounts). - Group M
	>	embership: Adding/removing members. - OU: Changing propertie		>	embership: Adding/removing members. - OU: Changing propertie
	>	s/permissions (e.g., delegation). - Service Account: Modifyi		>	s/permissions (e.g., delegation). - Service Account: Modifyi
	>	ng SPNs or other attributes. - Object Attributes: Changes to		>	ng SPNs or other attributes. - Object Attributes: Changes to
	>	passwords, logon hours, or control flags. *Data Collection		>	passwords, logon hours, or control flags.
	>	Measures:* - Audit Policy: - Enable "Audit Directory S
	>	ervice Changes" (Success and Failure). - Path: `Computer
	>	Configuration > Policies > Windows Settings > Security Sett
	>	ings > Advanced Audit Policy Configuration > Audit Policies
	>	> Directory Service Changes`. - Key Events: 5136 (modifi
	>	cations), 5163 (attribute changes). - Log Forwarding: -
	>	Use WEF to centralize logs for SIEM. - Parse logs to ext
	>	ract: Object Name, Attribute Changed, Initiator Account Name
	>	. - Enable EDR Monitoring: - Detect changes to critical
	>	attributes (e.g., memberOf, logonHours). - Track process
	>	es modifying directory service objects (e.g., Set-ADUser or
	>	dsmod). - Enable EDR Monitoring: - Detect changes to cri
	>	tical attributes (e.g., memberOf, logonHours). - Track p
	>	rocesses modifying directory service objects (e.g., Set-ADUs
	>	er or dsmod).

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-22 18:42:57.886000+00:00	2025-11-12 22:03:39.105000+00:00
external_references[0]['url']	https://attack.mitre.org/data-components/DC0066	https://attack.mitre.org/datacomponents/DC0066
description	Changes to AD objects (e.g., users, groups, OUs) are logged as Event ID 5136 (Object Modification) or 5163 (Attribute Changes). Examples: - User Account: Modifying attributes (e.g., group membership, enabling/disabling accounts). - Group Membership: Adding/removing members. - OU: Changing properties/permissions (e.g., delegation). - Service Account: Modifying SPNs or other attributes. - Object Attributes: Changes to passwords, logon hours, or control flags. Data Collection Measures: - Audit Policy: - Enable "Audit Directory Service Changes" (Success and Failure). - Path: `Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Directory Service Changes`. - Key Events: 5136 (modifications), 5163 (attribute changes). - Log Forwarding: - Use WEF to centralize logs for SIEM. - Parse logs to extract: Object Name, Attribute Changed, Initiator Account Name. - Enable EDR Monitoring: - Detect changes to critical attributes (e.g., memberOf, logonHours). - Track processes modifying directory service objects (e.g., Set-ADUser or dsmod). - Enable EDR Monitoring: - Detect changes to critical attributes (e.g., memberOf, logonHours). - Track processes modifying directory service objects (e.g., Set-ADUser or dsmod).	Changes to AD objects (e.g., users, groups, OUs) are logged as Event ID 5136 (Object Modification) or 5163 (Attribute Changes). Examples: - User Account: Modifying attributes (e.g., group membership, enabling/disabling accounts). - Group Membership: Adding/removing members. - OU: Changing properties/permissions (e.g., delegation). - Service Account: Modifying SPNs or other attributes. - Object Attributes: Changes to passwords, logon hours, or control flags.
x_mitre_log_sources[6]['name']	WinEventLog:DirectoryService	WinEventLog:Security
x_mitre_log_sources[6]['channel']	EventCode=5136	EventCode=5163
x_mitre_log_sources[4]['name']	azure:SigninLogs	azure:signinlogs
x_mitre_log_sources[7]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4670'}

[DC0038] Application Log Content

Current version: 2.0

	Old Description			New Description
t	1	Application Log Content refers to logs generated by applicat	t	1	Application Log Content refers to logs generated by applicat
	>	ions or services, providing a record of their activity. Thes		>	ions or services, providing a record of their activity. Thes
	>	e logs may include metrics, errors, performance data, and op		>	e logs may include metrics, errors, performance data, and op
	>	erational alerts from web, mail, or other applications. Thes		>	erational alerts from web, mail, or other applications. Thes
	>	e logs are vital for monitoring application behavior and det		>	e logs are vital for monitoring application behavior and det
	>	ecting malicious activities or anomalies. Examples: - Web		>	ecting malicious activities or anomalies. Examples: - Web
	>	Application Logs: These logs include information about reque		>	Application Logs: These logs include information about reque
	>	sts, responses, errors, and security events (e.g., unauthori		>	sts, responses, errors, and security events (e.g., unauthori
	>	zed access attempts). - Email Application Logs: Logs contain		>	zed access attempts). - Email Application Logs: Logs contain
	>	metadata about emails sent, received, or blocked (e.g., sen		>	metadata about emails sent, received, or blocked (e.g., sen
	>	der/receiver addresses, message IDs). - SaaS Application Log		>	der/receiver addresses, message IDs). - SaaS Application Log
	>	s: Activity logs include user logins, configuration changes,		>	s: Activity logs include user logins, configuration changes,
	>	and access to sensitive resources. - Cloud Application Logs		>	and access to sensitive resources. - Cloud Application Logs
	>	: Logs detail control plane activities, including API calls,		>	: Logs detail control plane activities, including API calls,
	>	instance modifications, and network changes. - System/Appli		>	instance modifications, and network changes. - System/Appli
	>	cation Monitoring Logs: Logs provide insights into applicati		>	cation Monitoring Logs: Logs provide insights into applicati
	>	on performance, errors, and anomalies. This data component		>	on performance, errors, and anomalies.
	>	can be collected through the following measures: Configure
	>	Application Logging - Enable logging within the application
	>	or service. - Examples: - Web Servers: Enable access an
	>	d error logs in NGINX or Apache. - Email Systems: Enable
	>	audit logging in Microsoft Exchange or Gmail. Centralized
	>	Log Management - Use log management solutions like Splunk,
	>	or a cloud-native logging solution. - Configure the applicat
	>	ion to send logs to a centralized system for analysis. Clou
	>	d-Specific Collection - Use services like AWS CloudWatch, A
	>	zure Monitor, or Google Cloud Operations Suite for cloud-bas
	>	ed applications. - Ensure logging is enabled for all critica
	>	l resources (e.g., API calls, IAM changes). SIEM Integratio
	>	n - Integrate application logs with a SIEM platform (e.g.,
	>	Splunk, QRadar) for real-time correlation and analysis. - Us
	>	e parsers to standardize log formats and extract key fields
	>	like timestamps, user IDs, and error codes.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.580000+00:00	2025-11-12 22:03:39.105000+00:00
description	Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications. These logs are vital for monitoring application behavior and detecting malicious activities or anomalies. Examples: - Web Application Logs: These logs include information about requests, responses, errors, and security events (e.g., unauthorized access attempts). - Email Application Logs: Logs contain metadata about emails sent, received, or blocked (e.g., sender/receiver addresses, message IDs). - SaaS Application Logs: Activity logs include user logins, configuration changes, and access to sensitive resources. - Cloud Application Logs: Logs detail control plane activities, including API calls, instance modifications, and network changes. - System/Application Monitoring Logs: Logs provide insights into application performance, errors, and anomalies. This data component can be collected through the following measures: Configure Application Logging - Enable logging within the application or service. - Examples: - Web Servers: Enable access and error logs in NGINX or Apache. - Email Systems: Enable audit logging in Microsoft Exchange or Gmail. Centralized Log Management - Use log management solutions like Splunk, or a cloud-native logging solution. - Configure the application to send logs to a centralized system for analysis. Cloud-Specific Collection - Use services like AWS CloudWatch, Azure Monitor, or Google Cloud Operations Suite for cloud-based applications. - Ensure logging is enabled for all critical resources (e.g., API calls, IAM changes). SIEM Integration - Integrate application logs with a SIEM platform (e.g., Splunk, QRadar) for real-time correlation and analysis. - Use parsers to standardize log formats and extract key fields like timestamps, user IDs, and error codes.	Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications. These logs are vital for monitoring application behavior and detecting malicious activities or anomalies. Examples: - Web Application Logs: These logs include information about requests, responses, errors, and security events (e.g., unauthorized access attempts). - Email Application Logs: Logs contain metadata about emails sent, received, or blocked (e.g., sender/receiver addresses, message IDs). - SaaS Application Logs: Activity logs include user logins, configuration changes, and access to sensitive resources. - Cloud Application Logs: Logs detail control plane activities, including API calls, instance modifications, and network changes. - System/Application Monitoring Logs: Logs provide insights into application performance, errors, and anomalies.
x_mitre_log_sources[17]['name']	WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational	WinEventLog:System
x_mitre_log_sources[37]['name']	azure:signinLogs	azure:signinlogs
x_mitre_log_sources[75]['name']	WinEventLog:Application	WinEventLog:System
x_mitre_log_sources[75]['channel']	EventCode=1000-1026	EventCode=1000
x_mitre_log_sources[44]['channel']	EventCode=7031,7034,1000,1001	EventCode=1341, 1342, 1020, 1063
x_mitre_log_sources[172]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Application', 'channel': 'EventCode=1000, 1001, 1002'}
x_mitre_log_sources	{'name': 'WinEventLog:System', 'channel': 'EventCode=1341,1342,1020,1063'}
x_mitre_log_sources	{'name': 'WinEventLog:Application', 'channel': 'EventCode=1000,1001'}

[DC0090] Cloud Service Disable

Current version: 2.0

	Old Description			New Description
t	1	This data component refers to monitoring actions that deacti	t	1	This data component refers to monitoring actions that deacti
	>	vate or stop a cloud service in a cloud control plane. Examp		>	vate or stop a cloud service in a cloud control plane. Examp
	>	les include disabling essential logging services like AWS Cl		>	les include disabling essential logging services like AWS Cl
	>	oudTrail (`StopLogging` API call), Microsoft Azure Monitor L		>	oudTrail (`StopLogging` API call), Microsoft Azure Monitor L
	>	ogs, or Google Cloud's Operations Suite (formerly Stackdrive		>	ogs, or Google Cloud's Operations Suite (formerly Stackdrive
	>	r). Disabling such services can hinder visibility into adver		>	r). Disabling such services can hinder visibility into adver
	>	sary activities within the cloud environment. Examples: -		>	sary activities within the cloud environment. Examples: -
	>	AWS CloudTrail StopLogging: This action stops logging of API		>	AWS CloudTrail StopLogging: This action stops logging of API
	>	activity for a particular trail, effectively reducing the m		>	activity for a particular trail, effectively reducing the m
	>	onitoring and visibility of AWS resources and activities. -		>	onitoring and visibility of AWS resources and activities. -
	>	Microsoft Azure Monitor Logs: Disabling these logs hinders t		>	Microsoft Azure Monitor Logs: Disabling these logs hinders t
	>	he organization’s ability to detect anomalous activities and		>	he organization’s ability to detect anomalous activities and
	>	trace malicious actions. - Google Cloud Logging: Disabling		>	trace malicious actions. - Google Cloud Logging: Disabling
	>	cloud logging removes visibility into resource activity, pre		>	cloud logging removes visibility into resource activity, pre
	>	venting monitoring of service access or configuration change		>	venting monitoring of service access or configuration change
	>	s. - SaaS Applications: Stopping logging removes visibility		>	s. - SaaS Applications: Stopping logging removes visibility
	>	into user activities, such as email access or file downloads		>	into user activities, such as email access or file downloads
	>	, enabling undetected malicious behavior. This data compone		>	, enabling undetected malicious behavior.
	>	nt can be collected through the following measures: Enable
	>	and Monitor Cloud Service Logging - Ensure logging is enabl
	>	ed for all cloud services, including administrative actions
	>	like StopLogging. - Example: Use AWS Config to verify that C
	>	loudTrail is enabled and enforce logging as a compliance rul
	>	e. API Monitoring - Use API monitoring tools to detect cal
	>	ls like StopLogging or equivalent service-stopping actions i
	>	n other platforms. - Example: Monitor AWS CloudWatch for spe
	>	cific API events such as StopLogging and flag unauthorized u
	>	sers. SIEM Integration - Collect logs and events from the
	>	cloud control plane into a centralized SIEM for real-time an
	>	alysis and correlation. - Example: Ingest AWS CloudTrail log
	>	s into Splunk or Azure Monitor logs into Sentinel. Cloud Se
	>	curity Posture Management (CSPM) Tools - Leverage CSPM tool
	>	s like Prisma Cloud, Dome9, or AWS Security Hub to detect mi
	>	sconfigurations or suspicious activity, such as disabled log
	>	ging. - Example: Set alerts for changes to logging configura
	>	tions in CSPM dashboards. Configure Alerts in Cloud Platfor
	>	ms - Create native alerts in cloud platforms to detect serv
	>	ice stoppages. - Example: Configure an AWS CloudWatch alarm
	>	to trigger when StopLogging is invoked.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:39.702000+00:00	2025-11-12 22:03:39.105000+00:00
description	This data component refers to monitoring actions that deactivate or stop a cloud service in a cloud control plane. Examples include disabling essential logging services like AWS CloudTrail (`StopLogging` API call), Microsoft Azure Monitor Logs, or Google Cloud's Operations Suite (formerly Stackdriver). Disabling such services can hinder visibility into adversary activities within the cloud environment. Examples: - AWS CloudTrail StopLogging: This action stops logging of API activity for a particular trail, effectively reducing the monitoring and visibility of AWS resources and activities. - Microsoft Azure Monitor Logs: Disabling these logs hinders the organization’s ability to detect anomalous activities and trace malicious actions. - Google Cloud Logging: Disabling cloud logging removes visibility into resource activity, preventing monitoring of service access or configuration changes. - SaaS Applications: Stopping logging removes visibility into user activities, such as email access or file downloads, enabling undetected malicious behavior. This data component can be collected through the following measures: Enable and Monitor Cloud Service Logging - Ensure logging is enabled for all cloud services, including administrative actions like StopLogging. - Example: Use AWS Config to verify that CloudTrail is enabled and enforce logging as a compliance rule. API Monitoring - Use API monitoring tools to detect calls like StopLogging or equivalent service-stopping actions in other platforms. - Example: Monitor AWS CloudWatch for specific API events such as StopLogging and flag unauthorized users. SIEM Integration - Collect logs and events from the cloud control plane into a centralized SIEM for real-time analysis and correlation. - Example: Ingest AWS CloudTrail logs into Splunk or Azure Monitor logs into Sentinel. Cloud Security Posture Management (CSPM) Tools - Leverage CSPM tools like Prisma Cloud, Dome9, or AWS Security Hub to detect misconfigurations or suspicious activity, such as disabled logging. - Example: Set alerts for changes to logging configurations in CSPM dashboards. Configure Alerts in Cloud Platforms - Create native alerts in cloud platforms to detect service stoppages. - Example: Configure an AWS CloudWatch alarm to trigger when StopLogging is invoked.	This data component refers to monitoring actions that deactivate or stop a cloud service in a cloud control plane. Examples include disabling essential logging services like AWS CloudTrail (`StopLogging` API call), Microsoft Azure Monitor Logs, or Google Cloud's Operations Suite (formerly Stackdriver). Disabling such services can hinder visibility into adversary activities within the cloud environment. Examples: - AWS CloudTrail StopLogging: This action stops logging of API activity for a particular trail, effectively reducing the monitoring and visibility of AWS resources and activities. - Microsoft Azure Monitor Logs: Disabling these logs hinders the organization’s ability to detect anomalous activities and trace malicious actions. - Google Cloud Logging: Disabling cloud logging removes visibility into resource activity, preventing monitoring of service access or configuration changes. - SaaS Applications: Stopping logging removes visibility into user activities, such as email access or file downloads, enabling undetected malicious behavior.

[DC0083] Cloud Service Enumeration

Current version: 2.0

	Old Description			New Description
t	1	Cloud service enumeration involves listing or querying avail	t	1	Cloud service enumeration involves listing or querying avail
	>	able cloud services in a cloud control plane. This activity		>	able cloud services in a cloud control plane. This activity
	>	is often performed to identify resources such as virtual mac		>	is often performed to identify resources such as virtual mac
	>	hines, storage buckets, compute clusters, or other services		>	hines, storage buckets, compute clusters, or other services
	>	within a cloud environment. Examples include API calls like		>	within a cloud environment. Examples include API calls like
	>	`AWS ECS ListServices`, `Azure ListAllResources`, or `Google		>	`AWS ECS ListServices`, `Azure ListAllResources`, or `Google
	>	Cloud ListInstances`. Examples: AWS Cloud Service Enumera		>	Cloud ListInstances`. Examples: AWS Cloud Service Enumera
	>	tion: The adversary gathers details about existing ECS servi		>	tion: The adversary gathers details about existing ECS servi
	>	ces to identify opportunities for privilege escalation or ex		>	ces to identify opportunities for privilege escalation or ex
	>	filtration. - Azure Resource Enumeration: The adversary coll		>	filtration. - Azure Resource Enumeration: The adversary coll
	>	ects information about virtual machines, resource groups, an		>	ects information about virtual machines, resource groups, an
	>	d other Azure assets for reconnaissance purposes. - Google C		>	d other Azure assets for reconnaissance purposes. - Google C
	>	loud Resource Enumeration: The attacker seeks to map the env		>	loud Resource Enumeration: The attacker seeks to map the env
	>	ironment and find misconfigured or underutilized resources f		>	ironment and find misconfigured or underutilized resources f
	>	or exploitation. - Office 365 Service Enumeration: The attac		>	or exploitation. - Office 365 Service Enumeration: The attac
	>	ker may look for data repositories or collaboration tools to		>	ker may look for data repositories or collaboration tools to
	>	exfiltrate sensitive information. This data component can		>	exfiltrate sensitive information.
	>	be collected through the following measures: Enable Cloud
	>	Activity Logging - Ensure cloud service logs are enabled fo
	>	r API calls and resource usage. - Example: Enable AWS CloudT
	>	rail, Azure Monitor, or Google Cloud Logging to track resour
	>	ce queries. Centralize Logs in a SIEM - Aggregate logs fro
	>	m cloud control planes into a centralized SIEM (e.g., Splunk
	>	, Azure Sentinel). - Example: Collect AWS CloudTrail logs an
	>	d set up alerts for API calls related to service enumeration
	>	. Use Native Cloud Security Tools - Leverage cloud-native
	>	security solutions like AWS GuardDuty, Azure Defender, or Go
	>	ogle Security Command Center. - Example: Use GuardDuty to de
	>	tect anomalous API activity, such as ListServices being exec
	>	uted by an unknown user. Implement Network Flow Logging -
	>	Monitor and analyze VPC flow logs to identify lateral moveme
	>	nt or enumeration activity. - Example: Inspect flow logs for
	>	unexpected traffic between compute instances and the cloud
	>	control plane. API Access Monitoring - Monitor API keys an
	>	d tokens used for enumeration to identify misuse or compromi
	>	se. - Example: Use AWS Secrets Manager or Azure Key Vault to
	>	manage and rotate keys securely.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:38.498000+00:00	2025-11-12 22:03:39.105000+00:00
description	Cloud service enumeration involves listing or querying available cloud services in a cloud control plane. This activity is often performed to identify resources such as virtual machines, storage buckets, compute clusters, or other services within a cloud environment. Examples include API calls like `AWS ECS ListServices`, `Azure ListAllResources`, or `Google Cloud ListInstances`. Examples: AWS Cloud Service Enumeration: The adversary gathers details about existing ECS services to identify opportunities for privilege escalation or exfiltration. - Azure Resource Enumeration: The adversary collects information about virtual machines, resource groups, and other Azure assets for reconnaissance purposes. - Google Cloud Resource Enumeration: The attacker seeks to map the environment and find misconfigured or underutilized resources for exploitation. - Office 365 Service Enumeration: The attacker may look for data repositories or collaboration tools to exfiltrate sensitive information. This data component can be collected through the following measures: Enable Cloud Activity Logging - Ensure cloud service logs are enabled for API calls and resource usage. - Example: Enable AWS CloudTrail, Azure Monitor, or Google Cloud Logging to track resource queries. Centralize Logs in a SIEM - Aggregate logs from cloud control planes into a centralized SIEM (e.g., Splunk, Azure Sentinel). - Example: Collect AWS CloudTrail logs and set up alerts for API calls related to service enumeration. Use Native Cloud Security Tools - Leverage cloud-native security solutions like AWS GuardDuty, Azure Defender, or Google Security Command Center. - Example: Use GuardDuty to detect anomalous API activity, such as ListServices being executed by an unknown user. Implement Network Flow Logging - Monitor and analyze VPC flow logs to identify lateral movement or enumeration activity. - Example: Inspect flow logs for unexpected traffic between compute instances and the cloud control plane. API Access Monitoring - Monitor API keys and tokens used for enumeration to identify misuse or compromise. - Example: Use AWS Secrets Manager or Azure Key Vault to manage and rotate keys securely.	Cloud service enumeration involves listing or querying available cloud services in a cloud control plane. This activity is often performed to identify resources such as virtual machines, storage buckets, compute clusters, or other services within a cloud environment. Examples include API calls like `AWS ECS ListServices`, `Azure ListAllResources`, or `Google Cloud ListInstances`. Examples: AWS Cloud Service Enumeration: The adversary gathers details about existing ECS services to identify opportunities for privilege escalation or exfiltration. - Azure Resource Enumeration: The adversary collects information about virtual machines, resource groups, and other Azure assets for reconnaissance purposes. - Google Cloud Resource Enumeration: The attacker seeks to map the environment and find misconfigured or underutilized resources for exploitation. - Office 365 Service Enumeration: The attacker may look for data repositories or collaboration tools to exfiltrate sensitive information.

[DC0070] Cloud Service Metadata

Current version: 2.0

	Old Description			New Description
t	1	Cloud service metadata refers to the contextual and descript	t	1	Cloud service metadata refers to the contextual and descript
	>	ive information about cloud services, including their name,		>	ive information about cloud services, including their name,
	>	type, purpose, configuration, and activity around them. This		>	type, purpose, configuration, and activity around them. This
	>	metadata is essential for understanding the roles and funct		>	metadata is essential for understanding the roles and funct
	>	ions of cloud services, their operational status, and their		>	ions of cloud services, their operational status, and their
	>	potential misuse. Examples: - Azure Service Metadata: Meta		>	potential misuse. Examples: - Azure Service Metadata: Meta
	>	data describing a resource in Azure, such as an Azure Storag		>	data describing a resource in Azure, such as an Azure Storag
	>	e Account or a Virtual Machine. - AWS Cloud Service Metadata		>	e Account or a Virtual Machine. - AWS Cloud Service Metadata
	>	: Metadata for an AWS EC2 instance collected using the `Desc		>	: Metadata for an AWS EC2 instance collected using the `Desc
	>	ribeInstances` API call. - Google Cloud Service Metadata: Me		>	ribeInstances` API call. - Google Cloud Service Metadata: Me
	>	tadata for a Google Compute Engine instance collected using		>	tadata for a Google Compute Engine instance collected using
	>	`gcloud compute instances describe`. - Office 365 Metadata:		>	`gcloud compute instances describe`. - Office 365 Metadata:
	>	Metadata about an Office 365 SharePoint site. This data com		>	Metadata about an Office 365 SharePoint site.
	>	ponent can be collected through the following measures: Ena
	>	ble Cloud Metadata APIs - Leverage APIs provided by cloud p
	>	roviders to query metadata about services. - AWS: Use AW
	>	S CLI or SDKs for `DescribeInstances`, `DescribeBuckets`, et
	>	c. - Azure: Use `az resource list` or SDKs. - Google
	>	Cloud: Use `gcloud compute instances describe` or related c
	>	ommands. - Office 365: Use Microsoft Graph API. Central
	>	ize Metadata in a Security Platform - Aggregate metadata fr
	>	om multiple clouds into a SIEM or CSPM (Cloud Security Postu
	>	re Management) tool. - Example: Integrate AWS CloudTrail wit
	>	h Splunk or Azure Monitor with Sentinel. Enable Continuous
	>	Monitoring - Set up automated jobs or workflows to regularl
	>	y query and update metadata. - Example: Use AWS Config to tr
	>	ack resource configurations and changes over time. Configur
	>	e Access and Logging - Enable logging for API queries to en
	>	sure access and usage of metadata are monitored. - Example:
	>	Use AWS CloudTrail to log API activity for metadata queries.
	>	Use Cloud Security Tools - Employ CSPM tools like Prisma
	>	Cloud, Wiz, or Dome9 to gather metadata and identify misconf
	>	igurations. - Example: Prisma Cloud provides consolidated vi
	>	ews of metadata for resources across AWS, Azure, and GCP.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:34.276000+00:00	2025-11-12 22:03:39.105000+00:00
description	Cloud service metadata refers to the contextual and descriptive information about cloud services, including their name, type, purpose, configuration, and activity around them. This metadata is essential for understanding the roles and functions of cloud services, their operational status, and their potential misuse. Examples: - Azure Service Metadata: Metadata describing a resource in Azure, such as an Azure Storage Account or a Virtual Machine. - AWS Cloud Service Metadata: Metadata for an AWS EC2 instance collected using the `DescribeInstances` API call. - Google Cloud Service Metadata: Metadata for a Google Compute Engine instance collected using `gcloud compute instances describe`. - Office 365 Metadata: Metadata about an Office 365 SharePoint site. This data component can be collected through the following measures: Enable Cloud Metadata APIs - Leverage APIs provided by cloud providers to query metadata about services. - AWS: Use AWS CLI or SDKs for `DescribeInstances`, `DescribeBuckets`, etc. - Azure: Use `az resource list` or SDKs. - Google Cloud: Use `gcloud compute instances describe` or related commands. - Office 365: Use Microsoft Graph API. Centralize Metadata in a Security Platform - Aggregate metadata from multiple clouds into a SIEM or CSPM (Cloud Security Posture Management) tool. - Example: Integrate AWS CloudTrail with Splunk or Azure Monitor with Sentinel. Enable Continuous Monitoring - Set up automated jobs or workflows to regularly query and update metadata. - Example: Use AWS Config to track resource configurations and changes over time. Configure Access and Logging - Enable logging for API queries to ensure access and usage of metadata are monitored. - Example: Use AWS CloudTrail to log API activity for metadata queries. Use Cloud Security Tools - Employ CSPM tools like Prisma Cloud, Wiz, or Dome9 to gather metadata and identify misconfigurations. - Example: Prisma Cloud provides consolidated views of metadata for resources across AWS, Azure, and GCP.	Cloud service metadata refers to the contextual and descriptive information about cloud services, including their name, type, purpose, configuration, and activity around them. This metadata is essential for understanding the roles and functions of cloud services, their operational status, and their potential misuse. Examples: - Azure Service Metadata: Metadata describing a resource in Azure, such as an Azure Storage Account or a Virtual Machine. - AWS Cloud Service Metadata: Metadata for an AWS EC2 instance collected using the `DescribeInstances` API call. - Google Cloud Service Metadata: Metadata for a Google Compute Engine instance collected using `gcloud compute instances describe`. - Office 365 Metadata: Metadata about an Office 365 SharePoint site.
x_mitre_log_sources[0]['name']	CloudTrail:GetInstanceIdentityDocument	AWS:CloudTrail
x_mitre_log_sources[4]['name']	CloudTrail:GetSecretValue	AWS:CloudTrail
x_mitre_log_sources[4]['channel']	API call to retrieve secret or access key	GetSecretValue
x_mitre_log_sources[5]['name']	CloudTrail:InvokeFunction	AWS:CloudTrail

[DC0069] Cloud Service Modification

Current version: 2.0

	Old Description			New Description
t	1	Cloud service modification refers to changes made to the con	t	1	Cloud service modification refers to changes made to the con
	>	figuration, settings, or data of a cloud service. These modi		>	figuration, settings, or data of a cloud service. These modi
	>	fications can include administrative changes such as enablin		>	fications can include administrative changes such as enablin
	>	g or disabling features, altering permissions, or deleting c		>	g or disabling features, altering permissions, or deleting c
	>	ritical components. Monitoring these changes is critical to		>	ritical components. Monitoring these changes is critical to
	>	detect potential misconfigurations or malicious activity. Ex		>	detect potential misconfigurations or malicious activity. Ex
	>	amples: - AWS Cloud Service Modifications: A user disables		>	amples: - AWS Cloud Service Modifications: A user disables
	>	AWS CloudTrail logging (StopLogging) or deletes a CloudWatc		>	AWS CloudTrail logging (StopLogging) or deletes a CloudWatc
	>	h configuration rule (DeleteConfigRule). - Azure Cloud Servi		>	h configuration rule (DeleteConfigRule). - Azure Cloud Servi
	>	ce Modifications: Changes to Azure Role-Based Access Control		>	ce Modifications: Changes to Azure Role-Based Access Control
	>	(RBAC) roles, such as adding a new Contributor role to a se		>	(RBAC) roles, such as adding a new Contributor role to a se
	>	nsitive resource. - Google Cloud Service Modifications: Dele		>	nsitive resource. - Google Cloud Service Modifications: Dele
	>	tion of a Google Cloud Storage bucket or disabling a Google		>	tion of a Google Cloud Storage bucket or disabling a Google
	>	Cloud Function. - Office 365 Cloud Service Modifications: Al		>	Cloud Function. - Office 365 Cloud Service Modifications: Al
	>	tering mailbox permissions or disabling auditing in Microsof		>	tering mailbox permissions or disabling auditing in Microsof
	>	t 365. This data component can be collected through the fol		>	t 365.
	>	lowing measures: Enable Cloud Audit Logging - AWS: Enable
	>	AWS CloudTrail for logging management events such as StopLog
	>	ging or DeleteTrail. - Azure: Use Azure Activity Logs to mon
	>	itor resource changes and access actions. - Google Cloud: En
	>	able Google Cloud Audit Logs to track API calls, resource mo
	>	difications, and policy changes. - Office 365: Use Unified A
	>	udit Logs in Microsoft Purview to track administrative actio
	>	ns. Centralize Log Storage - Consolidate logs from all clo
	>	ud providers into a SIEM or CSPM (Cloud Security Posture Man
	>	agement) tool. - Example: Use Splunk or Elastic Stack to ing
	>	est and analyze logs from AWS, Azure, and Google Cloud. Aut
	>	omate Alerts for Sensitive Changes - Configure alerts for h
	>	igh-risk actions, such as disabling logging or modifying IAM
	>	roles. - AWS Example: Use AWS Config rules to detect and no
	>	tify changes to critical services. - Azure Example: Set up A
	>	zure Monitor alerts for write actions on sensitive resources
	>	. Enable Continuous Monitoring - Use tools like AWS Securi
	>	ty Hub, Azure Defender, or Google Chronicle to continuously
	>	monitor cloud service modifications for anomalies.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:35.943000+00:00	2025-11-12 22:03:39.105000+00:00
description	Cloud service modification refers to changes made to the configuration, settings, or data of a cloud service. These modifications can include administrative changes such as enabling or disabling features, altering permissions, or deleting critical components. Monitoring these changes is critical to detect potential misconfigurations or malicious activity. Examples: - AWS Cloud Service Modifications: A user disables AWS CloudTrail logging (StopLogging) or deletes a CloudWatch configuration rule (DeleteConfigRule). - Azure Cloud Service Modifications: Changes to Azure Role-Based Access Control (RBAC) roles, such as adding a new Contributor role to a sensitive resource. - Google Cloud Service Modifications: Deletion of a Google Cloud Storage bucket or disabling a Google Cloud Function. - Office 365 Cloud Service Modifications: Altering mailbox permissions or disabling auditing in Microsoft 365. This data component can be collected through the following measures: Enable Cloud Audit Logging - AWS: Enable AWS CloudTrail for logging management events such as StopLogging or DeleteTrail. - Azure: Use Azure Activity Logs to monitor resource changes and access actions. - Google Cloud: Enable Google Cloud Audit Logs to track API calls, resource modifications, and policy changes. - Office 365: Use Unified Audit Logs in Microsoft Purview to track administrative actions. Centralize Log Storage - Consolidate logs from all cloud providers into a SIEM or CSPM (Cloud Security Posture Management) tool. - Example: Use Splunk or Elastic Stack to ingest and analyze logs from AWS, Azure, and Google Cloud. Automate Alerts for Sensitive Changes - Configure alerts for high-risk actions, such as disabling logging or modifying IAM roles. - AWS Example: Use AWS Config rules to detect and notify changes to critical services. - Azure Example: Set up Azure Monitor alerts for write actions on sensitive resources. Enable Continuous Monitoring - Use tools like AWS Security Hub, Azure Defender, or Google Chronicle to continuously monitor cloud service modifications for anomalies.	Cloud service modification refers to changes made to the configuration, settings, or data of a cloud service. These modifications can include administrative changes such as enabling or disabling features, altering permissions, or deleting critical components. Monitoring these changes is critical to detect potential misconfigurations or malicious activity. Examples: - AWS Cloud Service Modifications: A user disables AWS CloudTrail logging (StopLogging) or deletes a CloudWatch configuration rule (DeleteConfigRule). - Azure Cloud Service Modifications: Changes to Azure Role-Based Access Control (RBAC) roles, such as adding a new Contributor role to a sensitive resource. - Google Cloud Service Modifications: Deletion of a Google Cloud Storage bucket or disabling a Google Cloud Function. - Office 365 Cloud Service Modifications: Altering mailbox permissions or disabling auditing in Microsoft 365.
x_mitre_log_sources[9]['name']	CloudTrail:Organizations	AWS:CloudTrail
x_mitre_log_sources[15]['name']	CloudTrail:UpdatePolicy	AWS:CloudTrail

[DC0025] Cloud Storage Access

Current version: 2.0

	Old Description			New Description
t	1	Cloud storage access refers to the retrieval or interaction	t	1	Cloud storage access refers to the retrieval or interaction
	>	with data stored in cloud infrastructure. This data componen		>	with data stored in cloud infrastructure. This data componen
	>	t includes activities such as reading, downloading, or acces		>	t includes activities such as reading, downloading, or acces
	>	sing files and objects within cloud storage systems. Common		>	sing files and objects within cloud storage systems. Common
	>	examples include API calls like GetObject in AWS S3, which r		>	examples include API calls like GetObject in AWS S3, which r
	>	etrieves objects from cloud buckets. Examples: - AWS S3 Ac		>	etrieves objects from cloud buckets. Examples: - AWS S3 Ac
	>	cess: An adversary uses the `GetObject` API to retrieve sens		>	cess: An adversary uses the `GetObject` API to retrieve sens
	>	itive data from an AWS S3 bucket. - Azure Blob Storage Acces		>	itive data from an AWS S3 bucket. - Azure Blob Storage Acces
	>	s: A user accesses a blob in Azure Storage using `Get Blob`		>	s: A user accesses a blob in Azure Storage using `Get Blob`
	>	or `Get Blob Properties`. - Google Cloud Storage Access: An		>	or `Get Blob Properties`. - Google Cloud Storage Access: An
	>	adversary uses `storage.objects.get` to download objects fro		>	adversary uses `storage.objects.get` to download objects fro
	>	m - OpenStack Swift Storage Access: A user retrieves an obje		>	m - OpenStack Swift Storage Access: A user retrieves an obje
	>	ct from OpenStack Swift using the `GET` method. This data c		>	ct from OpenStack Swift using the `GET` method.
	>	omponent can be collected through the following measures: E
	>	nable Logging for Cloud Storage Services - AWS S3: Enable S
	>	erver Access Logging to capture API calls like `GetObject` a
	>	nd store them in a designated S3 bucket. - Azure Storage: En
	>	able Azure Storage Logging to capture operations like `GetBl
	>	ob` and log metadata. - Google Cloud Storage: Enable Data Ac
	>	cess audit logs for `storage.objects.get` API calls. - OpenS
	>	tack Swift: Configure middleware for object logging to captu
	>	re GET requests. Centralize and Aggregate Logs - Use a cen
	>	tralized logging solution (e.g., Splunk, ELK, or a cloud-nat
	>	ive SIEM) to ingest and analyze logs from different cloud pr
	>	oviders. - AWS Example: Use AWS CloudTrail to collect AP
	>	I activity logs and forward them to your SIEM. - Azure E
	>	xample: Use Azure Monitor and Log Analytics to analyze stora
	>	ge access logs. Correlate with IAM Logs - Combine storage
	>	access logs with IAM activity logs to correlate user actions
	>	with specific permissions and identities.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.111000+00:00	2025-11-12 22:03:39.105000+00:00
description	Cloud storage access refers to the retrieval or interaction with data stored in cloud infrastructure. This data component includes activities such as reading, downloading, or accessing files and objects within cloud storage systems. Common examples include API calls like GetObject in AWS S3, which retrieves objects from cloud buckets. Examples: - AWS S3 Access: An adversary uses the `GetObject` API to retrieve sensitive data from an AWS S3 bucket. - Azure Blob Storage Access: A user accesses a blob in Azure Storage using `Get Blob` or `Get Blob Properties`. - Google Cloud Storage Access: An adversary uses `storage.objects.get` to download objects from - OpenStack Swift Storage Access: A user retrieves an object from OpenStack Swift using the `GET` method. This data component can be collected through the following measures: Enable Logging for Cloud Storage Services - AWS S3: Enable Server Access Logging to capture API calls like `GetObject` and store them in a designated S3 bucket. - Azure Storage: Enable Azure Storage Logging to capture operations like `GetBlob` and log metadata. - Google Cloud Storage: Enable Data Access audit logs for `storage.objects.get` API calls. - OpenStack Swift: Configure middleware for object logging to capture GET requests. Centralize and Aggregate Logs - Use a centralized logging solution (e.g., Splunk, ELK, or a cloud-native SIEM) to ingest and analyze logs from different cloud providers. - AWS Example: Use AWS CloudTrail to collect API activity logs and forward them to your SIEM. - Azure Example: Use Azure Monitor and Log Analytics to analyze storage access logs. Correlate with IAM Logs - Combine storage access logs with IAM activity logs to correlate user actions with specific permissions and identities.	Cloud storage access refers to the retrieval or interaction with data stored in cloud infrastructure. This data component includes activities such as reading, downloading, or accessing files and objects within cloud storage systems. Common examples include API calls like GetObject in AWS S3, which retrieves objects from cloud buckets. Examples: - AWS S3 Access: An adversary uses the `GetObject` API to retrieve sensitive data from an AWS S3 bucket. - Azure Blob Storage Access: A user accesses a blob in Azure Storage using `Get Blob` or `Get Blob Properties`. - Google Cloud Storage Access: An adversary uses `storage.objects.get` to download objects from - OpenStack Swift Storage Access: A user retrieves an object from OpenStack Swift using the `GET` method.
x_mitre_log_sources[0]['channel']	PutObject, CopyObject	GetObject, CopyObject

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'AWS:CloudTrail', 'channel': 'PutObject, GetObject, CopyObject, DeleteObject'}
x_mitre_log_sources	{'name': 'AWS:CloudTrail', 'channel': 'GetObject'}

[DC0024] Cloud Storage Creation

Current version: 2.0

	Old Description			New Description
t	1	Cloud Storage Creation refers to the initial creation of a n	t	1	Cloud Storage Creation refers to the initial creation of a n
	>	ew cloud storage resource, such as buckets, containers, or d		>	ew cloud storage resource, such as buckets, containers, or d
	>	irectories, within a cloud environment. This action is criti		>	irectories, within a cloud environment. This action is criti
	>	cal to track as it might indicate the legitimate provisionin		>	cal to track as it might indicate the legitimate provisionin
	>	g of resources or unauthorized actions taken by adversaries		>	g of resources or unauthorized actions taken by adversaries
	>	to stage, store, or exfiltrate data. Examples: - AWS S3 Bu		>	to stage, store, or exfiltrate data. Examples: - AWS S3 Bu
	>	cket Creation: An AWS user creates a new S3 bucket using the		>	cket Creation: An AWS user creates a new S3 bucket using the
	>	`CreateBucket` API call. - Azure Blob Storage Container Cre		>	`CreateBucket` API call. - Azure Blob Storage Container Cre
	>	ation: A user creates a new container in Azure Blob Storage		>	ation: A user creates a new container in Azure Blob Storage
	>	using the `Create Container` operation. - Google Cloud Stora		>	using the `Create Container` operation. - Google Cloud Stora
	>	ge Bucket Creation: A Google Cloud user creates a new bucket		>	ge Bucket Creation: A Google Cloud user creates a new bucket
	>	using `storage.buckets.create`. - OpenStack Swift Container		>	using `storage.buckets.create`. - OpenStack Swift Container
	>	Creation: A user creates a new container in OpenStack Swift		>	Creation: A user creates a new container in OpenStack Swift
	>	using the `PUT` method. This data component can be collect		>	using the `PUT` method.
	>	ed through the following measures: Enable Logging for Cloud
	>	Storage Services - AWS S3: Enable AWS CloudTrail to log Cr
	>	eateBucket API actions. - Azure Blob Storage: Enable Azure M
	>	onitor and Diagnostic Logs for storage account activity. Use
	>	Azure Event Grid to capture Create Container operations. -
	>	Google Cloud Storage: Enable Data Access logs in Cloud Audit
	>	Logs to monitor storage.buckets.create API calls. - OpenSta
	>	ck Swift: Configure Swift logging to capture PUT requests to
	>	new containers. Centralized Logging and Analysis - Forwar
	>	d logs to centralized platforms like Splunk or cloud-native
	>	SIEM solutions for correlation and analysis.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:39.305000+00:00	2025-11-12 22:03:39.105000+00:00
description	Cloud Storage Creation refers to the initial creation of a new cloud storage resource, such as buckets, containers, or directories, within a cloud environment. This action is critical to track as it might indicate the legitimate provisioning of resources or unauthorized actions taken by adversaries to stage, store, or exfiltrate data. Examples: - AWS S3 Bucket Creation: An AWS user creates a new S3 bucket using the `CreateBucket` API call. - Azure Blob Storage Container Creation: A user creates a new container in Azure Blob Storage using the `Create Container` operation. - Google Cloud Storage Bucket Creation: A Google Cloud user creates a new bucket using `storage.buckets.create`. - OpenStack Swift Container Creation: A user creates a new container in OpenStack Swift using the `PUT` method. This data component can be collected through the following measures: Enable Logging for Cloud Storage Services - AWS S3: Enable AWS CloudTrail to log CreateBucket API actions. - Azure Blob Storage: Enable Azure Monitor and Diagnostic Logs for storage account activity. Use Azure Event Grid to capture Create Container operations. - Google Cloud Storage: Enable Data Access logs in Cloud Audit Logs to monitor storage.buckets.create API calls. - OpenStack Swift: Configure Swift logging to capture PUT requests to new containers. Centralized Logging and Analysis - Forward logs to centralized platforms like Splunk or cloud-native SIEM solutions for correlation and analysis.	Cloud Storage Creation refers to the initial creation of a new cloud storage resource, such as buckets, containers, or directories, within a cloud environment. This action is critical to track as it might indicate the legitimate provisioning of resources or unauthorized actions taken by adversaries to stage, store, or exfiltrate data. Examples: - AWS S3 Bucket Creation: An AWS user creates a new S3 bucket using the `CreateBucket` API call. - Azure Blob Storage Container Creation: A user creates a new container in Azure Blob Storage using the `Create Container` operation. - Google Cloud Storage Bucket Creation: A Google Cloud user creates a new bucket using `storage.buckets.create`. - OpenStack Swift Container Creation: A user creates a new container in OpenStack Swift using the `PUT` method.

[DC0022] Cloud Storage Deletion

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:38.644000+00:00	2025-11-12 22:03:39.105000+00:00

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'AWS:CloudTrail', 'channel': 'PutBackupVaultAccessPolicy'}

[DC0017] Cloud Storage Enumeration

Current version: 2.0

	Old Description			New Description
t	1	Cloud Storage Enumeration involves retrieving a list of avai	t	1	Cloud Storage Enumeration involves retrieving a list of avai
	>	lable cloud storage infrastructure, such as buckets, contain		>	lable cloud storage infrastructure, such as buckets, contain
	>	ers, or objects, within a cloud environment. This activity m		>	ers, or objects, within a cloud environment. This activity m
	>	ay be performed for legitimate administrative purposes or ma		>	ay be performed for legitimate administrative purposes or ma
	>	licious reconnaissance by adversaries seeking to identify ac		>	licious reconnaissance by adversaries seeking to identify ac
	>	cessible storage resources.Examples: - AWS S3 Bucket Enumer		>	cessible storage resources.Examples: - AWS S3 Bucket Enumer
	>	ation: An AWS user lists all buckets using the `ListBuckets`		>	ation: An AWS user lists all buckets using the `ListBuckets`
	>	API call. - Azure Blob Storage Container Enumeration: A use		>	API call. - Azure Blob Storage Container Enumeration: A use
	>	r retrieves a list of all containers within a storage accoun		>	r retrieves a list of all containers within a storage accoun
	>	t using the Azure Storage SDK or API. - Google Cloud Storage		>	t using the Azure Storage SDK or API. - Google Cloud Storage
	>	Bucket Enumeration: A Google Cloud user lists all buckets w		>	Bucket Enumeration: A Google Cloud user lists all buckets w
	>	ithin a project using the `storage.buckets.list` API. - Open		>	ithin a project using the `storage.buckets.list` API. - Open
	>	Stack Swift Container Enumeration: A user retrieves a list o		>	Stack Swift Container Enumeration: A user retrieves a list o
	>	f containers in OpenStack Swift using the `GET` method on th		>	f containers in OpenStack Swift using the `GET` method on th
	>	e storage endpoint. This data component can be collected th		>	e storage endpoint.
	>	rough the following measures: Enable Logging for Cloud Stor
	>	age Enumeration - AWS S3: Enable AWS CloudTrail to capture
	>	ListBuckets and ListObjects API calls. - Azure Blob Storage:
	>	Enable Azure Monitor and Diagnostic Logs to capture enumera
	>	tion operations like List Containers. Use Azure Event Grid t
	>	o trigger alerts for container enumeration. - Google Cloud S
	>	torage: Enable Audit Logs in Google Cloud to track storage.b
	>	uckets.list API activity. - OpenStack Swift: Configure Swift
	>	logging to capture GET requests for container enumeration.
	>	Centralized Log Aggregation - Use platforms like Splunk or
	>	native SIEM solutions to collect and analyze enumeration lo
	>	gs.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:38.903000+00:00	2025-11-12 22:03:39.105000+00:00
description	Cloud Storage Enumeration involves retrieving a list of available cloud storage infrastructure, such as buckets, containers, or objects, within a cloud environment. This activity may be performed for legitimate administrative purposes or malicious reconnaissance by adversaries seeking to identify accessible storage resources.Examples: - AWS S3 Bucket Enumeration: An AWS user lists all buckets using the `ListBuckets` API call. - Azure Blob Storage Container Enumeration: A user retrieves a list of all containers within a storage account using the Azure Storage SDK or API. - Google Cloud Storage Bucket Enumeration: A Google Cloud user lists all buckets within a project using the `storage.buckets.list` API. - OpenStack Swift Container Enumeration: A user retrieves a list of containers in OpenStack Swift using the `GET` method on the storage endpoint. This data component can be collected through the following measures: Enable Logging for Cloud Storage Enumeration - AWS S3: Enable AWS CloudTrail to capture ListBuckets and ListObjects API calls. - Azure Blob Storage: Enable Azure Monitor and Diagnostic Logs to capture enumeration operations like List Containers. Use Azure Event Grid to trigger alerts for container enumeration. - Google Cloud Storage: Enable Audit Logs in Google Cloud to track storage.buckets.list API activity. - OpenStack Swift: Configure Swift logging to capture GET requests for container enumeration. Centralized Log Aggregation - Use platforms like Splunk or native SIEM solutions to collect and analyze enumeration logs.	Cloud Storage Enumeration involves retrieving a list of available cloud storage infrastructure, such as buckets, containers, or objects, within a cloud environment. This activity may be performed for legitimate administrative purposes or malicious reconnaissance by adversaries seeking to identify accessible storage resources.Examples: - AWS S3 Bucket Enumeration: An AWS user lists all buckets using the `ListBuckets` API call. - Azure Blob Storage Container Enumeration: A user retrieves a list of all containers within a storage account using the Azure Storage SDK or API. - Google Cloud Storage Bucket Enumeration: A Google Cloud user lists all buckets within a project using the `storage.buckets.list` API. - OpenStack Swift Container Enumeration: A user retrieves a list of containers in OpenStack Swift using the `GET` method on the storage endpoint.

[DC0027] Cloud Storage Metadata

Current version: 2.0

	Old Description			New Description
t	1	Cloud Storage Metadata provides contextual information about	t	1	Cloud Storage Metadata provides contextual information about
	>	cloud storage infrastructure and its associated activity. T		>	cloud storage infrastructure and its associated activity. T
	>	his data may include attributes such as storage name, size,		>	his data may include attributes such as storage name, size,
	>	owner, permissions, creation date, region, and activity meta		>	owner, permissions, creation date, region, and activity meta
	>	data. It is essential for monitoring, auditing, and identify		>	data. It is essential for monitoring, auditing, and identify
	>	ing anomalies in cloud storage environments. Examples: - A		>	ing anomalies in cloud storage environments. Examples: - A
	>	WS S3 Bucket Metadata: Metadata about an S3 bucket includes		>	WS S3 Bucket Metadata: Metadata about an S3 bucket includes
	>	the bucket name, region, creation date, owner, storage class		>	the bucket name, region, creation date, owner, storage class
	>	, and permissions. - Azure Blob Storage Metadata: Metadata f		>	, and permissions. - Azure Blob Storage Metadata: Metadata f
	>	or an Azure Blob container includes container name, access l		>	or an Azure Blob container includes container name, access l
	>	evel (e.g., private or public), size, and tags. - Google Clo		>	evel (e.g., private or public), size, and tags. - Google Clo
	>	ud Storage Metadata: Metadata includes bucket name, storage		>	ud Storage Metadata: Metadata includes bucket name, storage
	>	class, location, labels, lifecycle policies, and versioning		>	class, location, labels, lifecycle policies, and versioning
	>	status. - OpenStack Swift Metadata: Metadata for a Swift con		>	status. - OpenStack Swift Metadata: Metadata for a Swift con
	>	tainer includes name, access level, quota, and custom attrib		>	tainer includes name, access level, quota, and custom attrib
	>	utes. This data component can be collected through the foll		>	utes.
	>	owing measures: Enable Logging for Metadata Collection - A
	>	WS S3: Use AWS CloudTrail to log `GetBucketAcl`, `GetBucketP
	>	olicy`, and `HeadBucket` API calls. - Azure Blob Storage: Us
	>	e Azure Monitor to log container metadata retrieval and upda
	>	tes. - Google Cloud Storage: Enable Google Cloud Audit Logs
	>	to capture `storage.buckets.get` and `storage.buckets.update
	>	`. - OpenStack Swift: Enable logging of `HEAD` or `GET` requ
	>	ests to containers. Centralized Log Aggregation - Use a SI
	>	EM solution (e.g., Splunk) to aggregate and analyze metadata
	>	retrieval and modification logs. - Correlate metadata acces
	>	s with user actions, IP addresses, and other contextual data
	>	. API Polling - Use cloud SDKs or APIs to periodically que
	>	ry metadata for analysis: - AWS CLI Example: `aws s3api
	>	get-bucket-acl --bucket company-sensitive-data` - Azure
	>	CLI Example: `az storage container show --name customer-reco
	>	rds` - Google Cloud CLI Example: `gcloud storage buckets
	>	describe user-uploads`

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:39.767000+00:00	2025-11-12 22:03:39.105000+00:00
description	Cloud Storage Metadata provides contextual information about cloud storage infrastructure and its associated activity. This data may include attributes such as storage name, size, owner, permissions, creation date, region, and activity metadata. It is essential for monitoring, auditing, and identifying anomalies in cloud storage environments. Examples: - AWS S3 Bucket Metadata: Metadata about an S3 bucket includes the bucket name, region, creation date, owner, storage class, and permissions. - Azure Blob Storage Metadata: Metadata for an Azure Blob container includes container name, access level (e.g., private or public), size, and tags. - Google Cloud Storage Metadata: Metadata includes bucket name, storage class, location, labels, lifecycle policies, and versioning status. - OpenStack Swift Metadata: Metadata for a Swift container includes name, access level, quota, and custom attributes. This data component can be collected through the following measures: Enable Logging for Metadata Collection - AWS S3: Use AWS CloudTrail to log `GetBucketAcl`, `GetBucketPolicy`, and `HeadBucket` API calls. - Azure Blob Storage: Use Azure Monitor to log container metadata retrieval and updates. - Google Cloud Storage: Enable Google Cloud Audit Logs to capture `storage.buckets.get` and `storage.buckets.update`. - OpenStack Swift: Enable logging of `HEAD` or `GET` requests to containers. Centralized Log Aggregation - Use a SIEM solution (e.g., Splunk) to aggregate and analyze metadata retrieval and modification logs. - Correlate metadata access with user actions, IP addresses, and other contextual data. API Polling - Use cloud SDKs or APIs to periodically query metadata for analysis: - AWS CLI Example: `aws s3api get-bucket-acl --bucket company-sensitive-data` - Azure CLI Example: `az storage container show --name customer-records` - Google Cloud CLI Example: `gcloud storage buckets describe user-uploads`	Cloud Storage Metadata provides contextual information about cloud storage infrastructure and its associated activity. This data may include attributes such as storage name, size, owner, permissions, creation date, region, and activity metadata. It is essential for monitoring, auditing, and identifying anomalies in cloud storage environments. Examples: - AWS S3 Bucket Metadata: Metadata about an S3 bucket includes the bucket name, region, creation date, owner, storage class, and permissions. - Azure Blob Storage Metadata: Metadata for an Azure Blob container includes container name, access level (e.g., private or public), size, and tags. - Google Cloud Storage Metadata: Metadata includes bucket name, storage class, location, labels, lifecycle policies, and versioning status. - OpenStack Swift Metadata: Metadata for a Swift container includes name, access level, quota, and custom attributes.

[DC0023] Cloud Storage Modification

Current version: 2.0

	Old Description			New Description
t	1	Cloud Storage Modification involves tracking changes made to	t	1	Cloud Storage Modification involves tracking changes made to
	>	cloud storage infrastructure, including updates to settings		>	cloud storage infrastructure, including updates to settings
	>	, permissions, or stored data. Examples include modifying ob		>	, permissions, or stored data. Examples include modifying ob
	>	ject access control lists (ACLs), uploading new objects, or		>	ject access control lists (ACLs), uploading new objects, or
	>	updating bucket policies. Examples: AWS S3: An object is u		>	updating bucket policies. Examples: AWS S3: An object is u
	>	ploaded or its ACL is modified. - Azure Blob Storage: A blob		>	ploaded or its ACL is modified. - Azure Blob Storage: A blob
	>	's metadata or permissions are updated. - Google Cloud Stora		>	's metadata or permissions are updated. - Google Cloud Stora
	>	ge: An object's lifecycle policy is updated, or a bucket pol		>	ge: An object's lifecycle policy is updated, or a bucket pol
	>	icy is changed. - OpenStack Swift: Modifications to containe		>	icy is changed. - OpenStack Swift: Modifications to containe
	>	r settings or uploading of new objects. This data component		>	r settings or uploading of new objects.
	>	can be collected through the following measures: Enable Lo
	>	gging - AWS S3: Enable AWS CloudTrail to log API events lik
	>	e PutObject, PutObjectAcl, and PutBucketPolicy. - Azure Blob
	>	Storage: Use Azure Monitor to log write and update operatio
	>	ns. - Google Cloud Storage: Enable Google Cloud Audit Logs t
	>	o track storage.objects.update and storage.buckets.update. -
	>	OpenStack Swift: Enable logging for PUT and POST requests t
	>	o track object uploads and container metadata updates. Use
	>	Cloud Monitoring Tools - Integrate with tools like AWS Conf
	>	ig, Azure Security Center, or Google Cloud Monitoring to det
	>	ect configuration drift or unauthorized changes. Centralize
	>	d Log Aggregation - Use a SIEM (e.g., Splunk) to aggregate
	>	logs across multiple cloud providers for unified monitoring
	>	and analysis. Periodic API Queries - AWS CLI Example: Quer
	>	y recent modifications to bucket policies: `aws s3api get-bu
	>	cket-policy --bucket sensitive-data` - Azure CLI Example: Li
	>	st changes to a blob container: `az storage blob show --cont
	>	ainer-name private-docs` - Google Cloud CLI Example: Check m
	>	etadata updates: `gcloud storage objects describe gs://user-
	>	uploads/document.txt`

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.930000+00:00	2025-11-12 22:03:39.105000+00:00
description	Cloud Storage Modification involves tracking changes made to cloud storage infrastructure, including updates to settings, permissions, or stored data. Examples include modifying object access control lists (ACLs), uploading new objects, or updating bucket policies. Examples: AWS S3: An object is uploaded or its ACL is modified. - Azure Blob Storage: A blob's metadata or permissions are updated. - Google Cloud Storage: An object's lifecycle policy is updated, or a bucket policy is changed. - OpenStack Swift: Modifications to container settings or uploading of new objects. This data component can be collected through the following measures: Enable Logging - AWS S3: Enable AWS CloudTrail to log API events like PutObject, PutObjectAcl, and PutBucketPolicy. - Azure Blob Storage: Use Azure Monitor to log write and update operations. - Google Cloud Storage: Enable Google Cloud Audit Logs to track storage.objects.update and storage.buckets.update. - OpenStack Swift: Enable logging for PUT and POST requests to track object uploads and container metadata updates. Use Cloud Monitoring Tools - Integrate with tools like AWS Config, Azure Security Center, or Google Cloud Monitoring to detect configuration drift or unauthorized changes. Centralized Log Aggregation - Use a SIEM (e.g., Splunk) to aggregate logs across multiple cloud providers for unified monitoring and analysis. Periodic API Queries - AWS CLI Example: Query recent modifications to bucket policies: `aws s3api get-bucket-policy --bucket sensitive-data` - Azure CLI Example: List changes to a blob container: `az storage blob show --container-name private-docs` - Google Cloud CLI Example: Check metadata updates: `gcloud storage objects describe gs://user-uploads/document.txt`	Cloud Storage Modification involves tracking changes made to cloud storage infrastructure, including updates to settings, permissions, or stored data. Examples include modifying object access control lists (ACLs), uploading new objects, or updating bucket policies. Examples: AWS S3: An object is uploaded or its ACL is modified. - Azure Blob Storage: A blob's metadata or permissions are updated. - Google Cloud Storage: An object's lifecycle policy is updated, or a bucket policy is changed. - OpenStack Swift: Modifications to container settings or uploading of new objects.

[DC0064] Command Execution

Current version: 2.0

	Old Description			New Description
t	1	Command Execution involves monitoring and capturing the exec	t	1	Command Execution involves monitoring and capturing the exec
	>	ution of textual commands (including shell commands, cmdlets		>	ution of textual commands (including shell commands, cmdlets
	>	, and scripts) within an operating system or application. Th		>	, and scripts) within an operating system or application. Th
	>	ese commands may include arguments or parameters and are typ		>	ese commands may include arguments or parameters and are typ
	>	ically executed through interpreters such as `cmd.exe`, `bas		>	ically executed through interpreters such as `cmd.exe`, `bas
	>	h`, `zsh`, `PowerShell`, or programmatic execution. Examples		>	h`, `zsh`, `PowerShell`, or programmatic execution. Examples
	>	: - Windows Command Prompt - dir – Lists directory con		>	: - Windows Command Prompt - dir – Lists directory con
	>	tents. - net user – Queries or manipulates user accounts		>	tents. - net user – Queries or manipulates user accounts
	>	. - tasklist – Lists running processes. - PowerShell		>	. - tasklist – Lists running processes. - PowerShell
	>	- Get-Process – Retrieves processes running on a system.		>	- Get-Process – Retrieves processes running on a system.
	>	- Set-ExecutionPolicy – Changes PowerShell script executio		>	- Set-ExecutionPolicy – Changes PowerShell script executio
	>	n policies. - Invoke-WebRequest – Downloads remote resou		>	n policies. - Invoke-WebRequest – Downloads remote resou
	>	rces. - Linux Shell - ls – Lists files in a directory.		>	rces. - Linux Shell - ls – Lists files in a directory.
	>	- cat /etc/passwd – Reads the user accounts file. - c		>	- cat /etc/passwd – Reads the user accounts file. - c
	>	url http://malicious-site.com – Retrieves content from a mal		>	url http://malicious-site.com – Retrieves content from a mal
	>	icious URL. - Container Environments - docker exec – Exe		>	icious URL. - Container Environments - docker exec – Exe
	>	cutes a command inside a running container. - kubectl ex		>	cutes a command inside a running container. - kubectl ex
	>	ec – Runs commands in Kubernetes pods. - macOS Terminal		>	ec – Runs commands in Kubernetes pods. - macOS Terminal
	>	- open – Opens files or URLs. - dscl . -list /Users – Li		>	- open – Opens files or URLs. - dscl . -list /Users – Li
	>	sts all users on the system. - osascript -e – Executes A		>	sts all users on the system. - osascript -e – Executes A
	>	ppleScript commands. This data component can be collected t		>	ppleScript commands.
	>	hrough the following measures: Enable Command Logging - Wi
	>	ndows: - Enable PowerShell logging: `Set-ExecutionPolicy
	>	Bypass`, `Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\M
	>	icrosoft\Windows\PowerShell\ScriptBlockLogging" -Name Enable
	>	ScriptBlockLogging -Value 1` - Enable Windows Event Logg
	>	ing: - Event ID 4688: Tracks process creation, inclu
	>	ding command-line arguments. - Event ID 4104: Logs P
	>	owerShell script block execution. - Linux/macOS: - Enabl
	>	e shell history logging in `.bashrc` or `.zshrc`: `export HI
	>	STTIMEFORMAT="%d/%m/%y %T "`, `export PROMPT_COMMAND='histor
	>	y -a; history -w'` - Use audit frameworks (e.g., `auditd
	>	`) to log command executions. Example rule to log all `execv
	>	e` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_ex
	>	ec` - Containers: - Use runtime-specific tools like Dock
	>	er’s --log-driver or Kubernetes Audit Logs to capture exec c
	>	ommands. Integrate with Centralized Logging - Collect logs
	>	using a SIEM (e.g., Splunk) or cloud-based log aggregation
	>	tools like AWS CloudWatch or Azure Monitor. Example Splunk S
	>	earch for Windows Event 4688: `index=windows EventID=4688 Co
	>	mmandLine=*` Use Endpoint Detection and Response (EDR) Tool
	>	s - Monitor command executions via EDR solutions Deploy S
	>	ysmon for Advanced Logging (Windows) - Use Sysmon's Event I
	>	D 1 to log process creation with command-line arguments

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:34.849000+00:00	2025-11-12 22:03:39.105000+00:00
description	Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples: - Windows Command Prompt - dir – Lists directory contents. - net user – Queries or manipulates user accounts. - tasklist – Lists running processes. - PowerShell - Get-Process – Retrieves processes running on a system. - Set-ExecutionPolicy – Changes PowerShell script execution policies. - Invoke-WebRequest – Downloads remote resources. - Linux Shell - ls – Lists files in a directory. - cat /etc/passwd – Reads the user accounts file. - curl http://malicious-site.com – Retrieves content from a malicious URL. - Container Environments - docker exec – Executes a command inside a running container. - kubectl exec – Runs commands in Kubernetes pods. - macOS Terminal - open – Opens files or URLs. - dscl . -list /Users – Lists all users on the system. - osascript -e – Executes AppleScript commands. This data component can be collected through the following measures: Enable Command Logging - Windows: - Enable PowerShell logging: `Set-ExecutionPolicy Bypass`, `Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1` - Enable Windows Event Logging: - Event ID 4688: Tracks process creation, including command-line arguments. - Event ID 4104: Logs PowerShell script block execution. - Linux/macOS: - Enable shell history logging in `.bashrc` or `.zshrc`: `export HISTTIMEFORMAT="%d/%m/%y %T "`, `export PROMPT_COMMAND='history -a; history -w'` - Use audit frameworks (e.g., `auditd`) to log command executions. Example rule to log all `execve` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_exec` - Containers: - Use runtime-specific tools like Docker’s --log-driver or Kubernetes Audit Logs to capture exec commands. Integrate with Centralized Logging - Collect logs using a SIEM (e.g., Splunk) or cloud-based log aggregation tools like AWS CloudWatch or Azure Monitor. Example Splunk Search for Windows Event 4688: `index=windows EventID=4688 CommandLine=*` Use Endpoint Detection and Response (EDR) Tools - Monitor command executions via EDR solutions Deploy Sysmon for Advanced Logging (Windows) - Use Sysmon's Event ID 1 to log process creation with command-line arguments	Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples: - Windows Command Prompt - dir – Lists directory contents. - net user – Queries or manipulates user accounts. - tasklist – Lists running processes. - PowerShell - Get-Process – Retrieves processes running on a system. - Set-ExecutionPolicy – Changes PowerShell script execution policies. - Invoke-WebRequest – Downloads remote resources. - Linux Shell - ls – Lists files in a directory. - cat /etc/passwd – Reads the user accounts file. - curl http://malicious-site.com – Retrieves content from a malicious URL. - Container Environments - docker exec – Executes a command inside a running container. - kubectl exec – Runs commands in Kubernetes pods. - macOS Terminal - open – Opens files or URLs. - dscl . -list /Users – Lists all users on the system. - osascript -e – Executes AppleScript commands.
x_mitre_log_sources[4]['channel']	/var/log/syslog or journalctl	cron activity
x_mitre_log_sources[10]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106
x_mitre_log_sources[35]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106
x_mitre_log_sources[226]['name']	azure:signinLogs	azure:signinlogs

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Powershell', 'channel': 'EventCode=4104'}
x_mitre_log_sources	{'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103,4104'}
x_mitre_log_sources	{'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103'}
x_mitre_log_sources	{'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103,4104,4105, 4106'}
x_mitre_log_sources	{'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4105'}
x_mitre_log_sources	{'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4106'}
x_mitre_log_sources	{'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103, 4104'}

[DC0072] Container Creation

Current version: 2.0

	Old Description			New Description
t	1	"Container Creation" data component captures details about t	t	1	"Container Creation" data component captures details about t
	>	he initial construction of a container in a containerized en		>	he initial construction of a container in a containerized en
	>	vironment. This includes events where a new container is ins		>	vironment. This includes events where a new container is ins
	>	tantiated, such as through Docker, Kubernetes, or other cont		>	tantiated, such as through Docker, Kubernetes, or other cont
	>	ainer orchestration platforms. Monitoring these events helps		>	ainer orchestration platforms. Monitoring these events helps
	>	detect unauthorized or potentially malicious container crea		>	detect unauthorized or potentially malicious container crea
	>	tion. Examples: - Docker Example: `docker create my-contain		>	tion. Examples: - Docker Example: `docker create my-contain
	>	er`, `docker run --name=my-container nginx:latest` - Kuberne		>	er`, `docker run --name=my-container nginx:latest` - Kuberne
	>	tes Example: `kubectl run my-pod --image=nginx`, `kubectl cr		>	tes Example: `kubectl run my-pod --image=nginx`, `kubectl cr
	>	eate deployment my-deployment --image=nginx` - Cloud Contain		>	eate deployment my-deployment --image=nginx` - Cloud Contain
	>	er Services Example - AWS ECS: Task or service creation		>	er Services Example - AWS ECS: Task or service creation
	>	(`RunTask` or `CreateService`). - Azure Container Instan		>	(`RunTask` or `CreateService`). - Azure Container Instan
	>	ces: Deployment of a container group. - Google Kubernete		>	ces: Deployment of a container group. - Google Kubernete
	>	s Engine (GKE): Creation of new pods via GCP APIs. This dat		>	s Engine (GKE): Creation of new pods via GCP APIs.
	>	a component can be collected through the following measures:
	>	- Docker Audit Logging: Enable Docker daemon logging to ca
	>	pture `create` commands. Configure the Docker daemon to use
	>	a log driver such as `syslog` or `json-file`. - Kubernetes A
	>	udit Logs: Enable Kubernetes API server audit logging: - Clo
	>	ud Provider Logs - AWS CloudTrail: Enable logging for EC
	>	S `RunTask` or `CreateService` events. - Azure Monitor:
	>	Enable activity logging for container group creation. -
	>	GCP Cloud Logging: Monitor API calls such as `container.proj
	>	ects.zones.clusters.create`. - SIEM Integration: Use a SIEM
	>	to collect logs from Docker, Kubernetes, or cloud platforms.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:37.681000+00:00	2025-11-12 22:03:39.105000+00:00
description	"Container Creation" data component captures details about the initial construction of a container in a containerized environment. This includes events where a new container is instantiated, such as through Docker, Kubernetes, or other container orchestration platforms. Monitoring these events helps detect unauthorized or potentially malicious container creation. Examples: - Docker Example: `docker create my-container`, `docker run --name=my-container nginx:latest` - Kubernetes Example: `kubectl run my-pod --image=nginx`, `kubectl create deployment my-deployment --image=nginx` - Cloud Container Services Example - AWS ECS: Task or service creation (`RunTask` or `CreateService`). - Azure Container Instances: Deployment of a container group. - Google Kubernetes Engine (GKE): Creation of new pods via GCP APIs. This data component can be collected through the following measures: - Docker Audit Logging: Enable Docker daemon logging to capture `create` commands. Configure the Docker daemon to use a log driver such as `syslog` or `json-file`. - Kubernetes Audit Logs: Enable Kubernetes API server audit logging: - Cloud Provider Logs - AWS CloudTrail: Enable logging for ECS `RunTask` or `CreateService` events. - Azure Monitor: Enable activity logging for container group creation. - GCP Cloud Logging: Monitor API calls such as `container.projects.zones.clusters.create`. - SIEM Integration: Use a SIEM to collect logs from Docker, Kubernetes, or cloud platforms.	"Container Creation" data component captures details about the initial construction of a container in a containerized environment. This includes events where a new container is instantiated, such as through Docker, Kubernetes, or other container orchestration platforms. Monitoring these events helps detect unauthorized or potentially malicious container creation. Examples: - Docker Example: `docker create my-container`, `docker run --name=my-container nginx:latest` - Kubernetes Example: `kubectl run my-pod --image=nginx`, `kubectl create deployment my-deployment --image=nginx` - Cloud Container Services Example - AWS ECS: Task or service creation (`RunTask` or `CreateService`). - Azure Container Instances: Deployment of a container group. - Google Kubernetes Engine (GKE): Creation of new pods via GCP APIs.

[DC0091] Container Enumeration

Current version: 2.0

	Old Description			New Description
t	1	"Container Enumeration" data component captures events and a	t	1	"Container Enumeration" data component captures events and a
	>	ctions related to listing and identifying active or availabl		>	ctions related to listing and identifying active or availabl
	>	e containers within a containerized environment. This includ		>	e containers within a containerized environment. This includ
	>	es information about running, stopped, or configured contain		>	es information about running, stopped, or configured contain
	>	ers, such as their names, IDs, statuses, or associated image		>	ers, such as their names, IDs, statuses, or associated image
	>	s. Monitoring this activity is crucial for detecting unautho		>	s. Monitoring this activity is crucial for detecting unautho
	>	rized discovery or reconnaissance efforts. Examples: - Doc		>	rized discovery or reconnaissance efforts. Examples: - Doc
	>	ker Example: `docker ps`, `docker ps -a` - Kubernetes Exampl		>	ker Example: `docker ps`, `docker ps -a` - Kubernetes Exampl
	>	e: `kubectl get pods`, `kubectl get deployments` - Cloud Con		>	e: `kubectl get pods`, `kubectl get deployments` - Cloud Con
	>	tainer Services Example - AWS ECS: API Call: ListTasks o		>	tainer Services Example - AWS ECS: API Call: ListTasks o
	>	r ListContainers - Azure Kubernetes Service: API Call: L		>	r ListContainers - Azure Kubernetes Service: API Call: L
	>	ist pod or container instances. - Google Kubernetes Engi		>	ist pod or container instances. - Google Kubernetes Engi
	>	ne (GKE): API Call: Retrieve deployments and their associate		>	ne (GKE): API Call: Retrieve deployments and their associate
	>	d containers. This data component can be collected through		>	d containers.
	>	the following measures: - Docker Audit Logging: Enable Dock
	>	er daemon logging to capture enumeration commands. Use tools
	>	like auditd to monitor terminal activity involving docker p
	>	s or similar commands. - Kubernetes Audit Logs: Enable Kuber
	>	netes API server audit logging. Capture events where users q
	>	uery resources such as pods, deployments, or services. - Clo
	>	ud Provider Logs - AWS CloudTrail: Enable logging for AP
	>	I calls like ListTasks or DescribeTasks. - Azure Monitor
	>	: Enable activity logging to track container-related queries
	>	. - GCP Cloud Logging: Track API events involving contai
	>	ner enumerations or deployments. - SIEM Integration: Collect
	>	logs from Docker, Kubernetes, and cloud services for centra
	>	lized analysis.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:40.609000+00:00	2025-11-12 22:03:39.105000+00:00
description	"Container Enumeration" data component captures events and actions related to listing and identifying active or available containers within a containerized environment. This includes information about running, stopped, or configured containers, such as their names, IDs, statuses, or associated images. Monitoring this activity is crucial for detecting unauthorized discovery or reconnaissance efforts. Examples: - Docker Example: `docker ps`, `docker ps -a` - Kubernetes Example: `kubectl get pods`, `kubectl get deployments` - Cloud Container Services Example - AWS ECS: API Call: ListTasks or ListContainers - Azure Kubernetes Service: API Call: List pod or container instances. - Google Kubernetes Engine (GKE): API Call: Retrieve deployments and their associated containers. This data component can be collected through the following measures: - Docker Audit Logging: Enable Docker daemon logging to capture enumeration commands. Use tools like auditd to monitor terminal activity involving docker ps or similar commands. - Kubernetes Audit Logs: Enable Kubernetes API server audit logging. Capture events where users query resources such as pods, deployments, or services. - Cloud Provider Logs - AWS CloudTrail: Enable logging for API calls like ListTasks or DescribeTasks. - Azure Monitor: Enable activity logging to track container-related queries. - GCP Cloud Logging: Track API events involving container enumerations or deployments. - SIEM Integration: Collect logs from Docker, Kubernetes, and cloud services for centralized analysis.	"Container Enumeration" data component captures events and actions related to listing and identifying active or available containers within a containerized environment. This includes information about running, stopped, or configured containers, such as their names, IDs, statuses, or associated images. Monitoring this activity is crucial for detecting unauthorized discovery or reconnaissance efforts. Examples: - Docker Example: `docker ps`, `docker ps -a` - Kubernetes Example: `kubectl get pods`, `kubectl get deployments` - Cloud Container Services Example - AWS ECS: API Call: ListTasks or ListContainers - Azure Kubernetes Service: API Call: List pod or container instances. - Google Kubernetes Engine (GKE): API Call: Retrieve deployments and their associated containers.

[DC0054] Drive Access

Current version: 2.0

	Old Description			New Description
t	1	Refers to the act of accessing a data storage device, such a	t	1	Refers to the act of accessing a data storage device, such a
	>	s a hard drive, SSD, USB, or network-mounted drive. This dat		>	s a hard drive, SSD, USB, or network-mounted drive. This dat
	>	a component logs the opening or mounting of drives, capturin		>	a component logs the opening or mounting of drives, capturin
	>	g activities such as reading, writing, or executing files wi		>	g activities such as reading, writing, or executing files wi
	>	thin an assigned drive letter (e.g., `C:\`, `/mnt/drive`) or		>	thin an assigned drive letter (e.g., `C:\`, `/mnt/drive`) or
	>	mount point. Examples: - Removable Drive Insertion: A USB		>	mount point. Examples: - Removable Drive Insertion: A USB
	>	drive is inserted, assigned the letter `F:\`, and files are		>	drive is inserted, assigned the letter `F:\`, and files are
	>	accessed. - Network Drive Mounting: A network share `\\serv		>	accessed. - Network Drive Mounting: A network share `\\serv
	>	er\share` is mapped to the drive `Z:\`. - External Hard Driv		>	er\share` is mapped to the drive `Z:\`. - External Hard Driv
	>	e Access: An external drive is connected, mounted at `/mnt/b		>	e Access: An external drive is connected, mounted at `/mnt/b
	>	ackup`, and accessed for copying files. - System Volume Acce		>	ackup`, and accessed for copying files. - System Volume Acce
	>	ss: The system volume `C:\` is accessed for modifications to		>	ss: The system volume `C:\` is accessed for modifications to
	>	critical files. - Cloud-Synced Drives: Cloud storage drives		>	critical files. - Cloud-Synced Drives: Cloud storage drives
	>	like OneDrive or Google Drive are accessed via local mounts		>	like OneDrive or Google Drive are accessed via local mounts
	>	. This data component can be collected through the followin		>	.
	>	g measures: Windows Event Logs - Relevant Events: - Eve
	>	nt ID 4663: Logs access to file or folder objects. - Eve
	>	nt ID 4656: Tracks a handle to an object like a drive or fil
	>	e. - Configuration: - Enable auditing for "Object Access
	>	" in Local Security Policy. - Use Group Policy for broad
	>	er deployment: `Computer Configuration > Windows Settings >
	>	Security Settings > Advanced Audit Policy Configuration > Ob
	>	ject Access` Linux System Logs - Command-Line Monitoring:
	>	Use the `dmesg` or `journalctl` command to monitor drive mou
	>	nt/unmount events. - Auditd Configuration: Add an audit rule
	>	for drive access: `auditctl -w /mnt/drive -p rwxa -k drive_
	>	access` - Review logs via `/var/log/audit/audit.log`. macOS
	>	System Logs - Command-Line Monitoring: Use `diskutil list`
	>	or `fs_usage` to monitor drive access and mount points. - U
	>	nified Logs: Query unified logs using log show for drive-rel
	>	ated activities: `log show --info \| grep "mount"` Endpoint
	>	Detection and Response (EDR) Tools - Use EDR solutions to m
	>	onitor drive activities and collect detailed forensic data.
	>	SIEM Tools - Ingest logs from endpoints to detect drive ac
	>	cess patterns. Configure rules to alert on unusual or unauth
	>	orized drive access.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:38.086000+00:00	2025-11-12 22:03:39.105000+00:00
description	Refers to the act of accessing a data storage device, such as a hard drive, SSD, USB, or network-mounted drive. This data component logs the opening or mounting of drives, capturing activities such as reading, writing, or executing files within an assigned drive letter (e.g., `C:\`, `/mnt/drive`) or mount point. Examples: - Removable Drive Insertion: A USB drive is inserted, assigned the letter `F:\`, and files are accessed. - Network Drive Mounting: A network share `\\server\share` is mapped to the drive `Z:\`. - External Hard Drive Access: An external drive is connected, mounted at `/mnt/backup`, and accessed for copying files. - System Volume Access: The system volume `C:\` is accessed for modifications to critical files. - Cloud-Synced Drives: Cloud storage drives like OneDrive or Google Drive are accessed via local mounts. This data component can be collected through the following measures: Windows Event Logs - Relevant Events: - Event ID 4663: Logs access to file or folder objects. - Event ID 4656: Tracks a handle to an object like a drive or file. - Configuration: - Enable auditing for "Object Access" in Local Security Policy. - Use Group Policy for broader deployment: `Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access` Linux System Logs - Command-Line Monitoring: Use the `dmesg` or `journalctl` command to monitor drive mount/unmount events. - Auditd Configuration: Add an audit rule for drive access: `auditctl -w /mnt/drive -p rwxa -k drive_access` - Review logs via `/var/log/audit/audit.log`. macOS System Logs - Command-Line Monitoring: Use `diskutil list` or `fs_usage` to monitor drive access and mount points. - Unified Logs: Query unified logs using log show for drive-related activities: `log show --info \| grep "mount"` Endpoint Detection and Response (EDR) Tools - Use EDR solutions to monitor drive activities and collect detailed forensic data. SIEM Tools - Ingest logs from endpoints to detect drive access patterns. Configure rules to alert on unusual or unauthorized drive access.	Refers to the act of accessing a data storage device, such as a hard drive, SSD, USB, or network-mounted drive. This data component logs the opening or mounting of drives, capturing activities such as reading, writing, or executing files within an assigned drive letter (e.g., `C:\`, `/mnt/drive`) or mount point. Examples: - Removable Drive Insertion: A USB drive is inserted, assigned the letter `F:\`, and files are accessed. - Network Drive Mounting: A network share `\\server\share` is mapped to the drive `Z:\`. - External Hard Drive Access: An external drive is connected, mounted at `/mnt/backup`, and accessed for copying files. - System Volume Access: The system volume `C:\` is accessed for modifications to critical files. - Cloud-Synced Drives: Cloud storage drives like OneDrive or Google Drive are accessed via local mounts.

[DC0042] Drive Creation

Current version: 2.0

	Old Description			New Description
t	1	The activity of assigning a new drive letter or creating a m	t	1	The activity of assigning a new drive letter or creating a m
	>	ount point for a data storage device, such as a USB, network		>	ount point for a data storage device, such as a USB, network
	>	share, or external hard drive, enabling access to its conte		>	share, or external hard drive, enabling access to its conte
	>	nt on a host system. Examples: - USB Drive Insertion: A US		>	nt on a host system. Examples: - USB Drive Insertion: A US
	>	B drive is plugged in and automatically assigned the letter		>	B drive is plugged in and automatically assigned the letter
	>	`E:\` on a Windows machine. - Network Drive Mapping: A netwo		>	`E:\` on a Windows machine. - Network Drive Mapping: A netwo
	>	rk share `\\server\share` is mapped to the drive `Z:\`. - Vi		>	rk share `\\server\share` is mapped to the drive `Z:\`. - Vi
	>	rtual Drive Creation: A virtual disk is mounted on `/mnt/vir		>	rtual Drive Creation: A virtual disk is mounted on `/mnt/vir
	>	tualdrive` using an ISO image or a virtual hard disk (VHD).		>	tualdrive` using an ISO image or a virtual hard disk (VHD).
	>	- Cloud Storage Mounting: Google Drive is mounted as `G:\` o		>	- Cloud Storage Mounting: Google Drive is mounted as `G:\` o
	>	n a Windows machine using a cloud sync tool. - External Stor		>	n a Windows machine using a cloud sync tool. - External Stor
	>	age Integration: An external HDD or SSD is connected and ass		>	age Integration: An external HDD or SSD is connected and ass
	>	igned `/mnt/external` on a Linux system. This data componen		>	igned `/mnt/external` on a Linux system..
	>	t can be collected through the following measures: Windows
	>	Event Logs - Relevant Events: - Event ID 98: Logs the c
	>	reation of a volume (mount or new drive letter assignment).
	>	- Event ID 1006: Logs removable storage device insertion
	>	s. - Configuration: Enable "Removable Storage Events" in the
	>	Group Policy settings: `Computer Configuration > Administra
	>	tive Templates > System > Removable Storage Access` Linux S
	>	ystem Logs - Command-Line Monitoring: Use `dmesg` or `journ
	>	alctl` to monitor mount events. - Auditd Configuration: Add
	>	audit rules to track mount points. - Logs can be reviewed i
	>	n /var/log/audit/audit.log. macOS System Logs - Unified Lo
	>	gs: Monitor system logs for mount activity: - Command-Line T
	>	ools: Use `diskutil list` to verify newly created or mounted
	>	drives. Endpoint Detection and Response (EDR) Tools - EDR
	>	solutions can log removable drive usage and network-mounted
	>	drives. Configure EDR policies to alert on suspicious drive
	>	creation events. SIEM Tools - Centralize logs from multip
	>	le platforms into a SIEM (e.g., Splunk) to correlate and ale
	>	rt on suspicious drive creation activities.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:37.342000+00:00	2025-11-12 22:03:39.105000+00:00
description	The activity of assigning a new drive letter or creating a mount point for a data storage device, such as a USB, network share, or external hard drive, enabling access to its content on a host system. Examples: - USB Drive Insertion: A USB drive is plugged in and automatically assigned the letter `E:\` on a Windows machine. - Network Drive Mapping: A network share `\\server\share` is mapped to the drive `Z:\`. - Virtual Drive Creation: A virtual disk is mounted on `/mnt/virtualdrive` using an ISO image or a virtual hard disk (VHD). - Cloud Storage Mounting: Google Drive is mounted as `G:\` on a Windows machine using a cloud sync tool. - External Storage Integration: An external HDD or SSD is connected and assigned `/mnt/external` on a Linux system. This data component can be collected through the following measures: Windows Event Logs - Relevant Events: - Event ID 98: Logs the creation of a volume (mount or new drive letter assignment). - Event ID 1006: Logs removable storage device insertions. - Configuration: Enable "Removable Storage Events" in the Group Policy settings: `Computer Configuration > Administrative Templates > System > Removable Storage Access` Linux System Logs - Command-Line Monitoring: Use `dmesg` or `journalctl` to monitor mount events. - Auditd Configuration: Add audit rules to track mount points. - Logs can be reviewed in /var/log/audit/audit.log. macOS System Logs - Unified Logs: Monitor system logs for mount activity: - Command-Line Tools: Use `diskutil list` to verify newly created or mounted drives. Endpoint Detection and Response (EDR) Tools - EDR solutions can log removable drive usage and network-mounted drives. Configure EDR policies to alert on suspicious drive creation events. SIEM Tools - Centralize logs from multiple platforms into a SIEM (e.g., Splunk) to correlate and alert on suspicious drive creation activities.	The activity of assigning a new drive letter or creating a mount point for a data storage device, such as a USB, network share, or external hard drive, enabling access to its content on a host system. Examples: - USB Drive Insertion: A USB drive is plugged in and automatically assigned the letter `E:\` on a Windows machine. - Network Drive Mapping: A network share `\\server\share` is mapped to the drive `Z:\`. - Virtual Drive Creation: A virtual disk is mounted on `/mnt/virtualdrive` using an ISO image or a virtual hard disk (VHD). - Cloud Storage Mounting: Google Drive is mounted as `G:\` on a Windows machine using a cloud sync tool. - External Storage Integration: An external HDD or SSD is connected and assigned `/mnt/external` on a Linux system..
x_mitre_log_sources[4]['name']	WinEventLog:Microsoft-Windows-Partition/Diagnostic	WinEventLog:System
x_mitre_log_sources[7]['channel']	EventCode=1006,10001	EventCode=1006, 10001

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational', 'channel': 'EventCode=2003'}
x_mitre_log_sources	{'name': 'WinEventLog:System', 'channel': 'EventCode=20001/20003'}
x_mitre_log_sources	{'name': 'WinEventLog:System', 'channel': '20001-20003'}

[DC0046] Drive Modification

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-22 19:03:17.198000+00:00	2025-11-12 22:03:39.105000+00:00
external_references[0]['url']	https://attack.mitre.org/data-components/DC0046	https://attack.mitre.org/datacomponents/DC0046

[DC0079] Driver Load

Current version: 2.0

	Old Description			New Description
t	1	The process of attaching a driver, which is a software compo	t	1	The process of attaching a driver, which is a software compo
	>	nent that allows the operating system and applications to in		>	nent that allows the operating system and applications to in
	>	teract with hardware devices, to either user-mode or kernel-		>	teract with hardware devices, to either user-mode or kernel-
	>	mode of a system. This can include benign actions (e.g., har		>	mode of a system. This can include benign actions (e.g., har
	>	dware drivers) or malicious behavior (e.g., rootkits or unsi		>	dware drivers) or malicious behavior (e.g., rootkits or unsi
	>	gned drivers). Examples: - Legitimate Driver Loading: A ne		>	gned drivers). Examples: - Legitimate Driver Loading: A ne
	>	w graphics driver from a vendor like NVIDIA or AMD is loaded		>	w graphics driver from a vendor like NVIDIA or AMD is loaded
	>	into the system. - Unsigned Driver Loading: A driver withou		>	into the system. - Unsigned Driver Loading: A driver withou
	>	t a valid digital signature is loaded into the kernel. - Roo		>	t a valid digital signature is loaded into the kernel. - Roo
	>	tkit Installation: A malicious rootkit driver is loaded to m		>	tkit Installation: A malicious rootkit driver is loaded to m
	>	anipulate kernel-mode processes. - Anti-Virus or EDR Driver		>	anipulate kernel-mode processes. - Anti-Virus or EDR Driver
	>	Loading: An Endpoint Detection and Response (EDR) solution l		>	Loading: An Endpoint Detection and Response (EDR) solution l
	>	oads its driver to monitor system activities. - Driver Misus		>	oads its driver to monitor system activities. - Driver Misus
	>	e: A legitimate driver is loaded and exploited to execute ma		>	e: A legitimate driver is loaded and exploited to execute ma
	>	licious actions, such as using vulnerable drivers for bypass		>	licious actions, such as using vulnerable drivers for bypass
	>	ing defenses (e.g., Bring Your Own Vulnerable Driver (BYOVD)		>	ing defenses (e.g., Bring Your Own Vulnerable Driver (BYOVD)
	>	attacks). This data component can be collected through the		>	attacks).
	>	following measures: Windows - Sysmon Logs: - Event I
	>	D 6: Captures driver loading activity, including file path,
	>	hashes, and signature information. - Configuration: Ensu
	>	re Sysmon is configured with a ruleset that monitors driver
	>	loading events - Windows Event Logs: Enable "Audit Kernel Ob
	>	ject" to capture kernel-related driver loading events. Linu
	>	x - Auditd: Configure audit rules to capture driver loading
	>	events: `auditctl -w /lib/modules/ -p rwxa -k driver_load`
	>	- Kernel Logs (dmesg): Use dmesg to monitor driver-related a
	>	ctivities: `dmesg \| grep "module"` - Syslog or journald: Rev
	>	iew logs for module insertion or removal activities. macOS
	>	- Unified Logs: Use the macOS unified logging system to mon
	>	itor kext (kernel extension) loads: `log show --predicate 'e
	>	ventMessage contains "kext load"'` - Endpoint Security Frame
	>	work: Monitor driver loading via third-party security tools
	>	that leverage Apple’s Endpoint Security Framework. SIEM Too
	>	ls - Ingest driver load logs from Sysmon, Auditd, or macOS
	>	unified logs into a centralized SIEM (e.g., Splunk). - Creat
	>	e rules to detect unsigned drivers, rootkit activity, or kno
	>	wn vulnerable drivers. EDR Solutions - Use EDR tools to de
	>	tect and alert on anomalous driver loading activity.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:37.274000+00:00	2025-11-12 22:03:39.105000+00:00
description	The process of attaching a driver, which is a software component that allows the operating system and applications to interact with hardware devices, to either user-mode or kernel-mode of a system. This can include benign actions (e.g., hardware drivers) or malicious behavior (e.g., rootkits or unsigned drivers). Examples: - Legitimate Driver Loading: A new graphics driver from a vendor like NVIDIA or AMD is loaded into the system. - Unsigned Driver Loading: A driver without a valid digital signature is loaded into the kernel. - Rootkit Installation: A malicious rootkit driver is loaded to manipulate kernel-mode processes. - Anti-Virus or EDR Driver Loading: An Endpoint Detection and Response (EDR) solution loads its driver to monitor system activities. - Driver Misuse: A legitimate driver is loaded and exploited to execute malicious actions, such as using vulnerable drivers for bypassing defenses (e.g., Bring Your Own Vulnerable Driver (BYOVD) attacks). This data component can be collected through the following measures: Windows - Sysmon Logs: - Event ID 6: Captures driver loading activity, including file path, hashes, and signature information. - Configuration: Ensure Sysmon is configured with a ruleset that monitors driver loading events - Windows Event Logs: Enable "Audit Kernel Object" to capture kernel-related driver loading events. Linux - Auditd: Configure audit rules to capture driver loading events: `auditctl -w /lib/modules/ -p rwxa -k driver_load` - Kernel Logs (dmesg): Use dmesg to monitor driver-related activities: `dmesg \| grep "module"` - Syslog or journald: Review logs for module insertion or removal activities. macOS - Unified Logs: Use the macOS unified logging system to monitor kext (kernel extension) loads: `log show --predicate 'eventMessage contains "kext load"'` - Endpoint Security Framework: Monitor driver loading via third-party security tools that leverage Apple’s Endpoint Security Framework. SIEM Tools - Ingest driver load logs from Sysmon, Auditd, or macOS unified logs into a centralized SIEM (e.g., Splunk). - Create rules to detect unsigned drivers, rootkit activity, or known vulnerable drivers. EDR Solutions - Use EDR tools to detect and alert on anomalous driver loading activity.	The process of attaching a driver, which is a software component that allows the operating system and applications to interact with hardware devices, to either user-mode or kernel-mode of a system. This can include benign actions (e.g., hardware drivers) or malicious behavior (e.g., rootkits or unsigned drivers). Examples: - Legitimate Driver Loading: A new graphics driver from a vendor like NVIDIA or AMD is loaded into the system. - Unsigned Driver Loading: A driver without a valid digital signature is loaded into the kernel. - Rootkit Installation: A malicious rootkit driver is loaded to manipulate kernel-mode processes. - Anti-Virus or EDR Driver Loading: An Endpoint Detection and Response (EDR) solution loads its driver to monitor system activities. - Driver Misuse: A legitimate driver is loaded and exploited to execute malicious actions, such as using vulnerable drivers for bypassing defenses (e.g., Bring Your Own Vulnerable Driver (BYOVD) attacks).

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:System', 'channel': 'EventCode=6'}

[DC0055] File Access

Current version: 2.0

	Old Description			New Description
t	1	To events where a file is opened or accessed, making its con	t	1	To events where a file is opened or accessed, making its con
	>	tents available to the requester. This includes reading, exe		>	tents available to the requester. This includes reading, exe
	>	cuting, or interacting with files by authorized or unauthori		>	cuting, or interacting with files by authorized or unauthori
	>	zed entities. Examples include logging file access events (e		>	zed entities. Examples include logging file access events (e
	>	.g., Windows Event ID 4663), monitoring file reads, and dete		>	.g., Windows Event ID 4663), monitoring file reads, and dete
	>	cting unusual file access patterns. Examples: - File Read		>	cting unusual file access patterns. Examples: - File Read
	>	Operations: A user opens a sensitive document (e.g., financi		>	Operations: A user opens a sensitive document (e.g., financi
	>	al_report.xlsx) on a shared drive. - File Execution: A scrip		>	al_report.xlsx) on a shared drive. - File Execution: A scrip
	>	t or executable file is accessed and executed (e.g., malware		>	t or executable file is accessed and executed (e.g., malware
	>	.exe is run from a temporary directory). - Unauthorized File		>	.exe is run from a temporary directory). - Unauthorized File
	>	Access: An unauthorized user attempts to access a protected		>	Access: An unauthorized user attempts to access a protected
	>	configuration file (e.g., `/etc/passwd` on Linux or `System		>	configuration file (e.g., `/etc/passwd` on Linux or `System
	>	32` files on Windows). - File Access Patterns: Bulk access t		>	32` files on Windows). - File Access Patterns: Bulk access t
	>	o multiple files in a short time (e.g., mass access to docum		>	o multiple files in a short time (e.g., mass access to docum
	>	ents on a file server). - File Access via Network: Files on		>	ents on a file server). - File Access via Network: Files on
	>	a network share are accessed remotely (e.g., logs of SMB fil		>	a network share are accessed remotely (e.g., logs of SMB fil
	>	e access). This data component can be collected through the		>	e access).
	>	following measures: Windows - Windows Event Logs: Event I
	>	D 4663: Captures file system auditing details, including who
	>	accessed the file, access type, and file name. - Sysmon:
	>	- Event ID 11: Logs file creation time changes. - Even
	>	t ID 1 (process creation): Can provide insight into files ex
	>	ecuted. - PowerShell: Commands to monitor file access in rea
	>	l-time: `Get-WinEvent -FilterHashtable @{LogName='Security';
	>	ID=4663}` Linux - Auditd: Monitor file access events usin
	>	g audit rules: `auditctl -w /path/to/file -p rwxa -k file_ac
	>	cess` - View logs: `ausearch -k file_access` - Inotify: Use
	>	inotify to track file access on Linux: `inotifywait -m /path
	>	/to/watch -e access` macOS - Unified Logs: Monitor file ac
	>	cess using the macOS Unified Logging System. - FSEvents: Fil
	>	e System Events can track file accesses: `fs_usage \| grep op
	>	en` Network Devices - SMB/CIFS Logs: Monitor file access o
	>	ver network shares using logs from SMB or CIFS protocol. - N
	>	AS Logs: Collect logs from network-attached storage systems
	>	for file access events. SIEM Integration - Collect file ac
	>	cess logs from all platforms (Windows, Linux, macOS) and cen
	>	tralize in a SIEM for correlation and analysis.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:35.674000+00:00	2025-11-12 22:03:39.105000+00:00
description	To events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples: - File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive. - File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory). - Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., `/etc/passwd` on Linux or `System32` files on Windows). - File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server). - File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access). This data component can be collected through the following measures: Windows - Windows Event Logs: Event ID 4663: Captures file system auditing details, including who accessed the file, access type, and file name. - Sysmon: - Event ID 11: Logs file creation time changes. - Event ID 1 (process creation): Can provide insight into files executed. - PowerShell: Commands to monitor file access in real-time: `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663}` Linux - Auditd: Monitor file access events using audit rules: `auditctl -w /path/to/file -p rwxa -k file_access` - View logs: `ausearch -k file_access` - Inotify: Use inotify to track file access on Linux: `inotifywait -m /path/to/watch -e access` macOS - Unified Logs: Monitor file access using the macOS Unified Logging System. - FSEvents: File System Events can track file accesses: `fs_usage \| grep open` Network Devices - SMB/CIFS Logs: Monitor file access over network shares using logs from SMB or CIFS protocol. - NAS Logs: Collect logs from network-attached storage systems for file access events. SIEM Integration - Collect file access logs from all platforms (Windows, Linux, macOS) and centralize in a SIEM for correlation and analysis.	To events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples: - File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive. - File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory). - Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., `/etc/passwd` on Linux or `System32` files on Windows). - File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server). - File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access).
x_mitre_log_sources[4]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4656, 4663'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4656,4663'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4670, 4663'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4656'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=5145, 4663'}
x_mitre_log_sources	{'name': 'auditd:PATH', 'channel': 'path'}

[DC0039] File Creation

Current version: 2.0

	Old Description			New Description
t	1	A new file is created on a system or network storage. This a	t	1	A new file is created on a system or network storage. This a
	>	ction often signifies an operation such as saving a document		>	ction often signifies an operation such as saving a document
	>	, writing data, or deploying a file. Logging these events he		>	, writing data, or deploying a file. Logging these events he
	>	lps identify legitimate or potentially malicious file creati		>	lps identify legitimate or potentially malicious file creati
	>	on activities. Examples include logging file creation events		>	on activities. Examples include logging file creation events
	>	(e.g., Sysmon Event ID 11 or Linux auditd logs). This dat		>	(e.g., Sysmon Event ID 11 or Linux auditd logs).
	>	a component can be collected through the following measures:
	>	Windows - Sysmon: Event ID 11: Logs file creation events,
	>	capturing details like the file path, hash, and creation ti
	>	me. - Windows Event Log: Enable "Object Access" auditing in
	>	Group Policy to track file creation under Event ID 4663. - P
	>	owerShell: Real-time monitoring of file creation:`Get-WinEve
	>	nt -FilterHashtable @{LogName='Security'; ID=4663}` Linux
	>	- Auditd: Use audit rules to monitor file creation: `auditct
	>	l -w /path/to/directory -p w -k file_creation` - View logs:
	>	`ausearch -k file_creation` - Inotify: Monitor file creation
	>	with inotifywait: `inotifywait -m /path/to/watch -e create`
	>	macOS - Unified Logs: Use the macOS Unified Logging Syste
	>	m to capture file creation events. - FSEvents: Use File Syst
	>	em Events to monitor file creation: `fs_usage \| grep create`
	>	Network Devices - NAS Logs: Monitor file creation events
	>	on network-attached storage devices. - SMB Logs: Collect log
	>	s of file creation activities over SMB/CIFS protocols. SIEM
	>	Integration - Forward logs from all platforms (Windows, Li
	>	nux, macOS) to a SIEM for central analysis and alerting.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 19:32:14.744000+00:00	2025-11-12 22:03:39.105000+00:00
external_references[0]['url']	https://attack.mitre.org/data-components/DC0039	https://attack.mitre.org/datacomponents/DC0039
description	A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs). This data component can be collected through the following measures: Windows - Sysmon: Event ID 11: Logs file creation events, capturing details like the file path, hash, and creation time. - Windows Event Log: Enable "Object Access" auditing in Group Policy to track file creation under Event ID 4663. - PowerShell: Real-time monitoring of file creation:`Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663}` Linux - Auditd: Use audit rules to monitor file creation: `auditctl -w /path/to/directory -p w -k file_creation` - View logs: `ausearch -k file_creation` - Inotify: Monitor file creation with inotifywait: `inotifywait -m /path/to/watch -e create` macOS - Unified Logs: Use the macOS Unified Logging System to capture file creation events. - FSEvents: Use File System Events to monitor file creation: `fs_usage \| grep create` Network Devices - NAS Logs: Monitor file creation events on network-attached storage devices. - SMB Logs: Collect logs of file creation activities over SMB/CIFS protocols. SIEM Integration - Forward logs from all platforms (Windows, Linux, macOS) to a SIEM for central analysis and alerting.	A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs).
x_mitre_log_sources[37]['name']	macos:unified	macos:unifiedlog

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Sysmon', 'channel': 'Modification of .asar in /opt or ~/.config directories'}

[DC0040] File Deletion

Current version: 2.0

	Old Description			New Description
t	1	Refers to events where files are removed from a system or st	t	1	Refers to events where files are removed from a system or st
	>	orage device. These events can indicate legitimate housekeep		>	orage device. These events can indicate legitimate housekeep
	>	ing activities or malicious actions such as attackers attemp		>	ing activities or malicious actions such as attackers attemp
	>	ting to cover their tracks. Monitoring file deletions helps		>	ting to cover their tracks. Monitoring file deletions helps
	>	organizations identify unauthorized or suspicious activities		>	organizations identify unauthorized or suspicious activities
	>	. This data component can be collected through the followin		>	.
	>	g measures: Windows - Sysmon: Event ID 23: Logs file delet
	>	ion events, including details such as file paths and respons
	>	ible processes. - Windows Event Log: Enable "Object Access"
	>	auditing to monitor file deletions. - PowerShell: `Get-WinEv
	>	ent -FilterHashtable @{LogName='Security'; ID=4663} \| Where-
	>	Object {$_.Message -like 'DELETE'}` Linux - Auditd: Use
	>	audit rules to capture file deletion events: `auditctl -a al
	>	ways,exit -F arch=b64 -S unlink -S rename -S rmdir -k file_d
	>	eletion` - Query logs: `ausearch -k file_deletion` - Inotify
	>	: Use inotifywait to monitor file deletions: `inotifywait -m
	>	/path/to/watch -e delete` macOS - Endpoint Security Frame
	>	work (ESF): Monitor events like ES_EVENT_TYPE_AUTH_UNLINK to
	>	capture file deletion activities. - FSEvents: Track file de
	>	letion activities in real-time: `fs_usage \| grep unlink` SI
	>	EM Integration - Forward file deletion logs to a SIEM for c
	>	entralized monitoring and correlation with other events.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.450000+00:00	2025-11-12 22:03:39.105000+00:00
description	Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities. This data component can be collected through the following measures: Windows - Sysmon: Event ID 23: Logs file deletion events, including details such as file paths and responsible processes. - Windows Event Log: Enable "Object Access" auditing to monitor file deletions. - PowerShell: `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663} \| Where-Object {$_.Message -like 'DELETE'}` Linux - Auditd: Use audit rules to capture file deletion events: `auditctl -a always,exit -F arch=b64 -S unlink -S rename -S rmdir -k file_deletion` - Query logs: `ausearch -k file_deletion` - Inotify: Use inotifywait to monitor file deletions: `inotifywait -m /path/to/watch -e delete` macOS - Endpoint Security Framework (ESF): Monitor events like ES_EVENT_TYPE_AUTH_UNLINK to capture file deletion activities. - FSEvents: Track file deletion activities in real-time: `fs_usage \| grep unlink` SIEM Integration - Forward file deletion logs to a SIEM for centralized monitoring and correlation with other events.	Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities.

[DC0059] File Metadata

Current version: 2.0

	Old Description			New Description
t	1	contextual information about a file, including attributes su	t	1	contextual information about a file, including attributes su
	>	ch as the file's name, size, type, content (e.g., signatures		>	ch as the file's name, size, type, content (e.g., signatures
	>	, headers, media), user/owner, permissions, timestamps, and		>	, headers, media), user/owner, permissions, timestamps, and
	>	other related properties. File metadata provides insights in		>	other related properties. File metadata provides insights in
	>	to a file's characteristics and can be used to detect malici		>	to a file's characteristics and can be used to detect malici
	>	ous activity, unauthorized modifications, or other anomalies		>	ous activity, unauthorized modifications, or other anomalies
	>	. Examples: - File Ownership and Permissions: Checking the		>	. Examples: - File Ownership and Permissions: Checking the
	>	owner and permissions of a critical configuration file like		>	owner and permissions of a critical configuration file like
	>	/etc/passwd on Linux or C:\Windows\System32\config\SAM on W		>	/etc/passwd on Linux or C:\Windows\System32\config\SAM on W
	>	indows. - Timestamps: Analyzing the creation, modification,		>	indows. - Timestamps: Analyzing the creation, modification,
	>	and access timestamps of a file. - File Content and Signatur		>	and access timestamps of a file. - File Content and Signatur
	>	es: Extracting the headers of an executable file to verify i		>	es: Extracting the headers of an executable file to verify i
	>	ts signature or detect packing/obfuscation. - File Attribute		>	ts signature or detect packing/obfuscation. - File Attribute
	>	s: Analyzing attributes like hidden, system, or read-only fl		>	s: Analyzing attributes like hidden, system, or read-only fl
	>	ags in Windows. - File Hashes: Generating MD5, SHA-1, or SHA		>	ags in Windows. - File Hashes: Generating MD5, SHA-1, or SHA
	>	-256 hashes of files to compare against threat intelligence		>	-256 hashes of files to compare against threat intelligence
	>	feeds. - File Location: Monitoring files located in unusual		>	feeds. - File Location: Monitoring files located in unusual
	>	directories or paths, such as temporary or user folders. Th		>	directories or paths, such as temporary or user folders.
	>	is data component can be collected through the following mea
	>	sures: Windows - Sysinternals Tools: Use `AccessEnum` or `
	>	PSFile` to retrieve metadata about file access and permissio
	>	ns. - Windows Event Logs: Enable object access auditing and
	>	monitor events like 4663 (Object Access) and 5140 (A network
	>	share object was accessed). - PowerShell: Use Get-Item or G
	>	et-ChildItem cmdlets: `Get-ChildItem -Path "C:\Path\To\Direc
	>	tory" -Recurse \| Select-Object Name, Length, LastWriteTime,
	>	Attributes` Linux - File System Commands: Use `ls -l` or s
	>	tat to retrieve file metadata: `stat /path/to/file` - Auditd
	>	: Configure audit rules to log metadata access: `auditctl -w
	>	/path/to/file -p wa -k file_metadata` - Filesystem Integrit
	>	y Tools: Tools like tripwire or AIDE (Advanced Intrusion Det
	>	ection Environment) can monitor file metadata changes. macO
	>	S - FSEvents: Use FSEvents to track file metadata changes.
	>	- Endpoint Security Framework (ESF): Capture metadata-relate
	>	d events via ESF APIs. - Command-Line Tools: Use ls -l or xa
	>	ttr for file attributes: `ls -l@ /path/to/file` SIEM Integr
	>	ation - Forward file metadata logs from endpoint or network
	>	devices to a SIEM for centralized analysis.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:35.397000+00:00	2025-11-12 22:03:39.105000+00:00
description	contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples: - File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\Windows\System32\config\SAM on Windows. - Timestamps: Analyzing the creation, modification, and access timestamps of a file. - File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation. - File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows. - File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds. - File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders. This data component can be collected through the following measures: Windows - Sysinternals Tools: Use `AccessEnum` or `PSFile` to retrieve metadata about file access and permissions. - Windows Event Logs: Enable object access auditing and monitor events like 4663 (Object Access) and 5140 (A network share object was accessed). - PowerShell: Use Get-Item or Get-ChildItem cmdlets: `Get-ChildItem -Path "C:\Path\To\Directory" -Recurse \| Select-Object Name, Length, LastWriteTime, Attributes` Linux - File System Commands: Use `ls -l` or stat to retrieve file metadata: `stat /path/to/file` - Auditd: Configure audit rules to log metadata access: `auditctl -w /path/to/file -p wa -k file_metadata` - Filesystem Integrity Tools: Tools like tripwire or AIDE (Advanced Intrusion Detection Environment) can monitor file metadata changes. macOS - FSEvents: Use FSEvents to track file metadata changes. - Endpoint Security Framework (ESF): Capture metadata-related events via ESF APIs. - Command-Line Tools: Use ls -l or xattr for file attributes: `ls -l@ /path/to/file` SIEM Integration - Forward file metadata logs from endpoint or network devices to a SIEM for centralized analysis.	contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples: - File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\Windows\System32\config\SAM on Windows. - Timestamps: Analyzing the creation, modification, and access timestamps of a file. - File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation. - File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows. - File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds. - File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders.
x_mitre_log_sources[18]['channel']	path	PATH
x_mitre_log_sources[42]['channel']	EventCode=4670	EventCode=4663, 4670, 4656

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4663'}
x_mitre_log_sources	{'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=15 '}

[DC0061] File Modification

Current version: 2.0

	Old Description			New Description
t	1	Changes made to a file, including updates to its contents, m	t	1	Changes made to a file, including updates to its contents, m
	>	etadata, access permissions, or attributes. These modificati		>	etadata, access permissions, or attributes. These modificati
	>	ons may indicate legitimate activity (e.g., software updates		>	ons may indicate legitimate activity (e.g., software updates
	>	) or unauthorized changes (e.g., tampering, ransomware, or a		>	) or unauthorized changes (e.g., tampering, ransomware, or a
	>	dversarial modifications). Examples: - Content Modificatio		>	dversarial modifications). Examples: - Content Modificatio
	>	ns: Changes to the content of a configuration file, such as		>	ns: Changes to the content of a configuration file, such as
	>	modifying `/etc/ssh/sshd_config` on Linux or `C:\Windows\Sys		>	modifying `/etc/ssh/sshd_config` on Linux or `C:\Windows\Sys
	>	tem32\drivers\etc\hosts` on Windows. - Permission Changes: A		>	tem32\drivers\etc\hosts` on Windows. - Permission Changes: A
	>	ltering file permissions to allow broader access, such as ch		>	ltering file permissions to allow broader access, such as ch
	>	anging a file from `644` to `777` on Linux or modifying NTFS		>	anging a file from `644` to `777` on Linux or modifying NTFS
	>	permissions on Windows. - Attribute Modifications: Changing		>	permissions on Windows. - Attribute Modifications: Changing
	>	a file's attributes to hidden, read-only, or system on Wind		>	a file's attributes to hidden, read-only, or system on Wind
	>	ows. - Timestamp Manipulation: Adjusting a file's creation o		>	ows. - Timestamp Manipulation: Adjusting a file's creation o
	>	r modification timestamp using tools like `touch` in Linux o		>	r modification timestamp using tools like `touch` in Linux o
	>	r timestomping tools on Windows. - Software or System File C		>	r timestomping tools on Windows. - Software or System File C
	>	hanges: Modifying system files such as `boot.ini`, kernel mo		>	hanges: Modifying system files such as `boot.ini`, kernel mo
	>	dules, or application binaries. This data component can be		>	dules, or application binaries.
	>	collected through the following measures: Windows - Event
	>	Logs: Enable file system auditing to monitor file modificati
	>	ons using Security Event ID 4670 (File System Audit) or Sysm
	>	on Event ID 2 (File creation time changed). - PowerShell: Us
	>	e Get-ItemProperty or Get-Acl cmdlets to monitor file proper
	>	ties: `Get-Item -Path "C:\path\to\file" \| Select-Object Name
	>	, Attributes, LastWriteTime` Linux - File System Monitorin
	>	g: Use tools like auditd with rules to monitor file modifica
	>	tions: `auditctl -w /path/to/file -p wa -k file_modification
	>	` - Inotify: Use inotifywait to watch for real-time changes
	>	to files or directories: `inotifywait -m /path/to/file` mac
	>	OS - Endpoint Security Framework (ESF): Monitor file modifi
	>	cation events using ESF APIs. - Audit Framework: Configure a
	>	udit rules to track file changes. - Command-Line Tools: Use
	>	fs_usage to monitor file activities: `fs_usage -w /path/to/f
	>	ile` SIEM Tools - Collect logs from endpoint agents (e.g.,
	>	Sysmon, Auditd) and file servers to centralize file modific
	>	ation event data.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:35.239000+00:00	2025-11-12 22:03:39.105000+00:00
description	Changes made to a file, including updates to its contents, metadata, access permissions, or attributes. These modifications may indicate legitimate activity (e.g., software updates) or unauthorized changes (e.g., tampering, ransomware, or adversarial modifications). Examples: - Content Modifications: Changes to the content of a configuration file, such as modifying `/etc/ssh/sshd_config` on Linux or `C:\Windows\System32\drivers\etc\hosts` on Windows. - Permission Changes: Altering file permissions to allow broader access, such as changing a file from `644` to `777` on Linux or modifying NTFS permissions on Windows. - Attribute Modifications: Changing a file's attributes to hidden, read-only, or system on Windows. - Timestamp Manipulation: Adjusting a file's creation or modification timestamp using tools like `touch` in Linux or timestomping tools on Windows. - Software or System File Changes: Modifying system files such as `boot.ini`, kernel modules, or application binaries. This data component can be collected through the following measures: Windows - Event Logs: Enable file system auditing to monitor file modifications using Security Event ID 4670 (File System Audit) or Sysmon Event ID 2 (File creation time changed). - PowerShell: Use Get-ItemProperty or Get-Acl cmdlets to monitor file properties: `Get-Item -Path "C:\path\to\file" \| Select-Object Name, Attributes, LastWriteTime` Linux - File System Monitoring: Use tools like auditd with rules to monitor file modifications: `auditctl -w /path/to/file -p wa -k file_modification` - Inotify: Use inotifywait to watch for real-time changes to files or directories: `inotifywait -m /path/to/file` macOS - Endpoint Security Framework (ESF): Monitor file modification events using ESF APIs. - Audit Framework: Configure audit rules to track file changes. - Command-Line Tools: Use fs_usage to monitor file activities: `fs_usage -w /path/to/file` SIEM Tools - Collect logs from endpoint agents (e.g., Sysmon, Auditd) and file servers to centralize file modification event data.	Changes made to a file, including updates to its contents, metadata, access permissions, or attributes. These modifications may indicate legitimate activity (e.g., software updates) or unauthorized changes (e.g., tampering, ransomware, or adversarial modifications). Examples: - Content Modifications: Changes to the content of a configuration file, such as modifying `/etc/ssh/sshd_config` on Linux or `C:\Windows\System32\drivers\etc\hosts` on Windows. - Permission Changes: Altering file permissions to allow broader access, such as changing a file from `644` to `777` on Linux or modifying NTFS permissions on Windows. - Attribute Modifications: Changing a file's attributes to hidden, read-only, or system on Windows. - Timestamp Manipulation: Adjusting a file's creation or modification timestamp using tools like `touch` in Linux or timestomping tools on Windows. - Software or System File Changes: Modifying system files such as `boot.ini`, kernel modules, or application binaries.
x_mitre_log_sources[8]['channel']	EventCode=4663	EventCode=4663, 4670, 4656
x_mitre_log_sources[59]['name']	WinEventLog:Sysmon	WinEventLog:CodeIntegrity
x_mitre_log_sources[59]['channel']	EvenCode=2	EventCode=3033

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4656,4663'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4670'}
x_mitre_log_sources	{'name': 'WinEventLog:Application', 'channel': '81,3033'}

[DC0044] Firewall Enumeration

Current version: 2.0

	Old Description			New Description
t	1	Querying and extracting a list of available firewalls or the	t	1	Querying and extracting a list of available firewalls or the
	>	ir associated configurations and rules. This activity can oc		>	ir associated configurations and rules. This activity can oc
	>	cur across host systems and cloud control planes, providing		>	cur across host systems and cloud control planes, providing
	>	insight into the state and configuration of firewalls that p		>	insight into the state and configuration of firewalls that p
	>	rotect the environment. Examples: - Querying Host-Based Fi		>	rotect the environment. Examples: - Querying Host-Based Fi
	>	rewalls: Using Windows PowerShell commands like `Get-NetFire		>	rewalls: Using Windows PowerShell commands like `Get-NetFire
	>	wallRule` or Linux commands such as `iptables -L` or `firewa		>	wallRule` or Linux commands such as `iptables -L` or `firewa
	>	lld --list-all`. - Cloud Firewall Rule Listing: Running comm		>	lld --list-all`. - Cloud Firewall Rule Listing: Running comm
	>	ands like `az network firewall list` for Azure or `aws ec2 d		>	ands like `az network firewall list` for Azure or `aws ec2 d
	>	escribe-security-groups` for AWS. - Using Management APIs: L		>	escribe-security-groups` for AWS. - Using Management APIs: L
	>	everaging APIs like Google Cloud Firewall's `list` API metho		>	everaging APIs like Google Cloud Firewall's `list` API metho
	>	d or AWS's DescribeSecurityGroups API. Identifying Misconfig		>	d or AWS's DescribeSecurityGroups API. Identifying Misconfig
	>	urations: Extracting firewall rules to identify “allow all”		>	urations: Extracting firewall rules to identify “allow all”
	>	policies or rules that lack logging. - Enumerating with CLI		>	policies or rules that lack logging. - Enumerating with CLI
	>	Tools: Using CLI commands like `gcloud compute firewall-rule		>	Tools: Using CLI commands like `gcloud compute firewall-rule
	>	s list` to extract firewall settings in Google Cloud. This		>	s list` to extract firewall settings in Google Cloud.
	>	data component can be collected through the following measur
	>	es: Cloud Control Plane - Azure Activity Logs:Collect logs
	>	from Azure Firewall to monitor rule listing commands. Enabl
	>	e logging for `az network firewall` commands. - AWS CloudTra
	>	il: Monitor calls to `DescribeSecurityGroups` or `DescribeNe
	>	tworkAcls` APIs. Google Cloud Operations Suite: Collect logs
	>	for `gcloud compute firewall-rules list` or API calls to `f
	>	irewalls.list`. Host-Based Firewalls - Windows Event Logs:
	>	Use PowerShell transcription logs to capture commands like
	>	`Get-NetFirewallRule`. - Linux Auditd: Track executions of c
	>	ommands like `iptables -L` or `ufw status` using auditd: `au
	>	ditctl -a always,exit -F arch=b64 -S execve -k firewall_enum
	>	` - macOS: Monitor logs for firewall-related queries via the
	>	Console app or log monitoring tools. SIEM Integration - C
	>	ollect logs from endpoints and cloud platforms to centralize
	>	data and detect enumeration activity. Endpoint Detection a
	>	nd Response (EDR) - Use EDR tools to track enumeration comm
	>	ands or API calls performed on managed devices. CSPM Tools
	>	- Deploy Cloud Security Posture Management tools to monitor
	>	for unauthorized enumeration of firewall rules or configura
	>	tions.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
description	Querying and extracting a list of available firewalls or their associated configurations and rules. This activity can occur across host systems and cloud control planes, providing insight into the state and configuration of firewalls that protect the environment. Examples: - Querying Host-Based Firewalls: Using Windows PowerShell commands like `Get-NetFirewallRule` or Linux commands such as `iptables -L` or `firewalld --list-all`. - Cloud Firewall Rule Listing: Running commands like `az network firewall list` for Azure or `aws ec2 describe-security-groups` for AWS. - Using Management APIs: Leveraging APIs like Google Cloud Firewall's `list` API method or AWS's DescribeSecurityGroups API. Identifying Misconfigurations: Extracting firewall rules to identify “allow all” policies or rules that lack logging. - Enumerating with CLI Tools: Using CLI commands like `gcloud compute firewall-rules list` to extract firewall settings in Google Cloud. This data component can be collected through the following measures: Cloud Control Plane - Azure Activity Logs:Collect logs from Azure Firewall to monitor rule listing commands. Enable logging for `az network firewall` commands. - AWS CloudTrail: Monitor calls to `DescribeSecurityGroups` or `DescribeNetworkAcls` APIs. Google Cloud Operations Suite: Collect logs for `gcloud compute firewall-rules list` or API calls to `firewalls.list`. Host-Based Firewalls - Windows Event Logs: Use PowerShell transcription logs to capture commands like `Get-NetFirewallRule`. - Linux Auditd: Track executions of commands like `iptables -L` or `ufw status` using auditd: `auditctl -a always,exit -F arch=b64 -S execve -k firewall_enum` - macOS: Monitor logs for firewall-related queries via the Console app or log monitoring tools. SIEM Integration - Collect logs from endpoints and cloud platforms to centralize data and detect enumeration activity. Endpoint Detection and Response (EDR) - Use EDR tools to track enumeration commands or API calls performed on managed devices. CSPM Tools - Deploy Cloud Security Posture Management tools to monitor for unauthorized enumeration of firewall rules or configurations.	Querying and extracting a list of available firewalls or their associated configurations and rules. This activity can occur across host systems and cloud control planes, providing insight into the state and configuration of firewalls that protect the environment. Examples: - Querying Host-Based Firewalls: Using Windows PowerShell commands like `Get-NetFirewallRule` or Linux commands such as `iptables -L` or `firewalld --list-all`. - Cloud Firewall Rule Listing: Running commands like `az network firewall list` for Azure or `aws ec2 describe-security-groups` for AWS. - Using Management APIs: Leveraging APIs like Google Cloud Firewall's `list` API method or AWS's DescribeSecurityGroups API. Identifying Misconfigurations: Extracting firewall rules to identify “allow all” policies or rules that lack logging. - Enumerating with CLI Tools: Using CLI commands like `gcloud compute firewall-rules list` to extract firewall settings in Google Cloud.

[DC0018] Host Status

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:37.544000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_sources[13]['name']	CloudWatch:Metrics	AWS:CloudWatch
x_mitre_log_sources[17]['name']	CloudWatch:InstanceMetrics	AWS:CloudWatch
x_mitre_log_sources[30]['name']	CloudMetrics:InstanceHealth	AWS:CloudMetrics

[DC0015] Image Creation

Current version: 2.0

	Old Description			New Description
t	1	Initial construction of a virtual machine image within a clo	t	1	Initial construction of a virtual machine image within a clo
	>	ud environment. Virtual machine images are templates contain		>	ud environment. Virtual machine images are templates contain
	>	ing an operating system and installed applications, which ca		>	ing an operating system and installed applications, which ca
	>	n be deployed to create new virtual machines. Monitoring the		>	n be deployed to create new virtual machines. Monitoring the
	>	creation of these images is important because adversaries m		>	creation of these images is important because adversaries m
	>	ay create custom images to include malicious software or mis		>	ay create custom images to include malicious software or mis
	>	configurations for later exploitation. Examples: - Azure C		>	configurations for later exploitation. Examples: - Azure C
	>	ompute Service Image Creation - Example: Creating a virt		>	ompute Service Image Creation - Example: Creating a virt
	>	ual machine image in Azure using Azure CLI: `az image create		>	ual machine image in Azure using Azure CLI: `az image create
	>	--resource-group MyResourceGroup --name MyImage --source My		>	--resource-group MyResourceGroup --name MyImage --source My
	>	VM` - AWS EC2 AMI (Amazon Machine Image) Creation - Exam		>	VM` - AWS EC2 AMI (Amazon Machine Image) Creation - Exam
	>	ple: Creating an AMI from an EC2 instance: `aws ec2 create-i		>	ple: Creating an AMI from an EC2 instance: `aws ec2 create-i
	>	mage --instance-id i-1234567890abcdef0 --name "MyAMI" --desc		>	mage --instance-id i-1234567890abcdef0 --name "MyAMI" --desc
	>	ription "An AMI for my app"` - Google Cloud Compute Engine I		>	ription "An AMI for my app"` - Google Cloud Compute Engine I
	>	mage Creation - Example: Creating a custom image using g		>	mage Creation - Example: Creating a custom image using g
	>	cloud: `gcloud compute images create my-custom-image --sourc		>	cloud: `gcloud compute images create my-custom-image --sourc
	>	e-disk my-disk --source-disk-zone us-central1-a` - VMware vS		>	e-disk my-disk --source-disk-zone us-central1-a` - VMware vS
	>	phere - Example: Exporting a VM to create an OVF (Open V		>	phere - Example: Exporting a VM to create an OVF (Open V
	>	irtualization Format) template: This could later be imported		>	irtualization Format) template: This could later be imported
	>	into other environments with potential tampering. This dat		>	into other environments with potential tampering.
	>	a component can be collected through the following measures:
	>	Enable Cloud Platform Logging - Azure: Enable "Activity L
	>	ogs" to capture image-related events such as PUT requests to
	>	`Microsoft.Compute/images`. - AWS: Use AWS CloudTrail to mo
	>	nitor `CreateImage` API calls. - Google Cloud: Enable "Cloud
	>	Audit Logs" to track custom image creation events under `co
	>	mpute.googleapis.com/images`. API Monitoring - Monitor API
	>	activity to track the creation of new images using: - A
	>	WS SDK/CLI `CreateImage`. - Azure REST API for image cre
	>	ation. - Google Cloud Compute Engine APIs. Cloud SIEM I
	>	ntegration - Ingest cloud platform logs into a centralized
	>	SIEM for real-time monitoring and alerting.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:39.369000+00:00	2025-11-12 22:03:39.105000+00:00
description	Initial construction of a virtual machine image within a cloud environment. Virtual machine images are templates containing an operating system and installed applications, which can be deployed to create new virtual machines. Monitoring the creation of these images is important because adversaries may create custom images to include malicious software or misconfigurations for later exploitation. Examples: - Azure Compute Service Image Creation - Example: Creating a virtual machine image in Azure using Azure CLI: `az image create --resource-group MyResourceGroup --name MyImage --source MyVM` - AWS EC2 AMI (Amazon Machine Image) Creation - Example: Creating an AMI from an EC2 instance: `aws ec2 create-image --instance-id i-1234567890abcdef0 --name "MyAMI" --description "An AMI for my app"` - Google Cloud Compute Engine Image Creation - Example: Creating a custom image using gcloud: `gcloud compute images create my-custom-image --source-disk my-disk --source-disk-zone us-central1-a` - VMware vSphere - Example: Exporting a VM to create an OVF (Open Virtualization Format) template: This could later be imported into other environments with potential tampering. This data component can be collected through the following measures: Enable Cloud Platform Logging - Azure: Enable "Activity Logs" to capture image-related events such as PUT requests to `Microsoft.Compute/images`. - AWS: Use AWS CloudTrail to monitor `CreateImage` API calls. - Google Cloud: Enable "Cloud Audit Logs" to track custom image creation events under `compute.googleapis.com/images`. API Monitoring - Monitor API activity to track the creation of new images using: - AWS SDK/CLI `CreateImage`. - Azure REST API for image creation. - Google Cloud Compute Engine APIs. Cloud SIEM Integration - Ingest cloud platform logs into a centralized SIEM for real-time monitoring and alerting.	Initial construction of a virtual machine image within a cloud environment. Virtual machine images are templates containing an operating system and installed applications, which can be deployed to create new virtual machines. Monitoring the creation of these images is important because adversaries may create custom images to include malicious software or misconfigurations for later exploitation. Examples: - Azure Compute Service Image Creation - Example: Creating a virtual machine image in Azure using Azure CLI: `az image create --resource-group MyResourceGroup --name MyImage --source MyVM` - AWS EC2 AMI (Amazon Machine Image) Creation - Example: Creating an AMI from an EC2 instance: `aws ec2 create-image --instance-id i-1234567890abcdef0 --name "MyAMI" --description "An AMI for my app"` - Google Cloud Compute Engine Image Creation - Example: Creating a custom image using gcloud: `gcloud compute images create my-custom-image --source-disk my-disk --source-disk-zone us-central1-a` - VMware vSphere - Example: Exporting a VM to create an OVF (Open Virtualization Format) template: This could later be imported into other environments with potential tampering.

[DC0028] Image Metadata

Current version: 2.0

	Old Description			New Description
t	1	contextual information associated with a virtual machine ima	t	1	contextual information associated with a virtual machine ima
	>	ge, such as its name, resource group, status (active or inac		>	ge, such as its name, resource group, status (active or inac
	>	tive), type (custom or prebuilt), size, creation date, and p		>	tive), type (custom or prebuilt), size, creation date, and p
	>	ermissions. This metadata is critical for understanding the		>	ermissions. This metadata is critical for understanding the
	>	state and configuration of virtual machine images in cloud e		>	state and configuration of virtual machine images in cloud e
	>	nvironments. Examples: - Azure Compute Service Image Metad		>	nvironments. Examples: - Azure Compute Service Image Metad
	>	ata Example: - Name: MyCustomImage - Resource Group:		>	ata Example: - Name: MyCustomImage - Resource Group:
	>	MyResourceGroup - State: Available - Type: Managed		>	MyResourceGroup - State: Available - Type: Managed
	>	Image - AWS EC2 AMI Metadata Example: - Image ID: ami-12		>	Image - AWS EC2 AMI Metadata Example: - Image ID: ami-12
	>	34567890abcdef0 - Name: ProdImage - State: Available		>	34567890abcdef0 - Name: ProdImage - State: Available
	>	- Platform: Windows - Google Cloud Compute Engine Image		>	- Platform: Windows - Google Cloud Compute Engine Image
	>	Metadata Example: - Image Name: webserver-image - P		>	Metadata Example: - Image Name: webserver-image - P
	>	roject: my-project-id - Family: webserver - Source D		>	roject: my-project-id - Family: webserver - Source D
	>	isk: my-disk-id - VMware vSphere Template Metadata Example:		>	isk: my-disk-id - VMware vSphere Template Metadata Example:
	>	- Name: LinuxTemplate - Disk Size: 40GB - Networ		>	- Name: LinuxTemplate - Disk Size: 40GB - Networ
	>	k Adapter: VM Network This data component can be collected		>	k Adapter: VM Network
	>	through the following measures: Cloud Platform-Specific Too
	>	ls - Azure: - Use Azure CLI to query metadata: `az imag
	>	e show --name MyCustomImage --resource-group MyResourceGroup
	>	` - AWS: - Use AWS CLI to describe AMI metadata: `aws ec
	>	2 describe-images --image-ids ami-1234567890abcdef0` - Googl
	>	e Cloud: - Use Google Cloud SDK to retrieve image metada
	>	ta: `gcloud compute images describe webserver-image` APIs
	>	- Azure: `GET /subscriptions/{subscriptionId}/resourceGroup
	>	s/{resourceGroupName}/providers/Microsoft.Compute/images/{im
	>	ageName}` - AWS: `DescribeImages` API. - Google Cloud: `GET
	>	https://compute.googleapis.com/compute/v1/projects/{project}
	>	/global/images/{image}.` Cloud Management Portals - View m
	>	etadata directly from the cloud provider's management consol
	>	e or dashboard. SIEM Integration - Aggregate metadata into
	>	SIEM platforms for centralized monitoring:

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:38.423000+00:00	2025-11-12 22:03:39.105000+00:00
description	contextual information associated with a virtual machine image, such as its name, resource group, status (active or inactive), type (custom or prebuilt), size, creation date, and permissions. This metadata is critical for understanding the state and configuration of virtual machine images in cloud environments. Examples: - Azure Compute Service Image Metadata Example: - Name: MyCustomImage - Resource Group: MyResourceGroup - State: Available - Type: Managed Image - AWS EC2 AMI Metadata Example: - Image ID: ami-1234567890abcdef0 - Name: ProdImage - State: Available - Platform: Windows - Google Cloud Compute Engine Image Metadata Example: - Image Name: webserver-image - Project: my-project-id - Family: webserver - Source Disk: my-disk-id - VMware vSphere Template Metadata Example: - Name: LinuxTemplate - Disk Size: 40GB - Network Adapter: VM Network This data component can be collected through the following measures: Cloud Platform-Specific Tools - Azure: - Use Azure CLI to query metadata: `az image show --name MyCustomImage --resource-group MyResourceGroup` - AWS: - Use AWS CLI to describe AMI metadata: `aws ec2 describe-images --image-ids ami-1234567890abcdef0` - Google Cloud: - Use Google Cloud SDK to retrieve image metadata: `gcloud compute images describe webserver-image` APIs - Azure: `GET /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/images/{imageName}` - AWS: `DescribeImages` API. - Google Cloud: `GET https://compute.googleapis.com/compute/v1/projects/{project}/global/images/{image}.` Cloud Management Portals - View metadata directly from the cloud provider's management console or dashboard. SIEM Integration - Aggregate metadata into SIEM platforms for centralized monitoring:	contextual information associated with a virtual machine image, such as its name, resource group, status (active or inactive), type (custom or prebuilt), size, creation date, and permissions. This metadata is critical for understanding the state and configuration of virtual machine images in cloud environments. Examples: - Azure Compute Service Image Metadata Example: - Name: MyCustomImage - Resource Group: MyResourceGroup - State: Available - Type: Managed Image - AWS EC2 AMI Metadata Example: - Image ID: ami-1234567890abcdef0 - Name: ProdImage - State: Available - Platform: Windows - Google Cloud Compute Engine Image Metadata Example: - Image Name: webserver-image - Project: my-project-id - Family: webserver - Source Disk: my-disk-id - VMware vSphere Template Metadata Example: - Name: LinuxTemplate - Disk Size: 40GB - Network Adapter: VM Network

[DC0076] Instance Creation

Current version: 2.0

	Old Description			New Description
t	1	The initial provisioning and construction of a virtual machi	t	1	The initial provisioning and construction of a virtual machi
	>	ne (VM) or compute instance within a cloud infrastructure en		>	ne (VM) or compute instance within a cloud infrastructure en
	>	vironment. This activity involves defining and allocating re		>	vironment. This activity involves defining and allocating re
	>	sources such as CPU, memory, storage, and networking to spin		>	sources such as CPU, memory, storage, and networking to spin
	>	up a new compute instance. Examples: - AWS: creating an EC		>	up a new compute instance. Examples: - AWS: creating an EC
	>	2 instance using RunInstances API calls. - Azure, creating a		>	2 instance using RunInstances API calls. - Azure, creating a
	>	VM through the Azure Resource Manager (ARM). - GCP, an `ins		>	VM through the Azure Resource Manager (ARM). - GCP, an `ins
	>	tance.insert` action recorded. Data Collection Measures:		>	tance.insert` action recorded.
	>	- AWS CloudTrail: CloudTrail logs stored in S3 or accessibl
	>	e via CloudWatch. - Azure Activity Logs: Accessible in Azure
	>	Monitor or exported to a storage account. - GCP Audit Logs:
	>	Logs Explorer or BigQuery.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:39.434000+00:00	2025-11-12 22:03:39.105000+00:00
description	The initial provisioning and construction of a virtual machine (VM) or compute instance within a cloud infrastructure environment. This activity involves defining and allocating resources such as CPU, memory, storage, and networking to spin up a new compute instance. Examples: - AWS: creating an EC2 instance using RunInstances API calls. - Azure, creating a VM through the Azure Resource Manager (ARM). - GCP, an `instance.insert` action recorded. Data Collection Measures: - AWS CloudTrail: CloudTrail logs stored in S3 or accessible via CloudWatch. - Azure Activity Logs: Accessible in Azure Monitor or exported to a storage account. - GCP Audit Logs: Logs Explorer or BigQuery.	The initial provisioning and construction of a virtual machine (VM) or compute instance within a cloud infrastructure environment. This activity involves defining and allocating resources such as CPU, memory, storage, and networking to spin up a new compute instance. Examples: - AWS: creating an EC2 instance using RunInstances API calls. - Azure, creating a VM through the Azure Resource Manager (ARM). - GCP, an `instance.insert` action recorded.

[DC0081] Instance Deletion

Current version: 2.0

	Old Description			New Description
t	1	Removal of a virtual machine (VM) or compute instance within	t	1	Removal of a virtual machine (VM) or compute instance within
	>	a cloud infrastructure. This activity results in the termin		>	a cloud infrastructure. This activity results in the termin
	>	ation and deletion of the allocated resources (e.g., CPU, me		>	ation and deletion of the allocated resources (e.g., CPU, me
	>	mory, storage), making the instance unavailable for future u		>	mory, storage), making the instance unavailable for future u
	>	se. Examples: - AWS: instance deletion involves the `Termin		>	se. Examples: - AWS: instance deletion involves the `Termin
	>	ateInstances` API call, which is recorded in CloudTrail logs		>	ateInstances` API call, which is recorded in CloudTrail logs
	>	. - Azure: VM deletion can be monitored via Azure Activity L		>	. - Azure: VM deletion can be monitored via Azure Activity L
	>	ogs, showing the `Microsoft.Compute/virtualMachines/delete`		>	ogs, showing the `Microsoft.Compute/virtualMachines/delete`
	>	operation. - GCP: instance deletion is logged as an instance		>	operation. - GCP: instance deletion is logged as an instance
	>	.delete operation within GCP Audit Logs. *Data Collection M		>	.delete operation within GCP Audit Logs.
	>	easures: - AWS CloudTrail: CloudTrail logs stored in S3 or
	>	forwarded to CloudWatch. - Azure Activity Logs: Accessible
	>	via Azure Monitor or exported to a storage account. - GCP Au
	>	dit Logs: Logs Explorer or BigQuery.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:37.952000+00:00	2025-11-12 22:03:39.105000+00:00
description	Removal of a virtual machine (VM) or compute instance within a cloud infrastructure. This activity results in the termination and deletion of the allocated resources (e.g., CPU, memory, storage), making the instance unavailable for future use. Examples: - AWS: instance deletion involves the `TerminateInstances` API call, which is recorded in CloudTrail logs. - Azure: VM deletion can be monitored via Azure Activity Logs, showing the `Microsoft.Compute/virtualMachines/delete` operation. - GCP: instance deletion is logged as an instance.delete operation within GCP Audit Logs. *Data Collection Measures: - AWS CloudTrail: CloudTrail logs stored in S3 or forwarded to CloudWatch. - Azure Activity Logs: Accessible via Azure Monitor or exported to a storage account. - GCP Audit Logs: Logs Explorer or BigQuery.	Removal of a virtual machine (VM) or compute instance within a cloud infrastructure. This activity results in the termination and deletion of the allocated resources (e.g., CPU, memory, storage), making the instance unavailable for future use. Examples: - AWS: instance deletion involves the `TerminateInstances` API call, which is recorded in CloudTrail logs. - Azure: VM deletion can be monitored via Azure Activity Logs, showing the `Microsoft.Compute/virtualMachines/delete` operation. - GCP: instance deletion is logged as an instance.delete operation within GCP Audit Logs.

[DC0086] Instance Metadata

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:37.885000+00:00	2025-11-12 22:03:39.105000+00:00

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'CloudTrail:EC2', 'channel': 'DescribeInstances'}

[DC0080] Instance Start

Current version: 2.0

	Old Description			New Description
t	1	The initiation or activation of a virtual machine instance w	t	1	The initiation or activation of a virtual machine instance w
	>	ithin a cloud infrastructure. This action typically involves		>	ithin a cloud infrastructure. This action typically involves
	>	starting an existing instance that had been stopped or paus		>	starting an existing instance that had been stopped or paus
	>	ed, allowing it to resume operation. Examples: - Google Cl		>	ed, allowing it to resume operation. Examples: - Google Cl
	>	oud Platform (GCP): Starting an instance through `instance.s		>	oud Platform (GCP): Starting an instance through `instance.s
	>	tart` API activity. - AWS: Logging of `StartInstances` in AW		>	tart` API activity. - AWS: Logging of `StartInstances` in AW
	>	S CloudTrail for EC2 instances. - Azure: `Microsoft.Compute/		>	S CloudTrail for EC2 instances. - Azure: `Microsoft.Compute/
	>	virtualMachines/start` entries indicate a VM instance being		>	virtualMachines/start` entries indicate a VM instance being
	>	started. Data Collection Measures: - Google Cloud Platfo		>	started.
	>	rm: Enable GCP Audit Logs for Compute Engine. - Log Even
	>	t: Look for instance.start entries in Cloud Logging. - Amazo
	>	n Web Services (AWS): AWS CloudTrail. - Log Event: Searc
	>	h for StartInstances events associated with EC2. - Microsoft
	>	Azure: Azure Activity Logs. - Log Event: Filter for Mic
	>	rosoft.Compute/virtualMachines/start operations.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.515000+00:00	2025-11-12 22:03:39.105000+00:00
description	The initiation or activation of a virtual machine instance within a cloud infrastructure. This action typically involves starting an existing instance that had been stopped or paused, allowing it to resume operation. Examples: - Google Cloud Platform (GCP): Starting an instance through `instance.start` API activity. - AWS: Logging of `StartInstances` in AWS CloudTrail for EC2 instances. - Azure: `Microsoft.Compute/virtualMachines/start` entries indicate a VM instance being started. Data Collection Measures: - Google Cloud Platform: Enable GCP Audit Logs for Compute Engine. - Log Event: Look for instance.start entries in Cloud Logging. - Amazon Web Services (AWS): AWS CloudTrail. - Log Event: Search for StartInstances events associated with EC2. - Microsoft Azure: Azure Activity Logs. - Log Event: Filter for Microsoft.Compute/virtualMachines/start operations.	The initiation or activation of a virtual machine instance within a cloud infrastructure. This action typically involves starting an existing instance that had been stopped or paused, allowing it to resume operation. Examples: - Google Cloud Platform (GCP): Starting an instance through `instance.start` API activity. - AWS: Logging of `StartInstances` in AWS CloudTrail for EC2 instances. - Azure: `Microsoft.Compute/virtualMachines/start` entries indicate a VM instance being started.

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'CloudTrail:RunInstances', 'channel': 'RunInstances'}
x_mitre_log_sources	{'name': 'CloudTrail:RunInstances', 'channel': 'RunInstances: AMI not in allowlist OR AMI owner != enterprise owner/account'}
x_mitre_log_sources	{'name': 'AWS:CloudTrail', 'channel': 'StartInstances: Instance starts from suspicious AMI or with userData present'}
x_mitre_log_sources	{'name': 'CloudTrail:EC2', 'channel': 'RunInstances'}

[DC0067] Logon Session Creation

Current version: 2.0

	Old Description			New Description
t	1	The successful establishment of a new user session following	t	1	The successful establishment of a new user session following
	>	a successful authentication attempt. This typically signifi		>	a successful authentication attempt. This typically signifi
	>	es that a user has provided valid credentials or authenticat		>	es that a user has provided valid credentials or authenticat
	>	ion tokens, and the system has initiated a session associate		>	ion tokens, and the system has initiated a session associate
	>	d with that user account. This data is crucial for tracking		>	d with that user account. This data is crucial for tracking
	>	authentication events and identifying potential unauthorized		>	authentication events and identifying potential unauthorized
	>	access. Examples: - Windows Systems - Event ID: 4624		>	access. Examples: - Windows Systems - Event ID: 4624
	>	- Logon Type: 2 (Interactive) or 10 (Remote Interact		>	- Logon Type: 2 (Interactive) or 10 (Remote Interact
	>	ive via RDP). - Account Name: JohnDoe - Sour		>	ive via RDP). - Account Name: JohnDoe - Sour
	>	ce Network Address: 192.168.1.100 - Authentication P		>	ce Network Address: 192.168.1.100 - Authentication P
	>	ackage: NTLM - Linux Systems - /var/log/utmp or /var/log		>	ackage: NTLM - Linux Systems - /var/log/utmp or /var/log
	>	/wtmp: - Log format: login user [tty] from [source_i		>	/wtmp: - Log format: login user [tty] from [source_i
	>	p] - User: jane - IP: 10.0.0.5 - Tim		>	p] - User: jane - IP: 10.0.0.5 - Tim
	>	estamp: 2024-12-28 08:30:00 - macOS Systems - /var/log/a		>	estamp: 2024-12-28 08:30:00 - macOS Systems - /var/log/a
	>	sl.log or unified logging framework: - Log: com.appl		>	sl.log or unified logging framework: - Log: com.appl
	>	e.securityd: Authentication succeeded for user 'admin' - Clo		>	e.securityd: Authentication succeeded for user 'admin' - Clo
	>	ud Environments - Azure Sign-In Logs: - Activity		>	ud Environments - Azure Sign-In Logs: - Activity
	>	: Sign-in successful - Client App: Browser -		>	: Sign-in successful - Client App: Browser -
	>	Location: Unknown (Country: X) - Google Workspace - Act		>	Location: Unknown (Country: X) - Google Workspace - Act
	>	ivity: Login - Event Type: successful_login		>	ivity: Login - Event Type: successful_login
	>	- Source IP: 203.0.113.55 This data component can be collec		>	- Source IP: 203.0.113.55
	>	ted through the following measures: - Windows Systems -
	>	Event Logs: Monitor Security Event Logs using Event ID 4624
	>	for successful logons. - PowerShell Example: `Get-Event
	>	Log -LogName Security -InstanceId 4624` - Linux Systems
	>	- Log Files: Monitor `/var/log/utmp`, `/var/log/wtmp`, or `/
	>	var/log/auth.log` for logon events. - Tools: Use `last`
	>	or `who` commands to parse login records. - macOS Systems
	>	- Log Sources: Monitor `/var/log/asl.log` or Apple Unified
	>	Logs using the `log show` command. - Command Example: `
	>	log show --predicate 'eventMessage contains "Authentication
	>	succeeded"' --info` - Cloud Environments - Azure AD: Use
	>	Azure Monitor to analyze sign-in logs. Example CLI Query: `
	>	az monitor log-analytics query -w <workspace_id> --analytics
	>	-query "AzureActivity \| where ActivityStatus == 'Success' an
	>	d OperationName == 'Sign-in'"` - Google Workspace: Enabl
	>	e and monitor Login Audit logs from the Admin Console. -
	>	Office 365: Use Audit Log Search in Microsoft 365 Security
	>	& Compliance Center for login-related events. - Network Logs
	>	- Sources: Network authentication mechanisms (e.g., RAD
	>	IUS or TACACS logs). - Enable EDR Monitoring: - EDR too
	>	ls monitor logon session activity, including the creation of
	>	new sessions. - Configure alerts for: Suspicious logon
	>	types (e.g., Logon Type 10 for RDP or Type 5 for Service). L
	>	ogons from unusual locations, accounts, or devices. - Le
	>	verage EDR telemetry for session attributes like source IP,
	>	session duration, and originating process.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:35.022000+00:00	2025-11-12 22:03:39.105000+00:00
description	The successful establishment of a new user session following a successful authentication attempt. This typically signifies that a user has provided valid credentials or authentication tokens, and the system has initiated a session associated with that user account. This data is crucial for tracking authentication events and identifying potential unauthorized access. Examples: - Windows Systems - Event ID: 4624 - Logon Type: 2 (Interactive) or 10 (Remote Interactive via RDP). - Account Name: JohnDoe - Source Network Address: 192.168.1.100 - Authentication Package: NTLM - Linux Systems - /var/log/utmp or /var/log/wtmp: - Log format: login user [tty] from [source_ip] - User: jane - IP: 10.0.0.5 - Timestamp: 2024-12-28 08:30:00 - macOS Systems - /var/log/asl.log or unified logging framework: - Log: com.apple.securityd: Authentication succeeded for user 'admin' - Cloud Environments - Azure Sign-In Logs: - Activity: Sign-in successful - Client App: Browser - Location: Unknown (Country: X) - Google Workspace - Activity: Login - Event Type: successful_login - Source IP: 203.0.113.55 This data component can be collected through the following measures: - Windows Systems - Event Logs: Monitor Security Event Logs using Event ID 4624 for successful logons. - PowerShell Example: `Get-EventLog -LogName Security -InstanceId 4624` - Linux Systems - Log Files: Monitor `/var/log/utmp`, `/var/log/wtmp`, or `/var/log/auth.log` for logon events. - Tools: Use `last` or `who` commands to parse login records. - macOS Systems - Log Sources: Monitor `/var/log/asl.log` or Apple Unified Logs using the `log show` command. - Command Example: `log show --predicate 'eventMessage contains "Authentication succeeded"' --info` - Cloud Environments - Azure AD: Use Azure Monitor to analyze sign-in logs. Example CLI Query: `az monitor log-analytics query -w --analytics-query "AzureActivity \| where ActivityStatus == 'Success' and OperationName == 'Sign-in'"` - Google Workspace: Enable and monitor Login Audit logs from the Admin Console. - Office 365: Use Audit Log Search in Microsoft 365 Security & Compliance Center for login-related events. - Network Logs - Sources: Network authentication mechanisms (e.g., RADIUS or TACACS logs). - Enable EDR Monitoring: - EDR tools monitor logon session activity, including the creation of new sessions. - Configure alerts for: Suspicious logon types (e.g., Logon Type 10 for RDP or Type 5 for Service). Logons from unusual locations, accounts, or devices. - Leverage EDR telemetry for session attributes like source IP, session duration, and originating process.	The successful establishment of a new user session following a successful authentication attempt. This typically signifies that a user has provided valid credentials or authentication tokens, and the system has initiated a session associated with that user account. This data is crucial for tracking authentication events and identifying potential unauthorized access. Examples: - Windows Systems - Event ID: 4624 - Logon Type: 2 (Interactive) or 10 (Remote Interactive via RDP). - Account Name: JohnDoe - Source Network Address: 192.168.1.100 - Authentication Package: NTLM - Linux Systems - /var/log/utmp or /var/log/wtmp: - Log format: login user [tty] from [source_ip] - User: jane - IP: 10.0.0.5 - Timestamp: 2024-12-28 08:30:00 - macOS Systems - /var/log/asl.log or unified logging framework: - Log: com.apple.securityd: Authentication succeeded for user 'admin' - Cloud Environments - Azure Sign-In Logs: - Activity: Sign-in successful - Client App: Browser - Location: Unknown (Country: X) - Google Workspace - Activity: Login - Event Type: successful_login - Source IP: 203.0.113.55
x_mitre_log_sources[5]['name']	m365:signin	m365:signinlogs
x_mitre_log_sources[31]['name']	m365:signin	m365:signinlogs

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624 with LogonType=9 or smartcard logon'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624 (LogonType=10 or 3), EventCode=4648'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624 (LogonType=3)'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624 (LogonType=10), EventCode=4648'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4672, 4648'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': '4624'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624,4648, 4672'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624,4648,4672,4769'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventID=4624'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4634'}

[DC0088] Logon Session Metadata

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.246000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_sources[4]['name']	azure:signinLogs	azure:signinlogs
x_mitre_log_sources[3]['channel']	EventCode=4624, 4634, 4672, 4768, 4769	EventCode=4776, 4771, 4770
x_mitre_log_sources[32]['name']	m365:signin	m365:signinlogs

iterable_item_added
STIX Field	Old value	New Value
x_mitre_log_sources		{'name': 'WinEventLog:Security', 'channel': 'EventCode=4672, 4634'}

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4634, 4672, 4769'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4672'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4776,4771,4770'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624,4672'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4672, 4634, 4768, 4769'}

[DC0016] Module Load

Current version: 2.0

+When a process or program dynamically attaches a shared libr
->
+ary, module, or plugin into its memory space. This action is
->
+ typically performed to extend the functionality of an appli
->
+cation, access shared system resources, or interact with ker
->
+nel-mode components.
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:35.471000+00:00	2025-11-12 22:03:39.105000+00:00
description	When a process or program dynamically attaches a shared library, module, or plugin into its memory space. This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components. Data Collection Measures: - Event Logging (Windows): - Sysmon Event ID 7: Logs when a DLL is loaded into a process. - Windows Security Event ID 4688: Captures process creation events, often useful for correlating module loads. - Windows Defender ATP: Can provide visibility into suspicious module loads. - Event Logging (Linux/macOS): - AuditD (`execve` and `open` syscalls): Captures when shared libraries (`.so` files) are loaded. - Ltrace/Strace: Monitors process behavior, including library calls (`dlopen`, `execve`). - MacOS Endpoint Security Framework (ESF): Monitors library loads (`ES_EVENT_TYPE_NOTIFY_DYLD_INSERT_LIBRARIES`). - Endpoint Detection & Response (EDR): - Provide real-time telemetry on module loads and process injections. - Sysinternals Process Monitor (`procmon`): Captures loaded modules and their execution context. - Memory Forensics: - Volatility Framework (`malfind`, `ldrmodules`): Detects injected DLLs and anomalous module loads. - Rekall Framework: Useful for kernel-mode module detection. - SIEM and Log Analysis: - Centralized log aggregation to correlate suspicious module loads across the environment. - Detection rules using correlation searches and behavioral analytics.	When a process or program dynamically attaches a shared library, module, or plugin into its memory space. This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components.

[DC0082] Network Connection Creation

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:34.190000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_sources[19]['channel']	EventCode=22	EventCode=3, 22
x_mitre_log_sources[27]['channel']	EventCode=5156	EventCode=5156, 5157
x_mitre_log_sources[90]['channel']	8001, 8002, 8003	EventCode=8001, 8002, 8003

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=3'}
x_mitre_log_sources	{'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=22'}
x_mitre_log_sources	{'name': 'auditd:SYSCALL', 'channel': 'netconnect'}
x_mitre_log_sources	{'name': 'auditd:SYSCALL', 'channel': 'open or connect'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=5156,5157'}
x_mitre_log_sources	{'name': 'linux:Sysmon', 'channel': 'EventCode=3'}

[DC0102] Network Share Access

Current version: 2.0

+Opening a network share, which makes the contents available
->
+to the requestor (ex: Windows EID 5140 or 5145)
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:37.412000+00:00	2025-11-12 22:03:39.105000+00:00
description	Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145) Data Collection Measures: - Windows: - Event ID 5140 – Network Share Object Access Logs every access attempt to a network share. - Event ID 5145 – Detailed Network Share Object Access Captures granular access control information, including the requesting user, source IP, and access permissions. - Sysmon Event ID 3 – Network Connection Initiated Helps track SMB connections to suspicious or unauthorized network shares. - Enable Audit Policy for Network Share Access: `auditpol /set /subcategory:"File Share" /success:enable /failure:enable` - Enable PowerShell Logging to Detect Unauthorized SMB Access: `Set-ExecutionPolicy RemoteSigned` - Restrict Network Share Access with Group Policy (GPO): `Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment` Set "Access this computer from the network" to restrict unauthorized accounts. - Linux/macOS: - AuditD (`open`, `read`, `write`, `connect` syscalls) Detects access to NFS, CIFS, and SMB network shares. - Lsof (`lsof \| grep nfs` or `lsof \| grep smb`) Identifies active network share connections. - Mount (`mount \| grep nfs` or `mount \| grep cifs`) Lists currently mounted network shares. - Enable AuditD for SMB/NFS Access: `auditctl -a always,exit -F arch=b64 -S open -F path=/mnt/share -k network_share_access` - Monitor Active Network Shares Using Netstat: `netstat -an \| grep :445` - Endpoint Detection & Response (EDR): - Detects abnormal network share access behavior, such as unusual account usage, large file transfers, or encrypted file activity.	Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)
x_mitre_log_sources[1]['channel']	EventID=31001	EventCode=31001

[DC0078] Network Traffic Flow

Current version: 2.0

	Old Description			New Description
t	1	Summarized network packet data that captures session-level d	t	1	Summarized network packet data that captures session-level d
	>	etails such as source/destination IPs, ports, protocol types		>	etails such as source/destination IPs, ports, protocol types
	>	, timestamps, and data volume, without storing full packet p		>	, timestamps, and data volume, without storing full packet p
	>	ayloads. This is commonly used for traffic analysis, anomaly		>	ayloads. This is commonly used for traffic analysis, anomaly
	>	detection, and network performance monitoring. *Data Colle		>	detection, and network performance monitoring.
	>	ction Measures:* - Network Flow Logs (Metadata Collection)
	>	- NetFlow - Summarized metadata for network con
	>	versations (no packet payloads). - sFlow (Sampled Flow L
	>	ogging) - Captures sampled packets from switches and
	>	routers. - Used for real-time traffic monitoring an
	>	d anomaly detection. - Zeek (Bro) Flow Logs - Ze
	>	ek logs session-level details in logs like conn.log, http.lo
	>	g, dns.log, etc. - Host-Based Collection - Sysmon Event
	>	ID 3 – Network Connection Initiated - Logs process-l
	>	evel network activity, useful for detecting malicious outbou
	>	nd connections. - AuditD (Linux) – syscall=connect
	>	- Monitors system calls for network connections. `auditct
	>	l -a always,exit -F arch=b64 -S connect -k network_activity`
	>	- Cloud & SaaS Flow Monitoring - AWS VPC Flow Logs
	>	- Captures metadata for traffic between EC2 instances, s
	>	ecurity groups, and internet gateways. - Azure NSG Flow
	>	Logs / Google VPC Flow Logs - Logs ingress/egress tr
	>	affic for cloud-based resources.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:34.703000+00:00	2025-11-12 22:03:39.105000+00:00
description	Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring. Data Collection Measures: - Network Flow Logs (Metadata Collection) - NetFlow - Summarized metadata for network conversations (no packet payloads). - sFlow (Sampled Flow Logging) - Captures sampled packets from switches and routers. - Used for real-time traffic monitoring and anomaly detection. - Zeek (Bro) Flow Logs - Zeek logs session-level details in logs like conn.log, http.log, dns.log, etc. - Host-Based Collection - Sysmon Event ID 3 – Network Connection Initiated - Logs process-level network activity, useful for detecting malicious outbound connections. - AuditD (Linux) – syscall=connect - Monitors system calls for network connections. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity` - Cloud & SaaS Flow Monitoring - AWS VPC Flow Logs - Captures metadata for traffic between EC2 instances, security groups, and internet gateways. - Azure NSG Flow Logs / Google VPC Flow Logs - Logs ingress/egress traffic for cloud-based resources.	Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring.
x_mitre_log_sources[72]['channel']	EventCode=2004,2005,2006	EventCode=2004, 2005, 2006

[DC0021] OS API Execution

Current version: 2.0

	Old Description			New Description
t	1	Calls made by a process to operating system-provided Applica	t	1	Calls made by a process to operating system-provided Applica
	>	tion Programming Interfaces (APIs). These calls are essentia		>	tion Programming Interfaces (APIs). These calls are essentia
	>	l for interacting with system resources such as memory, file		>	l for interacting with system resources such as memory, file
	>	s, and hardware, or for performing system-level tasks. Monit		>	s, and hardware, or for performing system-level tasks. Monit
	>	oring these calls can provide insight into a process's inten		>	oring these calls can provide insight into a process's inten
	>	t, especially if the process is malicious. *Data Collection		>	t, especially if the process is malicious.
	>	Measures:* - Endpoint Detection and Response (EDR) Tools:
	>	- Leverage tools to monitor API execution behaviors at t
	>	he process level. - Example: Sysmon Event ID 10 captures
	>	API call traces for process access and memory allocation. -
	>	Process Monitor (ProcMon): - Use ProcMon to collect det
	>	ailed logs of process and API activity. ProcMon can provide
	>	granular details on API usage and identify malicious behavio
	>	r during analysis. - Windows Event Logs: - Use Event IDs
	>	from Windows logs for specific API-related activities:
	>	- Event ID 4688: A new process has been created (can ind
	>	irectly infer API use). - Event ID 4657: A registry
	>	value has been modified (to monitor registry-altering APIs).
	>	- Dynamic Analysis Tools: - Tools like Cuckoo Sandbox,
	>	Flare VM, or Hybrid Analysis monitor API execution during ma
	>	lware detonation. - Host-Based Logs: - On Linux/macOS sy
	>	stems, leverage audit frameworks (e.g., `auditd`, `strace`)
	>	to capture and analyze system call usage that APIs map to. -
	>	Runtime Monitors: - Runtime security tools like Falco c
	>	an monitor system-level calls for API execution. - Debugging
	>	and Tracing: - Use debugging tools like gdb (Linux) or
	>	WinDbg (Windows) for deep tracing of API executions in real
	>	time.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.999000+00:00	2025-11-12 22:03:39.105000+00:00
description	Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious. Data Collection Measures: - Endpoint Detection and Response (EDR) Tools: - Leverage tools to monitor API execution behaviors at the process level. - Example: Sysmon Event ID 10 captures API call traces for process access and memory allocation. - Process Monitor (ProcMon): - Use ProcMon to collect detailed logs of process and API activity. ProcMon can provide granular details on API usage and identify malicious behavior during analysis. - Windows Event Logs: - Use Event IDs from Windows logs for specific API-related activities: - Event ID 4688: A new process has been created (can indirectly infer API use). - Event ID 4657: A registry value has been modified (to monitor registry-altering APIs). - Dynamic Analysis Tools: - Tools like Cuckoo Sandbox, Flare VM, or Hybrid Analysis monitor API execution during malware detonation. - Host-Based Logs: - On Linux/macOS systems, leverage audit frameworks (e.g., `auditd`, `strace`) to capture and analyze system call usage that APIs map to. - Runtime Monitors: - Runtime security tools like Falco can monitor system-level calls for API execution. - Debugging and Tracing: - Use debugging tools like gdb (Linux) or WinDbg (Windows) for deep tracing of API executions in real time.	Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious.
x_mitre_log_sources[19]['channel']	EventCode=4656	EventCode=4663, 4670, 4656

[DC0035] Process Access

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:35.539000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_sources[13]['channel']	EventCode=4656	EventCode=4663, 4670, 4656

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=10, 7'}

[DC0032] Process Creation

Current version: 2.0

	Old Description			New Description
t	1	Refers to the event in which a new process (executable) is i	t	1	Refers to the event in which a new process (executable) is i
	>	nitialized by an operating system. This can involve parent-c		>	nitialized by an operating system. This can involve parent-c
	>	hild process relationships, process arguments, and environme		>	hild process relationships, process arguments, and environme
	>	ntal variables. Monitoring process creation is crucial for d		>	ntal variables. Monitoring process creation is crucial for d
	>	etecting malicious behaviors, such as execution of unauthori		>	etecting malicious behaviors, such as execution of unauthori
	>	zed binaries, scripting abuse, or privilege escalation attem		>	zed binaries, scripting abuse, or privilege escalation attem
	>	pts. Data Collection Measures: - Endpoint Detection and		>	pts..
	>	Response (EDR) Tools: - EDRs provide process telemetry,
	>	tracking execution flows and arguments. - Windows Event Logs
	>	: - Event ID 4688 (Audit Process Creation): Captures pro
	>	cess creation with associated parent process. - Sysmon (Wind
	>	ows): - Event ID 1 (Process Creation): Provides detailed
	>	logging - Linux/macOS Monitoring: - AuditD (execve sysc
	>	all): Logs process creation. - eBPF/XDP: Used for low-le
	>	vel monitoring of system calls related to process execution.
	>	- OSQuery: Allows SQL-like queries to track process eve
	>	nts (process_events table). - Apple Endpoint Security Fr
	>	amework (ESF): Monitors process creation on macOS. - Network
	>	-Based Monitoring: - Zeek (Bro) Logs: Captures network-b
	>	ased process execution related to remote shells. - Syslo
	>	g/OSSEC: Tracks execution of processes on distributed system
	>	s. - Behavioral SIEM Rules: - Monitor process creation f
	>	or uncommon binaries in user directories. - Detect proce
	>	sses with suspicious command-line arguments.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 19:28:39.339000+00:00	2025-11-12 22:03:39.105000+00:00
external_references[0]['url']	https://attack.mitre.org/data-components/DC0032	https://attack.mitre.org/datacomponents/DC0032
description	Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts. Data Collection Measures: - Endpoint Detection and Response (EDR) Tools: - EDRs provide process telemetry, tracking execution flows and arguments. - Windows Event Logs: - Event ID 4688 (Audit Process Creation): Captures process creation with associated parent process. - Sysmon (Windows): - Event ID 1 (Process Creation): Provides detailed logging - Linux/macOS Monitoring: - AuditD (execve syscall): Logs process creation. - eBPF/XDP: Used for low-level monitoring of system calls related to process execution. - OSQuery: Allows SQL-like queries to track process events (process_events table). - Apple Endpoint Security Framework (ESF): Monitors process creation on macOS. - Network-Based Monitoring: - Zeek (Bro) Logs: Captures network-based process execution related to remote shells. - Syslog/OSSEC: Tracks execution of processes on distributed systems. - Behavioral SIEM Rules: - Monitor process creation for uncommon binaries in user directories. - Detect processes with suspicious command-line arguments.	Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts..
x_mitre_log_sources[293]['channel']	EventCode=8003,8004	EventCode=8003, 8004

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventlog:Security', 'channel': 'EventCode=4688'}
x_mitre_log_sources	{'name': 'WinEventLog:Microsoft-Windows-Security-Auditing', 'channel': 'EventCode=4688'}
x_mitre_log_sources	{'name': 'WinEventLog:security', 'channel': 'EventCode=4688'}

[DC0034] Process Metadata

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:35.331000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_sources[36]['channel']	EventCode=400,403	EventCode=400, 403

[DC0020] Process Modification

Current version: 2.0

	Old Description			New Description
t	1	Changes made to a running process, such as writing data into	t	1	Changes made to a running process, such as writing data into
	>	memory, modifying execution behavior, or injecting code int		>	memory, modifying execution behavior, or injecting code int
	>	o an existing process. Adversaries frequently modify process		>	o an existing process. Adversaries frequently modify process
	>	es to execute malicious payloads, evade detection, or gain e		>	es to execute malicious payloads, evade detection, or gain e
	>	scalated privileges. Data Collection Measures: - Endpoi		>	scalated privileges.
	>	nt Detection and Response (EDR) Tools: - EDRs can monito
	>	r memory modifications and API-level calls. - Sysmon (Window
	>	s): - Event ID 8 (CreateRemoteThread) – Detects cross-pr
	>	ocess thread injection, commonly used in process hollowing.
	>	- Event ID 10 (Process Access) – Detects access attempts
	>	to another process, often preceding injection attempts. - L
	>	inux/macOS Monitoring: - AuditD (ptrace, mmap, mprotect
	>	syscalls): Detects memory modifications and debugging attemp
	>	ts. - eBPF/XDP: Monitors low-level system calls related
	>	to process modifications. - OSQuery: The processes table
	>	can be queried for unusual modifications. - Network-Based M
	>	onitoring: - Zeek (Bro) Logs: Captures lateral movement
	>	attempts where adversaries remotely modify a process. -
	>	Syslog/OSSEC: Monitors logs for suspicious modifications.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:35.747000+00:00	2025-11-12 22:03:39.105000+00:00
description	Changes made to a running process, such as writing data into memory, modifying execution behavior, or injecting code into an existing process. Adversaries frequently modify processes to execute malicious payloads, evade detection, or gain escalated privileges. Data Collection Measures: - Endpoint Detection and Response (EDR) Tools: - EDRs can monitor memory modifications and API-level calls. - Sysmon (Windows): - Event ID 8 (CreateRemoteThread) – Detects cross-process thread injection, commonly used in process hollowing. - Event ID 10 (Process Access) – Detects access attempts to another process, often preceding injection attempts. - Linux/macOS Monitoring: - AuditD (ptrace, mmap, mprotect syscalls): Detects memory modifications and debugging attempts. - eBPF/XDP: Monitors low-level system calls related to process modifications. - OSQuery: The processes table can be queried for unusual modifications. - Network-Based Monitoring: - Zeek (Bro) Logs: Captures lateral movement attempts where adversaries remotely modify a process. - Syslog/OSSEC: Monitors logs for suspicious modifications.	Changes made to a running process, such as writing data into memory, modifying execution behavior, or injecting code into an existing process. Adversaries frequently modify processes to execute malicious payloads, evade detection, or gain escalated privileges.

[DC0033] Process Termination

Current version: 2.0

	Old Description			New Description
t	1	The exit or termination of a running process on a system. Th	t	1	The exit or termination of a running process on a system. Th
	>	is can occur due to normal operations, user-initiated comman		>	is can occur due to normal operations, user-initiated comman
	>	ds, or malicious actions such as process termination by malw		>	ds, or malicious actions such as process termination by malw
	>	are to disable security controls. *Data Collection Measures		>	are to disable security controls.
	>	:* - Endpoint Detection and Response (EDR) Tools: - Mon
	>	itor process termination events. - Windows Event Logs: -
	>	Event ID 4689 (Process Termination) – Captures when a proce
	>	ss exits, including process ID and parent process. - Eve
	>	nt ID 7036 (Service Control Manager) – Monitors system servi
	>	ce stops. - Sysmon (Windows): - Event ID 5 (Process Term
	>	ination) – Detects when a process exits, including parent-ch
	>	ild relationships. - Linux/macOS Monitoring: - AuditD (`
	>	execve`, `exit_group`, `kill` syscalls) – Captures process t
	>	ermination via command-line interactions. - eBPF/XDP: Mo
	>	nitors low-level system calls related to process termination
	>	. - OSQuery: The processes table can be queried for abno
	>	rmal exits.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.181000+00:00	2025-11-12 22:03:39.105000+00:00
description	The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls. Data Collection Measures: - Endpoint Detection and Response (EDR) Tools: - Monitor process termination events. - Windows Event Logs: - Event ID 4689 (Process Termination) – Captures when a process exits, including process ID and parent process. - Event ID 7036 (Service Control Manager) – Monitors system service stops. - Sysmon (Windows): - Event ID 5 (Process Termination) – Detects when a process exits, including parent-child relationships. - Linux/macOS Monitoring: - AuditD (`execve`, `exit_group`, `kill` syscalls) – Captures process termination via command-line interactions. - eBPF/XDP: Monitors low-level system calls related to process termination. - OSQuery: The processes table can be queried for abnormal exits.	The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls.

[DC0104] Response Content

Current version: 2.0

	Old Description			New Description
t	1	Captured network traffic that provides details about respons	t	1	Captured network traffic that provides details about respons
	>	es received during an internet scan. This data includes both		>	es received during an internet scan. This data includes both
	>	protocol header values (e.g., HTTP status codes, IP headers		>	protocol header values (e.g., HTTP status codes, IP headers
	>	, or DNS response codes) and response body content (e.g., HT		>	, or DNS response codes) and response body content (e.g., HT
	>	ML, JSON, or raw data). Examples: - HTTP Scan: A web server		>	ML, JSON, or raw data). Examples: - HTTP Scan: A web server
	>	responds to a probe with an HTTP 200 status code and an HTM		>	responds to a probe with an HTTP 200 status code and an HTM
	>	L body indicating the default page is accessible. - DNS Scan		>	L body indicating the default page is accessible. - DNS Scan
	>	: A DNS server replies to a query with a resolved IP address		>	: A DNS server replies to a query with a resolved IP address
	>	for a domain, along with details like Time-To-Live (TTL) an		>	for a domain, along with details like Time-To-Live (TTL) an
	>	d authoritative information. - TCP Banner Grab: A service li		>	d authoritative information. - TCP Banner Grab: A service li
	>	stening on a port (e.g., SSH or FTP) responds with a banner		>	stening on a port (e.g., SSH or FTP) responds with a banner
	>	containing service name, version, or other metadata. *Data		>	containing service name, version, or other metadata.
	>	Collection Measures:* - Network Traffic Monitoring: - D
	>	eploy packet capture tools like Wireshark, tcpdump, or Suric
	>	ata to log both headers and body content of response traffic
	>	. - Use network appliances like firewalls, intrusion det
	>	ection systems (IDS), or intrusion prevention systems (IPS)
	>	with logging enabled to capture scan responses. - Cloud Logg
	>	ing Services: - AWS VPC Flow Logs: Capture metadata abou
	>	t network flows, including source and destination, protocol,
	>	and response codes. - GCP Packet Mirroring: Use mirrore
	>	d packets to analyze responses. - Azure NSG Flow Logs: R
	>	ecord network traffic flow information for analysis. - Speci
	>	fic Tools: - Zmap or Masscan: Can perform internet-wide
	>	scans and collect response content for analysis. - Nmap:
	>	Use custom scripts to capture and log detailed response dat
	>	a during scans.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:40.412000+00:00	2025-11-12 22:03:39.105000+00:00
description	Captured network traffic that provides details about responses received during an internet scan. This data includes both protocol header values (e.g., HTTP status codes, IP headers, or DNS response codes) and response body content (e.g., HTML, JSON, or raw data). Examples: - HTTP Scan: A web server responds to a probe with an HTTP 200 status code and an HTML body indicating the default page is accessible. - DNS Scan: A DNS server replies to a query with a resolved IP address for a domain, along with details like Time-To-Live (TTL) and authoritative information. - TCP Banner Grab: A service listening on a port (e.g., SSH or FTP) responds with a banner containing service name, version, or other metadata. Data Collection Measures: - Network Traffic Monitoring: - Deploy packet capture tools like Wireshark, tcpdump, or Suricata to log both headers and body content of response traffic. - Use network appliances like firewalls, intrusion detection systems (IDS), or intrusion prevention systems (IPS) with logging enabled to capture scan responses. - Cloud Logging Services: - AWS VPC Flow Logs: Capture metadata about network flows, including source and destination, protocol, and response codes. - GCP Packet Mirroring: Use mirrored packets to analyze responses. - Azure NSG Flow Logs: Record network traffic flow information for analysis. - Specific Tools: - Zmap or Masscan: Can perform internet-wide scans and collect response content for analysis. - Nmap: Use custom scripts to capture and log detailed response data during scans.	Captured network traffic that provides details about responses received during an internet scan. This data includes both protocol header values (e.g., HTTP status codes, IP headers, or DNS response codes) and response body content (e.g., HTML, JSON, or raw data). Examples: - HTTP Scan: A web server responds to a probe with an HTTP 200 status code and an HTML body indicating the default page is accessible. - DNS Scan: A DNS server replies to a query with a resolved IP address for a domain, along with details like Time-To-Live (TTL) and authoritative information. - TCP Banner Grab: A service listening on a port (e.g., SSH or FTP) responds with a banner containing service name, version, or other metadata.

[DC0001] Scheduled Job Creation

Current version: 2.0

+The establishment of a task or job that will execute at a pr
->
+edefined time or based on specific triggers.
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:35.814000+00:00	2025-11-12 22:03:39.105000+00:00
description	The establishment of a task or job that will execute at a predefined time or based on specific triggers. Data Collection Measures: - Windows Event Logs: - Event ID 4698 (Scheduled Task Created) – Detects the creation of new scheduled tasks. - Event ID 4702 (Scheduled Task Updated) – Identifies modifications to existing scheduled jobs. - Event ID 106 (TaskScheduler Operational Log) – Provides details about scheduled task execution. - Sysmon (Windows): - Event ID 1 (Process Creation) – Detects the execution of suspicious tasks started by `schtasks.exe`, `at.exe`, or `taskeng.exe`. - Linux/macOS Monitoring: - AuditD: Monitor modifications to `/etc/cron*`, `/var/spool/cron/`, and `crontab` files. - Syslog: Capture cron job execution logs from `/var/log/cron`. - OSQuery: Query the `crontab` and `launchd` tables for scheduled job configurations. - Endpoint Detection and Response (EDR) Tools: - Track scheduled task creation and modification events. - SIEM & XDR Detection Rules: - Monitor for scheduled jobs created by unusual users. - Detect tasks executing scripts from non-standard directories.	The establishment of a task or job that will execute at a predefined time or based on specific triggers.

[DC0005] Scheduled Job Metadata

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-22 19:03:38.549000+00:00	2025-11-12 22:03:39.105000+00:00
external_references[0]['url']	https://attack.mitre.org/data-components/DC0005	https://attack.mitre.org/datacomponents/DC0005

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'linux:cron', 'channel': '/var/log/syslog or journalctl'}
x_mitre_log_sources	{'name': 'linux::cron', 'channel': 'crontab or at job created within TimeWindow post time discovery'}

[DC0029] Script Execution

Current version: 2.0

+The execution of a text file that contains code via the inte
->
+rpreter.
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.018000+00:00	2025-11-12 22:03:39.105000+00:00
description	The execution of a text file that contains code via the interpreter. Data Collection Measures: - Windows Event Logs: - Event ID 4104 (PowerShell Script Block Logging) – Captures full command-line execution of PowerShell scripts. - Event ID 4688 (Process Creation) – Detects script execution by tracking process launches (`powershell.exe`, `wscript.exe`, `cscript.exe`). - Event ID 5861 (Script Execution) – Captures script execution via Windows Defender AMSI logging. - Sysmon (Windows): - Event ID 1 (Process Creation) – Monitors script execution initiated by scripting engines. - Event ID 11 (File Creation) – Detects new script files written to disk before execution. - Endpoint Detection and Response (EDR) Tools: - Track script execution behavior, detect obfuscated commands, and prevent malicious scripts. - PowerShell Logging: - Enable Module Logging: Logs all loaded modules and cmdlets. - Enable Script Block Logging: Captures complete PowerShell script execution history. - SIEM Detection Rules: - Detect script execution with obfuscated, encoded, or remote URLs. - Alert on script executions using `-EncodedCommand` or `iex(iwr)`.	The execution of a text file that contains code via the interpreter.
x_mitre_log_sources[11]['channel']	EventCode=4103, 4104	EventCode=4103, 4104, 4105, 4106
x_mitre_log_sources[22]['channel']	EventCode=4016,5312	EventCode=4016, 5312

[DC0060] Service Creation

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.315000+00:00	2025-11-12 22:03:39.105000+00:00

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=7045'}

[DC0041] Service Metadata

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.382000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_sources[1]['name']	WinEventLog:sysmon	WinEventLog:Sysmon

[DC0065] Service Modification

Current version: 2.0

+Changes made to an existing service or daemon, such as modif
->
+ying the service name, start type, execution parameters, or
->
+security configurations.
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:37.211000+00:00	2025-11-12 22:03:39.105000+00:00
description	Changes made to an existing service or daemon, such as modifying the service name, start type, execution parameters, or security configurations. Data Collection Measures: - Windows Event Logs - Event ID 7040 - Detects modifications to the startup behavior of a service. - Event ID 7045 - Can capture changes made to existing services. - Event ID 7036 - Tracks when services start or stop, potentially indicating malicious tampering. - Event ID 4697 - Can detect when an adversary reinstalls a service with different parameters. - Sysmon Logs - Sysmon Event ID 13 - Detects changes to service configurations in the Windows Registry (e.g., `HKLM\SYSTEM\CurrentControlSet\Services\`). - Sysmon Event ID 1 - Can track execution of `sc.exe` or `PowerShell Set-Service`. - PowerShell Logging - Event ID 4104 (Script Block Logging) - Captures execution of commands like `Set-Service`, `New-Service`, or `sc config`. - Command-Line Logging (Event ID 4688) - Tracks usage of service modification commands: - `sc config start= auto` - `sc qc ` - Linux/macOS Collection Methods - Systemd Journals (`journalctl -u `) Tracks modifications to systemd service configurations. - Daemon Logs (`/var/log/syslog`, `/var/log/messages`, `/var/log/daemon.log`) Captures changes to service state and execution parameters. - AuditD Rules for Service Modification - Monitor modifications to `/etc/systemd/system/` for new or altered service unit files: `auditctl -w /etc/systemd/system/ -p wa -k service_modification` - Track execution of `systemctl` or `service` commands: `auditctl -a always,exit -F arch=b64 -S execve -F a0=systemctl -F key=service_mod` - OSQuery for Linux/macOS Monitoring - Query modified services using OSQuery’s `processes` or `system_info` tables: `SELECT * FROM systemd_units WHERE state != 'running';` - macOS Launch Daemon/Agent Modification - Monitor for changes in: - `/Library/LaunchDaemons/` - `/Library/LaunchAgents/` - Track modifications to `.plist` files indicating persistence attempts.	Changes made to an existing service or daemon, such as modifying the service name, start type, execution parameters, or security configurations.

[DC0057] Snapshot Creation

Current version: 2.0

	Old Description			New Description
t	1	The process of taking a point-in-time copy of a cloud storag	t	1	The process of taking a point-in-time copy of a cloud storag
	>	e volume (files, settings, configurations, etc.), virtual ma		>	e volume (files, settings, configurations, etc.), virtual ma
	>	chine (VM), or database that can be created and deployed in		>	chine (VM), or database that can be created and deployed in
	>	cloud environments. Data Collection Measures: - Cloud Pl		>	cloud environments.
	>	atform Logs (IaaS) - AWS CloudTrail Logs: Monitor API ca
	>	lls related to snapshot creation (`CreateSnapshot`). - A
	>	zure Monitor Logs: Track snapshot creation (`Microsoft.Compu
	>	te/snapshots/write`). - Google Cloud Logging: Detect `co
	>	mpute.disks.createSnapshot`.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:39.640000+00:00	2025-11-12 22:03:39.105000+00:00
description	The process of taking a point-in-time copy of a cloud storage volume (files, settings, configurations, etc.), virtual machine (VM), or database that can be created and deployed in cloud environments. Data Collection Measures: - Cloud Platform Logs (IaaS) - AWS CloudTrail Logs: Monitor API calls related to snapshot creation (`CreateSnapshot`). - Azure Monitor Logs: Track snapshot creation (`Microsoft.Compute/snapshots/write`). - Google Cloud Logging: Detect `compute.disks.createSnapshot`.	The process of taking a point-in-time copy of a cloud storage volume (files, settings, configurations, etc.), virtual machine (VM), or database that can be created and deployed in cloud environments.

[DC0002] User Account Authentication

Current version: 2.0

+An attempt (successful and failed login attempts) by a user,
->
+ service, or application to gain access to a network, system
->
+, or cloud-based resource. This typically involves credentia
->
+ls such as passwords, tokens, multi-factor authentication (M
->
+FA), or biometric validation.
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:34.948000+00:00	2025-11-12 22:03:39.105000+00:00
description	An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation. Data Collection Measures: - Host-Based Authentication Logs - Windows Event Logs - Event ID 4776 – NTLM authentication attempt. - Event ID 4624 – Successful user logon. - Event ID 4625 – Failed authentication attempt. - Event ID 4648 – Explicit logon with alternate credentials. - Linux/macOS Authentication Logs - `/var/log/auth.log`, `/var/log/secure` – Logs SSH, sudo, and other authentication attempts. - AuditD – Tracks authentication events via PAM modules. - macOS Unified Logs – `/var/db/diagnostics` captures authentication failures. - Cloud Authentication Logs - Azure AD Logs - Sign-in Logs – Tracks authentication attempts, MFA challenges, and conditional access failures. - Audit Logs – Captures authentication-related configuration changes. - Microsoft Graph API – Provides real-time sign-in analytics. - Google Workspace & Office 365 - Google Admin Console – `User Login Report` tracks login attempts and failures. - Office 365 Unified Audit Logs – Captures logins across Exchange, SharePoint, and Teams. - AWS CloudTrail & IAM - Tracks authentication via `AWS IAM AuthenticateUser` and `sts:GetSessionToken`. - Logs failed authentications to AWS Management Console and API requests. - Container Authentication Monitoring - Kubernetes Authentication Logs - kubectl audit logs – Captures authentication attempts for service accounts and admin users. - Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE) – Logs IAM authentication events.	An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation.
x_mitre_log_sources[12]['name']	m365:signin	m365:signinlogs
x_mitre_log_sources[15]['channel']	EventCode=4769,1200,1202	EventCode=4776, 4625

iterable_item_added
STIX Field	Old value	New Value
x_mitre_log_sources		{'name': 'WinEventLog:Security', 'channel': 'EventCode=4769, 1200, 1202'}

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4625'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4625, 4624'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': '4624, 4625'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventID=4625'}

[DC0014] User Account Creation

Current version: 2.0

+The initial establishment of a new user, service, or machine
->
+ account within an operating system, cloud environment, or i
->
+dentity management system.
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:34.784000+00:00	2025-11-12 22:03:39.105000+00:00
description	The initial establishment of a new user, service, or machine account within an operating system, cloud environment, or identity management system. Data Collection Measures: - Host-Based Logging - Windows Event Logs - Event ID 4720 – A new user account was created. - Event ID 4732/4735 – A user was added to a privileged group. - Event ID 4798 – Enumeration of user accounts. - Linux/macOS Authentication Logs - `/var/log/auth.log`, `/var/log/secure` – Logs `useradd`, `adduser`, `passwd`, and `groupmod` activities. - AuditD – Detects new account creation via PAM (`useradd`, `usermod`). - OSQuery – The `users` table tracks newly created accounts. - Cloud-Based Logging - Azure AD Logs - Azure AD Audit Logs – Tracks new user and service account creation. - Azure Graph API – Provides logs on new account provisioning. - AWS IAM & CloudTrail Logs - CreateUser, CreateRole – Tracks new IAM user creation. - AttachRolePolicy – Identifies privilege escalation via account creation. - Google Workspace & Office 365 Logs - Google Admin Console – Logs user creation in User Accounts API. - Microsoft 365 Unified Audit Log – Tracks new account provisioning. - Container & Network Account Creation Logs - Kubernetes Account Creation Logs - kubectl audit logs – Detects new service account provisioning. - GKE/Azure AKS Logs – Track new container service accounts.	The initial establishment of a new user, service, or machine account within an operating system, cloud environment, or identity management system.

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4720, EventCode=4781'}

[DC0009] User Account Deletion

Current version: 2.0

+The removal of a user, service, or machine account from an o
->
+perating system, cloud identity management system, or direct
->
+ory service.
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.864000+00:00	2025-11-12 22:03:39.105000+00:00
description	The removal of a user, service, or machine account from an operating system, cloud identity management system, or directory service. Data Collection Measures: - Host-Based Logging - Windows Event Logs - Event ID 4726 – A user account was deleted. - Event ID 4733/4735 – A user was removed from a privileged group. - Event ID 1102 – Security log was cleared (potential cover-up). - Linux/macOS Authentication Logs - `/var/log/auth.log`, `/var/log/secure` – Logs `userdel`, `deluser`, `passwd -l`. - AuditD – Tracks account deletions via PAM events (`userdel`). - OSQuery – The `users` table can detect account removal. - Cloud-Based Logging - Azure AD Logs - Azure AD Audit Logs – Tracks user and service account deletions. - Azure Graph API – Monitors identity changes. - AWS IAM & CloudTrail Logs - `DeleteUser`, `DeleteRole` – Tracks IAM user deletion. - DetachRolePolicy – Identifies privilege revocation before deletion. - Google Workspace & Office 365 Logs - Google Admin Console – Logs user removal activities. - Microsoft 365 Unified Audit Log – Captures deleted accounts in Active Directory. - Container & Network Account Deletion Logs - Kubernetes Service Account Deletion - kubectl audit logs – Detects when service accounts are removed from pods. - GKE/Azure AKS Logs – Track containerized identity removals.	The removal of a user, service, or machine account from an operating system, cloud identity management system, or directory service.

[DC0010] User Account Modification

Current version: 2.0

+Changes made to an existing user, service, or machine accoun
->
+t, including alterations to attributes, permissions, roles,
->
+authentication methods, or group memberships.
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.735000+00:00	2025-11-12 22:03:39.105000+00:00
description	Changes made to an existing user, service, or machine account, including alterations to attributes, permissions, roles, authentication methods, or group memberships. Data Collection Measures: - Host-Based Logging - Windows Event Logs - Event ID 4738 – A user account was changed. - Event ID 4725 – A user account was disabled. - Event ID 4724 – An attempt was made to reset an account's password. - Event ID 4767 – A user account was unlocked. - Linux/macOS Authentication Logs - `/var/log/auth.log`, `/var/log/secure` – Tracks account modifications (`usermod`, `chage`, `passwd`). - AuditD – Monitors account changes (`useradd`, `usermod`, `gpasswd`). - OSQuery – Queries the `users` table for recent modifications. - Cloud-Based Logging - Azure AD Logs - Azure AD Audit Logs – Tracks modifications to users and security groups. - Azure Graph API – Captures changes to authentication policies and MFA settings. - AWS IAM & CloudTrail Logs - `ModifyUser`, `UpdateLoginProfile` – Captures changes to IAM user attributes. - `AttachUserPolicy`, `AddUserToGroup` – Detects policy and group modifications. - Google Workspace & Office 365 Logs - Google Admin Console – Logs account changes, role modifications, and group membership updates. - Microsoft 365 Unified Audit Log – Captures modifications to security settings and privileged account changes. - Container & Network Account Modification Logs - Kubernetes Service Account Changes - kubectl audit logs – Detects service account modifications in Kubernetes clusters. - GKE/Azure AKS Logs – Monitors role and permission changes.	Changes made to an existing user, service, or machine account, including alterations to attributes, permissions, roles, authentication methods, or group memberships.
x_mitre_log_sources[11]['channel']	EventCode=4723, 4724, 4726, 4740	EventCode=4723, 4724, 4740
x_mitre_log_sources[30]['name']	azure:signinLogs	azure:signinlogs

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:DirectoryService', 'channel': 'EventID 5136'}

[DC0097] Volume Creation

Current version: 2.0

+The initial provisioning of block storage volumes in cloud o
->
+r on-prem environments, typically used for data storage, bac
->
+kup, or workload scaling.
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:39.832000+00:00	2025-11-12 22:03:39.105000+00:00
description	The initial provisioning of block storage volumes in cloud or on-prem environments, typically used for data storage, backup, or workload scaling. Data Collection Measures: - Cloud-Based Logging & Monitoring - AWS CloudTrail - `CreateVolume` – Logs the creation of new Amazon Elastic Block Store (EBS) volumes. - `RunInstances` – Can be correlated to detect automatic volume provisioning. - Azure Monitor & Log Analytics - `Microsoft.Compute/disks/write` – Captures creation of new managed/unmanaged disks. - `Microsoft.Storage/storageAccounts/write` – Detects creation of new Azure Blob Storage volumes. - Google Cloud Logging (GCP) - `compute.disks.insert` – Tracks new persistent disk creation. - `compute.instances.attachDisk` – Logs attachment of a volume to a running VM. - OpenStack Logs - `volume.create` – Captures new storage volume provisioning. - `cinder.volume.create` – Logs OpenStack Cinder block storage creation. - Host-Based & SIEM Detection - Linux/macOS System Logs - `/var/log/syslog` & `/var/log/messages` – Detects new mount points or attached storage. - `dmesg \| grep "new disk"` – Identifies kernel messages for volume attachment. - AuditD: Tracks `mkfs` (filesystem creation) for new volume provisioning. - Windows Event Logs - Event ID 1006 (Storage Management Events) – Captures disk volume creation. - Event ID 5145 (Object Access: File Share) – Detects access to newly created storage shares.	The initial provisioning of block storage volumes in cloud or on-prem environments, typically used for data storage, backup, or workload scaling.

[DC0098] Volume Deletion

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:38.711000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_sources[1]['channel']	DeleteVolume, ModifyVolume	DeleteVolume

[DC0100] Volume Metadata

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:38.841000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_sources[0]['name']	WinEventLog:Security	Metadata
x_mitre_log_sources[0]['channel']	4673, 4674	None

[DC0008] WMI Creation

Current version: 2.0

+Initial construction of a WMI object, such as a filter, cons
->
+umer, subscription, binding, or providers.
->
->
->
->
->
->
->
->

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:35.880000+00:00	2025-11-12 22:03:39.105000+00:00
description	Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or providers. Data Collection Measures: - Windows Security Event Logs: - Event ID 5861 (WMI Permanent Event Subscription) - Event ID 5860 (WMI Event Filter Activity) - Event ID 5857 (WMI Event Consumer Activity) - Sysmon Logs: - Sysmon Event ID 19 – WMI Event Filter Created - Sysmon Event ID 20 – WMI Event Consumer Created - Sysmon Event ID 21 – WMI Event Binding Created - Endpoint Detection & Response (EDR) - Detects WMI-based persistence techniques.	Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or providers.
x_mitre_log_sources[3]['channel']	EventCode=5857, 5858	EventCode=5857, 5858, 5860, 5861

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational', 'channel': 'EventCode=5861'}
x_mitre_log_sources	{'name': 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational', 'channel': 'EventCode=5857, 5860, 5861'}
x_mitre_log_sources	{'name': 'WinEventLog:WMI', 'channel': 'EventCode=5857, 5860, 5861'}

[DC0006] Web Credential Creation

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:38.777000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_sources[2]['name']	azure:signinLogs	azure:signinlogs

[DC0007] Web Credential Usage

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:37.480000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_sources[16]['name']	azure:signinLogs	azure:signinlogs

[DC0050] Windows Registry Key Access

Current version: 2.0

	Old Description			New Description
t	1	The action of opening a specific Windows Registry key, typic	t	1	The action of opening a specific Windows Registry key, typic
	>	ally to read its associated value. This activity can be used		>	ally to read its associated value. This activity can be used
	>	for system configuration, application settings retrieval, a		>	for system configuration, application settings retrieval, a
	>	nd security policies. Data Collection Measures: - Window		>	nd security policies.
	>	s Event Logs - Event ID 4656 - Handle to an Object was R
	>	equested: Logs attempts to open registry keys. - Event I
	>	D 4663 - An Object was Accessed: Captures read/write operati
	>	ons on registry keys. - Event ID 4657 - Registry Value M
	>	odification: Useful for detecting changes to registry keys a
	>	fter being accessed. - Sysmon - Sysmon Event ID 13 - Reg
	>	istry Value Set: Captures modifications to existing registry
	>	keys. - Endpoint Detection and Response (EDR) Solutions
	>	- Provide telemetry on registry key access activities, espe
	>	cially when linked to suspicious processes.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:39.242000+00:00	2025-11-12 22:03:39.105000+00:00
description	The action of opening a specific Windows Registry key, typically to read its associated value. This activity can be used for system configuration, application settings retrieval, and security policies. Data Collection Measures: - Windows Event Logs - Event ID 4656 - Handle to an Object was Requested: Logs attempts to open registry keys. - Event ID 4663 - An Object was Accessed: Captures read/write operations on registry keys. - Event ID 4657 - Registry Value Modification: Useful for detecting changes to registry keys after being accessed. - Sysmon - Sysmon Event ID 13 - Registry Value Set: Captures modifications to existing registry keys. - Endpoint Detection and Response (EDR) Solutions - Provide telemetry on registry key access activities, especially when linked to suspicious processes.	The action of opening a specific Windows Registry key, typically to read its associated value. This activity can be used for system configuration, application settings retrieval, and security policies.
x_mitre_log_sources[0]['channel']	EventCode=4656	EventCode=4663, 4670, 4656

[DC0056] Windows Registry Key Creation

Current version: 2.0

	Old Description			New Description
t	1	Initial construction of a new registry key within the Window	t	1	Initial construction of a new registry key within the Window
	>	s operating system. Data Collection Measures: - Window		>	s operating system.
	>	s Event Logs - Event ID 4656 - Registry Object Handle Re
	>	quested: Tracks registry key access, including newly created
	>	keys. - Event ID 4657 - Registry Value Modification: De
	>	tects modifications to an existing registry key after creati
	>	on. - Sysmon (System Monitor) for Windows - Sysmon Event
	>	ID 12 - Registry Key Created: Logs when a new registry key
	>	is created.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:37.143000+00:00	2025-11-12 22:03:39.105000+00:00
description	Initial construction of a new registry key within the Windows operating system. Data Collection Measures: - Windows Event Logs - Event ID 4656 - Registry Object Handle Requested: Tracks registry key access, including newly created keys. - Event ID 4657 - Registry Value Modification: Detects modifications to an existing registry key after creation. - Sysmon (System Monitor) for Windows - Sysmon Event ID 12 - Registry Key Created: Logs when a new registry key is created.	Initial construction of a new registry key within the Windows operating system.

[DC0063] Windows Registry Key Modification

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-22 18:34:46.572000+00:00	2025-11-12 22:03:39.105000+00:00
external_references[0]['url']	https://attack.mitre.org/data-components/DC0063	https://attack.mitre.org/datacomponents/DC0063
x_mitre_log_sources[3]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=13'}
x_mitre_log_sources	{'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=14'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4670'}

mobile-attack

Patches

[DC0064] Command Execution

Current version: 2.0

	Old Description			New Description
t	1	Command Execution involves monitoring and capturing the exec	t	1	Command Execution involves monitoring and capturing the exec
	>	ution of textual commands (including shell commands, cmdlets		>	ution of textual commands (including shell commands, cmdlets
	>	, and scripts) within an operating system or application. Th		>	, and scripts) within an operating system or application. Th
	>	ese commands may include arguments or parameters and are typ		>	ese commands may include arguments or parameters and are typ
	>	ically executed through interpreters such as `cmd.exe`, `bas		>	ically executed through interpreters such as `cmd.exe`, `bas
	>	h`, `zsh`, `PowerShell`, or programmatic execution. Examples		>	h`, `zsh`, `PowerShell`, or programmatic execution. Examples
	>	: - Windows Command Prompt - dir – Lists directory con		>	: - Windows Command Prompt - dir – Lists directory con
	>	tents. - net user – Queries or manipulates user accounts		>	tents. - net user – Queries or manipulates user accounts
	>	. - tasklist – Lists running processes. - PowerShell		>	. - tasklist – Lists running processes. - PowerShell
	>	- Get-Process – Retrieves processes running on a system.		>	- Get-Process – Retrieves processes running on a system.
	>	- Set-ExecutionPolicy – Changes PowerShell script executio		>	- Set-ExecutionPolicy – Changes PowerShell script executio
	>	n policies. - Invoke-WebRequest – Downloads remote resou		>	n policies. - Invoke-WebRequest – Downloads remote resou
	>	rces. - Linux Shell - ls – Lists files in a directory.		>	rces. - Linux Shell - ls – Lists files in a directory.
	>	- cat /etc/passwd – Reads the user accounts file. - c		>	- cat /etc/passwd – Reads the user accounts file. - c
	>	url http://malicious-site.com – Retrieves content from a mal		>	url http://malicious-site.com – Retrieves content from a mal
	>	icious URL. - Container Environments - docker exec – Exe		>	icious URL. - Container Environments - docker exec – Exe
	>	cutes a command inside a running container. - kubectl ex		>	cutes a command inside a running container. - kubectl ex
	>	ec – Runs commands in Kubernetes pods. - macOS Terminal		>	ec – Runs commands in Kubernetes pods. - macOS Terminal
	>	- open – Opens files or URLs. - dscl . -list /Users – Li		>	- open – Opens files or URLs. - dscl . -list /Users – Li
	>	sts all users on the system. - osascript -e – Executes A		>	sts all users on the system. - osascript -e – Executes A
	>	ppleScript commands. This data component can be collected t		>	ppleScript commands.
	>	hrough the following measures: Enable Command Logging - Wi
	>	ndows: - Enable PowerShell logging: `Set-ExecutionPolicy
	>	Bypass`, `Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\M
	>	icrosoft\Windows\PowerShell\ScriptBlockLogging" -Name Enable
	>	ScriptBlockLogging -Value 1` - Enable Windows Event Logg
	>	ing: - Event ID 4688: Tracks process creation, inclu
	>	ding command-line arguments. - Event ID 4104: Logs P
	>	owerShell script block execution. - Linux/macOS: - Enabl
	>	e shell history logging in `.bashrc` or `.zshrc`: `export HI
	>	STTIMEFORMAT="%d/%m/%y %T "`, `export PROMPT_COMMAND='histor
	>	y -a; history -w'` - Use audit frameworks (e.g., `auditd
	>	`) to log command executions. Example rule to log all `execv
	>	e` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_ex
	>	ec` - Containers: - Use runtime-specific tools like Dock
	>	er’s --log-driver or Kubernetes Audit Logs to capture exec c
	>	ommands. Integrate with Centralized Logging - Collect logs
	>	using a SIEM (e.g., Splunk) or cloud-based log aggregation
	>	tools like AWS CloudWatch or Azure Monitor. Example Splunk S
	>	earch for Windows Event 4688: `index=windows EventID=4688 Co
	>	mmandLine=*` Use Endpoint Detection and Response (EDR) Tool
	>	s - Monitor command executions via EDR solutions Deploy S
	>	ysmon for Advanced Logging (Windows) - Use Sysmon's Event I
	>	D 1 to log process creation with command-line arguments

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:34.849000+00:00	2025-11-12 22:03:39.105000+00:00
description	Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples: - Windows Command Prompt - dir – Lists directory contents. - net user – Queries or manipulates user accounts. - tasklist – Lists running processes. - PowerShell - Get-Process – Retrieves processes running on a system. - Set-ExecutionPolicy – Changes PowerShell script execution policies. - Invoke-WebRequest – Downloads remote resources. - Linux Shell - ls – Lists files in a directory. - cat /etc/passwd – Reads the user accounts file. - curl http://malicious-site.com – Retrieves content from a malicious URL. - Container Environments - docker exec – Executes a command inside a running container. - kubectl exec – Runs commands in Kubernetes pods. - macOS Terminal - open – Opens files or URLs. - dscl . -list /Users – Lists all users on the system. - osascript -e – Executes AppleScript commands. This data component can be collected through the following measures: Enable Command Logging - Windows: - Enable PowerShell logging: `Set-ExecutionPolicy Bypass`, `Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1` - Enable Windows Event Logging: - Event ID 4688: Tracks process creation, including command-line arguments. - Event ID 4104: Logs PowerShell script block execution. - Linux/macOS: - Enable shell history logging in `.bashrc` or `.zshrc`: `export HISTTIMEFORMAT="%d/%m/%y %T "`, `export PROMPT_COMMAND='history -a; history -w'` - Use audit frameworks (e.g., `auditd`) to log command executions. Example rule to log all `execve` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_exec` - Containers: - Use runtime-specific tools like Docker’s --log-driver or Kubernetes Audit Logs to capture exec commands. Integrate with Centralized Logging - Collect logs using a SIEM (e.g., Splunk) or cloud-based log aggregation tools like AWS CloudWatch or Azure Monitor. Example Splunk Search for Windows Event 4688: `index=windows EventID=4688 CommandLine=*` Use Endpoint Detection and Response (EDR) Tools - Monitor command executions via EDR solutions Deploy Sysmon for Advanced Logging (Windows) - Use Sysmon's Event ID 1 to log process creation with command-line arguments	Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples: - Windows Command Prompt - dir – Lists directory contents. - net user – Queries or manipulates user accounts. - tasklist – Lists running processes. - PowerShell - Get-Process – Retrieves processes running on a system. - Set-ExecutionPolicy – Changes PowerShell script execution policies. - Invoke-WebRequest – Downloads remote resources. - Linux Shell - ls – Lists files in a directory. - cat /etc/passwd – Reads the user accounts file. - curl http://malicious-site.com – Retrieves content from a malicious URL. - Container Environments - docker exec – Executes a command inside a running container. - kubectl exec – Runs commands in Kubernetes pods. - macOS Terminal - open – Opens files or URLs. - dscl . -list /Users – Lists all users on the system. - osascript -e – Executes AppleScript commands.
x_mitre_log_sources[4]['channel']	/var/log/syslog or journalctl	cron activity
x_mitre_log_sources[10]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106
x_mitre_log_sources[35]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106
x_mitre_log_sources[226]['name']	azure:signinLogs	azure:signinlogs

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Powershell', 'channel': 'EventCode=4104'}
x_mitre_log_sources	{'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103,4104'}
x_mitre_log_sources	{'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103'}
x_mitre_log_sources	{'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103,4104,4105, 4106'}
x_mitre_log_sources	{'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4105'}
x_mitre_log_sources	{'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4106'}
x_mitre_log_sources	{'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103, 4104'}

[DC0018] Host Status

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:37.544000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_sources[13]['name']	CloudWatch:Metrics	AWS:CloudWatch
x_mitre_log_sources[17]['name']	CloudWatch:InstanceMetrics	AWS:CloudWatch
x_mitre_log_sources[30]['name']	CloudMetrics:InstanceHealth	AWS:CloudMetrics

[DC0082] Network Connection Creation

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:34.190000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_sources[19]['channel']	EventCode=22	EventCode=3, 22
x_mitre_log_sources[27]['channel']	EventCode=5156	EventCode=5156, 5157
x_mitre_log_sources[90]['channel']	8001, 8002, 8003	EventCode=8001, 8002, 8003

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=3'}
x_mitre_log_sources	{'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=22'}
x_mitre_log_sources	{'name': 'auditd:SYSCALL', 'channel': 'netconnect'}
x_mitre_log_sources	{'name': 'auditd:SYSCALL', 'channel': 'open or connect'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=5156,5157'}
x_mitre_log_sources	{'name': 'linux:Sysmon', 'channel': 'EventCode=3'}

[DC0078] Network Traffic Flow

Current version: 2.0

	Old Description			New Description
t	1	Summarized network packet data that captures session-level d	t	1	Summarized network packet data that captures session-level d
	>	etails such as source/destination IPs, ports, protocol types		>	etails such as source/destination IPs, ports, protocol types
	>	, timestamps, and data volume, without storing full packet p		>	, timestamps, and data volume, without storing full packet p
	>	ayloads. This is commonly used for traffic analysis, anomaly		>	ayloads. This is commonly used for traffic analysis, anomaly
	>	detection, and network performance monitoring. *Data Colle		>	detection, and network performance monitoring.
	>	ction Measures:* - Network Flow Logs (Metadata Collection)
	>	- NetFlow - Summarized metadata for network con
	>	versations (no packet payloads). - sFlow (Sampled Flow L
	>	ogging) - Captures sampled packets from switches and
	>	routers. - Used for real-time traffic monitoring an
	>	d anomaly detection. - Zeek (Bro) Flow Logs - Ze
	>	ek logs session-level details in logs like conn.log, http.lo
	>	g, dns.log, etc. - Host-Based Collection - Sysmon Event
	>	ID 3 – Network Connection Initiated - Logs process-l
	>	evel network activity, useful for detecting malicious outbou
	>	nd connections. - AuditD (Linux) – syscall=connect
	>	- Monitors system calls for network connections. `auditct
	>	l -a always,exit -F arch=b64 -S connect -k network_activity`
	>	- Cloud & SaaS Flow Monitoring - AWS VPC Flow Logs
	>	- Captures metadata for traffic between EC2 instances, s
	>	ecurity groups, and internet gateways. - Azure NSG Flow
	>	Logs / Google VPC Flow Logs - Logs ingress/egress tr
	>	affic for cloud-based resources.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:34.703000+00:00	2025-11-12 22:03:39.105000+00:00
description	Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring. Data Collection Measures: - Network Flow Logs (Metadata Collection) - NetFlow - Summarized metadata for network conversations (no packet payloads). - sFlow (Sampled Flow Logging) - Captures sampled packets from switches and routers. - Used for real-time traffic monitoring and anomaly detection. - Zeek (Bro) Flow Logs - Zeek logs session-level details in logs like conn.log, http.log, dns.log, etc. - Host-Based Collection - Sysmon Event ID 3 – Network Connection Initiated - Logs process-level network activity, useful for detecting malicious outbound connections. - AuditD (Linux) – syscall=connect - Monitors system calls for network connections. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity` - Cloud & SaaS Flow Monitoring - AWS VPC Flow Logs - Captures metadata for traffic between EC2 instances, security groups, and internet gateways. - Azure NSG Flow Logs / Google VPC Flow Logs - Logs ingress/egress traffic for cloud-based resources.	Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring.
x_mitre_log_sources[72]['channel']	EventCode=2004,2005,2006	EventCode=2004, 2005, 2006

[DC0021] OS API Execution

Current version: 2.0

	Old Description			New Description
t	1	Calls made by a process to operating system-provided Applica	t	1	Calls made by a process to operating system-provided Applica
	>	tion Programming Interfaces (APIs). These calls are essentia		>	tion Programming Interfaces (APIs). These calls are essentia
	>	l for interacting with system resources such as memory, file		>	l for interacting with system resources such as memory, file
	>	s, and hardware, or for performing system-level tasks. Monit		>	s, and hardware, or for performing system-level tasks. Monit
	>	oring these calls can provide insight into a process's inten		>	oring these calls can provide insight into a process's inten
	>	t, especially if the process is malicious. *Data Collection		>	t, especially if the process is malicious.
	>	Measures:* - Endpoint Detection and Response (EDR) Tools:
	>	- Leverage tools to monitor API execution behaviors at t
	>	he process level. - Example: Sysmon Event ID 10 captures
	>	API call traces for process access and memory allocation. -
	>	Process Monitor (ProcMon): - Use ProcMon to collect det
	>	ailed logs of process and API activity. ProcMon can provide
	>	granular details on API usage and identify malicious behavio
	>	r during analysis. - Windows Event Logs: - Use Event IDs
	>	from Windows logs for specific API-related activities:
	>	- Event ID 4688: A new process has been created (can ind
	>	irectly infer API use). - Event ID 4657: A registry
	>	value has been modified (to monitor registry-altering APIs).
	>	- Dynamic Analysis Tools: - Tools like Cuckoo Sandbox,
	>	Flare VM, or Hybrid Analysis monitor API execution during ma
	>	lware detonation. - Host-Based Logs: - On Linux/macOS sy
	>	stems, leverage audit frameworks (e.g., `auditd`, `strace`)
	>	to capture and analyze system call usage that APIs map to. -
	>	Runtime Monitors: - Runtime security tools like Falco c
	>	an monitor system-level calls for API execution. - Debugging
	>	and Tracing: - Use debugging tools like gdb (Linux) or
	>	WinDbg (Windows) for deep tracing of API executions in real
	>	time.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.999000+00:00	2025-11-12 22:03:39.105000+00:00
description	Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious. Data Collection Measures: - Endpoint Detection and Response (EDR) Tools: - Leverage tools to monitor API execution behaviors at the process level. - Example: Sysmon Event ID 10 captures API call traces for process access and memory allocation. - Process Monitor (ProcMon): - Use ProcMon to collect detailed logs of process and API activity. ProcMon can provide granular details on API usage and identify malicious behavior during analysis. - Windows Event Logs: - Use Event IDs from Windows logs for specific API-related activities: - Event ID 4688: A new process has been created (can indirectly infer API use). - Event ID 4657: A registry value has been modified (to monitor registry-altering APIs). - Dynamic Analysis Tools: - Tools like Cuckoo Sandbox, Flare VM, or Hybrid Analysis monitor API execution during malware detonation. - Host-Based Logs: - On Linux/macOS systems, leverage audit frameworks (e.g., `auditd`, `strace`) to capture and analyze system call usage that APIs map to. - Runtime Monitors: - Runtime security tools like Falco can monitor system-level calls for API execution. - Debugging and Tracing: - Use debugging tools like gdb (Linux) or WinDbg (Windows) for deep tracing of API executions in real time.	Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious.
x_mitre_log_sources[19]['channel']	EventCode=4656	EventCode=4663, 4670, 4656

[DC0032] Process Creation

Current version: 2.0

	Old Description			New Description
t	1	Refers to the event in which a new process (executable) is i	t	1	Refers to the event in which a new process (executable) is i
	>	nitialized by an operating system. This can involve parent-c		>	nitialized by an operating system. This can involve parent-c
	>	hild process relationships, process arguments, and environme		>	hild process relationships, process arguments, and environme
	>	ntal variables. Monitoring process creation is crucial for d		>	ntal variables. Monitoring process creation is crucial for d
	>	etecting malicious behaviors, such as execution of unauthori		>	etecting malicious behaviors, such as execution of unauthori
	>	zed binaries, scripting abuse, or privilege escalation attem		>	zed binaries, scripting abuse, or privilege escalation attem
	>	pts. Data Collection Measures: - Endpoint Detection and		>	pts..
	>	Response (EDR) Tools: - EDRs provide process telemetry,
	>	tracking execution flows and arguments. - Windows Event Logs
	>	: - Event ID 4688 (Audit Process Creation): Captures pro
	>	cess creation with associated parent process. - Sysmon (Wind
	>	ows): - Event ID 1 (Process Creation): Provides detailed
	>	logging - Linux/macOS Monitoring: - AuditD (execve sysc
	>	all): Logs process creation. - eBPF/XDP: Used for low-le
	>	vel monitoring of system calls related to process execution.
	>	- OSQuery: Allows SQL-like queries to track process eve
	>	nts (process_events table). - Apple Endpoint Security Fr
	>	amework (ESF): Monitors process creation on macOS. - Network
	>	-Based Monitoring: - Zeek (Bro) Logs: Captures network-b
	>	ased process execution related to remote shells. - Syslo
	>	g/OSSEC: Tracks execution of processes on distributed system
	>	s. - Behavioral SIEM Rules: - Monitor process creation f
	>	or uncommon binaries in user directories. - Detect proce
	>	sses with suspicious command-line arguments.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 19:28:39.339000+00:00	2025-11-12 22:03:39.105000+00:00
external_references[0]['url']	https://attack.mitre.org/data-components/DC0032	https://attack.mitre.org/datacomponents/DC0032
description	Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts. Data Collection Measures: - Endpoint Detection and Response (EDR) Tools: - EDRs provide process telemetry, tracking execution flows and arguments. - Windows Event Logs: - Event ID 4688 (Audit Process Creation): Captures process creation with associated parent process. - Sysmon (Windows): - Event ID 1 (Process Creation): Provides detailed logging - Linux/macOS Monitoring: - AuditD (execve syscall): Logs process creation. - eBPF/XDP: Used for low-level monitoring of system calls related to process execution. - OSQuery: Allows SQL-like queries to track process events (process_events table). - Apple Endpoint Security Framework (ESF): Monitors process creation on macOS. - Network-Based Monitoring: - Zeek (Bro) Logs: Captures network-based process execution related to remote shells. - Syslog/OSSEC: Tracks execution of processes on distributed systems. - Behavioral SIEM Rules: - Monitor process creation for uncommon binaries in user directories. - Detect processes with suspicious command-line arguments.	Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts..
x_mitre_log_sources[293]['channel']	EventCode=8003,8004	EventCode=8003, 8004

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventlog:Security', 'channel': 'EventCode=4688'}
x_mitre_log_sources	{'name': 'WinEventLog:Microsoft-Windows-Security-Auditing', 'channel': 'EventCode=4688'}
x_mitre_log_sources	{'name': 'WinEventLog:security', 'channel': 'EventCode=4688'}

[DC0034] Process Metadata

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:35.331000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_sources[36]['channel']	EventCode=400,403	EventCode=400, 403

[DC0033] Process Termination

Current version: 2.0

	Old Description			New Description
t	1	The exit or termination of a running process on a system. Th	t	1	The exit or termination of a running process on a system. Th
	>	is can occur due to normal operations, user-initiated comman		>	is can occur due to normal operations, user-initiated comman
	>	ds, or malicious actions such as process termination by malw		>	ds, or malicious actions such as process termination by malw
	>	are to disable security controls. *Data Collection Measures		>	are to disable security controls.
	>	:* - Endpoint Detection and Response (EDR) Tools: - Mon
	>	itor process termination events. - Windows Event Logs: -
	>	Event ID 4689 (Process Termination) – Captures when a proce
	>	ss exits, including process ID and parent process. - Eve
	>	nt ID 7036 (Service Control Manager) – Monitors system servi
	>	ce stops. - Sysmon (Windows): - Event ID 5 (Process Term
	>	ination) – Detects when a process exits, including parent-ch
	>	ild relationships. - Linux/macOS Monitoring: - AuditD (`
	>	execve`, `exit_group`, `kill` syscalls) – Captures process t
	>	ermination via command-line interactions. - eBPF/XDP: Mo
	>	nitors low-level system calls related to process termination
	>	. - OSQuery: The processes table can be queried for abno
	>	rmal exits.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.181000+00:00	2025-11-12 22:03:39.105000+00:00
description	The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls. Data Collection Measures: - Endpoint Detection and Response (EDR) Tools: - Monitor process termination events. - Windows Event Logs: - Event ID 4689 (Process Termination) – Captures when a process exits, including process ID and parent process. - Event ID 7036 (Service Control Manager) – Monitors system service stops. - Sysmon (Windows): - Event ID 5 (Process Termination) – Detects when a process exits, including parent-child relationships. - Linux/macOS Monitoring: - AuditD (`execve`, `exit_group`, `kill` syscalls) – Captures process termination via command-line interactions. - eBPF/XDP: Monitors low-level system calls related to process termination. - OSQuery: The processes table can be queried for abnormal exits.	The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls.

ics-attack

Patches

[DC0038] Application Log Content

Current version: 2.0

	Old Description			New Description
t	1	Application Log Content refers to logs generated by applicat	t	1	Application Log Content refers to logs generated by applicat
	>	ions or services, providing a record of their activity. Thes		>	ions or services, providing a record of their activity. Thes
	>	e logs may include metrics, errors, performance data, and op		>	e logs may include metrics, errors, performance data, and op
	>	erational alerts from web, mail, or other applications. Thes		>	erational alerts from web, mail, or other applications. Thes
	>	e logs are vital for monitoring application behavior and det		>	e logs are vital for monitoring application behavior and det
	>	ecting malicious activities or anomalies. Examples: - Web		>	ecting malicious activities or anomalies. Examples: - Web
	>	Application Logs: These logs include information about reque		>	Application Logs: These logs include information about reque
	>	sts, responses, errors, and security events (e.g., unauthori		>	sts, responses, errors, and security events (e.g., unauthori
	>	zed access attempts). - Email Application Logs: Logs contain		>	zed access attempts). - Email Application Logs: Logs contain
	>	metadata about emails sent, received, or blocked (e.g., sen		>	metadata about emails sent, received, or blocked (e.g., sen
	>	der/receiver addresses, message IDs). - SaaS Application Log		>	der/receiver addresses, message IDs). - SaaS Application Log
	>	s: Activity logs include user logins, configuration changes,		>	s: Activity logs include user logins, configuration changes,
	>	and access to sensitive resources. - Cloud Application Logs		>	and access to sensitive resources. - Cloud Application Logs
	>	: Logs detail control plane activities, including API calls,		>	: Logs detail control plane activities, including API calls,
	>	instance modifications, and network changes. - System/Appli		>	instance modifications, and network changes. - System/Appli
	>	cation Monitoring Logs: Logs provide insights into applicati		>	cation Monitoring Logs: Logs provide insights into applicati
	>	on performance, errors, and anomalies. This data component		>	on performance, errors, and anomalies.
	>	can be collected through the following measures: Configure
	>	Application Logging - Enable logging within the application
	>	or service. - Examples: - Web Servers: Enable access an
	>	d error logs in NGINX or Apache. - Email Systems: Enable
	>	audit logging in Microsoft Exchange or Gmail. Centralized
	>	Log Management - Use log management solutions like Splunk,
	>	or a cloud-native logging solution. - Configure the applicat
	>	ion to send logs to a centralized system for analysis. Clou
	>	d-Specific Collection - Use services like AWS CloudWatch, A
	>	zure Monitor, or Google Cloud Operations Suite for cloud-bas
	>	ed applications. - Ensure logging is enabled for all critica
	>	l resources (e.g., API calls, IAM changes). SIEM Integratio
	>	n - Integrate application logs with a SIEM platform (e.g.,
	>	Splunk, QRadar) for real-time correlation and analysis. - Us
	>	e parsers to standardize log formats and extract key fields
	>	like timestamps, user IDs, and error codes.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.580000+00:00	2025-11-12 22:03:39.105000+00:00
description	Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications. These logs are vital for monitoring application behavior and detecting malicious activities or anomalies. Examples: - Web Application Logs: These logs include information about requests, responses, errors, and security events (e.g., unauthorized access attempts). - Email Application Logs: Logs contain metadata about emails sent, received, or blocked (e.g., sender/receiver addresses, message IDs). - SaaS Application Logs: Activity logs include user logins, configuration changes, and access to sensitive resources. - Cloud Application Logs: Logs detail control plane activities, including API calls, instance modifications, and network changes. - System/Application Monitoring Logs: Logs provide insights into application performance, errors, and anomalies. This data component can be collected through the following measures: Configure Application Logging - Enable logging within the application or service. - Examples: - Web Servers: Enable access and error logs in NGINX or Apache. - Email Systems: Enable audit logging in Microsoft Exchange or Gmail. Centralized Log Management - Use log management solutions like Splunk, or a cloud-native logging solution. - Configure the application to send logs to a centralized system for analysis. Cloud-Specific Collection - Use services like AWS CloudWatch, Azure Monitor, or Google Cloud Operations Suite for cloud-based applications. - Ensure logging is enabled for all critical resources (e.g., API calls, IAM changes). SIEM Integration - Integrate application logs with a SIEM platform (e.g., Splunk, QRadar) for real-time correlation and analysis. - Use parsers to standardize log formats and extract key fields like timestamps, user IDs, and error codes.	Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications. These logs are vital for monitoring application behavior and detecting malicious activities or anomalies. Examples: - Web Application Logs: These logs include information about requests, responses, errors, and security events (e.g., unauthorized access attempts). - Email Application Logs: Logs contain metadata about emails sent, received, or blocked (e.g., sender/receiver addresses, message IDs). - SaaS Application Logs: Activity logs include user logins, configuration changes, and access to sensitive resources. - Cloud Application Logs: Logs detail control plane activities, including API calls, instance modifications, and network changes. - System/Application Monitoring Logs: Logs provide insights into application performance, errors, and anomalies.
x_mitre_log_sources[17]['name']	WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational	WinEventLog:System
x_mitre_log_sources[37]['name']	azure:signinLogs	azure:signinlogs
x_mitre_log_sources[75]['name']	WinEventLog:Application	WinEventLog:System
x_mitre_log_sources[75]['channel']	EventCode=1000-1026	EventCode=1000
x_mitre_log_sources[44]['channel']	EventCode=7031,7034,1000,1001	EventCode=1341, 1342, 1020, 1063
x_mitre_log_sources[172]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Application', 'channel': 'EventCode=1000, 1001, 1002'}
x_mitre_log_sources	{'name': 'WinEventLog:System', 'channel': 'EventCode=1341,1342,1020,1063'}
x_mitre_log_sources	{'name': 'WinEventLog:Application', 'channel': 'EventCode=1000,1001'}

[DC0064] Command Execution

Current version: 2.0

	Old Description			New Description
t	1	Command Execution involves monitoring and capturing the exec	t	1	Command Execution involves monitoring and capturing the exec
	>	ution of textual commands (including shell commands, cmdlets		>	ution of textual commands (including shell commands, cmdlets
	>	, and scripts) within an operating system or application. Th		>	, and scripts) within an operating system or application. Th
	>	ese commands may include arguments or parameters and are typ		>	ese commands may include arguments or parameters and are typ
	>	ically executed through interpreters such as `cmd.exe`, `bas		>	ically executed through interpreters such as `cmd.exe`, `bas
	>	h`, `zsh`, `PowerShell`, or programmatic execution. Examples		>	h`, `zsh`, `PowerShell`, or programmatic execution. Examples
	>	: - Windows Command Prompt - dir – Lists directory con		>	: - Windows Command Prompt - dir – Lists directory con
	>	tents. - net user – Queries or manipulates user accounts		>	tents. - net user – Queries or manipulates user accounts
	>	. - tasklist – Lists running processes. - PowerShell		>	. - tasklist – Lists running processes. - PowerShell
	>	- Get-Process – Retrieves processes running on a system.		>	- Get-Process – Retrieves processes running on a system.
	>	- Set-ExecutionPolicy – Changes PowerShell script executio		>	- Set-ExecutionPolicy – Changes PowerShell script executio
	>	n policies. - Invoke-WebRequest – Downloads remote resou		>	n policies. - Invoke-WebRequest – Downloads remote resou
	>	rces. - Linux Shell - ls – Lists files in a directory.		>	rces. - Linux Shell - ls – Lists files in a directory.
	>	- cat /etc/passwd – Reads the user accounts file. - c		>	- cat /etc/passwd – Reads the user accounts file. - c
	>	url http://malicious-site.com – Retrieves content from a mal		>	url http://malicious-site.com – Retrieves content from a mal
	>	icious URL. - Container Environments - docker exec – Exe		>	icious URL. - Container Environments - docker exec – Exe
	>	cutes a command inside a running container. - kubectl ex		>	cutes a command inside a running container. - kubectl ex
	>	ec – Runs commands in Kubernetes pods. - macOS Terminal		>	ec – Runs commands in Kubernetes pods. - macOS Terminal
	>	- open – Opens files or URLs. - dscl . -list /Users – Li		>	- open – Opens files or URLs. - dscl . -list /Users – Li
	>	sts all users on the system. - osascript -e – Executes A		>	sts all users on the system. - osascript -e – Executes A
	>	ppleScript commands. This data component can be collected t		>	ppleScript commands.
	>	hrough the following measures: Enable Command Logging - Wi
	>	ndows: - Enable PowerShell logging: `Set-ExecutionPolicy
	>	Bypass`, `Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\M
	>	icrosoft\Windows\PowerShell\ScriptBlockLogging" -Name Enable
	>	ScriptBlockLogging -Value 1` - Enable Windows Event Logg
	>	ing: - Event ID 4688: Tracks process creation, inclu
	>	ding command-line arguments. - Event ID 4104: Logs P
	>	owerShell script block execution. - Linux/macOS: - Enabl
	>	e shell history logging in `.bashrc` or `.zshrc`: `export HI
	>	STTIMEFORMAT="%d/%m/%y %T "`, `export PROMPT_COMMAND='histor
	>	y -a; history -w'` - Use audit frameworks (e.g., `auditd
	>	`) to log command executions. Example rule to log all `execv
	>	e` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_ex
	>	ec` - Containers: - Use runtime-specific tools like Dock
	>	er’s --log-driver or Kubernetes Audit Logs to capture exec c
	>	ommands. Integrate with Centralized Logging - Collect logs
	>	using a SIEM (e.g., Splunk) or cloud-based log aggregation
	>	tools like AWS CloudWatch or Azure Monitor. Example Splunk S
	>	earch for Windows Event 4688: `index=windows EventID=4688 Co
	>	mmandLine=*` Use Endpoint Detection and Response (EDR) Tool
	>	s - Monitor command executions via EDR solutions Deploy S
	>	ysmon for Advanced Logging (Windows) - Use Sysmon's Event I
	>	D 1 to log process creation with command-line arguments

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:34.849000+00:00	2025-11-12 22:03:39.105000+00:00
description	Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples: - Windows Command Prompt - dir – Lists directory contents. - net user – Queries or manipulates user accounts. - tasklist – Lists running processes. - PowerShell - Get-Process – Retrieves processes running on a system. - Set-ExecutionPolicy – Changes PowerShell script execution policies. - Invoke-WebRequest – Downloads remote resources. - Linux Shell - ls – Lists files in a directory. - cat /etc/passwd – Reads the user accounts file. - curl http://malicious-site.com – Retrieves content from a malicious URL. - Container Environments - docker exec – Executes a command inside a running container. - kubectl exec – Runs commands in Kubernetes pods. - macOS Terminal - open – Opens files or URLs. - dscl . -list /Users – Lists all users on the system. - osascript -e – Executes AppleScript commands. This data component can be collected through the following measures: Enable Command Logging - Windows: - Enable PowerShell logging: `Set-ExecutionPolicy Bypass`, `Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1` - Enable Windows Event Logging: - Event ID 4688: Tracks process creation, including command-line arguments. - Event ID 4104: Logs PowerShell script block execution. - Linux/macOS: - Enable shell history logging in `.bashrc` or `.zshrc`: `export HISTTIMEFORMAT="%d/%m/%y %T "`, `export PROMPT_COMMAND='history -a; history -w'` - Use audit frameworks (e.g., `auditd`) to log command executions. Example rule to log all `execve` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_exec` - Containers: - Use runtime-specific tools like Docker’s --log-driver or Kubernetes Audit Logs to capture exec commands. Integrate with Centralized Logging - Collect logs using a SIEM (e.g., Splunk) or cloud-based log aggregation tools like AWS CloudWatch or Azure Monitor. Example Splunk Search for Windows Event 4688: `index=windows EventID=4688 CommandLine=*` Use Endpoint Detection and Response (EDR) Tools - Monitor command executions via EDR solutions Deploy Sysmon for Advanced Logging (Windows) - Use Sysmon's Event ID 1 to log process creation with command-line arguments	Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples: - Windows Command Prompt - dir – Lists directory contents. - net user – Queries or manipulates user accounts. - tasklist – Lists running processes. - PowerShell - Get-Process – Retrieves processes running on a system. - Set-ExecutionPolicy – Changes PowerShell script execution policies. - Invoke-WebRequest – Downloads remote resources. - Linux Shell - ls – Lists files in a directory. - cat /etc/passwd – Reads the user accounts file. - curl http://malicious-site.com – Retrieves content from a malicious URL. - Container Environments - docker exec – Executes a command inside a running container. - kubectl exec – Runs commands in Kubernetes pods. - macOS Terminal - open – Opens files or URLs. - dscl . -list /Users – Lists all users on the system. - osascript -e – Executes AppleScript commands.
x_mitre_log_sources[4]['channel']	/var/log/syslog or journalctl	cron activity
x_mitre_log_sources[10]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106
x_mitre_log_sources[35]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106
x_mitre_log_sources[226]['name']	azure:signinLogs	azure:signinlogs

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Powershell', 'channel': 'EventCode=4104'}
x_mitre_log_sources	{'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103,4104'}
x_mitre_log_sources	{'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103'}
x_mitre_log_sources	{'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103,4104,4105, 4106'}
x_mitre_log_sources	{'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4105'}
x_mitre_log_sources	{'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4106'}
x_mitre_log_sources	{'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103, 4104'}

[DC0042] Drive Creation

Current version: 2.0

	Old Description			New Description
t	1	The activity of assigning a new drive letter or creating a m	t	1	The activity of assigning a new drive letter or creating a m
	>	ount point for a data storage device, such as a USB, network		>	ount point for a data storage device, such as a USB, network
	>	share, or external hard drive, enabling access to its conte		>	share, or external hard drive, enabling access to its conte
	>	nt on a host system. Examples: - USB Drive Insertion: A US		>	nt on a host system. Examples: - USB Drive Insertion: A US
	>	B drive is plugged in and automatically assigned the letter		>	B drive is plugged in and automatically assigned the letter
	>	`E:\` on a Windows machine. - Network Drive Mapping: A netwo		>	`E:\` on a Windows machine. - Network Drive Mapping: A netwo
	>	rk share `\\server\share` is mapped to the drive `Z:\`. - Vi		>	rk share `\\server\share` is mapped to the drive `Z:\`. - Vi
	>	rtual Drive Creation: A virtual disk is mounted on `/mnt/vir		>	rtual Drive Creation: A virtual disk is mounted on `/mnt/vir
	>	tualdrive` using an ISO image or a virtual hard disk (VHD).		>	tualdrive` using an ISO image or a virtual hard disk (VHD).
	>	- Cloud Storage Mounting: Google Drive is mounted as `G:\` o		>	- Cloud Storage Mounting: Google Drive is mounted as `G:\` o
	>	n a Windows machine using a cloud sync tool. - External Stor		>	n a Windows machine using a cloud sync tool. - External Stor
	>	age Integration: An external HDD or SSD is connected and ass		>	age Integration: An external HDD or SSD is connected and ass
	>	igned `/mnt/external` on a Linux system. This data componen		>	igned `/mnt/external` on a Linux system..
	>	t can be collected through the following measures: Windows
	>	Event Logs - Relevant Events: - Event ID 98: Logs the c
	>	reation of a volume (mount or new drive letter assignment).
	>	- Event ID 1006: Logs removable storage device insertion
	>	s. - Configuration: Enable "Removable Storage Events" in the
	>	Group Policy settings: `Computer Configuration > Administra
	>	tive Templates > System > Removable Storage Access` Linux S
	>	ystem Logs - Command-Line Monitoring: Use `dmesg` or `journ
	>	alctl` to monitor mount events. - Auditd Configuration: Add
	>	audit rules to track mount points. - Logs can be reviewed i
	>	n /var/log/audit/audit.log. macOS System Logs - Unified Lo
	>	gs: Monitor system logs for mount activity: - Command-Line T
	>	ools: Use `diskutil list` to verify newly created or mounted
	>	drives. Endpoint Detection and Response (EDR) Tools - EDR
	>	solutions can log removable drive usage and network-mounted
	>	drives. Configure EDR policies to alert on suspicious drive
	>	creation events. SIEM Tools - Centralize logs from multip
	>	le platforms into a SIEM (e.g., Splunk) to correlate and ale
	>	rt on suspicious drive creation activities.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:37.342000+00:00	2025-11-12 22:03:39.105000+00:00
description	The activity of assigning a new drive letter or creating a mount point for a data storage device, such as a USB, network share, or external hard drive, enabling access to its content on a host system. Examples: - USB Drive Insertion: A USB drive is plugged in and automatically assigned the letter `E:\` on a Windows machine. - Network Drive Mapping: A network share `\\server\share` is mapped to the drive `Z:\`. - Virtual Drive Creation: A virtual disk is mounted on `/mnt/virtualdrive` using an ISO image or a virtual hard disk (VHD). - Cloud Storage Mounting: Google Drive is mounted as `G:\` on a Windows machine using a cloud sync tool. - External Storage Integration: An external HDD or SSD is connected and assigned `/mnt/external` on a Linux system. This data component can be collected through the following measures: Windows Event Logs - Relevant Events: - Event ID 98: Logs the creation of a volume (mount or new drive letter assignment). - Event ID 1006: Logs removable storage device insertions. - Configuration: Enable "Removable Storage Events" in the Group Policy settings: `Computer Configuration > Administrative Templates > System > Removable Storage Access` Linux System Logs - Command-Line Monitoring: Use `dmesg` or `journalctl` to monitor mount events. - Auditd Configuration: Add audit rules to track mount points. - Logs can be reviewed in /var/log/audit/audit.log. macOS System Logs - Unified Logs: Monitor system logs for mount activity: - Command-Line Tools: Use `diskutil list` to verify newly created or mounted drives. Endpoint Detection and Response (EDR) Tools - EDR solutions can log removable drive usage and network-mounted drives. Configure EDR policies to alert on suspicious drive creation events. SIEM Tools - Centralize logs from multiple platforms into a SIEM (e.g., Splunk) to correlate and alert on suspicious drive creation activities.	The activity of assigning a new drive letter or creating a mount point for a data storage device, such as a USB, network share, or external hard drive, enabling access to its content on a host system. Examples: - USB Drive Insertion: A USB drive is plugged in and automatically assigned the letter `E:\` on a Windows machine. - Network Drive Mapping: A network share `\\server\share` is mapped to the drive `Z:\`. - Virtual Drive Creation: A virtual disk is mounted on `/mnt/virtualdrive` using an ISO image or a virtual hard disk (VHD). - Cloud Storage Mounting: Google Drive is mounted as `G:\` on a Windows machine using a cloud sync tool. - External Storage Integration: An external HDD or SSD is connected and assigned `/mnt/external` on a Linux system..
x_mitre_log_sources[4]['name']	WinEventLog:Microsoft-Windows-Partition/Diagnostic	WinEventLog:System
x_mitre_log_sources[7]['channel']	EventCode=1006,10001	EventCode=1006, 10001

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational', 'channel': 'EventCode=2003'}
x_mitre_log_sources	{'name': 'WinEventLog:System', 'channel': 'EventCode=20001/20003'}
x_mitre_log_sources	{'name': 'WinEventLog:System', 'channel': '20001-20003'}

[DC0046] Drive Modification

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-22 19:03:17.198000+00:00	2025-11-12 22:03:39.105000+00:00
external_references[0]['url']	https://attack.mitre.org/data-components/DC0046	https://attack.mitre.org/datacomponents/DC0046

[DC0055] File Access

Current version: 2.0

	Old Description			New Description
t	1	To events where a file is opened or accessed, making its con	t	1	To events where a file is opened or accessed, making its con
	>	tents available to the requester. This includes reading, exe		>	tents available to the requester. This includes reading, exe
	>	cuting, or interacting with files by authorized or unauthori		>	cuting, or interacting with files by authorized or unauthori
	>	zed entities. Examples include logging file access events (e		>	zed entities. Examples include logging file access events (e
	>	.g., Windows Event ID 4663), monitoring file reads, and dete		>	.g., Windows Event ID 4663), monitoring file reads, and dete
	>	cting unusual file access patterns. Examples: - File Read		>	cting unusual file access patterns. Examples: - File Read
	>	Operations: A user opens a sensitive document (e.g., financi		>	Operations: A user opens a sensitive document (e.g., financi
	>	al_report.xlsx) on a shared drive. - File Execution: A scrip		>	al_report.xlsx) on a shared drive. - File Execution: A scrip
	>	t or executable file is accessed and executed (e.g., malware		>	t or executable file is accessed and executed (e.g., malware
	>	.exe is run from a temporary directory). - Unauthorized File		>	.exe is run from a temporary directory). - Unauthorized File
	>	Access: An unauthorized user attempts to access a protected		>	Access: An unauthorized user attempts to access a protected
	>	configuration file (e.g., `/etc/passwd` on Linux or `System		>	configuration file (e.g., `/etc/passwd` on Linux or `System
	>	32` files on Windows). - File Access Patterns: Bulk access t		>	32` files on Windows). - File Access Patterns: Bulk access t
	>	o multiple files in a short time (e.g., mass access to docum		>	o multiple files in a short time (e.g., mass access to docum
	>	ents on a file server). - File Access via Network: Files on		>	ents on a file server). - File Access via Network: Files on
	>	a network share are accessed remotely (e.g., logs of SMB fil		>	a network share are accessed remotely (e.g., logs of SMB fil
	>	e access). This data component can be collected through the		>	e access).
	>	following measures: Windows - Windows Event Logs: Event I
	>	D 4663: Captures file system auditing details, including who
	>	accessed the file, access type, and file name. - Sysmon:
	>	- Event ID 11: Logs file creation time changes. - Even
	>	t ID 1 (process creation): Can provide insight into files ex
	>	ecuted. - PowerShell: Commands to monitor file access in rea
	>	l-time: `Get-WinEvent -FilterHashtable @{LogName='Security';
	>	ID=4663}` Linux - Auditd: Monitor file access events usin
	>	g audit rules: `auditctl -w /path/to/file -p rwxa -k file_ac
	>	cess` - View logs: `ausearch -k file_access` - Inotify: Use
	>	inotify to track file access on Linux: `inotifywait -m /path
	>	/to/watch -e access` macOS - Unified Logs: Monitor file ac
	>	cess using the macOS Unified Logging System. - FSEvents: Fil
	>	e System Events can track file accesses: `fs_usage \| grep op
	>	en` Network Devices - SMB/CIFS Logs: Monitor file access o
	>	ver network shares using logs from SMB or CIFS protocol. - N
	>	AS Logs: Collect logs from network-attached storage systems
	>	for file access events. SIEM Integration - Collect file ac
	>	cess logs from all platforms (Windows, Linux, macOS) and cen
	>	tralize in a SIEM for correlation and analysis.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:35.674000+00:00	2025-11-12 22:03:39.105000+00:00
description	To events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples: - File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive. - File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory). - Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., `/etc/passwd` on Linux or `System32` files on Windows). - File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server). - File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access). This data component can be collected through the following measures: Windows - Windows Event Logs: Event ID 4663: Captures file system auditing details, including who accessed the file, access type, and file name. - Sysmon: - Event ID 11: Logs file creation time changes. - Event ID 1 (process creation): Can provide insight into files executed. - PowerShell: Commands to monitor file access in real-time: `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663}` Linux - Auditd: Monitor file access events using audit rules: `auditctl -w /path/to/file -p rwxa -k file_access` - View logs: `ausearch -k file_access` - Inotify: Use inotify to track file access on Linux: `inotifywait -m /path/to/watch -e access` macOS - Unified Logs: Monitor file access using the macOS Unified Logging System. - FSEvents: File System Events can track file accesses: `fs_usage \| grep open` Network Devices - SMB/CIFS Logs: Monitor file access over network shares using logs from SMB or CIFS protocol. - NAS Logs: Collect logs from network-attached storage systems for file access events. SIEM Integration - Collect file access logs from all platforms (Windows, Linux, macOS) and centralize in a SIEM for correlation and analysis.	To events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples: - File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive. - File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory). - Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., `/etc/passwd` on Linux or `System32` files on Windows). - File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server). - File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access).
x_mitre_log_sources[4]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4656, 4663'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4656,4663'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4670, 4663'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4656'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=5145, 4663'}
x_mitre_log_sources	{'name': 'auditd:PATH', 'channel': 'path'}

[DC0039] File Creation

Current version: 2.0

	Old Description			New Description
t	1	A new file is created on a system or network storage. This a	t	1	A new file is created on a system or network storage. This a
	>	ction often signifies an operation such as saving a document		>	ction often signifies an operation such as saving a document
	>	, writing data, or deploying a file. Logging these events he		>	, writing data, or deploying a file. Logging these events he
	>	lps identify legitimate or potentially malicious file creati		>	lps identify legitimate or potentially malicious file creati
	>	on activities. Examples include logging file creation events		>	on activities. Examples include logging file creation events
	>	(e.g., Sysmon Event ID 11 or Linux auditd logs). This dat		>	(e.g., Sysmon Event ID 11 or Linux auditd logs).
	>	a component can be collected through the following measures:
	>	Windows - Sysmon: Event ID 11: Logs file creation events,
	>	capturing details like the file path, hash, and creation ti
	>	me. - Windows Event Log: Enable "Object Access" auditing in
	>	Group Policy to track file creation under Event ID 4663. - P
	>	owerShell: Real-time monitoring of file creation:`Get-WinEve
	>	nt -FilterHashtable @{LogName='Security'; ID=4663}` Linux
	>	- Auditd: Use audit rules to monitor file creation: `auditct
	>	l -w /path/to/directory -p w -k file_creation` - View logs:
	>	`ausearch -k file_creation` - Inotify: Monitor file creation
	>	with inotifywait: `inotifywait -m /path/to/watch -e create`
	>	macOS - Unified Logs: Use the macOS Unified Logging Syste
	>	m to capture file creation events. - FSEvents: Use File Syst
	>	em Events to monitor file creation: `fs_usage \| grep create`
	>	Network Devices - NAS Logs: Monitor file creation events
	>	on network-attached storage devices. - SMB Logs: Collect log
	>	s of file creation activities over SMB/CIFS protocols. SIEM
	>	Integration - Forward logs from all platforms (Windows, Li
	>	nux, macOS) to a SIEM for central analysis and alerting.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 19:32:14.744000+00:00	2025-11-12 22:03:39.105000+00:00
external_references[0]['url']	https://attack.mitre.org/data-components/DC0039	https://attack.mitre.org/datacomponents/DC0039
description	A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs). This data component can be collected through the following measures: Windows - Sysmon: Event ID 11: Logs file creation events, capturing details like the file path, hash, and creation time. - Windows Event Log: Enable "Object Access" auditing in Group Policy to track file creation under Event ID 4663. - PowerShell: Real-time monitoring of file creation:`Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663}` Linux - Auditd: Use audit rules to monitor file creation: `auditctl -w /path/to/directory -p w -k file_creation` - View logs: `ausearch -k file_creation` - Inotify: Monitor file creation with inotifywait: `inotifywait -m /path/to/watch -e create` macOS - Unified Logs: Use the macOS Unified Logging System to capture file creation events. - FSEvents: Use File System Events to monitor file creation: `fs_usage \| grep create` Network Devices - NAS Logs: Monitor file creation events on network-attached storage devices. - SMB Logs: Collect logs of file creation activities over SMB/CIFS protocols. SIEM Integration - Forward logs from all platforms (Windows, Linux, macOS) to a SIEM for central analysis and alerting.	A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs).
x_mitre_log_sources[37]['name']	macos:unified	macos:unifiedlog

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Sysmon', 'channel': 'Modification of .asar in /opt or ~/.config directories'}

[DC0040] File Deletion

Current version: 2.0

	Old Description			New Description
t	1	Refers to events where files are removed from a system or st	t	1	Refers to events where files are removed from a system or st
	>	orage device. These events can indicate legitimate housekeep		>	orage device. These events can indicate legitimate housekeep
	>	ing activities or malicious actions such as attackers attemp		>	ing activities or malicious actions such as attackers attemp
	>	ting to cover their tracks. Monitoring file deletions helps		>	ting to cover their tracks. Monitoring file deletions helps
	>	organizations identify unauthorized or suspicious activities		>	organizations identify unauthorized or suspicious activities
	>	. This data component can be collected through the followin		>	.
	>	g measures: Windows - Sysmon: Event ID 23: Logs file delet
	>	ion events, including details such as file paths and respons
	>	ible processes. - Windows Event Log: Enable "Object Access"
	>	auditing to monitor file deletions. - PowerShell: `Get-WinEv
	>	ent -FilterHashtable @{LogName='Security'; ID=4663} \| Where-
	>	Object {$_.Message -like 'DELETE'}` Linux - Auditd: Use
	>	audit rules to capture file deletion events: `auditctl -a al
	>	ways,exit -F arch=b64 -S unlink -S rename -S rmdir -k file_d
	>	eletion` - Query logs: `ausearch -k file_deletion` - Inotify
	>	: Use inotifywait to monitor file deletions: `inotifywait -m
	>	/path/to/watch -e delete` macOS - Endpoint Security Frame
	>	work (ESF): Monitor events like ES_EVENT_TYPE_AUTH_UNLINK to
	>	capture file deletion activities. - FSEvents: Track file de
	>	letion activities in real-time: `fs_usage \| grep unlink` SI
	>	EM Integration - Forward file deletion logs to a SIEM for c
	>	entralized monitoring and correlation with other events.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.450000+00:00	2025-11-12 22:03:39.105000+00:00
description	Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities. This data component can be collected through the following measures: Windows - Sysmon: Event ID 23: Logs file deletion events, including details such as file paths and responsible processes. - Windows Event Log: Enable "Object Access" auditing to monitor file deletions. - PowerShell: `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663} \| Where-Object {$_.Message -like 'DELETE'}` Linux - Auditd: Use audit rules to capture file deletion events: `auditctl -a always,exit -F arch=b64 -S unlink -S rename -S rmdir -k file_deletion` - Query logs: `ausearch -k file_deletion` - Inotify: Use inotifywait to monitor file deletions: `inotifywait -m /path/to/watch -e delete` macOS - Endpoint Security Framework (ESF): Monitor events like ES_EVENT_TYPE_AUTH_UNLINK to capture file deletion activities. - FSEvents: Track file deletion activities in real-time: `fs_usage \| grep unlink` SIEM Integration - Forward file deletion logs to a SIEM for centralized monitoring and correlation with other events.	Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities.

[DC0059] File Metadata

Current version: 2.0

	Old Description			New Description
t	1	contextual information about a file, including attributes su	t	1	contextual information about a file, including attributes su
	>	ch as the file's name, size, type, content (e.g., signatures		>	ch as the file's name, size, type, content (e.g., signatures
	>	, headers, media), user/owner, permissions, timestamps, and		>	, headers, media), user/owner, permissions, timestamps, and
	>	other related properties. File metadata provides insights in		>	other related properties. File metadata provides insights in
	>	to a file's characteristics and can be used to detect malici		>	to a file's characteristics and can be used to detect malici
	>	ous activity, unauthorized modifications, or other anomalies		>	ous activity, unauthorized modifications, or other anomalies
	>	. Examples: - File Ownership and Permissions: Checking the		>	. Examples: - File Ownership and Permissions: Checking the
	>	owner and permissions of a critical configuration file like		>	owner and permissions of a critical configuration file like
	>	/etc/passwd on Linux or C:\Windows\System32\config\SAM on W		>	/etc/passwd on Linux or C:\Windows\System32\config\SAM on W
	>	indows. - Timestamps: Analyzing the creation, modification,		>	indows. - Timestamps: Analyzing the creation, modification,
	>	and access timestamps of a file. - File Content and Signatur		>	and access timestamps of a file. - File Content and Signatur
	>	es: Extracting the headers of an executable file to verify i		>	es: Extracting the headers of an executable file to verify i
	>	ts signature or detect packing/obfuscation. - File Attribute		>	ts signature or detect packing/obfuscation. - File Attribute
	>	s: Analyzing attributes like hidden, system, or read-only fl		>	s: Analyzing attributes like hidden, system, or read-only fl
	>	ags in Windows. - File Hashes: Generating MD5, SHA-1, or SHA		>	ags in Windows. - File Hashes: Generating MD5, SHA-1, or SHA
	>	-256 hashes of files to compare against threat intelligence		>	-256 hashes of files to compare against threat intelligence
	>	feeds. - File Location: Monitoring files located in unusual		>	feeds. - File Location: Monitoring files located in unusual
	>	directories or paths, such as temporary or user folders. Th		>	directories or paths, such as temporary or user folders.
	>	is data component can be collected through the following mea
	>	sures: Windows - Sysinternals Tools: Use `AccessEnum` or `
	>	PSFile` to retrieve metadata about file access and permissio
	>	ns. - Windows Event Logs: Enable object access auditing and
	>	monitor events like 4663 (Object Access) and 5140 (A network
	>	share object was accessed). - PowerShell: Use Get-Item or G
	>	et-ChildItem cmdlets: `Get-ChildItem -Path "C:\Path\To\Direc
	>	tory" -Recurse \| Select-Object Name, Length, LastWriteTime,
	>	Attributes` Linux - File System Commands: Use `ls -l` or s
	>	tat to retrieve file metadata: `stat /path/to/file` - Auditd
	>	: Configure audit rules to log metadata access: `auditctl -w
	>	/path/to/file -p wa -k file_metadata` - Filesystem Integrit
	>	y Tools: Tools like tripwire or AIDE (Advanced Intrusion Det
	>	ection Environment) can monitor file metadata changes. macO
	>	S - FSEvents: Use FSEvents to track file metadata changes.
	>	- Endpoint Security Framework (ESF): Capture metadata-relate
	>	d events via ESF APIs. - Command-Line Tools: Use ls -l or xa
	>	ttr for file attributes: `ls -l@ /path/to/file` SIEM Integr
	>	ation - Forward file metadata logs from endpoint or network
	>	devices to a SIEM for centralized analysis.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:35.397000+00:00	2025-11-12 22:03:39.105000+00:00
description	contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples: - File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\Windows\System32\config\SAM on Windows. - Timestamps: Analyzing the creation, modification, and access timestamps of a file. - File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation. - File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows. - File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds. - File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders. This data component can be collected through the following measures: Windows - Sysinternals Tools: Use `AccessEnum` or `PSFile` to retrieve metadata about file access and permissions. - Windows Event Logs: Enable object access auditing and monitor events like 4663 (Object Access) and 5140 (A network share object was accessed). - PowerShell: Use Get-Item or Get-ChildItem cmdlets: `Get-ChildItem -Path "C:\Path\To\Directory" -Recurse \| Select-Object Name, Length, LastWriteTime, Attributes` Linux - File System Commands: Use `ls -l` or stat to retrieve file metadata: `stat /path/to/file` - Auditd: Configure audit rules to log metadata access: `auditctl -w /path/to/file -p wa -k file_metadata` - Filesystem Integrity Tools: Tools like tripwire or AIDE (Advanced Intrusion Detection Environment) can monitor file metadata changes. macOS - FSEvents: Use FSEvents to track file metadata changes. - Endpoint Security Framework (ESF): Capture metadata-related events via ESF APIs. - Command-Line Tools: Use ls -l or xattr for file attributes: `ls -l@ /path/to/file` SIEM Integration - Forward file metadata logs from endpoint or network devices to a SIEM for centralized analysis.	contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples: - File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\Windows\System32\config\SAM on Windows. - Timestamps: Analyzing the creation, modification, and access timestamps of a file. - File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation. - File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows. - File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds. - File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders.
x_mitre_log_sources[18]['channel']	path	PATH
x_mitre_log_sources[42]['channel']	EventCode=4670	EventCode=4663, 4670, 4656

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4663'}
x_mitre_log_sources	{'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=15 '}

[DC0061] File Modification

Current version: 2.0

	Old Description			New Description
t	1	Changes made to a file, including updates to its contents, m	t	1	Changes made to a file, including updates to its contents, m
	>	etadata, access permissions, or attributes. These modificati		>	etadata, access permissions, or attributes. These modificati
	>	ons may indicate legitimate activity (e.g., software updates		>	ons may indicate legitimate activity (e.g., software updates
	>	) or unauthorized changes (e.g., tampering, ransomware, or a		>	) or unauthorized changes (e.g., tampering, ransomware, or a
	>	dversarial modifications). Examples: - Content Modificatio		>	dversarial modifications). Examples: - Content Modificatio
	>	ns: Changes to the content of a configuration file, such as		>	ns: Changes to the content of a configuration file, such as
	>	modifying `/etc/ssh/sshd_config` on Linux or `C:\Windows\Sys		>	modifying `/etc/ssh/sshd_config` on Linux or `C:\Windows\Sys
	>	tem32\drivers\etc\hosts` on Windows. - Permission Changes: A		>	tem32\drivers\etc\hosts` on Windows. - Permission Changes: A
	>	ltering file permissions to allow broader access, such as ch		>	ltering file permissions to allow broader access, such as ch
	>	anging a file from `644` to `777` on Linux or modifying NTFS		>	anging a file from `644` to `777` on Linux or modifying NTFS
	>	permissions on Windows. - Attribute Modifications: Changing		>	permissions on Windows. - Attribute Modifications: Changing
	>	a file's attributes to hidden, read-only, or system on Wind		>	a file's attributes to hidden, read-only, or system on Wind
	>	ows. - Timestamp Manipulation: Adjusting a file's creation o		>	ows. - Timestamp Manipulation: Adjusting a file's creation o
	>	r modification timestamp using tools like `touch` in Linux o		>	r modification timestamp using tools like `touch` in Linux o
	>	r timestomping tools on Windows. - Software or System File C		>	r timestomping tools on Windows. - Software or System File C
	>	hanges: Modifying system files such as `boot.ini`, kernel mo		>	hanges: Modifying system files such as `boot.ini`, kernel mo
	>	dules, or application binaries. This data component can be		>	dules, or application binaries.
	>	collected through the following measures: Windows - Event
	>	Logs: Enable file system auditing to monitor file modificati
	>	ons using Security Event ID 4670 (File System Audit) or Sysm
	>	on Event ID 2 (File creation time changed). - PowerShell: Us
	>	e Get-ItemProperty or Get-Acl cmdlets to monitor file proper
	>	ties: `Get-Item -Path "C:\path\to\file" \| Select-Object Name
	>	, Attributes, LastWriteTime` Linux - File System Monitorin
	>	g: Use tools like auditd with rules to monitor file modifica
	>	tions: `auditctl -w /path/to/file -p wa -k file_modification
	>	` - Inotify: Use inotifywait to watch for real-time changes
	>	to files or directories: `inotifywait -m /path/to/file` mac
	>	OS - Endpoint Security Framework (ESF): Monitor file modifi
	>	cation events using ESF APIs. - Audit Framework: Configure a
	>	udit rules to track file changes. - Command-Line Tools: Use
	>	fs_usage to monitor file activities: `fs_usage -w /path/to/f
	>	ile` SIEM Tools - Collect logs from endpoint agents (e.g.,
	>	Sysmon, Auditd) and file servers to centralize file modific
	>	ation event data.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:35.239000+00:00	2025-11-12 22:03:39.105000+00:00
description	Changes made to a file, including updates to its contents, metadata, access permissions, or attributes. These modifications may indicate legitimate activity (e.g., software updates) or unauthorized changes (e.g., tampering, ransomware, or adversarial modifications). Examples: - Content Modifications: Changes to the content of a configuration file, such as modifying `/etc/ssh/sshd_config` on Linux or `C:\Windows\System32\drivers\etc\hosts` on Windows. - Permission Changes: Altering file permissions to allow broader access, such as changing a file from `644` to `777` on Linux or modifying NTFS permissions on Windows. - Attribute Modifications: Changing a file's attributes to hidden, read-only, or system on Windows. - Timestamp Manipulation: Adjusting a file's creation or modification timestamp using tools like `touch` in Linux or timestomping tools on Windows. - Software or System File Changes: Modifying system files such as `boot.ini`, kernel modules, or application binaries. This data component can be collected through the following measures: Windows - Event Logs: Enable file system auditing to monitor file modifications using Security Event ID 4670 (File System Audit) or Sysmon Event ID 2 (File creation time changed). - PowerShell: Use Get-ItemProperty or Get-Acl cmdlets to monitor file properties: `Get-Item -Path "C:\path\to\file" \| Select-Object Name, Attributes, LastWriteTime` Linux - File System Monitoring: Use tools like auditd with rules to monitor file modifications: `auditctl -w /path/to/file -p wa -k file_modification` - Inotify: Use inotifywait to watch for real-time changes to files or directories: `inotifywait -m /path/to/file` macOS - Endpoint Security Framework (ESF): Monitor file modification events using ESF APIs. - Audit Framework: Configure audit rules to track file changes. - Command-Line Tools: Use fs_usage to monitor file activities: `fs_usage -w /path/to/file` SIEM Tools - Collect logs from endpoint agents (e.g., Sysmon, Auditd) and file servers to centralize file modification event data.	Changes made to a file, including updates to its contents, metadata, access permissions, or attributes. These modifications may indicate legitimate activity (e.g., software updates) or unauthorized changes (e.g., tampering, ransomware, or adversarial modifications). Examples: - Content Modifications: Changes to the content of a configuration file, such as modifying `/etc/ssh/sshd_config` on Linux or `C:\Windows\System32\drivers\etc\hosts` on Windows. - Permission Changes: Altering file permissions to allow broader access, such as changing a file from `644` to `777` on Linux or modifying NTFS permissions on Windows. - Attribute Modifications: Changing a file's attributes to hidden, read-only, or system on Windows. - Timestamp Manipulation: Adjusting a file's creation or modification timestamp using tools like `touch` in Linux or timestomping tools on Windows. - Software or System File Changes: Modifying system files such as `boot.ini`, kernel modules, or application binaries.
x_mitre_log_sources[8]['channel']	EventCode=4663	EventCode=4663, 4670, 4656
x_mitre_log_sources[59]['name']	WinEventLog:Sysmon	WinEventLog:CodeIntegrity
x_mitre_log_sources[59]['channel']	EvenCode=2	EventCode=3033

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4656,4663'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4670'}
x_mitre_log_sources	{'name': 'WinEventLog:Application', 'channel': '81,3033'}

[DC0067] Logon Session Creation

Current version: 2.0

	Old Description			New Description
t	1	The successful establishment of a new user session following	t	1	The successful establishment of a new user session following
	>	a successful authentication attempt. This typically signifi		>	a successful authentication attempt. This typically signifi
	>	es that a user has provided valid credentials or authenticat		>	es that a user has provided valid credentials or authenticat
	>	ion tokens, and the system has initiated a session associate		>	ion tokens, and the system has initiated a session associate
	>	d with that user account. This data is crucial for tracking		>	d with that user account. This data is crucial for tracking
	>	authentication events and identifying potential unauthorized		>	authentication events and identifying potential unauthorized
	>	access. Examples: - Windows Systems - Event ID: 4624		>	access. Examples: - Windows Systems - Event ID: 4624
	>	- Logon Type: 2 (Interactive) or 10 (Remote Interact		>	- Logon Type: 2 (Interactive) or 10 (Remote Interact
	>	ive via RDP). - Account Name: JohnDoe - Sour		>	ive via RDP). - Account Name: JohnDoe - Sour
	>	ce Network Address: 192.168.1.100 - Authentication P		>	ce Network Address: 192.168.1.100 - Authentication P
	>	ackage: NTLM - Linux Systems - /var/log/utmp or /var/log		>	ackage: NTLM - Linux Systems - /var/log/utmp or /var/log
	>	/wtmp: - Log format: login user [tty] from [source_i		>	/wtmp: - Log format: login user [tty] from [source_i
	>	p] - User: jane - IP: 10.0.0.5 - Tim		>	p] - User: jane - IP: 10.0.0.5 - Tim
	>	estamp: 2024-12-28 08:30:00 - macOS Systems - /var/log/a		>	estamp: 2024-12-28 08:30:00 - macOS Systems - /var/log/a
	>	sl.log or unified logging framework: - Log: com.appl		>	sl.log or unified logging framework: - Log: com.appl
	>	e.securityd: Authentication succeeded for user 'admin' - Clo		>	e.securityd: Authentication succeeded for user 'admin' - Clo
	>	ud Environments - Azure Sign-In Logs: - Activity		>	ud Environments - Azure Sign-In Logs: - Activity
	>	: Sign-in successful - Client App: Browser -		>	: Sign-in successful - Client App: Browser -
	>	Location: Unknown (Country: X) - Google Workspace - Act		>	Location: Unknown (Country: X) - Google Workspace - Act
	>	ivity: Login - Event Type: successful_login		>	ivity: Login - Event Type: successful_login
	>	- Source IP: 203.0.113.55 This data component can be collec		>	- Source IP: 203.0.113.55
	>	ted through the following measures: - Windows Systems -
	>	Event Logs: Monitor Security Event Logs using Event ID 4624
	>	for successful logons. - PowerShell Example: `Get-Event
	>	Log -LogName Security -InstanceId 4624` - Linux Systems
	>	- Log Files: Monitor `/var/log/utmp`, `/var/log/wtmp`, or `/
	>	var/log/auth.log` for logon events. - Tools: Use `last`
	>	or `who` commands to parse login records. - macOS Systems
	>	- Log Sources: Monitor `/var/log/asl.log` or Apple Unified
	>	Logs using the `log show` command. - Command Example: `
	>	log show --predicate 'eventMessage contains "Authentication
	>	succeeded"' --info` - Cloud Environments - Azure AD: Use
	>	Azure Monitor to analyze sign-in logs. Example CLI Query: `
	>	az monitor log-analytics query -w <workspace_id> --analytics
	>	-query "AzureActivity \| where ActivityStatus == 'Success' an
	>	d OperationName == 'Sign-in'"` - Google Workspace: Enabl
	>	e and monitor Login Audit logs from the Admin Console. -
	>	Office 365: Use Audit Log Search in Microsoft 365 Security
	>	& Compliance Center for login-related events. - Network Logs
	>	- Sources: Network authentication mechanisms (e.g., RAD
	>	IUS or TACACS logs). - Enable EDR Monitoring: - EDR too
	>	ls monitor logon session activity, including the creation of
	>	new sessions. - Configure alerts for: Suspicious logon
	>	types (e.g., Logon Type 10 for RDP or Type 5 for Service). L
	>	ogons from unusual locations, accounts, or devices. - Le
	>	verage EDR telemetry for session attributes like source IP,
	>	session duration, and originating process.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:35.022000+00:00	2025-11-12 22:03:39.105000+00:00
description	The successful establishment of a new user session following a successful authentication attempt. This typically signifies that a user has provided valid credentials or authentication tokens, and the system has initiated a session associated with that user account. This data is crucial for tracking authentication events and identifying potential unauthorized access. Examples: - Windows Systems - Event ID: 4624 - Logon Type: 2 (Interactive) or 10 (Remote Interactive via RDP). - Account Name: JohnDoe - Source Network Address: 192.168.1.100 - Authentication Package: NTLM - Linux Systems - /var/log/utmp or /var/log/wtmp: - Log format: login user [tty] from [source_ip] - User: jane - IP: 10.0.0.5 - Timestamp: 2024-12-28 08:30:00 - macOS Systems - /var/log/asl.log or unified logging framework: - Log: com.apple.securityd: Authentication succeeded for user 'admin' - Cloud Environments - Azure Sign-In Logs: - Activity: Sign-in successful - Client App: Browser - Location: Unknown (Country: X) - Google Workspace - Activity: Login - Event Type: successful_login - Source IP: 203.0.113.55 This data component can be collected through the following measures: - Windows Systems - Event Logs: Monitor Security Event Logs using Event ID 4624 for successful logons. - PowerShell Example: `Get-EventLog -LogName Security -InstanceId 4624` - Linux Systems - Log Files: Monitor `/var/log/utmp`, `/var/log/wtmp`, or `/var/log/auth.log` for logon events. - Tools: Use `last` or `who` commands to parse login records. - macOS Systems - Log Sources: Monitor `/var/log/asl.log` or Apple Unified Logs using the `log show` command. - Command Example: `log show --predicate 'eventMessage contains "Authentication succeeded"' --info` - Cloud Environments - Azure AD: Use Azure Monitor to analyze sign-in logs. Example CLI Query: `az monitor log-analytics query -w --analytics-query "AzureActivity \| where ActivityStatus == 'Success' and OperationName == 'Sign-in'"` - Google Workspace: Enable and monitor Login Audit logs from the Admin Console. - Office 365: Use Audit Log Search in Microsoft 365 Security & Compliance Center for login-related events. - Network Logs - Sources: Network authentication mechanisms (e.g., RADIUS or TACACS logs). - Enable EDR Monitoring: - EDR tools monitor logon session activity, including the creation of new sessions. - Configure alerts for: Suspicious logon types (e.g., Logon Type 10 for RDP or Type 5 for Service). Logons from unusual locations, accounts, or devices. - Leverage EDR telemetry for session attributes like source IP, session duration, and originating process.	The successful establishment of a new user session following a successful authentication attempt. This typically signifies that a user has provided valid credentials or authentication tokens, and the system has initiated a session associated with that user account. This data is crucial for tracking authentication events and identifying potential unauthorized access. Examples: - Windows Systems - Event ID: 4624 - Logon Type: 2 (Interactive) or 10 (Remote Interactive via RDP). - Account Name: JohnDoe - Source Network Address: 192.168.1.100 - Authentication Package: NTLM - Linux Systems - /var/log/utmp or /var/log/wtmp: - Log format: login user [tty] from [source_ip] - User: jane - IP: 10.0.0.5 - Timestamp: 2024-12-28 08:30:00 - macOS Systems - /var/log/asl.log or unified logging framework: - Log: com.apple.securityd: Authentication succeeded for user 'admin' - Cloud Environments - Azure Sign-In Logs: - Activity: Sign-in successful - Client App: Browser - Location: Unknown (Country: X) - Google Workspace - Activity: Login - Event Type: successful_login - Source IP: 203.0.113.55
x_mitre_log_sources[5]['name']	m365:signin	m365:signinlogs
x_mitre_log_sources[31]['name']	m365:signin	m365:signinlogs

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624 with LogonType=9 or smartcard logon'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624 (LogonType=10 or 3), EventCode=4648'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624 (LogonType=3)'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624 (LogonType=10), EventCode=4648'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4672, 4648'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': '4624'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624,4648, 4672'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624,4648,4672,4769'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventID=4624'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4634'}

[DC0088] Logon Session Metadata

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.246000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_sources[4]['name']	azure:signinLogs	azure:signinlogs
x_mitre_log_sources[3]['channel']	EventCode=4624, 4634, 4672, 4768, 4769	EventCode=4776, 4771, 4770
x_mitre_log_sources[32]['name']	m365:signin	m365:signinlogs

iterable_item_added
STIX Field	Old value	New Value
x_mitre_log_sources		{'name': 'WinEventLog:Security', 'channel': 'EventCode=4672, 4634'}

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4634, 4672, 4769'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4672'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4776,4771,4770'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624,4672'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4672, 4634, 4768, 4769'}

[DC0016] Module Load

Current version: 2.0

+When a process or program dynamically attaches a shared libr
->
+ary, module, or plugin into its memory space. This action is
->
+ typically performed to extend the functionality of an appli
->
+cation, access shared system resources, or interact with ker
->
+nel-mode components.
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:35.471000+00:00	2025-11-12 22:03:39.105000+00:00
description	When a process or program dynamically attaches a shared library, module, or plugin into its memory space. This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components. Data Collection Measures: - Event Logging (Windows): - Sysmon Event ID 7: Logs when a DLL is loaded into a process. - Windows Security Event ID 4688: Captures process creation events, often useful for correlating module loads. - Windows Defender ATP: Can provide visibility into suspicious module loads. - Event Logging (Linux/macOS): - AuditD (`execve` and `open` syscalls): Captures when shared libraries (`.so` files) are loaded. - Ltrace/Strace: Monitors process behavior, including library calls (`dlopen`, `execve`). - MacOS Endpoint Security Framework (ESF): Monitors library loads (`ES_EVENT_TYPE_NOTIFY_DYLD_INSERT_LIBRARIES`). - Endpoint Detection & Response (EDR): - Provide real-time telemetry on module loads and process injections. - Sysinternals Process Monitor (`procmon`): Captures loaded modules and their execution context. - Memory Forensics: - Volatility Framework (`malfind`, `ldrmodules`): Detects injected DLLs and anomalous module loads. - Rekall Framework: Useful for kernel-mode module detection. - SIEM and Log Analysis: - Centralized log aggregation to correlate suspicious module loads across the environment. - Detection rules using correlation searches and behavioral analytics.	When a process or program dynamically attaches a shared library, module, or plugin into its memory space. This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components.

[DC0082] Network Connection Creation

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:34.190000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_sources[19]['channel']	EventCode=22	EventCode=3, 22
x_mitre_log_sources[27]['channel']	EventCode=5156	EventCode=5156, 5157
x_mitre_log_sources[90]['channel']	8001, 8002, 8003	EventCode=8001, 8002, 8003

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=3'}
x_mitre_log_sources	{'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=22'}
x_mitre_log_sources	{'name': 'auditd:SYSCALL', 'channel': 'netconnect'}
x_mitre_log_sources	{'name': 'auditd:SYSCALL', 'channel': 'open or connect'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=5156,5157'}
x_mitre_log_sources	{'name': 'linux:Sysmon', 'channel': 'EventCode=3'}

[DC0102] Network Share Access

Current version: 2.0

+Opening a network share, which makes the contents available
->
+to the requestor (ex: Windows EID 5140 or 5145)
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:37.412000+00:00	2025-11-12 22:03:39.105000+00:00
description	Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145) Data Collection Measures: - Windows: - Event ID 5140 – Network Share Object Access Logs every access attempt to a network share. - Event ID 5145 – Detailed Network Share Object Access Captures granular access control information, including the requesting user, source IP, and access permissions. - Sysmon Event ID 3 – Network Connection Initiated Helps track SMB connections to suspicious or unauthorized network shares. - Enable Audit Policy for Network Share Access: `auditpol /set /subcategory:"File Share" /success:enable /failure:enable` - Enable PowerShell Logging to Detect Unauthorized SMB Access: `Set-ExecutionPolicy RemoteSigned` - Restrict Network Share Access with Group Policy (GPO): `Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment` Set "Access this computer from the network" to restrict unauthorized accounts. - Linux/macOS: - AuditD (`open`, `read`, `write`, `connect` syscalls) Detects access to NFS, CIFS, and SMB network shares. - Lsof (`lsof \| grep nfs` or `lsof \| grep smb`) Identifies active network share connections. - Mount (`mount \| grep nfs` or `mount \| grep cifs`) Lists currently mounted network shares. - Enable AuditD for SMB/NFS Access: `auditctl -a always,exit -F arch=b64 -S open -F path=/mnt/share -k network_share_access` - Monitor Active Network Shares Using Netstat: `netstat -an \| grep :445` - Endpoint Detection & Response (EDR): - Detects abnormal network share access behavior, such as unusual account usage, large file transfers, or encrypted file activity.	Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)
x_mitre_log_sources[1]['channel']	EventID=31001	EventCode=31001

[DC0078] Network Traffic Flow

Current version: 2.0

	Old Description			New Description
t	1	Summarized network packet data that captures session-level d	t	1	Summarized network packet data that captures session-level d
	>	etails such as source/destination IPs, ports, protocol types		>	etails such as source/destination IPs, ports, protocol types
	>	, timestamps, and data volume, without storing full packet p		>	, timestamps, and data volume, without storing full packet p
	>	ayloads. This is commonly used for traffic analysis, anomaly		>	ayloads. This is commonly used for traffic analysis, anomaly
	>	detection, and network performance monitoring. *Data Colle		>	detection, and network performance monitoring.
	>	ction Measures:* - Network Flow Logs (Metadata Collection)
	>	- NetFlow - Summarized metadata for network con
	>	versations (no packet payloads). - sFlow (Sampled Flow L
	>	ogging) - Captures sampled packets from switches and
	>	routers. - Used for real-time traffic monitoring an
	>	d anomaly detection. - Zeek (Bro) Flow Logs - Ze
	>	ek logs session-level details in logs like conn.log, http.lo
	>	g, dns.log, etc. - Host-Based Collection - Sysmon Event
	>	ID 3 – Network Connection Initiated - Logs process-l
	>	evel network activity, useful for detecting malicious outbou
	>	nd connections. - AuditD (Linux) – syscall=connect
	>	- Monitors system calls for network connections. `auditct
	>	l -a always,exit -F arch=b64 -S connect -k network_activity`
	>	- Cloud & SaaS Flow Monitoring - AWS VPC Flow Logs
	>	- Captures metadata for traffic between EC2 instances, s
	>	ecurity groups, and internet gateways. - Azure NSG Flow
	>	Logs / Google VPC Flow Logs - Logs ingress/egress tr
	>	affic for cloud-based resources.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:34.703000+00:00	2025-11-12 22:03:39.105000+00:00
description	Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring. Data Collection Measures: - Network Flow Logs (Metadata Collection) - NetFlow - Summarized metadata for network conversations (no packet payloads). - sFlow (Sampled Flow Logging) - Captures sampled packets from switches and routers. - Used for real-time traffic monitoring and anomaly detection. - Zeek (Bro) Flow Logs - Zeek logs session-level details in logs like conn.log, http.log, dns.log, etc. - Host-Based Collection - Sysmon Event ID 3 – Network Connection Initiated - Logs process-level network activity, useful for detecting malicious outbound connections. - AuditD (Linux) – syscall=connect - Monitors system calls for network connections. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity` - Cloud & SaaS Flow Monitoring - AWS VPC Flow Logs - Captures metadata for traffic between EC2 instances, security groups, and internet gateways. - Azure NSG Flow Logs / Google VPC Flow Logs - Logs ingress/egress traffic for cloud-based resources.	Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring.
x_mitre_log_sources[72]['channel']	EventCode=2004,2005,2006	EventCode=2004, 2005, 2006

[DC0021] OS API Execution

Current version: 2.0

	Old Description			New Description
t	1	Calls made by a process to operating system-provided Applica	t	1	Calls made by a process to operating system-provided Applica
	>	tion Programming Interfaces (APIs). These calls are essentia		>	tion Programming Interfaces (APIs). These calls are essentia
	>	l for interacting with system resources such as memory, file		>	l for interacting with system resources such as memory, file
	>	s, and hardware, or for performing system-level tasks. Monit		>	s, and hardware, or for performing system-level tasks. Monit
	>	oring these calls can provide insight into a process's inten		>	oring these calls can provide insight into a process's inten
	>	t, especially if the process is malicious. *Data Collection		>	t, especially if the process is malicious.
	>	Measures:* - Endpoint Detection and Response (EDR) Tools:
	>	- Leverage tools to monitor API execution behaviors at t
	>	he process level. - Example: Sysmon Event ID 10 captures
	>	API call traces for process access and memory allocation. -
	>	Process Monitor (ProcMon): - Use ProcMon to collect det
	>	ailed logs of process and API activity. ProcMon can provide
	>	granular details on API usage and identify malicious behavio
	>	r during analysis. - Windows Event Logs: - Use Event IDs
	>	from Windows logs for specific API-related activities:
	>	- Event ID 4688: A new process has been created (can ind
	>	irectly infer API use). - Event ID 4657: A registry
	>	value has been modified (to monitor registry-altering APIs).
	>	- Dynamic Analysis Tools: - Tools like Cuckoo Sandbox,
	>	Flare VM, or Hybrid Analysis monitor API execution during ma
	>	lware detonation. - Host-Based Logs: - On Linux/macOS sy
	>	stems, leverage audit frameworks (e.g., `auditd`, `strace`)
	>	to capture and analyze system call usage that APIs map to. -
	>	Runtime Monitors: - Runtime security tools like Falco c
	>	an monitor system-level calls for API execution. - Debugging
	>	and Tracing: - Use debugging tools like gdb (Linux) or
	>	WinDbg (Windows) for deep tracing of API executions in real
	>	time.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.999000+00:00	2025-11-12 22:03:39.105000+00:00
description	Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious. Data Collection Measures: - Endpoint Detection and Response (EDR) Tools: - Leverage tools to monitor API execution behaviors at the process level. - Example: Sysmon Event ID 10 captures API call traces for process access and memory allocation. - Process Monitor (ProcMon): - Use ProcMon to collect detailed logs of process and API activity. ProcMon can provide granular details on API usage and identify malicious behavior during analysis. - Windows Event Logs: - Use Event IDs from Windows logs for specific API-related activities: - Event ID 4688: A new process has been created (can indirectly infer API use). - Event ID 4657: A registry value has been modified (to monitor registry-altering APIs). - Dynamic Analysis Tools: - Tools like Cuckoo Sandbox, Flare VM, or Hybrid Analysis monitor API execution during malware detonation. - Host-Based Logs: - On Linux/macOS systems, leverage audit frameworks (e.g., `auditd`, `strace`) to capture and analyze system call usage that APIs map to. - Runtime Monitors: - Runtime security tools like Falco can monitor system-level calls for API execution. - Debugging and Tracing: - Use debugging tools like gdb (Linux) or WinDbg (Windows) for deep tracing of API executions in real time.	Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious.
x_mitre_log_sources[19]['channel']	EventCode=4656	EventCode=4663, 4670, 4656

[DC0032] Process Creation

Current version: 2.0

	Old Description			New Description
t	1	Refers to the event in which a new process (executable) is i	t	1	Refers to the event in which a new process (executable) is i
	>	nitialized by an operating system. This can involve parent-c		>	nitialized by an operating system. This can involve parent-c
	>	hild process relationships, process arguments, and environme		>	hild process relationships, process arguments, and environme
	>	ntal variables. Monitoring process creation is crucial for d		>	ntal variables. Monitoring process creation is crucial for d
	>	etecting malicious behaviors, such as execution of unauthori		>	etecting malicious behaviors, such as execution of unauthori
	>	zed binaries, scripting abuse, or privilege escalation attem		>	zed binaries, scripting abuse, or privilege escalation attem
	>	pts. Data Collection Measures: - Endpoint Detection and		>	pts..
	>	Response (EDR) Tools: - EDRs provide process telemetry,
	>	tracking execution flows and arguments. - Windows Event Logs
	>	: - Event ID 4688 (Audit Process Creation): Captures pro
	>	cess creation with associated parent process. - Sysmon (Wind
	>	ows): - Event ID 1 (Process Creation): Provides detailed
	>	logging - Linux/macOS Monitoring: - AuditD (execve sysc
	>	all): Logs process creation. - eBPF/XDP: Used for low-le
	>	vel monitoring of system calls related to process execution.
	>	- OSQuery: Allows SQL-like queries to track process eve
	>	nts (process_events table). - Apple Endpoint Security Fr
	>	amework (ESF): Monitors process creation on macOS. - Network
	>	-Based Monitoring: - Zeek (Bro) Logs: Captures network-b
	>	ased process execution related to remote shells. - Syslo
	>	g/OSSEC: Tracks execution of processes on distributed system
	>	s. - Behavioral SIEM Rules: - Monitor process creation f
	>	or uncommon binaries in user directories. - Detect proce
	>	sses with suspicious command-line arguments.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 19:28:39.339000+00:00	2025-11-12 22:03:39.105000+00:00
external_references[0]['url']	https://attack.mitre.org/data-components/DC0032	https://attack.mitre.org/datacomponents/DC0032
description	Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts. Data Collection Measures: - Endpoint Detection and Response (EDR) Tools: - EDRs provide process telemetry, tracking execution flows and arguments. - Windows Event Logs: - Event ID 4688 (Audit Process Creation): Captures process creation with associated parent process. - Sysmon (Windows): - Event ID 1 (Process Creation): Provides detailed logging - Linux/macOS Monitoring: - AuditD (execve syscall): Logs process creation. - eBPF/XDP: Used for low-level monitoring of system calls related to process execution. - OSQuery: Allows SQL-like queries to track process events (process_events table). - Apple Endpoint Security Framework (ESF): Monitors process creation on macOS. - Network-Based Monitoring: - Zeek (Bro) Logs: Captures network-based process execution related to remote shells. - Syslog/OSSEC: Tracks execution of processes on distributed systems. - Behavioral SIEM Rules: - Monitor process creation for uncommon binaries in user directories. - Detect processes with suspicious command-line arguments.	Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts..
x_mitre_log_sources[293]['channel']	EventCode=8003,8004	EventCode=8003, 8004

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventlog:Security', 'channel': 'EventCode=4688'}
x_mitre_log_sources	{'name': 'WinEventLog:Microsoft-Windows-Security-Auditing', 'channel': 'EventCode=4688'}
x_mitre_log_sources	{'name': 'WinEventLog:security', 'channel': 'EventCode=4688'}

[DC0034] Process Metadata

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:35.331000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_sources[36]['channel']	EventCode=400,403	EventCode=400, 403

[DC0033] Process Termination

Current version: 2.0

	Old Description			New Description
t	1	The exit or termination of a running process on a system. Th	t	1	The exit or termination of a running process on a system. Th
	>	is can occur due to normal operations, user-initiated comman		>	is can occur due to normal operations, user-initiated comman
	>	ds, or malicious actions such as process termination by malw		>	ds, or malicious actions such as process termination by malw
	>	are to disable security controls. *Data Collection Measures		>	are to disable security controls.
	>	:* - Endpoint Detection and Response (EDR) Tools: - Mon
	>	itor process termination events. - Windows Event Logs: -
	>	Event ID 4689 (Process Termination) – Captures when a proce
	>	ss exits, including process ID and parent process. - Eve
	>	nt ID 7036 (Service Control Manager) – Monitors system servi
	>	ce stops. - Sysmon (Windows): - Event ID 5 (Process Term
	>	ination) – Detects when a process exits, including parent-ch
	>	ild relationships. - Linux/macOS Monitoring: - AuditD (`
	>	execve`, `exit_group`, `kill` syscalls) – Captures process t
	>	ermination via command-line interactions. - eBPF/XDP: Mo
	>	nitors low-level system calls related to process termination
	>	. - OSQuery: The processes table can be queried for abno
	>	rmal exits.

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.181000+00:00	2025-11-12 22:03:39.105000+00:00
description	The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls. Data Collection Measures: - Endpoint Detection and Response (EDR) Tools: - Monitor process termination events. - Windows Event Logs: - Event ID 4689 (Process Termination) – Captures when a process exits, including process ID and parent process. - Event ID 7036 (Service Control Manager) – Monitors system service stops. - Sysmon (Windows): - Event ID 5 (Process Termination) – Detects when a process exits, including parent-child relationships. - Linux/macOS Monitoring: - AuditD (`execve`, `exit_group`, `kill` syscalls) – Captures process termination via command-line interactions. - eBPF/XDP: Monitors low-level system calls related to process termination. - OSQuery: The processes table can be queried for abnormal exits.	The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls.

[DC0001] Scheduled Job Creation

Current version: 2.0

+The establishment of a task or job that will execute at a pr
->
+edefined time or based on specific triggers.
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:35.814000+00:00	2025-11-12 22:03:39.105000+00:00
description	The establishment of a task or job that will execute at a predefined time or based on specific triggers. Data Collection Measures: - Windows Event Logs: - Event ID 4698 (Scheduled Task Created) – Detects the creation of new scheduled tasks. - Event ID 4702 (Scheduled Task Updated) – Identifies modifications to existing scheduled jobs. - Event ID 106 (TaskScheduler Operational Log) – Provides details about scheduled task execution. - Sysmon (Windows): - Event ID 1 (Process Creation) – Detects the execution of suspicious tasks started by `schtasks.exe`, `at.exe`, or `taskeng.exe`. - Linux/macOS Monitoring: - AuditD: Monitor modifications to `/etc/cron*`, `/var/spool/cron/`, and `crontab` files. - Syslog: Capture cron job execution logs from `/var/log/cron`. - OSQuery: Query the `crontab` and `launchd` tables for scheduled job configurations. - Endpoint Detection and Response (EDR) Tools: - Track scheduled task creation and modification events. - SIEM & XDR Detection Rules: - Monitor for scheduled jobs created by unusual users. - Detect tasks executing scripts from non-standard directories.	The establishment of a task or job that will execute at a predefined time or based on specific triggers.

[DC0005] Scheduled Job Metadata

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-22 19:03:38.549000+00:00	2025-11-12 22:03:39.105000+00:00
external_references[0]['url']	https://attack.mitre.org/data-components/DC0005	https://attack.mitre.org/datacomponents/DC0005

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'linux:cron', 'channel': '/var/log/syslog or journalctl'}
x_mitre_log_sources	{'name': 'linux::cron', 'channel': 'crontab or at job created within TimeWindow post time discovery'}

[DC0029] Script Execution

Current version: 2.0

+The execution of a text file that contains code via the inte
->
+rpreter.
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.018000+00:00	2025-11-12 22:03:39.105000+00:00
description	The execution of a text file that contains code via the interpreter. Data Collection Measures: - Windows Event Logs: - Event ID 4104 (PowerShell Script Block Logging) – Captures full command-line execution of PowerShell scripts. - Event ID 4688 (Process Creation) – Detects script execution by tracking process launches (`powershell.exe`, `wscript.exe`, `cscript.exe`). - Event ID 5861 (Script Execution) – Captures script execution via Windows Defender AMSI logging. - Sysmon (Windows): - Event ID 1 (Process Creation) – Monitors script execution initiated by scripting engines. - Event ID 11 (File Creation) – Detects new script files written to disk before execution. - Endpoint Detection and Response (EDR) Tools: - Track script execution behavior, detect obfuscated commands, and prevent malicious scripts. - PowerShell Logging: - Enable Module Logging: Logs all loaded modules and cmdlets. - Enable Script Block Logging: Captures complete PowerShell script execution history. - SIEM Detection Rules: - Detect script execution with obfuscated, encoded, or remote URLs. - Alert on script executions using `-EncodedCommand` or `iex(iwr)`.	The execution of a text file that contains code via the interpreter.
x_mitre_log_sources[11]['channel']	EventCode=4103, 4104	EventCode=4103, 4104, 4105, 4106
x_mitre_log_sources[22]['channel']	EventCode=4016,5312	EventCode=4016, 5312

[DC0060] Service Creation

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.315000+00:00	2025-11-12 22:03:39.105000+00:00

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=7045'}

[DC0041] Service Metadata

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:36.382000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_sources[1]['name']	WinEventLog:sysmon	WinEventLog:Sysmon

[DC0065] Service Modification

Current version: 2.0

+Changes made to an existing service or daemon, such as modif
->
+ying the service name, start type, execution parameters, or
->
+security configurations.
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:37.211000+00:00	2025-11-12 22:03:39.105000+00:00
description	Changes made to an existing service or daemon, such as modifying the service name, start type, execution parameters, or security configurations. Data Collection Measures: - Windows Event Logs - Event ID 7040 - Detects modifications to the startup behavior of a service. - Event ID 7045 - Can capture changes made to existing services. - Event ID 7036 - Tracks when services start or stop, potentially indicating malicious tampering. - Event ID 4697 - Can detect when an adversary reinstalls a service with different parameters. - Sysmon Logs - Sysmon Event ID 13 - Detects changes to service configurations in the Windows Registry (e.g., `HKLM\SYSTEM\CurrentControlSet\Services\`). - Sysmon Event ID 1 - Can track execution of `sc.exe` or `PowerShell Set-Service`. - PowerShell Logging - Event ID 4104 (Script Block Logging) - Captures execution of commands like `Set-Service`, `New-Service`, or `sc config`. - Command-Line Logging (Event ID 4688) - Tracks usage of service modification commands: - `sc config start= auto` - `sc qc ` - Linux/macOS Collection Methods - Systemd Journals (`journalctl -u `) Tracks modifications to systemd service configurations. - Daemon Logs (`/var/log/syslog`, `/var/log/messages`, `/var/log/daemon.log`) Captures changes to service state and execution parameters. - AuditD Rules for Service Modification - Monitor modifications to `/etc/systemd/system/` for new or altered service unit files: `auditctl -w /etc/systemd/system/ -p wa -k service_modification` - Track execution of `systemctl` or `service` commands: `auditctl -a always,exit -F arch=b64 -S execve -F a0=systemctl -F key=service_mod` - OSQuery for Linux/macOS Monitoring - Query modified services using OSQuery’s `processes` or `system_info` tables: `SELECT * FROM systemd_units WHERE state != 'running';` - macOS Launch Daemon/Agent Modification - Monitor for changes in: - `/Library/LaunchDaemons/` - `/Library/LaunchAgents/` - Track modifications to `.plist` files indicating persistence attempts.	Changes made to an existing service or daemon, such as modifying the service name, start type, execution parameters, or security configurations.

[DC0002] User Account Authentication

Current version: 2.0

+An attempt (successful and failed login attempts) by a user,
->
+ service, or application to gain access to a network, system
->
+, or cloud-based resource. This typically involves credentia
->
+ls such as passwords, tokens, multi-factor authentication (M
->
+FA), or biometric validation.
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:14:34.948000+00:00	2025-11-12 22:03:39.105000+00:00
description	An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation. Data Collection Measures: - Host-Based Authentication Logs - Windows Event Logs - Event ID 4776 – NTLM authentication attempt. - Event ID 4624 – Successful user logon. - Event ID 4625 – Failed authentication attempt. - Event ID 4648 – Explicit logon with alternate credentials. - Linux/macOS Authentication Logs - `/var/log/auth.log`, `/var/log/secure` – Logs SSH, sudo, and other authentication attempts. - AuditD – Tracks authentication events via PAM modules. - macOS Unified Logs – `/var/db/diagnostics` captures authentication failures. - Cloud Authentication Logs - Azure AD Logs - Sign-in Logs – Tracks authentication attempts, MFA challenges, and conditional access failures. - Audit Logs – Captures authentication-related configuration changes. - Microsoft Graph API – Provides real-time sign-in analytics. - Google Workspace & Office 365 - Google Admin Console – `User Login Report` tracks login attempts and failures. - Office 365 Unified Audit Logs – Captures logins across Exchange, SharePoint, and Teams. - AWS CloudTrail & IAM - Tracks authentication via `AWS IAM AuthenticateUser` and `sts:GetSessionToken`. - Logs failed authentications to AWS Management Console and API requests. - Container Authentication Monitoring - Kubernetes Authentication Logs - kubectl audit logs – Captures authentication attempts for service accounts and admin users. - Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE) – Logs IAM authentication events.	An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation.
x_mitre_log_sources[12]['name']	m365:signin	m365:signinlogs
x_mitre_log_sources[15]['channel']	EventCode=4769,1200,1202	EventCode=4776, 4625

iterable_item_added
STIX Field	Old value	New Value
x_mitre_log_sources		{'name': 'WinEventLog:Security', 'channel': 'EventCode=4769, 1200, 1202'}

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4625'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4625, 4624'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': '4624, 4625'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventID=4625'}

[DC0063] Windows Registry Key Modification

Current version: 2.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-22 18:34:46.572000+00:00	2025-11-12 22:03:39.105000+00:00
external_references[0]['url']	https://attack.mitre.org/data-components/DC0063	https://attack.mitre.org/datacomponents/DC0063
x_mitre_log_sources[3]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_sources	{'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=13'}
x_mitre_log_sources	{'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=14'}
x_mitre_log_sources	{'name': 'WinEventLog:Security', 'channel': 'EventCode=4670'}

Detection Strategies

enterprise-attack

Patches

[DET0897] Detection of Selective Exclusion

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-23 20:53:44.184000+00:00	2025-11-12 22:03:39.105000+00:00
external_references[0]['url']	https://attack.mitre.org/detection-strategies/DET0897	https://attack.mitre.org/detectionstrategies/DET0897

[DET0898] Detection of Spoofed User-Agent

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-23 19:55:18.990000+00:00	2025-11-12 22:03:39.105000+00:00
external_references[0]['url']	https://attack.mitre.org/detection-strategies/DET0898	https://attack.mitre.org/detectionstrategies/DET0898

Analytics

enterprise-attack

Patches

[AN0001] Analytic 0001

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['name']	CloudTrail:GetInstanceIdentityDocument	AWS:CloudTrail

[AN0002] Analytic 0002

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN0009] Analytic 0009

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-22 18:36:42.025000+00:00	2025-11-12 17:36:06.423000+00:00
x_mitre_log_source_references[0]['channel']	EvenCode=4657	EventCode=4657

[AN0014] Analytic 0014

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	/var/log/syslog or journalctl	cron activity

[AN0021] Analytic 0021

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[3]['channel']	EventCode=13	EventCode=13, 14

[AN0030] Analytic 0030

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN0037] Analytic 0037

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN0040] Analytic 0040

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

[AN0043] Analytic 0043

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	PutObject, CopyObject	GetObject, CopyObject

[AN0061] Analytic 0061

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[3]['name']	WinEventLog:sysmon	WinEventLog:Sysmon

[AN0065] Analytic 0065

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

[AN0071] Analytic 0071

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[3]['channel']	EventCode=3	EventCode=3, 22

[AN0072] Analytic 0072

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	Modification of .asar in /opt or ~/.config directories	EventCode=11

[AN0074] Analytic 0074

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=13	EventCode=13, 14

[AN0075] Analytic 0075

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN0080] Analytic 0080

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN0089] Analytic 0089

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN0094] Analytic 0094

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=13	EventCode=13, 14

[AN0100] Analytic 0100

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22
x_mitre_log_source_references[1]['channel']	Event ID 1	EventCode=1

[AN0105] Analytic 0105

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4656, 4663	EventCode=4663, 4670, 4656

[AN0109] Analytic 0109

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]	{'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=22'}	{'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=3, 22'}
x_mitre_log_source_references[1]	{'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'WinEventLog:Security', 'channel': 'EventCode=1'}	{'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=1'}

[AN0118] Analytic 0118

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-22 18:38:17.503000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[3]['channel']	EventCode=3	EventCode=3, 22

[AN0123] Analytic 0123

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=22	EventCode=3, 22
x_mitre_log_source_references[3]['channel']	EventCode=13	EventCode=13, 14

[AN0130] Analytic 0130

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4663	EventCode=4663, 4670, 4656
x_mitre_log_source_references[3]['channel']	EventCode=3	EventCode=3, 22

[AN0131] Analytic 0131

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106
x_mitre_log_source_references[3]['channel']	EventCode=3	EventCode=3, 22

[AN0133] Analytic 0133

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

[AN0137] Analytic 0137

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[3]['channel']	EventCode=13	EventCode=13, 14

[AN0139] Analytic 0139

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

[AN0147] Analytic 0147

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4624	EventCode=4624, 4648

[AN0151] Analytic 0151

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN0152] Analytic 0152

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['name']	WinEventLog:Powershell	WinEventLog:PowerShell
x_mitre_log_source_references[2]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN0158] Analytic 0158

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN0159] Analytic 0159

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	netconnect	connect

[AN0162] Analytic 0162

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[3]['channel']	EventCode=4656,4663	EventCode=4663, 4670, 4656

[AN0165] Analytic 0165

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN0170] Analytic 0170

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=13,14	EventCode=13, 14

[AN0178] Analytic 0178

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN0182] Analytic 0182

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN0184] Analytic 0184

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

[AN0185] Analytic 0185

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[5]['channel']	EventCode=22	EventCode=3, 22

[AN0194] Analytic 0194

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventID=31001	EventCode=31001

[AN0198] Analytic 0198

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	PutObject, CopyObject	GetObject, CopyObject

[AN0199] Analytic 0199

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4670, 4663	EventCode=4663, 4670, 4656
x_mitre_log_source_references[2]['channel']	EventCode=4624	EventCode=4624, 4648

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_source_references	{'x_mitre_data_component_ref': 'x-mitre-data-component--d27b0089-2c39-4b6c-84ff-303e48657e77', 'name': 'WinEventLog:DirectoryService', 'channel': 'EventID 5136'}

[AN0204] Analytic 0204

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN0212] Analytic 0212

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN0216] Analytic 0216

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22

[AN0219] Analytic 0219

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[3]['channel']	EventCode=3	EventCode=3, 22

[AN0226] Analytic 0226

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN0227] Analytic 0227

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	open or connect	connect

[AN0229] Analytic 0229

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4670, 4663	EventCode=4663, 4670, 4656

[AN0235] Analytic 0235

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=13	EventCode=13, 14

[AN0236] Analytic 0236

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['name']	WinEventLog:Microsoft-Windows-WMI-Activity/Operational	WinEventLog:WMI
x_mitre_log_source_references[0]['channel']	EventCode=5861	EventCode=5857, 5858, 5860, 5861

[AN0238] Analytic 0238

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=22	EventCode=3, 22

[AN0240] Analytic 0240

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=13	EventCode=13, 14

[AN0243] Analytic 0243

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4656	EventCode=4663, 4670, 4656
x_mitre_log_source_references[3]['channel']	EventCode=13	EventCode=13, 14

[AN0247] Analytic 0247

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-27 15:59:01.140000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['name']	WinEventLog:Microsoft-Windows-Partition/Diagnostic	WinEventLog:System

[AN0251] Analytic 0251

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=13	EventCode=13, 14
x_mitre_log_source_references[3]['channel']	EventCode=3	EventCode=3, 22

[AN0254] Analytic 0254

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN0271] Analytic 0271

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN0274] Analytic 0274

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22
x_mitre_log_source_references[2]['channel']	EventCode=4103,4104	EventCode=4103, 4104, 4105, 4106

[AN0279] Analytic 0279

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	path	PATH

[AN0282] Analytic 0282

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4656	EventCode=4663, 4670, 4656

[AN0286] Analytic 0286

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4624	EventCode=4624, 4648
x_mitre_log_source_references[2]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN0292] Analytic 0292

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-27 15:59:35.823000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=5145, 4663	EventCode=4663, 4670, 4656

[AN0298] Analytic 0298

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22

[AN0301] Analytic 0301

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['name']	azure:signinLogs	azure:signinlogs

[AN0302] Analytic 0302

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN0320] Analytic 0320

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22

[AN0323] Analytic 0323

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=13	EventCode=13, 14

[AN0325] Analytic 0325

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	/var/log/syslog or journalctl	cron activity

[AN0327] Analytic 0327

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=7031,7034,1000,1001	EventCode=1000
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22

[AN0331] Analytic 0331

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22
x_mitre_log_source_references[2]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

[AN0334] Analytic 0334

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4723, 4724, 4726, 4740	EventCode=4723, 4724, 4740

[AN0338] Analytic 0338

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['name']	m365:signin	m365:signinlogs

[AN0341] Analytic 0341

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=13	EventCode=13, 14

[AN0342] Analytic 0342

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=4663	EventCode=4663, 4670, 4656
x_mitre_log_source_references[3]['channel']	EventCode=1006,10001	EventCode=1006, 10001

[AN0345] Analytic 0345

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22
x_mitre_log_source_references[2]['channel']	EventCode=4103, 4104	EventCode=4103, 4104, 4105, 4106

[AN0346] Analytic 0346

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN0355] Analytic 0355

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['name']	WinEventLog:Security	WinEventLog:System

[AN0360] Analytic 0360

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=13	EventCode=13, 14

[AN0363] Analytic 0363

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN0367] Analytic 0367

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN0370] Analytic 0370

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	PutObject, GetObject, CopyObject, DeleteObject	GetObject, CopyObject

[AN0379] Analytic 0379

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN0388] Analytic 0388

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN0392] Analytic 0392

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4663	EventCode=4663, 4670, 4656
x_mitre_log_source_references[2]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN0400] Analytic 0400

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN0405] Analytic 0405

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4624, 4634, 4672, 4768, 4769	EventCode=4672, 4634
x_mitre_log_source_references[1]['name']	WinEventLog:Kerberos	WinEventLog:Security
x_mitre_log_source_references[1]['channel']	EventCode=4769, 4768	EventCode=4769

[AN0406] Analytic 0406

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=13	EventCode=13, 14

[AN0418] Analytic 0418

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]	{'x_mitre_data_component_ref': 'x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b', 'name': 'azure:signinLogs', 'channel': 'SAML-based login with anomalous issuer or NotOnOrAfter lifetime'}	{'x_mitre_data_component_ref': 'x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b', 'name': 'azure:signinlogs', 'channel': 'SAML-based login with anomalous issuer or NotOnOrAfter lifetime'}
x_mitre_log_source_references[1]	{'x_mitre_data_component_ref': 'x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4769,1200,1202'}	{'x_mitre_data_component_ref': 'x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4769, 1200, 1202'}

[AN0420] Analytic 0420

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4624	EventCode=4624, 4648

[AN0423] Analytic 0423

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22
x_mitre_log_source_references[2]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

[AN0428] Analytic 0428

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 17:35:05.178000+00:00

iterable_item_removed
STIX Field	Old value	New Value
x_mitre_log_source_references	{'x_mitre_data_component_ref': 'x-mitre-data-component--0f72bf50-35b3-419d-ab95-70f9b6a818dd', 'name': 'WinEventLog:Security', 'channel': '4673, 4674'}

[AN0430] Analytic 0430

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[4]['channel']	EventCode=4103	EventCode=4103, 4104, 4105, 4106

[AN0431] Analytic 0431

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[3]['name']	linux::cron	linux:cron
x_mitre_log_source_references[3]['channel']	crontab or at job created within TimeWindow post time discovery	cron activity

[AN0436] Analytic 0436

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22
x_mitre_log_source_references[2]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

[AN0441] Analytic 0441

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=13	EventCode=13, 14

[AN0444] Analytic 0444

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=4624	EventCode=4624, 4648

[AN0445] Analytic 0445

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22

[AN0446] Analytic 0446

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['name']	WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational	WinEventLog:System

[AN0455] Analytic 0455

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN0462] Analytic 0462

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22

[AN0469] Analytic 0469

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106
x_mitre_log_source_references[2]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

[AN0472] Analytic 0472

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN0484] Analytic 0484

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4624	EventCode=4624, 4648

[AN0485] Analytic 0485

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN0489] Analytic 0489

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN0498] Analytic 0498

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4624	EventCode=4624, 4648
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22

[AN0504] Analytic 0504

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4624	EventCode=4624, 4648

[AN0507] Analytic 0507

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN0513] Analytic 0513

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22
x_mitre_log_source_references[3]['channel']	EventCode=4103	EventCode=4103, 4104, 4105, 4106

[AN0520] Analytic 0520

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=13	EventCode=13, 14

[AN0535] Analytic 0535

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=13	EventCode=13, 14

[AN0540] Analytic 0540

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=1000-1026	EventCode=1000

[AN0551] Analytic 0551

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN0555] Analytic 0555

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[3]['channel']	EventCode=4656,4663	EventCode=4663, 4670, 4656

[AN0559] Analytic 0559

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN0564] Analytic 0564

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN0568] Analytic 0568

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22
x_mitre_log_source_references[4]['channel']	EventCode=4656	EventCode=4663, 4670, 4656

[AN0576] Analytic 0576

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN0580] Analytic 0580

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-27 16:01:17.493000+00:00	2025-11-12 17:13:52.357000+00:00
x_mitre_log_source_references[2]['channel']	13	EventCode=13

[AN0589] Analytic 0589

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=13	EventCode=13, 14
x_mitre_log_source_references[2]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN0590] Analytic 0590

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22

[AN0596] Analytic 0596

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN0602] Analytic 0602

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EvenCode=2	EventCode=2

[AN0616] Analytic 0616

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

[AN0619] Analytic 0619

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['name']	WinEventlog:Security	WinEventLog:Security

[AN0622] Analytic 0622

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[4]['channel']	EventCode=13	EventCode=13, 14
x_mitre_log_source_references[6]['channel']	EventCode=3	EventCode=3, 22
x_mitre_log_source_references[7]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN0628] Analytic 0628

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=4656	EventCode=4663, 4670, 4656

[AN0629] Analytic 0629

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['name']	WinEventLog:System	WinEventLog:Sysmon
x_mitre_log_source_references[5]['channel']	EventCode=13	EventCode=13, 14

[AN0633] Analytic 0633

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=5156	EventCode=5156, 5157

[AN0637] Analytic 0637

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN0641] Analytic 0641

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN0648] Analytic 0648

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

[AN0651] Analytic 0651

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22

[AN0653] Analytic 0653

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['name']	macos:unified	macos:unifiedlog

[AN0655] Analytic 0655

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[3]['channel']	EventCode=3	EventCode=3, 22

[AN0662] Analytic 0662

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

[AN0666] Analytic 0666

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	GetObject	GetObject, CopyObject

[AN0671] Analytic 0671

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 18:12:53.100000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4886, 4887, 4899, 4900, 4768, 4624	EventCode=4768

[AN0674] Analytic 0674

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['name']	azure:SigninLogs	azure:signinlogs

[AN0675] Analytic 0675

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4624, 4634, 4672, 4769	EventCode=4672, 4634

[AN0677] Analytic 0677

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22

[AN0687] Analytic 0687

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]	{'x_mitre_data_component_ref': 'x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=13'}	{'x_mitre_data_component_ref': 'x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=13, 14'}
x_mitre_log_source_references[0]	{'x_mitre_data_component_ref': 'x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=10, 7'}	{'x_mitre_data_component_ref': 'x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=10'}
x_mitre_log_source_references[1]	{'x_mitre_data_component_ref': 'x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4624 with LogonType=9 or smartcard logon'}	{'x_mitre_data_component_ref': 'x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4648'}

[AN0690] Analytic 0690

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['name']	CloudTrail:RunInstances	AWS:CloudTrail

[AN0692] Analytic 0692

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['name']	CloudTrail:RunInstances	AWS:CloudTrail
x_mitre_log_source_references[0]['channel']	RunInstances: AMI not in allowlist OR AMI owner != enterprise owner/account	RunInstances

[AN0694] Analytic 0694

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=13	EventCode=13, 14

[AN0702] Analytic 0702

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN0705] Analytic 0705

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4656	EventCode=4663, 4670, 4656

[AN0712] Analytic 0712

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

[AN0714] Analytic 0714

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN0718] Analytic 0718

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['name']	azure:signinLogs	azure:signinlogs

[AN0719] Analytic 0719

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4624	EventCode=4624, 4648

[AN0723] Analytic 0723

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['name']	m365:signin	m365:signinlogs

[AN0724] Analytic 0724

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

[AN0728] Analytic 0728

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]	{'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=22'}	{'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=3, 22'}
x_mitre_log_source_references[1]	{'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'WinEventLog:Security', 'channel': 'EventCode=1'}	{'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=1'}

[AN0737] Analytic 0737

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106
x_mitre_log_source_references[2]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

[AN0741] Analytic 0741

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22

[AN0744] Analytic 0744

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['name']	CloudWatch:Metrics	AWS:CloudWatch

[AN0750] Analytic 0750

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4624 (LogonType=10 or 3), EventCode=4648	EventCode=4624, 4648
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22

[AN0755] Analytic 0755

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=5136,5137,5138,5139,5141	EventCode=5136
x_mitre_log_source_references[1]['channel']	EventCode=4670	EventCode=4663, 4670, 4656

[AN0757] Analytic 0757

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=4624	EventCode=4624, 4648

[AN0759] Analytic 0759

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN0764] Analytic 0764

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=13	EventCode=13, 14

[AN0778] Analytic 0778

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=13	EventCode=13, 14

[AN0785] Analytic 0785

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22

[AN0786] Analytic 0786

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4624, 4672	EventCode=4672, 4634
x_mitre_log_source_references[4]['name']	WinEventLog:DirectoryService	WinEventLog:Security

[AN0787] Analytic 0787

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4663	EventCode=4663, 4670, 4656
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN0791] Analytic 0791

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4624 (LogonType=3)	EventCode=4624, 4648
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN0792] Analytic 0792

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4624	EventCode=4624, 4648

[AN0797] Analytic 0797

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[3]['channel']	EventCode=3	EventCode=3, 22

[AN0814] Analytic 0814

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 17:10:37.357000+00:00
x_mitre_log_source_references[1]['name']	WinEventLog:Directory Service	WinEventLog:Security

[AN0816] Analytic 0816

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['name']	CloudTrail:UpdatePolicy	AWS:CloudTrail

[AN0823] Analytic 0823

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]	{'x_mitre_data_component_ref': 'x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4670'}	{'x_mitre_data_component_ref': 'x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4663, 4670, 4656'}
x_mitre_log_source_references[1]	{'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=3'}	{'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=3, 22'}

[AN0834] Analytic 0834

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4670	EventCode=4663, 4670, 4656
x_mitre_log_source_references[2]['channel']	EventCode=4663	EventCode=4663, 4670, 4656
x_mitre_log_source_references[4]['channel']	EventCode=4103,4104	EventCode=4103, 4104, 4105, 4106

[AN0841] Analytic 0841

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['name']	WinEventLog:Microsoft-Windows-Partition/Diagnostic	WinEventLog:System

[AN0842] Analytic 0842

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22
x_mitre_log_source_references[2]['channel']	EventCode=2004,2005,2006	EventCode=2004, 2005, 2006

[AN0847] Analytic 0847

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	path	PATH

[AN0850] Analytic 0850

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=1000, 1001, 1002	EventCode=1000

[AN0854] Analytic 0854

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=5136,5137,5138,5139,5141	EventCode=5136
x_mitre_log_source_references[1]['channel']	EventCode=4670	EventCode=4663, 4670, 4656

[AN0856] Analytic 0856

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=4624	EventCode=4624, 4648

[AN0861] Analytic 0861

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 18:16:01.708000+00:00

[AN0862] Analytic 0862

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[4]['channel']	EventCode=13	EventCode=13, 14
x_mitre_log_source_references[5]['channel']	EventCode=22	EventCode=3, 22

[AN0871] Analytic 0871

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['name']	WinEventLog:Microsoft-Windows-Security-Auditing	WinEventLog:Security
x_mitre_log_source_references[2]['channel']	EventCode=13	EventCode=13, 14

[AN0880] Analytic 0880

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=13	EventCode=13, 14

[AN0895] Analytic 0895

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4663	EventCode=4663, 4670, 4656
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN0903] Analytic 0903

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN0922] Analytic 0922

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN0927] Analytic 0927

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22
x_mitre_log_source_references[2]['channel']	EventCode=4103, 4104	EventCode=4103, 4104, 4105, 4106

[AN0928] Analytic 0928

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN0931] Analytic 0931

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4624 (LogonType=10), EventCode=4648	EventCode=4624, 4648
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22

[AN0932] Analytic 0932

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22
x_mitre_log_source_references[5]['channel']	EventCode=13	EventCode=13, 14

[AN0933] Analytic 0933

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[3]['channel']	EventCode=13	EventCode=13, 14

[AN0937] Analytic 0937

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 18:17:38.273000+00:00
x_mitre_log_source_references[1]['channel']	PutBackupVaultAccessPolicy	DeleteBucket, DeleteDBCluster, DeleteSnapshot, TerminateInstances

[AN0954] Analytic 0954

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4624, 4672, 4648	EventCode=4624, 4648

[AN0956] Analytic 0956

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['name']	azure:signinLogs	azure:signinlogs

[AN0962] Analytic 0962

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106
x_mitre_log_source_references[3]['channel']	EventCode=3	EventCode=3, 22

[AN0968] Analytic 0968

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[3]['channel']	EventCode=3	EventCode=3, 22

[AN0969] Analytic 0969

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN0972] Analytic 0972

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['name']	CloudWatch:InstanceMetrics	AWS:CloudWatch

[AN0975] Analytic 0975

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=13	EventCode=13, 14

[AN0978] Analytic 0978

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['name']	azure:signinLogs	azure:signinlogs

[AN0988] Analytic 0988

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22
x_mitre_log_source_references[3]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

[AN1000] Analytic 1000

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=4624	EventCode=4624, 4648

[AN1001] Analytic 1001

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=13	EventCode=13, 14

[AN1004] Analytic 1004

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4624, 4625	EventCode=4776, 4625
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22

[AN1015] Analytic 1015

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106
x_mitre_log_source_references[2]['channel']	EventCode=5156	EventCode=5156, 5157

[AN1020] Analytic 1020

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN1025] Analytic 1025

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN1028] Analytic 1028

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[3]['channel']	EventCode=13	EventCode=13, 14
x_mitre_log_source_references[5]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106
x_mitre_log_source_references[6]['channel']	EventCode=3	EventCode=3, 22

[AN1030] Analytic 1030

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[4]['channel']	EventCode=13	EventCode=13, 14

[AN1031] Analytic 1031

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22
x_mitre_log_source_references[2]['channel']	EventCode=5857, 5858	EventCode=5857, 5858, 5860, 5861

[AN1032] Analytic 1032

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=13	EventCode=13, 14

[AN1034] Analytic 1034

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=4016,5312	EventCode=4016, 5312

[AN1057] Analytic 1057

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN1061] Analytic 1061

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['name']	WinEventLog:Security	WinEventLog:System

[AN1064] Analytic 1064

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-10-29 17:10:15.891000+00:00

iterable_item_added
STIX Field	Old value	New Value
x_mitre_log_source_references		{'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=1'}

[AN1077] Analytic 1077

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4720, EventCode=4781	EventCode=4720

[AN1091] Analytic 1091

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN1094] Analytic 1094

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=13	EventCode=13, 14

[AN1108] Analytic 1108

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=4624	EventCode=4624, 4648

[AN1113] Analytic 1113

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]	{'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'WinEventLog:security', 'channel': 'EventCode=4688'}	{'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4688'}
x_mitre_log_source_references[1]	{'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=3'}	{'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=3, 22'}

[AN1118] Analytic 1118

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN1121] Analytic 1121

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=22	EventCode=3, 22

[AN1134] Analytic 1134

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22

[AN1137] Analytic 1137

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4624	EventCode=4624, 4648

[AN1140] Analytic 1140

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN1144] Analytic 1144

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	4624	EventCode=4624, 4648
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22

[AN1148] Analytic 1148

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=5156	EventCode=5156, 5157

[AN1153] Analytic 1153

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=13	EventCode=13, 14

[AN1157] Analytic 1157

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['name']	CloudTrail:GetSecretValue	AWS:CloudTrail
x_mitre_log_source_references[1]['channel']	API call to retrieve secret or access key	GetSecretValue

[AN1161] Analytic 1161

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN1168] Analytic 1168

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['name']	CloudTrail:InvokeFunction	AWS:CloudTrail
x_mitre_log_source_references[2]['name']	CloudMetrics:InstanceHealth	AWS:CloudMetrics

[AN1169] Analytic 1169

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN1177] Analytic 1177

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4670	EventCode=4663, 4670, 4656
x_mitre_log_source_references[4]['channel']	EventCode=4103,4104,4105, 4106	EventCode=4103, 4104, 4105, 4106
x_mitre_log_source_references[5]['name']	WinEventLog:Microsoft-Windows-WMI-Activity/Operational	WinEventLog:WMI
x_mitre_log_source_references[5]['channel']	EventCode=5857, 5860, 5861	EventCode=5857, 5858, 5860, 5861

[AN1178] Analytic 1178

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=22	EventCode=3, 22

[AN1185] Analytic 1185

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=13	EventCode=13, 14
x_mitre_log_source_references[3]['channel']	EventCode=3	EventCode=3, 22

[AN1189] Analytic 1189

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN1198] Analytic 1198

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4656	EventCode=4663, 4670, 4656

[AN1207] Analytic 1207

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[4]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106
x_mitre_log_source_references[5]['channel']	EventCode=3	EventCode=3, 22

[AN1212] Analytic 1212

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

[AN1220] Analytic 1220

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN1221] Analytic 1221

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[4]['channel']	EventCode=13	EventCode=13, 14

[AN1222] Analytic 1222

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['name']	WinEventLog:Application	WinEventLog:CodeIntegrity
x_mitre_log_source_references[2]['channel']	81,3033	EventCode=3033

[AN1225] Analytic 1225

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN1229] Analytic 1229

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN1234] Analytic 1234

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_mutable_elements[2]['field']	path	PATH

[AN1242] Analytic 1242

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['name']	CloudTrail:EC2	AWS:CloudTrail
x_mitre_log_source_references[1]['name']	CloudTrail:EC2	AWS:CloudTrail

[AN1252] Analytic 1252

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106
x_mitre_log_source_references[2]['channel']	EventCode=400,403	EventCode=400, 403

[AN1253] Analytic 1253

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[3]['channel']	EventCode=4624, 4672	EventCode=4672, 4634
x_mitre_log_source_references[4]['name']	WinEventLog:DirectoryService	WinEventLog:Security

[AN1254] Analytic 1254

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN1259] Analytic 1259

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 18:15:01.136000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=5136,5137,5141	EventCode=5136

[AN1260] Analytic 1260

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['name']	azure:signinLogs	azure:signinlogs

[AN1271] Analytic 1271

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4663	EventCode=4663, 4670, 4656
x_mitre_log_source_references[1]['channel']	EventCode=13	EventCode=13, 14

[AN1275] Analytic 1275

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4625, 4624	EventCode=4776, 4625

[AN1280] Analytic 1280

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN1283] Analytic 1283

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4624	EventCode=4624, 4648

[AN1288] Analytic 1288

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4103	EventCode=4103, 4104, 4105, 4106

[AN1290] Analytic 1290

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=1341,1342,1020,1063	EventCode=1341, 1342, 1020, 1063

[AN1294] Analytic 1294

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN1305] Analytic 1305

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4624,4648, 4672	EventCode=4624, 4648
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22
x_mitre_log_source_references[5]['channel']	EventCode=5857, 5860, 5861	EventCode=5857, 5858, 5860, 5861
x_mitre_log_source_references[6]['channel']	EventCode=4103	EventCode=4103, 4104, 4105, 4106

[AN1308] Analytic 1308

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[3]['channel']	EventCode=3	EventCode=3, 22

[AN1309] Analytic 1309

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106
x_mitre_log_source_references[3]['channel']	EventCode=3	EventCode=3, 22

[AN1313] Analytic 1313

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4624	EventCode=4624, 4648

[AN1314] Analytic 1314

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=1000,1001	EventCode=1000
x_mitre_log_source_references[3]['channel']	EventCode=3	EventCode=3, 22

[AN1325] Analytic 1325

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN1328] Analytic 1328

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	GetObject	GetObject, CopyObject

[AN1331] Analytic 1331

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=22	EventCode=3, 22

[AN1335] Analytic 1335

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22

[AN1344] Analytic 1344

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]	{'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=3'}	{'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Sysmon', 'channel': 'EventCode=3, 22'}
x_mitre_log_source_references[0]	{'x_mitre_data_component_ref': 'x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4624,4648,4672,4769'}	{'x_mitre_data_component_ref': 'x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4624, 4648'}
x_mitre_log_source_references[1]	{'x_mitre_data_component_ref': 'x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4776,4771,4770'}	{'x_mitre_data_component_ref': 'x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4776, 4771, 4770'}
x_mitre_log_source_references[3]	{'x_mitre_data_component_ref': 'x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4663'}	{'x_mitre_data_component_ref': 'x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4663, 4670, 4656'}

[AN1357] Analytic 1357

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4656	EventCode=4663, 4670, 4656

[AN1361] Analytic 1361

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4624	EventCode=4624, 4648

[AN1366] Analytic 1366

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[3]['channel']	EventCode=13	EventCode=13, 14
x_mitre_log_source_references[5]['channel']	EventCode=3	EventCode=3, 22

[AN1367] Analytic 1367

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22

[AN1369] Analytic 1369

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['name']	WinEventLog:Security	WinEventLog:System
x_mitre_log_source_references[2]['channel']	EventCode=13	EventCode=13, 14

[AN1375] Analytic 1375

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-10-28 19:57:23.683000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4624,4672	EventCode=4672

[AN1376] Analytic 1376

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN1381] Analytic 1381

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22

[AN1384] Analytic 1384

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=13	EventCode=13, 14

[AN1389] Analytic 1389

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN1393] Analytic 1393

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=4656	EventCode=4663, 4670, 4656

[AN1397] Analytic 1397

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN1398] Analytic 1398

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=4624	EventCode=4624, 4648
x_mitre_log_source_references[6]['channel']	EventCode=3	EventCode=3, 22

[AN1407] Analytic 1407

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22

[AN1410] Analytic 1410

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4663	EventCode=4663, 4670, 4656
x_mitre_log_source_references[1]['channel']	EventCode=20001/20003	EventCode=2003

[AN1413] Analytic 1413

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22
x_mitre_log_source_references[2]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

[AN1417] Analytic 1417

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

[AN1434] Analytic 1434

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN1440] Analytic 1440

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN1443] Analytic 1443

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4624, 4672, 4634, 4768, 4769	EventCode=4672, 4634

[AN1448] Analytic 1448

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22
x_mitre_log_source_references[2]['channel']	EventCode=2004,2005,2006	EventCode=2004, 2005, 2006
x_mitre_log_source_references[3]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN1452] Analytic 1452

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN1461] Analytic 1461

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN1464] Analytic 1464

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22

[AN1468] Analytic 1468

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4624 (LogonType=3)	EventCode=4624, 4648
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN1476] Analytic 1476

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]	{'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Microsoft-Windows-WLAN-AutoConfig', 'channel': '8001, 8002, 8003'}	{'x_mitre_data_component_ref': 'x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba', 'name': 'WinEventLog:Microsoft-Windows-WLAN-AutoConfig', 'channel': 'EventCode=8001, 8002, 8003'}
x_mitre_log_source_references[1]	{'x_mitre_data_component_ref': 'x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e', 'name': 'WinEventLog:Security', 'channel': '4624, 4625'}	{'x_mitre_data_component_ref': 'x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4776, 4625'}

[AN1483] Analytic 1483

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN1489] Analytic 1489

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN1496] Analytic 1496

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN1506] Analytic 1506

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['name']	m365:signin	m365:signinlogs

[AN1511] Analytic 1511

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN1527] Analytic 1527

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=13	EventCode=13, 14

[AN1528] Analytic 1528

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

[AN1543] Analytic 1543

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-27 15:56:07.094000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventID=4624	EventCode=4624
x_mitre_log_source_references[1]['channel']	EventID=4625	EventCode=4776, 4625

[AN1548] Analytic 1548

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN1551] Analytic 1551

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=4624	EventCode=4624, 4648
x_mitre_log_source_references[3]['channel']	EventCode=3	EventCode=3, 22
x_mitre_log_source_references[7]['channel']	EventCode=13	EventCode=13, 14
x_mitre_log_source_references[8]['channel']	EventCode=5857, 5860, 5861	EventCode=5857, 5858, 5860, 5861
x_mitre_log_source_references[9]['channel']	EventCode=4103, 4104	EventCode=4103, 4104, 4105, 4106

[AN1557] Analytic 1557

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4103	EventCode=4103, 4104, 4105, 4106

[AN1564] Analytic 1564

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN1567] Analytic 1567

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]	{'x_mitre_data_component_ref': 'x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0', 'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4104'}	{'x_mitre_data_component_ref': 'x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0', 'name': 'WinEventLog:PowerShell', 'channel': 'EventCode=4103, 4104, 4105, 4106'}
x_mitre_log_source_references[0]	{'x_mitre_data_component_ref': 'x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f', 'name': 'WinEventLog:System', 'channel': '20001-20003'}	{'x_mitre_data_component_ref': 'x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f', 'name': 'WinEventLog:System', 'channel': 'EventCode=2003'}
x_mitre_log_source_references[1]	{'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'WinEventLog:Security', 'channel': '4688, 4104'}	{'x_mitre_data_component_ref': 'x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077', 'name': 'WinEventLog:Security', 'channel': 'EventCode=4688'}

[AN1571] Analytic 1571

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4663	EventCode=4663, 4670, 4656
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN1575] Analytic 1575

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=13	EventCode=13, 14

[AN1583] Analytic 1583

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN1589] Analytic 1589

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN1594] Analytic 1594

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	GetObject	GetObject, CopyObject

[AN1595] Analytic 1595

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=13	EventCode=13, 14

[AN1599] Analytic 1599

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=3	EventCode=3, 22

[AN1620] Analytic 1620

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4624, 4634	EventCode=4624, 4648
x_mitre_log_source_references[2]['channel']	EventCode=3	EventCode=3, 22

[AN1621] Analytic 1621

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106

[AN1622] Analytic 1622

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

[AN1625] Analytic 1625

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[2]['channel']	GetObject	GetObject, CopyObject

[AN1626] Analytic 1626

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=15	EventCode=15
x_mitre_log_source_references[1]['channel']	EventCode=4663	EventCode=4663, 4670, 4656

[AN1632] Analytic 1632

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-21 15:10:28.402000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['name']	WinEventLog:DirectoryService	WinEventLog:Security

[AN2029] Analytic 2029

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-24 15:00:29.811000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[1]['channel']	EventCode=3	EventCode=3, 22

[AN2030] Analytic 2030

Current version: 1.0

Details

values_changed
STIX Field	Old value	New Value
modified	2025-10-23 20:07:29.933000+00:00	2025-11-12 22:03:39.105000+00:00
x_mitre_log_source_references[0]['channel']	EventCode=4104	EventCode=4103, 4104, 4105, 4106
x_mitre_log_source_references[2]['channel']	EventCode=4670	EventCode=4663, 4670, 4656