Skip to main content

MITRE ATT&CK Data Sources


MITRE ATT&CK Data Sources vs. Components​

Data Sources in the context of MITRE ATT&CK refer to the categories of information that can be used to detect specific MITRE ATT&CK Techniques. Examples include application logs, process monitoring data, network traffic logs, and authentication logs.

Data Components are the granular pieces of information that can be derived from Data Sources. Each Data Source is sub-categorized into one or more Data Components. They represent the actual observables or artifacts that can be used to indicate suspicious or malicious activity, such as process creation events, command-line arguments, or network connection details.


Correlation to MITRE ATT&CK Techniques​

Each technique detailed in the MITRE ATT&CK matrix is associated with one or more data sources and components - this can be seen under the technique's Detection section. By understanding the relationship between a technique and its data sources, CPTs can tailor their data collection to the specific behaviors exhibited by APTs. For example, the technique T1059.001: PowerShell could be correlated to data sources such as Command and Process logs, and further down to the specifc data components Command: Command Execution and Process: Process Creation.

Shown above is this example technique's Data Sources/Components listed under the Detection section.


MITRE ATT&CK Data Source/Component Table​

IDData Source/ComponentDescription
DS0026Active DirectoryA database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (user, group, application, or devices)(Citation: Microsoft AD DS Getting Started)
Active Directory: Active Directory Credential RequestA user requested active directory credentials, such as a ticket or token (ex: Windows EID 4769)
Active Directory: Active Directory Object AccessOpening of an active directory object, typically to collect/read its value (ex: Windows EID 4661)
Active Directory: Active Directory Object CreationInitial construction of a new active directory object (ex: Windows EID 5137)
Active Directory: Active Directory Object DeletionRemoval of an active directory object (ex: Windows EID 5141)
Active Directory: Active Directory Object ModificationChanges made to an active directory object (ex: Windows EID 5163 or 5136)
DS0039AssetData sources with information about the set of devices found within the network, along with their current software and configurations
Asset: Asset InventoryThis includes sources of current and expected devices on the network, including the manufacturer, model, and necessary identifiers (e.g., IP and hardware addresses)
Asset: SoftwareThis includes sources of current and expected software or application programs deployed to a device, along with information on the version and patch level for vendor products, full source code for any application programs, and unique identifiers (e.g., hashes, signatures).
DS0015Application LogEvents collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)(Citation: Confluence Logs)
Application Log: Application Log ContentLogging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)
DS0037CertificateA digital document, which highlights information such as the owner's identity, used to instill trust in public keys used while encrypting network communications
Certificate: Certificate RegistrationQueried or logged information highlighting current and expired digital certificates (ex: Certificate transparency)
DS0025Cloud ServiceInfrastructure, platforms, or software that are hosted on-premise or by third-party providers, made available to users through network connections and/or APIs(Citation: Amazon AWS)(Citation: Azure Products)
Cloud Service: Cloud Service DisableDeactivation or stoppage of a cloud service (ex: AWS Cloudtrail StopLogging)
Cloud Service: Cloud Service EnumerationAn extracted list of cloud services (ex: AWS ECS ListServices)
Cloud Service: Cloud Service MetadataContextual data about a cloud service and activity around it such as name, type, or purpose/function
Cloud Service: Cloud Service ModificationChanges made to a cloud service, including its settings and/or data (ex: AWS CloudTrail DeleteTrail or DeleteConfigRule)
DS0010Cloud StorageData object storage infrastructure hosted on-premise or by third-party providers, made available to users through network connections and/or APIs(Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage)
Cloud Storage: Cloud Storage AccessOpening of a cloud storage infrastructure, typically to collect/read its value (ex: AWS S3 GetObject)
Cloud Storage: Cloud Storage CreationInitial construction of new cloud storage infrastructure (ex: AWS S3 CreateBucket)
Cloud Storage: Cloud Storage DeletionRemoval of cloud storage infrastructure (ex: AWS S3 DeleteBucket)
Cloud Storage: Cloud Storage EnumerationAn extracted list of cloud storage infrastructure (ex: AWS S3 ListBuckets or ListObjects)
Cloud Storage: Cloud Storage MetadataContextual data about cloud storage infrastructure and activity around it such as name, size, or owner
Cloud Storage: Cloud Storage ModificationChanges made to cloud storage infrastructure, including its settings and/or data (ex: AWS S3 PutObject or PutObjectAcl)
DS0017CommandA directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)
Command: Command ExecutionThe execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )
DS0032ContainerA standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another(Citation: Docker Docs Container)
Container: Container CreationInitial construction of a new container (ex: docker create <container_name>)
Container: Container EnumerationAn extracted list of containers (ex: docker ps)
Container: Container StartActivation or invocation of a container (ex: docker start or docker restart)
DS0038Domain NameInformation obtained (commonly through registration or activity logs) regarding one or more IP addresses registered with human readable names (ex: mitre.org)
Domain Name: Active DNSQueried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries)
Domain Name: Domain RegistrationInformation about domain name assignments and other domain metadata (ex: WHOIS)
Domain Name: Passive DNSLogged domain name system (DNS) data highlighting timelines of domain to IP address resolutions (ex: passive DNS)
DS0016DriveA non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter(Citation: Sysmon EID 9)
Drive: Drive AccessOpening of a data storage device with an assigned drive letter or mount point
Drive: Drive CreationInitial construction of a drive letter or mount point to a data storage device
Drive: Drive ModificationChanges made to a drive letter or mount point of a data storage device
DS0027DriverA computer program that operates or controls a particular type of device that is attached to a computer. Provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details about the hardware being used(Citation: IOKit Fundamentals)(Citation: Windows Getting Started Drivers)
Driver: Driver LoadAttaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)
Driver: Driver MetadataContextual data about a driver and activity around it such as driver issues reporting or integrity (page hash, code) checking
DS0022FileA computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).(Citation: Microsoft File Mgmt)
File: File AccessOpening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)
File: File CreationInitial construction of a new file (ex: Sysmon EID 11)
File: File DeletionRemoval of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules)
File: File MetadataContextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc.
File: File ModificationChanges made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)
DS0018FirewallA network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC)
Firewall: Firewall DisableDeactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs)
Firewall: Firewall EnumerationAn extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands)
Firewall: Firewall MetadataContextual data about a firewall and activity around it such as name, policy, or status
Firewall: Firewall Rule ModificationChanges made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs)
DS0001FirmwareComputer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI
Firmware: Firmware ModificationChanges made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)
DS0036GroupA collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights(Citation: Amazon IAM Groups)
Group: Group EnumerationAn extracted list of available groups and/or their associated settings (ex: AWS list-groups)
Group: Group MetadataContextual data about a group which describes group and activity around it, such as name, permissions, or user accounts within the group
Group: Group ModificationChanges made to a group, such as membership, name, or permissions (ex: Windows EID 4728 or 4732, AWS IAM UpdateGroup)
DS0007ImageA single file used to deploy a virtual machine/bootable disk into an on-premise or third-party cloud environment(Citation: Microsoft Image)(Citation: Amazon AMI)
Image: Image CreationInitial construction of a virtual machine image (ex: Azure Compute Service Images PUT)
Image: Image DeletionRemoval of a virtual machine image (ex: Azure Compute Service Images DELETE)
Image: Image MetadataContextual data about a virtual machine image such as name, resource group, state, or type
Image: Image ModificationChanges made to a virtual machine image, including setting and/or control data (ex: Azure Compute Service Images PATCH)
DS0030InstanceA virtual server environment which runs workloads, hosted on-premise or by third-party cloud providers(Citation: Amazon VM)(Citation: Google VM)
Instance: Instance CreationInitial construction of a new instance (ex: instance.insert within GCP Audit Logs)
Instance: Instance DeletionRemoval of an instance (ex: instance.delete within GCP Audit Logs)
Instance: Instance EnumerationAn extracted list of instances within a cloud environment (ex: instance.list within GCP Audit Logs)
Instance: Instance MetadataContextual data about an instance and activity around it such as name, type, or status
Instance: Instance ModificationChanges made to an instance, including its settings and/or control data (ex: instance.addResourcePolicies or instances.setMetadata within GCP Audit Logs)
Instance: Instance StartActivation or invocation of an instance (ex: instance.start within GCP Audit Logs)
Instance: Instance StopDeactivation or stoppage of an instance (ex: instance.stop within GCP Audit Logs)
DS0035Internet ScanInformation obtained (commonly via active network traffic probes or web crawling) regarding various types of resources and servers connected to the public Internet
Internet Scan: Response ContentLogged network traffic in response to a scan showing both protocol header and body values
Internet Scan: Response MetadataContextual data about an Internet-facing resource gathered from a scan, such as running services or ports
DS0008KernelA computer program, at the core of a computer OS, that resides in memory and facilitates interactions between hardware and software components(Citation: STIG Audit Kernel Modules)(Citation: Init Man Page)
Kernel: Kernel Module LoadAn object file that contains code to extend the running kernel of an OS, typically used to add support for new hardware (as device drivers) and/or filesystems, or for adding system calls
DS0028Logon SessionLogon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization(Citation: Microsoft Audit Logon Events)
Logon Session: Logon Session CreationInitial construction of a successful new user logon following an authentication attempt. (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wmtp)
Logon Session: Logon Session MetadataContextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it
DS0004Malware RepositoryInformation obtained (via shared or submitted samples) regarding malicious software (droppers, backdoors, etc.) used by adversaries
Malware Repository: Malware ContentCode, strings, and other signatures that compromise a malicious payload
Malware Repository: Malware MetadataContextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information
DS0011ModuleExecutable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class)
Module: Module LoadAttaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)
DS0023Named PipeMechanisms that allow inter-process communication locally or over the network. A named pipe is usually found as a file and processes attach to it(Citation: Microsoft Named Pipes)
Named Pipe: Named Pipe MetadataContextual data about a named pipe on a system, including pipe name and creating process (ex: Sysmon EIDs 17-18)
DS0033Network ShareA storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)(Citation: Microsoft NFS Overview)
Network Share: Network Share AccessOpening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)
DS0029Network TrafficData transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)
Network Traffic: Network Connection CreationInitial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)
Network Traffic: Network Traffic ContentLogged network traffic data showing both protocol header and body values (ex: PCAP)
Network Traffic: Network Traffic FlowSummarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)
DS0021PersonaA malicious online profile representing a user commonly used by adversaries to social engineer or otherwise target victims
Persona: Social MediaEstablished, compromised, or otherwise acquired social media personas
DS0014PodA single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod)
Pod: Pod CreationInitial construction of a new pod (ex: kubectl apply/run)
Pod: Pod EnumerationAn extracted list of pods within a cluster (ex: kubectl get pods)
Pod: Pod ModificationChanges made to a pod, including its settings and/or control data (ex: kubectl set/patch/edit)
DS0009ProcessInstances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)
Process: OS API ExecutionOperating system function/method calls executed by a process
Process: Process AccessOpening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)
Process: Process CreationThe initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Process: Process MetadataContextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.
Process: Process ModificationChanges made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8)
Process: Process TerminationExit of a running process (ex: Sysmon EID 5 or Windows EID 4689)
DS0003Scheduled JobAutomated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)(Citation: Microsoft Tasks)
Scheduled Job: Scheduled Job CreationInitial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)
Scheduled Job: Scheduled Job MetadataContextual data about a scheduled job, which may include information such as name, timing, command(s), etc.
Scheduled Job: Scheduled Job ModificationChanges made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs)
DS0012ScriptA file or stream containing a list of commands, allowing them to be launched in sequence(Citation: Microsoft PowerShell Logging)(Citation: FireEye PowerShell Logging)(Citation: Microsoft AMSI)
Script: Script ExecutionThe execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.)
DS0013Sensor HealthInformation from host telemetry providing insights about system status, errors, or other notable functional activity
Sensor Health: Host StatusLogging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)
DS0019ServiceA computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels)
Service: Service CreationInitial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)
Service: Service MetadataContextual data about a service/daemon, which may include information such as name, service executable, start type, etc.
Service: Service ModificationChanges made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs)
DS0020SnapshotA point-in-time copy of cloud volumes (files, settings, etc.) that can be created and/or deployed in cloud environments(Citation: Microsoft Snapshot)(Citation: Amazon Snapshots)
Snapshot: Snapshot CreationInitial construction of a new snapshot (ex: AWS create-snapshot)
Snapshot: Snapshot DeletionRemoval of a snapshot (ex: AWS delete-snapshot)
Snapshot: Snapshot EnumerationAn extracted list of snapshops within a cloud environment (ex: AWS describe-snapshots)
Snapshot: Snapshot MetadataContextual data about a snapshot, which may include information such as ID, type, and status
Snapshot: Snapshot ModificationChanges made to a snapshop, such as metadata and control data (ex: AWS modify-snapshot-attribute)
DS0002User AccountA profile representing a user, device, service, or application used to authenticate and access resources
User Account: User Account AuthenticationAn attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)
User Account: User Account CreationInitial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs)
User Account: User Account DeletionRemoval of an account (ex: Windows EID 4726 or /var/log access/authentication logs)
User Account: User Account MetadataContextual data about an account, which may include a username, user ID, environmental data, etc.
User Account: User Account ModificationChanges made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)
DS0034VolumeBlock object storage hosted on-premise or by third-party providers, typically made available to resources as virtualized hard drives(Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage)
Volume: Volume CreationInitial construction of a cloud volume (ex: AWS create-volume)
Volume: Volume DeletionRemoval of a a cloud volume (ex: AWS delete-volume)
Volume: Volume EnumerationAn extracted list of available volumes within a cloud environment (ex: AWS describe-volumes)
Volume: Volume MetadataContextual data about a cloud volume and activity around it, such as id, type, state, and size
Volume: Volume ModificationChanges made to a cloud volume, including its settings and control data (ex: AWS modify-volume)
DS0005WMIThe infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers(Citation: Microsoft WMI System Classes)(Citation: Microsoft WMI Architecture)
WMI: WMI CreationInitial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21)
DS0006Web CredentialCredential material, such as session cookies or tokens, used to authenticate to web applications and services(Citation: Medium Authentication Tokens)(Citation: Auth0 Access Tokens)
Web Credential: Web Credential CreationInitial construction of new web credential material (ex: Windows EID 1200 or 4769)
Web Credential: Web Credential UsageAn attempt by a user to gain access to a network or computing resource by providing web credentials (ex: Windows EID 1202)
DS0024Windows RegistryA Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations(Citation: Microsoft Registry)
Windows Registry: Windows Registry Key AccessOpening a Registry Key, typically to read the associated value (ex: Windows EID 4656)
Windows Registry: Windows Registry Key CreationInitial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)
Windows Registry: Windows Registry Key DeletionRemoval of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)
Windows Registry: Windows Registry Key ModificationChanges made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13/14)