misp-galaxy/clusters/mitre-data-source.json


{
"authors": [
"MITRE"
],
"category": "data-source",
"description": "Data sources represent the various subjects/topics of information that can be collected by sensors/logs.",
"name": "mitre-data-source",
"source": "https://github.com/mitre/cti",
"type": "mitre-data-source",
"uuid": "5fc9f2b7-3fff-437e-80aa-4dac402be0e5",
"values": [
{
"description": "Data object storage infrastructure hosted on-premise or by third-party providers, made available to users through network connections and/or APIs(Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage)",
"meta": {
"external_id": "DS0010",
"mitre_platforms": [
"IaaS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0010",
"https://aws.amazon.com/s3/",
"https://azure.microsoft.com/en-us/services/storage/blobs/",
"https://cloud.google.com/storage"
]
},
"related": [
{
"dest-uuid": "45977f14-1bcc-4ec4-ac14-a30fd3a11f44",
"type": "includes"
},
{
"dest-uuid": "4c41e296-b8d2-4a37-b789-eb565c87c00c",
"type": "includes"
},
{
"dest-uuid": "58ef998c-f3bf-4985-b487-b1005f5c05d1",
"type": "includes"
},
{
"dest-uuid": "59ec10d9-546b-4b8e-bccb-fa85f71e5055",
"type": "includes"
},
{
"dest-uuid": "e214eb6d-de8f-4154-9015-6d47915fbed1",
"type": "includes"
},
{
"dest-uuid": "fcc4811f-9cc8-4db5-8097-4d8242a380de",
"type": "includes"
}
],
"uuid": "2ce537a2-3b30-4374-9397-31d6460ec0bc",
"value": "Cloud Storage - DS0010"
},
{
"description": "A profile representing a user, device, service, or application used to authenticate and access resources",
"meta": {
"external_id": "DS0002",
"mitre_platforms": [
"Azure AD",
"Containers",
"Google Workspace",
"IaaS",
"Linux",
"Office 365",
"SaaS",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0002"
]
},
"related": [
{
"dest-uuid": "a953ca55-921a-44f7-9b8d-3d40141aa17e",
"type": "includes"
},
{
"dest-uuid": "b5d0492b-cda4-421c-8e51-ed2b8d85c5d0",
"type": "includes"
},
{
"dest-uuid": "d27b0089-2c39-4b6c-84ff-303e48657e77",
"type": "includes"
},
{
"dest-uuid": "d6257b8e-869c-41c0-8731-fdca40858a91",
"type": "includes"
},
{
"dest-uuid": "deb22295-7e37-4a3b-ac6f-c86666fbe63d",
"type": "includes"
}
],
"uuid": "0b4f86ed-f4ab-46a3-8ed1-175be1974da6",
"value": "User Account - DS0002"
},
{
"description": "Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)(Citation: Microsoft Tasks)",
"meta": {
"external_id": "DS0003",
"mitre_platforms": [
"Containers",
"Linux",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0003",
"https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks"
]
},
"related": [
{
"dest-uuid": "7b375092-3a61-448d-900a-77c9a4bde4dc",
"type": "includes"
},
{
"dest-uuid": "f42df6f0-6395-4f0c-9376-525a031f00c3",
"type": "includes"
},
{
"dest-uuid": "faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b",
"type": "includes"
}
],
"uuid": "c9ddfb51-eb45-4e22-b614-44ac1caa7883",
"value": "Scheduled Job - DS0003"
},
{
"description": "Information obtained (via shared or submitted samples) regarding malicious software (droppers, backdoors, etc.) used by adversaries",
"meta": {
"external_id": "DS0004",
"mitre_platforms": [
"PRE"
],
"refs": [
"https://attack.mitre.org/datasources/DS0004"
]
},
"related": [
{
"dest-uuid": "167b48f7-76e9-4fcb-9e8d-7121f7bf56c3",
"type": "includes"
},
{
"dest-uuid": "93a6e38c-02a5-44d8-9035-b2e08459f31f",
"type": "includes"
}
],
"uuid": "b86d9b40-5fbe-4ef1-8dc3-263eff26f495",
"value": "Malware Repository - DS0004"
},
{
"description": "Credential material, such as session cookies or tokens, used to authenticate to web applications and services(Citation: Medium Authentication Tokens)(Citation: Auth0 Access Tokens)",
"meta": {
"external_id": "DS0006",
"mitre_platforms": [
"Azure AD",
"Google Workspace",
"Linux",
"Office 365",
"SaaS",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0006",
"https://auth0.com/docs/tokens/access-tokens",
"https://medium.com/@sherryhsu/session-vs-token-based-authentication-11a6c5ac45e4"
]
},
"related": [
{
"dest-uuid": "5f7c9def-0ddf-423b-b1f8-fb2ddeed0ce3",
"type": "includes"
},
{
"dest-uuid": "ff93f688-d7a4-49cf-9c79-a14454da8428",
"type": "includes"
}
],
"uuid": "1e26f222-e27e-4bfa-830c-fa4b4f18b5e4",
"value": "Web Credential - DS0006"
},
{
"description": "Information from host telemetry providing insights about system status, errors, or other notable functional activity",
"meta": {
"external_id": "DS0013",
"mitre_platforms": [
"Linux",
"Windows",
"macOS",
"Android",
"iOS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0013"
]
},
"related": [
{
"dest-uuid": "85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
"type": "includes"
}
],
"uuid": "4523e7f3-8de2-4078-96f8-1227eb537159",
"value": "Sensor Health - DS0013"
},
{
"description": "Application vetting report generated by an external cloud service.",
"meta": {
"external_id": "DS0041",
"mitre_platforms": [
"Android",
"iOS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0041"
]
},
"related": [
{
"dest-uuid": "5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
"type": "includes"
},
{
"dest-uuid": "613788f2-ad72-43f5-b5f7-a93e2adc70fa",
"type": "includes"
},
{
"dest-uuid": "6c62144a-cd5c-401c-ada9-58c4c74cd9d2",
"type": "includes"
},
{
"dest-uuid": "764ee29e-48d6-4934-8e6b-7a606aaaafc0",
"type": "includes"
},
{
"dest-uuid": "b1e0bb80-23d4-44f2-b919-7e9c54898f43",
"type": "includes"
}
],
"uuid": "e156f007-c5bf-45cc-8dd5-d442ffb0d203",
"value": "Application Vetting - DS0041"
},
{
"description": "Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)(Citation: Confluence Logs)",
"meta": {
"external_id": "DS0015",
"mitre_platforms": [
"Google Workspace",
"IaaS",
"Linux",
"Office 365",
"SaaS",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0015",
"https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html"
]
},
"related": [
{
"dest-uuid": "9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"type": "includes"
}
],
"uuid": "40269753-26bd-437b-986e-159c66dec5e4",
"value": "Application Log - DS0015"
},
{
"description": "Mechanisms that allow inter-process communication locally or over the network. A named pipe is usually found as a file and processes attach to it(Citation: Microsoft Named Pipes)",
"meta": {
"external_id": "DS0023",
"mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0023",
"https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes"
]
},
"related": [
{
"dest-uuid": "b9a1578e-8653-4103-be23-cb52e0b1816e",
"type": "includes"
}
],
"uuid": "221adcd5-cccf-44df-9be6-ef607a6e1c3c",
"value": "Named Pipe - DS0023"
},
{
"description": "Visual activity on the device that could alert the user to potentially malicious behavior.",
"meta": {
"external_id": "DS0042",
"mitre_platforms": [
"Android",
"iOS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0042"
]
},
"related": [
{
"dest-uuid": "56c2b384-77f8-461f-a71a-76f7888ebfb6",
"type": "includes"
},
{
"dest-uuid": "bf0ff551-a5a7-40e5-bff9-f9405011b1f4",
"type": "includes"
},
{
"dest-uuid": "e2f72131-14d1-411f-8e8c-aa3453dd5456",
"type": "includes"
}
],
"uuid": "55ba7d30-887f-42c1-a24e-c4e90aff24b8",
"value": "User Interface - DS0042"
},
{
"description": "A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations(Citation: Microsoft Registry)",
"meta": {
"external_id": "DS0024",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/datasources/DS0024",
"https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry"
]
},
"related": [
{
"dest-uuid": "1177a4c5-31c8-400c-8544-9071166afa0e",
"type": "includes"
},
{
"dest-uuid": "7f70fae7-a68d-4730-a83a-f260b9606129",
"type": "includes"
},
{
"dest-uuid": "da85d358-741a-410d-9433-20d6269a6170",
"type": "includes"
},
{
"dest-uuid": "ed0dd8aa-1677-4551-bb7d-8da767617e1b",
"type": "includes"
}
],
"uuid": "0f42a24c-e035-4f93-a91c-5f7076bd8da0",
"value": "Windows Registry - DS0024"
},
{
"description": "Infrastructure, platforms, or software that are hosted on-premise or by third-party providers, made available to users through network connections and/or APIs(Citation: Amazon AWS)(Citation: Azure Products)",
"meta": {
"external_id": "DS0025",
"mitre_platforms": [
"Azure AD",
"Google Workspace",
"IaaS",
"Office 365",
"SaaS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0025",
"https://aws.amazon.com",
"https://azure.microsoft.com/en-us/services/"
]
},
"related": [
{
"dest-uuid": "8c826308-2760-492f-9e36-4f0f7e23bcac",
"type": "includes"
},
{
"dest-uuid": "b33d36e3-d7ea-4895-8eed-19a08a8f7c4f",
"type": "includes"
},
{
"dest-uuid": "e52d89f9-1710-4708-88a5-cbef77c4cd5e",
"type": "includes"
},
{
"dest-uuid": "ec0612c5-2644-4c50-bcac-82586974fedd",
"type": "includes"
}
],
"uuid": "b1ddede4-cafe-4955-ac4c-14b33ac3f647",
"value": "Cloud Service - DS0025"
},
{
"description": "A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (user, group, application, or devices)(Citation: Microsoft AD DS Getting Started)",
"meta": {
"external_id": "DS0026",
"mitre_platforms": [
"Azure AD",
"Windows"
],
"refs": [
"https://attack.mitre.org/datasources/DS0026",
"https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started"
]
},
"related": [
{
"dest-uuid": "02d090b6-8157-48da-98a2-517f7edd49fc",
"type": "includes"
},
{
"dest-uuid": "18b236d8-7224-488f-9d2f-50076a0f653a",
"type": "includes"
},
{
"dest-uuid": "5b8b466b-2c81-4fe7-946f-d677a74ae3db",
"type": "includes"
},
{
"dest-uuid": "5c6de881-bc70-4070-855a-7a9631a407f7",
"type": "includes"
},
{
"dest-uuid": "9085a576-636a-455b-91d2-c2921bbe6d1d",
"type": "includes"
}
],
"uuid": "d6188aac-17db-4861-845f-57c369f9b4c8",
"value": "Active Directory - DS0026"
},
{
"description": "Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization(Citation: Microsoft Audit Logon Events)",
"meta": {
"external_id": "DS0028",
"mitre_platforms": [
"Azure AD",
"Google Workspace",
"IaaS",
"Linux",
"Office 365",
"SaaS",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0028",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"
]
},
"related": [
{
"dest-uuid": "39b9db72-8b48-4595-a18d-db5bbba3091b",
"type": "includes"
},
{
"dest-uuid": "9ce98c86-8d30-4043-ba54-0784d478d0b5",
"type": "includes"
}
],
"uuid": "4358c631-e253-4557-86df-f687d0ef9891",
"value": "Logon Session - DS0028"
},
{
"description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)",
"meta": {
"external_id": "DS0029",
"mitre_platforms": [
"IaaS",
"Linux",
"Windows",
"macOS",
"Android",
"iOS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0029"
]
},
"related": [
{
"dest-uuid": "181a9f8c-c780-4f1f-91a8-edb770e904ba",
"type": "includes"
},
{
"dest-uuid": "3772e279-27d6-477a-9fe3-c6beb363594c",
"type": "includes"
},
{
"dest-uuid": "a7f22107-02e5-4982-9067-6625d4a1765a",
"type": "includes"
}
],
"uuid": "c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3",
"value": "Network Traffic - DS0029"
},
{
"description": "A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)(Citation: Microsoft NFS Overview)",
"meta": {
"external_id": "DS0033",
"mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0033",
"https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview"
]
},
"related": [
{
"dest-uuid": "f5468e67-51c7-4756-9b4f-65707708e7fa",
"type": "includes"
}
],
"uuid": "ba27545a-9c32-47ea-ba6a-cce50f1b326e",
"value": "Network Share - DS0033"
},
{
"description": "Information obtained (commonly via active network traffic probes or web crawling) regarding various types of resources and servers connected to the public Internet",
"meta": {
"external_id": "DS0035",
"mitre_platforms": [
"PRE"
],
"refs": [
"https://attack.mitre.org/datasources/DS0035"
]
},
"related": [
{
"dest-uuid": "0dcbbf4f-929c-489a-b66b-9b820d3f7f0e",
"type": "includes"
},
{
"dest-uuid": "1067aa74-5796-4d9b-b4f1-a4c9eb6fd9da",
"type": "includes"
}
],
"uuid": "38fe306c-bdec-4f3d-8521-b72dd32dbd17",
"value": "Internet Scan - DS0035"
},
{
"description": "Information obtained (commonly through registration or activity logs) regarding one or more IP addresses registered with human readable names (ex: mitre.org)",
"meta": {
"external_id": "DS0038",
"mitre_platforms": [
"PRE"
],
"refs": [
"https://attack.mitre.org/datasources/DS0038"
]
},
"related": [
{
"dest-uuid": "2e521444-7295-4dec-96c1-7595b2df7811",
"type": "includes"
},
{
"dest-uuid": "cc150ad8-ecfa-4340-9aaa-d21165873bd4",
"type": "includes"
},
{
"dest-uuid": "ff9b665a-598b-4bcb-8b2a-a87566aa1256",
"type": "includes"
}
],
"uuid": "dd75f457-8dc0-4a24-9ae5-4b61c33af866",
"value": "Domain Name - DS0038"
},
{
"description": "Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI",
"meta": {
"external_id": "DS0001",
"mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0001"
]
},
"related": [
{
"dest-uuid": "b9d031bb-d150-4fc6-8025-688201bf3ffd",
"type": "includes"
}
],
"uuid": "ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f",
"value": "Firmware - DS0001"
},
{
"description": "A point-in-time copy of cloud volumes (files, settings, etc.) that can be created and/or deployed in cloud environments(Citation: Microsoft Snapshot)(Citation: Amazon Snapshots)",
"meta": {
"external_id": "DS0020",
"mitre_platforms": [
"IaaS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0020",
"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html",
"https://docs.microsoft.com/en-us/azure/virtual-machines/linux/snapshot-copy-managed-disk"
]
},
"related": [
{
"dest-uuid": "16e07530-764b-4d83-bae0-cdbfc31bf21d",
"type": "includes"
},
{
"dest-uuid": "3da222e6-53f3-451c-a239-0b405c009432",
"type": "includes"
},
{
"dest-uuid": "8bc66f94-54a9-4be4-bdd1-fe90df643774",
"type": "includes"
},
{
"dest-uuid": "f1eb6ea9-f3ab-414f-af35-2d5427199984",
"type": "includes"
},
{
"dest-uuid": "ffd73905-2e51-4f2d-8549-e72fb0eb6c38",
"type": "includes"
}
],
"uuid": "6d7de3b7-283d-48f9-909c-60d123d9d768",
"value": "Snapshot - DS0020"
},
{
"description": "A virtual server environment which runs workloads, hosted on-premise or by third-party cloud providers(Citation: Amazon VM)(Citation: Google VM)",
"meta": {
"external_id": "DS0030",
"mitre_platforms": [
"IaaS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0030",
"https://azure.microsoft.com/en-us/overview/what-is-a-virtual-machine/",
"https://cloud.google.com/compute/docs/instances"
]
},
"related": [
{
"dest-uuid": "1361e324-b594-4c0e-a517-20cee32b8d7f",
"type": "includes"
},
{
"dest-uuid": "2a80d95f-08c4-48e3-833e-151ef19d90f5",
"type": "includes"
},
{
"dest-uuid": "45d0ff14-b9c4-41f5-8603-156657c20b75",
"type": "includes"
},
{
"dest-uuid": "45fd904d-6eb0-4b50-8478-a961f09f898b",
"type": "includes"
},
{
"dest-uuid": "7561ed50-16cb-4826-82c7-c1ddca61785e",
"type": "includes"
},
{
"dest-uuid": "b5b0e8ae-7436-4951-950a-7b83c4dd3f2c",
"type": "includes"
},
{
"dest-uuid": "f8213cde-6b3a-420d-9ab7-41c9af1a919f",
"type": "includes"
}
],
"uuid": "45232bc0-e858-440d-aa93-d48c6cf167f0",
"value": "Instance - DS0030"
},
{
"description": "The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers(Citation: Microsoft WMI System Classes)(Citation: Microsoft WMI Architecture)",
"meta": {
"external_id": "DS0005",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/datasources/DS0005",
"https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-architecture",
"https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-system-classes"
]
},
"related": [
{
"dest-uuid": "05645013-2fed-4066-8bdc-626b2e201dd4",
"type": "includes"
}
],
"uuid": "2cd6cc81-d86e-4595-a4f0-43f5519f14e6",
"value": "WMI - DS0005"
},
{
"description": "A single file used to deploy a virtual machine/bootable disk into an on-premise or third-party cloud environment(Citation: Microsoft Image)(Citation: Amazon AMI)",
"meta": {
"external_id": "DS0007",
"mitre_platforms": [
"IaaS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0007",
"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html",
"https://docs.microsoft.com/en-us/azure/virtual-machines/windows/capture-image-resource"
]
},
"related": [
{
"dest-uuid": "071a09b1-8945-46fd-8bb7-6bcc89400963",
"type": "includes"
},
{
"dest-uuid": "8b4ca854-ac08-47da-b24f-601b28a39aff",
"type": "includes"
},
{
"dest-uuid": "b008766d-f34f-4ded-b712-659f59aaed6e",
"type": "includes"
},
{
"dest-uuid": "b597a220-6510-4397-b0d8-342cd2c58827",
"type": "includes"
}
],
"uuid": "1ac0ca69-e07e-4b34-9061-e4588e146c52",
"value": "Image - DS0007"
},
{
"description": "A computer program, at the core of a computer OS, that resides in memory and facilitates interactions between hardware and software components(Citation: STIG Audit Kernel Modules)(Citation: Init Man Page)",
"meta": {
"external_id": "DS0008",
"mitre_platforms": [
"Linux",
"macOS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0008",
"https://man7.org/linux/man-pages/man2/init_module.2.html",
"https://www.stigviewer.com/stig/oracle_linux_5/2016-12-20/finding/V-22383"
]
},
"related": [
{
"dest-uuid": "23e4ee78-26f3-4fcf-ba43-ab953962f96c",
"type": "includes"
}
],
"uuid": "8765a845-dea1-4cd1-a56f-f54939b7ab9e",
"value": "Kernel - DS0008"
},
{
"description": "Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)",
"meta": {
"external_id": "DS0009",
"mitre_platforms": [
"Linux",
"Windows",
"macOS",
"Android",
"iOS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0009",
"https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads"
]
},
"related": [
{
"dest-uuid": "1887a270-576a-4049-84de-ef746b2572d6",
"type": "includes"
},
{
"dest-uuid": "3d20385b-24ef-40e1-9f56-f39750379077",
"type": "includes"
},
{
"dest-uuid": "61f1d40e-f3d0-4cc6-aa2d-937b6204194f",
"type": "includes"
},
{
"dest-uuid": "9bde2f9d-a695-4344-bfac-f2dce13d121e",
"type": "includes"
},
{
"dest-uuid": "d5fca4e4-e47a-487b-873f-3d22f8865e96",
"type": "includes"
},
{
"dest-uuid": "ee575f4a-2d4f-48f6-b18b-89067760adc1",
"type": "includes"
}
],
"uuid": "e8b8ede7-337b-4c0c-8c32-5c7872c1ee22",
"value": "Process - DS0009"
},
{
"description": "Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class)",
"meta": {
"external_id": "DS0011",
"mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0011",
"https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module",
"https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya"
]
},
"related": [
{
"dest-uuid": "c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1",
"type": "includes"
}
],
"uuid": "f424e4b4-a8a4-4c58-a4ae-4f53bfd08563",
"value": "Module - DS0011"
},
{
"description": "A malicious online profile representing a user commonly used by adversaries to social engineer or otherwise target victims",
"meta": {
"external_id": "DS0021",
"mitre_platforms": [
"PRE"
],
"refs": [
"https://attack.mitre.org/datasources/DS0021"
]
},
"related": [
{
"dest-uuid": "8fb2f315-1aca-4cef-ae0d-8105e1f95985",
"type": "includes"
}
],
"uuid": "3bef4799-906c-409c-ac00-3fb7a1e352e6",
"value": "Persona - DS0021"
},
{
"description": "A file or stream containing a list of commands, allowing them to be launched in sequence(Citation: Microsoft PowerShell Logging)(Citation: FireEye PowerShell Logging)(Citation: Microsoft AMSI)",
"meta": {
"external_id": "DS0012",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/datasources/DS0012",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7",
"https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal",
"https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html"
]
},
"related": [
{
"dest-uuid": "9f387817-df83-432a-b56b-a8fb7f71eedd",
"type": "includes"
}
],
"uuid": "12c1e727-7fa4-49b6-af81-366ed2ce231e",
"value": "Script - DS0012"
},
{
"description": "A set of containerized computing resources that are managed together but have separate nodes to execute various tasks and/or applications(Citation: Kube Cluster Admin)(Citation: Kube Cluster Info)",
"meta": {
"external_id": "DS0031",
"mitre_platforms": [
"Containers"
],
"refs": [
"https://attack.mitre.org/datasources/DS0031",
"https://kubernetes.io/docs/concepts/cluster-administration/",
"https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#cluster-info"
]
},
"related": [
{
"dest-uuid": "fafaa705-ec08-4405-ac62-288c252e520d",
"type": "includes"
}
],
"uuid": "c3af32ff-65c5-4ea8-912a-fb4a85197239",
"value": "Cluster - DS0031"
},
{
"description": "A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod)",
"meta": {
"external_id": "DS0014",
"mitre_platforms": [
"Containers"
],
"refs": [
"https://attack.mitre.org/datasources/DS0014",
"https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#pod-v1-core",
"https://kubernetes.io/docs/reference/kubectl/kubectl/"
]
},
"related": [
{
"dest-uuid": "07688e40-a7fa-4436-937f-1216674341a0",
"type": "includes"
},
{
"dest-uuid": "5263cb33-08cc-4a68-820f-004e1e400d76",
"type": "includes"
},
{
"dest-uuid": "672b2ebd-4310-4efe-bf03-7ab005298a74",
"type": "includes"
},
{
"dest-uuid": "c0edd522-0aef-46b3-8efa-2bd334ce4242",
"type": "includes"
}
],
"uuid": "06bb1e05-533b-4de3-ae87-9b99910465cf",
"value": "Pod - DS0014"
},
{
"description": "A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter(Citation: Sysmon EID 9)",
"meta": {
"external_id": "DS0016",
"mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0016",
"https://docs.microsoft.com/sysinternals/downloads/sysmon#event-id-9-rawaccessread"
]
},
"related": [
{
"dest-uuid": "3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f",
"type": "includes"
},
{
"dest-uuid": "4dcd8ba3-2075-4f8b-941e-39884ffaac08",
"type": "includes"
},
{
"dest-uuid": "73ff2dcc-24b1-4368-b9dc-706dd9e68354",
"type": "includes"
}
],
"uuid": "61bbbf27-f7c3-46ba-a6bc-48ae76928065",
"value": "Drive - DS0016"
},
{
"description": "A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)",
"meta": {
"external_id": "DS0017",
"mitre_platforms": [
"Containers",
"Linux",
"Network",
"Windows",
"macOS",
"Android",
"iOS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0017",
"https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html",
"https://www.scip.ch/en/?labs.20150108"
]
},
"related": [
{
"dest-uuid": "685f917a-e95e-4ba0-ade1-c7d354dae6e0",
"type": "includes"
}
],
"uuid": "73691708-ffb5-4e29-906d-f485f6fa7089",
"value": "Command - DS0017"
},
{
"description": "A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC)",
"meta": {
"external_id": "DS0018",
"mitre_platforms": [
"Azure AD",
"Google Workspace",
"IaaS",
"Linux",
"Office 365",
"SaaS",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0018",
"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
]
},
"related": [
{
"dest-uuid": "746f095a-f84c-4ccc-90a5-c7caa5c100a2",
"type": "includes"
},
{
"dest-uuid": "bf91faa8-0049-4870-810a-4df55e0b77ee",
"type": "includes"
},
{
"dest-uuid": "c97d0171-f6e0-4415-85ff-4082fdb8c72a",
"type": "includes"
},
{
"dest-uuid": "d2ff4b56-8351-4ed8-b0fb-d8605366005f",
"type": "includes"
}
],
"uuid": "f2f4f4bd-3455-400f-b2ee-104004df0f5b",
"value": "Firewall - DS0018"
},
{
"description": "A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels)",
"meta": {
"external_id": "DS0019",
"mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0019",
"https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications",
"https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/"
]
},
"related": [
{
"dest-uuid": "5297a638-1382-4f0c-8472-0d21830bf705",
"type": "includes"
},
{
"dest-uuid": "66531bc6-a509-4868-8314-4d599e91d222",
"type": "includes"
},
{
"dest-uuid": "74fa567d-bc90-425c-8a41-3c703abb221c",
"type": "includes"
}
],
"uuid": "d710099e-df94-4be4-bf85-cabd30e912bb",
"value": "Service - DS0019"
},
{
"description": "A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).(Citation: Microsoft File Mgmt)",
"meta": {
"external_id": "DS0022",
"mitre_platforms": [
"Linux",
"Network",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0022",
"https://docs.microsoft.com/en-us/windows/win32/fileio/file-management"
]
},
"related": [
{
"dest-uuid": "235b7491-2d2b-4617-9a52-3c0783680f71",
"type": "includes"
},
{
"dest-uuid": "2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
"type": "includes"
},
{
"dest-uuid": "639e87f3-acb6-448a-9645-258f20da4bc5",
"type": "includes"
},
{
"dest-uuid": "84572de3-9583-4c73-aabd-06ea88123dd8",
"type": "includes"
},
{
"dest-uuid": "e905dad2-00d6-477c-97e8-800427abd0e8",
"type": "includes"
}
],
"uuid": "509ed41e-ca42-461e-9058-24602256daf9",
"value": "File - DS0022"
},
{
"description": "A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another(Citation: Docker Docs Container)",
"meta": {
"external_id": "DS0032",
"mitre_platforms": [
"Containers"
],
"refs": [
"https://attack.mitre.org/datasources/DS0032",
"https://docs.docker.com/engine/api/v1.41/#tag/Container"
]
},
"related": [
{
"dest-uuid": "5fe82895-28e5-4aac-845e-dc886b63be2e",
"type": "includes"
},
{
"dest-uuid": "91b3ed33-d1b5-4c4b-a896-76c55eb3cfd8",
"type": "includes"
},
{
"dest-uuid": "a5ae90ca-0c4b-481c-959f-0eb18a7ff953",
"type": "includes"
},
{
"dest-uuid": "df508a43-65f5-453f-8b8f-4b5d64e60a21",
"type": "includes"
}
],
"uuid": "072ec5a7-00ba-466f-9057-69751a22a967",
"value": "Container - DS0032"
},
{
"description": "A computer program that operates or controls a particular type of device that is attached to a computer. Provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details about the hardware being used(Citation: IOKit Fundamentals)(Citation: Windows Getting Started Drivers)",
"meta": {
"external_id": "DS0027",
"mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0027",
"https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/Features/Features.html",
"https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode"
]
},
"related": [
{
"dest-uuid": "3551476e-14f5-4e48-a518-e82135329e03",
"type": "includes"
},
{
"dest-uuid": "f5a9a1dd-82f9-41a3-85b8-13e5b9cd6c79",
"type": "includes"
}
],
"uuid": "9ec8c0d7-6137-456f-b829-c5f8b96ba054",
"value": "Driver - DS0027"
},
{
"description": "Block storage hosted on-premise or by third-party providers, typically made available to compute resources as virtualized hard drives(Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage)",
"meta": {
"external_id": "DS0034",
"mitre_platforms": [
"IaaS",
"Linux",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/datasources/DS0034",
"https://aws.amazon.com/s3/",
"https://azure.microsoft.com/en-us/services/storage/blobs/",
"https://cloud.google.com/storage"
]
},
"related": [
{
"dest-uuid": "0f72bf50-35b3-419d-ab95-70f9b6a818dd",
"type": "includes"
},
{
"dest-uuid": "3acecdde-c327-4498-9bb8-33a2e63c6c57",
"type": "includes"
},
{
"dest-uuid": "d46272ce-a0fe-4256-855e-738de7bb63ee",
"type": "includes"
},
{
"dest-uuid": "dad75cc7-5bae-4175-adb4-ca1962d8650e",
"type": "includes"
},
{
"dest-uuid": "ec225357-8197-47a4-a9cd-57741d592877",
"type": "includes"
}
],
"uuid": "b0b6d26f-3747-4444-ac7a-239a6ff80cb5",
"value": "Volume - DS0034"
},
{
"description": "A collection of user accounts that are granted the same access rights to computer and/or network resources and share a common set of security permissions(Citation: Amazon IAM Groups)",
"meta": {
"external_id": "DS0036",
"mitre_platforms": [
"Azure AD",
"Google Workspace",
"IaaS",
"Office 365",
"SaaS",
"Windows"
],
"refs": [
"https://attack.mitre.org/datasources/DS0036",
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html"
]
},
"related": [
{
"dest-uuid": "05d5b5b4-ef93-4807-b05f-33d8c5a35bc5",
"type": "includes"
},
{
"dest-uuid": "8d8c7cac-94cf-4726-8989-cab33851168c",
"type": "includes"
},
{
"dest-uuid": "8e44412e-3238-4d64-8878-4f11e27784fe",
"type": "includes"
}
],
"uuid": "3c07684f-3794-4536-8f70-21efe700c0ec",
"value": "Group - DS0036"
},
{
"description": "A digital document that binds a public key to information such as the owner's identity, used to establish trust in that key when authenticating or encrypting network communications",
"meta": {
"external_id": "DS0037",
"mitre_platforms": [
"PRE"
],
"refs": [
"https://attack.mitre.org/datasources/DS0037"
]
},
"related": [
{
"dest-uuid": "1dad5aa4-4bb5-45e4-9e42-55d40003cfa6",
"type": "includes"
}
],
"uuid": "29aa4e0e-4a26-4f79-a9bc-1ae66df1c923",
"value": "Certificate - DS0037"
}
],
"version": 2
}