Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)[1]
Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)
Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1098 | .002 | Account Manipulation: Additional Email Delegate Permissions |
Enable the UpdateFolderPermissions action for all logon types. The mailbox audit log will forward folder permission modification events to the Unified Audit Log. Create rules to alert on ModifyFolderPermissions operations where the Anonymous or Default user is assigned permissions other than None. A larger than normal volume of emails sent from an account and similar phishing emails sent from real accounts within a network may be a sign that an account was compromised and attempts to leverage access with modified email permissions is occurring. |
| .005 | Account Manipulation: Device Registration |
Azure AD creates several log entries when new devices are enrolled, which can be monitored for unexpected device registrations.[2] Additionally, joined devices can be viewed via the Azure AD portal.[3] |
||
| Enterprise | T1557 | Adversary-in-the-Middle |
Monitor application logs for changes to settings and other events associated with network protocols and other services commonly abused for AiTM.[4] |
|
| .003 | DHCP Spoofing |
Monitor Windows logs (ex: EIDs 1341, 1342, 1020, and 1063) for changes to DHCP settings. These may also highlight DHCP issues such as when IP allocations are low or have run out.[4][5] |
||
| Enterprise | T1110 | Brute Force |
Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials. |
|
| .001 | Password Guessing |
Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials. |
||
| .002 | Password Cracking |
Monitor authentication logs for system and application login failures of Valid Accounts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. Consider focusing efforts on detecting other adversary behavior used to acquire credential materials, such as OS Credential Dumping or Kerberoasting. |
||
| .003 | Password Spraying |
Monitor authentication logs for system and application login failures of Valid Accounts. Consider the following event IDs:[6]Domain Controllers: "Audit Logon" (Success & Failure) for event ID 4625.Domain Controllers: "Audit Kerberos Authentication Service" (Success & Failure) for event ID 4771.All systems: "Audit Logon" (Success & Failure) for event ID 4648. |
||
| .004 | Credential Stuffing |
Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials. |
||
| Enterprise | T1213 | Data from Information Repositories |
Monitor for third-party application logging, messaging, and/or other artifacts that may leverage information repositories to mine valuable information. Information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. |
|
| .001 | Confluence |
Monitor for third-party application logging, messaging, and/or other artifacts that may leverage Confluence repositories to mine valuable information. Watch for access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. |
||
| .002 | Sharepoint |
Monitor for third-party application logging, messaging, and/or other artifacts that may leverage the SharePoint repository as a source to mine valuable information. Monitor access to Microsoft SharePoint repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. |
||
| .003 | Code Repositories |
Monitor for third-party application logging, messaging, and/or other artifacts that may leverage code repositories to collect valuable information. Monitor access to code repositories, especially performed by privileged users such as Active Directory Domain or Enterprise Administrators as these types of accounts should generally not be used to access code repositories. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies. |
||
| Enterprise | T1622 | Debugger Evasion |
Monitor debugger logs for signs of abnormal and potentially malicious activity. |
|
| Enterprise | T1491 | Defacement |
Monitor for third-party application logging, messaging, and/or other artifacts that may modify visual content available internally or externally to an enterprise network. |
|
| .001 | Internal Defacement |
Monitor for third-party application logging, messaging, and/or other artifacts that may deface systems internal to an organization in an attempt to intimidate or mislead users. |
||
| .002 | External Defacement |
Monitor for third-party application logging, messaging, and/or other artifacts that may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. |
||
| Enterprise | T1610 | Deploy Container |
Configuration management databases (CMDB) and other asset management systems may help with the detection of computer systems or network devices that should not exist on a network. |
|
| Enterprise | T1189 | Drive-by Compromise |
Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before. |
|
| Enterprise | T1114 | Email Collection |
Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include |
|
| .003 | Email Forwarding Rule |
Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. This makes it only possible to reliably detect the existence of a hidden auto-forwarding rule by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.[8]Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include X-MS-Exchange-Organization-AutoForwarded set to true, X-MailFwdBy and X-Forwarded-To. The forwardingSMTPAddress parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.[7] High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.. |
||
| Enterprise | T1499 | Endpoint Denial of Service |
Monitor for third-party application logging, messaging, and/or other artifacts that may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt. Externally monitor the availability of services that may be targeted by an Endpoint DoS. |
|
| .002 | Service Exhaustion Flood |
Monitor for third-party application logging, messaging, and/or other artifacts that may target the different network services provided by systems to conduct a DoS. In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt. Externally monitor the availability of services that may be targeted by an Endpoint DoS. |
||
| .003 | Application Exhaustion Flood |
Monitor for third-party application logging, messaging, and/or other artifacts that may target resource intensive features of web applications to cause a denial of service (DoS). In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt. Externally monitor the availability of services that may be targeted by an Endpoint DoS. |
||
| .004 | Application or System Exploitation |
Monitor for third-party application logging, messaging, and/or other artifacts that may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. [9] Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack. Externally monitor the availability of services that may be targeted by an Endpoint DoS. |
||
| Enterprise | T1190 | Exploit Public-Facing Application |
Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation. |
|
| Enterprise | T1203 | Exploitation for Client Execution |
Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. |
|
| Enterprise | T1210 | Exploitation of Remote Services |
Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation. |
|
| Enterprise | T1133 | External Remote Services |
When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application. |
|
| Enterprise | T1564 | Hide Artifacts |
Monitor for third-party application logging, messaging, and/or other artifacts that may attempt to hide artifacts associated with their behaviors to evade detection. |
|
| .008 | Email Hiding Rules |
Monitor for third-party application logging, messaging, and/or other artifacts that may use email rules to hide inbound emails in a compromised user's mailbox. Monitor email clients and applications for suspicious activity, such as missing messages or abnormal configuration and/or log entries. |
||
| Enterprise | T1562 | .002 | Impair Defenses: Disable Windows Event Logging |
Monitor for third-party application logging, messaging, and/or other artifacts provided by third-party services that may disable Windows event logging to limit data that can be leveraged for detections and audits. |
| Enterprise | T1534 | Internal Spearphishing |
Monitor email gateways usually do not scan internal email, but an organization can leverage the journaling-based solution which sends a copy of emails to a security service for offline analysis or incorporate service-integrated solutions using on-premise or API-based integrations to help detect internal spearphishing attacks.[10] |
|
| Enterprise | T1621 | Multi-Factor Authentication Request Generation |
Monitor application logs for suspicious events including repeated MFA failures that may indicate user's primary credentials have been compromised. |
|
| Enterprise | T1137 | Office Application Startup |
Monitor for third-party application logging, messaging, and/or other artifacts that may leverage Microsoft Office-based applications for persistence between startups. SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.[11] |
|
| .003 | Outlook Forms |
Monitor for third-party application logging, messaging, and/or other artifacts that may abuse Microsoft Outlook forms to obtain persistence on a compromised system. SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.[11] |
||
| .004 | Outlook Home Page |
Monitor for third-party application logging, messaging, and/or other artifacts that may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.[11] |
||
| .005 | Outlook Rules |
Monitor for third-party application logging, messaging, and/or other artifacts that may abuse Microsoft Outlook rules to obtain persistence on a compromised system. SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.[11] |
||
| Enterprise | T1069 | Permission Groups Discovery |
Monitor for logging, messaging, and other artifacts provided by cloud services |
|
| .003 | Cloud Groups |
Monitor for events collected that may attempt to find cloud groups and permission settings. |
||
| Enterprise | T1566 | Phishing |
Monitor for third-party application logging, messaging, and/or other artifacts that may send phishing messages to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[12][13] URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link. |
|
| .001 | Spearphishing Attachment |
Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[12][13] Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.[14] |
||
| .002 | Spearphishing Link |
Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[12][13] URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link. |
||
| .003 | Spearphishing via Service |
Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing messages via third-party services in an attempt to gain access to victim systems. |
||
| Enterprise | T1598 | Phishing for Information |
Depending on the specific method of phishing, the detections can vary. Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[12][13]When it comes to following links, monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts). |
|
| .001 | Spearphishing Service |
Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts).Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. |
||
| .002 | Spearphishing Attachment |
Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[12][13] |
||
| .003 | Spearphishing Link |
Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[12][13]Monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites. |
||
| Enterprise | T1594 | Search Victim-Owned Websites |
Monitor for suspicious network traffic that could be indicative of adversary reconnaissance, such as rapid successions of requests indicative of web crawling and/or large quantities of requests originating from a single source (especially if the source is known to be associated with an adversary). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields. |
|
| Enterprise | T1505 | Server Software Component |
Monitor for third-party application logging, messaging, and/or other artifacts that may abuse legitimate extensible development features of servers to establish persistent access to systems. Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. [15] |
|
| .001 | SQL Stored Procedures |
Monitor for third-party application logging, messaging, and/or other artifacts that may abuse SQL stored procedures to establish persistent access to systems. On a MSSQL Server, consider monitoring for xp_cmdshell usage.[16] Consider enabling audit features that can log malicious startup activities. |
||
| .002 | Transport Agent |
Monitor for third-party application logging, messaging, and/or other artifacts that may abuse Microsoft transport agents to establish persistent access to systems. Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. |
||
| .003 | Web Shell |
Monitor for third-party application logging, messaging, and/or other artifacts that may backdoor web servers with web shells to establish persistent access to systems. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. [15] |
||
| Enterprise | T1072 | Software Deployment Tools |
Often these third-party applications will have logs of their own that can be collected and correlated with other data from the environment. Ensure that third-party application logs are on-boarded to the enterprise logging system and the logs are regularly reviewed. Audit software deployment logs and look for suspicious or unauthorized activity. A system not typically used to push software to clients that suddenly is used for such a task outside of a known admin function may be suspicious. Monitor account login activity on these applications to detect suspicious/abnormal usage.Perform application deployment at regular times so that irregular deployment activity stands out. |
|
| Enterprise | T1199 | Trusted Relationship |
Configuration management databases (CMDB) and other asset management systems may help with the detection of computer systems or network devices that should not exist on a network. |
|
| Enterprise | T1550 | Use Alternate Authentication Material |
Monitor for third-party application logging, messaging, and/or other artifacts that may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. |
|
| .004 | Web Session Cookie |
Monitor for third-party application logging, messaging, and/or other service artifacts that provide context of user authentication to web applications, including cloud-based services. Combine this information with web credentials usage events to identify authentication events that do not fit the organization baseline. |
||
| Enterprise | T1204 | User Execution |
Monitor for third-party application logging, messaging, and/or other artifacts that may rely upon specific actions by a user in order to gain execution. |
|
| .003 | Malicious Image |
Monitor for third-party application logging, messaging, and/or other artifacts that may rely on a user running a malicious image to facilitate execution. |
||