Skip to content

Hide Navigation Hide TOC

Edit

mitre-data-component

Data components are parts of data sources.

Authors
Authors and/or Contributors
MITRE

Windows Registry Key Access - DC0050

The action of opening a specific Windows Registry key, typically to read its associated value. This activity can be used for system configuration, application settings retrieval, and security policies.

Internal MISP references

UUID ed0dd8aa-1677-4551-bb7d-8da767617e1b which can be used as unique global reference for Windows Registry Key Access - DC0050 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0050

Active Directory Object Access - DC0071

Object access refers to activities where AD objects (e.g., user accounts, groups, policies) are accessed or queried. Example: Windows Event ID 4661 logs object access attempts. Examples:

  • Attribute Access: e.g., userPassword, memberOf, securityDescriptor.
  • Group Enumeration: Enumerating critical group members (e.g., Domain Admins).
  • User Attributes: Commonly accessed attributes like samAccountName, lastLogonTimestamp.
  • Policy Access: Accessing GPOs to understand security settings.

Data Collection Measures:

  • Audit Policies:
    • Enable "Audit Directory Service Access" under Advanced Audit Policies (Success and Failure).
    • Path: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object AccessEnable: Audit Directory Service Access (Success and Failure).
    • Captured Events: IDs 4661, 4662.
  • Event Forwarding: Use WEF to centralize logs for SIEM analysis.
  • SIEM Integration: Collect and parse logs (e.g., 4661, 4662) using tools like Splunk or Azure Sentinel.
  • Log Filtering:
  • Focus on sensitive objects/attributes like:
    • Domain Admins group.
    • userPassword, ntSecurityDescriptor.
  • Enable EDR Monitoring:
    • Detect processes accessing sensitive AD objects (e.g., samAccountName, securityDescriptor).
    • Log all attempts to enumerate critical groups (e.g., "Domain Admins").
Internal MISP references

UUID 5c6de881-bc70-4070-855a-7a9631a407f7 which can be used as unique global reference for Active Directory Object Access - DC0071 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0071

Windows Registry Key Modification - DC0063

Changes made to an existing registry key or its values. These modifications can include altering permissions, modifying stored data, or updating configuration settings.

Data Collection Measures:

  • Windows Event Logs
    • Event ID 4657 - Registry Value Modified: Logs changes to registry values, including modifications to startup entries, security settings, or system configurations.
  • Sysmon (System Monitor) for Windows
    • Sysmon Event ID 13 - Registry Value Set: Captures changes to specific registry values.
    • Sysmon Event ID 14 - Registry Key & Value Renamed: Logs renaming of registry keys, which may indicate evasion attempts.
  • Endpoint Detection and Response (EDR) Solutions
    • Monitor registry modifications for suspicious behavior.
Internal MISP references

UUID da85d358-741a-410d-9433-20d6269a6170 which can be used as unique global reference for Windows Registry Key Modification - DC0063 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0063

Windows Registry Key Deletion - DC0045

The removal of a registry key within the Windows operating system.

Data Collection Measures:

  • Windows Event Logs
    • Event ID 4658 - Registry Key Handle Closed: Captures when a handle to a registry key is closed, which may indicate deletion.
    • Event ID 4660 - Object Deleted: Logs when a registry key is deleted.
  • Sysmon (System Monitor) for Windows
    • Sysmon Event ID 12 - Registry Key Deleted: Logs when a registry key is removed.
    • Sysmon Event ID 13 - Registry Value Deleted: Captures removal of specific registry values.
  • Endpoint Detection and Response (EDR) Solutions
    • Monitor registry deletions for suspicious behavior.
Internal MISP references

UUID 1177a4c5-31c8-400c-8544-9071166afa0e which can be used as unique global reference for Windows Registry Key Deletion - DC0045 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0045

Active Directory Credential Request - DC0084

Requests for authentication credentials via Kerberos or other methods like NTLM and LDAP queries. Examples:

  • Kerberos TGT and Service Tickets (Event IDs 4768, 4769)
  • NTLM Authentication Events
  • LDAP Bind Requests.
Internal MISP references

UUID 02d090b6-8157-48da-98a2-517f7edd49fc which can be used as unique global reference for Active Directory Credential Request - DC0084 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0084

Windows Registry Key Creation - DC0056

Initial construction of a new registry key within the Windows operating system.

Internal MISP references

UUID 7f70fae7-a68d-4730-a83a-f260b9606129 which can be used as unique global reference for Windows Registry Key Creation - DC0056 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0056

Active Directory Object Modification - DC0066

Changes to AD objects (e.g., users, groups, OUs) are logged as Event ID 5136 (Object Modification) or 5163 (Attribute Changes). Examples:

  • User Account: Modifying attributes (e.g., group membership, enabling/disabling accounts).
  • Group Membership: Adding/removing members.
  • OU: Changing properties/permissions (e.g., delegation).
  • Service Account: Modifying SPNs or other attributes.
  • Object Attributes: Changes to passwords, logon hours, or control flags.
Internal MISP references

UUID 5b8b466b-2c81-4fe7-946f-d677a74ae3db which can be used as unique global reference for Active Directory Object Modification - DC0066 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0066

Active Directory Object Deletion - DC0068

Object deletion in AD (e.g., user accounts, groups, OUs) is logged as Event ID 5141. Examples:

  • User Account: Deleted user.
  • Group: Deleted security/distribution group.
  • Organizational Unit (OU): Loss of configurations or policies.
  • Service Account: Disrupted operations or cover tracks.
  • Trust Object: Removed domain trust, disrupting connectivity.

Data Collection Measures:

  • Audit Policy:
    • Enable "Audit Directory Service Changes" (Success and Failure).
    • Path: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Directory Service Changes.
    • Key Event: Event ID 5141.
  • Log Forwarding: Use WEF to centralize logs for SIEM tools (e.g., Splunk).
  • Enable EDR Monitoring:
    • Detect processes or users that initiate unauthorized object deletions.
    • Monitor tools and scripts that may delete key directory objects.
Internal MISP references

UUID 9085a576-636a-455b-91d2-c2921bbe6d1d which can be used as unique global reference for Active Directory Object Deletion - DC0068 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0068

Active Directory Object Creation - DC0087

Creating new objects in AD, such as user accounts, groups, organizational units (OUs), or trust relationships. Logged as Event ID 5137. Examples:

  • User Account Creation: New user account.
  • Group Creation: New security/distribution group.
  • OU Creation: New organizational unit.
  • Service Account Creation: New service account for automation or malicious tasks.
  • Trust Object Creation: Trust relationship with another domain.
Internal MISP references

UUID 18b236d8-7224-488f-9d2f-50076a0f653a which can be used as unique global reference for Active Directory Object Creation - DC0087 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0087

User Account Modification - DC0010

Changes made to an existing user, service, or machine account, including alterations to attributes, permissions, roles, authentication methods, or group memberships.

Internal MISP references

UUID d27b0089-2c39-4b6c-84ff-303e48657e77 which can be used as unique global reference for User Account Modification - DC0010 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0010

Scheduled Job Creation - DC0001

The establishment of a task or job that will execute at a predefined time or based on specific triggers.

Internal MISP references

UUID f42df6f0-6395-4f0c-9376-525a031f00c3 which can be used as unique global reference for Scheduled Job Creation - DC0001 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0001

User Account Authentication - DC0002

An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation.

Internal MISP references

UUID a953ca55-921a-44f7-9b8d-3d40141aa17e which can be used as unique global reference for User Account Authentication - DC0002 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0002

Scheduled Job Metadata - DC0005

Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.

Internal MISP references

UUID 7b375092-3a61-448d-900a-77c9a4bde4dc which can be used as unique global reference for Scheduled Job Metadata - DC0005 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0005

Web Credential Creation - DC0006

Initial construction of new web credential material (ex: Windows EID 1200 or 4769)

Internal MISP references

UUID 5f7c9def-0ddf-423b-b1f8-fb2ddeed0ce3 which can be used as unique global reference for Web Credential Creation - DC0006 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0006

Cloud Service Metadata - DC0070

Cloud service metadata refers to the contextual and descriptive information about cloud services, including their name, type, purpose, configuration, and activity around them. This metadata is essential for understanding the roles and functions of cloud services, their operational status, and their potential misuse. Examples:

  • Azure Service Metadata: Metadata describing a resource in Azure, such as an Azure Storage Account or a Virtual Machine.
  • AWS Cloud Service Metadata: Metadata for an AWS EC2 instance collected using the DescribeInstances API call.
  • Google Cloud Service Metadata: Metadata for a Google Compute Engine instance collected using gcloud compute instances describe.
  • Office 365 Metadata: Metadata about an Office 365 SharePoint site.
Internal MISP references

UUID b33d36e3-d7ea-4895-8eed-19a08a8f7c4f which can be used as unique global reference for Cloud Service Metadata - DC0070 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0070

Web Credential Usage - DC0007

An attempt by a user to gain access to a network or computing resource by providing web credentials (ex: Windows EID 1202)

Internal MISP references

UUID ff93f688-d7a4-49cf-9c79-a14454da8428 which can be used as unique global reference for Web Credential Usage - DC0007 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0007

User Account Deletion - DC0009

The removal of a user, service, or machine account from an operating system, cloud identity management system, or directory service.

Internal MISP references

UUID d6257b8e-869c-41c0-8731-fdca40858a91 which can be used as unique global reference for User Account Deletion - DC0009 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0009

Cloud Service Disable - DC0090

This data component refers to monitoring actions that deactivate or stop a cloud service in a cloud control plane. Examples include disabling essential logging services like AWS CloudTrail (StopLogging API call), Microsoft Azure Monitor Logs, or Google Cloud's Operations Suite (formerly Stackdriver). Disabling such services can hinder visibility into adversary activities within the cloud environment. Examples:

  • AWS CloudTrail StopLogging: This action stops logging of API activity for a particular trail, effectively reducing the monitoring and visibility of AWS resources and activities.
  • Microsoft Azure Monitor Logs: Disabling these logs hinders the organization’s ability to detect anomalous activities and trace malicious actions.
  • Google Cloud Logging: Disabling cloud logging removes visibility into resource activity, preventing monitoring of service access or configuration changes.
  • SaaS Applications: Stopping logging removes visibility into user activities, such as email access or file downloads, enabling undetected malicious behavior.
Internal MISP references

UUID ec0612c5-2644-4c50-bcac-82586974fedd which can be used as unique global reference for Cloud Service Disable - DC0090 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0090

OS API Execution - DC0021

Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious.

Internal MISP references

UUID 9bde2f9d-a695-4344-bfac-f2dce13d121e which can be used as unique global reference for OS API Execution - DC0021 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0021

Network Share Access - DC0102

Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)

Internal MISP references

UUID f5468e67-51c7-4756-9b4f-65707708e7fa which can be used as unique global reference for Network Share Access - DC0102 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0102

Scheduled Job Modification - DC0012

Changes made to an existing scheduled job, including modifications to its execution parameters, command payload, or execution timing.

Internal MISP references

UUID faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b which can be used as unique global reference for Scheduled Job Modification - DC0012 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0012

User Account Metadata - DC0013

Contextual data about an account, which may include a username, user ID, environmental data, etc.

Internal MISP references

UUID b5d0492b-cda4-421c-8e51-ed2b8d85c5d0 which can be used as unique global reference for User Account Metadata - DC0013 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0013

Kernel Module Load - DC0031

The process of loading a kernel module into the operating system kernel. Kernel modules are object files that extend the kernel’s functionality, such as adding support for device drivers, new filesystems, or additional system calls. This action can be legitimate (e.g., loading a driver) or malicious (e.g., adding a rootkit).

Data Collection Measures:

  • Linux:
    • Auditd: Enable auditing of kernel module loading. Example rule: -a always,exit -F arch=b64 -S init_module,delete_module.
    • Syslog: Monitor /var/log/syslog or /var/log/messages for entries related to kernel module loads.
    • Systemd Journal: Use journalctl to query logs for module loading events: journalctl -k | grep "Loading kernel module"
  • macOS:
    • Unified Logs: Use the log command to query kernel module events: log show --predicate 'eventMessage contains "kextload"' --info
    • Endpoint Security Framework (ESF): Monitor for ES_EVENT_TYPE_AUTH_KEXTLOAD (kernel extension loading events).
  • Kernel-Specific Tools:
    • Lsmod: Use lsmod to list loaded kernel modules in real-time.
    • Kprobe/eBPF: Use extended Berkeley Packet Filter (eBPF) or Kernel Probes (kprobes) to monitor kernel events, including module loading. Example using eBPF tools like BCC: sudo python /path/to/bcc/tools/kprobe -v do_init_module
  • Enable EDR Monitoring:
    • Configure alerts for: Suspicious kernel module loads from non-standard paths (e.g., /tmp). Unexpected or unsigned kernel modules.
    • Review detailed telemetry data provided by the EDR for insight into who initiated the module load, the file path, and whether the module was signed.
Internal MISP references

UUID 23e4ee78-26f3-4fcf-ba43-ab953962f96c which can be used as unique global reference for Kernel Module Load - DC0031 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0031

User Account Creation - DC0014

The initial establishment of a new user, service, or machine account within an operating system, cloud environment, or identity management system.

Internal MISP references

UUID deb22295-7e37-4a3b-ac6f-c86666fbe63d which can be used as unique global reference for User Account Creation - DC0014 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0014

Firewall Rule Modification - DC0051

The creation, deletion, or alteration of firewall rules to allow or block specific network traffic. Monitoring changes to these rules is critical for detecting misconfigurations, unauthorized access, or malicious attempts to bypass network protections. Examples:

  • Rule Creation: Adding a new rule to allow inbound traffic on port 3389 (RDP).
  • Rule Deletion: Deleting a rule that blocks inbound traffic from untrusted IP ranges.
  • Rule Modification: Changing a rule to allow traffic from "any" source IP instead of a specific trusted range.
  • Audit Log Metadata: Logs indicating "Firewall rule modified by admin@domain.com."
  • Platform-Specific Scenarios
    • Azure: Altering rules in an Azure Network Security Group (NSG).
    • AWS: Modifying Security Group rules to allow traffic.
    • Windows: Changes tracked in Security Event Logs (EID 4950 or 4951).

This data component can be collected through the following measures:

Cloud Control Plane

  • Azure: Collect rule modification logs from Azure Firewall Activity Logs.
    • Example Command: az network firewall policy rule-collection-group rule-collection list --policy-name <policy-name>
  • AWS: Use CloudTrail to track AuthorizeSecurityGroupIngress or RevokeSecurityGroupIngress actions. Example: aws ec2 describe-security-groups
  • Google Cloud: Use gcloud commands to extract firewall rules: gcloud compute firewall-rules list --format=json

Host-Based Firewalls

  • Windows:
    • Collect events from the Windows Security Event Log (EID 4950: A rule has been modified).
    • Use PowerShell to track rule changes: Get-NetFirewallRule -PolicyStore PersistentStore
  • Linux:
    • Monitor iptables or nftables rule modifications: iptables -L -v
    • Use auditd for real-time monitoring: auditctl -w /etc/iptables.rules -p wa
  • macOS: Use pfctl to monitor rule changes: sudo pfctl -sr

SIEM Integration

  • Collect logs from cloud platforms, host systems, and network appliances for centralized monitoring.

API Monitoring

  • Monitor API calls for firewall rule modifications.
Internal MISP references

UUID d2ff4b56-8351-4ed8-b0fb-d8605366005f which can be used as unique global reference for Firewall Rule Modification - DC0051 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0051

Cloud Storage Enumeration - DC0017

Cloud Storage Enumeration involves retrieving a list of available cloud storage infrastructure, such as buckets, containers, or objects, within a cloud environment. This activity may be performed for legitimate administrative purposes or malicious reconnaissance by adversaries seeking to identify accessible storage resources.Examples:

  • AWS S3 Bucket Enumeration: An AWS user lists all buckets using the ListBuckets API call.
  • Azure Blob Storage Container Enumeration: A user retrieves a list of all containers within a storage account using the Azure Storage SDK or API.
  • Google Cloud Storage Bucket Enumeration: A Google Cloud user lists all buckets within a project using the storage.buckets.list API.
  • OpenStack Swift Container Enumeration: A user retrieves a list of containers in OpenStack Swift using the GET method on the storage endpoint.
Internal MISP references

UUID fcc4811f-9cc8-4db5-8097-4d8242a380de which can be used as unique global reference for Cloud Storage Enumeration - DC0017 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0017

Cloud Storage Deletion - DC0022

Cloud Storage Deletion refers to the removal or destruction of cloud storage infrastructure, such as buckets, containers, or directories, within a cloud environment. Monitoring this activity is critical to detecting potential unauthorized or malicious actions, such as data destruction by adversaries or accidental deletions that may lead to data loss. Examples:

  • AWS S3 Bucket Deletion: An AWS user deletes an S3 bucket using the DeleteBucket API call.
  • Azure Blob Storage Container Deletion: A user deletes a container in Azure Blob Storage using the Delete Container operation.
  • Google Cloud Storage Bucket Deletion: A Google Cloud user deletes a bucket using the storage.buckets.delete API.
  • OpenStack Swift Container Deletion: A user deletes a container in OpenStack Swift using the DELETE method.

This data component can be collected through the following measures:

Enable Logging for Cloud Storage Services

  • AWS S3: Enable AWS CloudTrail to log DeleteBucket API actions.
  • Azure Blob Storage: Enable Azure Monitor and Diagnostic Logs to capture Delete Container operations. Use Azure Event Grid to capture and trigger alerts for container deletion.
  • Google Cloud Storage: Enable Data Access logs in Cloud Audit Logs to monitor storage.buckets.delete API calls.
  • OpenStack Swift: Configure Swift logging to capture DELETE requests for containers.

Centralized Logging and Analysis

  • Use platforms like Splunk or native SIEMs to forward and analyze logs for anomalies in cloud storage deletions.
Internal MISP references

UUID 4c41e296-b8d2-4a37-b789-eb565c87c00c which can be used as unique global reference for Cloud Storage Deletion - DC0022 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0022

Cloud Storage Modification - DC0023

Cloud Storage Modification involves tracking changes made to cloud storage infrastructure, including updates to settings, permissions, or stored data. Examples include modifying object access control lists (ACLs), uploading new objects, or updating bucket policies. Examples:

AWS S3: An object is uploaded or its ACL is modified. - Azure Blob Storage: A blob's metadata or permissions are updated. - Google Cloud Storage: An object's lifecycle policy is updated, or a bucket policy is changed. - OpenStack Swift: Modifications to container settings or uploading of new objects.

Internal MISP references

UUID 45977f14-1bcc-4ec4-ac14-a30fd3a11f44 which can be used as unique global reference for Cloud Storage Modification - DC0023 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0023

Cloud Storage Creation - DC0024

Cloud Storage Creation refers to the initial creation of a new cloud storage resource, such as buckets, containers, or directories, within a cloud environment. This action is critical to track as it might indicate the legitimate provisioning of resources or unauthorized actions taken by adversaries to stage, store, or exfiltrate data. Examples:

  • AWS S3 Bucket Creation: An AWS user creates a new S3 bucket using the CreateBucket API call.
  • Azure Blob Storage Container Creation: A user creates a new container in Azure Blob Storage using the Create Container operation.
  • Google Cloud Storage Bucket Creation: A Google Cloud user creates a new bucket using storage.buckets.create.
  • OpenStack Swift Container Creation: A user creates a new container in OpenStack Swift using the PUT method.
Internal MISP references

UUID 59ec10d9-546b-4b8e-bccb-fa85f71e5055 which can be used as unique global reference for Cloud Storage Creation - DC0024 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0024

Cloud Storage Access - DC0025

Cloud storage access refers to the retrieval or interaction with data stored in cloud infrastructure. This data component includes activities such as reading, downloading, or accessing files and objects within cloud storage systems. Common examples include API calls like GetObject in AWS S3, which retrieves objects from cloud buckets. Examples:

  • AWS S3 Access: An adversary uses the GetObject API to retrieve sensitive data from an AWS S3 bucket.
  • Azure Blob Storage Access: A user accesses a blob in Azure Storage using Get Blob or Get Blob Properties.
  • Google Cloud Storage Access: An adversary uses storage.objects.get to download objects from - OpenStack Swift Storage Access: A user retrieves an object from OpenStack Swift using the GET method.
Internal MISP references

UUID 58ef998c-f3bf-4985-b487-b1005f5c05d1 which can be used as unique global reference for Cloud Storage Access - DC0025 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0025

Cloud Storage Metadata - DC0027

Cloud Storage Metadata provides contextual information about cloud storage infrastructure and its associated activity. This data may include attributes such as storage name, size, owner, permissions, creation date, region, and activity metadata. It is essential for monitoring, auditing, and identifying anomalies in cloud storage environments. Examples:

  • AWS S3 Bucket Metadata: Metadata about an S3 bucket includes the bucket name, region, creation date, owner, storage class, and permissions.
  • Azure Blob Storage Metadata: Metadata for an Azure Blob container includes container name, access level (e.g., private or public), size, and tags.
  • Google Cloud Storage Metadata: Metadata includes bucket name, storage class, location, labels, lifecycle policies, and versioning status.
  • OpenStack Swift Metadata: Metadata for a Swift container includes name, access level, quota, and custom attributes.
Internal MISP references

UUID e214eb6d-de8f-4154-9015-6d47915fbed1 which can be used as unique global reference for Cloud Storage Metadata - DC0027 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0027

Network Connection Creation - DC0082

The initial establishment of a network session, where a system or process initiates a connection to a local or remote endpoint. This typically involves capturing socket information (source/destination IP, ports, protocol) and tracking session metadata. Monitoring these events helps detect lateral movement, exfiltration, and command-and-control (C2) activities.

Data Collection Measures:

  • Windows:
    • Event ID 5156 – Filtering Platform Connection - Logs network connections permitted by Windows Filtering Platform (WFP).
    • Sysmon Event ID 3 – Network Connection Initiated - Captures process, source/destination IP, ports, and parent process.
  • Linux/macOS:
    • Netfilter (iptables), nftables logs - Tracks incoming and outgoing network connections.
    • AuditD (connect syscall) - Logs TCP, UDP, and ICMP connections.
    • Zeek (conn.log) - Captures protocol, duration, and bytes transferred.
  • Cloud & Network Infrastructure:
    • AWS VPC Flow Logs / Azure NSG Flow Logs - Logs IP traffic at the network level in cloud environments.
    • Zeek (conn.log) or Suricata (network events) - Captures packet metadata for detection and correlation.
  • Endpoint Detection & Response (EDR):
    • Detect anomalous network activity such as new C2 connections or data exfiltration attempts.
Internal MISP references

UUID 181a9f8c-c780-4f1f-91a8-edb770e904ba which can be used as unique global reference for Network Connection Creation - DC0082 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0082

Application Log Content - DC0038

Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications. These logs are vital for monitoring application behavior and detecting malicious activities or anomalies. Examples:

  • Web Application Logs: These logs include information about requests, responses, errors, and security events (e.g., unauthorized access attempts).
  • Email Application Logs: Logs contain metadata about emails sent, received, or blocked (e.g., sender/receiver addresses, message IDs).
  • SaaS Application Logs: Activity logs include user logins, configuration changes, and access to sensitive resources.
  • Cloud Application Logs: Logs detail control plane activities, including API calls, instance modifications, and network changes.
  • System/Application Monitoring Logs: Logs provide insights into application performance, errors, and anomalies.
Internal MISP references

UUID 9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa which can be used as unique global reference for Application Log Content - DC0038 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0038

Cloud Service Enumeration - DC0083

Cloud service enumeration involves listing or querying available cloud services in a cloud control plane. This activity is often performed to identify resources such as virtual machines, storage buckets, compute clusters, or other services within a cloud environment. Examples include API calls like AWS ECS ListServices, Azure ListAllResources, or Google Cloud ListInstances. Examples:

AWS Cloud Service Enumeration: The adversary gathers details about existing ECS services to identify opportunities for privilege escalation or exfiltration. - Azure Resource Enumeration: The adversary collects information about virtual machines, resource groups, and other Azure assets for reconnaissance purposes. - Google Cloud Resource Enumeration: The attacker seeks to map the environment and find misconfigured or underutilized resources for exploitation. - Office 365 Service Enumeration: The attacker may look for data repositories or collaboration tools to exfiltrate sensitive information.

Internal MISP references

UUID 8c826308-2760-492f-9e36-4f0f7e23bcac which can be used as unique global reference for Cloud Service Enumeration - DC0083 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0083

Named Pipe Metadata - DC0048

Contextual data about a named pipe on a system, including pipe name and creating process (ex: Sysmon EIDs 17-18)

Data Collection Measures:

  • Windows:
    • Sysmon Event ID 17: Logs the creation of a named pipe.
    • Sysmon Event ID 18: Logs connection attempts to a named pipe.
    • Windows Security Event ID 5145: Logs access attempts to named pipes via SMB shares.
    • ETW (Event Tracing for Windows): Provides deep telemetry into named pipe interactions.
  • Linux/macOS:
    • AuditD (mkfifo, open, read, write syscalls): Tracks FIFO (named pipe) creation and usage.
    • Lsof (lsof -p <PID> or lsof | grep PIPE): Lists active named pipes and associated processes.
    • Strace (strace -e open <process>): Monitors named pipe interactions.
  • Endpoint Detection & Response (EDR):
    • Capture named pipe events as part of process tracking.
  • Memory Forensics:
    • Volatility Plugin (pipescan): Enumerates named pipes in system memory.
    • Rekall Framework: Identifies active named pipes and associated processes.
Internal MISP references

UUID b9a1578e-8653-4103-be23-cb52e0b1816e which can be used as unique global reference for Named Pipe Metadata - DC0048 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0048

Network Traffic Content - DC0085

The full packet capture (PCAP) or session data that logs both protocol headers and payload content. This allows analysts to inspect command and control (C2) traffic, exfiltration, and other suspicious activity within network communications. Unlike metadata-based logs, full content analysis enables deeper protocol inspection, payload decoding, and forensic investigations.

Data Collection Measures:

  • Network Packet Capture (Full Content Logging)
    • Wireshark / tcpdump / tshark
      • Full packet captures (PCAP files) for manual analysis or IDS correlation. tcpdump -i eth0 -w capture.pcap
    • Zeek (formerly Bro)
      • Extracts protocol headers and payload details into structured logs. echo "redef Log::default_store = Log::ASCII;" > local.zeek | zeek -Cr capture.pcap local.zeek
    • Suricata / Snort (IDS/IPS with PCAP Logging)
      • Deep packet inspection (DPI) with signature-based and behavioral analysis. suricata -c /etc/suricata/suricata.yaml -i eth0 -l /var/log/suricata
  • Host-Based Collection
    • Sysmon Event ID 22 – DNS Query Logging, Captures DNS requests made by processes, useful for detecting C2 domains.
    • Sysmon Event ID 3 – Network Connection Initiated, Logs process-to-network connection relationships.
    • AuditD (Linux) – syscall=connect, Monitors outbound network requests from processes. auditctl -a always,exit -F arch=b64 -S connect -k network_activity
  • Cloud & SaaS Traffic Collection
    • AWS VPC Flow Logs / Azure NSG Flow Logs / Google VPC Flow Logs, Captures metadata about inbound/outbound network traffic.
    • Cloud IDS (AWS GuardDuty, Azure Sentinel, Google Chronicle), Detects malicious activity in cloud environments by analyzing network traffic patterns.
Internal MISP references

UUID 3772e279-27d6-477a-9fe3-c6beb363594c which can be used as unique global reference for Network Traffic Content - DC0085 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0085

Logon Session Creation - DC0067

The successful establishment of a new user session following a successful authentication attempt. This typically signifies that a user has provided valid credentials or authentication tokens, and the system has initiated a session associated with that user account. This data is crucial for tracking authentication events and identifying potential unauthorized access. Examples:

  • Windows Systems
    • Event ID: 4624
      • Logon Type: 2 (Interactive) or 10 (Remote Interactive via RDP).
      • Account Name: JohnDoe
      • Source Network Address: 192.168.1.100
      • Authentication Package: NTLM
  • Linux Systems
    • /var/log/utmp or /var/log/wtmp:
      • Log format: login user [tty] from [source_ip]
      • User: jane
      • IP: 10.0.0.5
      • Timestamp: 2024-12-28 08:30:00
  • macOS Systems
    • /var/log/asl.log or unified logging framework:
      • Log: com.apple.securityd: Authentication succeeded for user 'admin'
  • Cloud Environments
    • Azure Sign-In Logs:
      • Activity: Sign-in successful
      • Client App: Browser
      • Location: Unknown (Country: X)
  • Google Workspace
    • Activity: Login
      • Event Type: successful_login
      • Source IP: 203.0.113.55
Internal MISP references

UUID 9ce98c86-8d30-4043-ba54-0784d478d0b5 which can be used as unique global reference for Logon Session Creation - DC0067 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0067

Cloud Service Modification - DC0069

Cloud service modification refers to changes made to the configuration, settings, or data of a cloud service. These modifications can include administrative changes such as enabling or disabling features, altering permissions, or deleting critical components. Monitoring these changes is critical to detect potential misconfigurations or malicious activity. Examples:

  • AWS Cloud Service Modifications: A user disables AWS CloudTrail logging (StopLogging) or deletes a CloudWatch configuration rule (DeleteConfigRule).
  • Azure Cloud Service Modifications: Changes to Azure Role-Based Access Control (RBAC) roles, such as adding a new Contributor role to a sensitive resource.
  • Google Cloud Service Modifications: Deletion of a Google Cloud Storage bucket or disabling a Google Cloud Function.
  • Office 365 Cloud Service Modifications: Altering mailbox permissions or disabling auditing in Microsoft 365.
Internal MISP references

UUID e52d89f9-1710-4708-88a5-cbef77c4cd5e which can be used as unique global reference for Cloud Service Modification - DC0069 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0069

Network Traffic Flow - DC0078

Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring.

Internal MISP references

UUID a7f22107-02e5-4982-9067-6625d4a1765a which can be used as unique global reference for Network Traffic Flow - DC0078 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0078

Logon Session Metadata - DC0088

Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it

Internal MISP references

UUID 39b9db72-8b48-4595-a18d-db5bbba3091b which can be used as unique global reference for Logon Session Metadata - DC0088 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0088

Volume Metadata - DC0100

Contextual data about a cloud volume and activity around it, such as id, type, state, and size

Internal MISP references

UUID 0f72bf50-35b3-419d-ab95-70f9b6a818dd which can be used as unique global reference for Volume Metadata - DC0100 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0100

Process Modification - DC0020

Changes made to a running process, such as writing data into memory, modifying execution behavior, or injecting code into an existing process. Adversaries frequently modify processes to execute malicious payloads, evade detection, or gain escalated privileges.

Internal MISP references

UUID d5fca4e4-e47a-487b-873f-3d22f8865e96 which can be used as unique global reference for Process Modification - DC0020 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0020

Malware Metadata - DC0003

Contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information

Internal MISP references

UUID 93a6e38c-02a5-44d8-9035-b2e08459f31f which can be used as unique global reference for Malware Metadata - DC0003 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0003

Pod Modification - DC0030

Changes made to a pod’s configuration or control data within a containerized cluster. This can include updating settings such as resource limits, environment variables, annotations, labels, or even the containers running within the pod. Pod modifications are often executed using commands like kubectl set, kubectl patch, or kubectl edit.

Data Collection Measures:

  • Kubernetes API Server Audit Logs:
    • Capture all API calls related to pod modification, such as PATCH, PUT, or UPDATE methods on v1/pods.
  • Runtime Security Tools:
    • Tools like Falco, Sysdig, and Kube-bench can monitor pod modifications at runtime and alert on policy violations.
  • Container Orchestration Logs:
    • Monitor events logged by Kubernetes itself (e.g., kubectl logs -n kube-system kube-controller-manager).
  • SIEM and EDR Solutions:
    • Use SIEM platforms (e.g., Splunk) to aggregate API server logs and detect patterns of unauthorized or suspicious pod modifications.
    • Endpoint Detection and Response (EDR) tools configured with container visibility can monitor commands like kubectl set or kubectl patch.
  • Host-Based Monitoring:
    • Collect and analyze logs for processes executing kubectl commands or interacting with Kubernetes configuration files (e.g., .kube/config).
Internal MISP references

UUID 672b2ebd-4310-4efe-bf03-7ab005298a74 which can be used as unique global reference for Pod Modification - DC0030 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0030

File Deletion - DC0040

Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities.

Internal MISP references

UUID e905dad2-00d6-477c-97e8-800427abd0e8 which can be used as unique global reference for File Deletion - DC0040 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0040

Firmware Modification - DC0004

Changes made to firmware, which may include its settings, configurations, or underlying data. This can encompass alterations to the Master Boot Record (MBR), Volume Boot Record (VBR), or other firmware components critical to system boot and functionality. Such modifications are often indicators of adversary activity, including malware persistence and system compromise. Examples:

  • Changes to Master Boot Record (MBR): Modifying the MBR to load malicious code during the boot process.
  • Changes to Volume Boot Record (VBR): Altering the VBR to redirect boot processes to malicious locations.
  • Firmware Configuration Changes: Modifying BIOS/UEFI settings such as disabling Secure Boot.
  • Firmware Image Tampering: Updating firmware with a malicious or unauthorized image.
  • Logs or Errors Indicating Firmware Changes: Logs showing unauthorized firmware updates or checksum mismatches.

This data component can be collected through the following measures:

  • BIOS/UEFI Logs: Enable and monitor BIOS/UEFI logs to capture settings changes or firmware updates.
  • Firmware Integrity Monitoring: Use tools or firmware security features to detect changes to firmware components.
  • Endpoint Detection and Response (EDR) Solutions: Many EDR platforms can detect abnormal firmware activity, such as changes to MBR/VBR or unauthorized firmware updates.
  • File System Monitoring: Monitor changes to MBR/VBR-related files using tools like Sysmon or auditd.
    • Windows Example (Sysmon): Monitor Event ID 7 (Raw disk access).
    • Linux Example (auditd): auditctl -w /dev/sda -p wa -k firmware_modification
  • Network Traffic Analysis: Capture firmware updates downloaded over the network, particularly from untrusted sources. Use network monitoring tools like Zeek or Wireshark to analyze firmware-related traffic.
  • Secure Boot Logs: Collect and analyze Secure Boot logs for signs of tampering or unauthorized configurations. Example: Use PowerShell to retrieve Secure Boot settings on Windows: Confirm-SecureBootUEFI
  • Vendor-Specific Firmware Tools: Many hardware vendors provide tools for firmware integrity checks.Examples:
    • Intel Platform Firmware Resilience (PFR).
    • Lenovo UEFI diagnostics.
Internal MISP references

UUID b9d031bb-d150-4fc6-8025-688201bf3ffd which can be used as unique global reference for Firmware Modification - DC0004 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0004

Service Creation - DC0060

The registration of a new service or daemon on an operating system.

Data Collection Measures:

  • Windows Event Logs
    • Event ID 4697 - Captures the creation of a new Windows service.
    • Event ID 7045 - Captures services installed by administrators or adversaries.
    • Event ID 7034 - Could indicate malicious service modification or exploitation.
  • Sysmon Logs
    • Sysmon Event ID 1 - Process Creation (captures service executables).
    • Sysmon Event ID 4 - Service state changes (detects service installation).
    • Sysmon Event ID 13 - Registry modifications (captures service persistence changes).
  • PowerShell Logging
    • Monitor New-Service and Set-Service PowerShell cmdlets in Event ID 4104 (Script Block Logging).
  • Linux/macOS Collection Methods
    • AuditD & Syslog Daemon Logs (/var/log/syslog, /var/log/messages, /var/log/daemon.log)
    • AuditD Rules:
      • auditctl -w /etc/systemd/system -p wa -k service_creation
      • Detects changes to systemd service configurations.
  • Systemd Journals (journalctl -u <service_name>)
    • Captures newly created systemd services.
  • LaunchDaemons & LaunchAgents (macOS)
    • Monitor /Library/LaunchDaemons/ and /Library/LaunchAgents/ for new plist files.
Internal MISP references

UUID 5297a638-1382-4f0c-8472-0d21830bf705 which can be used as unique global reference for Service Creation - DC0060 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0060

WMI Creation - DC0008

Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or providers.

Internal MISP references

UUID 05645013-2fed-4066-8bdc-626b2e201dd4 which can be used as unique global reference for WMI Creation - DC0008 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0008

Instance Start - DC0080

The initiation or activation of a virtual machine instance within a cloud infrastructure. This action typically involves starting an existing instance that had been stopped or paused, allowing it to resume operation. Examples:

  • Google Cloud Platform (GCP): Starting an instance through instance.start API activity.
  • AWS: Logging of StartInstances in AWS CloudTrail for EC2 instances.
  • Azure: Microsoft.Compute/virtualMachines/start entries indicate a VM instance being started.
Internal MISP references

UUID f8213cde-6b3a-420d-9ab7-41c9af1a919f which can be used as unique global reference for Instance Start - DC0080 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0080

Malware Content - DC0011

Code, strings, signatures, and other identifying characteristics of a malicious payload stored within a malware repository. It includes both static (file-based) and dynamic (behavioral or execution-based) components that can be analyzed for threat intelligence, detection, and prevention purposes. Examples:

  • Static Analysis:
    • Executable Code: Analyze binary data to identify unique patterns, obfuscated code, or embedded resources.
    • Strings Extraction: Use tools like strings or YARA rules to identify hardcoded URLs, IPs, filenames, or suspicious function calls.
    • Signatures: Extract cryptographic hashes (MD5, SHA256) of files to track known malware variants or detect previously unseen samples.
  • Dynamic Analysis:
    • Behavioral Observations: Monitor execution traces to capture API calls, registry modifications, or network traffic patterns indicative of malicious behavior.
    • Memory Analysis: Examine memory dumps to uncover injected code or runtime-decrypted payloads.
    • Artifacts: Record file system changes, process creation events, and command-line arguments.
  • Threat Intelligence Integration:
    • Campaign Attribution: Associate observed code snippets or signatures with known APT campaigns or ransomware families.
    • Indicator Sharing: Share identified Indicators of Compromise (IOCs) with threat intelligence platforms (e.g., MISP, OpenCTI).
  • Examples of Malware Content:
    • Embedded C2 domains (e.g., malicious-domain.com hardcoded in the payload).
    • Fileless malware indicators, such as PowerShell scripts invoking Invoke-Mimikatz.
    • Malware-specific signatures, such as unique PE header values for a particular strain.

Data Collection Measures:

  • Collection from Public Malware Repositories:
    • VirusTotal: Obtain samples for static analysis.
    • Hybrid Analysis: Gather execution data from sandbox analysis.
    • Any.Run: Access interactive malware execution traces.
    • MalwareBazaar: Download malware samples for research and signature generation.
    • Automate data extraction using repository APIs (e.g., VirusTotal API for hash lookups or sample retrieval).
  • Internal Malware Labs:
    • Sandbox Environments: Use dynamic malware analysis tools such as Cuckoo Sandbox or Joe Sandbox to execute and monitor malware in a controlled environment. Capture runtime behavior logs, memory dumps, and file system changes.
    • Reverse Engineering: Disassemble binaries with tools like IDA Pro, Ghidra, or Radare2 to identify malicious functionality and extract code patterns.
  • EDR/Endpoint Telemetry:
    • Collect samples of malicious binaries or scripts from infected endpoints using tools like CrowdStrike, Carbon Black, or SentinelOne.
    • Extract memory-resident payloads from live systems for analysis.
  • Threat Intelligence Platforms:
    • Gather contextual metadata for identified malware using tools like OpenCTI, Recorded Future, or ThreatConnect. Participate in intelligence-sharing groups such as ISACs (e.g., FS-ISAC, IT-ISAC).
  • Custom Data Collection Pipelines: Use open-source tools like malwoverview or Maltrail to automate sample downloads, hash extraction, and IOC generation.
Internal MISP references

UUID 167b48f7-76e9-4fcb-9e8d-7121f7bf56c3 which can be used as unique global reference for Malware Content - DC0011 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0011

Domain Registration - DC0101

"Domain Name: Domain Registration" data component captures information about the assignment, ownership, and metadata of domain names. This information is often sourced from registries like WHOIS and includes details such as registrant names, contact information, registration dates, expiration dates, and registrar details. This data is invaluable for tracking domain ownership, detecting malicious domain registrations, and identifying trends in adversary behavior. Examples:

  • Registrant Information: WHOIS lookup of example.com
  • Registration and Expiration Dates: A domain registered a week before being used in phishing attacks.
  • Domain Status: Status codes like clientTransferProhibited or serverHold indicate domain restrictions or potential hijacking activity.
  • Name Server Information: Name servers point to a public DNS provider often associated with malicious campaigns.
  • Privacy Protection: A domain uses WHOIS privacy protection to hide registrant details.

This data component can be collected through the following measures:

  • WHOIS Services: Use tools or services to perform WHOIS lookups:
  • WHOIS APIs: Automate domain registration lookups with APIs:
  • Registrar Platforms: Directly query domain registrars (e.g., GoDaddy, Namecheap) for detailed registration data.
  • Threat Intelligence Platforms: Integrate domain registration data from services like Recorded Future, RiskIQ, or PassiveTotal for enriched analysis.
Internal MISP references

UUID ff9b665a-598b-4bcb-8b2a-a87566aa1256 which can be used as unique global reference for Domain Registration - DC0101 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0101

Cluster Metadata - DC0120

Contextual data about a cluster and activity around it such as name, namespace, age, or status

Internal MISP references

UUID fafaa705-ec08-4405-ac62-288c252e520d which can be used as unique global reference for Cluster Metadata - DC0120 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0120

Active DNS - DC0103

"Domain Name: Active DNS" data component captures queried DNS registry data that highlights current domain-to-IP address resolutions. This data includes both direct queries to DNS servers and records that provide mappings between domain names and associated IP addresses. It serves as a critical resource for tracking active infrastructure and understanding the network footprint of an organization or adversary. Examples:

  • DNS Query Example: nslookup example.com, dig example.com A
  • PTR Record Example: dig -x 192.168.1.1
  • Tracking Malicious Domains: DNS logs reveal repeated queries to suspicious domains like malicious-site.com. The IPs resolved by these domains may be indicators of compromise (IOCs).
  • DNS Record Types
    • A/AAAA Record: Maps domain names to IP addresses (IPv4/IPv6).
    • CNAME Record: Canonical name records, often used for redirects.
    • MX Record: Mail exchange records, used to route emails.
    • TXT Record: Can include security information like SPF or DKIM policies.
    • SOA Record: Start of authority record for domain management.
    • NS Record: Lists authoritative name servers for the domain.

This data component can be collected through the following measures:

  • System Utilities: Use built-in tools like nslookup, dig, or host on Linux, macOS, and Windows to perform active DNS queries.
  • DNS Logging
    • Windows DNS Server: Enable DNS Analytical Logging to capture DNS queries and responses.
    • Bind DNS: Enable query logging in the named.conf file.
  • Cloud Provider DNS Logging
    • AWS Route 53: Enable query logging through CloudWatch or S3:
    • Google Cloud DNS: Enable logging for Cloud DNS queries through Google Cloud Logging.
  • Network Traffic Monitoring: Use tools like Wireshark or Zeek to analyze DNS queries within network traffic.
  • Security Information and Event Management (SIEM) Integration: Aggregate DNS logs in a SIEM like Splunk to create alerts and monitor patterns.
  • Public OSINT Tools: Use OSINT platforms like VirusTotal, or PassiveTotal to collect information on domains and their associated IP addresses.
Internal MISP references

UUID 2e521444-7295-4dec-96c1-7595b2df7811 which can be used as unique global reference for Active DNS - DC0103 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0103

Response Content - DC0104

Captured network traffic that provides details about responses received during an internet scan. This data includes both protocol header values (e.g., HTTP status codes, IP headers, or DNS response codes) and response body content (e.g., HTML, JSON, or raw data). Examples:

  • HTTP Scan: A web server responds to a probe with an HTTP 200 status code and an HTML body indicating the default page is accessible.
  • DNS Scan: A DNS server replies to a query with a resolved IP address for a domain, along with details like Time-To-Live (TTL) and authoritative information.
  • TCP Banner Grab: A service listening on a port (e.g., SSH or FTP) responds with a banner containing service name, version, or other metadata.
Internal MISP references

UUID 0dcbbf4f-929c-489a-b66b-9b820d3f7f0e which can be used as unique global reference for Response Content - DC0104 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0104

Service Metadata - DC0041

Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.

Internal MISP references

UUID 74fa567d-bc90-425c-8a41-3c703abb221c which can be used as unique global reference for Service Metadata - DC0041 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0041

Image Creation - DC0015

Initial construction of a virtual machine image within a cloud environment. Virtual machine images are templates containing an operating system and installed applications, which can be deployed to create new virtual machines. Monitoring the creation of these images is important because adversaries may create custom images to include malicious software or misconfigurations for later exploitation. Examples:

  • Azure Compute Service Image Creation
    • Example: Creating a virtual machine image in Azure using Azure CLI: az image create --resource-group MyResourceGroup --name MyImage --source MyVM
  • AWS EC2 AMI (Amazon Machine Image) Creation
    • Example: Creating an AMI from an EC2 instance: aws ec2 create-image --instance-id i-1234567890abcdef0 --name "MyAMI" --description "An AMI for my app"
  • Google Cloud Compute Engine Image Creation
    • Example: Creating a custom image using gcloud: gcloud compute images create my-custom-image --source-disk my-disk --source-disk-zone us-central1-a
  • VMware vSphere
    • Example: Exporting a VM to create an OVF (Open Virtualization Format) template: This could later be imported into other environments with potential tampering.
Internal MISP references

UUID b008766d-f34f-4ded-b712-659f59aaed6e which can be used as unique global reference for Image Creation - DC0015 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0015

Group Metadata - DC0105

Group metadata includes attributes like name, permissions, purpose, and associated user accounts or roles, which adversaries may exploit for privilege escalation. Examples:

  • Active Directory: Get-ADGroup -Identity "Domain Admins" -Properties Members, Description
  • Azure AD: Get-AzureADGroup -ObjectId <GroupId>
  • Google Workspace: GET https://admin.googleapis.com/admin/directory/v1/groups/<groupKey>
  • AWS IAM: aws iam list-group-policies --group-name <group_name>
  • Office 365: GET https://graph.microsoft.com/v1.0/groups/<id>

Data Collection Measures:

  • Cloud Logging:
    • AWS CloudTrail for IAM group-related activities.
    • Azure AD Sign-In/Audit logs for metadata changes.
    • Google Admin Activity logs for API calls.
  • Directory Logging: Log metadata access (e.g., Windows Event ID 4662).
  • API Monitoring: Log API calls to modify group metadata (e.g., Microsoft Graph API).
  • SIEM Integration: Centralize group metadata logs for analysis.
Internal MISP references

UUID 8d8c7cac-94cf-4726-8989-cab33851168c which can be used as unique global reference for Group Metadata - DC0105 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0105

File Modification - DC0061

Changes made to a file, including updates to its contents, metadata, access permissions, or attributes. These modifications may indicate legitimate activity (e.g., software updates) or unauthorized changes (e.g., tampering, ransomware, or adversarial modifications). Examples:

  • Content Modifications: Changes to the content of a configuration file, such as modifying /etc/ssh/sshd_config on Linux or C:\Windows\System32\drivers\etc\hosts on Windows.
  • Permission Changes: Altering file permissions to allow broader access, such as changing a file from 644 to 777 on Linux or modifying NTFS permissions on Windows.
  • Attribute Modifications: Changing a file's attributes to hidden, read-only, or system on Windows.
  • Timestamp Manipulation: Adjusting a file's creation or modification timestamp using tools like touch in Linux or timestomping tools on Windows.
  • Software or System File Changes: Modifying system files such as boot.ini, kernel modules, or application binaries.
Internal MISP references

UUID 84572de3-9583-4c73-aabd-06ea88123dd8 which can be used as unique global reference for File Modification - DC0061 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0061

Module Load - DC0016

When a process or program dynamically attaches a shared library, module, or plugin into its memory space. This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components.

Internal MISP references

UUID c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1 which can be used as unique global reference for Module Load - DC0016 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0016

Response Metadata - DC0106

Contextual information about an Internet-facing resource collected during a scan, including details such as open ports, running services, protocols, and versions. This metadata is typically derived from interpreting scan results and helps build a profile of the targeted system. Examples:

  • Port and Service Details:
    • Open ports (e.g., 22, 80, 443).
    • Identified services running on those ports (e.g., SSH, HTTP, HTTPS).
  • Service Versions: Detected software version information (e.g., Apache 2.4.41, OpenSSH 8.2).
  • Operating System Information: OS fingerprinting data (e.g., Linux Kernel 5.4.0).
  • TLS/SSL Certificate Data: Information about the TLS/SSL certificate, such as the expiration date, issuer, and cipher suites.

Data Collection Measures:

  • Scanning Tools:
    • Nmap: Collects port, service, and version information using commands like nmap -sV .
    • Masscan: High-speed scanning tool for discovering open ports and active services.
    • Zmap: Focused on large-scale Internet scanning, collecting metadata about discovered services.
    • Shodan API: Retrieves scan metadata for publicly exposed devices and services.
  • Network Logs:
    • Use logs from firewalls, intrusion detection systems (IDS), or intrusion prevention systems (IPS) to gather metadata from scan attempts. Example: Zeek or Suricata logs for incoming scan traffic.
  • OSINT Platforms: Platforms like Censys, GreyNoise, or Shodan provide aggregated metadata about Internet-facing resources.
  • Cloud Metadata Services: AWS Security Hub, Azure Monitor, or GCP Security Command Center can collect and centralize scan-related metadata for Internet-facing resources in cloud environments.
Internal MISP references

UUID 1067aa74-5796-4d9b-b4f1-a4c9eb6fd9da which can be used as unique global reference for Response Metadata - DC0106 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0106

Instance Deletion - DC0081

Removal of a virtual machine (VM) or compute instance within a cloud infrastructure. This activity results in the termination and deletion of the allocated resources (e.g., CPU, memory, storage), making the instance unavailable for future use. Examples:

  • AWS: instance deletion involves the TerminateInstances API call, which is recorded in CloudTrail logs.
  • Azure: VM deletion can be monitored via Azure Activity Logs, showing the Microsoft.Compute/virtualMachines/delete operation.
  • GCP: instance deletion is logged as an instance.delete operation within GCP Audit Logs.
Internal MISP references

UUID 7561ed50-16cb-4826-82c7-c1ddca61785e which can be used as unique global reference for Instance Deletion - DC0081 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0081

Host Status - DC0018

Logging, messaging, and other artifacts that highlight the health and operational state of host-based security sensors, such as Endpoint Detection and Response (EDR) agents, antivirus software, logging services, and system monitoring tools. Monitoring sensor health is essential for detecting misconfigurations, sensor failures, tampering, or deliberate security control evasion by adversaries.

Data Collection Measures:

  • Windows Event Logs:
    • Event ID 1074 (System Shutdown): Detects unexpected system reboots/shutdowns.
    • Event ID 6006 (Event Log Stopped): Logs when Windows event logging is stopped.
    • Event ID 16 (Sysmon): Detects configuration state changes that may indicate log tampering.
    • Event ID 12 (Windows Defender Status Change) – Detects changes in Windows Defender state.
  • Linux/macOS Monitoring:
    • /var/log/syslog, /var/log/auth.log, /var/log/kern.log
    • Journald (journalctl) for kernel and system alerts.
  • Endpoint Detection and Response (EDR) Tools:
    • Monitor agent health status, detect sensor tampering, and alert on missing telemetry.
  • Mobile Threat Intelligence Logs:
    • Samsung Knox, SafetyNet, iOS Secure Enclave provide sensor health status for mobile endpoints.
Internal MISP references

UUID 85a533a4-5fa4-4dba-b45d-f0717bedd6e6 which can be used as unique global reference for Host Status - DC0018 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0018

Container Enumeration - DC0091

"Container Enumeration" data component captures events and actions related to listing and identifying active or available containers within a containerized environment. This includes information about running, stopped, or configured containers, such as their names, IDs, statuses, or associated images. Monitoring this activity is crucial for detecting unauthorized discovery or reconnaissance efforts. Examples:

  • Docker Example: docker ps, docker ps -a
  • Kubernetes Example: kubectl get pods, kubectl get deployments
  • Cloud Container Services Example
    • AWS ECS: API Call: ListTasks or ListContainers
    • Azure Kubernetes Service: API Call: List pod or container instances.
    • Google Kubernetes Engine (GKE): API Call: Retrieve deployments and their associated containers.
Internal MISP references

UUID 91b3ed33-d1b5-4c4b-a896-76c55eb3cfd8 which can be used as unique global reference for Container Enumeration - DC0091 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0091

Pod Creation - DC0019

The initial deployment or instantiation of a new pod in a containerized environment. This includes creating a pod manually, through orchestration tools (Kubernetes), or via Infrastructure-as-Code (IaC) configurations. A Pod is the smallest deployable unit in Kubernetes, typically containing one or more containers. Creation methods include: - Direct pod deployment (kubectl run, kubectl apply) - Automated deployment via CI/CD pipelines (e.g., ArgoCD, Jenkins, GitOps) - Infrastructure-as-Code (IaC) templates (e.g., Terraform, Helm Charts) - API-based deployments via Kubernetes control plane (create_pod API calls) - Pods can be ephemeral (short-lived) or persistent (part of a StatefulSet or Deployment).

Data Collection Measures:

  • Kubernetes Audit Logs
    • Captures all API requests, including pod create events.
  • Kube-api server Logs
    • Monitors API calls related to pod deployments and modifications. Related Events: PodSandboxChanged, SyncLoop, Created pod
  • Container Runtime Logs
    • Logs from CRI-O, containerd, or Docker capture pod creation events. Related Events: container start, container create
  • Cloud Provider Logs
    • GKE, EKS, AKS logs provide insights into Kubernetes API interactions.
  • SIEM & Log Aggregation
    • Integrates Kubernetes logs into SIEM solutions.
  • EDR/XDR Solutions
    • Monitors container-based activity for anomalous pod creations.
Internal MISP references

UUID 5263cb33-08cc-4a68-820f-004e1e400d76 which can be used as unique global reference for Pod Creation - DC0019 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0019

Process Creation - DC0032

Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts..

Internal MISP references

UUID 3d20385b-24ef-40e1-9f56-f39750379077 which can be used as unique global reference for Process Creation - DC0032 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0032

Drive Creation - DC0042

The activity of assigning a new drive letter or creating a mount point for a data storage device, such as a USB, network share, or external hard drive, enabling access to its content on a host system. Examples:

  • USB Drive Insertion: A USB drive is plugged in and automatically assigned the letter E:\ on a Windows machine.
  • Network Drive Mapping: A network share \\server\share is mapped to the drive Z:\.
  • Virtual Drive Creation: A virtual disk is mounted on /mnt/virtualdrive using an ISO image or a virtual hard disk (VHD).
  • Cloud Storage Mounting: Google Drive is mounted as G:\ on a Windows machine using a cloud sync tool.
  • External Storage Integration: An external HDD or SSD is connected and assigned /mnt/external on a Linux system..
Internal MISP references

UUID 3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f which can be used as unique global reference for Drive Creation - DC0042 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0042

Social Media - DC0052

Established, compromised, or otherwise acquired by adversaries to conduct reconnaissance, influence operations, social engineering, or other cyber threats.

Data Collection Measures:

  • API Monitoring
    • Social media APIs (e.g., Twitter API, Facebook Graph API) can extract behavioral patterns of accounts.
  • Web Scraping
    • Extracts public profile data, friend lists, or interactions to identify impersonation attempts.
  • Threat Intelligence Feeds
    • External feeds track malicious personas linked to disinformation campaigns or phishing.
  • OSINT Tools
    • Maltego, SpiderFoot, and OpenCTI can map social media persona relationships.
  • Endpoint Detection
    • EDR logs user behavior and alerts on suspicious social media interactions.
  • SIEM Logging
    • Detects access to known phishing pages or social media abuse via proxy logs.
  • Dark Web Monitoring
    • Identifies compromised social media credentials being sold.
Internal MISP references

UUID 8fb2f315-1aca-4cef-ae0d-8105e1f95985 which can be used as unique global reference for Social Media - DC0052 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0052

Image Deletion - DC0026

Removal of a virtual machine image in a cloud infrastructure (ex: Azure Compute Service Images DELETE) Examples:

  • Azure Compute Service Image Deletion
    • Example: Deleting a virtual machine image using Azure CLI: az image delete --name MyImage --resource-group MyResourceGroup
  • AWS EC2 AMI (Amazon Machine Image) Deletion
    • Example: Deregistering an AMI in AWS: aws ec2 deregister-image --image-id ami-1234567890abcdef0
  • Google Cloud Compute Engine Image Deletion
    • Example: Deleting a custom image in Google Cloud: gcloud compute images delete my-custom-image
  • VMware vSphere
    • Example: Deleting a VM image/template from a vSphere environment:

This data component can be collected through the following measures:

Enable Cloud Platform Logging

  • Azure: Enable "Activity Logs" to capture DELETE requests to Microsoft.Compute/images.
  • AWS: Use AWS CloudTrail to monitor DeregisterImage or DeleteSnapshot API calls.
  • Google Cloud: Enable "Cloud Audit Logs" to track image deletion events under compute.googleapis.com/images.

API Monitoring

  • Monitor API activity to track the deletion of images using:
    • AWS SDK/CLI DeregisterImage or DeleteSnapshot.
    • Azure REST API DELETE operations for images.
    • Google Cloud Compute Engine APIs for image deletion.

Cloud SIEM Integration

  • Ingest logs into a centralized SIEM platform for monitoring and alerting:

Event Correlation

  • Correlate image deletion events with unusual account activity or concurrent unauthorized operations.
Internal MISP references

UUID 8b4ca854-ac08-47da-b24f-601b28a39aff which can be used as unique global reference for Image Deletion - DC0026 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0026

Snapshot Metadata - DC0062

Contextual data about a snapshot, which may include information such as ID, type, and status

Internal MISP references

UUID 8bc66f94-54a9-4be4-bdd1-fe90df643774 which can be used as unique global reference for Snapshot Metadata - DC0062 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0062

Container Creation - DC0072

"Container Creation" data component captures details about the initial construction of a container in a containerized environment. This includes events where a new container is instantiated, such as through Docker, Kubernetes, or other container orchestration platforms. Monitoring these events helps detect unauthorized or potentially malicious container creation. Examples:

  • Docker Example: docker create my-container, docker run --name=my-container nginx:latest
  • Kubernetes Example: kubectl run my-pod --image=nginx, kubectl create deployment my-deployment --image=nginx
  • Cloud Container Services Example
    • AWS ECS: Task or service creation (RunTask or CreateService).
    • Azure Container Instances: Deployment of a container group.
    • Google Kubernetes Engine (GKE): Creation of new pods via GCP APIs.
Internal MISP references

UUID a5ae90ca-0c4b-481c-959f-0eb18a7ff953 which can be used as unique global reference for Container Creation - DC0072 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0072

Image Metadata - DC0028

contextual information associated with a virtual machine image, such as its name, resource group, status (active or inactive), type (custom or prebuilt), size, creation date, and permissions. This metadata is critical for understanding the state and configuration of virtual machine images in cloud environments. Examples:

  • Azure Compute Service Image Metadata Example:
    • Name: MyCustomImage
    • Resource Group: MyResourceGroup
    • State: Available
    • Type: Managed Image
  • AWS EC2 AMI Metadata Example:
    • Image ID: ami-1234567890abcdef0
    • Name: ProdImage
    • State: Available
    • Platform: Windows
  • Google Cloud Compute Engine Image Metadata Example:
    • Image Name: webserver-image
    • Project: my-project-id
    • Family: webserver
    • Source Disk: my-disk-id
  • VMware vSphere Template Metadata Example:
    • Name: LinuxTemplate
    • Disk Size: 40GB
    • Network Adapter: VM Network
Internal MISP references

UUID b597a220-6510-4397-b0d8-342cd2c58827 which can be used as unique global reference for Image Metadata - DC0028 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0028

Script Execution - DC0029

The execution of a text file that contains code via the interpreter.

Internal MISP references

UUID 9f387817-df83-432a-b56b-a8fb7f71eedd which can be used as unique global reference for Script Execution - DC0029 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0029

Volume Modification - DC0092

Changes made to a cloud volume, including its settings and control data (ex: AWS modify-volume)

Internal MISP references

UUID d46272ce-a0fe-4256-855e-738de7bb63ee which can be used as unique global reference for Volume Modification - DC0092 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0092

Process Termination - DC0033

The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls.

Internal MISP references

UUID 61f1d40e-f3d0-4cc6-aa2d-937b6204194f which can be used as unique global reference for Process Termination - DC0033 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0033

Firewall Disable - DC0043

The deactivation, misconfiguration, or complete stoppage of firewall services, either on a host or in a cloud control plane. Such activity may involve turning off firewalls, modifying rules to disable protection, or deleting firewall-related configurations and activity logs. Examples:

  • Disabling Host-Based Firewalls: Stopping the Windows Defender Firewall service or using iptables -F to flush all rules on a Linux system.
  • Cloud Firewall Modification or Deactivation: Modifying or deleting security group rules in AWS or disabling a network firewall in Azure.
  • Activity Log Deletion: Writing or deleting entries in Azure Firewall Activity Logs to hide unauthorized firewall changes.
  • Temporary Disable for Malicious Operations: Temporarily disabling a firewall to allow malicious files or traffic, then re-enabling it to avoid detection.
  • Using Command-Line Tools to Stop Firewalls: Running commands like Set-NetFirewallProfile -Enabled False on Windows or systemctl stop ufw on Linux.

This data component can be collected through the following measures:

Cloud Control Plane

  • Azure Activity Logs:
    • Enable logging of administrative actions, such as stopping or modifying Azure Firewall configurations.
    • Use Azure Monitor to track specific firewall-related actions, including disabling or rule deletion.
  • AWS CloudTrail Logs:
    • Monitor RevokeSecurityGroupIngress or RevokeSecurityGroupEgress events to detect rule changes in AWS Security Groups.
  • Google Cloud Platform Logs:
    • Collect logs from the Firewall Rules resource in Google Cloud Operations Suite to detect rule deletions or modifications.

Host-Level Firewalls

  • Windows Firewall Event Logs:
    • Enable logging of firewall state changes:
      • Security Event ID 2004: Firewall service stopped.
      • Security Event ID 2005: Firewall service started.
    • Use Sysmon for process creation events tied to firewall commands or scripts (Sysmon Event ID 1).
  • Linux Firewall Logs: Use auditd to track commands like iptables, firewalld, or ufw: auditctl -a always,exit -F arch=b64 -S execve -k firewall_disable
  • macOS Firewall: Monitor changes to the macOS Application Firewall using the log show command.

Network-Level Monitoring

  • IDS/IPS Alerts: Deploy IDS/IPS systems to monitor abnormal traffic flows that could indicate firewall disablement.
  • NetFlow Data: Analyze NetFlow or packet capture data for traffic patterns inconsistent with firewall enforcement.

SIEM and CSPM Tools

  • SIEM Integration: Use tools like Splunk or QRadar to centralize and analyze firewall disablement events from both hosts and cloud platforms.
  • Cloud Security Posture Management (CSPM): Use CSPM solutions to monitor misconfigurations and track deactivation of critical cloud services like firewalls.
Internal MISP references

UUID c97d0171-f6e0-4415-85ff-4082fdb8c72a which can be used as unique global reference for Firewall Disable - DC0043 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0043

Process Metadata - DC0034

Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.

Internal MISP references

UUID ee575f4a-2d4f-48f6-b18b-89067760adc1 which can be used as unique global reference for Process Metadata - DC0034 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0034

Process Access - DC0035

Refers to an event where one process attempts to open another process, typically to inspect or manipulate its memory, access handles, or modify execution flow. Monitoring these access attempts can provide valuable insight into both benign and malicious behaviors, such as debugging, inter-process communication (IPC), or process injection.

Data Collection Measures:

  • Endpoint Detection and Response (EDR) Tools:
    • EDR solutions that provide telemetry on inter-process access and memory manipulation.
  • Sysmon (Windows):
    • Event ID 10: Captures process access attempts, including:
      • Source process (initiator)
      • Target process (victim)
      • Access rights requested
      • Process ID correlation
  • Windows Event Logs:
    • Event ID 4656 (Audit Handle to an Object): Logs access attempts to system objects.
    • Event ID 4690 (Attempted Process Modification): Can help identify unauthorized process changes.
  • Linux/macOS Monitoring:
    • AuditD: Monitors process access through syscall tracing (e.g., ptrace, open, read, write).
    • eBPF/XDP: Used for low-level monitoring of kernel process access.
    • OSQuery: Query process access behavior via structured SQL-like logging.
  • Procmon (Process Monitor) and Debugging Tools:
    • Windows Procmon: Captures real-time process interactions.
    • Linux strace / ptrace: Useful for tracking process behavior at the system call level.
Internal MISP references

UUID 1887a270-576a-4049-84de-ef746b2572d6 which can be used as unique global reference for Process Access - DC0035 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0035

Firewall Metadata - DC0053

Contextual information about firewalls, including their configurations, policies, status, and other details such as names and associated rules. This metadata provides valuable insights into the operational state and configurations of firewalls, both in cloud control planes and host systems. Examples:

  • Firewall Name and Configuration: The name, type, and purpose of a firewall such as "Azure Firewall - Production Environment."
  • Policy Details: Capturing firewall policy details, such as "Allow inbound TCP 443 to web servers."
  • Firewall Status: Status indicators like "Active," "Disabled," or "Pending Updates."
  • Audit Log Metadata: Log entries showing administrative changes, such as "Policy modified by admin@domain.com."
  • Rules Associated with Firewalls: Rules specifying source/destination IP ranges, protocols, and ports.
  • Tagging Information: Tags like "Environment: Production" or "Owner: NetworkOps."

This data component can be collected through the following measures:

Cloud Control Plane

  • Azure: Use Azure Activity Logs and Network Watcher to collect metadata for Azure Firewall.
    • Example: az network firewall show --name <firewall-name>
  • AWS: Use AWS CloudTrail and describe commands: aws ec2 describe-security-groups
  • Google Cloud: Use gcloud commands to extract metadata: gcloud compute firewall-rules list --format=json

Host-Based Firewalls

  • Windows: Use PowerShell to gather metadata: Get-NetFirewallRule -PolicyStore PersistentStore
  • Linux: Query iptables or nftables rulesets: iptables -S
  • macOS: Use pfctl to extract metadata: sudo pfctl -sr

SIEM Integration

  • Collect logs from cloud platforms, host systems, and network appliances.

API Monitoring

  • Monitor API calls for metadata requests. Example (AWS): Capture DescribeSecurityGroups or DescribeNetworkAcls calls via CloudTrail.

Endpoint Detection and Response (EDR)

  • Use EDR solutions to monitor firewall management tools for configuration changes or queries.
Internal MISP references

UUID 746f095a-f84c-4ccc-90a5-c7caa5c100a2 which can be used as unique global reference for Firewall Metadata - DC0053 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0053

Image Modification - DC0036

Changes made to a virtual machine image, including setting and/or control data (ex: Azure Compute Service Images PATCH)

Internal MISP references

UUID 071a09b1-8945-46fd-8bb7-6bcc89400963 which can be used as unique global reference for Image Modification - DC0036 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0036

Pod Enumeration - DC0037

Extracting a list of running or existing pods within a containerized cluster environment. Pods are the smallest deployable units in a Kubernetes cluster and typically represent an application or workload. Enumeration of pods provides insight into the structure and state of applications running in the cluster, such as the names of pods, their namespaces, and their associated metadata.

Data Collection Measures:

  • Kubernetes API Server Audit Logs:
    • Enable Audit Logging in Kubernetes to capture API requests, such as GET /api/v1/pods.
  • Container Runtime Logs:
    • Collect runtime-level logs from tools like CRI-O, containerd, or Docker, which might show relevant API calls for pod enumeration.
  • EDR and SIEM:
    • Endpoint Detection and Response (EDR) tools, if configured with cluster-level visibility, can monitor user commands like kubectl get pods.
    • SIEM platforms (e.g., Splunk) can ingest Kubernetes API logs to detect enumeration patterns.
  • Host-Based Monitoring:
    • Monitor processes and commands executed on nodes where kubectl is installed using tools like auditd, Sysmon for Linux, or kernel modules.
Internal MISP references

UUID 07688e40-a7fa-4436-937f-1216674341a0 which can be used as unique global reference for Pod Enumeration - DC0037 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0037

Instance Modification - DC0073

Changes made to a virtual machine (VM) or compute instance, including alterations to its configuration, metadata, attached policies, or operational state. Such modifications can include updating metadata, attaching or detaching resource policies, resizing instances, or modifying network configurations. Examples:

  • AWS: instance modifications include API actions like ModifyInstanceAttribute, ModifyInstanceMetadataOptions, or RebootInstances.
  • Azure: modifications can be tracked through operations like Microsoft.Compute/virtualMachines/write.
  • GCP: instance modification events include operations like instances.setMetadata, instances.addResourcePolicies, or instances.resize.

Data Collection Measures:

  • AWS CloudTrail: Log Location: Stored in S3 or forwarded to CloudWatch.
  • Azure Activity Logs: Log Location: Accessible via Azure Monitor or exported to a storage account.
  • GCP Audit Logs: Log Location: Logs Explorer or BigQuery.
Internal MISP references

UUID 45d0ff14-b9c4-41f5-8603-156657c20b75 which can be used as unique global reference for Instance Modification - DC0073 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0073

File Creation - DC0039

A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs).

Internal MISP references

UUID 2b3bfe19-d59a-460d-93bb-2f546adc2d2c which can be used as unique global reference for File Creation - DC0039 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0039

Certificate Registration - DC0093

Certificate Registration refers to the collection and analysis of information about digital certificates, including current, revoked, and expired certificates. Sources such as Certificate Transparency logs and other public resources provide visibility into certificates issued for specific domains or organizations. Monitoring certificate registrations can help identify potential misuse, such as unauthorized certificates or signs of adversary reconnaissance. Examples:

  • Certificate Transparency Logs: These logs record the issuance of SSL/TLS certificates by trusted Certificate Authorities (CAs).
  • Revoked Certificates: Information about certificates that have been invalidated before their expiration date.
  • Expired Certificates: Reports of expired certificates for a domain, which may indicate lax security practices or opportunities for adversaries to exploit expired credentials.
  • Domain Monitoring for Certificates: Maps SSL/TLS certificates to domains and subdomains, helping to identify any rogue certificates.
  • Public Certificate Directories: Services providing APIs to query issued certificates for analysis.

This data component can be collected through the following measures:

Use Certificate Transparency Monitors

  • Tools like crt.sh, CertStream, or APIs provided by certificate authorities (CAs) allow you to monitor issued certificates in real-time.
  • Example: Use CertStream to stream certificate issuance logs and filter for domains of interest.

Analyze Certificate Revocation Sources

  • Monitor CRLs or query OCSP responders to detect revoked certificates.
  • Configure tools like OpenSSL or browsers to validate certificate revocation status automatically.

Leverage Public Scanning Tools

  • Use tools such as SSL Labs, Censys, or Shodan to scan for certificate details related to your domain or network.

Automate Certificate Monitoring

  • Set up automated scripts or services to parse Certificate Transparency logs for anomalies.
  • Example: Automate searches on crt.sh to identify certificates issued for typo-squatted domains.

Integrate with Threat Intelligence

  • Enrich certificate data with threat intelligence feeds to detect connections to known adversary-controlled infrastructure.
  • Tools like VirusTotal can identify malicious certificates based on associated indicators.
Internal MISP references

UUID 1dad5aa4-4bb5-45e4-9e42-55d40003cfa6 which can be used as unique global reference for Certificate Registration - DC0093 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0093

Firewall Enumeration - DC0044

Querying and extracting a list of available firewalls or their associated configurations and rules. This activity can occur across host systems and cloud control planes, providing insight into the state and configuration of firewalls that protect the environment. Examples:

  • Querying Host-Based Firewalls: Using Windows PowerShell commands like Get-NetFirewallRule or Linux commands such as iptables -L or firewalld --list-all.
  • Cloud Firewall Rule Listing: Running commands like az network firewall list for Azure or aws ec2 describe-security-groups for AWS.
  • Using Management APIs: Leveraging APIs like Google Cloud Firewall's list API method or AWS's DescribeSecurityGroups API. Identifying Misconfigurations: Extracting firewall rules to identify “allow all” policies or rules that lack logging.
  • Enumerating with CLI Tools: Using CLI commands like gcloud compute firewall-rules list to extract firewall settings in Google Cloud.
Internal MISP references

UUID bf91faa8-0049-4870-810a-4df55e0b77ee which can be used as unique global reference for Firewall Enumeration - DC0044 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0044

Drive Access - DC0054

Refers to the act of accessing a data storage device, such as a hard drive, SSD, USB, or network-mounted drive. This data component logs the opening or mounting of drives, capturing activities such as reading, writing, or executing files within an assigned drive letter (e.g., C:\, /mnt/drive) or mount point. Examples:

  • Removable Drive Insertion: A USB drive is inserted, assigned the letter F:\, and files are accessed.
  • Network Drive Mounting: A network share \\server\share is mapped to the drive Z:\.
  • External Hard Drive Access: An external drive is connected, mounted at /mnt/backup, and accessed for copying files.
  • System Volume Access: The system volume C:\ is accessed for modifications to critical files.
  • Cloud-Synced Drives: Cloud storage drives like OneDrive or Google Drive are accessed via local mounts.
Internal MISP references

UUID 73ff2dcc-24b1-4368-b9dc-706dd9e68354 which can be used as unique global reference for Drive Access - DC0054 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0054

Command Execution - DC0064

Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as cmd.exe, bash, zsh, PowerShell, or programmatic execution. Examples:

  • Windows Command Prompt
    • dir – Lists directory contents.
    • net user – Queries or manipulates user accounts.
    • tasklist – Lists running processes.
  • PowerShell
    • Get-Process – Retrieves processes running on a system.
    • Set-ExecutionPolicy – Changes PowerShell script execution policies.
    • Invoke-WebRequest – Downloads remote resources.
  • Linux Shell
    • ls – Lists files in a directory.
    • cat /etc/passwd – Reads the user accounts file.
    • curl http://malicious-site.com – Retrieves content from a malicious URL.
  • Container Environments
    • docker exec – Executes a command inside a running container.
    • kubectl exec – Runs commands in Kubernetes pods.
  • macOS Terminal
    • open – Opens files or URLs.
    • dscl . -list /Users – Lists all users on the system.
    • osascript -e – Executes AppleScript commands.
Internal MISP references

UUID 685f917a-e95e-4ba0-ade1-c7d354dae6e0 which can be used as unique global reference for Command Execution - DC0064 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0064

Drive Modification - DC0046

The alteration of a drive letter, mount point, or other attributes of a data storage device, which could involve reassignment, renaming, permissions changes, or other modifications. Examples:

  • Drive Letter Reassignment: A USB drive previously assigned E:\ is reassigned to D:\ on a Windows machine.
  • Mount Point Change: On a Linux system, a mounted storage device at /mnt/external is moved to /mnt/storage.
  • Drive Permission Changes: A shared drive's permissions are modified to allow write access for unauthorized users or processes.
  • Renaming of a Drive: A network drive labeled "HR_Share" is renamed to "Shared_Resources."
  • Modification of Cloud-Integrated Drives: A cloud storage mount such as Google Drive is modified to sync only specific folders.

This data component can be collected through the following measures:

Windows Event Logs

  • Relevant Events:
    • Event ID 98: Indicates changes to a volume (e.g., drive letter reassignment).
    • Event ID 1006: Logs permission modifications or changes to removable storage.
  • Configuration: Enable "Storage Operational Logs" in the Event Viewer: Applications and Services Logs > Microsoft > Windows > Storage-Tiering > Operational

Linux System Logs

  • Auditd Configuration: Add audit rules to track changes to mounted drives: auditctl -w /mnt/ -p w -k drive_modification
  • Command-Line Monitoring: Use dmesg or journalctl to observe drive modifications.

macOS System Logs

  • Unified Logs: Collect mount or drive modification events: log show --info | grep "Volume modified"
  • Command-Line Monitoring: Use diskutil to track changes:

Endpoint Detection and Response (EDR) Tools

  • Configure policies in EDR solutions to monitor and log changes to drive configurations or attributes.

SIEM Tools

  • Aggregate logs from multiple systems into a centralized platform like Splunk to correlate events and alert on suspicious drive modification activities.
Internal MISP references

UUID 4dcd8ba3-2075-4f8b-941e-39884ffaac08 which can be used as unique global reference for Drive Modification - DC0046 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0046

Driver Metadata - DC0074

to contextual data about a driver, including its attributes, functionality, and activity. This can involve details such as the driver's origin, integrity, cryptographic signature, issues reported during its use, and runtime behavior. Examples include metadata captured during driver integrity checks, hash validation, or error reporting. Examples:

  • Driver Signature Validation: A driver is validated to ensure it is signed by a trusted Certificate Authority (CA).
  • Driver Hash Verification: The hash of a driver is compared to a known good hash stored in a database.
  • Driver Compatibility Issues: A driver error is logged due to compatibility issues with a particular version of the operating system.
  • Vulnerable Driver Identification: Metadata indicates the driver version is outdated or contains a known vulnerability.
  • Monitoring Driver Integrity: Drivers are monitored for any unauthorized modifications to their binary or associated files.

This data component can be collected through the following measures:

Windows

  • Windows Event Logs:
    • Event ID 3000-3006: Logs metadata about driver signature validation.
    • Event ID 2000-2011 (Windows Defender Application Control): Tracks driver integrity and policy enforcement.
  • Sysmon Logs: Configure Sysmon to capture driver loading metadata (Event ID 6).
  • Driver Verifier: Use Driver Verifier to collect diagnostic and performance data about drivers, including stability and compatibility metrics.
  • PowerShell: Use commands to retrieve metadata about installed drivers: Get-WindowsDriver -Online | Select-Object Driver, ProviderName, Version

Linux

  • Auditd: Configure audit rules to monitor driver interactions and collect metadata: auditctl -w /lib/modules/ -p rwxa -k driver_metadata
  • dmesg: Use dmesg to extract kernel logs with driver metadata: dmesg | grep "module"
  • lsmod and modinfo: Commands to list loaded modules and retrieve metadata about drivers: lsmod | modinfo <module_name>

macOS

  • Unified Logs: Collect metadata from system logs about kernel extensions (kexts): log show --predicate 'eventMessage contains "kext load"' --info
  • kextstat: Command to retrieve information about loaded kernel extensions: kextstat

SIEM Tools

  • Ingest Driver Metadata: Collect driver metadata logs from Sysmon, Auditd, or macOS logs into SIEMs like Splunk or Elastic.

Vulnerability Management Tools

  • Use these tools to collect metadata about vulnerable drivers across enterprise systems.
Internal MISP references

UUID f5a9a1dd-82f9-41a3-85b8-13e5b9cd6c79 which can be used as unique global reference for Driver Metadata - DC0074 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0074

Snapshot Enumeration - DC0047

The process of listing or retrieving metadata about existing snapshots in a cloud environment.

Data Collection Measures:

  • AWS CloudTrail
    • Logs API calls such as DescribeSnapshots, ListSnapshots, and GetSnapshotAttributes.
  • Azure Monitor Logs
    • Tracks snapshot enumeration via Microsoft.Compute/snapshots/read.
  • Google Cloud Logging
    • Detects snapshot listing through compute.disks.listSnapshots.
Internal MISP references

UUID ffd73905-2e51-4f2d-8549-e72fb0eb6c38 which can be used as unique global reference for Snapshot Enumeration - DC0047 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0047

Snapshot Deletion - DC0049

The removal of a point-in-time backup of a cloud storage volume, virtual machine (VM), or database.

Data Collection Measures:

  • AWS CloudTrail
    • Logs DeleteSnapshot API calls in EC2, RDS, and EBS services.
  • Azure Monitor Logs
    • Tracks snapshot deletions via Microsoft.Compute/snapshots/delete API calls.
  • Google Cloud Logging
    • Detects snapshot removal through compute.disks.deleteSnapshot events.
Internal MISP references

UUID 16e07530-764b-4d83-bae0-cdbfc31bf21d which can be used as unique global reference for Snapshot Deletion - DC0049 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0049

Group Modification - DC0094

Changes made to a group, such as membership, name, or permissions (ex: Windows EID 4728 or 4732, AWS IAM UpdateGroup). Examples:

  • Active Directory:
    • Event ID 4728: Member added to a global group.
    • Event ID 4732: Member added to a local group.
  • Azure AD: Set-AzureADGroup -ObjectId <GroupId> -DisplayName "New Name"
  • AWS IAM: aws iam update-group --group-name <GroupName> --new-path "/admin/"
  • Google Workspace: Modify permissions via Admin SDK API: PATCH https://admin.googleapis.com/admin/directory/v1/groups/<groupKey>
  • Office 365: Modify groups via Graph API: PATCH https://graph.microsoft.com/v1.0/groups/<groupId>

Data Collection Measures:

  • Directory Logging:
    • Windows: Log EIDs 4728 (add), 4729 (remove).
    • Azure AD: Enable "Audit logs."
    • Google Workspace: Enable Admin Activity logs.
    • Office 365: Use Unified Audit Logs.
  • Cloud Monitoring:
    • AWS: Log UpdateGroup, AttachGroupPolicy, RemoveUserFromGroup.
    • Azure: Track modifications via Audit logs.
  • API Monitoring: Log Google Admin SDK and Microsoft Graph API calls.
  • SIEM Integration: Centralize and monitor group modification logs.
Internal MISP references

UUID 05d5b5b4-ef93-4807-b05f-33d8c5a35bc5 which can be used as unique global reference for Group Modification - DC0094 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0094

File Access - DC0055

To events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples:

  • File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive.
  • File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory).
  • Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., /etc/passwd on Linux or System32 files on Windows).
  • File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server).
  • File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access).
Internal MISP references

UUID 235b7491-2d2b-4617-9a52-3c0783680f71 which can be used as unique global reference for File Access - DC0055 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0055

Service Modification - DC0065

Changes made to an existing service or daemon, such as modifying the service name, start type, execution parameters, or security configurations.

Internal MISP references

UUID 66531bc6-a509-4868-8314-4d599e91d222 which can be used as unique global reference for Service Modification - DC0065 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0065

Snapshot Creation - DC0057

The process of taking a point-in-time copy of a cloud storage volume (files, settings, configurations, etc.), virtual machine (VM), or database that can be created and deployed in cloud environments.

Internal MISP references

UUID 3da222e6-53f3-451c-a239-0b405c009432 which can be used as unique global reference for Snapshot Creation - DC0057 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0057

Instance Enumeration - DC0075

The process of retrieving or querying a list of virtual machine instances or compute instances within a cloud infrastructure. This activity provides a view of all available or running instances, typically including their associated metadata such as instance ID, name, state, and configuration details. Examples:

  • AWS: instance enumeration involves the DescribeInstances API call, which retrieves information about running or stopped EC2 instances.
  • Azure: VM enumeration can be monitored via the Microsoft.Compute/virtualMachines/read operation.
  • GCP: instance enumeration is logged as an instance.list operation within GCP Audit Logs.

Data Collection Measures:

  • AWS CloudTrail: CloudTrail logs stored in S3 or forwarded to CloudWatch.
  • Azure Activity Logs: Accessible via Azure Monitor or exported to a storage account.
  • GCP Audit Logs: Logs Explorer or BigQuery.
Internal MISP references

UUID 2a80d95f-08c4-48e3-833e-151ef19d90f5 which can be used as unique global reference for Instance Enumeration - DC0075 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0075

Snapshot Modification - DC0058

Changes made to a cloud snapshot's metadata, attributes, or control settings. These modifications may involve adjusting access permissions, changing retention policies, or altering encryption settings.

Data Collection Measures:

  • AWS CloudTrail
    • Tracks API calls such as ModifySnapshotAttribute, ResetSnapshotAttribute, and ModifySnapshotTier.
  • Azure Monitor Logs
    • Logs changes via Microsoft.Compute/snapshots/write.
  • Google Cloud Logging
    • Captures modifications through compute.snapshots.setIamPolicy and compute.snapshots.patch.
Internal MISP references

UUID f1eb6ea9-f3ab-414f-af35-2d5427199984 which can be used as unique global reference for Snapshot Modification - DC0058 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0058

Volume Enumeration - DC0095

An extracted list of available volumes within a cloud environment (ex: AWS describe-volumes)

Internal MISP references

UUID ec225357-8197-47a4-a9cd-57741d592877 which can be used as unique global reference for Volume Enumeration - DC0095 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0095

File Metadata - DC0059

contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples:

  • File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\Windows\System32\config\SAM on Windows.
  • Timestamps: Analyzing the creation, modification, and access timestamps of a file.
  • File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation.
  • File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows.
  • File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds.
  • File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders.
Internal MISP references

UUID 639e87f3-acb6-448a-9645-258f20da4bc5 which can be used as unique global reference for File Metadata - DC0059 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0059

Instance Creation - DC0076

The initial provisioning and construction of a virtual machine (VM) or compute instance within a cloud infrastructure environment. This activity involves defining and allocating resources such as CPU, memory, storage, and networking to spin up a new compute instance. Examples:

  • AWS: creating an EC2 instance using RunInstances API calls.
  • Azure, creating a VM through the Azure Resource Manager (ARM).
  • GCP, an instance.insert action recorded.
Internal MISP references

UUID b5b0e8ae-7436-4951-950a-7b83c4dd3f2c which can be used as unique global reference for Instance Creation - DC0076 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0076

Instance Metadata - DC0086

Contextual data about an instance and activity around it such as name, type, or status

Internal MISP references

UUID 45fd904d-6eb0-4b50-8478-a961f09f898b which can be used as unique global reference for Instance Metadata - DC0086 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0086

Passive DNS - DC0096

"Domain Name: Passive DNS" captures logged historical and real-time domain name system (DNS) data. This includes records of domain-to-IP address resolutions over time, enabling analysts to track the evolution of domain infrastructure, uncover historical patterns of use, and detect malicious activities tied to domains and their associated IP addresses. Examples:

  • Historical Resolutions
  • Shared IP Usage
  • Temporal Patterns
  • Malicious Domain Clustering
  • Historical Lookback

This data component can be collected through the following measures:

  • Passive DNS Platforms: Use platforms that specialize in passive DNS collection and analysis:
  • Tools: Farsight DNSDB, RiskIQ PassiveTotal, PassiveDNS.
  • Threat Intelligence Feeds: Integrate passive DNS data from commercial or open-source threat intelligence providers.
  • Custom DNS Collectors: Deploy custom tools to capture DNS traffic at the network level for analysis.
  • Cloud DNS Services: Leverage cloud DNS services (e.g., AWS Route 53, Azure DNS) that maintain DNS query logs.
Internal MISP references

UUID cc150ad8-ecfa-4340-9aaa-d21165873bd4 which can be used as unique global reference for Passive DNS - DC0096 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0096

Container Start - DC0077

"Container Start" data component captures events related to the activation or invocation of a container within a containerized environment. This includes starting a previously stopped container, restarting an existing container, or initializing a container for runtime. Monitoring these activities is critical for identifying unauthorized or unexpected container activations, which may indicate potential adversarial activity or misconfigurations. Examples:

  • Docker Example: docker start <container_name>, docker restart <container_name>
  • Kubernetes Example: Kubernetes automatically restarts containers as part of pod lifecycle management (e.g., due to health checks or configuration changes).
  • Cloud-Native Example
    • AWS ECS: API Call: StartTask to activate a stopped ECS task.
    • Azure Container Instances: Command to restart a container group instance.
    • GCP Kubernetes Engine: Automatic restarts as part of node or pod management.

This data component can be collected through the following measures:

  • Docker Audit Logging: Enable Docker logging to capture start and restart events. Use tools like auditd to monitor terminal activity involving container lifecycle commands.
  • Kubernetes Audit Logs: Enable Kubernetes API server audit logging.
  • Cloud Provider Logs
    • AWS CloudTrail: Capture StartTask or related API calls for ECS.
    • Azure Monitor: Track activity in container groups that indicate start or restart events.
    • GCP Cloud Logging: Record logs related to pod restarts or scaling events in Kubernetes Engine.
  • SIEM Integration: Collect logs from Docker, Kubernetes, and cloud services to correlate container start events.
Internal MISP references

UUID 5fe82895-28e5-4aac-845e-dc886b63be2e which can be used as unique global reference for Container Start - DC0077 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0077

Volume Creation - DC0097

The initial provisioning of block storage volumes in cloud or on-prem environments, typically used for data storage, backup, or workload scaling.

Internal MISP references

UUID dad75cc7-5bae-4175-adb4-ca1962d8650e which can be used as unique global reference for Volume Creation - DC0097 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0097

Driver Load - DC0079

The process of attaching a driver, which is a software component that allows the operating system and applications to interact with hardware devices, to either user-mode or kernel-mode of a system. This can include benign actions (e.g., hardware drivers) or malicious behavior (e.g., rootkits or unsigned drivers). Examples:

  • Legitimate Driver Loading: A new graphics driver from a vendor like NVIDIA or AMD is loaded into the system.
  • Unsigned Driver Loading: A driver without a valid digital signature is loaded into the kernel.
  • Rootkit Installation: A malicious rootkit driver is loaded to manipulate kernel-mode processes.
  • Anti-Virus or EDR Driver Loading: An Endpoint Detection and Response (EDR) solution loads its driver to monitor system activities.
  • Driver Misuse: A legitimate driver is loaded and exploited to execute malicious actions, such as using vulnerable drivers for bypassing defenses (e.g., Bring Your Own Vulnerable Driver (BYOVD) attacks).
Internal MISP references

UUID 3551476e-14f5-4e48-a518-e82135329e03 which can be used as unique global reference for Driver Load - DC0079 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0079

Volume Deletion - DC0098

The removal of a cloud-based or on-premise block storage volume. This action permanently deletes the allocated storage and may result in data loss if not backed up.

Data Collection Measures:

  • Cloud Logging & APIs
    • AWS CloudTrail Logs
      • eventName: DeleteVolume (tracks volume deletions)
    • Azure Monitor Logs
      • operationName: Microsoft.Compute/disks/delete
      • status: Success | Failure (flag unauthorized delete attempts)
    • Google Cloud Audit Logs
      • protoPayload.methodName: "v1.compute.disks.delete"
      • authenticationInfo.principalEmail (identifies the user deleting the volume)
  • System & Host-Based Logging
    • Linux & macOS Logs:
      • /var/log/syslog or /var/log/messages for volume detach/deletion actions
    • Windows Event Logs:
      • Event ID 98 (Storage Class Memory)
      • Event ID 225 (Volume Removal Detected)
      • Event ID 12 (Disk Removal Notification)
Internal MISP references

UUID 3acecdde-c327-4498-9bb8-33a2e63c6c57 which can be used as unique global reference for Volume Deletion - DC0098 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0098

Instance Stop - DC0089

The deactivation or shutdown of a virtual machine instance within a cloud infrastructure. This action typically involves stopping a running instance, which halts its operation and releases certain associated resources, such as CPU and memory. Examples:

  • Google Cloud Platform (GCP): instance.stop events recorded in GCP Audit Logs indicate the deactivation of an instance.
  • Amazon Web Services (AWS): StopInstances actions in AWS CloudTrail indicate EC2 instances being stopped.
  • Microsoft Azure: Microsoft.Compute/virtualMachines/deallocate or stop events in Azure Activity Logs represent a virtual machine being stopped or deallocated.
Internal MISP references

UUID 1361e324-b594-4c0e-a517-20cee32b8d7f which can be used as unique global reference for Instance Stop - DC0089 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0089

Group Enumeration - DC0099

Extracting group lists from identity systems identifies permissions, roles, or configurations. Adversaries may exploit high-privilege groups or misconfigurations. Examples:

  • AWS CLI: aws iam list-groups
  • PowerShell: Get-ADGroup -Filter *
  • (Saas) Google Workspace: Admin SDK Directory API
  • Azure: Get-AzureADGroup
  • Microsoft 365: Graph API GET https://graph.microsoft.com/v1.0/groups

Data Collection Measures:

  • Cloud Logging: Enable AWS CloudTrail, Azure Activity Logs, and Google Workspace Admin Logs for group-related actions.
  • Directory Monitoring: Track logs like AD Event ID 4662 (object operations).
  • API Monitoring: Log API activity like AWS IAM queries.
  • SaaS Monitoring: Use platform logs (e.g., Office 365 Unified Audit Logs).
  • SIEM Integration: Centralize group query tracking.
Internal MISP references

UUID 8e44412e-3238-4d64-8878-4f11e27784fe which can be used as unique global reference for Group Enumeration - DC0099 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0099

API Calls - DC0112

API calls utilized by an application that could indicate malicious activity

Internal MISP references

UUID 5ae32c6a-2d12-4b8f-81ca-f862f2be0962 which can be used as unique global reference for API Calls - DC0112 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0112

Pod Metadata - DC0121

Contextual data about a pod and activity around it such as name, ID, namespace, or status

Internal MISP references

UUID c0edd522-0aef-46b3-8efa-2bd334ce4242 which can be used as unique global reference for Pod Metadata - DC0121 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0121

Network Communication - DC0113

Network requests made by an application or domains contacted

Internal MISP references

UUID 764ee29e-48d6-4934-8e6b-7a606aaaafc0 which can be used as unique global reference for Network Communication - DC0113 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0113

Permissions Requests - DC0114

Permissions declared in an application's manifest or property list file

Internal MISP references

UUID b1e0bb80-23d4-44f2-b919-7e9c54898f43 which can be used as unique global reference for Permissions Requests - DC0114 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0114

Protected Configuration - DC0115

Device configuration options that are not typically utilized by benign applications

Internal MISP references

UUID 6c62144a-cd5c-401c-ada9-58c4c74cd9d2 which can be used as unique global reference for Protected Configuration - DC0115 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0115

Permissions Request - DC0116

System prompts triggered when an application requests new or additional permissions

Internal MISP references

UUID e2f72131-14d1-411f-8e8c-aa3453dd5456 which can be used as unique global reference for Permissions Request - DC0116 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0116

System Notifications - DC0117

Notifications generated by the OS

Internal MISP references

UUID bf0ff551-a5a7-40e5-bff9-f9405011b1f4 which can be used as unique global reference for System Notifications - DC0117 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0117

System Settings - DC0118

Settings visible to the user on the device

Internal MISP references

UUID 56c2b384-77f8-461f-a71a-76f7888ebfb6 which can be used as unique global reference for System Settings - DC0118 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0118

Application Assets - DC0119

Additional assets included with an application

Internal MISP references

UUID 613788f2-ad72-43f5-b5f7-a93e2adc70fa which can be used as unique global reference for Application Assets - DC0119 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0119

Container Metadata - DC0122

Contextual data about a container and activity around it such as name, ID, image, or status

Internal MISP references

UUID df508a43-65f5-453f-8b8f-4b5d64e60a21 which can be used as unique global reference for Container Metadata - DC0122 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id DC0122