Data Components

Data Components identify the specific properties/values relevant to detecting a given ATT&CK technique or sub-technique.

DC0084
Enterprise

Active Directory Credential Request

Requests for authentication credentials via Kerberos or other methods like NTLM and LDAP queries.

Examples:
Windows Event ID 4768 (Kerberos Authentication), 4771 (Kerberos pre-authentication), 4624 (Account Logon)
DC0071
Enterprise

Active Directory Object Access

Object access refers to activities where AD objects (e.g., user accounts, groups, policies) are accessed or queried.

Examples:
Windows Event ID 4661 logs object access attempts.
DC0087
Enterprise

Active Directory Object Creation

Creating new objects in AD, such as user accounts, groups, organizational units (OUs), or trust relationships.

Examples:
Logged as Event ID 5137.
DC0068
Enterprise

Active Directory Object Deletion

Object deletion in AD (e.g., user accounts, groups, OUs) is logged as Event ID 5141.

Examples:
Windows Event ID 5141 (Directory Service Object Deletion)
DC0066
Enterprise

Active Directory Object Modification

Changes to AD objects (e.g., users, groups, OUs) are logged as Event ID 5136 (Object Modification) or 5163 (Attribute Changes).

Examples:
Windows Event ID 5136, 5163, 4738 (User Account Changed)
DC0103
Enterprise

Active DNS

Captures queried DNS registry data that highlights current domain-to-IP address resolutions. This data includes both direct queries to DNS servers and records that provide mappings between domain names and associated IP addresses.

Examples:
DNS query logs, resolver cache, DNS analytics platforms
DC0112
Mobile

API Calls

API calls utilized by an application that could indicate malicious activity.

Examples:
Android API call logs, iOS system calls, application behavior analytics
DC0119
Mobile

Application Assets

Additional assets included with an application.

Examples:
App resources, embedded files, configuration assets
DC0038
ICS & Enterprise

Application Log Content

Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications.

Examples:
Web server logs (IIS, Apache), mail server logs, database logs, application error logs
DC0110
ICS

Asset Inventory

This includes sources of current and expected devices on the network, including the manufacturer, model, and necessary identifiers (e.g., IP and hardware addresses).

Examples:
ICS asset management systems, network scanners, device inventories
DC0093
Enterprise

Certificate Registration

Certificate Registration refers to the collection and analysis of information about digital certificates, including current, revoked, and expired certificates.

Examples:
Certificate Transparency logs, public certificate databases, internal PKI logs
DC0064
ICS, Mobile & Enterprise

Command Execution

Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application.

Examples:
Windows Event ID 4688, Sysmon Event ID 1, bash history logs, PowerShell transcripts

Comprehensive Data Collection

This repository contains all 119 MITRE ATT&CK Data Components. The components displayed above represent a sample of the complete collection. Each component is categorized by domain (Enterprise, ICS, or Mobile) and includes relevant detection examples.