Data sources per platform

Content:

• Enterprise
• Mobile
• ICS

Enterprise

The below mapping from data sources/data components to platforms is created on the information provided by MITRE within the data source objects. Also, note that the below is only listing data components that are actually referenced by a technique. Therefore it does not include all data components as referenced in the STIX repository.

Data source	PRE	Windows	macOS	Linux	Office Suite	Identity Provider	SaaS	IaaS	Network Devices	Containers	ESXi
DHCP [DeTT&CT data source]		X	X	X
Email [DeTT&CT data source]		X	X	X	X		X
Internal DNS [DeTT&CT data source]		X	X	X				X	X	X
Web [DeTT&CT data source]		X	X	X	X		X	X	X	X
Active DNS	X
Active Directory Credential Request		X		X
Active Directory Object Access		X
Active Directory Object Creation		X				X		X
Active Directory Object Deletion		X
Active Directory Object Modification		X			X	X	X				X
Application Log Content	X	X	X	X	X	X	X	X	X	X	X
Certificate Registration	X
Cloud Service Disable							X	X
Cloud Service Enumeration					X	X	X	X
Cloud Service Metadata		X			X	X	X	X
Cloud Service Modification					X	X	X	X
Cloud Storage Access		X			X		X	X
Cloud Storage Creation								X
Cloud Storage Deletion								X
Cloud Storage Enumeration								X
Cloud Storage Metadata					X		X	X
Cloud Storage Modification					X		X	X
Command Execution		X	X	X	X	X	X	X	X	X	X
Container Creation				X						X
Container Enumeration										X
Container Start				X						X
Domain Registration	X	X									X
Drive Access		X	X	X
Drive Creation		X	X	X
Drive Modification		X	X	X					X
Driver Load		X		X
File Access		X	X	X	X		X	X		X	X
File Creation		X	X	X			X	X	X		X
File Deletion		X	X	X						X	X
File Metadata		X	X	X			X		X	X	X
File Modification		X	X	X	X			X	X	X	X
Firewall Disable								X			X
Firewall Rule Modification		X		X				X	X		X
Firmware Modification		X	X	X					X
Group Enumeration							X	X
Group Metadata					X
Group Modification					X
Host Status		X	X	X				X	X	X	X
Image Creation				X				X		X
Image Metadata										X	X
Image Modification								X		X
Instance Creation		X						X
Instance Deletion								X
Instance Enumeration								X
Instance Metadata								X
Instance Modification								X
Instance Start		X						X
Instance Stop								X
Kernel Module Load			X								X
Logon Session Creation		X	X	X	X	X	X	X	X	X	X
Logon Session Metadata		X	X	X	X	X	X	X		X	X
Malware Content	X
Malware Metadata	X
Module Load		X	X	X	X				X		X
Named Pipe Metadata		X	X
Network Connection Creation		X	X	X				X	X	X	X
Network Share Access		X		X			X
Network Traffic Content	X	X	X	X	X		X	X	X	X	X
Network Traffic Flow	X	X	X	X			X	X	X	X	X
OS API Execution		X	X	X				X	X		X
Passive DNS	X
Pod Creation										X
Pod Enumeration										X
Process Access		X	X	X
Process Creation		X	X	X	X			X		X	X
Process Metadata		X	X	X				X	X	X	X
Process Modification		X	X	X
Process Termination		X	X	X						X	X
Response Content	X		X
Response Metadata	X			X
Scheduled Job Creation		X	X	X						X	X
Scheduled Job Metadata		X	X	X							X
Scheduled Job Modification		X		X	X
Script Execution		X	X	X	X			X	X		X
Service Creation		X	X	X						X
Service Metadata		X	X	X					X	X	X
Service Modification		X
Snapshot Creation								X			X
Snapshot Deletion								X			X
Snapshot Metadata								X
Snapshot Modification								X
Social Media	X
User Account Authentication		X	X	X	X	X	X	X	X	X	X
User Account Creation		X		X	X	X	X	X	X	X
User Account Deletion		X			X						X
User Account Metadata		X	X	X	X	X	X	X		X	X
User Account Modification		X	X	X	X	X	X	X		X
Volume Creation		X						X
Volume Deletion								X			X
Volume Modification								X		X
WMI Creation		X
Web Credential Creation		X			X	X	X	X
Web Credential Usage			X		X	X	X	X		X
Windows Registry Key Access		X
Windows Registry Key Creation		X
Windows Registry Key Modification		X	X		X

Mobile

The below mapping from data sources/data components to platforms is created on the information provided by MITRE within the data source objects. Also, note that the below is only listing data components that are actually referenced by a technique. Therefore it does not include all data components as referenced in the STIX repository.

At this moment we do not have any DeTT&CT data sources for Mobile. If there is a need or if you do have a suggestion, we will look into this.

Data source	Android	iOS
API Calls	X	X
Application Assets	X	X
Command Execution	X	X
Host Status	X	X
Network Communication	X	X
Network Connection Creation	X	X
Network Traffic Content	X	X
Network Traffic Flow	X	X
OS API Execution	X	X
Permissions Request	X	X
Permissions Requests	X	X
Process Creation	X	X
Process Metadata	X	X
Process Termination	X
Protected Configuration	X	X
System Notifications	X	X
System Settings	X	X

ICS

Official platform mapping is missing

An official mapping for ICS sources/data components to platforms is currently missing. Since v14 release of ATT&CK platforms are not being used anymore for ICS. Therefor we cannot generate data source - platform mappings for ICS.

As we do not consider ourselves experts in the field of ICS, we have not included the DeTT&CT data sources. Any help and thus contributions on that matter are very much appreciated. Possibly, with future developments of ATT&CK ICS, we could automate this part when Detection objects are introduced. However, it is not certain whether this will provide good results.