MITRE ATT&CK® Reference

Data Components

Concrete ATT&CK data components linked to detectable techniques.

174 records · validated library

Data Components results

Results are validated against normalized ATT&CK source records when available; sample records are used only in development or empty-data environments.

Data Component ICS

DC0111: Software

This includes sources of current and expected software or application programs deployed to a device, along with information on the version and patch level for vendor products, full source code for any application programs, and unique identifiers (e.g., hashes, signatures).

Data Component Mobile

DC0117: System Notifications

System Notifications represent operating system alerts, warnings, or status messages generated in response to application actions, system state changes, or security events. These notifications may indicate potentially malicious activity or abnormal application behavior.

Examples

- Application requesting sensitive permissions
- USB device connected notifications
- Security warnings triggered by device configuration changes

Collection Methods

- Mobile OS notification monitoring
- Mobile EDR sensors
- Device management telemetry

Data Component Mobile

DC0118: System Settings

System Settings represent user-visible or OS-level configuration settings that influence device behavior, application permissions, connectivity, or system features.

Monitoring system settings changes allows defenders to detect abnormal modifications that may indicate malicious activity or device compromise.

Collection Methods

- MDM device telemetry
- Mobile EDR monitoring
- OS configuration monitoring

Data Component Enterprise

DC0002: User Account Authentication

An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation.

Data Component Mobile

DC0002: User Account Authentication

An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation.

Data Component ICS

DC0002: User Account Authentication

An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation.

Data Component Enterprise

DC0014: User Account Creation

The initial establishment of a new user, service, or machine account within an operating system, cloud environment, or identity management system.

Data Component Enterprise

DC0009: User Account Deletion

The removal of a user, service, or machine account from an operating system, cloud identity management system, or directory service.

Data Component Enterprise

DC0010: User Account Modification

Changes made to an existing user, service, or machine account, including alterations to attributes, permissions, roles, authentication methods, or group memberships.

Data Component Enterprise

DC0097: Volume Creation

The initial provisioning of block storage volumes in cloud or on-prem environments, typically used for data storage, backup, or workload scaling.

Data Component Enterprise

DC0098: Volume Deletion

The removal of a cloud-based or on-premise block storage volume. This action permanently deletes the allocated storage and may result in data loss if not backed up.

*Data Collection Measures:*

- Cloud Logging & APIs
  - AWS CloudTrail Logs
    - `eventName: DeleteVolume` (tracks volume deletions)
  - Azure Monitor Logs
    - `operationName: Microsoft.Compute/disks/delete`
    - `status: Success | Failure` (flag unauthorized delete attempts)
  - Google Cloud Audit Logs
    - `protoPayload.methodName: "v1.compute.disks.delete"`
    - `authenticationInfo.principalEmail` (identifies the user deleting the volume)
- System & Host-Based Logging
  - Linux & macOS Logs:
    - `/var/log/syslog` or `/var/log/messages` for volume detach/deletion actions
  - Windows Event Logs:
    - Event ID 98 (Storage Class Memory)
    - Event ID 225 (Volume Removal Detected)
    - Event ID 12 (Disk Removal Notification)

Data Component Enterprise

DC0008: WMI Creation

Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider.

Data Component Enterprise

DC0007: Web Credential Usage

An attempt by a user to gain access to a network or computing resource by providing web credentials (e.g., Windows EID 1202).

Data Component Enterprise

DC0050: Windows Registry Key Access

The action of opening a specific Windows Registry key, typically to read its associated value. This activity can be used for system configuration, application settings retrieval, and security policies.

Data Component Enterprise

DC0045: Windows Registry Key Deletion

The removal of a registry key within the Windows operating system.

*Data Collection Measures:*

- Windows Event Logs
  - Event ID 4658 - Registry Key Handle Closed: Captures when a handle to a registry key is closed, which may indicate deletion.
  - Event ID 4660 - Object Deleted: Logs when a registry key is deleted.
- Sysmon (System Monitor) for Windows
  - Sysmon Event ID 12 - Registry Key Deleted: Logs when a registry key is removed.
  - Sysmon Event ID 13 - Registry Value Deleted: Captures removal of specific registry values.
- Endpoint Detection and Response (EDR) Solutions
  - Monitor registry deletions for suspicious behavior.

Data Component ICS

DC0045: Windows Registry Key Deletion

The removal of a registry key within the Windows operating system.

*Data Collection Measures:*

- Windows Event Logs
  - Event ID 4658 - Registry Key Handle Closed: Captures when a handle to a registry key is closed, which may indicate deletion.
  - Event ID 4660 - Object Deleted: Logs when a registry key is deleted.
- Sysmon (System Monitor) for Windows
  - Sysmon Event ID 12 - Registry Key Deleted: Logs when a registry key is removed.
  - Sysmon Event ID 13 - Registry Value Deleted: Captures removal of specific registry values.
- Endpoint Detection and Response (EDR) Solutions
  - Monitor registry deletions for suspicious behavior.

Data Component Enterprise

DC0063: Windows Registry Key Modification

Changes made to an existing registry key or its values. These modifications can include altering permissions, modifying stored data, or updating configuration settings.

*Data Collection Measures:*

- Windows Event Logs
  - Event ID 4657 - Registry Value Modified: Logs changes to registry values, including modifications to startup entries, security settings, or system configurations.
- Sysmon (System Monitor) for Windows
  - Sysmon Event ID 13 - Registry Value Set: Captures changes to specific registry values.
  - Sysmon Event ID 14 - Registry Key & Value Renamed: Logs renaming of registry keys, which may indicate evasion attempts.
- Endpoint Detection and Response (EDR) Solutions
  - Monitor registry modifications for suspicious behavior.

Data Component ICS

DC0063: Windows Registry Key Modification

Changes made to an existing registry key or its values. These modifications can include altering permissions, modifying stored data, or updating configuration settings.

*Data Collection Measures:*

- Windows Event Logs
  - Event ID 4657 - Registry Value Modified: Logs changes to registry values, including modifications to startup entries, security settings, or system configurations.
- Sysmon (System Monitor) for Windows
  - Sysmon Event ID 13 - Registry Value Set: Captures changes to specific registry values.
  - Sysmon Event ID 14 - Registry Key & Value Renamed: Logs renaming of registry keys, which may indicate evasion attempts.
- Endpoint Detection and Response (EDR) Solutions
  - Monitor registry modifications for suspicious behavior.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.