Finding Inconsistencies In MITRE ATT&CK Data Sources

Tareq Alkhatib
3 min read · Feb 3, 2022


Summary: The “Command Execution” data source can be merged into either “Process” or “Script Execution”. Also, the “User Account Authentication” documentation lists the wrong Event ID.

I’ve been going through the documentation for ATT&CK data sources, mostly to build a better strategy for how to prioritize data collection. At first, I took all information at face value, and wrote my initial prioritization here. The application data source later became a problem, so I broke it down to its individual components here. However, the more I dug into it, the more questions I had about the definition of other data sources.

My questions are listed below:

1. What is “Command Execution”?

At first glance, “Command Execution” is a recording of the CLI commands executed on a host. So executing the command cmd.exe /c echo Ich bin eine Kartoffel would fit under the “Command Execution” umbrella.

Except that the event capturing this information in this case is Windows EID 4688 or Sysmon Event ID 1, both of which are “Process Creation” events, and “Process Creation” is its own data source in ATT&CK. That is to say, “Command Execution” is a field in a “Process Creation” event, rather than an event unto itself.

Of course, you can have execution without “Process Creation”. This is why we have the “Script Execution” data source to handle events like PowerShell 4104, where scripts or commands can be entered interactively instead of being passed in as parameters to a PowerShell process.

So my question is, if “Command Execution” is not distinct from “Process Creation” on the Event ID level and it is not different from “Script Execution” on the conceptual level, why do we need “Command Execution” as its own data source? For the purposes of prioritizing data collection, having a data source that blurs the line between two others would only serve to mess up the prioritization system.

2. What is “User Account Authentication”?

Logging into a host is a multi-step process. But to simplify, we can focus on two parts: Authentication (think NTLM, Kerberos, or similar) and creating a new logon session. The latter is clearly covered in “Logon Session Creation” as stated by the listed Event ID: 4624.

The former should be covered by “User Account Authentication”. But the documentation for that data source actually lists Event ID 4625 (An account failed to log on) instead of Kerberos events like 4769 (A Kerberos service ticket was requested) or NTLM ones like 4776 (The computer attempted to validate the credentials for an account). That is, “User Account Authentication” as defined in the documentation reads more like a copy of “Logon Session Creation” than actual authentication.

It is worth mentioning that 4769 (A Kerberos service ticket was requested) is actually mentioned in the “Web Credentials Creation” data source. As the name implies, this data source is more focused on the web side of authentication and does not cover regular “domain” authentication.

So if “Logon Session Creation” and “User Account Authentication” are fairly similar when we consider the documented Event IDs, and “Web Credentials Creation” is focused on web authentication, which data source covers account authentication? The most logical answer is that the documentation for “User Account Authentication” lists the wrong Event IDs and should include Event ID 4769 instead of 4625.
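Pulling the two observations together in code, as an added example that is not part of the post and not MITRE's own tooling: a small classifier over constructed Windows event XML shows that the “command” is a field inside Process Creation and Script Execution events rather than an event of its own, and applies the Event ID mapping argued for above (4625 under Logon Session Creation, 4769/4776 under User Account Authentication). The mapping, the provider names used as keys and the sample records are assumptions made for this example, not MITRE's published mapping.

```python
import xml.etree.ElementTree as ET

# Constructed mapping following the post's argument, not MITRE's published one:
# command lines live inside Process Creation / Script Execution events,
# 4625 is a logon event, and 4769/4776 are the actual authentication events.
EVENT_TO_SOURCE = {
    ("Microsoft-Windows-Security-Auditing", 4688): "Process Creation",
    ("Microsoft-Windows-Sysmon", 1): "Process Creation",
    ("Microsoft-Windows-PowerShell", 4104): "Script Execution",
    ("Microsoft-Windows-Security-Auditing", 4624): "Logon Session Creation",
    ("Microsoft-Windows-Security-Auditing", 4625): "Logon Session Creation",
    ("Microsoft-Windows-Security-Auditing", 4769): "User Account Authentication",
    ("Microsoft-Windows-Security-Auditing", 4776): "User Account Authentication",
}
# The "command" is a field of these events, not an event of its own.
COMMAND_FIELDS = ("CommandLine", "ScriptBlockText")
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def classify(event_xml):
    """Return (event_id, data_source, command) for one Windows event in EVTX XML shape."""
    root = ET.fromstring(event_xml)
    provider = root.find("e:System/e:Provider", NS).get("Name")
    eid = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    source = EVENT_TO_SOURCE.get((provider, eid), "unmapped")
    command = next((data[f] for f in COMMAND_FIELDS if f in data), None)
    return eid, source, command

def coverage(events):
    """Data sources covered by a set of collected events (input to prioritization)."""
    return {classify(e)[1] for e in events}

def _event(provider, eid, **fields):
    # Build a minimal constructed event in Windows EVTX XML shape.
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{eid}</EventID></System><EventData>{data}</EventData></Event>')

SAMPLE_EVENTS = [  # constructed sample records, not real telemetry
    _event("Microsoft-Windows-Sysmon", 1, Image="C:\\Windows\\System32\\cmd.exe",
           CommandLine="cmd.exe /c echo Ich bin eine Kartoffel"),
    _event("Microsoft-Windows-PowerShell", 4104, ScriptBlockText="Get-Process"),
    _event("Microsoft-Windows-Security-Auditing", 4625, TargetUserName="alice"),
    _event("Microsoft-Windows-Security-Auditing", 4769, ServiceName="cifs/fs01"),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(classify(e))
    print(sorted(coverage(SAMPLE_EVENTS)))
```

Note that no event ever classifies as “Command Execution”: the command text surfaces only as a field of a Process Creation or Script Execution record, which is the point of the first question.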

For the third question, I honestly was going to ask whether we really needed a Kernel data source that was distinct from Driver, but that felt a little nitpicky. Instead, let’s just end the list with two questions.

If you have any answers to these questions or have found your own inconsistencies in the documentation, please leave a comment below. I’m curious how many have gone down this rabbit hole before.

P.S. If you’re interested in Threat Hunting or Detection Engineering, you may be interested in checking out our newsletter at the link here: https://threathuntersdigest.substack.com


Cyber Nerd | Father | Chocoholic | All opinions are my own and not my employer's | https://threathuntersdigest.substack.com