How To Use ATT&CK’s Application Datasource

Tareq Alkhatib
4 min read · Jan 12, 2022


Summary: The “Application Log” ATT&CK datasource contains widely different log types. This blog offers a breakdown of the subcategories within “Application Log”.

Continuing from my previous post about MITRE ATT&CK data collection, the “Application Log” datasource was particularly problematic. The datasource is effectively an “other” bucket, the place where MITRE puts miscellaneous log types that are not yet mature enough to warrant their own datasource. This makes it difficult to plan collection for one’s SIEM.

As such, I’ve gone through all the techniques that use the “Application Log” datasource and listed them out. This should hopefully allow us to better plan our data collection in the future.

Here are the datasources I got:

  1. Application Health: This source is only seen for T1499 (Endpoint Denial of Service) and its subtechniques. Effectively, it means that if an OS, Application, or Service can log its level of utilization, you can use those logs to determine whether it is under a Denial of Service attack. These logs sound related to the “Sensor Health” datasource, though the concept of a Sensor in the ATT&CK context does not seem to include applications reporting on their own health.
  2. Code Repository Logs, Confluence Logs, SharePoint Logs: All three of these are used in T1213 (Data from Information Repositories) and its subtechniques. As the technique name implies, the source in this case is monitoring who is getting access to what. Couple this with good Data Classification and you should be able to write useful Detection Rules for users who are accessing too much sensitive information, even if said user does have permission to access any single piece of information on its own.
  3. Email Server Logs: As you might expect, email server logs are used for the various flavours of phishing (T1566, T1598, and T1534) and T1114 (Email Collection).
  4. Email Client Logs: This is a difficult one because email clients are not usually monitored in a security context. The datasource is only used in one subtechnique, T1564.008 (Hide Artifacts: Email Hiding Rules), for generic email clients (that is, not Outlook-specific). ATT&CK’s documentation does not mention any specific event IDs to monitor, despite mentioning a few PowerShell commands for use on Outlook. The Outlook-specific techniques are T1137.003 (Office Application Startup: Outlook Forms), T1137.004 (Office Application Startup: Outlook Home Page), and T1137.005 (Office Application Startup: Outlook Rules).
  5. Exchange Logs: Apart from the more generic “Email Server Logs”, Exchange Logs are only used in two subtechniques that are specific to Exchange, T1098.002 (Account Manipulation: Exchange Email Delegate Permissions) and T1505.002 (Server Software Component: Transport Agent).
  6. Proxy Logs: This datasource is used in a single technique, T1189 (Drive-by Compromise). You can think of it more broadly as anything that captures outbound web traffic. Note: ATT&CK does not explicitly mention this source for Phishing detection, but we can assume that it can be used for this purpose as well.
  7. Remote Service Logon Logs: Remote Services in this context covers any service that would allow remote access to internal systems. These services include VPNs, Citrix, and RDP or VNC jump boxes. This datasource covers the aptly named External Remote Services technique (T1133).
  8. MS SQL Server Logs: This datasource focuses explicitly on MS SQL Server’s Stored Procedures feature for T1505.001 (Server Software Component: SQL Stored Procedures). For the curious, generic SQL attacks are listed under the generic T1190 (Exploit Public-Facing Application).
  9. Software Deployment Tool Logs: Software Deployment Tools in this context include SCCM, HBSS, Altiris, etc. This datasource is used in only one technique, T1072 (Software Deployment Tools).
  10. Web Application Logs: This datasource covers all of T1491 (Defacement), T1594 (Search Victim-Owned Websites), T1505.003 (Server Software Component: Web Shell), T1550.001 (Use Alternate Authentication Material: Application Access Token), T1550.004 (Use Alternate Authentication Material: Web Session Cookie), and the extremely wide net of T1190 (Exploit Public-Facing Application). This is a datasource that might require further analysis and breakdown.
  11. Security Event ID 1102, Service Control Manager Event ID 7035, System Event ID 104: These are used for T1562.002 (Impair Defenses: Disable Windows Event Logging).
  12. Application User Account Authentication: While “User Account Authentication” is its own datasource in ATT&CK, I believe MITRE included “Application Log” here just in case people think of “User Account Authentication” exclusively in Kerberos or NTLM terms. Application User Account Authentication is used for T1110 (Brute Force).
  13. EDR / Sysmon: T1210 (Exploitation of Remote Services) covers a lot of ground. Fortunately, ATT&CK does include some specific events to monitor like suspicious writes to disk, Process Injection, and suspicious network connections. Neither EDR protection nor Sysmon logs can guarantee that we will detect exploitation but this is our best bet for now.
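As an added example (my own illustration, not anything from ATT&CK or the post's GitHub table) of the T1213 idea in item 2 above: join repository access logs against a data-classification map and flag users who touch an unusual number of distinct sensitive documents in a day, even though each individual access was authorized. The log format, classification labels and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed data-classification map: repository path -> sensitivity label.
CLASSIFICATION = {
    "/finance/q4-forecast.xlsx": "confidential",
    "/hr/salaries.xlsx": "confidential",
    "/legal/merger-draft.docx": "restricted",
    "/eng/onboarding.md": "public",
    "/marketing/brochure.pdf": "public",
}
SENSITIVE_LABELS = {"confidential", "restricted"}

# Constructed SharePoint/Confluence-style access log: "<timestamp> <user> <action> <path>".
ACCESS_LOG = """\
2022-01-10T09:01:00Z alice VIEW /finance/q4-forecast.xlsx
2022-01-10T09:05:00Z alice VIEW /hr/salaries.xlsx
2022-01-10T09:07:00Z alice DOWNLOAD /legal/merger-draft.docx
2022-01-10T09:09:00Z alice VIEW /eng/onboarding.md
2022-01-10T10:00:00Z bob VIEW /hr/salaries.xlsx
2022-01-10T10:30:00Z bob VIEW /marketing/brochure.pdf
2022-01-10T11:00:00Z carol VIEW /eng/onboarding.md
"""


def parse_access_log(text):
    """Split each non-empty line into (timestamp, user, action, path)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, path = line.split(maxsplit=3)
            events.append((ts, user, action, path))
    return events


def sensitive_docs_per_user_day(events, classification):
    """Window the count per (user, day) so a long-lived account is not flagged on lifetime totals."""
    touched = defaultdict(set)
    for ts, user, _action, path in events:
        # Unclassified paths are treated as non-sensitive; tune this to your classification policy.
        if classification.get(path, "unclassified") in SENSITIVE_LABELS:
            touched[(user, ts[:10])].add(path)
    return touched


def detect_t1213(log_text, classification, threshold=3):
    """Return (user, day, sorted distinct sensitive paths) for every window at or above the threshold."""
    touched = sensitive_docs_per_user_day(parse_access_log(log_text), classification)
    hits = [(u, d, sorted(p)) for (u, d), p in touched.items() if len(p) >= threshold]
    return sorted(hits)
```

A distinct-document count rather than a raw event count keeps a user who re-opens one spreadsheet twenty times from tripping the rule.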

Sadly, not all techniques could be mapped to the datasources above. Below are the techniques that did not make the cut:

  1. T1199 (Trust Relationship): The concept of Trust Relationships is too broad to be covered by any datasource.
  2. T1204.003 (User Execution: Malicious [Cloud] Image): The technique already lists all of “Command Execution”, “Container Creation”, “Container Start”, “Image Creation”, “Instance Creation”, and “Instance Start” as datasources, so I’m not sure what else is left for an application to log.
  3. T1610 (Deploy Container): same as the above.
  4. T1613 (Container and Resource Discovery): same as the above.

Finally, if you prefer to read this data in a table format, you can do so at the GitHub link below:


P.S. If you’re interested in Threat Hunting or Detection Engineering, you may be interested in checking out our newsletter at the link here: https://threathuntersdigest.substack.com
