DS0015 Application Log

Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform) [1]

Item Value
ID DS0015
Platforms Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Collection Layers Cloud Control Plane, Host
Version 1.0
Created 20 October 2021
Last Modified 11 May 2022

Data Components

Application Log Content

Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)

Domain ID Name
enterprise T1098 Account Manipulation
enterprise T1098.002 Additional Email Delegate Permissions
enterprise T1098.005 Device Registration
ics T0800 Activate Firmware Update Mode
enterprise T1557 Adversary-in-the-Middle
enterprise T1557.003 DHCP Spoofing
ics T0830 Adversary-in-the-Middle
ics T0803 Block Command Message
ics T0804 Block Reporting Message
ics T0805 Block Serial COM
enterprise T1110 Brute Force
enterprise T1110.001 Password Guessing
enterprise T1110.002 Password Cracking
enterprise T1110.003 Password Spraying
enterprise T1110.004 Credential Stuffing
ics T0806 Brute Force I/O
ics T0858 Change Operating Mode
ics T0807 Command-Line Interface
enterprise T1213 Data from Information Repositories
enterprise T1213.001 Confluence
enterprise T1213.002 Sharepoint
enterprise T1213.003 Code Repositories
ics T0811 Data from Information Repositories
enterprise T1622 Debugger Evasion
enterprise T1491 Defacement
enterprise T1491.001 Internal Defacement
enterprise T1491.002 External Defacement
ics T0814 Denial of Service
enterprise T1610 Deploy Container
ics T0816 Device Restart/Shutdown
enterprise T1189 Drive-by Compromise
ics T0817 Drive-by Compromise
enterprise T1114 Email Collection
enterprise T1114.003 Email Forwarding Rule
enterprise T1499 Endpoint Denial of Service
enterprise T1499.002 Service Exhaustion Flood
enterprise T1499.003 Application Exhaustion Flood
enterprise T1499.004 Application or System Exploitation
enterprise T1048 Exfiltration Over Alternative Protocol
enterprise T1190 Exploit Public-Facing Application
ics T0819 Exploit Public-Facing Application
enterprise T1203 Exploitation for Client Execution
enterprise T1212 Exploitation for Credential Access
enterprise T1211 Exploitation for Defense Evasion
ics T0820 Exploitation for Evasion
ics T0890 Exploitation for Privilege Escalation
enterprise T1210 Exploitation of Remote Services
ics T0866 Exploitation of Remote Services
enterprise T1133 External Remote Services
ics T0822 External Remote Services
enterprise T1200 Hardware Additions
enterprise T1564 Hide Artifacts
enterprise T1564.008 Email Hiding Rules
enterprise T1562 Impair Defenses
enterprise T1562.002 Disable Windows Event Logging
enterprise T1070 Indicator Removal
enterprise T1070.008 Clear Mailbox Data
enterprise T1534 Internal Spearphishing
ics T0838 Modify Alarm Settings
enterprise T1556 Modify Authentication Process
enterprise T1556.007 Hybrid Identity
ics T0821 Modify Controller Tasking
ics T0836 Modify Parameter
ics T0889 Modify Program
ics T0839 Module Firmware
ics T0801 Monitor Process State
enterprise T1621 Multi-Factor Authentication Request Generation
enterprise T1027 Obfuscated Files or Information
enterprise T1027.005 Indicator Removal from Tools
enterprise T1137 Office Application Startup
enterprise T1137.003 Outlook Forms
enterprise T1137.004 Outlook Home Page
enterprise T1137.005 Outlook Rules
enterprise T1069 Permission Groups Discovery
enterprise T1069.003 Cloud Groups
enterprise T1566 Phishing
enterprise T1566.001 Spearphishing Attachment
enterprise T1566.002 Spearphishing Link
enterprise T1566.003 Spearphishing via Service
enterprise T1598 Phishing for Information
enterprise T1598.001 Spearphishing Service
enterprise T1598.002 Spearphishing Attachment
enterprise T1598.003 Spearphishing Link
ics T0861 Point & Tag Identification
ics T0843 Program Download
ics T0845 Program Upload
ics T0848 Rogue Master
enterprise T1594 Search Victim-Owned Websites
enterprise T1505 Server Software Component
enterprise T1505.001 SQL Stored Procedures
enterprise T1505.002 Transport Agent
enterprise T1505.003 Web Shell
enterprise T1648 Serverless Execution
enterprise T1072 Software Deployment Tools
ics T0865 Spearphishing Attachment
enterprise T1649 Steal or Forge Authentication Certificates
ics T0857 System Firmware
ics T0864 Transient Cyber Asset
enterprise T1199 Trusted Relationship
ics T0855 Unauthorized Command Message
enterprise T1552 Unsecured Credentials
enterprise T1552.008 Chat Messages
enterprise T1550 Use Alternate Authentication Material
enterprise T1550.004 Web Session Cookie
enterprise T1204 User Execution
enterprise T1204.003 Malicious Image
ics T0863 User Execution
ics T0860 Wireless Compromise

References
  1. Confluence Support. (2021, April 22). Working with Confluence Logs. Retrieved September 23, 2021. 

  2. Microsoft Threat Intelligence Center, Microsoft Detection and Response Team, Microsoft 365 Defender Research Team. (2022, August 24). MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone. Retrieved September 28, 2022.

  3. Mike Burns. (2020, September 30). Detecting Microsoft 365 and Azure Active Directory Backdoors. Retrieved September 28, 2022. 

  4. SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019. 

  5. Slack Help Center. (n.d.). View Access Logs for your workspace. Retrieved April 10, 2023. 

  6. Microsoft. (2006, August 31). DHCP Server Operational Events. Retrieved March 7, 2022. 

  7. Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020. 

  8. Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. 

  9. Stepanic, D. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.

  10. US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016. 

  11. Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022. 

  12. Microsoft. (2022, February 15). Email exfiltration controls for connectors. Retrieved May 27, 2022. 

  13. Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved March 7, 2022. 

  14. Sutherland, S. (2016, March 7). Maintaining Persistence via SQL Server – Part 1: Startup Stored Procedures. Retrieved July 8, 2019. 

  15. Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019. 

  16. Dr. Nestori Syynimaa. (2021, January 31). BPRT unleashed: Joining multiple devices to Azure AD and Intune. Retrieved March 4, 2022. 

  17. Microsoft. (2022, February 18). Manage device identities by using the Azure portal. Retrieved April 13, 2022. 

  18. Cid, D. (2015, August 2). BIND9 – Denial of Service Exploit in the Wild. Retrieved April 26, 2019.

  19. Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved January 31, 2022. 

  20. Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in Microsoft Exchange. Retrieved October 12, 2021. 

  21. McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding. Retrieved October 8, 2019. 

  22. Chris Taylor. (2017, October 5). When Phishing Starts from the Inside. Retrieved October 8, 2019.