User Interface, Data Source DS0042

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>User Interface, Data Source DS0042 | MITRE ATT&CK®</title>   <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' />  <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1">  <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>  <img src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1">  <div class="col px-0">   <div class="container-fluid banner-message"> Reminder: the TAXII 2.0 server will be <a href='https://medium.com/mitre-attack/introducing-taxii-2-1-and-a-fond-farewell-to-taxii-2-0-d9fca6ce4c58'>retiring on December 18</a>. Please switch to the <a href='https://github.com/mitre-attack/attack-workbench-taxii-server/blob/main/docs/USAGE.md'>TAXII 2.1 server</a> to ensure uninterrupted service. </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0">   <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div>  <div id="v-tab" role="tablist" aria-orientation="vertical" class="h-100"> <div class="sidenav-wrapper"> <div class="heading" data-toggle="collapse" data-target="#sidebar-collapse" id="v-home-tab" aria-expanded="true" aria-controls="#sidebar-collapse" aria-selected="false">DATA SOURCES <i class="fa-solid fa-fw fa-chevron-down"></i> <i class="fa-solid fa-fw fa-chevron-up"></i> </div> <div class="checkbox-div" id="v-home-tab" aria-selected="false"> <div class="custom-control custom-switch"> <input type="checkbox" class="custom-control-input" id="enterpriseSwitch" onchange="filterTables(enterpriseSwitch, icsSwitch)"> <label class="custom-control-label" for="enterpriseSwitch">Enterprise</label> </div> <div class="custom-control custom-switch"> <input type="checkbox" class="custom-control-input" id="mobileSwitch" onchange="filterTables(mobileSwitch, enterpriseSwitch)"> <label class="custom-control-label" for="mobileSwitch">Mobile</label> </div> <div class="custom-control custom-switch"> <input type="checkbox" class="custom-control-input" id="icsSwitch" onchange="filterTables(icsSwitch, enterpriseSwitch)"> <label class="custom-control-label" for="icsSwitch">ICS</label> </div> </div> <br class="br-mobile"> <div class="sidenav-list collapse show" id="sidebar-collapse" aria-labelledby="v-home-tab"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026"> <a href="/datasources/DS0026/"> Active Directory </a> <div class="expand-button collapsed" id="DS0026-header" data-toggle="collapse" data-target="#DS0026-body" aria-expanded="false" aria-controls="#DS0026-body"></div> </div> <div class="sidenav-body collapse" id="DS0026-body" aria-labelledby="DS0026-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Credential Request"> <a href="/datasources/DS0026/#Active%20Directory%20Credential%20Request"> Active Directory Credential Request </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Access"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Access"> Active Directory Object Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Creation"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Creation"> Active Directory Object Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Deletion"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Deletion"> Active Directory Object Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Modification"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Modification"> Active Directory Object Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0015"> <a href="/datasources/DS0015/"> Application Log </a> <div class="expand-button collapsed" id="DS0015-header" data-toggle="collapse" data-target="#DS0015-body" aria-expanded="false" aria-controls="#DS0015-body"></div> </div> <div class="sidenav-body collapse" id="DS0015-body" aria-labelledby="DS0015-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0015-Application Log Content"> <a href="/datasources/DS0015/#Application%20Log%20Content"> Application Log Content </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041"> <a href="/datasources/DS0041/"> Application Vetting </a> <div class="expand-button collapsed" id="DS0041-header" data-toggle="collapse" data-target="#DS0041-body" aria-expanded="false" aria-controls="#DS0041-body"></div> </div> <div class="sidenav-body collapse" id="DS0041-body" aria-labelledby="DS0041-header"> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-API Calls"> <a href="/datasources/DS0041/#API%20Calls"> API Calls </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Application Assets"> <a href="/datasources/DS0041/#Application%20Assets"> Application Assets </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Network Communication"> <a href="/datasources/DS0041/#Network%20Communication"> Network Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Permissions Requests"> <a href="/datasources/DS0041/#Permissions%20Requests"> Permissions Requests </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Protected Configuration"> <a href="/datasources/DS0041/#Protected%20Configuration"> Protected Configuration </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head ics " id="DS0039"> <a href="/datasources/DS0039/"> Asset </a> <div class="expand-button collapsed" id="DS0039-header" data-toggle="collapse" data-target="#DS0039-body" aria-expanded="false" aria-controls="#DS0039-body"></div> </div> <div class="sidenav-body collapse" id="DS0039-body" aria-labelledby="DS0039-header"> <div class="sidenav"> <div class="sidenav-head ics " id="DS0039-Asset Inventory"> <a href="/datasources/DS0039/#Asset%20Inventory"> Asset Inventory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head ics " id="DS0039-Software"> <a href="/datasources/DS0039/#Software"> Software </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0037"> <a href="/datasources/DS0037/"> Certificate </a> <div class="expand-button collapsed" id="DS0037-header" data-toggle="collapse" data-target="#DS0037-body" aria-expanded="false" aria-controls="#DS0037-body"></div> </div> <div class="sidenav-body collapse" id="DS0037-body" aria-labelledby="DS0037-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0037-Certificate Registration"> <a href="/datasources/DS0037/#Certificate%20Registration"> Certificate Registration </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025"> <a href="/datasources/DS0025/"> Cloud Service </a> <div class="expand-button collapsed" id="DS0025-header" data-toggle="collapse" data-target="#DS0025-body" aria-expanded="false" aria-controls="#DS0025-body"></div> </div> <div class="sidenav-body collapse" id="DS0025-body" aria-labelledby="DS0025-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Disable"> <a href="/datasources/DS0025/#Cloud%20Service%20Disable"> Cloud Service Disable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Enumeration"> <a href="/datasources/DS0025/#Cloud%20Service%20Enumeration"> Cloud Service Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Metadata"> <a href="/datasources/DS0025/#Cloud%20Service%20Metadata"> Cloud Service Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Modification"> <a href="/datasources/DS0025/#Cloud%20Service%20Modification"> Cloud Service Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010"> <a href="/datasources/DS0010/"> Cloud Storage </a> <div class="expand-button collapsed" id="DS0010-header" data-toggle="collapse" data-target="#DS0010-body" aria-expanded="false" aria-controls="#DS0010-body"></div> </div> <div class="sidenav-body collapse" id="DS0010-body" aria-labelledby="DS0010-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Access"> <a href="/datasources/DS0010/#Cloud%20Storage%20Access"> Cloud Storage Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Creation"> <a href="/datasources/DS0010/#Cloud%20Storage%20Creation"> Cloud Storage Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Deletion"> <a href="/datasources/DS0010/#Cloud%20Storage%20Deletion"> Cloud Storage Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Enumeration"> <a href="/datasources/DS0010/#Cloud%20Storage%20Enumeration"> Cloud Storage Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Metadata"> <a href="/datasources/DS0010/#Cloud%20Storage%20Metadata"> Cloud Storage Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Modification"> <a href="/datasources/DS0010/#Cloud%20Storage%20Modification"> Cloud Storage Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0017"> <a href="/datasources/DS0017/"> Command </a> <div class="expand-button collapsed" id="DS0017-header" data-toggle="collapse" data-target="#DS0017-body" aria-expanded="false" aria-controls="#DS0017-body"></div> </div> <div class="sidenav-body collapse" id="DS0017-body" aria-labelledby="DS0017-header"> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0017-Command Execution"> <a href="/datasources/DS0017/#Command%20Execution"> Command Execution </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032"> <a href="/datasources/DS0032/"> Container </a> <div class="expand-button collapsed" id="DS0032-header" data-toggle="collapse" data-target="#DS0032-body" aria-expanded="false" aria-controls="#DS0032-body"></div> </div> <div class="sidenav-body collapse" id="DS0032-body" aria-labelledby="DS0032-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032-Container Creation"> <a href="/datasources/DS0032/#Container%20Creation"> Container Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032-Container Enumeration"> <a href="/datasources/DS0032/#Container%20Enumeration"> Container Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032-Container Start"> <a href="/datasources/DS0032/#Container%20Start"> Container Start </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038"> <a href="/datasources/DS0038/"> Domain Name </a> <div class="expand-button collapsed" id="DS0038-header" data-toggle="collapse" data-target="#DS0038-body" aria-expanded="false" aria-controls="#DS0038-body"></div> </div> <div class="sidenav-body collapse" id="DS0038-body" aria-labelledby="DS0038-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038-Active DNS"> <a href="/datasources/DS0038/#Active%20DNS"> Active DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038-Domain Registration"> <a href="/datasources/DS0038/#Domain%20Registration"> Domain Registration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038-Passive DNS"> <a href="/datasources/DS0038/#Passive%20DNS"> Passive DNS </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0016"> <a href="/datasources/DS0016/"> Drive </a> <div class="expand-button collapsed" id="DS0016-header" data-toggle="collapse" data-target="#DS0016-body" aria-expanded="false" aria-controls="#DS0016-body"></div> </div> <div class="sidenav-body collapse" id="DS0016-body" aria-labelledby="DS0016-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0016-Drive Access"> <a href="/datasources/DS0016/#Drive%20Access"> Drive Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0016-Drive Creation"> <a href="/datasources/DS0016/#Drive%20Creation"> Drive Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0016-Drive Modification"> <a href="/datasources/DS0016/#Drive%20Modification"> Drive Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0027"> <a href="/datasources/DS0027/"> Driver </a> <div class="expand-button collapsed" id="DS0027-header" data-toggle="collapse" data-target="#DS0027-body" aria-expanded="false" aria-controls="#DS0027-body"></div> </div> <div class="sidenav-body collapse" id="DS0027-body" aria-labelledby="DS0027-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0027-Driver Load"> <a href="/datasources/DS0027/#Driver%20Load"> Driver Load </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0027-Driver Metadata"> <a href="/datasources/DS0027/#Driver%20Metadata"> Driver Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022"> <a href="/datasources/DS0022/"> File </a> <div class="expand-button collapsed" id="DS0022-header" data-toggle="collapse" data-target="#DS0022-body" aria-expanded="false" aria-controls="#DS0022-body"></div> </div> <div class="sidenav-body collapse" id="DS0022-body" aria-labelledby="DS0022-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Access"> <a href="/datasources/DS0022/#File%20Access"> File Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Creation"> <a href="/datasources/DS0022/#File%20Creation"> File Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Deletion"> <a href="/datasources/DS0022/#File%20Deletion"> File Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Metadata"> <a href="/datasources/DS0022/#File%20Metadata"> File Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Modification"> <a href="/datasources/DS0022/#File%20Modification"> File Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018"> <a href="/datasources/DS0018/"> Firewall </a> <div class="expand-button collapsed" id="DS0018-header" data-toggle="collapse" data-target="#DS0018-body" aria-expanded="false" aria-controls="#DS0018-body"></div> </div> <div class="sidenav-body collapse" id="DS0018-body" aria-labelledby="DS0018-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall Disable"> <a href="/datasources/DS0018/#Firewall%20Disable"> Firewall Disable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall Enumeration"> <a href="/datasources/DS0018/#Firewall%20Enumeration"> Firewall Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall Metadata"> <a href="/datasources/DS0018/#Firewall%20Metadata"> Firewall Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall Rule Modification"> <a href="/datasources/DS0018/#Firewall%20Rule%20Modification"> Firewall Rule Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0001"> <a href="/datasources/DS0001/"> Firmware </a> <div class="expand-button collapsed" id="DS0001-header" data-toggle="collapse" data-target="#DS0001-body" aria-expanded="false" aria-controls="#DS0001-body"></div> </div> <div class="sidenav-body collapse" id="DS0001-body" aria-labelledby="DS0001-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0001-Firmware Modification"> <a href="/datasources/DS0001/#Firmware%20Modification"> Firmware Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036"> <a href="/datasources/DS0036/"> Group </a> <div class="expand-button collapsed" id="DS0036-header" data-toggle="collapse" data-target="#DS0036-body" aria-expanded="false" aria-controls="#DS0036-body"></div> </div> <div class="sidenav-body collapse" id="DS0036-body" aria-labelledby="DS0036-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036-Group Enumeration"> <a href="/datasources/DS0036/#Group%20Enumeration"> Group Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036-Group Metadata"> <a href="/datasources/DS0036/#Group%20Metadata"> Group Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036-Group Modification"> <a href="/datasources/DS0036/#Group%20Modification"> Group Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007"> <a href="/datasources/DS0007/"> Image </a> <div class="expand-button collapsed" id="DS0007-header" data-toggle="collapse" data-target="#DS0007-body" aria-expanded="false" aria-controls="#DS0007-body"></div> </div> <div class="sidenav-body collapse" id="DS0007-body" aria-labelledby="DS0007-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007-Image Creation"> <a href="/datasources/DS0007/#Image%20Creation"> Image Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007-Image Deletion"> <a href="/datasources/DS0007/#Image%20Deletion"> Image Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007-Image Metadata"> <a href="/datasources/DS0007/#Image%20Metadata"> Image Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007-Image Modification"> <a href="/datasources/DS0007/#Image%20Modification"> Image Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030"> <a href="/datasources/DS0030/"> Instance </a> <div class="expand-button collapsed" id="DS0030-header" data-toggle="collapse" data-target="#DS0030-body" aria-expanded="false" aria-controls="#DS0030-body"></div> </div> <div class="sidenav-body collapse" id="DS0030-body" aria-labelledby="DS0030-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Creation"> <a href="/datasources/DS0030/#Instance%20Creation"> Instance Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Deletion"> <a href="/datasources/DS0030/#Instance%20Deletion"> Instance Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Enumeration"> <a href="/datasources/DS0030/#Instance%20Enumeration"> Instance Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Metadata"> <a href="/datasources/DS0030/#Instance%20Metadata"> Instance Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Modification"> <a href="/datasources/DS0030/#Instance%20Modification"> Instance Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Start"> <a href="/datasources/DS0030/#Instance%20Start"> Instance Start </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Stop"> <a href="/datasources/DS0030/#Instance%20Stop"> Instance Stop </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0035"> <a href="/datasources/DS0035/"> Internet Scan </a> <div class="expand-button collapsed" id="DS0035-header" data-toggle="collapse" data-target="#DS0035-body" aria-expanded="false" aria-controls="#DS0035-body"></div> </div> <div class="sidenav-body collapse" id="DS0035-body" aria-labelledby="DS0035-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0035-Response Content"> <a href="/datasources/DS0035/#Response%20Content"> Response Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0035-Response Metadata"> <a href="/datasources/DS0035/#Response%20Metadata"> Response Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0008"> <a href="/datasources/DS0008/"> Kernel </a> <div class="expand-button collapsed" id="DS0008-header" data-toggle="collapse" data-target="#DS0008-body" aria-expanded="false" aria-controls="#DS0008-body"></div> </div> <div class="sidenav-body collapse" id="DS0008-body" aria-labelledby="DS0008-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0008-Kernel Module Load"> <a href="/datasources/DS0008/#Kernel%20Module%20Load"> Kernel Module Load </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0028"> <a href="/datasources/DS0028/"> Logon Session </a> <div class="expand-button collapsed" id="DS0028-header" data-toggle="collapse" data-target="#DS0028-body" aria-expanded="false" aria-controls="#DS0028-body"></div> </div> <div class="sidenav-body collapse" id="DS0028-body" aria-labelledby="DS0028-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0028-Logon Session Creation"> <a href="/datasources/DS0028/#Logon%20Session%20Creation"> Logon Session Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0028-Logon Session Metadata"> <a href="/datasources/DS0028/#Logon%20Session%20Metadata"> Logon Session Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0004"> <a href="/datasources/DS0004/"> Malware Repository </a> <div class="expand-button collapsed" id="DS0004-header" data-toggle="collapse" data-target="#DS0004-body" aria-expanded="false" aria-controls="#DS0004-body"></div> </div> <div class="sidenav-body collapse" id="DS0004-body" aria-labelledby="DS0004-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0004-Malware Content"> <a href="/datasources/DS0004/#Malware%20Content"> Malware Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0004-Malware Metadata"> <a href="/datasources/DS0004/#Malware%20Metadata"> Malware Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0011"> <a href="/datasources/DS0011/"> Module </a> <div class="expand-button collapsed" id="DS0011-header" data-toggle="collapse" data-target="#DS0011-body" aria-expanded="false" aria-controls="#DS0011-body"></div> </div> <div class="sidenav-body collapse" id="DS0011-body" aria-labelledby="DS0011-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0011-Module Load"> <a href="/datasources/DS0011/#Module%20Load"> Module Load </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0023"> <a href="/datasources/DS0023/"> Named Pipe </a> <div class="expand-button collapsed" id="DS0023-header" data-toggle="collapse" data-target="#DS0023-body" aria-expanded="false" aria-controls="#DS0023-body"></div> </div> <div class="sidenav-body collapse" id="DS0023-body" aria-labelledby="DS0023-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0023-Named Pipe Metadata"> <a href="/datasources/DS0023/#Named%20Pipe%20Metadata"> Named Pipe Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0033"> <a href="/datasources/DS0033/"> Network Share </a> <div class="expand-button collapsed" id="DS0033-header" data-toggle="collapse" data-target="#DS0033-body" aria-expanded="false" aria-controls="#DS0033-body"></div> </div> <div class="sidenav-body collapse" id="DS0033-body" aria-labelledby="DS0033-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0033-Network Share Access"> <a href="/datasources/DS0033/#Network%20Share%20Access"> Network Share Access </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0029"> <a href="/datasources/DS0029/"> Network Traffic </a> <div class="expand-button collapsed" id="DS0029-header" data-toggle="collapse" data-target="#DS0029-body" aria-expanded="false" aria-controls="#DS0029-body"></div> </div> <div class="sidenav-body collapse" id="DS0029-body" aria-labelledby="DS0029-header"> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0029-Network Connection Creation"> <a href="/datasources/DS0029/#Network%20Connection%20Creation"> Network Connection Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0029-Network Traffic Content"> <a href="/datasources/DS0029/#Network%20Traffic%20Content"> Network Traffic Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0029-Network Traffic Flow"> <a href="/datasources/DS0029/#Network%20Traffic%20Flow"> Network Traffic Flow </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head ics " id="DS0040"> <a href="/datasources/DS0040/"> Operational Databases </a> <div class="expand-button collapsed" id="DS0040-header" data-toggle="collapse" data-target="#DS0040-body" aria-expanded="false" aria-controls="#DS0040-body"></div> </div> <div class="sidenav-body collapse" id="DS0040-body" aria-labelledby="DS0040-header"> <div class="sidenav"> <div class="sidenav-head ics " id="DS0040-Device Alarm"> <a href="/datasources/DS0040/#Device%20Alarm"> Device Alarm </a> </div> </div> <div class="sidenav"> <div class="sidenav-head ics " id="DS0040-Process History/Live Data"> <a href="/datasources/DS0040/#Process%20History/Live%20Data"> Process History/Live Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head ics " id="DS0040-Process/Event Alarm"> <a href="/datasources/DS0040/#Process/Event%20Alarm"> Process/Event Alarm </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0021"> <a href="/datasources/DS0021/"> Persona </a> <div class="expand-button collapsed" id="DS0021-header" data-toggle="collapse" data-target="#DS0021-body" aria-expanded="false" aria-controls="#DS0021-body"></div> </div> <div class="sidenav-body collapse" id="DS0021-body" aria-labelledby="DS0021-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0021-Social Media"> <a href="/datasources/DS0021/#Social%20Media"> Social Media </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0014"> <a href="/datasources/DS0014/"> Pod </a> <div class="expand-button collapsed" id="DS0014-header" data-toggle="collapse" data-target="#DS0014-body" aria-expanded="false" aria-controls="#DS0014-body"></div> </div> <div class="sidenav-body collapse" id="DS0014-body" aria-labelledby="DS0014-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0014-Pod Creation"> <a href="/datasources/DS0014/#Pod%20Creation"> Pod Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0014-Pod Enumeration"> <a href="/datasources/DS0014/#Pod%20Enumeration"> Pod Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0014-Pod Modification"> <a href="/datasources/DS0014/#Pod%20Modification"> Pod Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0009"> <a href="/datasources/DS0009/"> Process </a> <div class="expand-button collapsed" id="DS0009-header" data-toggle="collapse" data-target="#DS0009-body" aria-expanded="false" aria-controls="#DS0009-body"></div> </div> <div class="sidenav-body collapse" id="DS0009-body" aria-labelledby="DS0009-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0009-OS API Execution"> <a href="/datasources/DS0009/#OS%20API%20Execution"> OS API Execution </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0009-Process Access"> <a href="/datasources/DS0009/#Process%20Access"> Process Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0009-Process Creation"> <a href="/datasources/DS0009/#Process%20Creation"> Process Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0009-Process Metadata"> <a href="/datasources/DS0009/#Process%20Metadata"> Process Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0009-Process Modification"> <a href="/datasources/DS0009/#Process%20Modification"> Process Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0009-Process Termination"> <a href="/datasources/DS0009/#Process%20Termination"> Process Termination </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0003"> <a href="/datasources/DS0003/"> Scheduled Job </a> <div class="expand-button collapsed" id="DS0003-header" data-toggle="collapse" data-target="#DS0003-body" aria-expanded="false" aria-controls="#DS0003-body"></div> </div> <div class="sidenav-body collapse" id="DS0003-body" aria-labelledby="DS0003-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0003-Scheduled Job Creation"> <a href="/datasources/DS0003/#Scheduled%20Job%20Creation"> Scheduled Job Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0003-Scheduled Job Metadata"> <a href="/datasources/DS0003/#Scheduled%20Job%20Metadata"> Scheduled Job Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0003-Scheduled Job Modification"> <a href="/datasources/DS0003/#Scheduled%20Job%20Modification"> Scheduled Job Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0012"> <a href="/datasources/DS0012/"> Script </a> <div class="expand-button collapsed" id="DS0012-header" data-toggle="collapse" data-target="#DS0012-body" aria-expanded="false" aria-controls="#DS0012-body"></div> </div> <div class="sidenav-body collapse" id="DS0012-body" aria-labelledby="DS0012-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0012-Script Execution"> <a href="/datasources/DS0012/#Script%20Execution"> Script Execution </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile " id="DS0013"> <a href="/datasources/DS0013/"> Sensor Health </a> <div class="expand-button collapsed" id="DS0013-header" data-toggle="collapse" data-target="#DS0013-body" aria-expanded="false" aria-controls="#DS0013-body"></div> </div> <div class="sidenav-body collapse" id="DS0013-body" aria-labelledby="DS0013-header"> <div class="sidenav"> <div class="sidenav-head enterprise mobile " id="DS0013-Host Status"> <a href="/datasources/DS0013/#Host%20Status"> Host Status </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0019"> <a href="/datasources/DS0019/"> Service </a> <div class="expand-button collapsed" id="DS0019-header" data-toggle="collapse" data-target="#DS0019-body" aria-expanded="false" aria-controls="#DS0019-body"></div> </div> <div class="sidenav-body collapse" id="DS0019-body" aria-labelledby="DS0019-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0019-Service Creation"> <a href="/datasources/DS0019/#Service%20Creation"> Service Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0019-Service Metadata"> <a href="/datasources/DS0019/#Service%20Metadata"> Service Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0019-Service Modification"> <a href="/datasources/DS0019/#Service%20Modification"> Service Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020"> <a href="/datasources/DS0020/"> Snapshot </a> <div class="expand-button collapsed" id="DS0020-header" data-toggle="collapse" data-target="#DS0020-body" aria-expanded="false" aria-controls="#DS0020-body"></div> </div> <div class="sidenav-body collapse" id="DS0020-body" aria-labelledby="DS0020-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020-Snapshot Creation"> <a href="/datasources/DS0020/#Snapshot%20Creation"> Snapshot Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020-Snapshot Deletion"> <a href="/datasources/DS0020/#Snapshot%20Deletion"> Snapshot Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020-Snapshot Enumeration"> <a href="/datasources/DS0020/#Snapshot%20Enumeration"> Snapshot Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020-Snapshot Metadata"> <a href="/datasources/DS0020/#Snapshot%20Metadata"> Snapshot Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020-Snapshot Modification"> <a href="/datasources/DS0020/#Snapshot%20Modification"> Snapshot Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0002"> <a href="/datasources/DS0002/"> User Account </a> <div class="expand-button collapsed" id="DS0002-header" data-toggle="collapse" data-target="#DS0002-body" aria-expanded="false" aria-controls="#DS0002-body"></div> </div> <div class="sidenav-body collapse" id="DS0002-body" aria-labelledby="DS0002-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0002-User Account Authentication"> <a href="/datasources/DS0002/#User%20Account%20Authentication"> User Account Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0002-User Account Creation"> <a href="/datasources/DS0002/#User%20Account%20Creation"> User Account Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0002-User Account Deletion"> <a href="/datasources/DS0002/#User%20Account%20Deletion"> User Account Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0002-User Account Metadata"> <a href="/datasources/DS0002/#User%20Account%20Metadata"> User Account Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0002-User Account Modification"> <a href="/datasources/DS0002/#User%20Account%20Modification"> User Account Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head active mobile " id="DS0042"> <a href="/datasources/DS0042/"> User Interface </a> <div class="expand-button collapsed" id="DS0042-header" data-toggle="collapse" data-target="#DS0042-body" aria-expanded="false" aria-controls="#DS0042-body"></div> </div> <div class="sidenav-body collapse" id="DS0042-body" aria-labelledby="DS0042-header"> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0042-Permissions Request"> <a href="/datasources/DS0042/#Permissions%20Request"> Permissions Request </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0042-System Notifications"> <a href="/datasources/DS0042/#System%20Notifications"> System Notifications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0042-System Settings"> <a href="/datasources/DS0042/#System%20Settings"> System Settings </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0034"> <a href="/datasources/DS0034/"> Volume </a> <div class="expand-button collapsed" id="DS0034-header" data-toggle="collapse" data-target="#DS0034-body" aria-expanded="false" aria-controls="#DS0034-body"></div> </div> <div class="sidenav-body collapse" id="DS0034-body" aria-labelledby="DS0034-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0034-Volume Creation"> <a href="/datasources/DS0034/#Volume%20Creation"> Volume Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0034-Volume Deletion"> <a href="/datasources/DS0034/#Volume%20Deletion"> Volume Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0034-Volume Enumeration"> <a href="/datasources/DS0034/#Volume%20Enumeration"> Volume Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0034-Volume Metadata"> <a href="/datasources/DS0034/#Volume%20Metadata"> Volume Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0034-Volume Modification"> <a href="/datasources/DS0034/#Volume%20Modification"> Volume Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0006"> <a href="/datasources/DS0006/"> Web Credential </a> <div class="expand-button collapsed" id="DS0006-header" data-toggle="collapse" data-target="#DS0006-body" aria-expanded="false" aria-controls="#DS0006-body"></div> </div> <div class="sidenav-body collapse" id="DS0006-body" aria-labelledby="DS0006-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0006-Web Credential Creation"> <a href="/datasources/DS0006/#Web%20Credential%20Creation"> Web Credential Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0006-Web Credential Usage"> <a href="/datasources/DS0006/#Web%20Credential%20Usage"> Web Credential Usage </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0024"> <a href="/datasources/DS0024/"> Windows Registry </a> <div class="expand-button collapsed" id="DS0024-header" data-toggle="collapse" data-target="#DS0024-body" aria-expanded="false" aria-controls="#DS0024-body"></div> </div> <div class="sidenav-body collapse" id="DS0024-body" aria-labelledby="DS0024-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0024-Windows Registry Key Access"> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Access"> Windows Registry Key Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0024-Windows Registry Key Creation"> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Creation"> Windows Registry Key Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0024-Windows Registry Key Deletion"> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Deletion"> Windows Registry Key Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0024-Windows Registry Key Modification"> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Modification"> Windows Registry Key Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0005"> <a href="/datasources/DS0005/"> WMI </a> <div class="expand-button collapsed" id="DS0005-header" data-toggle="collapse" data-target="#DS0005-body" aria-expanded="false" aria-controls="#DS0005-body"></div> </div> <div class="sidenav-body collapse" id="DS0005-body" aria-labelledby="DS0005-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0005-WMI Creation"> <a href="/datasources/DS0005/#WMI%20Creation"> WMI Creation </a> </div> </div> </div> </div> </div> </div> </div>  </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/datasources/">Data Sources</a></li> <li class="breadcrumb-item">User Interface</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> User Interface </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>Visual activity on the device that could alert the user to potentially malicious behavior.</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">ID: </span>DS0042 </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">ⓘ</span> </div> <div class="col-11 pl-0"> <span class="h5 card-title">Platforms: </span>Android, iOS </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="A description of where the data source may be physically collected (ex: Host, Network, Cloud Control Plane, etc.)">ⓘ</span> </div> <div class="col-11 pl-0"> <span class="h5 card-title">Collection Layer: </span>Device </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Version</span>: 1.0 </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Created: </span>13 March 2023 </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Last Modified: </span>13 March 2023 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of DS0042" href="/versions/v16/datasources/DS0042/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of DS0042" href="/versions/v16/datasources/DS0042/" data-test-ignore="true">Live Version</a> </div> </div> </div> </div> <h2 class="pt-3" id="datacomponents">Data Components</h2> <div class="row no-techniques-in-data-source-message" style="display: none"> <div class="col-md-12 description-body"> <p>This data source does not have any techniques in the selected domain(s)</p> </div> </div> <div class="row"> <div class="col-md-12 section-view mobile "> <a class="anchor" id="Permissions Request"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">User Interface: Permissions Request</h4> <div class="description-body"> <p>System prompts triggered when an application requests new or additional permissions</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">User Interface: Permissions Request</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>System prompts triggered when an application requests new or additional permissions</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1626">T1626</a> </td> <td> <a href="/techniques/T1626">Abuse Elevation Control Mechanism</a> </td> <td> <p>When an application requests administrator permission, the user is presented with a popup and the option to grant or deny the request. </p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1626/001">.001</a> </td> <td> <a href="/techniques/T1626/001">Device Administrator Permissions</a> </td> <td> <p>The user is prompted for approval when an application requests device administrator permissions.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1638">T1638</a> </td> <td> <a href="/techniques/T1638">Adversary-in-the-Middle</a> </td> <td> <p>On both Android and iOS, the user must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. The user can see registered VPN services in the device settings. </p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1662">T1662</a> </td> <td> <a href="/techniques/T1662">Data Destruction</a> </td> <td> <p>The user is prompted for approval when an application requests device administrator permissions.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1420">T1420</a> </td> <td> <a href="/techniques/T1420">File and Directory Discovery</a> </td> <td> <p>On Android, the user is presented with a permissions popup when an application requests access to external device storage.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1663">T1663</a> </td> <td> <a href="/techniques/T1663">Remote Access Software</a> </td> <td> <p>Remote access software typically requires many privileged permissions, such as accessibility services or device administrator. </p> </td> </tr> </tbody> </table> </div> </div> <div class="col-md-12 section-view mobile "> <a class="anchor" id="System Notifications"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">User Interface: System Notifications</h4> <div class="description-body"> <p>Notifications generated by the OS</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">User Interface: System Notifications</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Notifications generated by the OS</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1616">T1616</a> </td> <td> <a href="/techniques/T1616">Call Control</a> </td> <td> <p>The user can review available call logs for irregularities, such as missing or unrecognized calls.</p> </td> </tr> <tr class="sub technique noparent mobile" id="mobile"> <td> Mobile </td> <td> <a href="/techniques/T1627">T1627</a> </td> <td> <a href="/techniques/T1627/001">.001</a> </td> <td> <a href="/techniques/T1627">Execution Guardrails</a>: <a href="/techniques/T1627/001">Geofencing</a> </td> <td> <p>On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1541">T1541</a> </td> <td> <a href="/techniques/T1541">Foreground Persistence</a> </td> <td> <p>The user can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong.</p> </td> </tr> <tr class="sub technique noparent mobile" id="mobile"> <td> Mobile </td> <td> <a href="/techniques/T1430">T1430</a> </td> <td> <a href="/techniques/T1430/001">.001</a> </td> <td> <a href="/techniques/T1430">Location Tracking</a>: <a href="/techniques/T1430/001">Remote Device Management Services</a> </td> <td> <p>Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used. </p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1655">T1655</a> </td> <td> <a href="/techniques/T1655">Masquerading</a> </td> <td> <p>Unexpected behavior from an application could be an indicator of masquerading.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1655/001">.001</a> </td> <td> <a href="/techniques/T1655/001">Match Legitimate Name or Location</a> </td> <td> <p>Unexpected behavior from an application could be an indicator of masquerading.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1464">T1464</a> </td> <td> <a href="/techniques/T1464">Network Denial of Service</a> </td> <td> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1644">T1644</a> </td> <td> <a href="/techniques/T1644">Out of Band Data</a> </td> <td> <p>If the user sees a notification with text they do not recognize, they should review their list of installed applications.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1635">T1635</a> </td> <td> <a href="/techniques/T1635">Steal Application Access Token</a> </td> <td> <p>On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1635/001">.001</a> </td> <td> <a href="/techniques/T1635/001">URI Hijacking</a> </td> <td> <p>On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.</p> </td> </tr> </tbody> </table> </div> </div> <div class="col-md-12 section-view mobile "> <a class="anchor" id="System Settings"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">User Interface: System Settings</h4> <div class="description-body"> <p>Settings visible to the user on the device</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">User Interface: System Settings</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Settings visible to the user on the device</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="sub technique noparent mobile" id="mobile"> <td> Mobile </td> <td> <a href="/techniques/T1626">T1626</a> </td> <td> <a href="/techniques/T1626/001">.001</a> </td> <td> <a href="/techniques/T1626">Abuse Elevation Control Mechanism</a>: <a href="/techniques/T1626/001">Device Administrator Permissions</a> </td> <td> <p>The user can see which applications are registered as device administrators in the device settings.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1517">T1517</a> </td> <td> <a href="/techniques/T1517">Access Notifications</a> </td> <td> <p>The user can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access). </p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1429">T1429</a> </td> <td> <a href="/techniques/T1429">Audio Capture</a> </td> <td> <p>In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="ZecOps Research Team. (2021, November 4). How iOS Malware Can Spy on Users Silently. Retrieved April 1, 2022."data-reference="iOS Mic Spyware"><sup><a href="https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p><p>In Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Google. (n.d.). Privacy Indicators. Retrieved April 20, 2022."data-reference="Android Privacy Indicators"><sup><a href="https://source.android.com/devices/tech/config/privacy-indicators" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1616">T1616</a> </td> <td> <a href="/techniques/T1616">Call Control</a> </td> <td> <p>The user can view their default phone app in device settings.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1662">T1662</a> </td> <td> <a href="/techniques/T1662">Data Destruction</a> </td> <td> <p>The user may view applications with administrator access through the device settings and may also notice if user data is inexplicably missing. </p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1642">T1642</a> </td> <td> <a href="/techniques/T1642">Endpoint Denial of Service</a> </td> <td> <p>On Android, the user can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. </p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1627">T1627</a> </td> <td> <a href="/techniques/T1627">Execution Guardrails</a> </td> <td> <p>The user can review which applications have location and sensitive phone information permissions in the operating system鈥檚 settings menu. </p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1627/001">.001</a> </td> <td> <a href="/techniques/T1627/001">Geofencing</a> </td> <td> <p>The user can review which applications have location permissions in the operating system鈥檚 settings menu.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1643">T1643</a> </td> <td> <a href="/techniques/T1643">Generate Traffic from Victim</a> </td> <td> <p>On Android, the user can review which applications can use premium SMS features in the "Special access" page within application settings. </p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1628">T1628</a> </td> <td> <a href="/techniques/T1628">Hide Artifacts</a> </td> <td> <p>The user can examine the list of all installed applications in the device settings. </p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1628/001">.001</a> </td> <td> <a href="/techniques/T1628/001">Suppress Application Icon</a> </td> <td> <p>The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings. If the user is redirected to the device settings when tapping an application鈥檚 icon, they should inspect the application to ensure it is genuine.</p> </td> </tr> <tr class="sub technique noparent mobile" id="mobile"> <td> Mobile </td> <td> <a href="/techniques/T1629">T1629</a> </td> <td> <a href="/techniques/T1629/001">.001</a> </td> <td> <a href="/techniques/T1629">Impair Defenses</a>: <a href="/techniques/T1629/001">Prevent Application Removal</a> </td> <td> <p>The user can view a list of device administrators and applications that have registered accessibility services in device settings. The user can typically visually see when an action happens that they did not initiate and can subsequently review installed applications for any out of place or unknown ones. Applications that register an accessibility service or request device administrator permissions should be scrutinized further for malicious behavior.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1629/002">.002</a> </td> <td> <a href="/techniques/T1629">Impair Defenses</a>: <a href="/techniques/T1629/002">Device Lockout</a> </td> <td> <p>The user can view a list of device administrators in device settings and revoke permission where appropriate. Applications that request device administrator permissions should be scrutinized further for malicious behavior.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1629/003">.003</a> </td> <td> <a href="/techniques/T1629">Impair Defenses</a>: <a href="/techniques/T1629/003">Disable or Modify Tools</a> </td> <td> <p>The user can view a list of active device administrators in the device settings.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1630">T1630</a> </td> <td> <a href="/techniques/T1630">Indicator Removal on Host</a> </td> <td> <p>The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. The user can see a list of applications that can use accessibility services in the device settings. </p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1630/001">.001</a> </td> <td> <a href="/techniques/T1630/001">Uninstall Malicious Application</a> </td> <td> <p>The user can see a list of applications that can use accessibility services in the device settings.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1630/002">.002</a> </td> <td> <a href="/techniques/T1630/002">File Deletion</a> </td> <td> <p>The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. </p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1417">T1417</a> </td> <td> <a href="/techniques/T1417">Input Capture</a> </td> <td> <p>The user can view and manage installed third-party keyboards.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1417/001">.001</a> </td> <td> <a href="/techniques/T1417/001">Keylogging</a> </td> <td> <p>On Android, the user can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, the user can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. </p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1417/002">.002</a> </td> <td> <a href="/techniques/T1417/002">GUI Input Capture</a> </td> <td> <p>An Android user can view and manage which applications hold the <code>SYSTEM_ALERT_WINDOW</code> permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions). </p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1516">T1516</a> </td> <td> <a href="/techniques/T1516">Input Injection</a> </td> <td> <p>The user can view applications that have registered accessibility services in the accessibility menu within the device settings.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1430">T1430</a> </td> <td> <a href="/techniques/T1430">Location Tracking</a> </td> <td> <p>In both Android (6.0 and up) and iOS, the user can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary. </p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1636">T1636</a> </td> <td> <a href="/techniques/T1636">Protected User Data</a> </td> <td> <p>The user can view permissions granted to an application in device settings. </p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1636/001">.001</a> </td> <td> <a href="/techniques/T1636/001">Calendar Entries</a> </td> <td> <p>On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary. </p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1636/002">.002</a> </td> <td> <a href="/techniques/T1636/002">Call Log</a> </td> <td> <p>On Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1636/003">.003</a> </td> <td> <a href="/techniques/T1636/003">Contact List</a> </td> <td> <p>On both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. </p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1636/004">.004</a> </td> <td> <a href="/techniques/T1636/004">SMS Messages</a> </td> <td> <p>On Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1513">T1513</a> </td> <td> <a href="/techniques/T1513">Screen Capture</a> </td> <td> <p>The user can view a list of apps with accessibility service privileges in the device settings.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1582">T1582</a> </td> <td> <a href="/techniques/T1582">SMS Control</a> </td> <td> <p>The user can view the default SMS handler in system settings.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1632">T1632</a> </td> <td> <a href="/techniques/T1632">Subvert Trust Controls</a> </td> <td> <p>On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.</p><p>On iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1632/001">.001</a> </td> <td> <a href="/techniques/T1632/001">Code Signing Policy Modification</a> </td> <td> <p>On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications. </p><p>On iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1512">T1512</a> </td> <td> <a href="/techniques/T1512">Video Capture</a> </td> <td> <p>The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions.</p> </td> </tr> </tbody> </table> </div> </div> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/" target="_blank"> ZecOps Research Team. (2021, November 4). How iOS Malware Can Spy on Users Silently. Retrieved April 1, 2022. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="2.0"> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://source.android.com/devices/tech/config/privacy-indicators" target="_blank"> Google. (n.d.). Privacy Indicators. Retrieved April 20, 2022. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div>   <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner">  <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div>  <div id="search-body" class="search-body"> <div class="results" id="search-results">  </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1">  <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&CK content v16.1Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> © 2015 - 2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div>  </div>  <script src="/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/theme/scripts/popper.min.js"></script> <script src="/theme/scripts/bootstrap-select.min.js"></script> <script src="/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/theme/scripts/site.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/search_bundle.js"></script>  <script src="/theme/scripts/resizer.js"></script>  <script src="/theme/scripts/filter/filter.js?8085"></script> <script src="/theme/scripts/navigation.js"></script> <script src="/theme/scripts/mobileview-datasources.js"></script> <script src="/theme/scripts/bootstrap-tourist.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/tour/tour-relationships.js"></script> </body> </html>

CINXE.COM

User Interface, Data Source DS0042 | MITRE ATT&CK®