Application Vetting, Data Source DS0041 | MITRE ATT&CK®
id="DS0013-header" data-toggle="collapse" data-target="#DS0013-body" aria-expanded="false" aria-controls="#DS0013-body"></div> </div> <div class="sidenav-body collapse" id="DS0013-body" aria-labelledby="DS0013-header"> <div class="sidenav"> <div class="sidenav-head enterprise mobile " id="DS0013-Host Status"> <a href="/datasources/DS0013/#Host%20Status"> Host Status </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0019"> <a href="/datasources/DS0019/"> Service </a> <div class="expand-button collapsed" id="DS0019-header" data-toggle="collapse" data-target="#DS0019-body" aria-expanded="false" aria-controls="#DS0019-body"></div> </div> <div class="sidenav-body collapse" id="DS0019-body" aria-labelledby="DS0019-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0019-Service Creation"> <a href="/datasources/DS0019/#Service%20Creation"> Service Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0019-Service Metadata"> <a href="/datasources/DS0019/#Service%20Metadata"> Service Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0019-Service Modification"> <a href="/datasources/DS0019/#Service%20Modification"> Service Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020"> <a href="/datasources/DS0020/"> Snapshot </a> <div class="expand-button collapsed" id="DS0020-header" data-toggle="collapse" data-target="#DS0020-body" aria-expanded="false" aria-controls="#DS0020-body"></div> </div> <div class="sidenav-body collapse" id="DS0020-body" aria-labelledby="DS0020-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020-Snapshot Creation"> <a href="/datasources/DS0020/#Snapshot%20Creation"> Snapshot Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020-Snapshot Deletion"> <a 
href="/datasources/DS0020/#Snapshot%20Deletion"> Snapshot Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020-Snapshot Enumeration"> <a href="/datasources/DS0020/#Snapshot%20Enumeration"> Snapshot Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020-Snapshot Metadata"> <a href="/datasources/DS0020/#Snapshot%20Metadata"> Snapshot Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020-Snapshot Modification"> <a href="/datasources/DS0020/#Snapshot%20Modification"> Snapshot Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0002"> <a href="/datasources/DS0002/"> User Account </a> <div class="expand-button collapsed" id="DS0002-header" data-toggle="collapse" data-target="#DS0002-body" aria-expanded="false" aria-controls="#DS0002-body"></div> </div> <div class="sidenav-body collapse" id="DS0002-body" aria-labelledby="DS0002-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0002-User Account Authentication"> <a href="/datasources/DS0002/#User%20Account%20Authentication"> User Account Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0002-User Account Creation"> <a href="/datasources/DS0002/#User%20Account%20Creation"> User Account Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0002-User Account Deletion"> <a href="/datasources/DS0002/#User%20Account%20Deletion"> User Account Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0002-User Account Metadata"> <a href="/datasources/DS0002/#User%20Account%20Metadata"> User Account Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0002-User Account Modification"> <a 
href="/datasources/DS0002/#User%20Account%20Modification"> User Account Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0042"> <a href="/datasources/DS0042/"> User Interface </a> <div class="expand-button collapsed" id="DS0042-header" data-toggle="collapse" data-target="#DS0042-body" aria-expanded="false" aria-controls="#DS0042-body"></div> </div> <div class="sidenav-body collapse" id="DS0042-body" aria-labelledby="DS0042-header"> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0042-Permissions Request"> <a href="/datasources/DS0042/#Permissions%20Request"> Permissions Request </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0042-System Notifications"> <a href="/datasources/DS0042/#System%20Notifications"> System Notifications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0042-System Settings"> <a href="/datasources/DS0042/#System%20Settings"> System Settings </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0034"> <a href="/datasources/DS0034/"> Volume </a> <div class="expand-button collapsed" id="DS0034-header" data-toggle="collapse" data-target="#DS0034-body" aria-expanded="false" aria-controls="#DS0034-body"></div> </div> <div class="sidenav-body collapse" id="DS0034-body" aria-labelledby="DS0034-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0034-Volume Creation"> <a href="/datasources/DS0034/#Volume%20Creation"> Volume Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0034-Volume Deletion"> <a href="/datasources/DS0034/#Volume%20Deletion"> Volume Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0034-Volume Enumeration"> <a href="/datasources/DS0034/#Volume%20Enumeration"> Volume Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head 
enterprise " id="DS0034-Volume Metadata"> <a href="/datasources/DS0034/#Volume%20Metadata"> Volume Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0034-Volume Modification"> <a href="/datasources/DS0034/#Volume%20Modification"> Volume Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0006"> <a href="/datasources/DS0006/"> Web Credential </a> <div class="expand-button collapsed" id="DS0006-header" data-toggle="collapse" data-target="#DS0006-body" aria-expanded="false" aria-controls="#DS0006-body"></div> </div> <div class="sidenav-body collapse" id="DS0006-body" aria-labelledby="DS0006-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0006-Web Credential Creation"> <a href="/datasources/DS0006/#Web%20Credential%20Creation"> Web Credential Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0006-Web Credential Usage"> <a href="/datasources/DS0006/#Web%20Credential%20Usage"> Web Credential Usage </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0024"> <a href="/datasources/DS0024/"> Windows Registry </a> <div class="expand-button collapsed" id="DS0024-header" data-toggle="collapse" data-target="#DS0024-body" aria-expanded="false" aria-controls="#DS0024-body"></div> </div> <div class="sidenav-body collapse" id="DS0024-body" aria-labelledby="DS0024-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0024-Windows Registry Key Access"> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Access"> Windows Registry Key Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0024-Windows Registry Key Creation"> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Creation"> Windows Registry Key Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " 
id="DS0024-Windows Registry Key Deletion"> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Deletion"> Windows Registry Key Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0024-Windows Registry Key Modification"> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Modification"> Windows Registry Key Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0005"> <a href="/datasources/DS0005/"> WMI </a> <div class="expand-button collapsed" id="DS0005-header" data-toggle="collapse" data-target="#DS0005-body" aria-expanded="false" aria-controls="#DS0005-body"></div> </div> <div class="sidenav-body collapse" id="DS0005-body" aria-labelledby="DS0005-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0005-WMI Creation"> <a href="/datasources/DS0005/#WMI%20Creation"> WMI Creation </a> </div> </div> </div> </div> </div> </div> </div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/datasources/">Data Sources</a></li> <li class="breadcrumb-item">Application Vetting</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Application Vetting </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>Application vetting report generated by an external cloud service.</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">ID: 
</span>DS0041 </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">ⓘ</span> </div> <div class="col-11 pl-0"> <span class="h5 card-title">Platforms: </span>Android, iOS </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="A description of where the data source may be physically collected (ex: Host, Network, Cloud Control Plane, etc.)">ⓘ</span> </div> <div class="col-11 pl-0"> <span class="h5 card-title">Collection Layer: </span>Report </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Version</span>: 1.0 </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Created: </span>13 March 2023 </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Last Modified: </span>13 March 2023 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of DS0041" href="/versions/v16/datasources/DS0041/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of DS0041" href="/versions/v16/datasources/DS0041/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id="datacomponents">Data Components</h2> <div class="row no-techniques-in-data-source-message" style="display: none"> 
<div class="col-md-12 description-body"> <p>This data source does not have any techniques in the selected domain(s)</p> </div> </div> <div class="row"> <div class="col-md-12 section-view mobile "> <a class="anchor" id="API Calls"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">Application Vetting: API Calls</h4> <div class="description-body"> <p>API calls utilized by an application that could indicate malicious activity</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">Application Vetting: API Calls</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>API calls utilized by an application that could indicate malicious activity</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1661">T1661</a> </td> <td> <a href="/techniques/T1661">Application Versioning</a> </td> <td> <p>Application vetting services may look for indications that the application’s update includes malicious code at runtime. 
</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1414">T1414</a> </td> <td> <a href="/techniques/T1414">Clipboard Data</a> </td> <td> <p>Application vetting services could detect usage of standard clipboard APIs.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1623">T1623</a> </td> <td> <a href="/techniques/T1623">Command and Scripting Interpreter</a> </td> <td> <p>Application vetting services could detect the invocations of methods that could be used to execute shell commands.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022."data-reference="Samsung Knox Mobile Threat Defense"><sup><a href="https://partner.samsungknox.com/mtd" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1623/001">.001</a> </td> <td> <a href="/techniques/T1623/001">Unix Shell</a> </td> <td> <p>Application vetting services could detect the invocations of methods that could be used to execute shell commands.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. 
Retrieved March 30, 2022."data-reference="Samsung Knox Mobile Threat Defense"><sup><a href="https://partner.samsungknox.com/mtd" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1645">T1645</a> </td> <td> <a href="/techniques/T1645">Compromise Client Software Binary</a> </td> <td> <p>Application vetting services could detect applications trying to modify files in protected parts of the operating system.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1634">T1634</a> </td> <td> <a href="/techniques/T1634">Credentials from Password Store</a> </td> <td> <p>Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1634/001">.001</a> </td> <td> <a href="/techniques/T1634/001">Keychain</a> </td> <td> <p>Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1662">T1662</a> </td> <td> <a href="/techniques/T1662">Data Destruction</a> </td> <td> <p>Application vetting services may detect API calls for deleting files. 
</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1471">T1471</a> </td> <td> <a href="/techniques/T1471">Data Encrypted for Impact</a> </td> <td> <p>Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1641">T1641</a> </td> <td> <a href="/techniques/T1641">Data Manipulation</a> </td> <td> <p>Application vetting services could look for use of standard APIs (e.g. the clipboard API) that could indicate data manipulation is occurring.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1641/001">.001</a> </td> <td> <a href="/techniques/T1641/001">Transmitted Data Manipulation</a> </td> <td> <p>Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to applications that make use of them.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1407">T1407</a> </td> <td> <a href="/techniques/T1407">Download New Code at Runtime</a> </td> <td> <p>Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of <code>DexClassLoader</code>, <code>System.load</code>, or the WebView <code>JavaScriptInterface</code> capability; on iOS, use of JSPatch or similar capabilities).</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1627">T1627</a> </td> <td> <a href="/techniques/T1627">Execution Guardrails</a> </td> <td> <p>Application vetting services can detect unnecessary and potentially abused API calls.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a 
href="/techniques/T1627/001">.001</a> </td> <td> <a href="/techniques/T1627/001">Geofencing</a> </td> <td> <p>Application vetting services can detect unnecessary and potentially abused API calls.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1404">T1404</a> </td> <td> <a href="/techniques/T1404">Exploitation for Privilege Escalation</a> </td> <td> <p>Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1541">T1541</a> </td> <td> <a href="/techniques/T1541">Foreground Persistence</a> </td> <td> <p>Applications could be vetted for their use of the <code>startForeground()</code> API, and could be further scrutinized if usage is found.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1628">T1628</a> </td> <td> <a href="/techniques/T1628">Hide Artifacts</a> </td> <td> <p>Application vetting services could potentially detect the usage of APIs intended for artifact hiding.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1628/001">.001</a> </td> <td> <a href="/techniques/T1628/001">Suppress Application Icon</a> </td> <td> <p>Application vetting services could potentially detect the usage of APIs intended for suppressing the application’s icon.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1629">T1629</a> </td> <td> <a href="/techniques/T1629">Impair Defenses</a> </td> <td> <p>Application vetting can detect many techniques associated with impairing device defenses.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. 
Retrieved March 30, 2022."data-reference="Samsung Knox Mobile Threat Defense"><sup><a href="https://partner.samsungknox.com/mtd" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1629/001">.001</a> </td> <td> <a href="/techniques/T1629/001">Prevent Application Removal</a> </td> <td> <p>Application vetting services may detect API calls to <code>performGlobalAction(int)</code>. </p> </td> </tr> <tr class="sub technique noparent mobile" id="mobile"> <td> Mobile </td> <td> <a href="/techniques/T1630">T1630</a> </td> <td> <a href="/techniques/T1630/001">.001</a> </td> <td> <a href="/techniques/T1630">Indicator Removal on Host</a>: <a href="/techniques/T1630/001">Uninstall Malicious Application</a> </td> <td> <p>Application vetting services could look for use of the accessibility service or features that typically require root access.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1655">T1655</a> </td> <td> <a href="/techniques/T1655">Masquerading</a> </td> <td> <p>Application vetting services may potentially determine if an application contains suspicious code and/or metadata.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1655/001">.001</a> </td> <td> <a href="/techniques/T1655/001">Match Legitimate Name or Location</a> </td> <td> <p>Application vetting services may potentially determine if an application contains suspicious code and/or metadata.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1406">T1406</a> </td> <td> <a href="/techniques/T1406">Obfuscated Files or Information</a> </td> <td> <p>Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by 
detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1406/002">.002</a> </td> <td> <a href="/techniques/T1406/002">Software Packing</a> </td> <td> <p>Application vetting services could look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1424">T1424</a> </td> <td> <a href="/techniques/T1424">Process Discovery</a> </td> <td> <p>Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. 
Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of <code>ps</code> or inspection of the <code>/proc</code> directory.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1631">T1631</a> </td> <td> <a href="/techniques/T1631">Process Injection</a> </td> <td> <p>Application vetting services could look for misuse of dynamic libraries.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1631/001">.001</a> </td> <td> <a href="/techniques/T1631/001">Ptrace System Calls</a> </td> <td> <p>Application vetting services could look for misuse of dynamic libraries.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1513">T1513</a> </td> <td> <a href="/techniques/T1513">Screen Capture</a> </td> <td> <p>Application vetting services can look for the use of the Android <code>MediaProjectionManager</code> class, applying extra scrutiny to applications that use the class.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1418">T1418</a> </td> <td> <a href="/techniques/T1418">Software Discovery</a> </td> <td> <p>Application vetting services could look for the Android permission <code>android.permission.QUERY_ALL_PACKAGES</code>, and apply extra scrutiny to applications that request it. 
On iOS, application vetting services could look for usage of the private API <code>LSApplicationWorkspace</code> and apply extra scrutiny to applications that employ it.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1418/001">.001</a> </td> <td> <a href="/techniques/T1418/001">Security Software Discovery</a> </td> <td> <p>Application vetting services could look for the Android permission <code>android.permission.QUERY_ALL_PACKAGES</code>, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API <code>LSApplicationWorkspace</code> and apply extra scrutiny to applications that employ it.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1635">T1635</a> </td> <td> <a href="/techniques/T1635">Steal Application Access Token</a> </td> <td> <p>When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018."data-reference="IETF-OAuthNativeApps"><sup><a href="https://tools.ietf.org/html/rfc8252" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Android. (n.d.). Handling App Links. 
Retrieved December 21, 2016."data-reference="Android-AppLinks"><sup><a href="https://developer.android.com/training/app-links/index.html" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1635/001">.001</a> </td> <td> <a href="/techniques/T1635/001">URI Hijacking</a> </td> <td> <p>When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018."data-reference="IETF-OAuthNativeApps"><sup><a href="https://tools.ietf.org/html/rfc8252" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Android. (n.d.). Handling App Links. 
Retrieved December 21, 2016."data-reference="Android-AppLinks"><sup><a href="https://developer.android.com/training/app-links/index.html" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1409">T1409</a> </td> <td> <a href="/techniques/T1409">Stored Application Data</a> </td> <td> <p>Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1474">T1474</a> </td> <td> <a href="/techniques/T1474">Supply Chain Compromise</a> </td> <td> <p>Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1474/001">.001</a> </td> <td> <a href="/techniques/T1474/001">Compromise Software Dependencies and Development Tools</a> </td> <td> <p>Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. 
Application vetting could detect the usage of insecure or malicious third-party libraries.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1474/003">.003</a> </td> <td> <a href="/techniques/T1474/003">Compromise Software Supply Chain</a> </td> <td> <p>Application vetting services can detect malicious code in applications.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1633">T1633</a> </td> <td> <a href="/techniques/T1633">Virtualization/Sandbox Evasion</a> </td> <td> <p>Application vetting services could look for applications attempting to read system properties through <code>android.os.SystemProperties</code> or by running <code>getprop</code> via the runtime <code>exec()</code> commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1633/001">.001</a> </td> <td> <a href="/techniques/T1633/001">System Checks</a> </td> <td> <p>Application vetting services could look for applications attempting to read system properties through <code>android.os.SystemProperties</code> or by running <code>getprop</code> via the runtime <code>exec()</code> commands. 
This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.</p> </td> </tr> </tbody> </table> </div> </div> <div class="col-md-12 section-view mobile "> <a class="anchor" id="Application Assets"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">Application Vetting: Application Assets</h4> <div class="description-body"> <p>Additional assets included with an application</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">Application Vetting: Application Assets</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Additional assets included with an application</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> </tr> </thead> <tbody> <tr class="sub technique noparent mobile" id="mobile"> <td> Mobile </td> <td> <a href="/techniques/T1521">T1521</a> </td> <td> <a href="/techniques/T1521/003">.003</a> </td> <td> <a href="/techniques/T1521">Encrypted Channel</a>: <a href="/techniques/T1521/003">SSL Pinning</a> </td> </tr> </tbody> </table> </div> </div> <div class="col-md-12 section-view mobile "> <a class="anchor" id="Network Communication"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">Application Vetting: Network Communication</h4> <div class="description-body"> <p>Network requests made by an application or domains contacted</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">Application Vetting: Network Communication</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Network requests made by an application or domains 
contacted</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1661">T1661</a> </td> <td> <a href="/techniques/T1661">Application Versioning</a> </td> <td> <p>Application vetting services may be able to list domains and/or IP addresses that applications communicate with.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1407">T1407</a> </td> <td> <a href="/techniques/T1407">Download New Code at Runtime</a> </td> <td> <p>Application vetting services may be able to list domains and/or IP addresses that applications communicate with. </p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1637">T1637</a> </td> <td> <a href="/techniques/T1637">Dynamic Resolution</a> </td> <td> <p>Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. 
Retrieved February 18, 2019."data-reference="Data Driven Security DGA"><sup><a href="https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Chen, Z. et al. (2021, December 29). Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. Retrieved July 31, 2023."data-reference="unit42_strat_aged_domain_det"><sup><a href="https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span> Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1637/001">.001</a> </td> <td> <a href="/techniques/T1637/001">Domain Generation Algorithms</a> </td> <td> <p>Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. 
Retrieved February 18, 2019."data-reference="Data Driven Security DGA"><sup><a href="https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Chen, Z. et al. (2021, December 29). Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. Retrieved July 31, 2023."data-reference="unit42_strat_aged_domain_det"><sup><a href="https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span> Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1658">T1658</a> </td> <td> <a href="/techniques/T1658">Exploitation for Client Execution</a> </td> <td> <p>Network traffic analysis may reveal processes communicating with malicious domains. </p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1428">T1428</a> </td> <td> <a href="/techniques/T1428">Exploitation of Remote Services</a> </td> <td> <p>Application vetting may be able to identify applications that perform <a href="https://attack.mitre.org/tactics/TA0032">Discovery</a> or utilize existing connectivity to remotely access hosts within an internal enterprise network. 
</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1544">T1544</a> </td> <td> <a href="/techniques/T1544">Ingress Tool Transfer</a> </td> <td> <p>Application vetting services could look for connections to unknown domains or IP addresses. </p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1509">T1509</a> </td> <td> <a href="/techniques/T1509">Non-Standard Port</a> </td> <td> <p>Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection. </p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1481">T1481</a> </td> <td> <a href="/techniques/T1481">Web Service</a> </td> <td> <p>Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1481/001">.001</a> </td> <td> <a href="/techniques/T1481/001">Dead Drop Resolver</a> </td> <td> <p>Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. 
</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1481/002">.002</a> </td> <td> <a href="/techniques/T1481/002">Bidirectional Communication</a> </td> <td> <p>Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1481/003">.003</a> </td> <td> <a href="/techniques/T1481/003">One-Way Communication</a> </td> <td> <p>Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.</p> </td> </tr> </tbody> </table> </div> </div> <div class="col-md-12 section-view mobile "> <a class="anchor" id="Permissions Requests"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">Application Vetting: Permissions Requests</h4> <div class="description-body"> <p>Permissions declared in an application's manifest or property list file</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">Application Vetting: Permissions Requests</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Permissions declared in an application's manifest or property list file</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1626">T1626</a> </td> <td> <a href="/techniques/T1626">Abuse Elevation Control Mechanism</a> </td> <td> <p>Application vetting services can detect when an 
application requests administrator permission.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1626/001">.001</a> </td> <td> <a href="/techniques/T1626/001">Device Administrator Permissions</a> </td> <td> <p>Application vetting services can check for the string <code>BIND_DEVICE_ADMIN</code> in the application's manifest. This indicates that the application can prompt the user for device administrator permissions.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1517">T1517</a> </td> <td> <a href="/techniques/T1517">Access Notifications</a> </td> <td> <p>Application vetting services can look for applications requesting the <code>BIND_NOTIFICATION_LISTENER_SERVICE</code> permission in a service declaration. </p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1640">T1640</a> </td> <td> <a href="/techniques/T1640">Account Access Removal</a> </td> <td> <p>Application vetting services could closely scrutinize applications that request Device Administrator permissions.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1661">T1661</a> </td> <td> <a href="/techniques/T1661">Application Versioning</a> </td> <td> <p>Application vetting services may detect when an application requests permissions after an application update.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1429">T1429</a> </td> <td> <a href="/techniques/T1429">Audio Capture</a> </td> <td> <p>Android applications using the <code>RECORD_AUDIO</code> permission and iOS applications using <code>RequestRecordPermission</code> should be carefully reviewed and monitored. 
If the <code>CAPTURE_AUDIO_OUTPUT</code> permission is found in a third-party Android application, the application should be heavily scrutinized.</p><p>In both Android (6.0 and up) and iOS, the user can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary. </p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1662">T1662</a> </td> <td> <a href="/techniques/T1662">Data Destruction</a> </td> <td> <p>Mobile security products can detect which applications can request device administrator permissions. Application vetting services could be extra scrutinous of applications that request device administrator permissions.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1642">T1642</a> </td> <td> <a href="/techniques/T1642">Endpoint Denial of Service</a> </td> <td> <p>Application vetting services can detect and closely scrutinize applications that utilize Device Administrator access.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1624">T1624</a> </td> <td> <a href="/techniques/T1624">Event Triggered Execution</a> </td> <td> <p>Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. </p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1624/001">.001</a> </td> <td> <a href="/techniques/T1624/001">Broadcast Receivers</a> </td> <td> <p>Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. 
</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1627">T1627</a> </td> <td> <a href="/techniques/T1627">Execution Guardrails</a> </td> <td> <p>Application vetting services can detect unnecessary and potentially abused permissions.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1627/001">.001</a> </td> <td> <a href="/techniques/T1627/001">Geofencing</a> </td> <td> <p>Application vetting services can detect unnecessary and potentially abused location permissions.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1643">T1643</a> </td> <td> <a href="/techniques/T1643">Generate Traffic from Victim</a> </td> <td> <p>Application vetting services can detect when applications request the <code>SEND_SMS</code> permission, which should be infrequently used.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1630">T1630</a> </td> <td> <a href="/techniques/T1630">Indicator Removal on Host</a> </td> <td> <p>Mobile security products can detect which applications can request device administrator permissions. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1630/002">.002</a> </td> <td> <a href="/techniques/T1630/002">File Deletion</a> </td> <td> <p>Mobile security products can detect which applications can request device administrator permissions. 
Application vetting services could be extra scrutinous of applications that request device administrator permissions.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1544">T1544</a> </td> <td> <a href="/techniques/T1544">Ingress Tool Transfer</a> </td> <td> <p>Application vetting services may indicate precisely what content was requested during application execution.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1417">T1417</a> </td> <td> <a href="/techniques/T1417">Input Capture</a> </td> <td> <p>Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1417/001">.001</a> </td> <td> <a href="/techniques/T1417/001">Keylogging</a> </td> <td> <p>Application vetting services can look for applications requesting the <code>android.permission.BIND_ACCESSIBILITY_SERVICE</code> permission in a service declaration. On Android, the user can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1417/002">.002</a> </td> <td> <a href="/techniques/T1417/002">GUI Input Capture</a> </td> <td> <p>Application vetting services can look for applications requesting the <code>android.permission.SYSTEM_ALERT_WINDOW</code> permission in the list of permissions in the app manifest. 
</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1430">T1430</a> </td> <td> <a href="/techniques/T1430">Location Tracking</a> </td> <td> <p>Android applications requesting the <code>ACCESS_COARSE_LOCATION</code>, <code>ACCESS_FINE_LOCATION</code>, or <code>ACCESS_BACKGROUND_LOCATION</code> permissions and iOS applications including the <code>NSLocationWhenInUseUsageDescription</code>, <code>NSLocationAlwaysAndWhenInUseUsageDescription</code>, and/or <code>NSLocationAlwaysUsageDescription</code> keys in their <code>Info.plist</code> file could be scrutinized during the application vetting process. </p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1636">T1636</a> </td> <td> <a href="/techniques/T1636">Protected User Data</a> </td> <td> <p>Application vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as <code>RECEIVE_SMS</code>, could receive additional scrutiny.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1636/001">.001</a> </td> <td> <a href="/techniques/T1636/001">Calendar Entries</a> </td> <td> <p>Application vetting services could look for <code>android.permission.READ_CALENDAR</code> or <code>android.permission.WRITE_CALENDAR</code> in an Android application's manifest, or <code>NSCalendarsUsageDescription</code> in an iOS application's <code>Info.plist</code> file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. 
</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1636/002">.002</a> </td> <td> <a href="/techniques/T1636/002">Call Log</a> </td> <td> <p>Application vetting services could look for <code>android.permission.READ_CALL_LOG</code> in an Android application's manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. </p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1636/003">.003</a> </td> <td> <a href="/techniques/T1636/003">Contact List</a> </td> <td> <p>Application vetting services could look for <code>android.permission.READ_CONTACTS</code> in an Android application's manifest, or <code>NSContactsUsageDescription</code> in an iOS application's <code>Info.plist</code> file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1636/004">.004</a> </td> <td> <a href="/techniques/T1636/004">SMS Messages</a> </td> <td> <p>Application vetting services could look for <code>android.permission.READ_SMS</code> in an Android application's manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. </p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1422">T1422</a> </td> <td> <a href="/techniques/T1422">System Network Configuration Discovery</a> </td> <td> <p>Application vetting services could look for usage of the <code>READ_PRIVILEGED_PHONE_STATE</code> Android permission. 
This could indicate that non-system apps are attempting to access information that they do not have access to.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1422/001">.001</a> </td> <td> <a href="/techniques/T1422/001">Internet Connection Discovery</a> </td> <td> <p>Application vetting services could look for usage of the <code>READ_PRIVILEGED_PHONE_STATE</code> Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to. </p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1422/002">.002</a> </td> <td> <a href="/techniques/T1422/002">Wi-Fi Discovery</a> </td> <td> <p>Application vetting services could look for usage of the <code>READ_PRIVILEGED_PHONE_STATE</code> Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1512">T1512</a> </td> <td> <a href="/techniques/T1512">Video Capture</a> </td> <td> <p>During the vetting process, applications using the Android permission <code>android.permission.CAMERA</code>, or the iOS <code>NSCameraUsageDescription</code> plist entry could be given closer scrutiny. 
</p> </td> </tr> </tbody> </table> </div> </div> <div class="col-md-12 section-view mobile "> <a class="anchor" id="Protected Configuration"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">Application Vetting: Protected Configuration</h4> <div class="description-body"> <p>Device configuration options that are not typically utilized by benign applications</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">Application Vetting: Protected Configuration</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Device configuration options that are not typically utilized by benign applications</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1638">T1638</a> </td> <td> <a href="/techniques/T1638">Adversary-in-the-Middle</a> </td> <td> <p>Application vetting services should look for applications that request VPN access (on Android, for example, a service declared with the <code>android.permission.BIND_VPN_SERVICE</code> permission). These applications should be heavily scrutinized since VPN functionality is not very common. </p> </td> </tr> </tbody> </table> </div> </div> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://partner.samsungknox.com/mtd" target="_blank"> Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022. 
</a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://tools.ietf.org/html/rfc8252" target="_blank"> W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://developer.android.com/training/app-links/index.html" target="_blank"> Android. (n.d.). Handling App Links. Retrieved December 21, 2016. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="4"> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/" target="_blank"> Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/" target="_blank"> Chen, Z. et al. (2021, December 29). Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. Retrieved July 31, 2023. 
</a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </body> </html>