ATT&CK Data SourcesΒΆ




Information about the Domain Name System (DNS) protocol that provides resources (Such as computers or services) names-to- IP address mapping name resolution services.


Information about file objects that represent computer resources that can be managed by the I/O system.

Logon session

Information about logon sessions being created or terminated by accounts (Local or Domain), interactively or over the network, in order to interact with network resources, applications, or services.


Information about portable executable files, such as a dll or an executable, consisting of one or more classes and interfaces.

Named pipe

Information about mechanisms that allow inter-process communication locally or over the network. A named pipe is usually found as a file and processes attach to it.

Powershell log

Information about PowerShell operations related to PowerShell engine, providers, and cmdlets.


Information about instances of computer programs that are being executed by at least one thread.

Schedule Task

Information about scheduled work that the Task Scheduler service performs.


Information about software programs that run in the background and typically start with the operating system.

User Account

Security principal or entity that represents a person or machine and can be authenticated by an operating system or platform.

Windows active directory

Information about objects on a domain network such as a user, a group, or a workstation.

Windows registry

Information about configuration data used by applications and system components.

WMI object

Information about objects from the system classes, such as filters and consumers, that support Windows Management Instrumentation activitites.