Suspicious and Malicious Activity by MITRE ATT&CK

This catalog describes observable suspicious and malicious activity aligned to the current MITRE ATT&CK Enterprise tactics and techniques. Each activity links directly to the vendor-neutral log sources that can report it.

ATT&CK techniques describe how adversaries achieve an objective. A single activity can map to multiple techniques, and a single technique can produce several observable activities. The listed log sources indicate potential observability, not guaranteed detection. Collection, audit policy, retention, and field availability still determine whether the activity is visible.

Reconnaissance

Reconnaissance activity occurs before initial access and is often observable only at public-facing systems or through external monitoring.

Suspicious or malicious activity	ATT&CK	Log sources that can report it
Repeated probing of public services, ports, and protocols	T1595 Active Scanning	Network Firewall Logs, Network Flow Logs, Network Intrusion Detection Logs, Web Application Firewall Logs
Enumeration of public web paths, APIs, parameters, and files	T1595.003 Wordlist Scanning	Web Server Access Logs, Web Application Firewall Logs, API Gateway Logs
DNS enumeration and attempted zone transfer	T1590 Gather Victim Network Information	Authoritative DNS Logs, Network Intrusion Detection Logs
Scraping public applications, repositories, or exposed documents	T1593 Search Open Websites/Domains	Web Server Access Logs, API Gateway Logs, Source-Code Management Audit Logs
Discovery of newly exposed public assets and services	T1595 Active Scanning	Attack-Surface Management Logs, Network Firewall Logs

Resource Development

Most resource-development activity occurs outside the target environment. It becomes observable when adversary-controlled infrastructure or capabilities interact with monitored systems.

Suspicious or malicious activity	ATT&CK	Log sources that can report it
Lookalike domain, certificate, or external infrastructure begins interacting with the environment	T1583 Acquire Infrastructure	DNS Resolver Logs, TLS and Certificate Metadata Logs, Threat-Intelligence Platform Logs
Staged malicious files or tools are delivered from external hosting	T1608 Stage Capabilities	Proxy and Secure Web Gateway Logs, Email Gateway Logs, Content Inspection and Malware Scanning Logs
Compromised accounts or infrastructure are used to distribute content	T1584 Compromise Infrastructure	Identity Provider Sign-In Logs, Email Gateway Logs, Web Server Access Logs

Initial Access

Suspicious or malicious activity	ATT&CK	Log sources that can report it
Malicious attachment, link, or message delivered to a user	T1566 Phishing	Email Gateway Logs, Mailbox Audit Logs, Content Inspection and Malware Scanning Logs
User opens a delivered file or follows a malicious link	T1566 Phishing	Endpoint Detection and Response Telemetry, Process Execution Logs, Proxy and Secure Web Gateway Logs
Public-facing application receives exploit-like requests	T1190 Exploit Public-Facing Application	Web Application Firewall Logs, Web Server Access Logs, Application Runtime Logs, Network Intrusion Detection Logs
Valid credentials are used from an unusual source or context	T1078 Valid Accounts	Identity Provider Sign-In Logs, Directory-Service Authentication Logs, Remote Access and VPN Authentication Logs
Remote service accepts an external login or session	T1133 External Remote Services	Remote Access and VPN Authentication Logs, Remote Desktop and Remote Support Logs, Network Firewall Logs
Malicious content is injected into an online traffic channel	T1659 Content Injection	Packet-Capture Data, Network Metadata Logs, TLS and Certificate Metadata Logs
Compromised software or update package is installed	T1195 Supply Chain Compromise	Package and Software Installation Logs, Application-Control Logs, Artifact Repository Logs, Continuous Integration and Continuous Delivery/Deployment Logs

Execution

Suspicious or malicious activity	ATT&CK	Log sources that can report it
Command shell or interpreter executes commands	T1059 Command and Scripting Interpreter	Process Execution Logs, Command-Line and Shell History Logs, Script-Execution Logs
PowerShell executes scripts, encoded content, or remote commands	T1059.001 PowerShell	Windows PowerShell Logs, Process Execution Logs, Endpoint Detection and Response Telemetry
A user launches or approves execution of malicious content	T1204 User Execution	Process Execution Logs, File-System Activity Logs, Email Gateway Logs
Client application behavior changes immediately after exploitation	T1203 Exploitation for Client Execution	Endpoint Detection and Response Telemetry, Memory-Protection and Exploit-Mitigation Logs, Application Runtime Logs
Trusted or signed system binary launches unexpected content	T1218 System Binary Proxy Execution	Process Execution Logs, Application-Control Logs, Module, Library, and Image-Load Logs
Scheduled job, service, or automation executes a payload	T1053 Scheduled Task/Job	Scheduled Task and Job Logs, Service and Daemon Management Logs, Process Execution Logs
Container administration interface executes a command in a workload	T1609 Container Administration Command	Orchestrator Audit Logs, Container Runtime Logs, Container Runtime Security Logs
Serverless function or cloud workload is invoked unexpectedly	T1648 Serverless Execution	Cloud Function and Serverless Logs, Cloud Control-Plane Audit Logs, Cloud Identity and Access Management Logs

Persistence

Suspicious or malicious activity	ATT&CK	Log sources that can report it
New local, domain, cloud, or service account is created	T1136 Create Account	Windows Security Event Logs, Directory-Service Audit Logs, Identity Provider Audit Logs, Cloud Identity and Access Management Logs
Credentials, group memberships, roles, or account properties are modified	T1098 Account Manipulation	Directory-Service Audit Logs, Identity Provider Audit Logs, Cloud Identity and Access Management Logs
Startup, logon, or shell configuration is changed to launch code	T1547 Boot or Logon Autostart Execution	Registry and Configuration-Store Logs, File-System Activity Logs, Process Execution Logs
New or modified system service launches an executable	T1543 Create or Modify System Process	Service and Daemon Management Logs, Windows System Event Logs, Linux System Logs
Scheduled task or job is created or modified for recurring execution	T1053 Scheduled Task/Job	Scheduled Task and Job Logs, Windows Task Scheduler Logs, Linux Service-Manager Logs
Email forwarding or mailbox rule is created	T1114.003 Email Forwarding Rule	Mailbox Audit Logs, Identity Provider Audit Logs, Application Audit Logs
New cloud role, key, token, application, or service identity is added	T1098 Account Manipulation	Cloud Identity and Access Management Logs, Cloud Control-Plane Audit Logs, Cloud Key-Management Logs
New privileged or long-running container workload is deployed	T1610 Deploy Container	Orchestrator Audit Logs, Container Runtime Logs, Container Image Registry Logs

Privilege Escalation

Suspicious or malicious activity	ATT&CK	Log sources that can report it
Process or account invokes an elevation-control mechanism	T1548 Abuse Elevation Control Mechanism	Process Execution Logs, Linux Authentication Logs, Windows Security Event Logs
Exploit causes a process to gain elevated privileges	T1068 Exploitation for Privilege Escalation	Endpoint Detection and Response Telemetry, System-Call Telemetry, Memory-Protection and Exploit-Mitigation Logs
Permissions, roles, or group memberships grant new administrative access	T1098 Account Manipulation	Directory-Service Audit Logs, Identity Provider Audit Logs, Cloud Identity and Access Management Logs
Access token, process token, or security context is manipulated	T1134 Access Token Manipulation	Windows Security Event Logs, Process Execution Logs, Endpoint Detection and Response Telemetry
Privileged container or workload is created	T1610 Deploy Container	Orchestrator Audit Logs, Container Runtime Security Logs, Container Runtime Logs

Defense Evasion (TA0005) — Evasion Behaviors

Suspicious or malicious activity	ATT&CK	Log sources that can report it
File, process, service, account, or resource is renamed or made to resemble a trusted object	T1036 Masquerading	Process Execution Logs, File-System Activity Logs, Application-Control Logs
Payload, script, command, or file content is encoded, packed, or obfuscated	T1027 Obfuscated Files or Information	Script-Execution Logs, Content Inspection and Malware Scanning Logs, Sandbox Analysis Logs
Existing trusted software or native functionality is abused	T1218 System Binary Proxy Execution	Process Execution Logs, Application-Control Logs, Endpoint Detection and Response Telemetry
File timestamps, metadata, or indicators are modified	T1070 Indicator Removal	File-System Activity Logs, File-Integrity Monitoring Logs, Operating-System Audit Logs
Process injection or in-memory execution changes another process	T1055 Process Injection	Endpoint Detection and Response Telemetry, Memory-Protection and Exploit-Mitigation Logs, System-Call Telemetry
Social interaction manipulates a user into taking an unsafe action	T1566 Phishing	Email Gateway Logs, Collaboration Platform Audit Logs, Mailbox Audit Logs
Security capability is downgraded to an older or weaker version	T1562.010 Impair Defenses: Downgrade Attack	Package and Software Installation Logs, Configuration and Compliance Scanner Logs, Application Audit Logs

Defense Evasion (TA0005) — Defense Impairment Behaviors

Suspicious or malicious activity	ATT&CK	Log sources that can report it
Security agent, monitoring process, or protection tool is stopped, disabled, or modified	T1562.001 Impair Defenses: Disable or Modify Tools	Endpoint Sensor Health Logs, Service and Daemon Management Logs, Antivirus and Antimalware Logs
Audit, logging, or telemetry collection is disabled or reduced	T1562.001 Impair Defenses: Disable or Modify Tools	Central Log Collector Logs, Security Information and Event Management Logs, Operating-System Audit Logs
Security or system logs are cleared or deleted	T1070.001 Clear Windows Event Logs	Windows Security Event Logs, Central Log Collector Logs, Security Information and Event Management Logs
Host, cloud, or network firewall policy is disabled or weakened	T1562.004 Impair Defenses: Disable or Modify System Firewall	Local Firewall Logs, Network Firewall Logs, Cloud Firewall and Security-Group Logs
Security policy, access control, or monitoring configuration is modified	T1562 Impair Defenses	Identity Provider Audit Logs, Cloud Control-Plane Audit Logs, Network Configuration Change Logs
Vulnerability is exploited specifically to disable or bypass defenses	T1562 Impair Defenses	Memory-Protection and Exploit-Mitigation Logs, Endpoint Detection and Response Telemetry, Application Runtime Logs

Credential Access

Suspicious or malicious activity	ATT&CK	Log sources that can report it
Repeated password guessing, spraying, or credential stuffing	T1110 Brute Force	Identity Provider Sign-In Logs, Directory-Service Authentication Logs, Application Authentication Logs, Remote Access and VPN Authentication Logs
MFA prompts are repeatedly generated or denied	T1621 Multi-Factor Authentication Request Generation	Multi-Factor Authentication Logs, Identity Provider Sign-In Logs
Password stores, browser credentials, keychains, or vaults are accessed	T1555 Credentials from Password Stores	File-System Activity Logs, Endpoint Detection and Response Telemetry, Password-Management and Credential-Vault Logs
Operating-system credential material or protected memory is accessed	T1003 OS Credential Dumping	Endpoint Detection and Response Telemetry, Process Execution Logs, Memory-Protection and Exploit-Mitigation Logs
Kerberos tickets are requested or manipulated abnormally	T1558 Steal or Forge Kerberos Tickets	Directory-Service Authentication Logs, Windows Security Event Logs
Input, clipboard, or screen content is captured	T1056 Input Capture	Endpoint Detection and Response Telemetry, Mobile Endpoint Security Logs, Remote Desktop and Remote Support Logs
Cloud secrets, keys, certificates, or tokens are retrieved	T1552 Unsecured Credentials	Cloud Secrets-Manager Logs, Cloud Key-Management Logs, Secrets-Management Logs, Certificate-Authority and Public-Key Infrastructure Logs

Discovery

Suspicious or malicious activity	ATT&CK	Log sources that can report it
Accounts, groups, roles, or permissions are enumerated	T1087 Account Discovery	Directory-Service Audit Logs, Cloud Identity and Access Management Logs, Process Execution Logs
Files, directories, shares, or storage objects are enumerated	T1083 File and Directory Discovery	File-System Activity Logs, Cloud Object-Storage Access Logs, Process Execution Logs
Network services, ports, systems, or subnets are scanned internally	T1046 Network Service Discovery	Network Flow Logs, Network Firewall Logs, Network Detection and Response Telemetry
Running processes, services, software, or security tools are enumerated	T1057 Process Discovery	Process Execution Logs, Endpoint Detection and Response Telemetry, Asset Inventory and Discovery Logs
System, host, domain, or operating-system information is collected	T1082 System Information Discovery	Process Execution Logs, Operating-System Logs, Endpoint Detection and Response Telemetry
Cloud resources, services, regions, or configurations are enumerated	T1580 Cloud Infrastructure Discovery	Cloud Control-Plane Audit Logs, Cloud Resource-Configuration Inventory, Cloud Identity and Access Management Logs
Container, cluster, namespace, secret, or workload information is enumerated	T1613 Container and Resource Discovery	Orchestrator Audit Logs, Container Runtime Logs, Orchestrator Control-Plane Component Logs

Lateral Movement

Suspicious or malicious activity	ATT&CK	Log sources that can report it
Remote desktop, shell, management, or administrative service is used between systems	T1021 Remote Services	Remote Desktop and Remote Support Logs, Windows Remote Management Logs, Linux Authentication Logs, Network Flow Logs
Valid credentials or alternate authentication material are reused on another system	T1550 Use Alternate Authentication Material	Directory-Service Authentication Logs, Windows Security Event Logs, Identity Provider Sign-In Logs
Tool, payload, or file is transferred to another internal system	T1570 Lateral Tool Transfer	File-System Activity Logs, Network Flow Logs, File Transfer Service Logs
Remote service, task, or process is created on another host	T1021 Remote Services	Service and Daemon Management Logs, Scheduled Task and Job Logs, Process Execution Logs
Internal host begins connecting broadly to peers or new administrative paths	T1021 Remote Services	Network Flow Logs, Network Detection and Response Telemetry, Network Firewall Logs
Container or workload identity accesses another namespace, node, or service	T1021 Remote Services	Container Network Logs, Service Mesh Logs, Orchestrator Audit Logs

Collection

Suspicious or malicious activity	ATT&CK	Log sources that can report it
Files, records, messages, or objects are accessed in bulk	T1119 Automated Collection	File-System Activity Logs, Database Audit Logs, Cloud Object-Storage Access Logs, Mailbox Audit Logs
Data is collected from local files, network shares, or repositories	T1005 Data from Local System	File-System Activity Logs, Storage-System Audit Logs, Source-Code Management Audit Logs
Email messages, attachments, or mailbox content are collected	T1114 Email Collection	Mailbox Audit Logs, Mail Transport Logs, Application Audit Logs
Database contents are queried, copied, or exported	T1213 Data from Information Repositories	Database Audit Logs, Data Warehouse Audit Logs, Application Audit Logs
Cloud-hosted documents, objects, snapshots, or backups are accessed	T1530 Data from Cloud Storage	Cloud Object-Storage Access Logs, Cloud Data-Plane Access Logs, Backup and Recovery Logs
Data is staged, compressed, encrypted, or archived before transfer	T1074 Data Staged	File-System Activity Logs, Process Execution Logs, Endpoint Detection and Response Telemetry
Screens, input, audio, or video are captured	T1113 Screen Capture	Endpoint Detection and Response Telemetry, Mobile Endpoint Security Logs, Application Audit Logs

Command and Control

Suspicious or malicious activity	ATT&CK	Log sources that can report it
Endpoint or workload communicates periodically with an external destination	T1071 Application Layer Protocol	Network Flow Logs, Network Detection and Response Telemetry, Proxy and Secure Web Gateway Logs
DNS queries or responses carry command, control, or encoded data	T1071.004 DNS	DNS Resolver Logs, Packet-Capture Data, Network Detection and Response Telemetry
Encrypted or obfuscated network channel is established	T1573 Encrypted Channel	TLS and Certificate Metadata Logs, Network Flow Logs, Network Metadata Logs
Web, cloud, social, or collaboration service is used as a control channel	T1102 Web Service	Proxy and Secure Web Gateway Logs, Collaboration Platform Audit Logs, Cloud Data-Plane Access Logs
Tool or payload is downloaded into the environment	T1105 Ingress Tool Transfer	Proxy and Secure Web Gateway Logs, File-System Activity Logs, Content Inspection and Malware Scanning Logs
Proxy, relay, tunnel, or port forwarding is configured	T1090 Proxy	Process Execution Logs, Network Flow Logs, Network Configuration Change Logs
Multiple staged communication channels are used	T1104 Multi-Stage Channels	Network Detection and Response Telemetry, DNS Resolver Logs, Proxy and Secure Web Gateway Logs

Exfiltration

Suspicious or malicious activity	ATT&CK	Log sources that can report it
Large or unusual outbound transfer leaves the environment	T1041 Exfiltration Over C2 Channel	Network Flow Logs, Network Firewall Logs, Data Loss Prevention Logs
Data is uploaded to cloud storage, web service, or external repository	T1567 Exfiltration Over Web Service	Proxy and Secure Web Gateway Logs, Cloud Data-Plane Access Logs, Source-Code Management Audit Logs, Data Loss Prevention Logs
Data leaves through DNS, email, file transfer, or another alternate protocol	T1048 Exfiltration Over Alternative Protocol	DNS Resolver Logs, Email Gateway Logs, File Transfer Service Logs, Network Metadata Logs
Removable media receives copied data	T1052 Exfiltration Over Physical Medium	Removable-Media and Peripheral Device Logs, File-System Activity Logs, Data Loss Prevention Logs
Automated process repeatedly transfers staged data	T1020 Automated Exfiltration	Process Execution Logs, Network Flow Logs, Scheduled Task and Job Logs
Transfer size, timing, or channel is deliberately limited to evade controls	T1030 Data Transfer Size Limits	Network Flow Logs, Proxy and Secure Web Gateway Logs, Data Loss Prevention Logs

Impact

Suspicious or malicious activity	ATT&CK	Log sources that can report it
Files, records, cloud objects, or resources are deleted or destroyed	T1485 Data Destruction	File-System Activity Logs, Database Audit Logs, Cloud Control-Plane Audit Logs, Cloud Object-Storage Access Logs
Files or systems are encrypted for impact	T1486 Data Encrypted for Impact	File-System Activity Logs, Endpoint Detection and Response Telemetry, File-Integrity Monitoring Logs
Service, host, network, or account availability is disrupted	T1499 Endpoint Denial of Service	Metrics and Monitoring-System Logs, Network Firewall Logs, Application Runtime Logs, Operating-System Crash and Diagnostic Logs
Accounts, roles, or access are removed to lock out legitimate users	T1531 Account Access Removal	Identity Provider Audit Logs, Directory-Service Audit Logs, Cloud Identity and Access Management Logs
Backup, snapshot, or recovery capability is deleted or impaired	T1490 Inhibit System Recovery	Backup and Recovery Logs, Process Execution Logs, Cloud Control-Plane Audit Logs
Configuration, firmware, or device state is modified to cause operational impact	T1495 Firmware Corruption	Infrastructure Management Interface Logs, Hardware and Environmental Monitoring Logs, Industrial Control System Logs
Data or application content is manipulated to undermine integrity	T1565 Data Manipulation	Database Audit Logs, Application Audit Logs, File-Integrity Monitoring Logs
Resource use rises sharply due to unauthorized computation or abuse	T1496 Resource Hijacking	Metrics and Monitoring-System Logs, Cloud Billing and Usage Logs, Process Execution Logs, Container Runtime Logs

Observability Notes

A linked source can report an activity only when the relevant audit or collection capability is enabled.
Several sources are often required to establish actor, action, target, timing, and outcome.
Some ATT&CK activities occur outside defender-controlled infrastructure and may have no direct internal log source.
Aggregation platforms such as EDR, NDR, SIEM, XDR, and UEBA derive activity from underlying sources and should not replace source-level collection.
ATT&CK mappings should be validated against the exact technique and platform before being used in production detection content.

Reconnaissance​

Resource Development​

Initial Access​

Execution​

Persistence​

Privilege Escalation​

Defense Evasion (TA0005) — Evasion Behaviors​

Defense Evasion (TA0005) — Defense Impairment Behaviors​

Credential Access​

Discovery​

Lateral Movement​

Collection​

Command and Control​

Exfiltration​

Impact​

Observability Notes​

MITRE ATT&CK References​