File Access

Refers to events where a file is opened or accessed, making its contents available to the requester. This covers reading, executing, or otherwise interacting with files by authorized or unauthorized entities. Examples of relevant telemetry include file access event logs (e.g., Windows Event ID 4663), file read monitoring, and detection of unusual file access patterns. Examples of file access events:

  • File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive.
  • File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory).
  • Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., /etc/passwd on Linux or System32 files on Windows).
  • File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server).
  • File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access).

This data component can be collected through the following measures:

Windows

  • Windows Event Logs: Event ID 4663: Captures file system auditing details, including who accessed the file, access type, and file name.
  • Sysmon:
    • Event ID 11: Logs file creation time changes.
    • Event ID 1 (process creation): Can provide insight into files executed.
  • PowerShell: Commands to monitor file access in real-time: Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663}

Linux

  • Auditd: Monitor file access events using audit rules: auditctl -w /path/to/file -p rwxa -k file_access
    • View logs: ausearch -k file_access
  • Inotify: Use inotify to track file access on Linux: inotifywait -m /path/to/watch -e access

macOS

  • Unified Logs: Monitor file access using the macOS Unified Logging System.
  • FSEvents: File System Events can track file accesses: fs_usage | grep open

Network Devices

  • SMB/CIFS Logs: Monitor file access over network shares using logs from SMB or CIFS protocol.
  • NAS Logs: Collect logs from network-attached storage systems for file access events.

SIEM Integration

  • Collect file access logs from all platforms (Windows, Linux, macOS) and centralize in a SIEM for correlation and analysis.

ID: DC0055
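
The following is an added example, not part of this data component page or of any MITRE tooling. It shows what the centralized correlation described above looks like in code: auditd SYSCALL and PATH records keyed with the file_access rule from the Linux section are joined by their audit serial, Windows Security 4663 records (as a SIEM would already have parsed their EventData fields) are mapped onto the same schema, and a sliding window then flags one user/process touching many distinct files in a short span (the "File Access Patterns" example above). The auditd lines, the 4663 dictionary, the host names, the "ts" epoch field on the 4663 record, and the 20-files-in-60-seconds threshold are all constructed assumptions for the example; SubjectUserName, ProcessName, ObjectName and AccessMask are the real 4663 field names.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileAccess:
    """Common schema for one file-access event, whatever platform produced it."""
    ts: float        # epoch seconds
    host: str
    user: str        # uid (auditd) or account name (Windows)
    process: str     # comm (auditd) or ProcessName (Windows)
    path: str
    source: str      # "auditd" or "win4663"


# auditd raw records: a SYSCALL line and its PATH lines share the serial in msg=audit(ts:serial).
_SYSCALL = re.compile(
    r'type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):.*?\buid=(?P<uid>\d+)'
    r'.*?\bcomm="(?P<comm>[^"]*)".*?\bkey="(?P<key>[^"]*)"')
_PATH = re.compile(
    r'type=PATH msg=audit\([\d.]+:(?P<serial>\d+)\):.*?\bname="(?P<name>[^"]*)"'
    r'.*?\bnametype=(?P<nametype>\w+)')


def parse_auditd(lines, host="linux-host"):
    """Join SYSCALL and PATH records by serial; emit one FileAccess per NORMAL path entry."""
    syscalls, paths = {}, defaultdict(list)
    for line in lines:
        if m := _SYSCALL.search(line):
            syscalls[m["serial"]] = m
        elif m := _PATH.search(line):
            if m["nametype"] == "NORMAL":      # skip PARENT (directory) entries
                paths[m["serial"]].append(m["name"])
    out = []
    for serial, sc in syscalls.items():
        for name in paths.get(serial, []):
            out.append(FileAccess(float(sc["ts"]), host, sc["uid"], sc["comm"], name, "auditd"))
    return out


def from_win4663(event, host="win-host"):
    """Map a parsed Security 4663 record onto the schema ("ts" is an assumed epoch field)."""
    return FileAccess(float(event["ts"]), host, event["SubjectUserName"],
                      event["ProcessName"], event["ObjectName"], "win4663")


def detect_bulk_access(events, window_s=60.0, min_distinct=20):
    """Alert when one (host, user, process) touches >= min_distinct distinct files within window_s seconds.
    Sliding window per actor; one alert per actor, on the first window that trips."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e.host, e.user, e.process)].append(e)
    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e.ts)
        start, seen = 0, defaultdict(int)      # seen: path -> occurrences inside the window
        for end, e in enumerate(evs):
            seen[e.path] += 1
            while evs[end].ts - evs[start].ts > window_s:
                seen[evs[start].path] -= 1
                if seen[evs[start].path] == 0:
                    del seen[evs[start].path]
                start += 1
            if len(seen) >= min_distinct:
                alerts.append({"host": actor[0], "user": actor[1], "process": actor[2],
                               "distinct_files": len(seen),
                               "first_ts": evs[start].ts, "last_ts": e.ts})
                break
    return alerts


def _auditd_pair(ts, serial, uid, comm, path):
    """Construct a SYSCALL + PATH record set in ausearch raw format (sample data, not real logs)."""
    return [
        f'type=SYSCALL msg=audit({ts:.3f}:{serial}): arch=c000003e syscall=257 success=yes exit=3 '
        f'items=2 ppid=1 pid=4242 auid=1000 uid={uid} gid=1000 euid={uid} comm="{comm}" '
        f'exe="/usr/bin/{comm}" key="file_access"',
        f'type=PATH msg=audit({ts:.3f}:{serial}): item=0 name="/srv/share" inode=1 mode=040755 nametype=PARENT',
        f'type=PATH msg=audit({ts:.3f}:{serial}): item=1 name="{path}" inode=2 mode=0100644 nametype=NORMAL',
    ]


# Constructed sample input: one benign single read, then one process reading 25 documents in 25 seconds.
SAMPLE_AUDITD = _auditd_pair(1700000000.0, 100, 1000, "vim", "/home/alice/notes.txt")
for i in range(25):
    SAMPLE_AUDITD += _auditd_pair(1700000100.0 + i, 200 + i, 1001, "tar", f"/srv/share/doc{i:02d}.docx")

SAMPLE_WIN4663 = [  # constructed, using the real 4663 EventData field names plus an assumed "ts"
    {"ts": 1700000300.0, "SubjectUserName": "bob", "ProcessName": "C:\\Windows\\explorer.exe",
     "ObjectName": "C:\\Finance\\financial_report.xlsx", "AccessMask": "0x1"},
]


def run_sample():
    """Normalize both sources and return the bulk-access alerts (one, for the tar burst)."""
    events = parse_auditd(SAMPLE_AUDITD) + [from_win4663(e) for e in SAMPLE_WIN4663]
    return detect_bulk_access(events)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The window and threshold are tuning knobs: a backup agent or indexer will legitimately trip a 20-files-per-minute rule, so in practice the actor key (host, user, process) is what lets you allow-list known bulk readers while still catching an archiver or script run under an interactive user account.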
Domains: ICS, Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name Channel
auditd:FILE /home/*/.mozilla/firefox/*/logins.json OR /home/*/.config/google-chrome/*/Login Data
auditd:FILE /proc/*/mem read attempt
auditd:FS read: File access to /proc/modules or /sys/module/
auditd:PATH Read access to known backup software configuration files (e.g., /etc/rsnapshot.conf, /opt/veeam/config.ini)
auditd:PATH open: Access to sensitive log files (/var/log/auth.log, /var/log/secure, /var/log/syslog)
auditd:PATH path
auditd:PATH PATH
auditd:PATH file read
auditd:SYSCALL open, read, or stat of browser config files
auditd:SYSCALL open: File access attempt on /tmp/krb5cc_* or /tmp/krb5.ccache
auditd:SYSCALL openat
auditd:SYSCALL open
auditd:SYSCALL open, read
auditd:SYSCALL open, flock, fcntl, unlink
auditd:SYSCALL read/open of sensitive files
auditd:SYSCALL Unusual processes accessing or modifying cookie databases
auditd:SYSCALL PATH records referencing /dev/video*
auditd:SYSCALL open, read: /etc/ssl/, /etc/pki/, ~/.pki/nssdb/
auditd:SYSCALL Processes reading credential or token cache files
auditd:SYSCALL read/open of sensitive file directories
auditd:SYSCALL open/read of sensitive config or secret files
auditd:SYSCALL open/read of sensitive directories
auditd:SYSCALL open/read: Access to /proc/self/status with focus on TracerPID field
auditd:SYSCALL open/read access to ~/.bash_history
auditd:SYSCALL open,read
auditd:SYSCALL open/read system calls to ~/.bash_history or /etc/shadow
auditd:SYSCALL read of /run/secrets or docker volumes by non-entrypoint process
auditd:SYSCALL Reads of ~/.bash_history, ~/.mozilla, or access to /dev/input
auditd:SYSCALL open/read
auditd:SYSCALL open: Access to named pipes or FIFO in /tmp or /dev/shm by unexpected processes
auditd:SYSCALL open or read to browser cookie storage
auditd:SYSCALL open, read, mount
auditd:SYSCALL file
auditd:SYSCALL Access to /var/lib/sss/secrets/secrets.ldb or .secrets.mkey
auditd:SYSCALL open/read of sensitive directories (/etc, /home/*)
auditd:SYSCALL PATH
auditd:SYSCALL open/read on ~/.local/share/keepassxc/* OR ~/.password-store/*
azure:activity CollectGuestLogs: Unexpected collection of guest logs by Azure VM Agent outside normal maintenance windows
CloudTrail:GetObject sensitive credential files in buckets or local image storage
desktop:file_manager nautilus, dolphin, or gvfs logs
ebpf:syscalls container_file_activity
ebpf:syscalls open/read on secret mount paths
esxi:hostd datastore file access
esxi:hostd read: Access to sensitive log files by non-admin users
esxi:hostd datastore/log file access
esxi:hostd vSphere File API Access
esxi:hostd file copy or datastore upload via HTTPS
esxi:syslog guest OS outbound transfer logs
esxi:vmkernel VMFS access logs
esxi:vmkernel Datastore Access
File None
fs:fileevents File system access events with kFSEventStreamEventFlagItemRemoved, kFSEventStreamEventFlagItemRenamed flags for environmental artifact collection (/System/Library, /usr/sbin, plist files)
fs:fsevents file system events indicating access to system configuration files and environmental information sources
fs:fsusage file
fs:fsusage File Access Monitor
fs:fsusage Disk Activity Tracing
fs:fsusage filesystem activity
fs:fsusage Filesystem Call Monitoring
fs:fsusage read/write
fs:fsusage file open for known browser cookie paths
fs:fsusage file reads/writes from /Volumes/
fs:quarantine /var/log/quarantine.log
gcp:audit Write operations to storage
kubernetes:audit GET or LIST requests to /var/run/secrets/kubernetes.io/serviceaccount/ followed by access to the Kubernetes API server
linux:osquery /proc/*/maps access
linux:osquery None
linux:syslog auth.log or custom tool logs
linux:syslog /var/log/syslog
linux:syslog kernel messages related to cryptographic operations, module loading, and filesystem access patterns
m365:unified FileAccessed, MailboxAccessed
m365:unified Bulk downloads or API extractions from Microsoft-hosted data repositories (e.g., Dynamics 365)
macos:endpointsecurity ES_EVENT_TYPE_NOTIFY_OPEN: Open of .dylib/.so in user-writable locations
macos:endpointsecurity open: Process opens AppleCamera/IOUSB device nodes or AVFoundation frameworks
macos:endpointsecurity open or read syscall to ~/.bash_history
macos:endpointsecurity es_event_open, es_event_exec
macos:keychain Access to Keychain DB or system.keychain
macos:keychain ~/Library/Keychains, /Library/Keychains
macos:osquery file_events
macos:osquery None
macos:unifiedlog Access to ~/Library/*/Safari or Chrome directories by non-browser processes
macos:unifiedlog file events
macos:unifiedlog Kerberos framework calls to API:{uuid} cache outside normal process lineage
macos:unifiedlog ~/Library/Application Support/Google/Chrome/*/Login Data OR ~/Library/Application Support/Firefox/*/logins.json
macos:unifiedlog Read access to Time Machine plist files or CCC configurations in ~/Library/Preferences/
macos:unifiedlog log stream - file subsystem
macos:unifiedlog file read of sensitive directories
macos:unifiedlog Abnormal process access to Safari or Chrome cookie storage
macos:unifiedlog open: Access to /var/log/system.log or related security event logs
macos:unifiedlog open/read of *.plist or .env files
macos:unifiedlog read of user document directories
macos:unifiedlog read access to ~/Library/Keychains/login.keychain-db
macos:unifiedlog filesystem and process events
macos:unifiedlog read access to ~/Library/Keychains or history files by terminal processes
macos:unifiedlog access to /Volumes/SharePoint or network mount
macos:unifiedlog Access to ~/Library/Safari/Bookmarks.plist or recent files
macos:unifiedlog access to keychain database
macos:unifiedlog log stream - file provider subsystem
macos:unifiedlog read/write of user documents prior to upload
macos:unifiedlog open/read access to private key files (id_rsa, *.pem, *.p12)
macos:unifiedlog read: File access to /System/Library/Extensions/ or related kernel extension paths
macos:unifiedlog *.opvault OR *.ldb OR *.kdbx
WinEventLog:Microsoft-Windows-Windows Defender/Operational Suspicious file execution on removable media path
WinEventLog:Security EventCode=4663
WinEventLog:Security EventCode=4656, 4663
WinEventLog:Security EventCode=4656,4663
WinEventLog:Security EventCode=4670, 4663
WinEventLog:Security EventCode=4656
WinEventLog:Security EventCode=5145, 4663

Detection Strategy

ID Name Technique Detected
DET0413 Abuse of Information Repositories for Data Collection T1213
DET0186 Automated File and API Collection Detection Across Platforms T1119
DET0088 Backup Software Discovery via CLI, Registry, and Process Inspection (T1518.002) T1518.002
DET0197 Behavior-chain, platform-aware detection strategy for T1125 Video Capture T1125
DET0018 Behavior-chain, platform-aware detection strategy for T1129 Shared Modules T1129
DET0102 Behavioral Detection of Input Capture Across Platforms T1056
DET0089 Behavioral Detection of Keylogging Activity Across Platforms T1056.001
DET0140 Behavioral Detection of Malicious File Deletion T1070.004
DET0508 Behavioral Detection of Process Injection Across Platforms T1055
DET0008 Behavioral Detection of Remote Cloud Logins via Valid Accounts T1021.007
DET0464 Behavioral Detection of Wi-Fi Discovery Activity T1016.002
DET0131 Behavioral Detection Strategy for Exfiltration Over Alternative Protocol T1048
DET0221 Behavioral Detection Strategy for T1123 Audio Capture Across Windows, Linux, macOS T1123
DET0112 Boot or Logon Initialization Scripts Detection Strategy T1037
DET0446 Credential Access via /etc/passwd and /etc/shadow Parsing T1003.008
DET0234 Credential Dumping via Sensitive Memory and Registry Access Correlation T1003
DET0591 Cross-Platform Behavioral Detection of File Timestomping via Metadata Tampering T1070.006
DET0493 Detect Abuse of Inter-Process Communication (T1559) T1559
DET0385 Detect Access and Parsing of .bash_history Files for Credential Harvesting T1552.003
DET0412 Detect Access or Search for Unsecured Credentials Across Platforms T1552
DET0396 Detect Access to macOS Keychain for Credential Theft T1555.001
DET0307 Detect Access to Unsecured Credential Files Across Platforms T1552.001
DET0430 Detect Credentials Access from Password Stores T1555
DET0024 Detect Kerberos Ccache File Theft or Abuse (T1558.005) T1558.005
DET0522 Detect Kerberos Ticket Theft or Forgery (T1558) T1558
DET0047 Detect Local Email Collection via Outlook Data File Access and Command Line Tooling T1114.001
DET0072 Detect Logon Script Modifications and Execution T1037.001
DET0257 Detect Mark-of-the-Web (MOTW) Bypass via Container and Disk Image Files T1553.005
DET0037 Detect Suspicious Access to Browser Credential Stores T1555.003
DET0549 Detect Suspicious Access to Private Key Files and Export Attempts Across Platforms T1552.004
DET0057 Detect Suspicious Access to securityd Memory for Credential Extraction T1555.002
DET0597 Detect Unauthorized Access to Password Managers T1555.005
DET0420 Detect User Activity Based Sandbox Evasion via Input & Artifact Probing T1497.002
DET0044 Detecting Malicious Browser Extensions Across Platforms T1176.001
DET0593 Detecting OS Credential Dumping via /proc Filesystem Access on Linux T1003.007
DET0034 Detection of Adversarial Process Discovery Behavior T1057
DET0734 Detection of Automated Collection T0802
DET0554 Detection of Bluetooth-Based Data Exfiltration T1011.001
DET0513 Detection of Cached Domain Credential Dumping via Local Hash Cache Access T1003.005
DET0139 Detection of Credential Harvesting via API Hooking T1056.004
DET0511 Detection of Data Access and Collection from Removable Media T1025
DET0123 Detection of Data Exfiltration via Removable Media T1052
DET0749 Detection of Data from Local System T0893
DET0014 Detection of Data Staging Prior to Exfiltration T1074
DET0512 Detection of Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1048.002
DET0149 Detection of Exfiltration Over Unencrypted Non-C2 Protocol T1048.003
DET0013 Detection of Local Browser Artifact Access for Reconnaissance T1217
DET0380 Detection of Local Data Collection Prior to Exfiltration T1005
DET0261 Detection of Local Data Staging Prior to Exfiltration T1074.001
DET0132 Detection of Mutex-Based Execution Guardrails Across Platforms T1480.002
DET0071 Detection of Remote Data Staging Prior to Exfiltration T1074.002
DET0739 Detection of Remote System Discovery T0846
DET0787 Detection of Remote System Information Discovery T0888
DET0733 Detection of Replication Through Removable Media T0847
DET0220 Detection of USB-Based Data Exfiltration T1052.001
DET0791 Detection of User Execution T0863
DET0509 Detection of Web Session Cookie Theft via File, Memory, and Network Artifacts T1539
DET0541 Detection Strategy for /proc Memory Injection on Linux T1055.009
DET0281 Detection Strategy for Compressed Payload Creation and Execution T1027.015
DET0410 Detection Strategy for Data from Network Shared Drive T1039
DET0059 Detection Strategy for Data Manipulation T1565
DET0371 Detection Strategy for Debugger Evasion (T1622) T1622
DET0579 Detection Strategy for Device Driver Discovery T1652
DET0214 Detection Strategy for Embedded Payloads T1027.009
DET0369 Detection Strategy for Event Triggered Execution via Trap (T1546.005) T1546.005
DET0348 Detection Strategy for Exfiltration Over C2 Channel T1041
DET0548 Detection Strategy for Exfiltration Over Web Service T1567
DET0153 Detection Strategy for Exfiltration Over Webhook T1567.004
DET0570 Detection Strategy for Exfiltration to Cloud Storage T1567.002
DET0318 Detection Strategy for Exfiltration to Code Repository T1567.001
DET0284 Detection Strategy for Exfiltration to Text Storage Sites T1567.003
DET0051 Detection Strategy for File/Path Exclusions T1564.012
DET0171 Detection Strategy for Forged Web Cookies T1606.001
DET0260 Detection Strategy for Forged Web Credentials T1606
DET0255 Detection Strategy for Log Enumeration T1654
DET0347 Detection Strategy for Masquerading via Legitimate Resource Name or Location T1036.005
DET0553 Detection Strategy for Obfuscated Files or Information: Binary Padding T1027.001
DET0574 Detection Strategy for Remote System Enumeration Behavior T1018
DET0240 Detection Strategy for Steal or Forge Authentication Certificates T1649
DET0119 Detection Strategy for Steganographic Abuse in File & Script Execution T1027.003
DET0515 Detection Strategy for T1528 - Steal Application Access Token T1528
DET0476 Email Collection via Local Email Access and Auto-Forwarding Behavior T1114
DET0587 Enumeration of User or Account Information Across Platforms T1087
DET0474 Environmental Keying Discovery-to-Decryption Behavioral Chain Detection Strategy T1480.001
DET0287 Exploitation for Client Execution – cross-platform behavior chain (browser/Office/3rd-party apps) T1203
DET0082 Internal Website and System Content Defacement via UI or Messaging Modifications T1491.001
DET0390 Linux Detection Strategy for T1547.013 - XDG Autostart Entries T1547.013
DET0303 Local Account Enumeration Across Host Platforms T1087.001
DET0292 Masquerading via Space After Filename - Behavioral Detection Strategy T1036.006
DET0562 Multi-Platform Execution Guardrails Environmental Validation Detection Strategy T1480
DET0491 Peripheral Device Enumeration via System Utilities and API Calls T1120
DET0105 Post-Credential Dump Password Cracking Detection via Suspicious File Access and Hash Analysis Tools T1110.002
DET0370 Recursive Enumeration of Files and Directories Across Privilege Contexts T1083
DET0301 Removable Media Execution Chain Detection via File and Process Activity T1091
DET0527 Right-to-Left Override Masquerading Detection via Filename and Execution Context T1036.002
DET0242 Suspicious Database Access and Dump Activity Across Environments (T1213.006) T1213.006
DET0478 User Execution – multi-surface behavior chain (documents/links → helper/unpacker → LOLBIN/child → egress) T1204