File Metadata

Contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insight into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples:

  • File Ownership and Permissions: Checking that a critical file carries the owner and ACL it should, e.g. that /etc/passwd on Linux is owned by root and not world-writable, or that C:\Windows\System32\config\SAM on Windows grants access only to SYSTEM and Administrators.
  • Timestamps: Analyzing the creation, modification, and access timestamps of a file.
  • File Content and Signatures: Extracting the headers of an executable file (PE, ELF, Mach-O) to verify its code signature, or to detect packing/obfuscation from indicators such as high section entropy or a missing PDB path.
  • File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows.
  • File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds. MD5 and SHA-1 are collision-prone and should only be used to match legacy indicators; use SHA-256 for integrity baselines.
  • File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders.

This data component can be collected through the following measures:

Windows

  • Sysinternals Tools: Use AccessEnum (effective permissions and owners across a directory tree) or PsFile (files opened remotely) to retrieve metadata about file access and permissions.
  • Windows Event Logs: Enable the Object Access audit subcategories (Audit File System, Audit File Share) and set a SACL on the files of interest, then monitor events such as 4663 (An attempt was made to access an object), 4670 (Permissions on an object were changed) and 5140 (A network share object was accessed). Without a SACL on the object, 4663 and 4670 are not generated.
  • PowerShell: Use Get-Item or Get-ChildItem cmdlets: Get-ChildItem -Path "C:\Path\To\Directory" -Recurse | Select-Object Name, Length, LastWriteTime, Attributes. Get-Acl returns the owner and DACL, and Get-FileHash computes the SHA-256 for comparison against threat intelligence.

Linux

  • File System Commands: Use ls -l or stat to retrieve file metadata (mode, owner, size, inode, and the access/modify/change timestamps; stat also shows the birth time where the filesystem supports it): stat /path/to/file
  • Auditd: Configure audit rules to log writes and attribute changes (the -p wa permissions are write and attribute change): auditctl -w /path/to/file -p wa -k file_metadata. Path watches cover individual files or directories; syscall rules (-a always,exit -S ... with the chmod/chown/xattr family) cover the whole system and produce the auditd:SYSCALL records listed under Log Sources.
  • Filesystem Integrity Tools: Tools like tripwire or AIDE (Advanced Intrusion Detection Environment) can monitor file metadata changes.

macOS

  • FSEvents: Use FSEvents with file-level events enabled (kFSEventStreamCreateFlagFileEvents) to track per-file metadata changes such as ItemInodeMetaMod, ItemChangeOwner and ItemXattrMod.
  • Endpoint Security Framework (ESF): Capture metadata-related events via ESF APIs, e.g. the SETMODE, SETOWNER, SETFLAGS, SETEXTATTR and UTIMES notify events.
  • Command-Line Tools: Use ls -l or xattr for file attributes: ls -l@ /path/to/file (extended attributes such as com.apple.quarantine); ls -lO shows BSD file flags such as hidden or uchg.

SIEM Integration

  • Forward file metadata logs from endpoint or network devices to a SIEM for centralized analysis, normalizing them to a common schema (path, hash, owner, mode, timestamps) so that rules correlate across platforms.
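
The collection steps above list the fields to gather on each platform. The following script, added here as an example and not taken from the ATT&CK page, collects those fields for every file in a directory (owner, mode, timestamps, size, SHA-256, header magic) and applies the checks a detection engineer would layer on top: setuid/setgid bits, world-writable mode, hidden dot-files, an executable header behind a document extension, and a modification time newer than the inode change time, which is the signature left when a file is timestomped to a future date. The signature table, the extension list and the sample files are assumptions constructed for the example.

```python
"""Collect file metadata and flag common anomalies.

Added example, not code from the ATT&CK page: walks a directory, records the
fields the page lists (owner, mode, timestamps, size, SHA-256, header magic)
and flags what a detection engineer looks for. Sample files are constructed
in a temporary directory so the script runs offline.
"""
import hashlib
import os
import stat
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path

# Assumption: a small illustrative signature table, not a full libmagic database.
MAGIC = {b"MZ": "pe", b"\x7fELF": "elf", b"\xcf\xfa\xed\xfe": "macho",
         b"\xca\xfe\xba\xbe": "macho-fat", b"%PDF": "pdf", b"PK\x03\x04": "zip"}
EXECUTABLE_TYPES = {"pe", "elf", "macho", "macho-fat"}
# Assumption: extensions that should never carry an executable header.
DATA_EXTENSIONS = {".txt", ".pdf", ".jpg", ".png", ".docx", ".log"}


@dataclass
class FileMeta:
    path: str
    size: int
    mode: int
    uid: int
    gid: int
    mtime: float
    ctime: float
    sha256: str
    magic: str
    findings: list = field(default_factory=list)


def detect_magic(head: bytes) -> str:
    for sig, name in MAGIC.items():
        if head.startswith(sig):
            return name
    return "unknown"


def collect(path: Path) -> FileMeta:
    st = path.lstat()
    with open(path, "rb") as fh:
        head = fh.read(8)                 # enough for every signature above
        digest = hashlib.sha256(head)     # the hash still covers the whole file
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    meta = FileMeta(str(path), st.st_size, st.st_mode, st.st_uid, st.st_gid,
                    st.st_mtime, st.st_ctime, digest.hexdigest(), detect_magic(head))
    if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        meta.findings.append("setuid_or_setgid")
    if st.st_mode & stat.S_IWOTH:          # on Windows st_mode is synthetic; use Get-Acl there
        meta.findings.append("world_writable")
    if path.name.startswith("."):
        meta.findings.append("hidden")
    if meta.magic in EXECUTABLE_TYPES and path.suffix.lower() in DATA_EXTENSIONS:
        meta.findings.append("magic_ext_mismatch")
    # On Unix st_ctime is the inode change time: every content or metadata
    # change moves it forward, so a normal file never has mtime > ctime.
    # touch -d / utime() with a future date leaves exactly that signature.
    # (On Windows st_ctime is the creation time; the check still catches a
    # future-dated mtime but not a back-dated one.)
    if st.st_mtime > st.st_ctime + 1:
        meta.findings.append("mtime_newer_than_ctime")
    return meta


def scan(directory: str) -> dict:
    """Return {file name: FileMeta} for every regular file under directory."""
    results = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            p = Path(root) / name
            if p.is_file() and not p.is_symlink():
                results[name] = collect(p)
    return results


def build_sample(directory: str) -> None:
    """Constructed sample: one clean file and four files with one anomaly each."""
    d = Path(directory)
    elf = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 56
    samples = {
        "clean.txt": b"hello\n",
        "notes.txt": b"MZ\x90\x00" + b"\x00" * 60,   # PE header behind a .txt name
        "helper": elf,                               # gets the setuid bit below
        ".hidden_loader": elf,                       # dot-file in a scanned directory
        "report.pdf": b"%PDF-1.4\n%%EOF\n",          # gets a future mtime below
    }
    for name, data in samples.items():
        (d / name).write_bytes(data)
        os.chmod(d / name, 0o644)
    os.chmod(d / "helper", 0o4755)
    future = time.time() + 365 * 86400
    os.utime(d / "report.pdf", (future, future))


def demo() -> dict:
    """Build the constructed sample in a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for name, m in sorted(demo().items()):
        print(f"{name:15} {oct(m.mode & 0o7777):>6} uid={m.uid} {m.magic:9} "
              f"sha256={m.sha256[:12]}.. {m.findings}")
```

Run it on Linux or macOS. On Windows, st_mode and st_ctime carry different semantics (see the comments), so the permission check belongs in Get-Acl and the timestomping check in a comparison of the NTFS $STANDARD_INFORMATION and $FILE_NAME timestamps rather than mtime against ctime.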
ID: DC0059
Domains: ICS, Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name Channel
auditd:CONFIG_CHANGE chmod or chown of hook files indicating privilege escalation or execution permission change
auditd:PATH file path matches exclusion directories
auditd:PATH PATH
auditd:PATH file path modifications on critical system directories (/etc, /usr/bin, /usr/sbin, /var, /opt)
auditd:SYSCALL Inotify watch creation or auditctl changes on /etc/cron* or /lib/systemd/system/
auditd:SYSCALL path
auditd:SYSCALL file write after sleep delay
auditd:SYSCALL syscall in (chmod, fchmod, fchmodat, chown, fchown, fchownat, setxattr, lsetxattr, fsetxattr)
auditd:SYSCALL setuid or setgid bit changes
auditd:SYSCALL syscall in (chmod, fchmod, fchmodat, chown, fchown, fchownat, lchown, setxattr, lsetxattr, fsetxattr, removexattr, lremovexattr, fremovexattr)
auditd:SYSCALL setxattr or getxattr system call
auditd:SYSCALL chmod, chown, setxattr, or file writes to /etc/ssl/* or /usr/local/share/ca-certificates/*
ebpf:syscalls Unexpected container volume unmount + file deletion
EDR:detection App reputation telemetry
EDR:file File Metadata Inspection (Low String Entropy, Missing PDB)
EDR:file File Metadata Analysis (PE overlays, entropy)
esxi:hostd host daemon events related to file or VM permission changes
esxi:syslog Datastore file hidden or renamed unexpectedly
esxi:vmkernel Upload of file to datastore
esxi:vmkernel Storage access and file ops
esxi:vmkernel VMware kernel events for file system permission modifications
esxi:vmkernel Datastore modification events
File None
fs:fileevents /var/log/install.log
fs:filesystem Binary file hash changes outside of update/patch cycles
fs:fsevents file system events indicating permission or attribute changes
fs:fsusage filesystem monitoring of exec/open
fwupd:logs Firmware updates applied or failed
gatekeeper/quarantine database LaunchServices quarantine
journald:package dpkg/apt or yum/dnf transaction logs (install/update of build tools)
journald:package dpkg/apt/yum/dnf transaction logs; vendor updaters in systemd journals
journald:package dpkg/apt install, remove, upgrade events
journald:package yum/dnf install or update transactions
linux:osquery event-based
linux:osquery file_events, hash
linux:osquery hash, elf_info, file_metadata
linux:osquery file_events
linux:osquery elf_info, hash, yara_matches
linux:osquery Read headers and detect MIME type mismatch
linux:osquery file_events.path
linux:osquery Filesystem modifications to trusted paths
linux:osquery Write or modify .desktop file in XDG autostart path
linux:osquery hash, rpm_packages, deb_packages, file_events
linux:syslog Discrepancies in _VBA_PROJECT p-code vs source code extracted with oletools/pcodedmp
linux:syslog application or system execution logs
linux:syslog file permission modification events in kernel messages
linux:syslog kernel messages related to file system permission changes and security violations
macos:endpointsecurity es_event_file_rename_t or es_event_file_write_t
macos:endpointsecurity es_event_authentication
macos:osquery code_signing, file_metadata
macos:osquery file_events
macos:osquery mach_o_info, file_metadata
macos:unifiedlog softwareupdated/homebrew/install logs, pkginstalld events
macos:unifiedlog AMFI or Gatekeeper signature/notarization failures for newly installed dev components
macos:unifiedlog Detection of altered _VBA_PROJECT or PerformanceCache streams
macos:unifiedlog subsystem:syspolicyd
macos:unifiedlog File metadata updated with UF_HIDDEN flag
macos:unifiedlog Code signature validation fails or is absent post-binary modification
macos:unifiedlog Code signing verification failures or bypassed trust decisions
macos:unifiedlog Creation of new LaunchAgent or LoginItem plist files in ~/Library/LaunchAgents/
macos:unifiedlog filesystem events
macos:unifiedlog xattr -d com.apple.quarantine or similar attribute removal commands
macos:unifiedlog Gatekeeper quarantine policy decision anomalies recorded in com.apple.LaunchServices.QuarantineEventsV2
macos:unifiedlog pkginstalld/softwareupdated/Homebrew install transactions
macos:unifiedlog AMFI/Gatekeeper code signature or notarization failures
macos:unifiedlog kernel extension and system extension logs related to file system security violations or SIP bypass attempts
macos:unifiedlog Unexpected application binary modifications or altered signing status
macos:unifiedlog extended attribute write or modification
macos:unifiedlog New certificate trust settings added by unexpected process
macos:unifiedlog subsystem=com.apple.lsd
macos:unifiedlog installer or system_installd 'PackageKit: install succeeded/failed' with non-notarized or unknown signer
macos:unifiedlog Gatekeeper/AMFI 'code signature invalid' / 'not notarized' messages
macos:unifiedlog File creation or modification with com.apple.ResourceFork extended attribute
networkdevice:syslog OS version query results inconsistent with expected or approved version list
NSM:Flow Observed File Transfers
OpenBSM:AuditTrail BSM audit events for file permission modifications
OpenBSM:AuditTrail BSM audit events for file permission, ownership, and attribute modifications with user context
saas:RepoEvents New file added or modified in PR targeting CI/CD or build config (e.g., `gitlab-ci.yml`, `build.gradle`, `pom.xml`, `.github/workflows/*.yml`)
WinEventLog:Microsoft-Windows-CodeIntegrity/Operational Invalid/Unsigned image when developer tool launches newly installed binaries
WinEventLog:Microsoft-Windows-CodeIntegrity/Operational Unsigned or invalid image for newly installed/updated binaries
WinEventLog:Microsoft-Windows-CodeIntegrity/Operational Code integrity violations in boot-start drivers or firmware
WinEventLog:Microsoft-Windows-CodeIntegrity/Operational CodeIntegrity reports 'Invalid image hash' or 'Unsigned image' for new/updated binaries
WinEventLog:Microsoft-Windows-Windows Defender/Operational SmartScreen or ASR blocks on newly downloaded installer/updater
WinEventLog:Security EventCode=4670
WinEventLog:Security EventCode=4663, 4656, 4658
WinEventLog:Security EventCode=4663
WinEventLog:Setup MSI/Product install, repair or update events
WinEventLog:Sysmon EventCode=15
WinEventLog:Sysmon EventCode=15
WinEventLog:Windows Defender Operational log
WinEventLog:Windows Defender Operational
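
Several of the auditd:SYSCALL rows above (the chmod/chown/xattr family, setuid or setgid bit changes, permission or ownership changes under critical directories and the CA store) arrive as raw audit.log records that must be reassembled before they can be matched. The following parser, added here as an example and not code from the ATT&CK page or from the auditd project, groups SYSCALL, CWD and PATH records by audit serial, resolves the syscall name (from the ENRICHED SYSCALL= field when present, otherwise from the x86_64 number), reads the requested mode from the syscall argument rather than relying on the mode shown in the PATH record, resolves relative PATH names against the CWD record, and hex-decodes names that auditd encodes because they contain a space. The sample records are constructed and trimmed to the fields used; the critical-directory list is an assumption taken from the rows above.

```python
"""Turn raw auditd SYSCALL/CWD/PATH records into file-permission alerts.

Added example, not code from the ATT&CK page or the auditd project. Records
are grouped by the serial in msg=audit(ts:serial); the sample records below
are constructed and trimmed to the fields this parser uses.
"""
import os
import re
from collections import defaultdict
from dataclasses import dataclass

# x86_64 (arch=c000003e) numbers for the calls in the page's auditd:SYSCALL rows.
X86_64_SYSCALLS = {90: "chmod", 91: "fchmod", 268: "fchmodat",
                   92: "chown", 93: "fchown", 94: "lchown", 260: "fchownat",
                   188: "setxattr", 189: "lsetxattr", 190: "fsetxattr",
                   197: "removexattr", 198: "lremovexattr", 199: "fremovexattr"}
MODE_ARG = {"chmod": "a1", "fchmod": "a1", "fchmodat": "a2"}  # register holding the mode
# Assumption: prefix list built from the critical-path and CA-store rows above.
CRITICAL_DIRS = ("/etc/", "/usr/bin/", "/usr/sbin/", "/var/", "/opt/",
                 "/usr/local/share/ca-certificates/")
HEX_FIELDS = {"name", "comm", "exe", "cwd", "proctitle", "key"}  # auditd hex-encodes these
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")


@dataclass
class Alert:
    serial: str
    syscall: str
    auid: str
    uid: str
    exe: str
    path: str
    reason: str
    success: str


def decode(key: str, value: str) -> str:
    """Strip quotes, or hex-decode string fields that held a space/control char."""
    if value.startswith('"'):
        return value[1:-1]
    if key in HEX_FIELDS and re.fullmatch(r"(?:[0-9A-F]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_records(text: str) -> dict:
    """Group audit.log lines by serial: {serial: [record dict, ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if m:
            events[m.group(1)].append({k: decode(k, v) for k, v in KV_RE.findall(line)})
    return events


def analyze(events: dict) -> list:
    alerts = []
    for serial, recs in events.items():
        sysc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        name = sysc.get("SYSCALL") if sysc else None          # ENRICHED logs carry the name
        if sysc and name is None and sysc.get("arch") == "c000003e":
            name = X86_64_SYSCALLS.get(int(sysc.get("syscall", "-1")))  # raw: x86_64 only
        if name is None:
            continue
        # PATH names are relative to the CWD record; PARENT items are the directories.
        cwd = next((r["cwd"] for r in recs if r["type"] == "CWD"), "/")
        paths = [os.path.normpath(os.path.join(cwd, r["name"]))
                 for r in recs if r["type"] == "PATH" and r.get("nametype") != "PARENT"]

        def emit(path, reason):
            alerts.append(Alert(serial, name, sysc.get("auid", "?"), sysc.get("uid", "?"),
                                sysc.get("exe", "?"), path, reason, sysc.get("success", "?")))

        if name in MODE_ARG and int(sysc.get(MODE_ARG[name], "0"), 16) & 0o6000:
            for p in paths:                          # requested mode lives in the syscall args
                emit(p, "setuid_or_setgid_bit_set")
        for p in paths:
            if p.startswith(CRITICAL_DIRS):
                emit(p, "metadata_change_under_critical_dir")
    return alerts


# Constructed sample: 101 = chmod u+s on a non-system path, 102 = benign chmod (ENRICHED),
# 103 = chown via a relative path into the CA store, 104 = setxattr on a hex-encoded name.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:101): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=5581c0 a2=9ed a3=0 items=1 pid=4001 auid=1000 uid=1000 gid=1000 euid=1000 comm="chmod" exe="/usr/bin/chmod" key="file_metadata"
type=CWD msg=audit(1700000000.101:101): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:101): item=0 name="/usr/local/bin/helper" inode=131 dev=08:01 mode=0100755 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.102:102): arch=c000003e syscall=90 success=yes exit=0 a0=5581c0 a1=1a4 a2=0 a3=0 items=1 pid=4002 auid=1000 uid=1000 gid=1000 euid=1000 comm="chmod" exe="/usr/bin/chmod" key="file_metadata" ARCH=x86_64 SYSCALL=chmod AUID="alice" UID="alice"
type=CWD msg=audit(1700000000.102:102): cwd="/home/alice"
type=PATH msg=audit(1700000000.102:102): item=0 name="notes.txt" inode=210 dev=08:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.103:103): arch=c000003e syscall=260 success=yes exit=0 a0=ffffff9c a1=5581c0 a2=0 a3=0 items=1 pid=4003 auid=1000 uid=0 gid=0 euid=0 comm="chown" exe="/usr/bin/chown" key="file_metadata"
type=CWD msg=audit(1700000000.103:103): cwd="/usr/local/share"
type=PATH msg=audit(1700000000.103:103): item=0 name="ca-certificates/extra.crt" inode=777 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.104:104): arch=c000003e syscall=188 success=yes exit=0 a0=5581c0 a1=5581f0 a2=558200 a3=10 items=1 pid=4004 auid=1000 uid=0 gid=0 euid=0 comm="setfattr" exe="/usr/bin/setfattr" key="file_metadata"
type=PATH msg=audit(1700000000.104:104): item=0 name=2F6F70742F61707020646174612F636F6E666967 inode=900 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

if __name__ == "__main__":
    for a in analyze(parse_records(SAMPLE_LOG)):
        print(f"[{a.serial}] {a.reason}: {a.syscall} on {a.path!r} by uid={a.uid} "
              f"auid={a.auid} exe={a.exe} success={a.success}")
```

The hex-decoding is restricted to the fields auditd actually encodes: a numeric field such as pid=4004 is also a valid run of hex pairs and would be corrupted by a blanket decode. Failed calls (success=no) are reported too, since an unprivileged attempt to set the setuid bit on a system binary is itself worth seeing; the auid field keeps the original login identity after sudo, which is why alerts carry both auid and uid.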

Detection Strategy

ID Name Technique Detected
DET0537 Behavioral detection for Supply Chain Compromise (package/update tamper → install → first-run) T1195
DET0010 Behavioral Detection of Event Triggered Execution Across Platforms T1546
DET0184 Behavioral Detection of Indicator Removal Across Platforms T1070
DET0127 Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy T1036
DET0378 Behavioral Detection of Obfuscated Files or Information T1027
DET0112 Boot or Logon Initialization Scripts Detection Strategy T1037
DET0309 Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly) T1195.002
DET0591 Cross-Platform Behavioral Detection of File Timestomping via Metadata Tampering T1070.006
DET0288 Detect Gatekeeper Bypass via Quarantine Flag and Trust Control Manipulation T1553.001
DET0257 Detect Mark-of-the-Web (MOTW) Bypass via Container and Disk Image Files T1553.005
DET0519 Detect Persistence via Office Template Macro Injection or Registry Hijack T1137.001
DET0125 Detect persistence via reopened application plist modification (macOS) T1547.007
DET0452 Detect Subversion of Trust Controls via Certificate, Registry, and Attribute Manipulation T1553
DET0134 Detect Suspicious Access to Windows Credential Manager T1555.004
DET0230 Detect Suspicious or Malicious Code Signing Abuse T1553.002
DET0141 Detect Time-Based Evasion via Sleep, Timer Loops, and Delayed Execution T1497.003
DET0597 Detect Unauthorized Access to Password Managers T1555.005
DET0235 Detecting Steganographic Command and Control via File + Network Correlation T1001.002
DET0750 Detection of Indicator Removal on Host T0872
DET0745 Detection of Lateral Tool Transfer T0867
DET0725 Detection of Masquerading T0849
DET0730 Detection of Supply Chain Compromise T0862
DET0345 Detection Strategy for Abuse Elevation Control Mechanism (T1548) T1548
DET0033 Detection Strategy for Accessibility Feature Hijacking via Binary Replacement or Registry Modification T1546.008
DET0281 Detection Strategy for Compressed Payload Creation and Execution T1027.015
DET0059 Detection Strategy for Data Manipulation T1565
DET0569 Detection Strategy for Downgrade System Image on Network Devices T1601.002
DET0214 Detection Strategy for Embedded Payloads T1027.009
DET0406 Detection Strategy for Extended Attributes Abuse T1564.014
DET0051 Detection Strategy for File/Path Exclusions T1564.012
DET0344 Detection Strategy for Fileless Storage via Registry, WMI, and Shared Memory T1027.011
DET0502 Detection Strategy for Hidden Artifacts Across Platforms T1564
DET0032 Detection Strategy for Hidden Files and Directories T1564.001
DET0201 Detection Strategy for Hijack Execution Flow for DLLs T1574.001
DET0064 Detection Strategy for Hijack Execution Flow through Path Interception by Unquoted Path T1574.009
DET0436 Detection Strategy for Hijack Execution Flow through Services File Permissions Weakness. T1574.010
DET0038 Detection Strategy for Hijack Execution Flow using Executable Installer File Permissions Weakness T1574.005
DET0564 Detection Strategy for Hijack Execution Flow using Path Interception by Search Order Hijacking T1574.008
DET0313 Detection Strategy for HTML Smuggling via JavaScript Blob + Dynamic File Drop T1027.006
DET0189 Detection Strategy for Indicator Removal from Tools - Post-AV Evasion Modification T1027.005
DET0183 Detection Strategy for Lateral Tool Transfer across OS platforms T1570
DET0216 Detection Strategy for LC_LOAD_DYLIB Modification in Mach-O Binaries on macOS T1546.006
DET0405 Detection Strategy for LNK Icon Smuggling T1027.012
DET0101 Detection Strategy for Lua Scripting Abuse T1059.011
DET0226 Detection Strategy for Masquerading via File Type Modification T1036.008
DET0347 Detection Strategy for Masquerading via Legitimate Resource Name or Location T1036.005
DET0432 Detection Strategy for NTFS File Attribute Abuse (ADS/EAs) T1564.004
DET0533 Detection Strategy for Poisoned Pipeline Execution via SaaS CI/CD Workflows T1677
DET0584 Detection Strategy for Resource Forking on macOS T1564.009
DET0391 Detection Strategy for Runtime Data Manipulation. T1565.003
DET0193 Detection Strategy for Stored Data Manipulation across OS Platforms. T1565.001
DET0019 Detection Strategy for Stripped Payloads Across Platforms T1027.008
DET0180 Detection Strategy for T1547.009 – Shortcut Modification (Windows) T1547.009
DET0012 Detection Strategy for VBA Stomping T1564.007
DET0254 Detection Strategy of Transmitted Data Manipulation T1565.002
DET0368 Hardware Supply Chain Compromise Detection via Host Status & Boot Integrity Checks T1195.003
DET0031 Invalid Code Signature Execution Detection via Metadata and Behavioral Context T1036.001
DET0390 Linux Detection Strategy for T1547.013 - XDG Autostart Entries T1547.013
DET0258 Linux Python Startup Hook Persistence via .pth and Customize Files (T1546.018) T1546.018
DET0292 Masquerading via Space After Filename - Behavioral Detection Strategy T1036.006
DET0299 Multi-Platform File and Directory Permissions Modification Detection Strategy T1222
DET0005 Renamed Legitimate Utility Execution with Metadata Mismatch and Suspicious Path T1036.003
DET0527 Right-to-Left Override Masquerading Detection via Filename and Execution Context T1036.002
DET0009 Supply-chain tamper in dependencies/dev-tools (manager→write/install→first-run→egress) T1195.001
DET0351 Unix-like File Permission Manipulation Behavioral Chain Detection Strategy T1222.002
DET0294 User Execution – Malicious File via download/open → spawn chain (T1204.002) T1204.002
DET0252 User-Initiated Malicious Library Installation via Package Manager (T1204.005) T1204.005
DET0418 Windows DACL Manipulation Behavioral Chain Detection Strategy T1222.001