Process execution that probes user activity artifacts (e.g., desktop files, registry history) following recent user login/unlock events.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Logon Session Metadata (DC0088) | WinEventLog:Security | EventCode=4800, 4801 |

| Field | Description |
|---|---|
| TimeWindow | Window between the user unlock event and the access to user history artifacts |
| UserContext | Focus on non-system accounts performing user-activity probing |
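As an added illustration of the Windows analytic above (not part of the original page), the following Python correlates Security EventCode=4801 unlock events with later Sysmon EventCode=1 process creations that read user-activity artifacts, applying the TimeWindow and UserContext tunables. The event records, the artifact pattern list and the pre-normalised `User` field are constructed assumptions.

```python
from datetime import datetime, timedelta

# Tunables from the analytic: TimeWindow and the UserContext filter.
TIME_WINDOW = timedelta(minutes=5)
SYSTEM_ACCOUNTS = {"nt authority\\system", "nt authority\\local service",
                   "nt authority\\network service"}
# Command-line fragments that read user-activity artifacts (assumed list;
# extend it to match the tooling seen in your environment).
ARTIFACT_PATTERNS = ("recentdocs", "userassist", "typedpaths", "runmru",
                     "\\desktop", "\\recent")

# Constructed sample telemetry, not real logs. The User field is assumed to be
# normalised to DOMAIN\user for both Security and Sysmon records.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "source": "WinEventLog:Security",
     "EventCode": 4801, "User": "CORP\\alice"},
    {"ts": "2024-05-01T09:00:40", "source": "WinEventLog:Sysmon",
     "EventCode": 1, "User": "CORP\\alice",
     "CommandLine": 'reg.exe query "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs"'},
    {"ts": "2024-05-01T09:00:55", "source": "WinEventLog:Sysmon",
     "EventCode": 1, "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"ts": "2024-05-01T09:30:00", "source": "WinEventLog:Sysmon",
     "EventCode": 1, "User": "CORP\\alice",
     "CommandLine": "cmd.exe /c dir %USERPROFILE%\\Desktop"},
]


def correlate_unlock_then_probe(events, window=TIME_WINDOW):
    """Alert on process creations that read user-activity artifacts within
    `window` of the same user's most recent 4801 (workstation unlock)."""
    last_unlock = {}  # user -> datetime of the latest unlock event
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["User"].lower()
        if ev["source"] == "WinEventLog:Security" and ev["EventCode"] == 4801:
            last_unlock[user] = ts  # 4800 (lock) is not needed for this window
        elif ev["source"] == "WinEventLog:Sysmon" and ev["EventCode"] == 1:
            if user in SYSTEM_ACCOUNTS:  # UserContext: non-system accounts only
                continue
            unlock = last_unlock.get(user)
            if unlock is None or ts - unlock > window:
                continue  # no unlock seen, or outside TimeWindow
            cmd = ev["CommandLine"].lower()
            if any(p in cmd for p in ARTIFACT_PATTERNS):
                alerts.append({"user": ev["User"],
                               "seconds_after_unlock": int((ts - unlock).total_seconds()),
                               "command": ev["CommandLine"]})
    return alerts
```

Running `correlate_unlock_then_probe(SAMPLE_EVENTS)` flags only the RecentDocs query 40 seconds after the unlock; the SYSTEM process is dropped by UserContext and the later Desktop listing falls outside the window.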
Access to shell history or GUI input state (xdotool, xinput) for presence validation prior to payload execution.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:SYSCALL | Reads of ~/.bash_history, ~/.mozilla, or access to /dev/input |
| Command Execution (DC0064) | auditd:SYSCALL | Execution of xev, xdotool, or input activity emulators |

| Field | Description |
|---|---|
| ArtifactCountThreshold | Number of distinct user files accessed before the analytic triggers |
| KnownToolSignatures | Suppress expected automation tools |
API usage or filesystem access revealing user state or browser artifacts (e.g., Safari bookmarks, CGEventState).

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | macos:unifiedlog | Execution of input detection APIs (e.g., CGEventSourceKeyState) |
| File Access (DC0055) | macos:unifiedlog | Access to ~/Library/Safari/Bookmarks.plist or recent files |

| Field | Description |
|---|---|
| TimeWindow | Temporal correlation between login and file access |
| UserContext | Exclude expected UI activity from login agents |