Detection of Data from Local System

Technique Detected: Data from Local System | T0893

ID: DET0749
Domains: ICS
Analytics: AN1881
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1881

Monitor for unexpected/abnormal access to files that may be malicious collection of local data, such as user files (e.g., .pdf, .docx, .jpg, .dwg) or local databases.
Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data.
Monitor for any suspicious attempts to enable scripts running on a system. If scripts are not commonly used on a system but are enabled, scripts running outside the normal cycle of patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data.
Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
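As an added example (not part of the DET0749 page or of any ATT&CK analytic code), the following Python check applies the command-execution part of AN1881 to constructed process-creation records: it flags commands that recursively search for the user file types named above, skips a hypothetical baseline of processes known to enumerate files legitimately, and requires two independent indicators before raising a finding. Hostnames, users, paths and the baseline entry are all made up.

```python
import re

# Constructed sample events (not from any real host), reduced to the fields a
# process-creation record (e.g. Sysmon Event ID 1 or Windows 4688) provides.
EVENTS = [
    {"host": "eng-ws01", "user": "CORP\\operator1",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c dir /s /b C:\Users\*.dwg C:\Projects\*.pdf > C:\Temp\list.txt"},
    {"host": "eng-ws01", "user": "CORP\\operator1",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -nop -w hidden Get-ChildItem -Path C:\Users -Recurse -Include *.docx,*.jpg"},
    {"host": "hmi-02", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files\BackupAgent\backup.exe",
     "command_line": r"backup.exe --scan C:\Users --include *.pdf"},
    {"host": "eng-ws01", "user": "CORP\\operator1",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Projects\notes.txt"},
]

# File types the analytic names as typical collection targets.
SENSITIVE_EXT = re.compile(r"\*\.(pdf|docx|jpg|dwg)\b", re.IGNORECASE)
# Recursive enumeration idioms in cmd.exe and PowerShell.
RECURSIVE_SEARCH = re.compile(
    r"(dir\s+(/\S+\s+)*/s|get-childitem.*-recurse|gci.*-recurse|where\s+/r|findstr\s+/s)",
    re.IGNORECASE)
# Hypothetical site baseline: images allowed to enumerate user files (e.g. a backup agent).
BASELINE_IMAGES = {r"c:\program files\backupagent\backup.exe"}

def score_event(ev):
    """Return the list of indicators present in one process-creation record."""
    cl = ev["command_line"]
    reasons = []
    if RECURSIVE_SEARCH.search(cl):
        reasons.append("recursive file search")
    exts = sorted({m.lower() for m in SENSITIVE_EXT.findall(cl)})
    if exts:
        reasons.append("targets user-document types: " + ",".join(exts))
    if "powershell" in ev["image"].lower() and re.search(r"-w(indowstyle)?\s+hidden", cl, re.I):
        reasons.append("hidden PowerShell window")
    return reasons

def detect_local_collection(events):
    """Raise a finding only for non-baselined processes showing two or more indicators."""
    findings = []
    for ev in events:
        if ev["image"].lower() in BASELINE_IMAGES:
            continue
        reasons = score_event(ev)
        if len(reasons) >= 2:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "image": ev["image"], "reasons": reasons})
    return findings
```

Running `detect_local_collection(EVENTS)` flags both eng-ws01 enumeration commands and leaves the baselined backup agent and the single-file notepad launch alone.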

Log Sources