A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).[1]
Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1087 | Account Discovery | Monitor access to file resources that contain local accounts and groups information such as If access requires high privileges, look for non-admin objects (such as users or processes) attempting to access restricted file resources.
| .001 | Local Account | Monitor access to file resources that contain local accounts and groups information such as If access requires high privileges, look for non-admin objects (such as users or processes) attempting to access restricted file resources.
Enterprise | T1119 | Automated Collection | Monitor for unexpected files (e.g. .pdf, .docx, .jpg) being viewed in a way that suggests collection of internal data.
Enterprise | T1020 | Automated Exfiltration | Monitor for abnormal access to files (e.g. .pdf, .docx, .jpg), especially sensitive documents, by automated processing after the data has been gathered during Collection.
Enterprise | T1217 | Browser Bookmark Discovery | Monitor for unexpected access to browser bookmark files. Such access should not be viewed in isolation: it may be one step in a chain of behavior that leads to other activities, such as Collection and Exfiltration, based on the information obtained.
Enterprise | T1555 | Credentials from Password Stores | Monitor for access to files in common password storage locations that may be used to obtain user credentials.
| .001 | Keychain | Monitor for Keychain files being accessed that may be related to malicious credential collection.
| .003 | Credentials from Web Browsers | Identify web browser files that contain credentials such as Google Chrome's Login Data database file:
| .004 | Windows Credential Manager | Consider monitoring file reads to Vault locations,
| .005 | Password Managers | Monitor file reads that may acquire user credentials from third-party password managers.[3]
Enterprise | T1005 | Data from Local System | Monitor for unexpected/abnormal access to files that may indicate malicious collection of local data, such as user files (.pdf, .docx, .jpg, etc.) or local databases.
Enterprise | T1039 | Data from Network Shared Drive | Monitor for unexpected access to files (e.g. .pdf, .docx, .jpg) on network shares.
Enterprise | T1025 | Data from Removable Media | Monitor for unexpected/abnormal file accesses to removable media (optical disk drive, USB memory, etc.) connected to the compromised system.
Enterprise | T1074 | Data Staged | Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib.
| .001 | Local Data Staging | Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib.
| .002 | Remote Data Staging | Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib.
Enterprise | T1114 | Email Collection | Unusual processes accessing local email files, unusual processes connecting to an email server within a network, or unusual access patterns or authentication attempts on a public-facing webmail server may all be indicators of malicious activity.
| .001 | Local Email Collection | Monitor for unusual processes accessing local email files, which may indicate collection of sensitive information from user email on local systems.
Enterprise | T1048 | Exfiltration Over Alternative Protocol | Monitor for suspicious access to files (e.g. .pdf, .docx, .jpg) by processes that may exfiltrate the data over a protocol other than that of the existing command and control channel. File reads should not be viewed in isolation but correlated with the process's network activity.
| .001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Monitor for file reads by processes that may exfiltrate the data over a symmetrically encrypted network protocol other than that of the existing command and control channel.
| .002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Monitor for file reads by processes that may exfiltrate the data over an asymmetrically encrypted network protocol other than that of the existing command and control channel.
| .003 | Exfiltration Over Unencrypted Non-C2 Protocol | Monitor for file reads by processes that may exfiltrate the data over an unencrypted network protocol other than that of the existing command and control channel.
Enterprise | T1041 | Exfiltration Over C2 Channel | Monitor for suspicious access to files (e.g. .pdf, .docx, .jpg) by processes that may exfiltrate the data over an existing command and control channel.
Enterprise | T1011 | Exfiltration Over Other Network Medium | Monitor for files being accessed that could be related to exfiltration, such as file reads by a process that also has an active network connection.
| .001 | Exfiltration Over Bluetooth | Monitor for files being accessed that could be related to exfiltration, such as file reads by a process that also has an active network connection. Also monitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.
Enterprise | T1052 | Exfiltration Over Physical Medium | Monitor file access on removable media that may attempt to exfiltrate data via a physical medium, such as a removable drive.
| .001 | Exfiltration over USB | Monitor file access on removable media that may attempt to exfiltrate data over a USB connected physical device.
Enterprise | T1567 | Exfiltration Over Web Service | Monitor for files being accessed by a process that may be exfiltrating data to an existing, legitimate external Web service rather than over its primary command and control channel.
| .001 | Exfiltration to Code Repository | Monitor for files being accessed by a process that may be exfiltrating data to a code repository rather than over its primary command and control channel.
| .002 | Exfiltration to Cloud Storage | Monitor for files being accessed by a process that may be exfiltrating data to a cloud storage service rather than over its primary command and control channel.
Enterprise | T1187 | Forced Authentication | Monitor for unexpected files used to gather credentials when the files are rendered.
Enterprise | T1003 | OS Credential Dumping | Monitor for hash dumpers opening the Security Accounts Manager (SAM) on the local file system (
| .002 | Security Account Manager | Monitor for hash dumpers opening the Security Accounts Manager (SAM) on the local file system (
| .003 | NTDS | Monitor for access to or copying of NTDS.dit.
| .007 | Proc Filesystem | Monitor for unexpected access to passwords and hashes stored in memory. To read them, a process must open the maps file in the /proc filesystem for the process being analyzed. This file is stored under the path
| .008 | /etc/passwd and /etc/shadow | Monitor for files being accessed that may attempt to dump the contents of
Enterprise | T1018 | Remote System Discovery | Monitor for files (such as
Enterprise | T1091 | Replication Through Removable Media | Monitor for unexpected files accessed on removable media.
Enterprise | T1558 | Steal or Forge Kerberos Tickets | Monitor for unexpected processes interacting with lsass.exe.[4] Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored. Monitor for unusual processes accessing
Enterprise | T1539 | Steal Web Session Cookie | Monitor for unusual processes accessing the files in which web browsers store session cookies, which may indicate cookie theft.
Enterprise | T1033 | System Owner/User Discovery | Monitor for hash dumpers opening the Security Accounts Manager (SAM) on the local file system (
Enterprise | T1552 | Unsecured Credentials | Monitor for suspicious file access activity, specifically indications that a process is reading multiple files in a short amount of time and/or using command-line arguments indicative of searching for credential material (ex: regex patterns). These may be indicators of automated/scripted credential access behavior. Monitoring when the user's
| .001 | Credentials In Files | Monitor for files being accessed that may search local file systems and remote file shares for files containing insecurely stored credentials. While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained.
| .003 | Bash History | Monitoring when the user's
| .004 | Private Keys | Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity.
| .006 | Group Policy Preferences | Monitor for attempts to access SYSVOL that involve searching for XML files.
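Three of the rows above (credential-store reads under T1003/T1555, a process reading many files in a short time under T1552, and reads from disparate locations written into one directory under T1074) are concrete enough to run as analytics. The Python below is an added example written for this page, not ATT&CK content and not any vendor's detection code: it parses constructed EID 4663-style file-access events and applies those three heuristics. The event line format, the sensitive-path patterns, the process allowlists and the thresholds are all assumptions for illustration and should be tuned to the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event format (not a real 4663 layout): timestamp, account, pid,
# process image, object opened, and whether the handle was used to read or write.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) "
    r"object=(?P<object>.+?) access=(?P<access>read|write)$"
)
# Sensitive files named in the table and the processes expected to open them.
# Patterns and allowlists are assumptions for illustration; tune per environment.
SENSITIVE_FILES = {
    "SAM hive": (re.compile(r"\\system32\\config\\sam$", re.I), {"lsass.exe"}),
    "NTDS.dit": (re.compile(r"\\ntds\.dit$", re.I), {"lsass.exe", "ntdsutil.exe"}),
    "Chrome Login Data": (re.compile(r"\\login data$", re.I), {"chrome.exe"}),
    "/etc/shadow": (re.compile(r"^/etc/shadow$"), {"sshd", "login", "su", "sudo"}),
}

def parse_event(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["pid"] = int(ev["pid"])
    return ev

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def dirname(path):
    return "/".join(re.split(r"[\\/]", path)[:-1]).lower()

def sensitive_access(events):
    """Credential-store reads (T1003, T1555) by a process not on the allowlist."""
    return [(ev["pid"], label) for ev in events
            for label, (pattern, allowed) in SENSITIVE_FILES.items()
            if pattern.search(ev["object"]) and basename(ev["image"]) not in allowed]

def burst_reads(events, window=timedelta(seconds=60), threshold=20):
    """T1552: a process reading >= threshold distinct files inside one window."""
    by_pid = defaultdict(list)
    for ev in events:
        if ev["access"] == "read":
            by_pid[ev["pid"]].append(ev)
    flagged = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):          # sliding window over sorted reads
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({e["object"].lower() for e in evs[start:end + 1]}) >= threshold:
                flagged.append(pid)
                break
    return flagged

def staging_candidates(events, min_source_dirs=5, concentration=0.9):
    """T1074: reads from many directories, writes concentrated in one directory."""
    reads, writes = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["access"] == "read":
            reads[ev["pid"]].add(dirname(ev["object"]))
        else:
            writes[ev["pid"]][dirname(ev["object"])] += 1
    out = []
    for pid, dirs in writes.items():
        top_dir, top_n = max(dirs.items(), key=lambda kv: kv[1])
        if len(reads[pid]) >= min_source_dirs and top_n / sum(dirs.values()) >= concentration:
            out.append((pid, top_dir))
    return out

def build_sample_events():
    """Constructed telemetry: lsass reading SAM (expected), dump.exe reading SAM,
    Chrome reading its own Login Data, and collect.exe sweeping 25 project
    folders into one temp directory within 25 seconds."""
    lines = [
        "2024-05-01T10:00:01 user=SYSTEM pid=620 image=C:\\Windows\\System32\\lsass.exe "
        "object=C:\\Windows\\System32\\config\\SAM access=read",
        "2024-05-01T10:00:05 user=ACME\\jdoe pid=4412 image=C:\\Temp\\dump.exe "
        "object=C:\\Windows\\System32\\config\\SAM access=read",
        "2024-05-01T10:00:07 user=ACME\\jdoe pid=4412 image=C:\\Temp\\dump.exe "
        "object=C:\\Windows\\System32\\config\\SYSTEM access=read",
        "2024-05-01T10:02:00 user=ACME\\jdoe pid=3001 image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe "
        "object=C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data access=read",
    ]
    for i in range(25):
        ts = f"2024-05-01T10:05:{i:02d}"
        lines.append(f"{ts} user=ACME\\jdoe pid=5100 image=C:\\Users\\jdoe\\collect.exe "
                     f"object=C:\\Users\\jdoe\\Documents\\proj{i}\\notes.docx access=read")
        lines.append(f"{ts} user=ACME\\jdoe pid=5100 image=C:\\Users\\jdoe\\collect.exe "
                     f"object=C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage\\{i}.docx access=write")
    return [parse_event(line) for line in lines]
```

Run against the constructed events, `sensitive_access` returns only the dump.exe read of the SAM hive (lsass and Chrome are allowlisted), `burst_reads` and `staging_candidates` both return pid 5100. The allowlist is the part that needs the most care in production: an overly broad one hides the hash dumper, an overly narrow one alerts on every backup agent.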
Initial construction of a new file (ex: Sysmon EID 11)
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1560 | Archive Collected Data | Monitor newly constructed files being written with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.
| .001 | Archive via Utility | Monitor newly constructed files being written with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.
| .002 | Archive via Library | Monitor newly constructed files being written with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.
| .003 | Archive via Custom Method | Monitor newly constructed files being written with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.
Enterprise | T1547 | Boot or Logon Autostart Execution | Monitor for newly constructed files that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.
| .006 | Kernel Modules and Extensions | Monitor for newly constructed files that may modify the kernel to automatically execute programs on system boot.
| .008 | LSASS Driver | Monitor newly constructed files that may modify or add LSASS drivers to obtain persistence on compromised systems.
| .009 | Shortcut Modification | Monitor for LNK files created with a Zone Identifier value greater than 1, which may indicate that the LNK file originated from outside of the network.[5] Analysis should attempt to relate shortcut creation events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections.
| .010 | Port Monitors | Monitor newly constructed files that may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.
| .012 | Print Processors | Monitor for newly constructed files that may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
| .013 | XDG Autostart Entries | Malicious XDG autostart entries may be detected by auditing file creation events within the
| .015 | Login Items | All login items created via shared file lists are viewable by using the System Preferences GUI or in the
Enterprise | T1037 | Boot or Logon Initialization Scripts | Monitor for newly constructed files that may use scripts automatically executed at boot or logon initialization to establish persistence.
| .002 | Login Hook | Monitor for the creation of and/or changes to login hook files (
| .003 | Network Logon Script | Monitor for newly constructed files by unusual accounts outside of normal administration duties.
| .004 | RC Scripts | Monitor for a newly constructed /etc/rc.local file.
| .005 | Startup Items | Monitor for newly constructed files by unusual accounts outside of normal administration duties.
Enterprise | T1176 | Browser Extensions | Monitor for newly constructed files. On macOS, all installed extensions maintain a plist file in the /Library/Managed Preferences/username/ directory; ensure all listed files are in alignment with approved extensions.
Enterprise | T1554 | Compromise Client Software Binary | Monitor for newly constructed files that may modify client software binaries to establish persistent access to systems.
Enterprise | T1543 | Create or Modify System Process | Monitor for newly constructed files that may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.
| .001 | Launch Agent | Monitor for newly constructed files that may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
| .002 | Systemd Service | Systemd service unit files may be detected by auditing file creation and modification events within the
| .004 | Launch Daemon | Monitor for new files added to the
Enterprise | T1486 | Data Encrypted for Impact | Monitor for newly constructed files in user directories.
Enterprise | T1565 | Data Manipulation | Monitor for newly constructed files that may be used to manipulate external outcomes or hide activity.
| .001 | Stored Data Manipulation | Monitor for newly constructed files that may be used to manipulate external outcomes or hide activity.
| .003 | Runtime Data Manipulation | Monitor for newly constructed files that may be used to manipulate external outcomes or hide activity.
Enterprise | T1074 | Data Staged | Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
| .001 | Local Data Staging | Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
| .002 | Remote Data Staging | Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Enterprise | T1491 | Defacement | Monitor for newly constructed visual content for internal or external enterprise networks.
| .001 | Internal Defacement | Monitor for newly constructed files that may deface systems internal to an organization in an attempt to intimidate or mislead users.
| .002 | External Defacement | Monitor for newly constructed files that may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users.
Enterprise | T1189 | Drive-by Compromise | Monitor for newly constructed files written to disk by a web browser during the normal course of browsing, which may indicate an attempt to gain access to a system through a drive-by compromise.
Enterprise | T1546 | Event Triggered Execution | Monitor newly constructed files that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.
| .002 | Screensaver | Monitor newly constructed files that may establish persistence by executing malicious content triggered by user inactivity.
| .004 | Unix Shell Configuration Modification | Monitor for newly constructed files that may establish persistence through executing malicious commands triggered by a user's shell. For most Linux and macOS systems, a list of file paths for valid shell options available on a system is located in the
| .005 | Trap | Monitor for newly constructed files that may establish persistence by executing malicious content triggered by an interrupt signal.
| .008 | Accessibility Features | Monitor newly constructed files that may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features.
| .013 | PowerShell Profile | Locations where
| .014 | Emond | Monitor emond rules creation by checking for files created in
Enterprise | T1187 | Forced Authentication | Monitor for newly constructed .LNK, .SCF, or any other files on systems and within virtual environments that contain resources that point to external network resources.
Enterprise | T1564 | Hide Artifacts | Monitor for newly constructed files that may attempt to hide artifacts associated with their behaviors to evade detection.
| .001 | Hidden Files and Directories | Monitor the file system and shell commands for files being created with a leading ".".
| .006 | Run Virtual Instance | Monitor for newly constructed files associated with running a virtual instance, such as binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V).
| .009 | Resource Forking | Monitor for newly constructed files that may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications.
Enterprise | T1574 | Hijack Execution Flow | Monitor for newly constructed files that may execute their own malicious payloads by hijacking the way operating systems run programs.
| .001 | DLL Search Order Hijacking | Monitor newly constructed .manifest and .local redirection files that do not correlate with software updates.
| .002 | DLL Side-Loading | Monitor for newly constructed files in common folders on the computer system.
| .004 | Dylib Hijacking | Monitor for newly constructed dylibs.
| .005 | Executable Installer File Permissions Weakness | Monitor for newly constructed files whose names match an existing service executable; such creation events can be detected and correlated with other suspicious behavior.
| .006 | Dynamic Linker Hijacking | Monitor for newly constructed shared libraries at paths referenced by dynamic linker configuration, such as the LD_PRELOAD variable or /etc/ld.so.preload on Linux and DYLD_INSERT_LIBRARIES on macOS.
| .007 | Path Interception by PATH Environment Variable | Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Also, monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
| .008 | Path Interception by Search Order Hijacking | Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Also, monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
| .009 | Path Interception by Unquoted Path | Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Also, monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
| .010 | Services File Permissions Weakness | Monitor for creation of binaries and service executables that do not occur during a regular software update or an update scheduled by the organization. This behavior also considers files that are overwritten.
Enterprise | T1105 | Ingress Tool Transfer | Monitor for file creation and files transferred into the network.
Enterprise | T1570 | Lateral Tool Transfer | Monitor for newly constructed files resulting from a lateral tool transfer.
Enterprise | T1036.007 | Masquerading: Double File Extension | Monitor for files written to disk that contain two file extensions, particularly when the second is an executable.
Enterprise | T1556 | Modify Authentication Process | Monitor for suspicious additions to the /Library/Security/SecurityAgentPlugins directory.[11]
| .002 | Password Filter DLL | Monitor for newly constructed files that may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.
Enterprise | T1027 | Obfuscated Files or Information | Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).
| .004 | Compile After Delivery | Monitor for newly constructed files that may be source code or payloads compiled after delivery.
| .006 | HTML Smuggling | Monitor for files newly constructed via JavaScript; developing rules for the different variants, with their combinations of encoding and/or encryption schemes, may be very challenging. Consider monitoring files downloaded from the Internet, possibly by HTML Smuggling, for suspicious activities. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.
Enterprise | T1137 | Office Application Startup | Monitor for newly constructed files that may leverage Microsoft Office-based applications for persistence between startups.
| .001 | Office Template Macros | Monitor for newly constructed files that may abuse Microsoft Office templates to obtain persistence on a compromised system.
| .002 | Office Test | Monitor for newly constructed files that may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system.
| .006 | Add-ins | Monitor for newly constructed files that may abuse Microsoft Office add-ins to obtain persistence on a compromised system.
Enterprise | T1566 | Phishing | Monitor for newly constructed files originating from phishing messages that are used to gain access to victim systems.
| .001 | Spearphishing Attachment | Monitor for newly constructed files originating from spearphishing emails with a malicious attachment that are used to gain access to victim systems.
Enterprise | T1091 | Replication Through Removable Media | Monitor for newly constructed files on removable media.
Enterprise | T1496 | Resource Hijacking | Monitor for common cryptomining files on local systems that may indicate compromise and resource usage.
Enterprise | T1053 | Scheduled Task/Job | Monitor newly constructed files that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.
| .007 | Container Orchestration Job | Monitor for newly constructed files by using the logging agents on Kubernetes nodes, and retrieve logs from sidecar proxies for application and resource pods to monitor malicious container orchestration job deployments.
Enterprise | T1505 | Server Software Component | Consider monitoring file locations associated with the installation of new application software components, such as paths from which applications typically load such extensible components.
| .002 | Transport Agent | Consider monitoring file locations associated with the installation of new application software components, such as paths from which applications typically load such extensible components.
| .003 | Web Shell | File monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script.[12]
| .004 | IIS Components | Monitor for creation of files (especially DLLs on webservers) that could be abused as malicious ISAPI extensions/filters or IIS modules.
Enterprise | T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass | Monitor compressed/archive and image files downloaded from the Internet, as the contents may not be tagged with the MOTW. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.
Enterprise | T1218 | System Binary Proxy Execution | Monitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity.
| .001 | Compiled HTML File | Monitor presence and use of CHM files, especially if they are not typically used within an environment.
| .002 | Control Panel | Monitor for newly constructed Control Panel item files (.cpl), particularly those created in unusual locations or by unexpected processes.
| .005 | Mshta | Monitor use of HTA files. If they are not typically used within an environment then execution of them may be suspicious.
| .014 | MMC | Monitor for creation and use of .msc files. MMC may legitimately be used to call Microsoft-created .msc files, such as
Enterprise | T1080 | Taint Shared Content | Processes that write or overwrite many files to a network shared directory may be suspicious; monitor for newly constructed files on shares.
Enterprise | T1204 | User Execution | Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).
| .001 | Malicious Link | Monitor for malicious documents and files that are downloaded from a link and executed on the user's computer.
| .002 | Malicious File | Monitor for newly constructed files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).
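Several rows above reduce to checks on a single file-creation event: archive headers that do not match the extension (T1560), a document extension followed by an executable one (T1036.007), an LNK whose Zone.Identifier is greater than 1 (T1547.009), a leading "." (T1564.001), file types that are unusual in most environments (T1218, T1187) and scripts written under a web root (T1505.003). The Python below is an added example written for this page, not ATT&CK content and not any vendor's detection code; it folds those checks into one triage function and runs it over constructed creation events. Sysmon EID 11 does not carry the file's leading bytes or ZoneId, so the example assumes a collector that reads both after creation; the extension sets and web-root prefixes are assumptions to adjust per environment.

```python
# Added example, not ATT&CK content. Header bytes of the archive formats the
# T1560 rows name; renaming a file does not change them, so the header check
# complements the extension check.
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar",
                 b"7z\xbc\xaf\x27\x1c": "7z", b"\x1f\x8b": "gzip"}
# Extensions that legitimately carry an archive header (OOXML documents are zips).
ARCHIVE_EXTS = {"zip", "rar", "7z", "gz", "tgz", "jar", "docx", "xlsx", "pptx", "apk"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "hta", "lnk", "ps1"}
# File types the table calls out as unusual in most environments (assumed list).
UNUSUAL_EXTS = {"hta": "T1218.005", "chm": "T1218.001", "cpl": "T1218.002",
                "msc": "T1218.014", "scf": "T1187"}
WEBSHELL_EXTS = {"aspx", "asp", "ashx", "php", "jsp", "jspx"}
WEB_ROOTS = ("c:/inetpub/wwwroot/", "/var/www/")  # assumed; set per server

def triage_created_file(path, header=b"", zone_id=None):
    """Return the findings for one file-creation event.

    header  - leading bytes of the new file (assumed to be read by the collector)
    zone_id - ZoneId from the Zone.Identifier alternate data stream, or None
    """
    findings = []
    norm = path.replace("\\", "/").lower()
    name = norm.rsplit("/", 1)[-1]
    if name.startswith("."):
        findings.append("T1564.001 hidden dotfile")
    exts = name.lstrip(".").split(".")[1:]
    last = exts[-1] if exts else ""
    if len(exts) >= 2 and last in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS:
        findings.append(f"T1036.007 double extension .{exts[-2]}.{last}")
    if last == "lnk" and zone_id is not None and zone_id > 1:
        findings.append(f"T1547.009 LNK with Zone.Identifier {zone_id}")
    for magic, fmt in ARCHIVE_MAGIC.items():
        if header.startswith(magic) and last not in ARCHIVE_EXTS:
            findings.append(f"T1560 {fmt} header under extension .{last}")
    if last in UNUSUAL_EXTS:
        findings.append(f"{UNUSUAL_EXTS[last]} unusual file type .{last}")
    if last in WEBSHELL_EXTS and norm.startswith(WEB_ROOTS):
        findings.append("T1505.003 script written under web root")
    return findings

# Constructed creation events (path, leading bytes, ZoneId); not real telemetry.
SAMPLE_CREATES = [
    ("C:\\Users\\jdoe\\Downloads\\invoice.pdf.exe", b"MZ\x90\x00", 3),
    ("C:\\Users\\jdoe\\Desktop\\report.lnk", b"L\x00\x00\x00", 3),
    ("C:\\Users\\jdoe\\AppData\\Local\\Temp\\out.dat", b"PK\x03\x04\x14\x00", None),
    ("/home/jdoe/.cache/.x", b"\x7fELF", None),
    ("C:\\inetpub\\wwwroot\\images\\cmd.aspx", b"<%@ Page", None),
    ("C:\\Users\\jdoe\\Downloads\\setup.hta", b"<html>", 3),
    ("C:\\Users\\jdoe\\Documents\\budget.xlsx", b"PK\x03\x04", 3),  # benign control
]

def triage_all(events=SAMPLE_CREATES):
    """Map each created path to its findings; an empty list means nothing fired."""
    return {path: triage_created_file(path, header, zone) for path, header, zone in events}
```

The benign control matters: `budget.xlsx` carries a zip header and ZoneId 3 but triggers nothing, because OOXML is expected to be a zip container and the ZoneId check is scoped to LNK files as the T1547.009 row states. Without those exclusions the archive and MOTW checks would fire on every downloaded Office document.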
Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux auditd rules on the unlink, unlinkat, rename, renameat, or rmdir syscalls)
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1554 | Compromise Client Software Binary | Monitor for unexpected deletion of client software binaries, which may be replaced with modified versions to establish persistent access to systems.
Enterprise | T1485 | Data Destruction | Monitor for unexpected deletion of a file (ex: Sysmon EID 23).
Enterprise | T1565 | Data Manipulation | Monitor for unexpected deletion of a file that may be intended to manipulate external outcomes or hide activity.
| .001 | Stored Data Manipulation | Monitor for unexpected deletion of a file that may be intended to manipulate external outcomes or hide activity.
| .003 | Runtime Data Manipulation | Monitor for unexpected deletion of a file that may be intended to manipulate external outcomes or hide activity.
Enterprise | T1070 | Indicator Removal on Host | Monitor for deletion or alteration of generated artifacts on a host system, including logs or captured files such as quarantined malware.
| .001 | Clear Windows Event Logs | Monitor for unexpected deletion of Windows event logs (via native binaries); clearing a log may also generate an alertable event (Event ID 1102: "The audit log was cleared").
| .002 | Clear Linux or Mac System Logs | Monitor for unexpected deletion of a system log file, typically stored in /var/log or /Library/Logs.
| .003 | Clear Command History | Monitor for unexpected deletion of a command history file, such as ConsoleHost_history.txt, ~/.zsh_history, or ~/.bash_history.
| .004 | File Deletion | Monitor for unexpected deletion of files from the system.
Enterprise | T1490 | Inhibit System Recovery | The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity.
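The T1070 rows above name specific artifacts (system logs, shell and PowerShell history, event logs) and a companion signal (Security Event ID 1102). The Python below is an added example written for this page, not ATT&CK content and not any vendor's detection code: it parses constructed deletion events, flags deletions of those artifacts, flags removal of executables or scripts from user-writable locations (the T1070.004 tool-cleanup pattern), and correlates file deletions with a subsequent 1102 so that the two weak signals reinforce each other. The line format, path patterns and lookback window are assumptions for illustration; auditd unlink/unlinkat records would be mapped into the same shape.

```python
import re
from datetime import datetime, timedelta

# Added example, not ATT&CK content. Constructed line format: timestamp, source
# (sysmon23 = Sysmon EID 23 FileDelete, security1102 = Windows Security EID 1102
# audit log cleared), account, pid, process image and the deleted target.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) source=(?P<source>\S+) user=(?P<user>\S+) pid=(?P<pid>\d+) "
    r"image=(?P<image>.+?) target=(?P<target>.+)$"
)
# Artifacts the T1070 rows name; the patterns themselves are assumptions.
LOG_TARGETS = [
    (re.compile(r"^/var/log/|^/Library/Logs/"), "T1070.002 system log"),
    (re.compile(r"(ConsoleHost_history\.txt|\.bash_history|\.zsh_history)$", re.I),
     "T1070.003 command history"),
    (re.compile(r"\\winevt\\logs\\[^\\]+\.evtx$", re.I), "T1070.001 event log file"),
]
TOOL_EXTS = (".exe", ".dll", ".ps1", ".bat", ".vbs")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")  # deletions here are patch noise

def parse_event(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["pid"] = int(ev["pid"])
    return ev

def deletions(events):
    return [ev for ev in events if ev["source"] == "sysmon23"]

def targeted_deletions(events):
    """Deletion of logs or shell/PowerShell history (T1070.001-.003)."""
    return [(ev["pid"], label) for ev in deletions(events)
            for pattern, label in LOG_TARGETS if pattern.search(ev["target"])]

def tool_cleanup(events):
    """T1070.004: executables or scripts removed from user-writable locations."""
    out = []
    for ev in deletions(events):
        t = ev["target"].lower()
        if t.endswith(TOOL_EXTS) and not t.startswith(SYSTEM_DIRS):
            out.append((ev["pid"], ev["target"]))
    return out

def deletes_before_audit_clear(events, lookback=timedelta(minutes=5)):
    """Processes that deleted files within `lookback` before a Security EID 1102:
    file deletion followed by log clearing is a stronger signal than either alone."""
    clears = [ev["ts"] for ev in events if ev["source"] == "security1102"]
    hits = set()
    for ev in deletions(events):
        if any(timedelta(0) <= c - ev["ts"] <= lookback for c in clears):
            hits.add((ev["pid"], ev["image"]))
    return sorted(hits)

def build_sample_events():
    """Constructed: cmd.exe removes the PowerShell history and a dropped tool,
    the Security log is cleared 30 s later; Chrome pruning its cache is benign."""
    lines = [
        "2024-05-01T12:00:00 source=sysmon23 user=ACME\\jdoe pid=7001 image=C:\\Windows\\System32\\cmd.exe "
        "target=C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt",
        "2024-05-01T12:00:03 source=sysmon23 user=ACME\\jdoe pid=7001 image=C:\\Windows\\System32\\cmd.exe "
        "target=C:\\Users\\jdoe\\AppData\\Local\\Temp\\tool.exe",
        "2024-05-01T12:00:30 source=security1102 user=ACME\\jdoe pid=0 image=- target=Security",
        "2024-05-01T12:20:00 source=sysmon23 user=ACME\\jdoe pid=3001 "
        "image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe "
        "target=C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\f_0001",
    ]
    return [parse_event(line) for line in lines]
```

On the constructed events all three functions point at pid 7001 and nothing at the browser's cache pruning, which happens after the log clear and touches no artifact of interest. In practice the correlation function is the one worth alerting on; the other two are better kept as enrichment because software updaters delete executables and log rotation deletes logs all day.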
Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.
Domain | ID | Name | Detects | |
---|---|---|---|---|
Enterprise | T1548 | Abuse Elevation Control Mechanism |
Monitor the file system for files that have the setuid or setgid bits set. On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). |
|
.001 | Setuid and Setgid |
Monitor the file system for files that have the setuid or setgid bits set. |
||
Enterprise | T1554 | Compromise Client Software Binary |
Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment |
|
Enterprise | T1565 | Data Manipulation |
Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc that would aid in the manipulation of data to hide activity |
|
.003 | Runtime Data Manipulation |
Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc that would aid in the manipulation of data to hide activity |
||
Enterprise | T1546 | Event Triggered Execution |
Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc. |
|
.006 | LC_LOAD_DYLIB Addition |
Changes to binaries that do not line up with application updates or patches are also extremely suspicious. |
||
Enterprise | T1222 | File and Directory Permissions Modification |
Monitor and investigate attempts to modify ACLs and file/directory ownership. |
|
.001 | Windows File and Directory Permissions Modification |
Consider enabling file/directory permission change auditing on folders containing key binary/configuration files. For example, Windows Security Log events (Event ID 4670) are created when DACLs are modified. |
||
.002 | Linux and Mac File and Directory Permissions Modification |
Monitor and investigate attempts to modify ACLs and file/directory ownership. Consider enabling file/directory permission change auditing on folders containing key binary/configuration files. |
||
Enterprise | T1564 | Hide Artifacts |
Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, and permissions, that may indicate attempts to hide artifacts associated with adversary behaviors to evade detection. |
|
.001 | Hidden Files and Directories |
Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, and permissions, that may indicate files and directories being set to hidden to evade detection mechanisms. |
||
.004 | NTFS File Attributes |
Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, and permissions, that may indicate NTFS file attributes being used to hide malicious data in order to evade detection. Forensic techniques exist to identify information stored in NTFS EA. [13] |
||
.007 | VBA Stomping |
If the document is opened with a Graphical User Interface (GUI), the malicious p-code is decompiled and may be viewed. However, if the |
||
.009 | Resource Forking |
Identify files with the |
||
Enterprise | T1070 | Indicator Removal on Host |
Monitor for contextual file data that may show signs of deletion or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |
|
.006 | Timestomp |
Monitor file modifications with tooling that collects information on file handle opens and can compare timestamp values. |
||
Enterprise | T1570 | Lateral Tool Transfer |
Monitor for identical file hashes or characteristics (ex: filename) that are created on multiple hosts. |
|
Enterprise | T1036 | Masquerading |
Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters "\u202E", "[U+202E]", and "%E2%80%AE". |
|
.001 | Invalid Code Signature |
Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment, look for invalid signatures as well as unusual certificate characteristics and outliers. |
||
.002 | Right-to-Left Override |
Monitor for common formats of RTLO characters within filenames such as \u202E, [U+202E], and %E2%80%AE. Defenders should also check their analysis tools to ensure they do not interpret the RTLO character and instead print the true name of the file containing it. |
||
.003 | Rename System Utilities |
Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. |
||
.005 | Match Legitimate Name or Location |
Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect. |
||
.006 | Space after Filename |
Monitor for spaces at the end of file names, that can easily be checked with file monitoring. From the user's perspective though, this is very hard to notice from within the Finder.app or on the command-line in Terminal.app. Processes executed from binaries containing non-standard extensions in the filename are suspicious. |
||
.007 | Double File Extension |
Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc. |
||
Enterprise | T1027 | Obfuscated Files or Information |
Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc. |
|
.001 | Binary Padding |
Depending on the method used to pad files, a file-based signature may be capable of detecting padding using a scanning or on-access based tool. When executed, the resulting process from padded files may also exhibit other behavior characteristics of being used to conduct an intrusion such as system and network information Discovery or Lateral Movement, which could be used as event indicators that point to the source file. |
||
.002 | Software Packing |
Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code. |
||
.003 | Steganography |
Detection of steganography is difficult unless artifacts are left behind by the obfuscation process that are detectable with a known signature. Look for strings or other signatures left in system artifacts related to decoding steganography. |
||
.004 | Compile After Delivery |
Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc. |
||
Enterprise | T1055 | Process Injection |
Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc. |
|
.013 | Process Doppelgänging |
Scan file objects reported during the PsSetCreateProcessNotifyRoutine, [15] which triggers a callback whenever a process is created or deleted, specifically looking for file objects with enabled write access. [16] Also consider comparing file objects loaded in memory to the corresponding file on disk. [17] |
||
Enterprise | T1553 | Subvert Trust Controls |
Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers. |
|
.001 | Gatekeeper Bypass |
Review QuarantineEvents is a SQLite database containing a list of all files assigned the |
||
.002 | Code Signing |
Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers. |
||
.005 | Mark-of-the-Web Bypass |
Monitor files (especially those downloaded from untrusted locations) for MOTW attributes. Also consider inspecting and scanning file formats commonly abused to bypass MOTW (ex: .arj, .gzip, .iso, .vhd). |
||
Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 |
Analyze contextual data about executed DLL files, which may include information such as name, the content (ex: signature, headers, or data/media), age, user/owner, permissions, etc. |
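The Masquerading rows above (RTLO characters in their raw and encoded spellings, a trailing space, and a double file extension) describe checks that are easy to run over file names pulled from a file-creation or file-metadata log. The following is an added example, not code from ATT&CK or this page; the extension lists and the sample file names are constructed, and `rendered_name` only approximates how a bidi-aware UI would display a name.

```python
import re

# Unicode RIGHT-TO-LEFT OVERRIDE as it appears in a raw filename.
RTLO_CHAR = "\u202e"

# Encoded spellings of the same character that show up in logs, URLs and
# tool output: the page lists \u202E, [U+202E] and %E2%80%AE.
RTLO_ENCODED = re.compile(r"\\u202e|\[u\+202e\]|%e2%80%ae", re.IGNORECASE)

# Constructed lists: extensions that run code when opened, and "document"
# extensions that commonly sit in front of them in a double-extension name.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "hta", "msi", "lnk"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}


def visible_name(name: str) -> str:
    """Replace raw RTLO characters with a printable marker so the string prints
    left-to-right exactly as stored on disk (the tooling check the page asks for)."""
    return name.replace(RTLO_CHAR, "[U+202E]")


def rendered_name(name: str) -> str:
    """Approximate what a user sees: everything after the first RTLO is displayed
    reversed, so 'invoice\\u202efdp.exe' renders as 'invoiceexe.pdf'."""
    idx = name.find(RTLO_CHAR)
    if idx == -1:
        return name
    return name[:idx] + name[idx + 1:][::-1]


def check_filename(name: str) -> list[str]:
    """Return the masquerading indicators found in one filename."""
    findings = []
    # RTLO: accept the raw character or any encoded form a tool may have emitted.
    if RTLO_CHAR in name or RTLO_ENCODED.search(name):
        findings.append("rtlo")
    # Trailing space: invisible in Finder/Terminal, visible to code.
    if name != name.rstrip(" "):
        findings.append("trailing_space")
    # Double extension: a document-looking extension followed by an executable one.
    parts = name.rstrip(" ").lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS:
        findings.append("double_extension")
    return findings


def scan(names) -> dict[str, list[str]]:
    """Run the checks over an iterable of filenames (e.g. from a file-creation log)
    and return {name: findings} for every name that triggered at least one check."""
    return {n: f for n in names if (f := check_filename(n))}


# Constructed sample names, not observed files.
SAMPLE_NAMES = [
    "quarterly_report.pdf",
    "invoice\u202efdp.exe",
    "notes.txt ",
    "photo.jpg.scr",
    "setup%E2%80%AEgpj.exe",
]

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_NAMES).items():
        print(f"{visible_name(name)!r}: {findings} (renders as {rendered_name(name)!r})")
```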
Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)
Domain | ID | Name | Detects | |
---|---|---|---|---|
Enterprise | T1548 | Abuse Elevation Control Mechanism |
On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the |
|
.001 | Setuid and Setgid |
Monitor for changes made to files that may perform shell escapes or exploit vulnerabilities in an application with the setuid or setgid bits to get code running in a different user’s context. |
||
.003 | Sudo and Sudo Caching |
On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the |
||
Enterprise | T1098 | Account Manipulation |
Monitor for changes made to files related to account settings, such as /etc/ssh/sshd_config and the authorized_keys file for each user on a system. |
|
.004 | SSH Authorized Keys |
Monitor for changes made to the authorized_keys file for each user on a system. Monitor for changes to, and suspicious processes modifying, /etc/ssh/sshd_config. |
||
Enterprise | T1547 | Boot or Logon Autostart Execution |
Monitor for changes made to files that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. |
|
.001 | Registry Run Keys / Startup Folder |
Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including the startup folders. [19] |
||
.006 | Kernel Modules and Extensions |
Monitor for changes made to files that may modify the kernel to automatically execute programs on system boot. |
||
.007 | Re-opened Applications |
Monitoring the specific plist files associated with reopening applications can indicate when an application has registered itself to be reopened. |
||
.008 | LSASS Driver |
Monitor for changes made to files that may modify or add LSASS drivers to obtain persistence on compromised systems. |
||
.009 | Shortcut Modification |
Since a shortcut's target path likely will not change, modifications to shortcut files that do not correlate with known software changes, patches, removal, etc., may be suspicious. Analysis should attempt to relate shortcut file change events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections. |
||
.013 | XDG Autostart Entries |
Malicious XDG autostart entries may be detected by auditing file modification events within the |
||
.015 | Login Items |
All login items created via shared file lists are viewable by using the System Preferences GUI or in the |
||
Enterprise | T1037 | Boot or Logon Initialization Scripts |
Monitor for changes made to files that are modified by unusual accounts outside of normal administration duties. |
|
.002 | Login Hook |
Monitor for changes to login hook files ( |
||
.003 | Network Logon Script |
Monitor for changes made to files for unexpected modifications by unusual accounts outside of normal administration duties. |
||
.004 | RC Scripts |
Monitor for changes made to files for unexpected modifications to RC scripts in the /etc/ directory. |
||
.005 | Startup Items |
Monitor for changes made to files for unexpected modifications to the /Library/StartupItem folder. |
||
Enterprise | T1554 | Compromise Client Software Binary |
Monitor changes to client software that do not correlate with known software or patch cycles. |
|
Enterprise | T1543 | Create or Modify System Process |
Monitor for changes to files associated with system-level processes. |
|
.001 | Launch Agent |
Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications. |
||
.002 | Systemd Service |
Systemd service unit files may be detected by auditing file creation and modification events within the |
||
.004 | Launch Daemon |
Monitor files for changes that may create or modify Launch Daemons to execute malicious payloads as part of persistence. |
||
Enterprise | T1485 | Data Destruction |
Monitor for changes made to a large quantity of files for unexpected modifications in user directories and under C:\Windows\System32. |
|
Enterprise | T1486 | Data Encrypted for Impact |
Monitor for changes made to files in user directories. |
|
Enterprise | T1565 | Data Manipulation |
Monitor for unexpected files with manipulated data, intended to manipulate external outcomes or hide activity. |
|
.001 | Stored Data Manipulation |
Monitor for unexpected files with manipulated data, intended to manipulate external outcomes or hide activity. |
||
.003 | Runtime Data Manipulation |
Monitor for unexpected files with manipulated data, intended to manipulate external outcomes or hide activity. |
||
Enterprise | T1491 | Defacement |
Monitor for changes made to files for unexpected modifications to internal and external websites for unplanned content changes. |
|
.001 | Internal Defacement |
Monitor internal websites for unplanned content changes. |
||
.002 | External Defacement |
Monitor external websites for unplanned content changes. |
||
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Monitor for changes made to files for unexpected modifications that attempt to hide artifacts. |
|
Enterprise | T1546 | Event Triggered Execution |
Monitor for changes made to files that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. |
|
.002 | Screensaver |
Monitor for changes made to files that may establish persistence by executing malicious content triggered by user inactivity. |
||
.004 | Unix Shell Configuration Modification |
Monitor for changes to |
||
.005 | Trap |
Monitor for changes made to files that may establish persistence by executing malicious content triggered by an interrupt signal. |
||
.006 | LC_LOAD_DYLIB Addition |
Monitor file systems for changes to application binaries and invalid checksums/signatures. |
||
.008 | Accessibility Features |
Monitor for changes made to files that may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Changes to accessibility utility binaries or binary paths that do not correlate with known software, patch cycles, etc., are suspicious. |
||
.011 | Application Shimming |
Monitor for changes made to files that may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. |
||
.013 | PowerShell Profile |
Locations where |
||
.014 | Emond |
Monitor emond rules creation by checking for files modified in |
||
Enterprise | T1187 | Forced Authentication |
Monitor for changes made to .LNK, .SCF, or any other files on systems and within virtual environments that contain resources pointing to external network resources. |
|
Enterprise | T1564 | Hide Artifacts |
Monitor for changes made to files that may attempt to hide artifacts associated with their behaviors to evade detection. |
|
.002 | Hidden Users |
Monitor for changes made to files that may use hidden users to mask the presence of user accounts they create or modify. Monitor for changes made to the |
||
.003 | Hidden Window |
Monitor for changes made to files that may use hidden windows to conceal malicious activity from the plain sight of users. In MacOS, plist files are ASCII text files with a specific format, so they're relatively easy to parse. File monitoring can check for the |
||
.004 | NTFS File Attributes |
There are many ways to create and interact with ADSs using Windows utilities. Monitor for operations (execution, copies, etc.) with file names that contain colons. This syntax (ex: |
||
.005 | Hidden File System |
Detecting the use of a hidden file system may be exceptionally difficult depending on the implementation. Emphasis may be placed on detecting related aspects of the adversary lifecycle, such as how malware interacts with the hidden file system or how a hidden file system is loaded. |
||
.008 | Email Hiding Rules |
On MacOS systems, monitor for modifications to the |
||
Enterprise | T1574 | Hijack Execution Flow |
Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious. |
|
.001 | DLL Search Order Hijacking |
Monitor for changes made to .manifest/.local redirection files, or file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. |
||
.002 | DLL Side-Loading |
Monitor for changes made to files for unexpected modifications to access permissions and attributes. |
||
.004 | Dylib Hijacking |
Monitor file systems for moving, renaming, replacing, or modifying dylibs. Changes in the set of dylibs that are loaded by a process (compared to past behavior) that do not correlate with known software, patches, etc., are suspicious. Check the system for multiple dylibs with the same name and monitor which versions have historically been loaded into a process. |
||
.005 | Executable Installer File Permissions Weakness |
Monitor for changes to binaries and service executables that may normally occur during software updates. |
||
.006 | Dynamic Linker Hijacking |
Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD on Linux and DYLD_INSERT_LIBRARIES on macOS. |
||
.008 | Path Interception by Search Order Hijacking |
Monitor for program metadata modifications, such as deletion of the path to an executable, since that makes programs vulnerable to this type of technique. Also monitor modifications of files such as renaming programs using Windows system utility names. |
||
.009 | Path Interception by Unquoted Path |
Monitor for changes made to files that may execute their own malicious payloads by hijacking vulnerable file path references. |
||
.010 | Services File Permissions Weakness |
Monitor for modification of binaries and service executables that do not occur during a regular software update or an update scheduled by the organization. Modification of files considers actions such as renaming and directory moving. |
||
Enterprise | T1070 | Indicator Removal on Host |
Monitor for changes made to a file may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |
|
.002 | Clear Linux or Mac System Logs |
Monitor for changes made to system log files, typically stored in /var/log or /Library/Logs, for unexpected modifications to access permissions and attributes. |
||
.003 | Clear Command History |
Monitor for changes made to command history files, such as ConsoleHost_history.txt, ~/.zsh_history, or ~/.bash_history, for unexpected modifications to contents, access permissions, and attributes. |
||
.006 | Timestomp |
Monitor for unexpected modifications to file timestamps. |
||
Enterprise | T1056 | Input Capture |
Monitor for changes made to files for unexpected modifications to access permissions and attributes. |
|
.003 | Web Portal Capture |
Monitor for changes to files in the Web directory for organization login pages that do not match authorized updates to the Web server's content. |
||
Enterprise | T1036 | Masquerading |
Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. |
|
.003 | Rename System Utilities |
Monitor for changes made to files for unexpected modifications to file names that are mismatched between the file name on disk and that of the binary's PE metadata. This is a likely indicator that a binary was renamed after it was compiled. |
||
Enterprise | T1556 | Modify Authentication Process |
Monitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files. |
|
.001 | Domain Controller Authentication |
Monitor for changes to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).[26] |
||
.003 | Pluggable Authentication Modules |
Monitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files. |
||
.004 | Network Device Authentication |
Monitor for changes to the checksum of the operating system file and verify the image of the operating system in memory.[27][28] Detection of this behavior may be difficult; detection efforts may be focused on closely related adversary behaviors, such as Modify System Image. |
||
Enterprise | T1601 | Modify System Image |
Most embedded network devices provide a command to print the version of the currently running operating system. Use this command to query the operating system for its version number and compare it to what is expected for the device in question. Because this method may be used in conjunction with Patch System Image, it may be appropriate to also verify the integrity of the vendor provided operating system image file. Compare the checksum of the operating system file with the checksum of a known good copy from a trusted source. Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not. Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised. [27] Many vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory. If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system. [28] |
|
.001 | Patch System Image |
Compare the checksum of the operating system file with the checksum of a known good copy from a trusted source. Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not. Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised. https://tools.cisco.com/security/center/resources/integrity_assurance.html#7 Many vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory. If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system. https://tools.cisco.com/security/center/resources/integrity_assurance.html#13 |
||
.002 | Downgrade System Image |
Monitor for changes made to the operating system of a network device. Because image downgrade may be used in conjunction with Patch System Image, it may be appropriate to also verify the integrity of the vendor provided operating system image file. |
||
Enterprise | T1137 | Office Application Startup |
Monitor for changes made to files that may leverage Microsoft Office-based applications for persistence between startups. |
|
.001 | Office Template Macros |
Monitor for changes made to files that may abuse Microsoft Office templates to obtain persistence on a compromised system. Modification to base templates, like Normal.dotm, should also be investigated since the base templates should likely not contain VBA macros. Changes to the Office macro security settings should also be investigated. |
||
.002 | Office Test |
Monitor for changes made to files that may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. |
||
.006 | Add-ins |
Monitor for changes made to files that may abuse Microsoft Office add-ins to obtain persistence on a compromised system. |
||
Enterprise | T1647 | Plist File Modification |
Monitor for plist file modification, especially if immediately followed by other suspicious events such as code execution from |
|
Enterprise | T1055 | Process Injection |
Monitor for changes made to files that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. |
|
.009 | Proc Memory |
Monitor for changes made to /proc files that may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Users should not have permission to modify these in most cases. |
||
Enterprise | T1014 | Rootkit |
Monitor for changes and the existence of unrecognized DLLs, drivers, devices, services, and to the MBR. [29] |
|
Enterprise | T1053 | Scheduled Task/Job |
Monitor for changes made to files that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. |
|
.002 | At |
On Windows, monitor Windows Task Scheduler stores in |
||
.003 | Cron |
Monitor for changes made to files for unexpected modifications to access permissions and attributes. |
||
.005 | Scheduled Task |
Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. |
||
.006 | Systemd Timers |
Monitor for changes made to systemd timer unit files for unexpected modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links. |
||
Enterprise | T1505 | Server Software Component |
Monitor for changes made to files that may abuse legitimate extensible development features of servers to establish persistent access to systems. |
|
.003 | Web Shell |
Monitor for changes made to files that may backdoor web servers with web shells to establish persistent access to systems. |
||
.004 | IIS Components |
Monitor for modification of files (especially DLLs on webservers) that could be abused as malicious ISAPI extensions/filters or IIS modules. Changes to |
||
.005 | Terminal Services DLL |
Monitor unexpected changes and/or interactions with |
||
Enterprise | T1489 | Service Stop |
Monitor for changes made to files that may stop or disable services on a system to render those services unavailable to legitimate users. |
|
Enterprise | T1553 | Subvert Trust Controls |
Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries.[33] Also analyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure "Hide Microsoft Entries" and "Hide Windows Entries" are both deselected.[33] On macOS, the removal of the |
|
.001 | Gatekeeper Bypass |
The removal of the |
||
.003 | SIP and Trust Provider Hijacking |
Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries.[33] Also analyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure "Hide Microsoft Entries" and "Hide Windows Entries" are both deselected.[33] |
||
Enterprise | T1569 | System Services |
Monitor for changes made to files that may abuse system services or daemons to execute commands or programs. |
|
.001 | Launchctl |
Every Launch Agent and Launch Daemon must have a corresponding plist file on disk which can be monitored. Plist files are located in the root, system, and users |
||
Enterprise | T1080 | Taint Shared Content |
Monitor for processes that write or overwrite many files in a network shared directory; such activity may be suspicious. |
|
Enterprise | T1600 | Weaken Encryption |
File Modification |
|
.001 | Reduce Key Space |
There is no documented method for defenders to directly identify behaviors that reduce encryption key space. Detection efforts may be focused on closely related adversary behaviors, such as Modify System Image and Network Device CLI. Some detection methods require vendor support to aid in investigation. |
||
.002 | Disable Crypto Hardware |
There is no documented method for defenders to directly identify behaviors that reduce encryption key space. Detection efforts may be focused on closely related adversary behaviors, such as Modify System Image and Network Device CLI. Some detection methods require vendor support to aid in investigation. |
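Several File Modification rows above (Account Manipulation on /etc/ssh/sshd_config and authorized_keys, Modify Authentication Process on /etc/pam.d/, and the repeated "unexpected modifications to access permissions and attributes") come down to the same baseline-and-compare check that tools such as AIDE perform. The following is an added example, not code from ATT&CK, AIDE or this page: it fingerprints each watched file by content hash, mode and owner, diffs two snapshots, and classifies each difference. The `WATCHED` paths are the ones the page names; `demo()` builds a constructed directory tree in a temporary location so the example runs without touching real system files.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Files the page calls out; on a real host these would be read by a scheduled
# job running as root. Listed here for reference, demo() uses constructed copies.
WATCHED = ["/etc/ssh/sshd_config", "/etc/pam.d", "/root/.ssh/authorized_keys"]


def fingerprint(path: Path) -> dict:
    """Content hash plus the metadata that a permission or ownership change alters."""
    st = path.lstat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest() if path.is_file() else None
    return {"sha256": digest, "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid}


def build_baseline(roots) -> dict:
    """Fingerprint every regular file under the given files or directories."""
    baseline = {}
    for root in map(Path, roots):
        if root.is_dir():
            files = [p for p in root.rglob("*") if p.is_file()]
        elif root.is_file():
            files = [root]
        else:
            continue  # a watched path that does not exist is simply skipped
        for p in files:
            baseline[str(p)] = fingerprint(p)
    return baseline


def diff_baseline(old: dict, new: dict) -> list:
    """Return (path, event) pairs: added, removed, content_changed, perms_changed.
    A single path can yield both content_changed and perms_changed."""
    events = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            events.append((path, "added"))
        elif path not in new:
            events.append((path, "removed"))
        else:
            o, n = old[path], new[path]
            if o["sha256"] != n["sha256"]:
                events.append((path, "content_changed"))
            if (o["mode"], o["uid"], o["gid"]) != (n["mode"], n["uid"], n["gid"]):
                events.append((path, "perms_changed"))
    return events


def demo() -> list:
    """Constructed scenario: take a baseline, apply three changes a defender
    would want flagged, and return the resulting events with the temp prefix removed."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "pam.d").mkdir()
        (base / "sshd_config").write_text("PermitRootLogin no\n")
        os.chmod(base / "sshd_config", 0o600)  # explicit mode so the later change is deterministic
        (base / "pam.d" / "sshd").write_text("auth required pam_unix.so\n")
        (base / "authorized_keys").write_text("ssh-ed25519 AAAA-placeholder-key user@host\n")
        roots = [base / "sshd_config", base / "pam.d", base / "authorized_keys"]
        before = build_baseline(roots)

        # 1) a new key appended to authorized_keys (T1098.004)
        with open(base / "authorized_keys", "a") as f:
            f.write("ssh-ed25519 BBBB-placeholder-key unknown@host\n")
        # 2) sshd_config made world-writable (permission/attribute change)
        os.chmod(base / "sshd_config", 0o666)
        # 3) a new file dropped into the PAM configuration directory (T1556.003)
        (base / "pam.d" / "common-auth").write_text("auth required pam_unix.so\n")

        after = build_baseline(roots)
        return [(os.path.relpath(p, tmp), e) for p, e in diff_baseline(before, after)]


if __name__ == "__main__":
    for path, event in demo():
        print(f"{event:16} {path}")
```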