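<!DOCTYPE html>
<html lang="en">
<head>
  <!-- charset is declared first so the parser never has to re-decode the document -->
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1,shrink-to-fit=no">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ">
  <!-- Google Analytics (gtag.js). The inline bootstrap below would need a nonce or hash
       before a strict script-src CSP can be applied to this site.
       NOTE(review): UA-prefixed property id; confirm this is still the intended measurement id. -->
  <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script>
  <script>
    window.dataLayer = window.dataLayer || [];
    function gtag(){dataLayer.push(arguments);}
    gtag('js', new Date());
    gtag('config', 'UA-62667723-1');
  </script>
  <link rel="shortcut icon" href="/versions/v16/theme/favicon.ico" type="image/x-icon">
  <title>File, Data Source DS0022 | MITRE ATT&amp;CK®</title>
  <!-- USWDS CSS -->
  <!-- Bootstrap CSS -->
  <link rel="stylesheet" href="/versions/v16/theme/style/bootstrap.min.css">
  <link rel="stylesheet" href="/versions/v16/theme/style/bootstrap-tourist.css">
  <link rel="stylesheet" href="/versions/v16/theme/style/bootstrap-select.min.css">
  <!-- Fontawesome CSS -->
  <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/fontawesome.min.css">
  <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/brands.min.css">
  <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/solid.min.css">
  <link rel="stylesheet" href="/versions/v16/theme/style.min.css?6689c2db">
</head>
<body>
<div class="container-fluid attack-website-wrapper d-flex flex-column h-100">
  <div class="row sticky-top flex-grow-0 flex-shrink-1">
    <!-- header elements -->
    <header class="col px-0">
      <nav class="navbar navbar-expand-lg navbar-dark position-static" aria-label="Primary">
        <!-- the logo is the only content of the home link, so its alt names the destination -->
        <a class="navbar-brand" href="/versions/v16/"><img src="/versions/v16/theme/images/mitre_attack_logo.png" class="attack-logo" alt="MITRE ATT&amp;CK home"></a>
        <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarCollapse" aria-controls="navbarCollapse" aria-expanded="false" aria-label="Toggle navigation">
          <span class="navbar-toggler-icon"></span>
        </button>
        <div class="collapse navbar-collapse" id="navbarCollapse">
          <!-- Each dropdown toggle carries a document-unique id so that every
               aria-labelledby resolves to its own toggle; the first toggle keeps the
               original "navbarDropdown" id so any selector that relied on it still
               matches the same element. -->
          <ul class="nav nav-tabs ml-auto">
            <li class="nav-item dropdown">
              <a class="nav-link dropdown-toggle" href="/versions/v16/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a>
              <div class="dropdown-menu" aria-labelledby="navbarDropdown">
                <a class="dropdown-item" href="/versions/v16/matrices/enterprise/">Enterprise</a>
                <a class="dropdown-item" href="/versions/v16/matrices/mobile/">Mobile</a>
                <a class="dropdown-item" href="/versions/v16/matrices/ics/">ICS</a>
              </div>
            </li>
            <li class="nav-item dropdown">
              <a class="nav-link dropdown-toggle" href="/versions/v16/tactics/" id="navbarDropdownTactics" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a>
              <div class="dropdown-menu" aria-labelledby="navbarDropdownTactics">
                <a class="dropdown-item" href="/versions/v16/tactics/enterprise/">Enterprise</a>
                <a class="dropdown-item" href="/versions/v16/tactics/mobile/">Mobile</a>
                <a class="dropdown-item" href="/versions/v16/tactics/ics/">ICS</a>
              </div>
            </li>
            <li class="nav-item dropdown">
              <a class="nav-link dropdown-toggle" href="/versions/v16/techniques/" id="navbarDropdownTechniques" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a>
              <div class="dropdown-menu" aria-labelledby="navbarDropdownTechniques">
                <a class="dropdown-item" href="/versions/v16/techniques/enterprise/">Enterprise</a>
                <a class="dropdown-item" href="/versions/v16/techniques/mobile/">Mobile</a>
                <a class="dropdown-item" href="/versions/v16/techniques/ics/">ICS</a>
              </div>
            </li>
            <li class="nav-item dropdown">
              <a class="nav-link dropdown-toggle" href="/versions/v16/datasources" id="navbarDropdownDefenses" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a>
              <div class="dropdown-menu" aria-labelledby="navbarDropdownDefenses">
                <a class="dropdown-item" href="/versions/v16/datasources">Data Sources</a>
                <!-- nested (dropright) submenu for the three mitigation domains -->
                <div class="dropright dropdown">
                  <a class="dropdown-item dropdown-toggle" href="/versions/v16/mitigations/" id="navbarDropdownMitigations" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a>
                  <div class="dropdown-menu" aria-labelledby="navbarDropdownMitigations">
                    <a class="dropdown-item" href="/versions/v16/mitigations/enterprise/">Enterprise</a>
                    <a class="dropdown-item" href="/versions/v16/mitigations/mobile/">Mobile</a>
                    <a class="dropdown-item" href="/versions/v16/mitigations/ics/">ICS</a>
                  </div>
                </div>
                <a class="dropdown-item" href="/versions/v16/assets">Assets</a>
              </div>
            </li>
            <li class="nav-item dropdown">
              <a class="nav-link dropdown-toggle" href="/versions/v16/groups" id="navbarDropdownCti" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a>
              <div class="dropdown-menu" aria-labelledby="navbarDropdownCti">
                <a class="dropdown-item" href="/versions/v16/groups">Groups</a>
                <a class="dropdown-item" href="/versions/v16/software">Software</a>
                <a class="dropdown-item" href="/versions/v16/campaigns">Campaigns</a>
              </div>
            </li>
            <li class="nav-item dropdown">
              <a class="nav-link dropdown-toggle" href="/versions/v16/resources/" id="navbarDropdownResources" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a>
              <div class="dropdown-menu" aria-labelledby="navbarDropdownResources">
                <a class="dropdown-item" href="/versions/v16/resources/">Get Started</a>
                <a class="dropdown-item" href="/versions/v16/resources/learn-more-about-attack/">Learn More about ATT&amp;CK</a>
                <a class="dropdown-item" href="/versions/v16/resources/attackcon/">ATT&amp;CKcon</a>
                <a class="dropdown-item" href="/versions/v16/resources/attack-data-and-tools/">ATT&amp;CK Data &amp; Tools</a>
                <a class="dropdown-item" href="/versions/v16/resources/faq/">FAQ</a>
                <a class="dropdown-item" href="/versions/v16/resources/engage-with-attack/contact/">Engage with ATT&amp;CK</a>
                <!-- intentionally unversioned: the version history lives on the live site -->
                <a class="dropdown-item" href="/resources/versions/">Version History</a>
                <a class="dropdown-item" href="/versions/v16/resources/legal-and-branding/">Legal &amp; Branding</a>
              </div>
            </li>
            <li class="nav-item">
              <a href="/versions/v16/resources/engage-with-attack/benefactors/" class="nav-link"><b>Benefactors</b></a>
            </li>
            <li class="nav-item">
              <!-- external link opened in a new tab: rel="noopener noreferrer" cuts the
                   window.opener handle so the third-party page cannot navigate this tab -->
              <a href="https://medium.com/mitre-attack/" target="_blank" rel="noopener noreferrer" class="nav-link"> <b>Blog</b> <img src="/versions/v16/theme/images/external-site.svg" alt="External site" class="external-icon"> </a>
            </li>
            <li class="nav-item">
              <!-- explicit type so the button never acts as an implicit form submit -->
              <button id="search-button" class="btn search-button" type="button">Search <div id="search-icon" class="icon-button search-icon"></div></button>
            </li>
          </ul>
        </div>
      </nav>
    </header>
  </div>
  <div class="row flex-grow-0 flex-shrink-1">
    <!-- banner elements -->
    <div class="col px-0">
      <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature -->
      <!-- NOTE(review): the generated banner line is left byte-identical per the warning above; the generator
           should emit rel="noopener noreferrer" on its target="_blank" link and alt="" on the decorative icon. -->
      <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v16/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v16.1" target="_blank">ATT&CK v16.1</a> which is the current version of ATT&CK. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div>
      <div class="container-fluid d-none"> ATT&amp;CKcon 6.0 returns October 14-15, 2025 in McLean, VA.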
More details about tickets and our CFP can be found <a href='https://na.eventscloud.com/attackcon6'>here</a> </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="v-tab" role="tablist" aria-orientation="vertical" class="h-100"> <div class="sidenav-wrapper"> <div class="heading" data-toggle="collapse" data-target="#sidebar-collapse" id="v-home-tab" aria-expanded="true" aria-controls="#sidebar-collapse" aria-selected="false">DATA SOURCES <i class="fa-solid fa-fw fa-chevron-down"></i> <i class="fa-solid fa-fw fa-chevron-up"></i> </div> <div class="checkbox-div" id="v-home-tab" aria-selected="false"> <div class="custom-control custom-switch"> <input type="checkbox" class="custom-control-input" id="enterpriseSwitch" onchange="filterTables(enterpriseSwitch, icsSwitch)"> <label class="custom-control-label" for="enterpriseSwitch">Enterprise</label> </div> <div class="custom-control custom-switch"> <input type="checkbox" class="custom-control-input" id="mobileSwitch" onchange="filterTables(mobileSwitch, enterpriseSwitch)"> <label class="custom-control-label" for="mobileSwitch">Mobile</label> </div> <div class="custom-control custom-switch"> <input type="checkbox" class="custom-control-input" id="icsSwitch" onchange="filterTables(icsSwitch, enterpriseSwitch)"> <label class="custom-control-label" for="icsSwitch">ICS</label> </div> </div> <br class="br-mobile"> <div class="sidenav-list collapse show" id="sidebar-collapse" aria-labelledby="v-home-tab"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026"> <a href="/versions/v16/datasources/DS0026/"> Active Directory </a> <div class="expand-button collapsed" id="DS0026-header" data-toggle="collapse" data-target="#DS0026-body" 
aria-expanded="false" aria-controls="#DS0026-body"></div> </div> <div class="sidenav-body collapse" id="DS0026-body" aria-labelledby="DS0026-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Credential Request"> <a href="/datasources/DS0026/#Active%20Directory%20Credential%20Request"> Active Directory Credential Request </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Access"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Access"> Active Directory Object Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Creation"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Creation"> Active Directory Object Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Deletion"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Deletion"> Active Directory Object Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Modification"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Modification"> Active Directory Object Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0015"> <a href="/versions/v16/datasources/DS0015/"> Application Log </a> <div class="expand-button collapsed" id="DS0015-header" data-toggle="collapse" data-target="#DS0015-body" aria-expanded="false" aria-controls="#DS0015-body"></div> </div> <div class="sidenav-body collapse" id="DS0015-body" aria-labelledby="DS0015-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0015-Application Log Content"> <a href="/datasources/DS0015/#Application%20Log%20Content"> Application Log Content </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " 
id="DS0041"> <a href="/versions/v16/datasources/DS0041/"> Application Vetting </a> <div class="expand-button collapsed" id="DS0041-header" data-toggle="collapse" data-target="#DS0041-body" aria-expanded="false" aria-controls="#DS0041-body"></div> </div> <div class="sidenav-body collapse" id="DS0041-body" aria-labelledby="DS0041-header"> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-API Calls"> <a href="/datasources/DS0041/#API%20Calls"> API Calls </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Application Assets"> <a href="/datasources/DS0041/#Application%20Assets"> Application Assets </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Network Communication"> <a href="/datasources/DS0041/#Network%20Communication"> Network Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Permissions Requests"> <a href="/datasources/DS0041/#Permissions%20Requests"> Permissions Requests </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Protected Configuration"> <a href="/datasources/DS0041/#Protected%20Configuration"> Protected Configuration </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head ics " id="DS0039"> <a href="/versions/v16/datasources/DS0039/"> Asset </a> <div class="expand-button collapsed" id="DS0039-header" data-toggle="collapse" data-target="#DS0039-body" aria-expanded="false" aria-controls="#DS0039-body"></div> </div> <div class="sidenav-body collapse" id="DS0039-body" aria-labelledby="DS0039-header"> <div class="sidenav"> <div class="sidenav-head ics " id="DS0039-Asset Inventory"> <a href="/datasources/DS0039/#Asset%20Inventory"> Asset Inventory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head ics " id="DS0039-Software"> <a href="/datasources/DS0039/#Software"> Software </a> </div> </div> </div> </div> <div class="sidenav"> <div 
class="sidenav-head enterprise " id="DS0037"> <a href="/versions/v16/datasources/DS0037/"> Certificate </a> <div class="expand-button collapsed" id="DS0037-header" data-toggle="collapse" data-target="#DS0037-body" aria-expanded="false" aria-controls="#DS0037-body"></div> </div> <div class="sidenav-body collapse" id="DS0037-body" aria-labelledby="DS0037-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0037-Certificate Registration"> <a href="/datasources/DS0037/#Certificate%20Registration"> Certificate Registration </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025"> <a href="/versions/v16/datasources/DS0025/"> Cloud Service </a> <div class="expand-button collapsed" id="DS0025-header" data-toggle="collapse" data-target="#DS0025-body" aria-expanded="false" aria-controls="#DS0025-body"></div> </div> <div class="sidenav-body collapse" id="DS0025-body" aria-labelledby="DS0025-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Disable"> <a href="/datasources/DS0025/#Cloud%20Service%20Disable"> Cloud Service Disable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Enumeration"> <a href="/datasources/DS0025/#Cloud%20Service%20Enumeration"> Cloud Service Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Metadata"> <a href="/datasources/DS0025/#Cloud%20Service%20Metadata"> Cloud Service Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Modification"> <a href="/datasources/DS0025/#Cloud%20Service%20Modification"> Cloud Service Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010"> <a href="/versions/v16/datasources/DS0010/"> Cloud Storage </a> <div class="expand-button collapsed" id="DS0010-header" 
data-toggle="collapse" data-target="#DS0010-body" aria-expanded="false" aria-controls="#DS0010-body"></div> </div> <div class="sidenav-body collapse" id="DS0010-body" aria-labelledby="DS0010-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Access"> <a href="/datasources/DS0010/#Cloud%20Storage%20Access"> Cloud Storage Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Creation"> <a href="/datasources/DS0010/#Cloud%20Storage%20Creation"> Cloud Storage Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Deletion"> <a href="/datasources/DS0010/#Cloud%20Storage%20Deletion"> Cloud Storage Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Enumeration"> <a href="/datasources/DS0010/#Cloud%20Storage%20Enumeration"> Cloud Storage Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Metadata"> <a href="/datasources/DS0010/#Cloud%20Storage%20Metadata"> Cloud Storage Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Modification"> <a href="/datasources/DS0010/#Cloud%20Storage%20Modification"> Cloud Storage Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0017"> <a href="/versions/v16/datasources/DS0017/"> Command </a> <div class="expand-button collapsed" id="DS0017-header" data-toggle="collapse" data-target="#DS0017-body" aria-expanded="false" aria-controls="#DS0017-body"></div> </div> <div class="sidenav-body collapse" id="DS0017-body" aria-labelledby="DS0017-header"> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0017-Command Execution"> <a href="/datasources/DS0017/#Command%20Execution"> Command Execution </a> </div> </div> 
</div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032"> <a href="/versions/v16/datasources/DS0032/"> Container </a> <div class="expand-button collapsed" id="DS0032-header" data-toggle="collapse" data-target="#DS0032-body" aria-expanded="false" aria-controls="#DS0032-body"></div> </div> <div class="sidenav-body collapse" id="DS0032-body" aria-labelledby="DS0032-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032-Container Creation"> <a href="/datasources/DS0032/#Container%20Creation"> Container Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032-Container Enumeration"> <a href="/datasources/DS0032/#Container%20Enumeration"> Container Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032-Container Start"> <a href="/datasources/DS0032/#Container%20Start"> Container Start </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038"> <a href="/versions/v16/datasources/DS0038/"> Domain Name </a> <div class="expand-button collapsed" id="DS0038-header" data-toggle="collapse" data-target="#DS0038-body" aria-expanded="false" aria-controls="#DS0038-body"></div> </div> <div class="sidenav-body collapse" id="DS0038-body" aria-labelledby="DS0038-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038-Active DNS"> <a href="/datasources/DS0038/#Active%20DNS"> Active DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038-Domain Registration"> <a href="/datasources/DS0038/#Domain%20Registration"> Domain Registration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038-Passive DNS"> <a href="/datasources/DS0038/#Passive%20DNS"> Passive DNS </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0016"> <a href="/versions/v16/datasources/DS0016/"> 
Drive </a> <div class="expand-button collapsed" id="DS0016-header" data-toggle="collapse" data-target="#DS0016-body" aria-expanded="false" aria-controls="#DS0016-body"></div> </div> <div class="sidenav-body collapse" id="DS0016-body" aria-labelledby="DS0016-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0016-Drive Access"> <a href="/datasources/DS0016/#Drive%20Access"> Drive Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0016-Drive Creation"> <a href="/datasources/DS0016/#Drive%20Creation"> Drive Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0016-Drive Modification"> <a href="/datasources/DS0016/#Drive%20Modification"> Drive Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0027"> <a href="/versions/v16/datasources/DS0027/"> Driver </a> <div class="expand-button collapsed" id="DS0027-header" data-toggle="collapse" data-target="#DS0027-body" aria-expanded="false" aria-controls="#DS0027-body"></div> </div> <div class="sidenav-body collapse" id="DS0027-body" aria-labelledby="DS0027-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0027-Driver Load"> <a href="/datasources/DS0027/#Driver%20Load"> Driver Load </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0027-Driver Metadata"> <a href="/datasources/DS0027/#Driver%20Metadata"> Driver Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head active enterprise ics " id="DS0022"> <a href="/versions/v16/datasources/DS0022/"> File </a> <div class="expand-button collapsed" id="DS0022-header" data-toggle="collapse" data-target="#DS0022-body" aria-expanded="false" aria-controls="#DS0022-body"></div> </div> <div class="sidenav-body collapse" id="DS0022-body" aria-labelledby="DS0022-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " 
id="DS0022-File Access"> <a href="/datasources/DS0022/#File%20Access"> File Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Creation"> <a href="/datasources/DS0022/#File%20Creation"> File Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Deletion"> <a href="/datasources/DS0022/#File%20Deletion"> File Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Metadata"> <a href="/datasources/DS0022/#File%20Metadata"> File Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Modification"> <a href="/datasources/DS0022/#File%20Modification"> File Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018"> <a href="/versions/v16/datasources/DS0018/"> Firewall </a> <div class="expand-button collapsed" id="DS0018-header" data-toggle="collapse" data-target="#DS0018-body" aria-expanded="false" aria-controls="#DS0018-body"></div> </div> <div class="sidenav-body collapse" id="DS0018-body" aria-labelledby="DS0018-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall Disable"> <a href="/datasources/DS0018/#Firewall%20Disable"> Firewall Disable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall Enumeration"> <a href="/datasources/DS0018/#Firewall%20Enumeration"> Firewall Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall Metadata"> <a href="/datasources/DS0018/#Firewall%20Metadata"> Firewall Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall Rule Modification"> <a href="/datasources/DS0018/#Firewall%20Rule%20Modification"> Firewall Rule Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div 
class="sidenav-head enterprise ics " id="DS0001"> <a href="/versions/v16/datasources/DS0001/"> Firmware </a> <div class="expand-button collapsed" id="DS0001-header" data-toggle="collapse" data-target="#DS0001-body" aria-expanded="false" aria-controls="#DS0001-body"></div> </div> <div class="sidenav-body collapse" id="DS0001-body" aria-labelledby="DS0001-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0001-Firmware Modification"> <a href="/datasources/DS0001/#Firmware%20Modification"> Firmware Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036"> <a href="/versions/v16/datasources/DS0036/"> Group </a> <div class="expand-button collapsed" id="DS0036-header" data-toggle="collapse" data-target="#DS0036-body" aria-expanded="false" aria-controls="#DS0036-body"></div> </div> <div class="sidenav-body collapse" id="DS0036-body" aria-labelledby="DS0036-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036-Group Enumeration"> <a href="/datasources/DS0036/#Group%20Enumeration"> Group Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036-Group Metadata"> <a href="/datasources/DS0036/#Group%20Metadata"> Group Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036-Group Modification"> <a href="/datasources/DS0036/#Group%20Modification"> Group Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007"> <a href="/versions/v16/datasources/DS0007/"> Image </a> <div class="expand-button collapsed" id="DS0007-header" data-toggle="collapse" data-target="#DS0007-body" aria-expanded="false" aria-controls="#DS0007-body"></div> </div> <div class="sidenav-body collapse" id="DS0007-body" aria-labelledby="DS0007-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007-Image Creation"> <a 
href="/datasources/DS0007/#Image%20Creation"> Image Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007-Image Deletion"> <a href="/datasources/DS0007/#Image%20Deletion"> Image Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007-Image Metadata"> <a href="/datasources/DS0007/#Image%20Metadata"> Image Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007-Image Modification"> <a href="/datasources/DS0007/#Image%20Modification"> Image Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030"> <a href="/versions/v16/datasources/DS0030/"> Instance </a> <div class="expand-button collapsed" id="DS0030-header" data-toggle="collapse" data-target="#DS0030-body" aria-expanded="false" aria-controls="#DS0030-body"></div> </div> <div class="sidenav-body collapse" id="DS0030-body" aria-labelledby="DS0030-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Creation"> <a href="/datasources/DS0030/#Instance%20Creation"> Instance Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Deletion"> <a href="/datasources/DS0030/#Instance%20Deletion"> Instance Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Enumeration"> <a href="/datasources/DS0030/#Instance%20Enumeration"> Instance Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Metadata"> <a href="/datasources/DS0030/#Instance%20Metadata"> Instance Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Modification"> <a href="/datasources/DS0030/#Instance%20Modification"> Instance Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " 
id="DS0030-Instance Start"> <a href="/datasources/DS0030/#Instance%20Start"> Instance Start </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Stop"> <a href="/datasources/DS0030/#Instance%20Stop"> Instance Stop </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0035"> <a href="/versions/v16/datasources/DS0035/"> Internet Scan </a> <div class="expand-button collapsed" id="DS0035-header" data-toggle="collapse" data-target="#DS0035-body" aria-expanded="false" aria-controls="#DS0035-body"></div> </div> <div class="sidenav-body collapse" id="DS0035-body" aria-labelledby="DS0035-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0035-Response Content"> <a href="/datasources/DS0035/#Response%20Content"> Response Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0035-Response Metadata"> <a href="/datasources/DS0035/#Response%20Metadata"> Response Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0008"> <a href="/versions/v16/datasources/DS0008/"> Kernel </a> <div class="expand-button collapsed" id="DS0008-header" data-toggle="collapse" data-target="#DS0008-body" aria-expanded="false" aria-controls="#DS0008-body"></div> </div> <div class="sidenav-body collapse" id="DS0008-body" aria-labelledby="DS0008-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0008-Kernel Module Load"> <a href="/datasources/DS0008/#Kernel%20Module%20Load"> Kernel Module Load </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0028"> <a href="/versions/v16/datasources/DS0028/"> Logon Session </a> <div class="expand-button collapsed" id="DS0028-header" data-toggle="collapse" data-target="#DS0028-body" aria-expanded="false" aria-controls="#DS0028-body"></div> </div> <div class="sidenav-body collapse" 
Registry Key Deletion"> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Deletion"> Windows Registry Key Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0024-Windows Registry Key Modification"> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Modification"> Windows Registry Key Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0005"> <a href="/versions/v16/datasources/DS0005/"> WMI </a> <div class="expand-button collapsed" id="DS0005-header" data-toggle="collapse" data-target="#DS0005-body" aria-expanded="false" aria-controls="#DS0005-body"></div> </div> <div class="sidenav-body collapse" id="DS0005-body" aria-labelledby="DS0005-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0005-WMI Creation"> <a href="/datasources/DS0005/#WMI%20Creation"> WMI Creation </a> </div> </div> </div> </div> </div> </div> </div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v16/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v16/datasources/">Data Sources</a></li> <li class="breadcrumb-item">File</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> File </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Microsoft. (2018, May 31). 
File Management (Local File Systems). Retrieved September 28, 2021."data-reference="Microsoft File Mgmt"><sup><a href="https://docs.microsoft.com/en-us/windows/win32/fileio/file-management" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">ID: </span>DS0022 </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">ⓘ</span> </div> <div class="col-11 pl-0"> <span class="h5 card-title">Platforms: </span>Linux, Network, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="A description of where the data source may be physically collected (ex: Host, Network, Cloud Control Plane, etc.)">ⓘ</span> </div> <div class="col-11 pl-0"> <span class="h5 card-title">Collection Layer: </span>Host </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Contributors</span>: Center for Threat-Informed Defense (CTID) </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Version</span>: 1.0 </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Created: </span>20 October 2021 </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Last Modified: </span>07 December 2022 
</div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of DS0022" href="/versions/v16/datasources/DS0022/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of DS0022" href="/datasources/DS0022/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id="datacomponents">Data Components</h2> <div class="row no-techniques-in-data-source-message" style="display: none"> <div class="col-md-12 description-body"> <p>This data source does not have any techniques in the selected domain(s)</p> </div> </div> <div class="row"> <div class="col-md-12 section-view enterprise ics "> <a class="anchor" id="File Access"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">File: File Access</h4> <div class="description-body"> <p>Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">File: File Access</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1087">T1087</a> </td> <td> <a 
href="/versions/v16/techniques/T1087">Account Discovery</a> </td> <td> <p>Monitor access to file resources that contain local accounts and groups information such as <code>/etc/passwd</code>, <code>/Users</code> directories, and the SAM database. </p><p>If access requires high privileges, look for non-admin objects (such as users or processes) attempting to access restricted file resources.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1087/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1087/001">Local Account</a> </td> <td> <p>Monitor access to file resources that contain local accounts and groups information such as <code>/etc/passwd</code>, <code>/Users</code> directories, and the Windows SAM database. </p><p>If access requires high privileges, look for non-admin objects (such as users or processes) attempting to access restricted file resources.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1119">T1119</a> </td> <td> <a href="/versions/v16/techniques/T1119">Automated Collection</a> </td> <td> <p>Monitor for unexpected files (e.g., .pdf, .docx, .jpg, etc.) viewed for collecting internal data.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0802">T0802</a> </td> <td> <a href="/versions/v16/techniques/T0802">Automated Collection</a> </td> <td> <p>Monitor for unexpected files (e.g., .pdf, .docx, .jpg) viewed for collecting internal data.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1020">T1020</a> </td> <td> <a href="/versions/v16/techniques/T1020">Automated Exfiltration</a> </td> <td> <p>Monitor for abnormal access to files (i.e. 
.pdf, .docx, .jpg, etc.), especially sensitive documents, through the use of automated processing after being gathered during Collection.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1217">T1217</a> </td> <td> <a href="/versions/v16/techniques/T1217">Browser Information Discovery</a> </td> <td> <p>Monitor for unusual access to stored browser data, such as local files and databases (e.g., <code>%APPDATA%/Google/Chrome</code>).<span onclick="scrollToRef('scite-2')" id="scite-ref-2-a" class="scite-citeref-number" title="Chrome Enterprise and Education Help. (n.d.). Use Chrome Browser with Roaming User Profiles. Retrieved March 28, 2023." data-reference="Chrome Roaming Profiles"><sup><a href="https://support.google.com/chrome/a/answer/7349337" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> Rather than viewing these events in isolation, this activity may highlight a chain of behavior that could lead to other activities, such as Collection and Exfiltration.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1555">T1555</a> </td> <td> <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a> </td> <td> <p>Monitor for access to files in common password storage locations, which may indicate attempts to obtain user credentials.</p><p>Analytic 1 - Unauthorized access to files containing credentials.</p><p><code>index=security sourcetype IN ("WinEventLog:Security", "WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure")((sourcetype="WinEventLog:Security" EventCode=4663 ObjectName IN ("*passwords*", "*creds*", "*credentials*", "*secrets*")) OR (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetObject IN ("*passwords*", "*creds*", "*credentials*", 
"*secrets*")) OR (sourcetype="linux_secure" action="open" filepath IN ("*/etc/shadow*", "*/etc/passwd*", "*/.aws/credentials*", "*/.ssh/id_rsa*")) OR (sourcetype="macos_secure" event_type="open" file_path IN ("*/Library/Keychains/*", "*/Users/*/Library/Keychains/*", "*/Users/*/.ssh/id_rsa*"))) </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1555/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1555/001">Keychain</a> </td> <td> <p>Monitor for Keychain files being accessed that may be related to malicious credential collection.</p><p>Analytic 1 - Unauthorized access to Keychain files.</p><p><code> index=security sourcetype="macos_secure"(event_type="file_open" AND file_path IN ("~/Library/Keychains/*", "/Library/Keychains/*", "/Network/Library/Keychains/*"))</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1555/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1555/003">Credentials from Web Browsers</a> </td> <td> <p>Identify web browser files that contain credentials such as Google Chrome’s Login Data database file: <code>AppData\Local\Google\Chrome\User Data\Default\Login Data</code>. 
Monitor file read events of web browser files that contain credentials, especially when the reading process is unrelated to the subject web browser.</p><p>Analytic 1 - Unauthorized access to web browser credential files.</p><p><code>index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") event_type="file_open"((file_path IN ("*\AppData\Local\Google\Chrome\User Data\Default\Login Data", "*\AppData\Local\Microsoft\Edge\User Data\Default\Login Data", "*\AppData\Roaming\Mozilla\Firefox\Profiles\*\logins.json") AND Platform="Windows") OR (file_path IN ("/home/*/.mozilla/firefox/*/logins.json", "/home/*/.config/google-chrome/Default/Login Data") AND Platform="Linux") OR (file_path IN ("/Users/*/Library/Application Support/Google/Chrome/Default/Login Data", "/Users/*/Library/Application Support/Firefox/Profiles/*/logins.json") AND Platform="macOS")) </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1555/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1555/004">Windows Credential Manager</a> </td> <td> <p>Consider monitoring file reads to Vault locations, <code>%Systemdrive%\Users\[Username]\AppData\Local\Microsoft\[Vault/Credentials]\</code>, for suspicious activity.<span onclick="scrollToRef('scite-3')" id="scite-ref-3-a" class="scite-citeref-number" title="Arntz, P. (2016, March 30). The Windows Vault. 
Retrieved November 23, 2020." data-reference="Malwarebytes The Windows Vault"><sup><a href="https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p><p>Analytic 1 - Unauthorized access to Windows Vault credential files.</p><p><code> index=security sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" event_type="file_access"(file_path IN ("%SystemDrive%\Users\*\AppData\Local\Microsoft\Vault\*\*.vcrd", "%SystemDrive%\Users\*\AppData\Local\Microsoft\Credentials\*\*.vcrd", "%SystemDrive%\Users\*\AppData\Local\Microsoft\Vault\*\Policy.vpol", "%SystemDrive%\Users\*\AppData\Local\Microsoft\Credentials\*\Policy.vpol"))</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1555/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1555/005">Password Managers</a> </td> <td> <p>Monitor file reads that may acquire user credentials from third-party password managers.<span onclick="scrollToRef('scite-4')" id="scite-ref-4-a" class="scite-citeref-number" title="ise. (2019, February 19). Password Managers: Under the Hood of Secrets Management. 
Retrieved January 22, 2021." data-reference="ise Password Manager February 2019"><sup><a href="https://www.ise.io/casestudies/password-manager-hacking/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p><p>Analytic 1 - Unauthorized access to password manager files.</p><p><code> index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") EventCode IN (1, 4663)(file_path IN ("*\AppData\Local\Keepass\*.kdbx", "*\AppData\Local\LastPass\*.lpvault", "*\AppData\Local\1Password\*.agilekeychain", "*\AppData\Local\Bitwarden\*.json", "*\AppData\Local\Dashlane\*.db", "*\AppData\Local\PasswordSafe\*.psafe3", "/home/*/.keepass/*.kdbx", "/home/*/.lastpass/*.lpvault", "/home/*/.1password/*.agilekeychain", "/home/*/.bitwarden/*.json", "/home/*/.dashlane/*.db", "/home/*/.passwordsafe/*.psafe3"))</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1005">T1005</a> </td> <td> <a href="/versions/v16/techniques/T1005">Data from Local System</a> </td> <td> <p>Monitor for unexpected/abnormal access to files that may be malicious collection of local data, such as user files (.pdf, .docx, .jpg, etc.) 
or local databases.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0893">T0893</a> </td> <td> <a href="/versions/v16/techniques/T0893">Data from Local System</a> </td> <td> <p>Monitor for unexpected/abnormal access to files that may be malicious collection of local data, such as user files (e.g., .pdf, .docx, .jpg, .dwg) or local databases.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1039">T1039</a> </td> <td> <a href="/versions/v16/techniques/T1039">Data from Network Shared Drive</a> </td> <td> <p>Monitor for unexpected files (e.g., .pdf, .docx, .jpg) interacting with network shares.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1025">T1025</a> </td> <td> <a href="/versions/v16/techniques/T1025">Data from Removable Media</a> </td> <td> <p>Monitor for unexpected/abnormal file accesses to removable media (optical disk drive, USB memory, etc.) connected to the compromised system. 
</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1074">T1074</a> </td> <td> <a href="/versions/v16/techniques/T1074">Data Staged</a> </td> <td> <p>Monitor processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1074/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1074/001">Local Data Staging</a> </td> <td> <p>Monitor processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1074/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1074/002">Remote Data Staging</a> </td> <td> <p>Monitor processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1114">T1114</a> </td> <td> <a href="/versions/v16/techniques/T1114">Email Collection</a> </td> <td> <p>Monitor for unusual processes access of local system email files for Exfiltration, unusual processes connecting to an email server within a network, or unusual access patterns 
or authentication attempts on a public-facing webmail server may all be indicators of malicious activity.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1114/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1114/001">Local Email Collection</a> </td> <td> <p>Monitor for unusual processes accessing local email files that may target user email on local systems to collect sensitive information.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1048">T1048</a> </td> <td> <a href="/versions/v16/techniques/T1048">Exfiltration Over Alternative Protocol</a> </td> <td> <p>Monitor for suspicious files (e.g. .pdf, .docx, .jpg, etc.) viewed in isolation that may steal data by exfiltrating it over a different protocol than that of the existing command and control channel.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1048/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1048/001">Exfiltration Over Symmetric Encrypted Non-C2 Protocol</a> </td> <td> <p>Monitor for files viewed in isolation that may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1048/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1048/002">Exfiltration Over Asymmetric Encrypted Non-C2 Protocol</a> </td> <td> <p>Monitor for files viewed in isolation that may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a 
href="/versions/v16/techniques/T1048/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1048/003">Exfiltration Over Unencrypted Non-C2 Protocol</a> </td> <td> <p>Monitor for files viewed in isolation that may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1041">T1041</a> </td> <td> <a href="/versions/v16/techniques/T1041">Exfiltration Over C2 Channel</a> </td> <td> <p>Monitor for suspicious files (e.g. .pdf, .docx, .jpg, etc.) viewed in isolation that may steal data by exfiltrating it over an existing command and control channel.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1011">T1011</a> </td> <td> <a href="/versions/v16/techniques/T1011">Exfiltration Over Other Network Medium</a> </td> <td> <p>Monitor for files being accessed that could be related to exfiltration, such as file reads by a process that also has an active network connection.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1011/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1011/001">Exfiltration Over Bluetooth</a> </td> <td> <p>Monitor for files being accessed that could be related to exfiltration, such as file reads by a process that also has an active network connection. Also monitor for and investigate changes to host adapter settings, such as the addition and/or replication of communication interfaces. 
</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1052">T1052</a> </td> <td> <a href="/versions/v16/techniques/T1052">Exfiltration Over Physical Medium</a> </td> <td> <p>Monitor file access on removable media that may attempt to exfiltrate data via a physical medium, such as a removable drive.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1052/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1052/001">Exfiltration over USB</a> </td> <td> <p>Monitor file access on removable media that may attempt to exfiltrate data over a USB connected physical device.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1567">T1567</a> </td> <td> <a href="/versions/v16/techniques/T1567">Exfiltration Over Web Service</a> </td> <td> <p>Monitor for files being accessed by an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1567/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1567/001">Exfiltration to Code Repository</a> </td> <td> <p>Monitor for files being accessed to exfiltrate data to a code repository rather than over their primary command and control channel.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1567/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1567/002">Exfiltration to Cloud Storage</a> </td> <td> <p>Monitor for files being accessed to exfiltrate data to a cloud storage service rather than over their primary command and control channel.</p> </td> </tr> <tr class="sub technique enterprise" 
id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1567/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1567/004">Exfiltration Over Webhook</a> </td> <td> <p>Monitor for files being accessed to exfiltrate data to a webhook as a malicious command and control channel.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1187">T1187</a> </td> <td> <a href="/versions/v16/techniques/T1187">Forced Authentication</a> </td> <td> <p>Monitor for access to files that may indicate attempts to coerce a user into providing authentication information.</p><p>Analytic 1 - Suspicious access to files known to be used for forced authentication attacks.</p><p><code> index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName="*\path\to\suspicious\file*" | where match(ObjectName, "(?i)\(.*\.)?(lnk|scf|url|doc|dot|xls|ppt|pdf|scf|html)$")</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1654">T1654</a> </td> <td> <a href="/versions/v16/techniques/T1654">Log Enumeration</a> </td> <td> <p>Monitor for access to system and service log files, especially from unexpected and abnormal users.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1003">T1003</a> </td> <td> <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a> </td> <td> <p>Monitor file accesses that may indicate attempts to dump credential data from various storage locations such as LSASS memory, SAM, NTDS.dit, LSA secrets, cached domain credentials, proc filesystem, /etc/passwd, and /etc/shadow.</p><p>Analytic 1 - Unauthorized access to credential storage files.</p><p><code> (index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName IN ("*\config\SAM", "*\ntds.dit", 
"*\policy\secrets", "*\cache")) OR (index=security sourcetype="auditd" (key="path" (value IN ("/etc/passwd", "/etc/shadow")) OR key="proctitle" value IN ("*cat*", "*strings*", "*grep*", "*awk*", "*cut*", "*sed*", "*sort*", "*uniq*", "*head*", "*tail*", "*less*", "*more*"))) OR (index=security sourcetype="macOS:UnifiedLog" (process IN ("cat", "grep", "awk", "cut", "sed", "sort", "uniq", "head", "tail", "less", "more") OR message IN ("/etc/passwd", "/etc/shadow", "/var/db/shadow/hash/*", "/private/etc/master.passwd")))</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1003/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1003/002">Security Account Manager</a> </td> <td> <p>Monitor for hash dumpers opening the Security Accounts Manager (SAM) on the local file system (<code>%SystemRoot%/system32/config/SAM</code>). Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. 
Detection of compromised <a href="/versions/v16/techniques/T1078">Valid Accounts</a> in-use by adversaries may help as well.</p><p>Analytic 1 - Unauthorized access to SAM database.</p><p><code> index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName="*\config\SAM" | where ProcessName IN ("reg.exe", "powershell.exe", "wmic.exe", "schtasks.exe", "cmd.exe", "rundll32.exe", "mimikatz.exe", "procdump.exe")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1003/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1003/003">NTDS</a> </td> <td> <p>Monitor for access to or copying of the NTDS.dit file.</p><p>Note: Events 4656 and 4663 (Microsoft Windows Security Auditing) provide context of processes and users requesting access or accessing file objects (ObjectType = File) such as C:\Windows\NTDS\ntds.dit. It is important to note that, in order to generate these events, a System Access Control List (SACL) must be defined for the ntds.dit file. Access rights that allow read operations on file objects and their attributes are %%4416 Read file data, %%4419 Read extended file attributes, %%4423 Read file attributes. If you search for just the name of the file and not the entire directory, you may get access events related to the ntds.dit file within a snapshot or volume shadow copy. </p><p>Events 4656 and 4663 (Microsoft Windows Security Auditing) provide context of processes and users creating or copying file objects (ObjectType = File) such as C:\Windows\NTDS\ntds.dit. It is important to note that, in order to generate these events, a System Access Control List (SACL) must be defined for the ntds.dit file. In order to filter file creation events, filter on access rights %%4417 Write data to the file and %%4424 Write file attributes.</p><p>Event 11 (Microsoft Windows Sysmon) provides context of processes and users creating or copying files. 
Unfortunately, this event provides context of the file being created or copied, but not the source file it was copied from. A good starting point would be to look for new files created or copied with the extension .dit.</p><p>Analytic 1 - Active Directory Dumping via NTDSUtil</p><p><code>(sourcetype=WinEventLog:Security EventCode IN (4656, 4663)) OR (sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode="11") AND ObjectType="File" AND TargetFilename="*ntds.dit" AND (AccessList="%%4416" OR AccessList="%%4419" OR AccessList="%%4417" OR AccessList="%%4424")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1003/007">.007</a> </td> <td> <a href="/versions/v16/techniques/T1003/007">Proc Filesystem</a> </td> <td> <p>Monitor for unexpected access to passwords and hashes stored in memory; to read them, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path <code>/proc/&lt;pid&gt;/maps</code>, where the <code>&lt;pid&gt;</code> directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.</p><p>Analytic 1 - Unauthorized access to /proc filesystem.</p><p><code> index=os sourcetype="linux_audit" command IN ("grep -E '^[0-9a-f-]* r' /proc/*/maps")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1003/008">.008</a> </td> <td> <a href="/versions/v16/techniques/T1003/008">/etc/passwd and /etc/shadow</a> </td> <td> <p>Monitor for files being accessed that may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. 
The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes attempting to access <code>/etc/passwd</code> and <code>/etc/shadow</code>, alerting on the pid, process name, and arguments of such programs.</p><p>Analytic 1 - Unauthorized access to /etc/passwd and /etc/shadow.</p><p><code> index=os sourcetype="linux_audit" file IN ("/etc/passwd", "/etc/shadow") </code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1018">T1018</a> </td> <td> <a href="/versions/v16/techniques/T1018">Remote System Discovery</a> </td> <td> <p>Monitor for files (such as <code>/etc/hosts</code>) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.</p><p>For Windows, Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on access attempts of local files that store host data, including C:\Windows\System32\Drivers\etc\hosts.</p><p>For Linux, auditing frameworks such as the audit daemon (auditd) can be used to alert on access attempts of local files that store host data, including /etc/hosts.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0846">T0846</a> </td> <td> <a href="/versions/v16/techniques/T0846">Remote System Discovery</a> </td> <td> <p>Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0888">T0888</a> </td> <td> <a href="/versions/v16/techniques/T0888">Remote System Information Discovery</a> </td> <td> 
<p>Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1091">T1091</a> </td> <td> <a href="/versions/v16/techniques/T1091">Replication Through Removable Media</a> </td> <td> <p>Monitor for unexpected files accessed on removable media.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0847">T0847</a> </td> <td> <a href="/versions/v16/techniques/T0847">Replication Through Removable Media</a> </td> <td> <p>Monitor for files accessed on removable media, particularly those with executable content.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1649">T1649</a> </td> <td> <a href="/versions/v16/techniques/T1649">Steal or Forge Authentication Certificates</a> </td> <td> <p>Monitor for attempts to access files that store information about certificates and their associated private keys. For example, personal certificates for users may be stored on disk in folders such as <code>%APPDATA%\Microsoft\SystemCertificates\My\Certificates\</code>.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. 
Retrieved August 2, 2022."data-reference="SpecterOps Certified Pre Owned"><sup><a href="https://web.archive.org/web/20220818094600/https://specterops.io/assets/resources/Certified_Pre-Owned.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Syynimaa, N. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved August 3, 2022."data-reference="O365 Blog Azure AD Device IDs"><sup><a href="https://o365blog.com/post/deviceidentity/" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1558">T1558</a> </td> <td> <a href="/versions/v16/techniques/T1558">Steal or Forge Kerberos Tickets</a> </td> <td> <p>Monitor for unexpected processes interacting with lsass.exe.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. 
Retrieved October 11, 2019."data-reference="Medium Detecting Attempts to Steal Passwords from Memory"><sup><a href="https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span> Common credential dumpers such as <a href="/versions/v16/software/S0002">Mimikatz</a> access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1558/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1558/005">Ccache Files</a> </td> <td> <p>Monitor for abnormal read access to ccache files located in the <code>/tmp</code> directory of a system from non-user processes. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1539">T1539</a> </td> <td> <a href="/versions/v16/techniques/T1539">Steal Web Session Cookie</a> </td> <td> <p>Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials to cloud service management consoles. 
Some cloud providers, such as AWS, provide distinct log events for login attempts to the management console.</p><p>Analytic 1 - Unexpected access to web session cookie files.</p><p><code> (index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName="*\AppData\Roaming\*\Cookies\*" OR ObjectName="*\AppData\Local\*\Cookies\*") OR (index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetObject="*\AppData\Roaming\*\Cookies\*" OR TargetObject="*\AppData\Local\*\Cookies\*") OR (index=os sourcetype="linux_audit" (filepath="/home/*/.mozilla/firefox/*.default-release/cookies.sqlite" OR filepath="/home/*/.config/google-chrome/Default/Cookies")) OR (index=os sourcetype="macos_secure" file_path="/Users/*/Library/Application Support/Google/Chrome/Default/Cookies") OR (index=gsuite sourcetype="gsuite:admin" event_name="LOGIN" event_type="cookie_auth") OR (index=o365 sourcetype="o365:management:activity" Operation="UserLoginViaCookie")</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1033">T1033</a> </td> <td> <a href="/versions/v16/techniques/T1033">System Owner/User Discovery</a> </td> <td> <p>Monitor for hash dumpers opening the Security Accounts Manager (SAM) on the local file system (<code>%SystemRoot%/system32/config/SAM</code>). Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. 
Detection of compromised <a href="/versions/v16/techniques/T1078">Valid Accounts</a> in-use by adversaries may help as well.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1552">T1552</a> </td> <td> <a href="/versions/v16/techniques/T1552">Unsecured Credentials</a> </td> <td> <p>Monitor for suspicious file access activity, specifically indications that a process is reading multiple files in a short amount of time and/or using command-line arguments indicative of searching for credential material (ex: regex patterns). These may be indicators of automated/scripted credential access behavior. Monitoring when the user's <code>.bash_history</code> is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like "history" instead of commands like <code>cat ~/.bash_history</code>.</p><p>Analytic 1 - Multiple file reads in a short period or searching for credential material.</p><p><code> (index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName="*password*" OR ObjectName="*credential*") OR (index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetObject="*password*" OR TargetObject="*credential*") OR (index=os sourcetype="linux_audit" action="open" filepath IN ("*password*", "*credential*", "*passwd*", "*shadow*", "*.pem", "*.key")) OR (index=os sourcetype="macos_secure" event_type="open" file_path IN ("*password*", "*credential*", "*passwd*", "*shadow*", "*.pem", "*.key"))</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1552/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1552/001">Credentials In Files</a> </td> <td> <p>Monitor for 
files being accessed that may search local file systems and remote file shares for files containing insecurely stored credentials. While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. </p><p>Analytic 1 - Unauthorized access to files containing credentials.</p><p><code> (index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName IN ("*password*", "*credential*", "*secret*", "*token*")) OR (index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetObject IN ("*password*", "*credential*", "*secret*", "*token*")) OR (index=os sourcetype="linux_audit" action="open" filepath IN ("*password*", "*credential*", "*passwd*", "*shadow*", "*.pem", "*.key", "*secret*", "*token*")) OR (index=os sourcetype="macos_secure" event_type="open" file_path IN ("*password*", "*credential*", "*passwd*", "*shadow*", "*.pem", "*.key", "*secret*", "*token*"))</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1552/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1552/003">Bash History</a> </td> <td> <p>Monitoring when the user's <code>.bash_history</code> is read can help alert to suspicious activity.</p><p>Analytic 1 - Unauthorized access to .bash_history.</p><p><code> (index=os sourcetype="linux_secure" action="open" filepath="/home/*/.bash_history") OR (index=os sourcetype="macos_secure" event_type="open" file_path="/Users/*/.bash_history") | where User NOT IN ("root", "daemon", "bin", "nobody", "_spotlight", "_mbsetupuser") | where NOT match(User, "^[a-z]+$") # Filter out common service accounts</code></p> </td> </tr> <tr class="sub technique enterprise" 
id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1552/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1552/004">Private Keys</a> </td> <td> <p>Monitor access to files and directories related to cryptographic keys and certificates as a means of potentially detecting access patterns that may indicate collection and exfiltration activity. </p><p>Analytic 1 - Unauthorized access to cryptographic key files.</p><p><code> (index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName IN ("*.key", "*.pgp", "*.gpg", "*.ppk", "*.p12", "*.pem", "*.pfx", "*.cer", "*.p7b", "*.asc", "*private key*", "*certificate*")) OR (index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetObject IN ("*.key", "*.pgp", "*.gpg", "*.ppk", "*.p12", "*.pem", "*.pfx", "*.cer", "*.p7b", "*.asc", "*private key*", "*certificate*")) OR (index=os sourcetype="linux_secure" action="open" filepath IN ("*.key", "*.pgp", "*.gpg", "*.ppk", "*.p12", "*.pem", "*.pfx", "*.cer", "*.p7b", "*.asc", "*private key*", "*certificate*")) OR (index=os sourcetype="macos_secure" event_type="open" file_path IN ("*.key", "*.pgp", "*.gpg", "*.ppk", "*.p12", "*.pem", "*.pfx", "*.cer", "*.p7b", "*.asc", "*private key*", "*certificate*"))</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1552/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1552/006">Group Policy Preferences</a> </td> <td> <p>Monitor for attempts to access SYSVOL that involve searching for XML files.</p><p>Analytic 1 - Unauthorized access to SYSVOL XML files.</p><p><code> index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName="*SYSVOL*" ObjectName="*.xml" | 
eval AccessType=case( AccessMask="0x1", "Read", AccessMask="0x2", "Write", AccessMask="0x3", "Read/Write", AccessMask="0x4", "Delete", true(), "Unknown")</code></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0863">T0863</a> </td> <td> <a href="/versions/v16/techniques/T0863">User Execution</a> </td> <td> <p>Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning PowerShell).</p> </td> </tr> </tbody> </table> </div> </div> <div class="col-md-12 section-view enterprise ics "> <a class="anchor" id="File Creation"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">File: File Creation</h4> <div class="description-body"> <p>Initial construction of a new file (ex: Sysmon EID 11)</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">File: File Creation</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Initial construction of a new file (ex: Sysmon EID 11)</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1560">T1560</a> </td> <td> <a href="/versions/v16/techniques/T1560">Archive Collected Data</a> </td> <td> <p>Monitor newly constructed files being written with extensions and/or headers associated with compressed or encrypted file types. 
Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1560/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1560/001">Archive via Utility</a> </td> <td> <p>Monitor newly constructed files being written with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1560/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1560/002">Archive via Library</a> </td> <td> <p>Monitor newly constructed files being written with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1560/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1560/003">Archive via Custom Method</a> </td> <td> <p>Monitor newly constructed files being written with extensions and/or headers associated with compressed or encrypted file types. 
Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1547">T1547</a> </td> <td> <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a> </td> <td> <p>Monitor for newly constructed files that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1547/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1547/006">Kernel Modules and Extensions</a> </td> <td> <p>Monitor for newly constructed files that may modify the kernel to automatically execute programs on system boot.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1547/008">.008</a> </td> <td> <a href="/versions/v16/techniques/T1547/008">LSASS Driver</a> </td> <td> <p>Monitor newly constructed files that may modify or add LSASS drivers to obtain persistence on compromised systems.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1547/009">.009</a> </td> <td> <a href="/versions/v16/techniques/T1547/009">Shortcut Modification</a> </td> <td> <p>Monitor for LNK files created with a Zone Identifier value greater than 1, which may indicate that the LNK file originated from outside of the network.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="French, D., Filar, B.. (2020, March 21). A Chain Is No Stronger Than Its Weakest LNK. 
Retrieved November 30, 2020."data-reference="BSidesSLC 2020 - LNK Elastic"><sup><a href="https://www.youtube.com/watch?v=nJ0UsyiUEqQ" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span> Analysis should attempt to relate shortcut creation events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1547/010">.010</a> </td> <td> <a href="/versions/v16/techniques/T1547/010">Port Monitors</a> </td> <td> <p>Monitor newly constructed files that may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1547/012">.012</a> </td> <td> <a href="/versions/v16/techniques/T1547/012">Print Processors</a> </td> <td> <p>Monitor for newly constructed files that may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1547/013">.013</a> </td> <td> <a href="/versions/v16/techniques/T1547/013">XDG Autostart Entries</a> </td> <td> <p>Malicious XDG autostart entries may be detected by auditing file creation events within the <code>/etc/xdg/autostart</code> and <code>~/.config/autostart</code> directories. Depending on individual configurations, defenders may need to query the environment variables <code>$XDG_CONFIG_HOME</code> or <code>$XDG_CONFIG_DIRS</code> to determine the paths of Autostart entries. Autostart entry files not associated with legitimate packages may be considered suspicious. 
Suspicious entries can also be identified by comparing entries to a trusted system baseline.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1547/015">.015</a> </td> <td> <a href="/versions/v16/techniques/T1547/015">Login Items</a> </td> <td> <p>All login items created via shared file lists are viewable by using the System Preferences GUI or in the <code>~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm</code> file.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Apple. (n.d.). Open items automatically when you log in on Mac. Retrieved October 1, 2021."data-reference="Open Login Items Apple"><sup><a href="https://support.apple.com/guide/mac-help/open-items-automatically-when-you-log-in-mh15189/mac" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="hoakley. (2021, September 16). How to run an app or tool at startup. Retrieved October 5, 2021."data-reference="Startup Items Eclectic"><sup><a href="https://eclecticlight.co/2021/09/16/how-to-run-an-app-or-tool-at-startup/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Patrick Wardle. (2018, July 23). Block Blocking Login Items. Retrieved October 1, 2021."data-reference="objsee block blocking login items"><sup><a href="https://objective-see.com/blog/blog_0x31.html" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Stokes, Phil. (2019, June 17). HOW MALWARE PERSISTS ON MACOS. 
Retrieved September 10, 2019."data-reference="sentinelone macos persist Jun 2019"><sup><a href="https://www.sentinelone.com/blog/how-malware-persists-on-macos/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span> These locations should be monitored and audited.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1037">T1037</a> </td> <td> <a href="/versions/v16/techniques/T1037">Boot or Logon Initialization Scripts</a> </td> <td> <p>Monitor for newly constructed files that may use scripts automatically executed at boot or logon initialization to establish persistence.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1037/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1037/002">Login Hook</a> </td> <td> <p>Monitor for the creation of and/or changes to login hook files (<code>/Library/Preferences/com.apple.loginwindow.plist</code>), especially by unusual accounts outside of normal administration duties.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1037/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1037/003">Network Logon Script</a> </td> <td> <p>Monitor for newly constructed files by unusual accounts outside of normal administration duties</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1037/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1037/004">RC Scripts</a> </td> <td> <p>Monitor for newly constructed /etc/rc.local file </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1037/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1037/005">Startup Items</a> </td> <td> <p>Monitor 
for newly constructed files by unusual accounts outside of normal administration duties.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1176">T1176</a> </td> <td> <a href="/versions/v16/techniques/T1176">Browser Extensions</a> </td> <td> <p>Monitor for newly constructed files. All installed extensions maintain a plist file in the <code>/Library/Managed Preferences/username/</code> directory; ensure all listed files are in alignment with approved extensions.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1554">T1554</a> </td> <td> <a href="/versions/v16/techniques/T1554">Compromise Host Software Binary</a> </td> <td> <p>Monitor for newly constructed files that may modify client software binaries to establish persistent access to systems.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1659">T1659</a> </td> <td> <a href="/versions/v16/techniques/T1659">Content Injection</a> </td> <td> <p>Monitor for unexpected and abnormal file creations that may indicate malicious content injected through online network communications.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1543">T1543</a> </td> <td> <a href="/versions/v16/techniques/T1543">Create or Modify System Process</a> </td> <td> <p>Monitor for newly constructed files that may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1543/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1543/001">Launch Agent</a> </td> <td> <p>Monitor for newly constructed files that may create 
or modify launch agents to repeatedly execute malicious payloads as part of persistence.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1543/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1543/002">Systemd Service</a> </td> <td> <p>Systemd service unit files may be detected by auditing file creation and modification events within the <code>/etc/systemd/system</code>, <code>/usr/lib/systemd/system/</code>, and <code>/home/&lt;username&gt;/.config/systemd/user/</code> directories, as well as associated symbolic links.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1543/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1543/004">Launch Daemon</a> </td> <td> <p>Monitor for new files added to the <code>/Library/LaunchDaemons/</code> folder. The System LaunchDaemons are protected by SIP.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1486">T1486</a> </td> <td> <a href="/versions/v16/techniques/T1486">Data Encrypted for Impact</a> </td> <td> <p>Monitor for newly constructed files in user directories.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1565">T1565</a> </td> <td> <a href="/versions/v16/techniques/T1565">Data Manipulation</a> </td> <td> <p>Monitor for newly constructed files that may be used to manipulate external outcomes or hide activity.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1565/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1565/001">Stored Data Manipulation</a> </td> <td> <p>Monitor for newly constructed files that may be used to manipulate external outcomes or hide activity.</p> </td> </tr> <tr class="sub 
technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1565/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1565/003">Runtime Data Manipulation</a> </td> <td> <p>Monitor for newly constructed files that may be used to manipulate external outcomes or hide activity.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1074">T1074</a> </td> <td> <a href="/versions/v16/techniques/T1074">Data Staged</a> </td> <td> <p>Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1074/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1074/001">Local Data Staging</a> </td> <td> <p>Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1074/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1074/002">Remote Data Staging</a> </td> <td> <p>Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) 
to regularly check for compressed or encrypted data that may be indicative of staging.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1491">T1491</a> </td> <td> <a href="/versions/v16/techniques/T1491">Defacement</a> </td> <td> <p>Monitor for newly constructed visual content for internal or external enterprise networks. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1491/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1491/001">Internal Defacement</a> </td> <td> <p>Monitor for newly constructed files that may deface systems internal to an organization in an attempt to intimidate or mislead users.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1491/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1491/002">External Defacement</a> </td> <td> <p>Monitor for newly constructed files that may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1006">T1006</a> </td> <td> <a href="/versions/v16/techniques/T1006">Direct Volume Access</a> </td> <td> <p>Monitor for the creation of volume shadow copy and backup files, especially unexpected and irregular activity (relative to time, user, etc.).</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1189">T1189</a> </td> <td> <a href="/versions/v16/techniques/T1189">Drive-by Compromise</a> </td> <td> <p>Monitor for newly constructed files written to disk to gain access to a system through a user visiting a website over the normal course of 
browsing.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0817">T0817</a> </td> <td> <a href="/versions/v16/techniques/T0817">Drive-by Compromise</a> </td> <td> <p>Monitor for newly constructed files written to disk through a user visiting a website over the normal course of browsing.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1546">T1546</a> </td> <td> <a href="/versions/v16/techniques/T1546">Event Triggered Execution</a> </td> <td> <p>Monitor newly constructed files that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1546/002">Screensaver</a> </td> <td> <p>Monitor newly constructed files that may establish persistence by executing malicious content triggered by user inactivity.</p><p>Analytic 1 - Created on disk that are being used as Screensaver files</p><p><code>(sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode="11") TargetObject="*\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE" </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1546/003">Windows Management Instrumentation Event Subscription</a> </td> <td> <p>Monitor for MOF files outside of the <code>HKLM\SOFTWARE\Microsoft\WBEM</code> folder, as almost all legitimate MOF files will be stored in the WBEM folder.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Chad Tilbury. (2023, May 22). 
Finding Evil WMI Event Consumers with Disk Forensics. Retrieved February 9, 2024." data-reference="Evil WMI"><sup><a href="https://www.sans.org/blog/finding-evil-wmi-event-consumers-with-disk-forensics/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span> Adversaries may create modified MOF files to be compiled into WMI event subscriptions. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1546/004">Unix Shell Configuration Modification</a> </td> <td> <p>Monitor for newly constructed files that may establish persistence through executing malicious commands triggered by a user’s shell. For most Linux and macOS systems, a list of file paths for valid shell options available on a system is located in the <code>/etc/shells</code> file.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1546/005">Trap</a> </td> <td> <p>Monitor for newly constructed files that may establish persistence by executing malicious content triggered by an interrupt signal.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/008">.008</a> </td> <td> <a href="/versions/v16/techniques/T1546/008">Accessibility Features</a> </td> <td> <p>Monitor newly constructed files that may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/013">.013</a> </td> <td> <a href="/versions/v16/techniques/T1546/013">PowerShell Profile</a> </td> <td> <p>Locations where <code>profile.ps1</code> can be stored should be monitored 
for new profiles. <span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016." data-reference="Malware Archaeology PowerShell Cheat Sheet"><sup><a href="http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> Example profile locations include:</p><ul><li><code>$PsHome\Profile.ps1</code></li><li><code>$PsHome\Microsoft.{HostProgram}_profile.ps1</code></li><li><code>$Home\My Documents\PowerShell\Profile.ps1</code></li><li><code>$Home\My Documents\PowerShell\Microsoft.{HostProgram}_profile.ps1</code></li></ul> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/014">.014</a> </td> <td> <a href="/versions/v16/techniques/T1546/014">Emond</a> </td> <td> <p>Monitor emond rule creation by checking for files created in <code>/etc/emond.d/rules/</code> and <code>/private/var/db/emondClients</code>.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/016">.016</a> </td> <td> <a href="/versions/v16/techniques/T1546/016">Installer Packages</a> </td> <td> <p>Monitor creation of files associated with installer packages that may be abused for malicious execution.</p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1480">T1480</a> </td> <td> <a href="/versions/v16/techniques/T1480/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1480">Execution Guardrails</a>: <a href="/versions/v16/techniques/T1480/002">Mutual Exclusion</a> </td> <td> <p>Monitor for the suspicious creation of lock files – for example, in shared memory directories such as <code>/var/run</code>.<span 
onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Elastic. (n.d.). Abnormal Process ID or Lock File Created. Retrieved September 19, 2024."data-reference="Elastic Abnormal Process ID or Lock File Created"><sup><a href="https://www.elastic.co/guide/en/security/current/abnormal-process-id-or-lock-file-created.html" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1187">T1187</a> </td> <td> <a href="/versions/v16/techniques/T1187">Forced Authentication</a> </td> <td> <p>Monitor for newly constructed .LNK, .SCF, or any other files on systems and within virtual environments that contain resources that point to external network resources.</p><p>Analytic 1 - Creation of suspicious files in locations used for forced authentication attacks.</p><p><code>(index=security sourcetype="WinEventLog:Security" EventCode=4663) OR (index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11) | where match(ObjectName, "(?i)\(.*\.)?(lnk|scf|url|doc|dot|xls|ppt|pdf|html)$")| where match(ObjectName, "(?i)(desktop|public|downloads|temp|cache|start menu|startup)") </code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1564">T1564</a> </td> <td> <a href="/versions/v16/techniques/T1564">Hide Artifacts</a> </td> <td> <p>Monitor for newly constructed files that may attempt to hide artifacts associated with their behaviors to evade detection.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1564/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1564/001">Hidden Files and Directories</a> </td> <td> <p>Monitor the file system and shell commands for files being created with a 
leading "."</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1564/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1564/006">Run Virtual Instance</a> </td> <td> <p>Monitor for newly constructed files associated with running a virtual instance, such as binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V).</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1564/009">.009</a> </td> <td> <a href="/versions/v16/techniques/T1564/009">Resource Forking</a> </td> <td> <p>Monitor for newly constructed files that may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1564/012">.012</a> </td> <td> <a href="/versions/v16/techniques/T1564/012">File/Path Exclusions</a> </td> <td> <p>Monitor for newly constructed files, especially those that are unexpectedly created in folders associated with or spoofing that of trusted applications. 
Also, consider prioritizing monitoring and analyzing file activity in known file/path exclusions.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1574">T1574</a> </td> <td> <a href="/versions/v16/techniques/T1574">Hijack Execution Flow</a> </td> <td> <p>Monitor for newly constructed files that may execute their own malicious payloads by hijacking the way operating systems run programs.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1574/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1574/001">DLL Search Order Hijacking</a> </td> <td> <p>Monitor newly constructed .manifest and .local redirection files that do not correlate with software updates.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1574/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1574/002">DLL Side-Loading</a> </td> <td> <p>Monitor for newly constructed files in common folders on the computer system.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1574/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1574/004">Dylib Hijacking</a> </td> <td> <p>Monitor for newly constructed dylibs.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1574/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1574/005">Executable Installer File Permissions Weakness</a> </td> <td> <p>Monitor for newly constructed files that match an existing service executable; such activity could be detected and correlated with other suspicious behavior. 
</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1574/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1574/006">Dynamic Linker Hijacking</a> </td> <td> <p>Monitor for newly constructed files that are added to absolute paths of shared libraries referenced through LD_PRELOAD on Linux and DYLD_INSERT_LIBRARIES on macOS.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1574/007">.007</a> </td> <td> <a href="/versions/v16/techniques/T1574/007">Path Interception by PATH Environment Variable</a> </td> <td> <p>Monitor for newly constructed files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Also, monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1574/008">.008</a> </td> <td> <a href="/versions/v16/techniques/T1574/008">Path Interception by Search Order Hijacking</a> </td> <td> <p>Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Also, monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). 
If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1574/009">.009</a> </td> <td> <a href="/versions/v16/techniques/T1574/009">Path Interception by Unquoted Path</a> </td> <td> <p>Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Also, monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1574/010">.010</a> </td> <td> <a href="/versions/v16/techniques/T1574/010">Services File Permissions Weakness</a> </td> <td> <p>Monitor for creation of binaries and service executables that do not occur during a regular software update or an update scheduled by the organization. 
This detection should also consider files that are overwritten.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1574/014">.014</a> </td> <td> <a href="/versions/v16/techniques/T1574/014">AppDomainManager</a> </td> <td> <p>Monitor for newly constructed files, especially unknown .NET assemblies and configuration files in user writable folder paths.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1105">T1105</a> </td> <td> <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a> </td> <td> <p>Monitor for file creation and files transferred into the network.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1570">T1570</a> </td> <td> <a href="/versions/v16/techniques/T1570">Lateral Tool Transfer</a> </td> <td> <p>Monitor for newly constructed files resulting from a lateral tool transfer.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0867">T0867</a> </td> <td> <a href="/versions/v16/techniques/T0867">Lateral Tool Transfer</a> </td> <td> <p>Monitor for file creation in conjunction with other techniques (e.g., file transfers using <a href="/versions/v16/techniques/T0886">Remote Services</a>).</p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1036">T1036</a> </td> <td> <a href="/versions/v16/techniques/T1036/007">.007</a> </td> <td> <a href="/versions/v16/techniques/T1036">Masquerading</a>: <a href="/versions/v16/techniques/T1036/007">Double File Extension</a> </td> <td> <p>Monitor for files written to disk that contain two file extensions, particularly when the second is an executable.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> 
Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1556">T1556</a> </td> <td> <a href="/versions/v16/techniques/T1556">Modify Authentication Process</a> </td> <td> <p>Monitor for suspicious additions to the <code>/Library/Security/SecurityAgentPlugins</code> directory.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Chris Ross. (2018, October 17). Persistent Credential Theft with Authorization Plugins. Retrieved April 22, 2021."data-reference="Xorrior Authorization Plugins"><sup><a href="https://xorrior.com/persistent-credential-theft/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p><p>Monitor for newly created files that may be used to register malicious network provider dynamic link libraries (DLLs).</p><p>Analytic 1 - Unauthorized file creation in critical directories.</p><p><code> index=security sourcetype IN ("WinEventLog:Security", "wineventlog:sysmon", "linux_audit", "macos_secure")(EventCode=4663 OR EventCode=11 OR EventCode=13 OR (sourcetype="linux_audit" AND (syscall="creat" OR syscall="open" OR syscall="openat")) OR (sourcetype="macos_secure" AND action="file_write"))| eval TargetFile=coalesce(ObjectName, FileName, target_file)| search TargetFile IN ( "C:\Windows\System32\config\SAM", "C:\Windows\System32\config\system", "C:\Windows\System32\config\security", "C:\Windows\System32\lsass.exe", "/etc/passwd", "/etc/shadow", "/etc/pam.d/", "/Library/Preferences/com.apple.loginwindow.plist")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1556/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1556/002">Password Filter DLL</a> </td> <td> <p>Monitor for newly constructed files that may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.</p><p>Analytic 1 - Unauthorized 
DLL registration.</p><p><code> index=windows_logs sourcetype="WinEventLog:Security" OR sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"| search (EventCode=4688 AND (CommandLine="*regsvr32*" OR CommandLine="*rundll32*") AND CommandLine="*password.dll*")| join type=left Host [ search index=windows_logs sourcetype="WinEventLog:System" | eval File_Creation_Time=strftime(_time, "%Y-%m-%d %H:%M:%S") | where EventCode=7045 OR EventCode=2 | fields Host, File_Creation_Time, FileName, FilePath ]| eval suspected_dll=if(match(FilePath, ".*\System32\.*") OR match(FilePath, ".*\SysWOW64\.*"), "High", "Low")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1556/008">.008</a> </td> <td> <a href="/versions/v16/techniques/T1556/008">Network Provider DLL</a> </td> <td> <p>Monitor for newly created files that may be used to register malicious network provider dynamic link libraries (DLLs).</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1027">T1027</a> </td> <td> <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a> </td> <td> <p>Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. 
If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1027/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1027/004">Compile After Delivery</a> </td> <td> <p>Monitor for newly constructed files for payloads</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1027/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1027/006">HTML Smuggling</a> </td> <td> <p>Monitor for newly constructed files via JavaScript, developing rules for the different variants, with a combination of different encoding and/or encryption schemes, may be very challenging. Consider monitoring files downloaded from the Internet, possibly by HTML Smuggling, for suspicious activities. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1027/009">.009</a> </td> <td> <a href="/versions/v16/techniques/T1027/009">Embedded Payloads</a> </td> <td> <p>Monitor for newly constructed files containing large amounts of data. Abnormal file sizes may be an indicator of embedded content.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1027/012">.012</a> </td> <td> <a href="/versions/v16/techniques/T1027/012">LNK Icon Smuggling</a> </td> <td> <p>Monitor for downloaded malicious files, though developing rules for the different variants, with a combination of different encoding and/or encryption schemes, may be very challenging. 
Consider monitoring files downloaded from the Internet, possibly by LNK Icon Smuggling, for suspicious activities. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1027/013">.013</a> </td> <td> <a href="/versions/v16/techniques/T1027/013">Encrypted/Encoded File</a> </td> <td> <p>Monitor for files with large entropy which don’t match what is normal/expected given the file type and location.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1027/014">.014</a> </td> <td> <a href="/versions/v16/techniques/T1027/014">Polymorphic Code</a> </td> <td> <p>Monitor for files with large entropy which don’t match what is normal/expected given the file type and location.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1137">T1137</a> </td> <td> <a href="/versions/v16/techniques/T1137">Office Application Startup</a> </td> <td> <p>Monitor for newly constructed files that may leverage Microsoft Office-based applications for persistence between startups.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1137/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1137/001">Office Template Macros</a> </td> <td> <p>Monitor for newly constructed files that may abuse Microsoft Office templates to obtain persistence on a compromised system.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1137/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1137/002">Office Test</a> </td> <td> <p>Monitor for newly constructed files that may abuse the Microsoft 
Office "Office Test" Registry key to obtain persistence on a compromised system.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1137/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1137/006">Add-ins</a> </td> <td> <p>Monitor for newly constructed files that may abuse Microsoft Office add-ins to obtain persistence on a compromised system.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1003">T1003</a> </td> <td> <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a> </td> <td> <p>Monitor for the unexpected creation of memory dump files for processes that may contain credentials.</p><p>Analytic 1 - Unexpected memory dump file creation.</p><p><code>(index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName IN ("<em>lsass</em>.dmp", "<em>\config\SAM", "</em>\ntds.dit", "<em>\policy\secrets", "</em>\cache"))OR (index=security sourcetype="linux_secure" (key="path" value IN ("/etc/passwd", "/etc/shadow")))OR (index=security sourcetype="macOS:UnifiedLog" message IN ("/var/db/shadow/hash/*", "/private/etc/master.passwd"))</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1003/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1003/001">LSASS Memory</a> </td> <td> <p>Monitor for the unexpected creation of memory dump files for the LSASS process (e.g., <code>lsass{*}.dmp</code>).</p><p>Analytic 1 - Unexpected creation of LSASS dump files.</p><p><code> index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName="<em>\lsass</em>.dmp" | where ProcessName IN ("procdump.exe", "rundll32.exe", "taskmgr.exe", "powershell.exe", "wmic.exe", "schtasks.exe", "cmd.exe", "comsvcs.dll") </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> 
<td></td> <td></td> <td> <a href="/versions/v16/techniques/T1003/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1003/002">Security Account Manager</a> </td> <td> <p>Monitor newly constructed files being written with default names that have extracted credentials from the Security Account Manager.</p><p>Analytic 1 - Creation of files with extracted SAM credentials.</p><p><code> index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName IN ("<em>\config\SAM", "</em>\config\system", "<em>\config\security", "</em>\system32\config\sam", "<em>\system32\config\system", "</em>\system32\config\security") | where ProcessName IN ("reg.exe", "powershell.exe", "wmic.exe", "schtasks.exe", "cmd.exe", "rundll32.exe", "mimikatz.exe", "procdump.exe") </code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1566">T1566</a> </td> <td> <a href="/versions/v16/techniques/T1566">Phishing</a> </td> <td> <p>Monitor for newly constructed files from a phishing messages to gain access to victim systems.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1566/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1566/001">Spearphishing Attachment</a> </td> <td> <p>Monitor for newly constructed files from a spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1091">T1091</a> </td> <td> <a href="/versions/v16/techniques/T1091">Replication Through Removable Media</a> </td> <td> <p>Monitor for newly constructed files on removable media</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0847">T0847</a> </td> <td> <a 
href="/versions/v16/techniques/T0847">Replication Through Removable Media</a> </td> <td> <p>Monitor for newly constructed files copied to or from removable media.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1496">T1496</a> </td> <td> <a href="/versions/v16/techniques/T1496">Resource Hijacking</a> </td> <td> <p>Monitor for common cryptomining or proxyware files on local systems that may indicate compromise and resource usage.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1496/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1496/001">Compute Hijacking</a> </td> <td> <p>Monitor for common cryptomining files on local systems that may indicate compromise and resource usage.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1496/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1496/002">Bandwidth Hijacking</a> </td> <td> <p>Monitor for common proxyware files on local systems that may indicate compromise and resource usage. 
</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1053">T1053</a> </td> <td> <a href="/versions/v16/techniques/T1053">Scheduled Task/Job</a> </td> <td> <p>Monitor newly constructed files that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.</p><p>Analytic 1 - Look for new task files with unusual parameters.</p><p><code> index=security_logs OR index=system_logs(sourcetype="docker_events" OR sourcetype="kubernetes_events" OR sourcetype="wineventlog:security" OR sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="file_monitoring")| eval platform=case( sourcetype=="docker_events" OR sourcetype=="kubernetes_events", "Containers", sourcetype=="wineventlog:security", "Windows", sourcetype=="linux_secure" OR sourcetype=="syslog", "Linux", sourcetype=="mac_os_events", "macOS")| search ( (platform="Containers" AND (event_type="file_create" AND (file_path="<em>/etc/cron.d/</em>" OR file_path="<em>/etc/systemd/system/</em>"))) OR (platform="Windows" AND EventCode=4663 AND (ObjectName="C:\Windows\System32\Tasks\<em>" OR ObjectName="C:\Windows\Tasks\</em>")) OR (platform="Linux" AND (file_path="/etc/cron.d/<em>" OR file_path="/etc/systemd/system/</em>")) OR (platform="macOS" AND (file_path="/Library/LaunchDaemons/<em>" OR file_path="/Library/LaunchAgents/</em>")))</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1053/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1053/005">Scheduled Task</a> </td> <td> <p>Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. 
In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host. Task Scheduler stores tasks as files in two locations - C:\Windows\Tasks (legacy) or C:\Windows\System32\Tasks. Accordingly, this analytic looks for the creation of task files in these two locations.</p><p>Analytic 1 - Look for new task files in %systemroot%\System32\Tasks.</p><p><code>((source="<em>WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="11") OR (sourcetype=WinEventLog:Security EventCode=4663)) (TargetFilename= "C:\Windows\System32\Tasks\</em>" OR TargetFilename "C:\Windows\Tasks\*") AND Image!= "C:\WINDOWS\system32\svchost.exe"</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1053/007">.007</a> </td> <td> <a href="/versions/v16/techniques/T1053/007">Container Orchestration Job</a> </td> <td> <p>Monitor for newly constructed files by using the logging agents on Kubernetes nodes and retrieve logs from sidecar proxies for application and resource pods to monitor malicious container orchestration job deployments.</p><p>Note: This query monitors for .yaml configuration files that are used to define jobs and container behaviors within Kubernetes. 
Changes or creations of these files should be closely watched.</p><p>Analytic 1 - Look for new file creation events with unusual parameters.</p><p><code> sourcetype=kubernetes:file_creation file_path="/etc/kubernetes/manifests/*.yaml"</code></p><p>Note: <code>/etc/kubernetes/manifests</code> holds static pod manifests that the kubelet runs directly on that node, so a file appearing there is a node-level persistence signal. CronJob and Job objects created through the API are stored by the control plane rather than as files on nodes and will not produce a file event; cover that path with Kubernetes API audit logging for create and update operations on those resources.</p>
Retrieved July 22, 2021."data-reference="NSA Cyber Mitigating Web Shells"><sup><a href="https://github.com/nsacyber/Mitigating-Web-Shells" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1505/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1505/004">IIS Components</a> </td> <td> <p>Monitor for creation of files (especially DLLs on webservers) that could be abused as malicious ISAPI extensions/filters or IIS modules.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0865">T0865</a> </td> <td> <a href="/versions/v16/techniques/T0865">Spearphishing Attachment</a> </td> <td> <p>Monitor for newly constructed files from a spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.</p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1553">T1553</a> </td> <td> <a href="/versions/v16/techniques/T1553/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1553">Subvert Trust Controls</a>: <a href="/versions/v16/techniques/T1553/005">Mark-of-the-Web Bypass</a> </td> <td> <p>Monitor compressed/archive and image files downloaded from the Internet as the contents may not be tagged with the MOTW. 
Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1218">T1218</a> </td> <td> <a href="/versions/v16/techniques/T1218">System Binary Proxy Execution</a> </td> <td> <p>Monitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1218/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1218/001">Compiled HTML File</a> </td> <td> <p>Monitor presence and use of CHM files, especially if they are not typically used within an environment.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1218/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1218/002">Control Panel</a> </td> <td> <p>Monitor for newly constructed files that may forge web cookies that can be used to gain access to web applications or Internet services.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1218/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1218/005">Mshta</a> </td> <td> <p>Monitor use of HTA files. If they are not typically used within an environment then execution of them may be suspicious</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1218/014">.014</a> </td> <td> <a href="/versions/v16/techniques/T1218/014">MMC</a> </td> <td> <p>Monitor for creation and use of .msc files. 
MMC may legitimately be used to call Microsoft-created .msc files, such as <code>services.msc</code> or <code>eventvwr.msc</code>. Invoking non-Microsoft .msc files may be an indicator of malicious activity.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1080">T1080</a> </td> <td> <a href="/versions/v16/techniques/T1080">Taint Shared Content</a> </td> <td> <p>Monitor for newly constructed files from files that write or overwrite many files to a network shared directory may be suspicious.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1204">T1204</a> </td> <td> <a href="/versions/v16/techniques/T1204">User Execution</a> </td> <td> <p>Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1204/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1204/001">Malicious Link</a> </td> <td> <p>Monitor for files created on a system after a user clicks on a malicious link. 
Look for common download paths and suspicious files with executable extensions.</p><p>Analytic 1 - Files downloaded from links and then executed.</p><p><code> sourcetype=Sysmon EventCode=11| search file_path IN ("<em>/Downloads/</em>", "<em>/Temp/</em>")| stats count by file_name file_path user| where file_name LIKE "%.exe" OR file_name LIKE "%.zip" OR file_name LIKE "%.js" OR file_name LIKE "%.docm"</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1204/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1204/002">Malicious File</a> </td> <td> <p>Monitor for files created in unusual directories or files with suspicious extensions. Focus on common locations like the Downloads folder, Temp directories, or the user’s Desktop, especially files that would be of interest from spearphishing attachments.</p><p>While batch files are not inherently malicious, it is uncommon to see them created after OS installation, especially in the Windows directory. This analytic looks for the suspicious activity of a batch file being created within the C:\Windows\System32 directory tree. 
There will be only occasional false positives due to administrator actions.</p><p>For MacOS, utilities that work in concert with Apple’s Endpoint Security Framework such as File Monitor can be used to track file creation events.</p><p>Analytic 1 - Batch File Write to System32</p><p><code> (sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode="11") file_path="<em>system32</em>" AND file_extension=".bat"</code></p><p>Analytic 2 - New file creation in unusual directories.</p><p><code>sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=11| search file_path IN ("<em>/Downloads/</em>", "<em>/Temp/</em>", "<em>/Desktop/</em>")| stats count by file_name file_extension file_path user| where file_extension IN ("doc", "docx", "pdf", "xls", "rtf", "exe", "scr", "lnk", "pif", "cpl", "zip") </code></p> </td> </tr> </tbody> </table> </div> </div> <div class="col-md-12 section-view enterprise ics "> <a class="anchor" id="File Deletion"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">File: File Deletion</h4> <div class="description-body"> <p>Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules)</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">File: File Deletion</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules)</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique enterprise" 
id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1554">T1554</a> </td> <td> <a href="/versions/v16/techniques/T1554">Compromise Host Software Binary</a> </td> <td> <p>Monitor for unexpected deletion of client software binaries to establish persistent access to systems.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1485">T1485</a> </td> <td> <a href="/versions/v16/techniques/T1485">Data Destruction</a> </td> <td> <p>Monitor for unexpected deletion to a file (ex: Sysmon EID 23) </p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0809">T0809</a> </td> <td> <a href="/versions/v16/techniques/T0809">Data Destruction</a> </td> <td> <p>Monitor for unexpected deletion of files.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1565">T1565</a> </td> <td> <a href="/versions/v16/techniques/T1565">Data Manipulation</a> </td> <td> <p>Monitor for unexpected deletion of a file in order to manipulate external outcomes or hide activity </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1565/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1565/001">Stored Data Manipulation</a> </td> <td> <p>Monitor for unexpected deletion of a file in order to manipulate external outcomes or hide activity </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1565/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1565/003">Runtime Data Manipulation</a> </td> <td> <p>Monitor for unexpected deletion of a file in order to manipulate external outcomes or hide activity </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> 
Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1562">T1562</a> </td> <td> <a href="/versions/v16/techniques/T1562">Impair Defenses</a> </td> <td> <p>Monitor for missing log files hosts and services with known active periods.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1562/012">.012</a> </td> <td> <a href="/versions/v16/techniques/T1562/012">Disable or Modify Linux Audit System</a> </td> <td> <p>Monitor for missing log files from machines with known active periods.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1070">T1070</a> </td> <td> <a href="/versions/v16/techniques/T1070">Indicator Removal</a> </td> <td> <p>Monitor for a file that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1070/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1070/001">Clear Windows Event Logs</a> </td> <td> <p>Monitor for unexpected deletion of Windows event logs (via native binaries) and may also generate an alterable event (Event ID 1102: "The audit log was cleared"). When an eventlog is cleared, a new event is created that alerts that the eventlog was cleared. For Security logs, its event code 1100 and 1102. For System logs, it is event code 104.</p><p>It is unlikely that event log data would be cleared during normal operations, and it is likely that malicious attackers may try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious. </p><ol><li><p>This is often done using wevtutil, a legitimate tool provided by Microsoft. 
This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network. </p></li><li><p>Alerting when a Clear Event Log is generated could point to this intruder technique. Centrally collecting events has the added benefit of making it much harder for attackers to cover their tracks. Event Forwarding permits sources to forward multiple copies of a collected event to multiple collectors, thus enabling redundant event collection. Using a redundant event collection model can minimize the single point of failure risk. </p></li><li><p>Attackers may set the option of the sources of events with <code>Limit-EventLog -LogName Security -OverflowAction DoNotOverwrite</code> to not delete old Evenlog when the .evtx is full. By default the Security Log size is configured with the minimum value of 20 480KB (~23 000 EventLog). So if this option is enabled, all the new EventLogs will be automatically deleted. We can detect this behavior with the Security EventLog 1104. </p></li><li><p>Attackers may delete .evtx with <code>del C:\Windows\System32\winevt\logs\Security.evtx</code> or <code>Remove-Item C:\Windows\System32\winevt\logs\Security.evtx</code> after having disabled and stopped the Eventlog service. As the EventLog service is disabled and stopped, the .evtx files are no longer used by this service and can be deleted. The new EventLog will be Unavailable until the configuration is reset. </p></li><li><p>Attackers may use the powershell command <code>Remove-EventLog -LogName Security</code> to unregister source of events that are part of Windows (Application, Security…). This command deletes the security EventLog (which also generates EventId 1102) but the new Eventlogs are still recorded until the system is rebooted . After the System is rebooted, the Security log is unregistered and doesn’t log any new Eventlog. 
However logs generated between the command and the reboot are still available in the .evtx file.</p></li></ol><p>Analytic 1 - User Activity from Clearing Event Logs</p><p><code> (source="*WinEventLog:Security" EventCode IN (1100, 1102, 1104)) OR (source="*WinEventLog:System" EventCode IN (104))</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1070/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1070/002">Clear Linux or Mac System Logs</a> </td> <td> <p>Monitor for unexpected deletion of a system log file, typically stored in /var/log or /Library/Logs. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1070/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1070/003">Clear Command History</a> </td> <td> <p>Monitor for unexpected deletion of a command history file, such as ConsoleHost_history.txt, ~/.zsh_history, or ~/.bash_history.</p><p>Analytic 1 - Deletion of command history files</p><p><code>((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="23") OR (source="*WinEventLog:Security" EventCode="4663" ObjectType="File" (AccessList="*%%1537*" OR AccessList="*DELETE*"))) | eval FilePath=coalesce(TargetFilename, ObjectName) | search FilePath="*ConsoleHost_history.txt*"</code></p><p>Note: Sysmon Event ID 23 reports the deleted path in <code>TargetFilename</code>, while Security Event ID 4663 reports it in <code>ObjectName</code> and the requested access in <code>AccessList</code> (<code>%%1537</code> is DELETE); 4663 is only generated if the history file's location carries a SACL with Delete auditing. As written the query covers only the PowerShell history file; for ~/.bash_history and ~/.zsh_history use auditd unlink/unlinkat/rename rules on those paths, and note that clearing history inside a running shell, or disabling history before the shell exits, never deletes the file and must be detected from command execution instead.</p>
or captured files such as quarantined emails. </p><p>On Windows 10, mail application data is stored in <code>C:\Users\Username\AppData\Local\Comms\Unistore\data</code>. On Linux, mail data is stored in <code>/var/spool/mail</code> or <code>/var/mail</code>. On macOS, mail data is stored in <code>~/Library/Mail</code>.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1070/009">.009</a> </td> <td> <a href="/versions/v16/techniques/T1070/009">Clear Persistence</a> </td> <td> <p>Monitor for a file that may delete or alter generated artifacts associated with persistence on a host system.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0872">T0872</a> </td> <td> <a href="/versions/v16/techniques/T0872">Indicator Removal on Host</a> </td> <td> <p>Monitor for a file that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1490">T1490</a> </td> <td> <a href="/versions/v16/techniques/T1490">Inhibit System Recovery</a> </td> <td> <p>The Windows event logs, ex. 
Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity.</p> </td> </tr> </tbody> </table> </div> </div> <div class="col-md-12 section-view enterprise ics "> <a class="anchor" id="File Metadata"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">File: File Metadata</h4> <div class="description-body"> <p>Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">File: File Metadata</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1548">T1548</a> </td> <td> <a href="/versions/v16/techniques/T1548">Abuse Elevation Control Mechanism</a> </td> <td> <p>Monitor the file system for files that have the setuid or setgid bits set. 
On Linux, auditd can alert every time a user's actual ID and effective ID differ (this is what happens when you sudo).</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1548/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1548/001">Setuid and Setgid</a> </td> <td> <p>Monitor the file system for files that have the setuid or setgid bits set.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1554">T1554</a> </td> <td> <a href="/versions/v16/techniques/T1554">Compromise Host Software Binary</a> </td> <td> <p>Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment.</p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1543">T1543</a> </td> <td> <a href="/versions/v16/techniques/T1543/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v16/techniques/T1543/003">Windows Service</a> </td> <td> <p>Adversaries may modify the binary file for an existing service to achieve <a href="https://attack.mitre.org/tactics/TA0003">Persistence</a> while potentially achieving <a href="https://attack.mitre.org/tactics/TA0005">Defense Evasion</a>. If a newly created or modified binary runs as a service, it may indicate APT activity. However, services are frequently installed by legitimate software. A well-tuned baseline is essential to differentiating between benign and malicious service modifications. Look for events where a file was created and then later run as a service. In these cases, a new service has been created or the binary has been modified. 
Many programs, such as msiexec.exe, exhibit these behaviors legitimately and can be used to help validate legitimate service creations/modifications.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1565">T1565</a> </td> <td> <a href="/versions/v16/techniques/T1565">Data Manipulation</a> </td> <td> <p>Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc., that would aid in the manipulation of data to hide activity.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1565/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1565/003">Runtime Data Manipulation</a> </td> <td> <p>Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc., that would aid in the manipulation of data to hide activity.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1546">T1546</a> </td> <td> <a href="/versions/v16/techniques/T1546">Event Triggered Execution</a> </td> <td> <p>Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1546/006">LC_LOAD_DYLIB Addition</a> </td> <td> <p>Changes to binaries that do not line up with application updates or patches are also extremely suspicious.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a 
href="/versions/v16/techniques/T1222">T1222</a> </td> <td> <a href="/versions/v16/techniques/T1222">File and Directory Permissions Modification</a> </td> <td> <p>Monitor and investigate attempts to modify ACLs and file/directory ownership.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1222/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1222/001">Windows File and Directory Permissions Modification</a> </td> <td> <p>Consider enabling file/directory permission change auditing on folders containing key binary/configuration files. For example, Windows Security Log events (Event ID 4670) are created when DACLs are modified.</p><p>Adversaries sometimes modify object access rights at the operating system level. There are varying motivations behind this action - they may not want some files/objects to be changed on systems for persistence reasons and therefore grant admin-only rights; also, they may want files to be accessible with lower levels of permissions.</p><p>Windows environment logs can be noisy, so we take the following into consideration:</p><ul><li>We need to exclude events generated by the local system (subject security ID "NT AUTHORITY\SYSTEM") and focus on actual user events.</li><li>When a permission modification is made for a folder, a new event log is generated for each subfolder and file under that folder. It is advised to group logs based on handle ID or user ID.</li><li>The Windows security log (event ID 4670) also includes information about the process that modifies the file permissions. It is advised to focus on uncommon process names, and it is also uncommon for real users to perform this task without a GUI.</li><li>Pseudocode Event ID is for Windows Security Log (Event ID 4670 - Permissions on an object were changed). 
</li><li>Windows Event ID 4719 (An Attempt Was Made to Access An Object) can also be used to alert on changes to Active Directory audit policy for a system.</li></ul><p>Analytic 1 - Access Permission Modification for Windows</p><p><code> (source="*WinEventLog:Security" EventCode IN (4670, 4719)) Object_Type="File" Security_ID!="NT AUTHORITY\SYSTEM" </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1222/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1222/002">Linux and Mac File and Directory Permissions Modification</a> </td> <td> <p>Monitor and investigate attempts to modify ACLs and file/directory ownership. Consider enabling file/directory permission change auditing on folders containing key binary/configuration files.</p><p>This analytic looks for any invocation of chmod. Note that this is likely to be noisier than the Windows-specific implementation, although Linux does not generate logs for system-triggered activities as Windows does. In addition, it may be necessary to whitelist cron jobs that regularly run and execute chmod.</p><p>Linux environment logs can be noisier than the Windows-specific implementation, although Linux does not generate logs for system-triggered activities as Windows does. 
In addition, it may be necessary to whitelist cron jobs that regularly run and execute chmod.</p><p>Analytic 1 - Access Permission Modification for Linux</p><p><code>sourcetype=linux_logs CommandLine="chmod*"</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1564">T1564</a> </td> <td> <a href="/versions/v16/techniques/T1564">Hide Artifacts</a> </td> <td> <p>Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions that may attempt to hide artifacts associated with their behaviors to evade detection.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1564/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1564/001">Hidden Files and Directories</a> </td> <td> <p>Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions may set files and directories to be hidden to evade detection mechanisms.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1564/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1564/004">NTFS File Attributes</a> </td> <td> <p>Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, may use NTFS file attributes to hide their malicious data in order to evade detection. Forensic techniques exist to identify information stored in NTFS EA. <span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Harrell, C. (2012, December 11). Extracting ZeroAccess from NTFS Extended Attributes. 
Retrieved June 3, 2016."data-reference="Journey into IR ZeroAccess NTFS EA"><sup><a href="http://journeyintoir.blogspot.com/2012/12/extracting-zeroaccess-from-ntfs.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1564/007">.007</a> </td> <td> <a href="/versions/v16/techniques/T1564/007">VBA Stomping</a> </td> <td> <p>If the document is opened with a Graphical User Interface (GUI) the malicious p-code is decompiled and may be viewed. However, if the <code>PROJECT</code> stream, which specifies the project properties, is modified in a specific way the decompiled VBA code will not be displayed. For example, adding a module name that is undefined to the <code>PROJECT</code> stream will inhibit attempts of reading the VBA source code through the GUI.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Cole, R., Moore, A., Stark, G., Stancill, B. (2020, February 5). STOMP 2 DIS: Brilliance in the (Visual) Basics. 
Retrieved September 17, 2020."data-reference="FireEye VBA stomp Feb 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1564/009">.009</a> </td> <td> <a href="/versions/v16/techniques/T1564/009">Resource Forking</a> </td> <td> <p>Identify files with the <code>com.apple.ResourceFork</code> extended attribute and large data amounts stored in resource forks.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1070">T1070</a> </td> <td> <a href="/versions/v16/techniques/T1070">Indicator Removal</a> </td> <td> <p>Monitor for contextual file data that may show signs of deletion or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1070/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1070/006">Timestomp</a> </td> <td> <p>Monitor for modifications to file metadata. Compare the <code>$STANDARD_INFORMATION</code> and <code>$FILE_NAME</code> attributes in the Master File Table (MFT).<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping Detection – NTFS Forensics. Retrieved September 30, 2024."data-reference="Inversecos Timestomping 2022"><sup><a href="https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span> Additionally, look for nanoseconds in a timestamp matching "0000000". 
This often shows the use of an automated tool such as Metasploit.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping Detection – NTFS Forensics. Retrieved September 30, 2024."data-reference="Inversecos Timestomping 2022"><sup><a href="https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0872">T0872</a> </td> <td> <a href="/versions/v16/techniques/T0872">Indicator Removal on Host</a> </td> <td> <p>Monitor for contextual file data that may show signs of deletion or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1570">T1570</a> </td> <td> <a href="/versions/v16/techniques/T1570">Lateral Tool Transfer</a> </td> <td> <p>Monitor for alike file hashes or characteristics (ex: filename) that are created on multiple hosts.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0867">T0867</a> </td> <td> <a href="/versions/v16/techniques/T0867">Lateral Tool Transfer</a> </td> <td> <p>Monitor for alike file hashes or characteristics (ex: filename) that are created on multiple hosts. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1036">T1036</a> </td> <td> <a href="/versions/v16/techniques/T1036">Masquerading</a> </td> <td> <p>Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. 
Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters "\u202E", "[U+202E]", and "%E2%80%AE".</p><p>Check and ensure that file headers/signatures and extensions match using magic bytes detection and/or file signature validation.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Li, V. (2019, October 2). Polyglot Files: a Hacker’s best friend. Retrieved September 27, 2022." data-reference="Polyglot Files: a Hacker’s best friend"><sup><a href="https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span> In Linux, the <code>file</code> command may be used to check the file signature.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Kessler, G. (2022, December 9). GCK'S FILE SIGNATURES TABLE. 
Retrieved August 23, 2022."data-reference="file_sig_table"><sup><a href="https://www.garykessler.net/library/file_sigs.html" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1036/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1036/001">Invalid Code Signature</a> </td> <td> <p>Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment, look for invalid signatures as well as unusual certificate characteristics and outliers.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1036/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1036/002">Right-to-Left Override</a> </td> <td> <p>Monitor for common formats of RTLO characters within filenames such as \u202E, [U+202E], and %E2%80%AE. 
Defenders should also check their analysis tools to ensure they do not interpret the RTLO character and instead print the true name of the file containing it.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1036/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1036/003">Rename System Utilities</a> </td> <td> <p>Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1036/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1036/005">Match Legitimate Name or Location</a> </td> <td> <p>Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1036/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1036/006">Space after Filename</a> </td> <td> <p>Monitor for spaces at the end of file names, that can easily be checked with file monitoring. From the user's perspective though, this is very hard to notice from within the Finder.app or on the command-line in Terminal.app. 
Processes executed from binaries containing non-standard extensions in the filename are suspicious.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1036/007">.007</a> </td> <td> <a href="/versions/v16/techniques/T1036/007">Double File Extension</a> </td> <td> <p>Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0849">T0849</a> </td> <td> <a href="/versions/v16/techniques/T0849">Masquerading</a> </td> <td> <p>Collect file hashes. Monitor for file names that do not match their expected hash. Perform file monitoring. Files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters "\u202E", "[U+202E]", and "%E2%80%AE". For added context on adversary procedures and background see <a href="/versions/v16/techniques/T1036">Masquerading</a> and applicable sub-techniques.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1027">T1027</a> </td> <td> <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a> </td> <td> <p>Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.</p><p>File-based signatures may be capable of detecting code obfuscation depending on the methods used.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Brennan, M. (2022, February 16). 
Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection. Retrieved August 22, 2022."data-reference="Huntress API Hash"><sup><a href="https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Choi, S. (2015, August 6). Obfuscated API Functions in Modern Packers. Retrieved August 22, 2022."data-reference="BlackHat API Packers"><sup><a href="https://www.blackhat.com/docs/us-15/materials/us-15-Choi-API-Deobfuscator-Resolving-Obfuscated-API-Functions-In-Modern-Packers.pdf" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span><span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Jason (jxb5151). (2021, January 28). findapihash.py. Retrieved August 22, 2022."data-reference="MITRECND FindAPIHash"><sup><a href="https://github.com/MITRECND/malchive/blob/main/malchive/utilities/findapihash.py" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1027/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1027/001">Binary Padding</a> </td> <td> <p>Depending on the method used to pad files, a file-based signature may be capable of detecting padding using a scanning or on-access based tool. 
When executed, the resulting process from padded files may also exhibit other behavior characteristics of being used to conduct an intrusion such as system and network information Discovery or Lateral Movement, which could be used as event indicators that point to the source file.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1027/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1027/002">Software Packing</a> </td> <td> <p>Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1027/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1027/003">Steganography</a> </td> <td> <p>Detection of steganography is difficult unless artifacts are left behind by the obfuscation process that are detectable with a known signature. 
Look for strings or other signatures left in system artifacts related to decoding steganography.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1027/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1027/004">Compile After Delivery</a> </td> <td> <p>Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1027/007">.007</a> </td> <td> <a href="/versions/v16/techniques/T1027/007">Dynamic API Resolution</a> </td> <td> <p>Depending on the method used to obfuscate API function calls, a file-based signature may be capable of detecting dynamic resolution.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Brennan, M. (2022, February 16). Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection. Retrieved August 22, 2022." data-reference="Huntress API Hash"><sup><a href="https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Choi, S. (2015, August 6). Obfuscated API Functions in Modern Packers. Retrieved August 22, 2022." data-reference="BlackHat API Packers"><sup><a href="https://www.blackhat.com/docs/us-15/materials/us-15-Choi-API-Deobfuscator-Resolving-Obfuscated-API-Functions-In-Modern-Packers.pdf" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span><span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Jason (jxb5151). (2021, January 28). findapihash.py. 
Retrieved August 22, 2022."data-reference="MITRECND FindAPIHash"><sup><a href="https://github.com/MITRECND/malchive/blob/main/malchive/utilities/findapihash.py" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1027/008">.008</a> </td> <td> <a href="/versions/v16/techniques/T1027/008">Stripped Payloads</a> </td> <td> <p>Detecting the presence of stripped payloads may be difficult and unwarranted in real-time, though analyzing contextual data about files (such as content and character entropy) may highlight attempts at obfuscation.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1027/009">.009</a> </td> <td> <a href="/versions/v16/techniques/T1027/009">Embedded Payloads</a> </td> <td> <p>Monitor contextual data about a file that may highlight embedded payloads, which may include information such as name, the content (ex: signature, headers, or data/media), file size, etc.; correlate with other suspicious behavior to reduce false positives. 
</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1027/010">.010</a> </td> <td> <a href="/versions/v16/techniques/T1027/010">Command Obfuscation</a> </td> <td> <p>Scripts containing obfuscated content may have higher entropy of characters/strings.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1027/012">.012</a> </td> <td> <a href="/versions/v16/techniques/T1027/012">LNK Icon Smuggling</a> </td> <td> <p>Monitor contextual data about a file that may highlight embedded malicious content, which may include information such as name, the content (ex: signature, headers, or data/media), file size, etc.; correlate with other suspicious behavior to reduce false positives.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1027/013">.013</a> </td> <td> <a href="/versions/v16/techniques/T1027/013">Encrypted/Encoded File</a> </td> <td> <p>Monitor for and analyze files which contain content with large entropy, as this may indicate potentially malicious compressed or encrypted data.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1027/014">.014</a> </td> <td> <a href="/versions/v16/techniques/T1027/014">Polymorphic Code</a> </td> <td> <p>Monitor for and analyze files which contain content with large entropy, as this may indicate potentially malicious compressed or encrypted data.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1055">T1055</a> </td> <td> <a href="/versions/v16/techniques/T1055">Process Injection</a> </td> <td> <p>Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), 
user/owner, permissions, etc.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1055/013">.013</a> </td> <td> <a href="/versions/v16/techniques/T1055/013">Process Doppelgänging</a> </td> <td> <p>Scan file objects reported during the PsSetCreateProcessNotifyRoutine, <span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved December 20, 2017."data-reference="Microsoft PsSetCreateProcessNotifyRoutine routine"><sup><a href="https://msdn.microsoft.com/library/windows/hardware/ff559951.aspx" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span> which triggers a callback whenever a process is created or deleted, specifically looking for file objects with enabled write access. <span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Liberman, T. & Kogan, E. (2017, December 7). Lost in Transaction: Process Doppelgänging. Retrieved December 20, 2017."data-reference="BlackHat Process Doppelgänging Dec 2017"><sup><a href="https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span> Also consider comparing file objects loaded in memory to the corresponding file on disk. <span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="hasherezade. (2017, December 18). Process Doppelgänging – a new way to impersonate a process. 
Retrieved December 20, 2017."data-reference="hasherezade Process Doppelgänging Dec 2017"><sup><a href="https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1553">T1553</a> </td> <td> <a href="/versions/v16/techniques/T1553">Subvert Trust Controls</a> </td> <td> <p>Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1553/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1553/001">Gatekeeper Bypass</a> </td> <td> <p>Review <code>false</code> values under the <code>LSFileQuarantineEnabled</code> entry in an application's <code>Info.plist</code> file (required by every application). <code>false</code> under <code>LSFileQuarantineEnabled</code> indicates that an application does not use the quarantine flag. Unsandboxed applications with an unspecified <code>LSFileQuarantineEnabled</code> entry will default to not setting the quarantine flag.</p><p>QuarantineEvents is a SQLite database containing a list of all files assigned the <code>com.apple.quarantine</code> attribute, located at <code>~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2</code>. Each event contains the corresponding UUID, timestamp, application, Gatekeeper score, and decision if it was allowed. <span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="hoakley. (2020, October 29). Quarantine and the quarantine flag. 
Retrieved September 13, 2021."data-reference="TheEclecticLightCompany Quarantine and the flag"><sup><a href="https://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1553/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1553/002">Code Signing</a> </td> <td> <p>Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1553/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1553/005">Mark-of-the-Web Bypass</a> </td> <td> <p>Monitor files (especially those downloaded from untrusted locations) for MOTW attributes. Also consider inspecting and scanning file formats commonly abused to bypass MOTW (ex: .arj, .gzip, .iso, .vhd).</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1195">T1195</a> </td> <td> <a href="/versions/v16/techniques/T1195">Supply Chain Compromise</a> </td> <td> <p>Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1195/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1195/001">Compromise Software Dependencies and Development Tools</a> </td> <td> <p>Use verification of distributed binaries through hash checking or other integrity checking mechanisms. 
Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1195/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1195/002">Compromise Software Supply Chain</a> </td> <td> <p>Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0862">T0862</a> </td> <td> <a href="/versions/v16/techniques/T0862">Supply Chain Compromise</a> </td> <td> <p>Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures.</p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1218">T1218</a> </td> <td> <a href="/versions/v16/techniques/T1218/011">.011</a> </td> <td> <a href="/versions/v16/techniques/T1218">System Binary Proxy Execution</a>: <a href="/versions/v16/techniques/T1218/011">Rundll32</a> </td> <td> <p>Analyze contextual data about executed DLL files, which may include information such as name, the content (ex: signature, headers, or data/media), age, user/owner, permissions, etc.</p> </td> </tr> </tbody> </table> </div> </div> <div class="col-md-12 section-view enterprise ics "> <a class="anchor" id="File Modification"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">File: File Modification</h4> <div class="description-body"> <p>Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file 
(ex: Windows EID 4670 or Sysmon EID 2)</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">File: File Modification</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1548">T1548</a> </td> <td> <a href="/versions/v16/techniques/T1548">Abuse Elevation Control Mechanism</a> </td> <td> <p>On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the <code>LOG_INPUT</code> and <code>LOG_OUTPUT</code> directives in the <code>/etc/sudoers</code> file. Consider monitoring for <code>/usr/libexec/security_authtrampoline</code> executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. 
MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1548/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1548/001">Setuid and Setgid</a> </td> <td> <p>Monitor for changes made to files that may perform shell escapes or exploit vulnerabilities in an application with the setuid or setgid bits set to get code running in a different user’s context.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1548/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1548/003">Sudo and Sudo Caching</a> </td> <td> <p>On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the <code>LOG_INPUT</code> and <code>LOG_OUTPUT</code> directives in the <code>/etc/sudoers</code> file.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1548/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1548/006">TCC Manipulation</a> </td> <td> <p>Monitor for changes to files associated with TCC settings, such as <code>/Library/Application Support/com.apple.TCC/TCC.db</code> and the overwrites file.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1098">T1098</a> </td> <td> <a href="/versions/v16/techniques/T1098">Account Manipulation</a> </td> <td> <p>Monitor for changes made to files related to account settings, such as <code>/etc/ssh/sshd_config</code> and the authorized_keys file for each user on a system.</p> </td> </tr> <tr class="sub technique enterprise" 
id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1098/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1098/004">SSH Authorized Keys</a> </td> <td> <p>Monitor for changes made to the authorized_keys file for each user on a system. Monitor for changes to <code>/etc/ssh/sshd_config</code>, and for suspicious processes modifying it.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1547">T1547</a> </td> <td> <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a> </td> <td> <p>Monitor for changes made to files that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1547/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1547/001">Registry Run Keys / Startup Folder</a> </td> <td> <p>Monitor the startup folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including the startup folders. <span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. 
Retrieved June 6, 2016."data-reference="TechNet Autoruns"><sup><a href="https://technet.microsoft.com/en-us/sysinternals/bb963902" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1547/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1547/006">Kernel Modules and Extensions</a> </td> <td> <p>Monitor for changes made to files that may modify the kernel to automatically execute programs on system boot.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1547/007">.007</a> </td> <td> <a href="/versions/v16/techniques/T1547/007">Re-opened Applications</a> </td> <td> <p>Monitoring the specific plist files associated with reopening applications can indicate when an application has registered itself to be reopened.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1547/008">.008</a> </td> <td> <a href="/versions/v16/techniques/T1547/008">LSASS Driver</a> </td> <td> <p>Monitor for changes made to files that may modify or add LSASS drivers to obtain persistence on compromised systems.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1547/009">.009</a> </td> <td> <a href="/versions/v16/techniques/T1547/009">Shortcut Modification</a> </td> <td> <p>Since a shortcut's target path likely will not change, modifications to shortcut files that do not correlate with known software changes, patches, removal, etc., may be suspicious. 
Analysis should attempt to relate shortcut file change events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1547/013">.013</a> </td> <td> <a href="/versions/v16/techniques/T1547/013">XDG Autostart Entries</a> </td> <td> <p>Malicious XDG autostart entries may be detected by auditing file modification events within the <code>/etc/xdg/autostart</code> and <code>~/.config/autostart</code> directories. Depending on individual configurations, defenders may need to query the environment variables <code>$XDG_CONFIG_HOME</code> or <code>$XDG_CONFIG_DIRS</code> to determine the paths of Autostart entries. Autostart entry files not associated with legitimate packages may be considered suspicious. Suspicious entries can also be identified by comparing entries to a trusted system baseline.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1547/015">.015</a> </td> <td> <a href="/versions/v16/techniques/T1547/015">Login Items</a> </td> <td> <p>All login items created via shared file lists are viewable by using the System Preferences GUI or in the <code>~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm</code> file.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Apple. (n.d.). Open items automatically when you log in on Mac. Retrieved October 1, 2021."data-reference="Open Login Items Apple"><sup><a href="https://support.apple.com/guide/mac-help/open-items-automatically-when-you-log-in-mh15189/mac" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="hoakley. 
(2021, September 16). How to run an app or tool at startup. Retrieved October 5, 2021."data-reference="Startup Items Eclectic"><sup><a href="https://eclecticlight.co/2021/09/16/how-to-run-an-app-or-tool-at-startup/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Patrick Wardle. (2018, July 23). Block Blocking Login Items. Retrieved October 1, 2021."data-reference="objsee block blocking login items"><sup><a href="https://objective-see.com/blog/blog_0x31.html" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Stokes, Phil. (2019, June 17). HOW MALWARE PERSISTS ON MACOS. Retrieved September 10, 2019."data-reference="sentinelone macos persist Jun 2019"><sup><a href="https://www.sentinelone.com/blog/how-malware-persists-on-macos/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span> These locations should be monitored and audited.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1037">T1037</a> </td> <td> <a href="/versions/v16/techniques/T1037">Boot or Logon Initialization Scripts</a> </td> <td> <p>Monitor for changes made to files that are modified by unusual accounts outside of normal administration duties.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1037/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1037/002">Login Hook</a> </td> <td> <p>Monitor for changes to login hook files (<code>/Library/Preferences/com.apple.loginwindow.plist</code>), especially by unusual accounts outside of normal administration duties.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> 
<td> <a href="/versions/v16/techniques/T1037/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1037/003">Network Logon Script</a> </td> <td> <p>Monitor for unexpected modifications to logon script files, especially by unusual accounts outside of normal administration duties.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1037/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1037/004">RC Scripts</a> </td> <td> <p>Monitor for unexpected modifications to RC scripts in the <code>/etc/</code> directory.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1037/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1037/005">Startup Items</a> </td> <td> <p>Monitor for unexpected modifications to files in the <code>/Library/StartupItems</code> folder.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1554">T1554</a> </td> <td> <a href="/versions/v16/techniques/T1554">Compromise Host Software Binary</a> </td> <td> <p>Monitor changes to client software that do not correlate with known software or patch cycles.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1543">T1543</a> </td> <td> <a href="/versions/v16/techniques/T1543">Create or Modify System Process</a> </td> <td> <p>Monitor for changes to files associated with system-level processes.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1543/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1543/001">Launch Agent</a> </td> <td> <p>Launch Agents also require files on disk for persistence, which can be monitored via file monitoring applications.</p> </td> </tr> 
<tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1543/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1543/002">Systemd Service</a> </td> <td> <p>Systemd service unit files may be detected by auditing file creation and modification events within the <code>/etc/systemd/system</code>, <code>/usr/lib/systemd/system/</code>, and <code>/home/&lt;username&gt;/.config/systemd/user/</code> directories, as well as associated symbolic links.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1543/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1543/004">Launch Daemon</a> </td> <td> <p>Monitor files for changes that may create or modify Launch Daemons to execute malicious payloads as part of persistence.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1485">T1485</a> </td> <td> <a href="/versions/v16/techniques/T1485">Data Destruction</a> </td> <td> <p>Monitor for changes made to a large quantity of files for unexpected modifications in user directories and under C:\Windows\System32.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0809">T0809</a> </td> <td> <a href="/versions/v16/techniques/T0809">Data Destruction</a> </td> <td> <p>Monitor for changes made to a large quantity of files for unexpected modifications in both user directories and directories used to store programs and OS components (e.g., C:\Windows\System32). 
</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1486">T1486</a> </td> <td> <a href="/versions/v16/techniques/T1486">Data Encrypted for Impact</a> </td> <td> <p>Monitor for changes made to files in user directories.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1565">T1565</a> </td> <td> <a href="/versions/v16/techniques/T1565">Data Manipulation</a> </td> <td> <p>Monitor for unexpected files with manipulated data in order to manipulate external outcomes or hide activity</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1565/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1565/001">Stored Data Manipulation</a> </td> <td> <p>Monitor for unexpected files with manipulated data in order to manipulate external outcomes or hide activity</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1565/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1565/003">Runtime Data Manipulation</a> </td> <td> <p>Monitor for unexpected files with manipulated data in order to manipulate external outcomes or hide activity</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1491">T1491</a> </td> <td> <a href="/versions/v16/techniques/T1491">Defacement</a> </td> <td> <p>Monitor for changes made to files for unexpected modifications to internal and external websites for unplanned content changes.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1491/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1491/001">Internal Defacement</a> </td> <td> <p>Monitor 
internal websites for unplanned content changes.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1491/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1491/002">External Defacement</a> </td> <td> <p>Monitor external websites for unplanned content changes.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1140">T1140</a> </td> <td> <a href="/versions/v16/techniques/T1140">Deobfuscate/Decode Files or Information</a> </td> <td> <p>Monitor for changes made to files for unexpected modifications that attempt to hide artifacts. On Windows, Event ID 4663 (Security Log - An attempt was made to access an object) can be used to alert on suspicious file accesses (e.g., attempting to write to a file which shouldn’t be further modified) that may coincide with attempts to hide artifacts. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1546">T1546</a> </td> <td> <a href="/versions/v16/techniques/T1546">Event Triggered Execution</a> </td> <td> <p>Monitor for changes made to files that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1546/002">Screensaver</a> </td> <td> <p>Monitor for changes made to files that may establish persistence by executing malicious content triggered by user inactivity.</p><p>Note: Although there are no standard events for file modification, Windows Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on attempted accesses of screensaver files (typically ending in a file extension of .scr). Event ID 4663 is only generated for objects that carry a matching audit SACL, so the relevant files or directories must be explicitly configured for object access auditing before this event will appear. 
</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1546/004">Unix Shell Configuration Modification</a> </td> <td> <p>Monitor for changes to <code>/etc/profile</code> and <code>/etc/profile.d</code>, these files should only be modified by system administrators. MacOS users can leverage Endpoint Security Framework file events monitoring these specific files.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Patrick Wardle. (2019, September 17). Writing a File Monitor with Apple's Endpoint Security Framework. Retrieved December 17, 2020."data-reference="ESF_filemonitor"><sup><a href="https://objective-see.com/blog/blog_0x48.html" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1546/005">Trap</a> </td> <td> <p>Monitor for changes made to files that may establish persistence by executing malicious content triggered by an interrupt signal.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1546/006">LC_LOAD_DYLIB Addition</a> </td> <td> <p>Monitor file systems for changes to application binaries and invalid checksums/signatures.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/008">.008</a> </td> <td> <a href="/versions/v16/techniques/T1546/008">Accessibility Features</a> </td> <td> <p>Monitor for changes made to files that may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility 
features. Changes to accessibility utility binaries or binary paths that do not correlate with known software, patch cycles, etc., are suspicious.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/011">.011</a> </td> <td> <a href="/versions/v16/techniques/T1546/011">Application Shimming</a> </td> <td> <p>Monitor for changes made to files that may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/013">.013</a> </td> <td> <a href="/versions/v16/techniques/T1546/013">PowerShell Profile</a> </td> <td> <p>Locations where <code>profile.ps1</code> can be stored should be monitored for modifications. <span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later. 
Retrieved June 24, 2016."data-reference="Malware Archaeology PowerShell Cheat Sheet"><sup><a href="http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> Example profile locations include:</p><ul><li><code>$PsHome\Profile.ps1</code></li><li><code>$PsHome\Microsoft.{HostProgram}_profile.ps1</code></li><li><code>$Home\My Documents\PowerShell\Profile.ps1</code></li><li><code>$Home\My Documents\PowerShell\Microsoft.{HostProgram}_profile.ps1</code></li></ul> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/014">.014</a> </td> <td> <a href="/versions/v16/techniques/T1546/014">Emond</a> </td> <td> <p>Monitor emond rules creation by checking for files modified in <code>/etc/emond.d/rules/</code> and <code>/private/var/db/emondClients</code>.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/017">.017</a> </td> <td> <a href="/versions/v16/techniques/T1546/017">Udev Rules</a> </td> <td> <p>Monitor the creation and modification of files in the directories where udev rules are located: <code>/etc/udev/rules.d/</code>, <code>/run/udev/rules.d/</code>, <code>/lib/udev/rules.d/</code>, <code>/usr/lib/udev/rules.d/</code>, and <code>/usr/local/lib/udev/rules.d/</code>. Analyze and monitor changes to the <code>RUN</code> assignment key.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for persistence. 
Retrieved September 26, 2024."data-reference="Ignacio Udev research 2024"><sup><a href="https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span><span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Ruben Groenewoud. (2024, August 29). Linux Detection Engineering - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024."data-reference="Elastic Linux Persistence 2024"><sup><a href="https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1203">T1203</a> </td> <td> <a href="/versions/v16/techniques/T1203">Exploitation for Client Execution</a> </td> <td> <p>Monitor file system changes associated with exploitation, such as suspicious files dropped by browsers, Office apps, or third-party programs, which can be used for further stages of attack.</p><p>Analytic 1 - identifies file creations or modifications associated with commonly exploited software. Adjust the sourcetype and the path and process lists to the platform being monitored; the example below mixes Windows, macOS, and Linux values and should be split per platform in practice.</p><p><code>sourcetype=linux_auditd| search file_path IN ("/Users/*/Library/", "C:\Users\*\AppData\Roaming\", "/home/*/.config/", "/var/tmp/")| stats count by file_path process_name user| where process_name IN ("chrome.exe", "firefox.exe", "winword.exe", "excel.exe", "acrord32.exe", "flashplayer.exe") </code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1187">T1187</a> </td> <td> <a href="/versions/v16/techniques/T1187">Forced Authentication</a> </td> <td> <p>Monitor for changes made to the .LNK, .SCF, or any other files on systems and within virtual environments that contain resources that point to external network resources. 
</p><p>Analytic 1 - Modifications to files known to be used for forced authentication attacks.</p><p><code>(index=security sourcetype="WinEventLog:Security" EventCode=4663) | where match(ObjectName, "(?i)\(.*\.)?(lnk|scf|url|doc|dot|xls|ppt|pdf|html)$")| where match(ObjectName, "(?i)(desktop|public|downloads|temp|cache|start menu|startup)")</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1564">T1564</a> </td> <td> <a href="/versions/v16/techniques/T1564">Hide Artifacts</a> </td> <td> <p>Monitor for changes made to files that may attempt to hide artifacts associated with their behaviors to evade detection.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1564/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1564/002">Hidden Users</a> </td> <td> <p>Monitor for changes made to files that may use hidden users to mask the presence of user accounts they create or modify. Monitor for changes made to the <code>/Library/Preferences/com.apple.loginwindow</code> plist file for unexpected modifications to the <code> Hide500Users</code> key value on macOS.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. 
Retrieved December 10, 2021."data-reference="Cybereason OSX Pirrit"><sup><a href="https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1564/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1564/003">Hidden Window</a> </td> <td> <p>Monitor for changes made to files that may use hidden windows to conceal malicious activity from the plain sight of users. In MacOS, plist files are ASCII text files with a specific format, so they're relatively easy to parse. File monitoring can check for the <code>apple.awt.UIElement</code> or any other suspicious plist tag in plist files and flag them.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1564/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1564/004">NTFS File Attributes</a> </td> <td> <p>There are many ways to create and interact with ADSs using Windows utilities. Monitor for operations (execution, copies, etc.) with file names that contain colons. This syntax (ex: <code>file.ext:ads[.ext]</code>) is commonly associated with ADSs. <span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Marlin, J. (2013, March 24). Alternate Data Streams in NTFS. Retrieved March 21, 2018."data-reference="Microsoft ADS Mar 2014"><sup><a href="https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span> <span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Moe, O. (2018, January 14). Putting Data in Alternate Data Streams and How to Execute It. 
Retrieved June 30, 2018."data-reference="Oddvar Moe ADS1 Jan 2018"><sup><a href="https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span> <span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="Moe, O. (2018, April 11). Putting Data in Alternate Data Streams and How to Execute It - Part 2. Retrieved June 30, 2018."data-reference="Oddvar Moe ADS2 Apr 2018"><sup><a href="https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span> For a more exhaustive list of utilities that can be used to execute and create ADSs, see https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1564/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1564/005">Hidden File System</a> </td> <td> <p>Detecting the use of a hidden file system may be exceptionally difficult depending on the implementation. Emphasis may be placed on detecting related aspects of the adversary lifecycle, such as how malware interacts with the hidden file system or how a hidden file system is loaded.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1564/008">.008</a> </td> <td> <a href="/versions/v16/techniques/T1564/008">Email Hiding Rules</a> </td> <td> <p>On MacOS systems, monitor for modifications to the <code>RulesActiveState.plist</code>, <code>SyncedRules.plist</code>, <code>UnsyncedRules.plist</code>, and <code>MessageRules.plist</code> files.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Apple. (n.d.). Use rules to manage emails you receive in Mail on Mac. 
Retrieved June 14, 2021."data-reference="MacOS Email Rules"><sup><a href="https://support.apple.com/guide/mail/use-rules-to-manage-emails-you-receive-mlhlp1017/mac" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1574">T1574</a> </td> <td> <a href="/versions/v16/techniques/T1574">Hijack Execution Flow</a> </td> <td> <p>Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1574/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1574/001">DLL Search Order Hijacking</a> </td> <td> <p>Monitor for changes made to .manifest/.local redirection files, or file systems for moving, renaming, replacing, or modifying DLLs. 
Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1574/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1574/002">DLL Side-Loading</a> </td> <td> <p>Monitor for changes made to files for unexpected modifications to access permissions and attributes </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1574/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1574/004">Dylib Hijacking</a> </td> <td> <p>Monitor file systems for moving, renaming, replacing, or modifying dylibs. Changes in the set of dylibs that are loaded by a process (compared to past behavior) that do not correlate with known software, patches, etc., are suspicious. Check the system for multiple dylibs with the same name and monitor which versions have historically been loaded into a process.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1574/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1574/005">Executable Installer File Permissions Weakness</a> </td> <td> <p>Monitor for changes to binaries and service executables that may normally occur during software updates. 
</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1574/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1574/006">Dynamic Linker Hijacking</a> </td> <td> <p>Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD on Linux and DYLD_INSERT_LIBRARIES on macOS.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1574/008">.008</a> </td> <td> <a href="/versions/v16/techniques/T1574/008">Path Interception by Search Order Hijacking</a> </td> <td> <p>Monitor for program metadata modifications such as deletion of the path to an executable, since it makes programs vulnerable to this type of technique. Also, monitor modifications of files such as renaming programs using Windows system utility names.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1574/009">.009</a> </td> <td> <a href="/versions/v16/techniques/T1574/009">Path Interception by Unquoted Path</a> </td> <td> <p>Monitor for changes made to files that may execute their own malicious payloads by hijacking vulnerable file path references.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1574/010">.010</a> </td> <td> <a href="/versions/v16/techniques/T1574/010">Services File Permissions Weakness</a> </td> <td> <p>Monitor for modification of binaries and service executables that do not occur during a regular software update or an update scheduled by the organization. 
Modification of files includes actions such as renaming and moving between directories.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1562">T1562</a> </td> <td> <a href="/versions/v16/techniques/T1562">Impair Defenses</a> </td> <td> <p>Monitor changes made to configuration files that contain settings for logging and defensive tools.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1562/012">.012</a> </td> <td> <a href="/versions/v16/techniques/T1562/012">Disable or Modify Linux Audit System</a> </td> <td> <p>Monitor changes made to the <code>/etc/audit/audit.rules</code> file containing the sequence of <code>auditctl</code> commands loaded at boot time. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1070">T1070</a> </td> <td> <a href="/versions/v16/techniques/T1070">Indicator Removal</a> </td> <td> <p>Monitor for changes made to files that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1070/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1070/002">Clear Linux or Mac System Logs</a> </td> <td> <p>Monitor for changes made to system log files, typically stored in /var/log or /Library/Logs, for unexpected modifications to access permissions and attributes.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1070/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1070/003">Clear Command History</a> </td> <td> <p>Monitor for changes made to command history files, such as ConsoleHost_history.txt, ~/.zsh_history, or 
~/.bash_history, for unexpected modifications to contents, access permissions, and attributes.</p><p>Analytic 1 - Modification of access rights to command history files</p><p><code> (source="*WinEventLog:Security" EventCode IN (4663, 4670) AND Path="*ConsoleHost_history.txt*" AND ObjectType="File") AND (UserAccessList="*1539*" OR UserAccessList="*WRITE_DAC*") OR (ObjectNewSd="*;FA*" OR ObjectNewSd="*;FW*" OR ObjectNewSd="*;BU*")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1070/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1070/006">Timestomp</a> </td> <td> <p>Monitor for unexpected modifications to file timestamps.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1070/007">.007</a> </td> <td> <a href="/versions/v16/techniques/T1070/007">Clear Network Connection History and Configurations</a> </td> <td> <p>Monitor changes to files that may be indicators of deleting or altering malicious network configuration settings as well as generated artifacts on a host system that highlight network connection history, such as <code>Default.rdp</code> or <code>/var/log/</code>. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1070/008">.008</a> </td> <td> <a href="/versions/v16/techniques/T1070/008">Clear Mailbox Data</a> </td> <td> <p>Monitor for changes made to generated artifacts on a host system, including logs or captured files such as quarantined emails. </p><p>On Windows 10, mail application data is stored in <code>C:\Users\Username\AppData\Local\Comms\Unistore\data</code>. On Linux, mail data is stored in <code>/var/spool/mail</code> or <code>/var/mail</code>. 
On macOS, mail data is stored in <code>~/Library/Mail</code>.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1070/009">.009</a> </td> <td> <a href="/versions/v16/techniques/T1070/009">Clear Persistence</a> </td> <td> <p>Monitor for changes made to files that may delete or alter generated artifacts associated with persistence on a host system.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1070/010">.010</a> </td> <td> <a href="/versions/v16/techniques/T1070/010">Relocate Malware</a> </td> <td> <p>Monitor for changes to files that may highlight malware or otherwise potentially malicious payloads being copied between different file/folder locations on a host.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0872">T0872</a> </td> <td> <a href="/versions/v16/techniques/T0872">Indicator Removal on Host</a> </td> <td> <p>Monitor for changes made to files that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1056">T1056</a> </td> <td> <a href="/versions/v16/techniques/T1056">Input Capture</a> </td> <td> <p>Monitor for changes made to files for unexpected modifications to access permissions and attributes.</p><p>Analytic 1 - Unexpected file modifications.</p><p><code> index=security sourcetype="WinEventLog:Security" EventCode=4663 | where Object_Type="File" AND Access_Mask IN ("0x2", "0x4", "0x20", "0x80", "0x100") </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1056/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1056/003">Web Portal 
Capture</a> </td> <td> <p>Monitor for changes to files in the Web directory for organization login pages that do not match authorized updates to the Web server's content.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1036">T1036</a> </td> <td> <a href="/versions/v16/techniques/T1036">Masquerading</a> </td> <td> <p>Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Windows Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on attempted file accesses that may be associated with Masquerading. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1036/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1036/003">Rename System Utilities</a> </td> <td> <p>Monitor for changes made to files for unexpected modifications to file names that are mismatched between the file name on disk and that of the binary's PE metadata. This is a likely indicator that a binary was renamed after it was compiled. </p><p>Note: There are no standard Windows events for file modification. However, Event ID 4663 (An attempt was made to access an object) can be used to audit and alert on attempts to access system utility binaries; the "Accesses" field can be used to filter by type of access (e.g., MODIFY vs DELETE). 
</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1036/008">.008</a> </td> <td> <a href="/versions/v16/techniques/T1036/008">Masquerade File Type</a> </td> <td> <p>Check and ensure that file headers/signature and extensions match using magic bytes detection and/or file signature validation.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Li, V. (2019, October 2). Polyglot Files: a Hacker’s best friend. Retrieved September 27, 2022."data-reference="Polyglot Files: a Hacker’s best friend"><sup><a href="https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span> In Linux, the <code>file</code> command may be used to check the file signature.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Kessler, G. (2022, December 9). GCK'S FILE SIGNATURES TABLE. 
Retrieved August 23, 2022."data-reference="file_sig_table"><sup><a href="https://www.garykessler.net/library/file_sigs.html" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0849">T0849</a> </td> <td> <a href="/versions/v16/techniques/T0849">Masquerading</a> </td> <td> <p>Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1556">T1556</a> </td> <td> <a href="/versions/v16/techniques/T1556">Modify Authentication Process</a> </td> <td> <p>Monitor for suspicious modification of files associated with authentication processes, such as configuration files and module paths (e.g. <code>/etc/pam.d/</code>). Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files. 
Also monitor for access to certificates and cryptographic key material.</p><p>Analytic 1 - Unauthorized modifications to authentication-related files.</p><p><code> index=security sourcetype IN ("WinEventLog:Security", "WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_audit", "macos_secure")(EventCode=4663 OR EventCode=11 OR EventCode=13 OR (sourcetype="linux_audit" AND (syscall IN ("creat", "open", "openat", "write", "chmod", "chown", "unlink"))) OR (sourcetype="macos_secure" AND action="file_write"))| eval TargetFile=coalesce(ObjectName, FileName, target_file)| search TargetFile IN ( "C:\Windows\System32\config\SAM", "C:\Windows\System32\config\system", "C:\Windows\System32\config\security", "C:\Windows\System32\lsass.exe", "C:\Windows\System32\Drivers\etc\hosts", "/etc/passwd", "/etc/shadow", "/etc/pam.d/*", "/etc/security/*", "/etc/sshd_config", "/etc/ssh/sshd_config", "/Library/Preferences/com.apple.loginwindow.plist", "/Library/Security/authorization", "/etc/krb5.conf", "/etc/krb5.keytab", "/etc/pam.conf", "/etc/security/access.conf", "/etc/security/limits.conf", "/etc/security/namespace.conf", "/etc/security/sepermit.conf", "/etc/security/time.conf")| eval User=coalesce(Account_Name, user, uid, user_name)| eval Platform=case( sourcetype=="WinEventLog:Security", "Windows", sourcetype=="wineventlog:sysmon", "Windows", sourcetype=="linux_audit", "Linux", sourcetype=="macos_secure", "macOS", true(), "Unknown") </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1556/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1556/001">Domain Controller Authentication</a> </td> <td> <p>Monitor for changes to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. 
Retrieved April 8, 2019."data-reference="Dell Skeleton"><sup><a href="https://www.secureworks.com/research/skeleton-key-malware-analysis" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span></p><p>Analytic 1 - Unauthorized changes to authentication-related DLLs.</p><p><code>index=windows sourcetype=WinEventLog:Security ( (EventCode=4663 AND Object_Type="File" AND Object_Name IN ("C:\Windows\System32\lsass.exe", "C:\Windows\System32\samlib.dll", "C:\Windows\System32\cryptdll.dll", "C:\Windows\System32\samsrv.dll")) OR (EventCode=4662 AND Object_Type="File" AND Object_Name IN ("C:\Windows\System32\lsass.exe", "C:\Windows\System32\samlib.dll", "C:\Windows\System32\cryptdll.dll", "C:\Windows\System32\samsrv.dll")) OR (EventCode=4670 AND Object_Name IN ("C:\Windows\System32\lsass.exe", "C:\Windows\System32\samlib.dll", "C:\Windows\System32\cryptdll.dll", "C:\Windows\System32\samsrv.dll"))) </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1556/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1556/003">Pluggable Authentication Modules</a> </td> <td> <p>Monitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. 
Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.</p><p>Analytic 1 - Unauthorized changes to PAM configuration and module paths.</p><p><code>index=os sourcetype="linux_audit" OR sourcetype="auditd" (type="MODIFY" OR type="CREATE" OR type="DELETE") (file="/etc/pam.d/*" OR file="/usr/lib/security/*" OR file="/lib/security/*") </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1556/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1556/004">Network Device Authentication</a> </td> <td> <p>Monitor for changes made to the checksum of the operating system file and verify the image of the operating system in memory.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020."data-reference="Cisco IOS Software Integrity Assurance - Image File Verification"><sup><a href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#7" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span><span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. 
Retrieved October 19, 2020."data-reference="Cisco IOS Software Integrity Assurance - Run-Time Memory Verification"><sup><a href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#13" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span> Detection of this behavior may be difficult; detection efforts may be focused on closely related adversary behaviors, such as Modify System Image.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1556/007">.007</a> </td> <td> <a href="/versions/v16/techniques/T1556/007">Hybrid Identity</a> </td> <td> <p>Monitor for suspicious modification of files associated with hybrid identity authentication processes, such as configuration files. Monitor for access to certificates and cryptographic key material.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1601">T1601</a> </td> <td> <a href="/versions/v16/techniques/T1601">Modify System Image</a> </td> <td> <p>Most embedded network devices provide a command to print the version of the currently running operating system. Use this command to query the operating system for its version number and compare it to what is expected for the device in question. Because this method may be used in conjunction with <a href="/versions/v16/techniques/T1601/001">Patch System Image</a>, it may be appropriate to also verify the integrity of the vendor provided operating system image file.</p><p>Compare the checksum of the operating system file with the checksum of a known good copy from a trusted source. Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not. 
Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised. <span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020."data-reference="Cisco IOS Software Integrity Assurance - Image File Verification"><sup><a href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#7" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span></p><p>Many vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory. If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system. <span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020."data-reference="Cisco IOS Software Integrity Assurance - Run-Time Memory Verification"><sup><a href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#13" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1601/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1601/001">Patch System Image</a> </td> <td> <p>Compare the checksum of the operating system file with the checksum of a known good copy from a trusted source. 
Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not. Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised.https://tools.cisco.com/security/center/resources/integrity_assurance.html#7</p><p>Many vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory. If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system. https://tools.cisco.com/security/center/resources/integrity_assurance.html#13</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1601/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1601/002">Downgrade System Image</a> </td> <td> <p>Monitor for changes made to the operating system of a network device because image downgrade may be used in conjunction with <a href="/versions/v16/techniques/T1601/001">Patch System Image</a>, it may be appropriate to also verify the integrity of the vendor provided operating system image file.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1137">T1137</a> </td> <td> <a href="/versions/v16/techniques/T1137">Office Application Startup</a> </td> <td> <p>Monitor for changes made to files that may leverage Microsoft Office-based applications for persistence between startups.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1137/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1137/001">Office Template Macros</a> </td> 
<td> <p>Monitor for changes made to files that may abuse Microsoft Office templates to obtain persistence on a compromised system. Modification to base templates, like Normal.dotm, should also be investigated since the base templates should likely not contain VBA macros. Changes to the Office macro security settings should also be investigated.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1137/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1137/002">Office Test</a> </td> <td> <p>Monitor for changes made to files that may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1137/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1137/006">Add-ins</a> </td> <td> <p>Monitor for changes made to files that may abuse Microsoft Office add-ins to obtain persistence on a compromised system.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1647">T1647</a> </td> <td> <a href="/versions/v16/techniques/T1647">Plist File Modification</a> </td> <td> <p>Monitor for plist file modification, especially if immediately followed by other suspicious events such as code execution from <code>~/Library/Scripts</code> or <code>~/Library/Preferences</code>. 
Also, monitor for significant changes to any path pointers in a modified plist.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1653">T1653</a> </td> <td> <a href="/versions/v16/techniques/T1653">Power Settings</a> </td> <td> <p>Monitor for unexpected changes to configuration files associated with the power settings of a system.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1055">T1055</a> </td> <td> <a href="/versions/v16/techniques/T1055">Process Injection</a> </td> <td> <p>Monitor for changes made to files that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1055/009">.009</a> </td> <td> <a href="/versions/v16/techniques/T1055/009">Proc Memory</a> </td> <td> <p>Monitor for changes made to /proc files that may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Users should not have permission to modify these in most cases. 
</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0873">T0873</a> </td> <td> <a href="/versions/v16/techniques/T0873">Project File Infection</a> </td> <td> <p>Monitor for unexpected changes to project files, although if the malicious modification occurs in tandem with legitimate changes it will be difficult to isolate the unintended changes by analyzing only file systems modifications.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1014">T1014</a> </td> <td> <a href="/versions/v16/techniques/T1014">Rootkit</a> </td> <td> <p>Monitor for changes and the existence of unrecognized DLLs, drivers, devices, services, and to the MBR. <span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016."data-reference="Wikipedia Rootkit"><sup><a href="https://en.wikipedia.org/wiki/Rootkit" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1053">T1053</a> </td> <td> <a href="/versions/v16/techniques/T1053">Scheduled Task/Job</a> </td> <td> <p>Monitor for changes made to files that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.</p><p>Analytic 1 - Look for task file modifications with unusual parameters.</p><p><code>index=security_logs OR index=system_logs(sourcetype="docker_events" OR sourcetype="kubernetes_events" OR sourcetype="wineventlog:security" OR sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="file_monitoring")| eval platform=case( sourcetype=="docker_events" OR sourcetype=="kubernetes_events", "Containers", sourcetype=="wineventlog:security", "Windows", sourcetype=="linux_secure" OR 
sourcetype=="syslog", "Linux", sourcetype=="mac_os_events", "macOS")| search ( (platform="Containers" AND (event_type="file_modify" AND (file_path="*/etc/cron.d/*" OR file_path="*/etc/systemd/system/*" OR file_path="/etc/crontab"))) OR (platform="Windows" AND EventCode=4663 AND (ObjectName="C:\Windows\System32\Tasks\*" OR ObjectName="C:\Windows\Tasks\*")) OR (platform="Linux" AND (file_path="/etc/cron.d/*" OR file_path="/etc/systemd/system/*" OR file_path="/etc/crontab")) OR (platform="macOS" AND (file_path="/Library/LaunchDaemons/*" OR file_path="/Library/LaunchAgents/*"))) </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1053/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1053/002">At</a> </td> <td> <p>On Windows, monitor Windows Task Scheduler stores in <code>%systemroot%\System32\Tasks</code> for change entries related to scheduled tasks, especially those that do not correlate with known software, patch cycles, etc. On Linux and macOS, all <a href="/versions/v16/software/S0110">at</a> jobs are stored in <code>/var/spool/cron/atjobs/</code>.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="Craig Rowland. (2019, July 25). Getting an Attacker IP Address from a Malicious Linux At Job. Retrieved October 15, 2021."data-reference="rowland linux at 2019"><sup><a href="https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span></p><p>Analytic 1 - Look for task file modifications with unusual parameters. (Linux)</p><p><code> index=linux_logs sourcetype=syslog "at" "/var/spool/cron/atjobs/"| rex "user=(?<user>\w+)"</code></p><p>Analytic 2 - Look for task file modifications with unusual parameters. 
(Windows) </p><p><code> index=windows_logs sourcetype=WinEventLog:System EventCode=4663 Object_Type="File"| rex field=_raw "Object_Name=(?<file_path>[^\r\n]+)"| search file_path="*at*"| where NOT (user="SYSTEM" AND file_path="C:\Windows\Tasks\allowed_task.job")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1053/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1053/003">Cron</a> </td> <td> <p>Monitor modifications to crontab files or system-wide cron directories. Monitor for changes made to files for unexpected modifications to access permissions and attributes.</p><p>Analytic 1 - Modified Files in Linux Cron Directories</p><p><code> index=linux sourcetype:cron_logs:scheduled_tasks" | search "modification" AND (file_path="/etc/crontab" OR file_path="/var/spool/cron/crontabs/*" OR file_path="/etc/cron.d/*")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1053/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1053/005">Scheduled Task</a> </td> <td> <p>Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.</p><p>Analytic 1 - Look for task file modifications with unusual parameters.</p><p><code> sourcetype=WinEventLog:Security (EventCode=4663 OR file_path="C:\Windows\System32\Tasks\*")| stats count by user host file_path action| where action="Write" OR action="Create"</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1053/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1053/006">Systemd Timers</a> </td> <td> <p>Monitor for changes made to systemd timer unit files for unexpected modification events within the /etc/systemd/system, 
/usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links.</p><p>Analytic 1 - Look for systemd timer file modifications with unusual parameters.</p><p><code>sourcetype=linux_file_audit (file_path="/etc/systemd/system/*.timer" OR file_path="/etc/systemd/system/*.service" OR file_path="~/.config/systemd/user/*.timer" OR file_path="/usr/lib/systemd/system/*.timer")| stats count by user host file_path action| where action="Create" OR action="Write" </code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1505">T1505</a> </td> <td> <a href="/versions/v16/techniques/T1505">Server Software Component</a> </td> <td> <p>Monitor for changes made to files that may abuse legitimate extensible development features of servers to establish persistent access to systems.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1505/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1505/003">Web Shell</a> </td> <td> <p>Monitor for changes made to files that may backdoor web servers with web shells to establish persistent access to systems.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1505/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1505/004">IIS Components</a> </td> <td> <p>Monitor for modification of files (especially DLLs on webservers) that could be abused as malicious ISAPI extensions/filters or IIS modules. Changes to <code>%windir%\system32\inetsrv\config\applicationhost.config</code> could indicate an IIS module installation.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Microsoft. (2007, November 24). IIS Modules Overview. 
Retrieved June 17, 2021."data-reference="Microsoft IIS Modules Overview 2007"><sup><a href="https://docs.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span><span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Hromcová, Z., Cherepanov, A. (2021). Anatomy of Native IIS Malware. Retrieved September 9, 2021."data-reference="ESET IIS Malware 2021"><sup><a href="https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1505/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1505/005">Terminal Services DLL</a> </td> <td> <p>Monitor unexpected changes and/or interactions with <code>termsrv.dll</code>, which is typically stored in <code>%SystemRoot%\System32\</code>.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1489">T1489</a> </td> <td> <a href="/versions/v16/techniques/T1489">Service Stop</a> </td> <td> <p>Monitor for changes made to files that may stop or disable services on a system to render those services unavailable to legitimate users.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0881">T0881</a> </td> <td> <a href="/versions/v16/techniques/T0881">Service Stop</a> </td> <td> <p>Monitor for changes made to files that may stop or disable services on a system to render those services unavailable to legitimate users.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1553">T1553</a> </td> <td> <a 
href="/versions/v16/techniques/T1553">Subvert Trust Controls</a> </td> <td> <p>Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018."data-reference="SpectorOps Subverting Trust Sept 2017"><sup><a href="https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span> Also analyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure "Hide Microsoft Entries" and "Hide Windows Entries" are both deselected.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018."data-reference="SpectorOps Subverting Trust Sept 2017"><sup><a href="https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span></p><p>On macOS, the removal of the <code>com.apple.quarantine</code> flag by a user instead of the operating system is a suspicious action and should be examined further. 
Also monitor software update frameworks that may strip this flag when performing updates.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1553/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1553/001">Gatekeeper Bypass</a> </td> <td> <p>The removal of the <code>com.apple.quarantine</code> flag by a user instead of the operating system is a suspicious action and should be examined further. Also monitor software update frameworks that may strip this flag when performing updates.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1553/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1553/003">SIP and Trust Provider Hijacking</a> </td> <td> <p>Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018."data-reference="SpectorOps Subverting Trust Sept 2017"><sup><a href="https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span> Also analyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure "Hide Microsoft Entries" and "Hide Windows Entries" are both deselected.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="Graeber, M. (2017, September). Subverting Trust in Windows. 
Retrieved January 31, 2018."data-reference="SpectorOps Subverting Trust Sept 2017"><sup><a href="https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1569">T1569</a> </td> <td> <a href="/versions/v16/techniques/T1569">System Services</a> </td> <td> <p>Track changes to critical service-related files (e.g., <code>/etc/systemd/system/</code>, <code>/etc/init.d/</code>, and service binaries on Linux, <code>C:\Windows\System32\services.exe</code> on Windows, or <code>/Library/LaunchDaemons</code> on macOS).</p><p>Analytic 1 - Unusual file modifications related to system services.</p><p><code>sourcetype=file_monitor| search file_path IN ("/etc/systemd/system/*", "/etc/init.d/*", "/Library/LaunchDaemons/*", "C:\Windows\System32\services.exe") </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1569/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1569/001">Launchctl</a> </td> <td> <p>Every Launch Agent and Launch Daemon must have a corresponding plist file on disk which can be monitored. Plist files are located in the root, system, and user <code>/Library/LaunchAgents</code> or <code>/Library/LaunchDaemons</code> folders. 
<a href="/versions/v16/techniques/T1543/001">Launch Agent</a> or <a href="/versions/v16/techniques/T1543/004">Launch Daemon</a> entries with executable paths pointing to /tmp or /Shared folder locations are potentially suspicious.</p><p>Analytic 1 - Suspicious plist file modifications.</p><p><code>sourcetype=osquery OR sourcetype=FSEvents| search file_path IN ("/Library/LaunchAgents/*", "/Library/LaunchDaemons/*")| where file_action="modified" AND new_executable_path IN ("/tmp/*", "/Shared/*") </code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1080">T1080</a> </td> <td> <a href="/versions/v16/techniques/T1080">Taint Shared Content</a> </td> <td> <p>Monitor for writes or overwrites of many files to a network shared directory, which may be suspicious.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1600">T1600</a> </td> <td> <a href="/versions/v16/techniques/T1600">Weaken Encryption</a> </td> <td> <p>File Modification</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1600/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1600/001">Reduce Key Space</a> </td> <td> <p>There is no documented method for defenders to directly identify behaviors that reduce encryption key space. Detection efforts may be focused on closely related adversary behaviors, such as Modify System Image and Network Device CLI. 
Some detection methods require vendor support to aid in investigation.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1600/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1600/002">Disable Crypto Hardware</a> </td> <td> <p>There is no documented method for defenders to directly identify behaviors that reduce encryption key space. Detection efforts may be focused on closely related adversary behaviors, such as Modify System Image and Network Device CLI. Some detection methods require vendor support to aid in investigation.</p> </td> </tr> </tbody> </table> </div> </div> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://docs.microsoft.com/en-us/windows/win32/fileio/file-management" target="_blank"> Microsoft. (2018, May 31). File Management (Local File Systems). Retrieved September 28, 2021. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://support.google.com/chrome/a/answer/7349337" target="_blank"> Chrome Enterprise and Education Help. (n.d.). Use Chrome Browser with Roaming User Profiles. Retrieved March 28, 2023. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/" target="_blank"> Arntz, P. (2016, March 30). The Windows Vault . Retrieved November 23, 2020. 
</a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.ise.io/casestudies/password-manager-hacking/" target="_blank"> ise. (2019, February 19). Password Managers: Under the Hood of Secrets Management. Retrieved January 22, 2021. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://web.archive.org/web/20220818094600/https://specterops.io/assets/resources/Certified_Pre-Owned.pdf" target="_blank"> Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://o365blog.com/post/deviceidentity/" target="_blank"> Syynimaa, N. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved August 3, 2022. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea" target="_blank"> French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://www.youtube.com/watch?v=nJ0UsyiUEqQ" target="_blank"> French, D., Filar, B.. (2020, March 21). A Chain Is No Stronger Than Its Weakest LNK. Retrieved November 30, 2020. 
</a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://support.apple.com/guide/mac-help/open-items-automatically-when-you-log-in-mh15189/mac" target="_blank"> Apple. (n.d.). Open items automatically when you log in on Mac. Retrieved October 1, 2021. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://eclecticlight.co/2021/09/16/how-to-run-an-app-or-tool-at-startup/" target="_blank"> hoakley. (2021, September 16). How to run an app or tool at startup. Retrieved October 5, 2021. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://objective-see.com/blog/blog_0x31.html" target="_blank"> Patrick Wardle. (2018, July 23). Block Blocking Login Items. Retrieved October 1, 2021. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://www.sentinelone.com/blog/how-malware-persists-on-macos/" target="_blank"> Stokes, Phil. (2019, June 17). HOW MALWARE PERSISTS ON MACOS. Retrieved September 10, 2019. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://www.sans.org/blog/finding-evil-wmi-event-consumers-with-disk-forensics/" target="_blank"> Chad Tilbury. (2023, May 22). Finding Evil WMI Event Consumers with Disk Forensics. Retrieved February 9, 2024. 
</a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf" target="_blank"> Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://www.elastic.co/guide/en/security/current/abnormal-process-id-or-lock-file-created.html" target="_blank"> Elastic. (n.d.). Abnormal Process ID or Lock File Created. Retrieved September 19, 2024. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://xorrior.com/persistent-credential-theft/" target="_blank"> Chris Ross. (2018, October 17). Persistent Credential Theft with Authorization Plugins. Retrieved April 22, 2021. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://github.com/nsacyber/Mitigating-Web-Shells" target="_blank"> NSA Cybersecurity Directorate. (n.d.). Mitigating Web Shells. Retrieved July 22, 2021. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="http://journeyintoir.blogspot.com/2012/12/extracting-zeroaccess-from-ntfs.html" target="_blank"> Harrell, C. (2012, December 11). Extracting ZeroAccess from NTFS Extended Attributes. Retrieved June 3, 2016. 
</a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html" target="_blank"> Cole, R., Moore, A., Stark, G., Stancill, B. (2020, February 5). STOMP 2 DIS: Brilliance in the (Visual) Basics. Retrieved September 17, 2020. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html" target="_blank"> Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping Detection – NTFS Forensics. Retrieved September 30, 2024. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a" target="_blank"> Li, V. (2019, October 2). Polyglot Files: a Hacker’s best friend. Retrieved September 27, 2022. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.garykessler.net/library/file_sigs.html" target="_blank"> Kessler, G. (2022, December 9). GCK'S FILE SIGNATURES TABLE. Retrieved August 23, 2022. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection" target="_blank"> Brennan, M. (2022, February 16). Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection. Retrieved August 22, 2022. 
</a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="24.0"> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://www.blackhat.com/docs/us-15/materials/us-15-Choi-API-Deobfuscator-Resolving-Obfuscated-API-Functions-In-Modern-Packers.pdf" target="_blank"> Choi, S. (2015, August 6). Obfuscated API Functions in Modern Packers. Retrieved August 22, 2022. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://github.com/MITRECND/malchive/blob/main/malchive/utilities/findapihash.py" target="_blank"> Jason (jxb5151). (2021, January 28). findapihash.py. Retrieved August 22, 2022. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://msdn.microsoft.com/library/windows/hardware/ff559951.aspx" target="_blank"> Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf" target="_blank"> Liberman, T. & Kogan, E. (2017, December 7). Lost in Transaction: Process Doppelgänging. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/" target="_blank"> hasherezade. (2017, December 18). Process Doppelgänging – a new way to impersonate a process. Retrieved December 20, 2017. 
</a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/" target="_blank"> hoakley. (2020, October 29). Quarantine and the quarantine flag. Retrieved September 13, 2021. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://technet.microsoft.com/en-us/sysinternals/bb963902" target="_blank"> Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://objective-see.com/blog/blog_0x48.html" target="_blank"> Patrick Wardle. (2019, September 17). Writing a File Monitor with Apple's Endpoint Security Framework. Retrieved December 17, 2020. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/" target="_blank"> Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for persistence. Retrieved September 26, 2024. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms" target="_blank"> Ruben Groenewoud. (2024, August 29). Linux Detection Engineering - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024. 
</a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf" target="_blank"> Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved December 10, 2021. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/" target="_blank"> Marlin, J. (2013, March 24). Alternate Data Streams in NTFS. Retrieved March 21, 2018. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/" target="_blank"> Moe, O. (2018, January 14). Putting Data in Alternate Data Streams and How to Execute It. Retrieved June 30, 2018. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/" target="_blank"> Moe, O. (2018, April 11). Putting Data in Alternate Data Streams and How to Execute It - Part 2. Retrieved June 30, 2018. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://support.apple.com/guide/mail/use-rules-to-manage-emails-you-receive-mlhlp1017/mac" target="_blank"> Apple. (n.d.). Use rules to manage emails you receive in Mail on Mac. Retrieved June 14, 2021. 
</a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://www.secureworks.com/research/skeleton-key-malware-analysis" target="_blank"> Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved April 8, 2019. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#7" target="_blank"> Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#13" target="_blank"> Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://en.wikipedia.org/wiki/Rootkit" target="_blank"> Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/" target="_blank"> Craig Rowland. (2019, July 25). Getting an Attacker IP Address from a Malicious Linux At Job. Retrieved October 15, 2021. 
</a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://docs.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview" target="_blank"> Microsoft. (2007, November 24). IIS Modules Overview. Retrieved June 17, 2021. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf" target="_blank"> Hromcová, Z., Cherepanov, A. (2021). Anatomy of Native IIS Malware. Retrieved September 9, 2021. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf" target="_blank"> Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018. 