Use Of Hidden Paths Or Files

Detects calls to hidden files or files located in hidden directories in NIX systems.

Sigma rule

title: Use Of Hidden Paths Or Files
id: 9e1bef8d-0fff-46f6-8465-9aa54e128c1e
related:
    - id: d08722cd-3d09-449a-80b4-83ea2d9d4616
      type: similar
status: test
description: Detects calls to hidden files or files located in hidden directories in NIX systems.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
author: David Burkett, @signalblur
date: 2022-12-30
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-evasion
    - attack.t1574.001
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'PATH'
        name|contains: '/.'
    filter:
        name|contains:
            - '/.cache/'
            - '/.config/'
            - '/.pyenv/'
            - '/.rustup/toolchains'
    condition: selection and not filter
falsepositives:
    - Unknown
level: low
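As an added illustration, not code from the rule's author or the Sigma project, the following Python applies the rule's `selection and not filter` logic to a handful of constructed auditd `PATH` records. The record parser, the helper names and the sample lines are assumptions made for this example; the `type` value and the `name|contains` substrings are taken verbatim from the rule. One sample path contains a space, which auditd emits as a hex-encoded `name=` value, so the parser decodes that form before matching.

```python
import re

# Values copied from the rule's detection section.
SELECTION_TYPE = "PATH"
SELECTION_NAME_CONTAINS = "/."
FILTER_NAME_CONTAINS = ["/.cache/", "/.config/", "/.pyenv/", "/.rustup/toolchains"]

# Constructed sample auditd records (not real captures). auditd hex-encodes
# `name=` without quotes when the path holds a space or other special character;
# the last record is built that way on purpose.
HEX_NAME = "/tmp/.hidden dir/x".encode().hex().upper()
SAMPLE_AUDITD_LINES = [
    'type=PATH msg=audit(1672444800.123:4711): item=0 name="/home/user/.hidden/payload.sh" inode=1234 dev=08:01 mode=0100755 ouid=1000 ogid=1000 nametype=NORMAL',
    'type=PATH msg=audit(1672444800.124:4712): item=0 name="/home/user/.cache/pip/http/abc" inode=1235 dev=08:01 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL',
    'type=PATH msg=audit(1672444800.125:4713): item=0 name="/home/user/.config/nvim/init.lua" inode=1236 dev=08:01 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL',
    'type=PATH msg=audit(1672444800.126:4714): item=0 name="/usr/bin/ls" inode=2001 dev=08:01 mode=0100755 ouid=0 ogid=0 nametype=NORMAL',
    'type=SYSCALL msg=audit(1672444800.127:4715): arch=c000003e syscall=257 success=yes exit=3 comm="cat" exe="/usr/bin/cat"',
    'type=PATH msg=audit(1672444800.128:4716): item=0 name="/tmp/.X11-unix/X0" inode=3001 dev=00:19 mode=0140777 ouid=0 ogid=0 nametype=NORMAL',
    'type=PATH msg=audit(1672444800.129:4717): item=0 name="/home/user/.rustup/toolchains/stable/bin/cargo" inode=4001 dev=08:01 mode=0100755 ouid=1000 ogid=1000 nametype=NORMAL',
    f'type=PATH msg=audit(1672444800.130:4718): item=0 name={HEX_NAME} inode=5001 dev=08:01 mode=0100755 ouid=1000 ogid=1000 nametype=NORMAL',
]

# key=value pairs; values are either double-quoted strings or bare tokens.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_auditd_record(line: str) -> dict:
    """Parse one auditd record line into a dict of field name -> value.

    Quoted values are unquoted. A bare, even-length hex `name=` value is
    decoded so the rule's substring match sees the real path.
    """
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
            value = raw[1:-1]
        elif key == "name" and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
            value = bytes.fromhex(raw).decode("utf-8", errors="replace")
        else:
            value = raw
        fields[key] = value
    return fields


def matches_rule(record: dict) -> bool:
    """Evaluate `selection and not filter` exactly as the rule defines it."""
    if record.get("type") != SELECTION_TYPE:
        return False
    name = record.get("name", "")
    selection = SELECTION_NAME_CONTAINS in name
    filtered = any(fragment in name for fragment in FILTER_NAME_CONTAINS)
    return selection and not filtered


def alerting_paths(lines) -> list:
    """Return the `name` of every record in `lines` that the rule would alert on."""
    hits = []
    for line in lines:
        record = parse_auditd_record(line)
        if matches_rule(record):
            hits.append(record["name"])
    return hits


if __name__ == "__main__":
    for path in alerting_paths(SAMPLE_AUDITD_LINES):
        print("alert:", path)
```

Running it reports `/home/user/.hidden/payload.sh`, `/tmp/.X11-unix/X0` and `/tmp/.hidden dir/x`, while the `.cache`, `.config` and `.rustup/toolchains` paths are dropped by the filter and the `SYSCALL` record never enters the selection. The `/tmp/.X11-unix` hit shows why the rule's false positives are listed as unknown and its level as low: any dot-prefixed path outside the four excluded prefixes fires, so an environment-specific filter list is usually the first tuning step. The hex case matters in practice too: a collector that forwards the raw record without decoding `name=` would not match `/.` against such a path.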
