Use Of Hidden Paths Or Files

Detects calls to hidden files or files located in hidden directories in NIX systems.

Sigma rule

title: Use Of Hidden Paths Or Files
id: 9e1bef8d-0fff-46f6-8465-9aa54e128c1e
related:
    - id: d08722cd-3d09-449a-80b4-83ea2d9d4616
      type: similar
status: test
description: Detects calls to hidden files or files located in hidden directories in NIX systems.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
author: David Burkett, @signalblur
date: 2022-12-30
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'PATH'
        name|contains: '/.'
    filter:
        name|contains:
            - '/.cache/'
            - '/.config/'
            - '/.pyenv/'
            - '/.rustup/toolchains'
    condition: selection and not filter
falsepositives:
    - Unknown
level: low
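To show what the rule's `selection and not filter` logic actually matches, here is an added example that re-implements it in Python over constructed auditd records. It is not code from the Sigma project or from the rule's author; the sample log lines, and the helper names `parse_audit_record`, `matches_rule` and `scan`, are all invented here. It also handles one auditd detail the rule text does not mention: auditd hex-encodes `name` values that contain spaces, quotes or control characters and emits them unquoted, so a backend that matches on the raw field would miss such paths unless it decodes them first.

```python
"""Re-implementation of the Sigma rule's detection logic (added example).

Applies, per auditd record:
    selection: type=PATH and name contains '/.'
    filter:    name contains any of the benign substrings from the rule
    condition: selection and not filter
"""
import re

# Filter list copied from the rule's `filter` block.
FILTER_SUBSTRINGS = ("/.cache/", "/.config/", "/.pyenv/", "/.rustup/toolchains")

# auditd emits one record per line as key=value or key="quoted value".
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Unquoted all-hex value: auditd's escaping for strings with special characters.
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")

# Constructed sample records (not real logs). Record 4 is a SYSCALL line and
# record 7 carries a hex-encoded name ("/tmp/.x y", which contains a space).
SAMPLE_LOG = """\
type=PATH msg=audit(1672444800.101:201): item=0 name="/home/alice/.config/nvim/init.vim" inode=1 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1672444800.102:202): item=0 name="/home/alice/.bashrc" inode=2 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1672444800.103:203): item=0 name="/tmp/.x/run.sh" inode=3 dev=08:01 mode=0100755 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1672444800.103:203): arch=c000003e syscall=59 success=yes exit=0 comm="bash" exe="/usr/bin/bash"
type=PATH msg=audit(1672444800.104:204): item=0 name="/home/alice/.cache/pip/http/abc" inode=4 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1672444800.105:205): item=0 name="/usr/bin/ls" inode=5 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1672444800.107:207): item=0 name=2F746D702F2E782079 inode=7 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1672444800.108:208): item=0 name="/home/alice/.rustup/toolchains/stable/bin/cargo" inode=8 dev=08:01 mode=0100755 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1672444800.109:209): item=0 name="/var/lib/app/../secret" inode=9 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""


def parse_audit_record(line):
    """Split one auditd record into a dict of field -> value, decoding a
    hex-escaped `name` so substring matching sees the real path."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is not None:
            fields[key] = quoted
        elif key == "name" and HEX_RE.match(bare):
            fields[key] = bytes.fromhex(bare).decode("utf-8", errors="replace")
        else:
            fields[key] = bare
    return fields


def matches_rule(record):
    """True when the record satisfies `selection and not filter`."""
    if record.get("type") != "PATH":
        return False
    name = record.get("name", "")
    selection = "/." in name
    filtered = any(s in name for s in FILTER_SUBSTRINGS)
    return selection and not filtered


def scan(log_text):
    """Return the `name` of every record the rule would alert on, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_audit_record(line)
        if matches_rule(rec):
            hits.append(rec["name"])
    return hits


if __name__ == "__main__":
    for name in scan(SAMPLE_LOG):
        print("alert:", name)
```

Two things the run makes visible. First, the SYSCALL record never matches even though the same event's PATH record does, because the rule keys on `type: 'PATH'`; the path being opened is what triggers it, not the executing binary. Second, the last hit, `/var/lib/app/../secret`, is a false positive: `'/.'` is also a prefix of `/..`, so any unnormalized path containing a parent-directory component satisfies the selection, which is one reason the rule ships at `level: low` and why a deployment will usually extend the `filter` list with its own noisy paths.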
