File and Directory Discovery - Linux

Aug 12, 2024 · attack.discovery attack.t1083 ·

Detects usage of system utilities to discover files and directories

Sigma rule (View on GitHub)

 1title: File and Directory Discovery - Linux
 2id: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72
 3status: test
 4description: Detects usage of system utilities to discover files and directories
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
 7author: Daniil Yugoslavskiy, oscd.community
 8date: 2020-10-19
 9modified: 2022-11-25
10tags:
11    - attack.discovery
12    - attack.t1083
13logsource:
14    category: process_creation
15    product: linux
16detection:
17    select_file_with_asterisk:
18        Image|endswith: '/file'
19        CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
20    select_recursive_ls:
21        Image|endswith: '/ls'
22        CommandLine|contains: '-R'
23    select_find_execution:
24        Image|endswith: '/find'
25    select_tree_execution:
26        Image|endswith: '/tree'
27    condition: 1 of select*
28falsepositives:
29    - Legitimate activities
30level: informational

References

atomic-red-team/atomics/T1083/T1083.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

Read More

File and Directory Discovery - Linux

Sigma rule (View on GitHub)

References

atomic-red-team/atomics/T1083/T1083.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

Related rules