File and Directory Discovery - MacOS

calendar Aug 12, 2024 · attack.discovery attack.t1083  ·
Share on: linkedin copy

Detects usage of system utilities to discover files and directories

Sigma rule (View on GitHub)

 1title: File and Directory Discovery - MacOS
 2id: 089dbdf6-b960-4bcc-90e3-ffc3480c20f6
 3status: test
 4description: Detects usage of system utilities to discover files and directories
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
 7author: Daniil Yugoslavskiy, oscd.community
 8date: 2020-10-19
 9modified: 2022-11-25
10tags:
11    - attack.discovery
12    - attack.t1083
13logsource:
14    category: process_creation
15    product: macos
16detection:
17    select_file_with_asterisk:
18        Image: '/usr/bin/file'
19        CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
20    select_recursive_ls:
21        Image: '/bin/ls'
22        CommandLine|contains: '-R'
23    select_find_execution:
24        Image: '/usr/bin/find'
25    select_mdfind_execution:
26        Image: '/usr/bin/mdfind'
27    select_tree_execution|endswith:
28        Image: '/tree'
29    condition: 1 of select*
30falsepositives:
31    - Legitimate activities
32level: informational

References

Related rules

to-top