File

A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media)[1]

ID: DS0022
Platforms: Linux, Network, Windows, macOS
Collection Layer: Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 10 November 2021

Data Components

File: File Access

Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)

Domain ID Name
Enterprise T1087 Account Discovery
.001 Local Account
Enterprise T1119 Automated Collection
Enterprise T1020 Automated Exfiltration
Enterprise T1217 Browser Bookmark Discovery
Enterprise T1555 Credentials from Password Stores
.001 Keychain
.003 Credentials from Web Browsers
.004 Windows Credential Manager
.005 Password Managers
Enterprise T1005 Data from Local System
Enterprise T1039 Data from Network Shared Drive
Enterprise T1025 Data from Removable Media
Enterprise T1074 Data Staged
.001 Local Data Staging
.002 Remote Data Staging
Enterprise T1114 Email Collection
.001 Local Email Collection
Enterprise T1048 Exfiltration Over Alternative Protocol
.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Enterprise T1041 Exfiltration Over C2 Channel
Enterprise T1011 Exfiltration Over Other Network Medium
.001 Exfiltration Over Bluetooth
Enterprise T1052 Exfiltration Over Physical Medium
.001 Exfiltration over USB
Enterprise T1567 Exfiltration Over Web Service
.001 Exfiltration to Code Repository
.002 Exfiltration to Cloud Storage
Enterprise T1187 Forced Authentication
Enterprise T1003 OS Credential Dumping
.002 Security Account Manager
.003 NTDS
.007 Proc Filesystem
.008 /etc/passwd and /etc/shadow
Enterprise T1018 Remote System Discovery
Enterprise T1091 Replication Through Removable Media
Enterprise T1558 Steal or Forge Kerberos Tickets
Enterprise T1539 Steal Web Session Cookie
Enterprise T1552 Unsecured Credentials
.001 Credentials In Files
.003 Bash History
.004 Private Keys
.006 Group Policy Preferences
.007 Container API

File: File Creation

Initial construction of a new file (ex: Sysmon EID 11)

Domain ID Name
Enterprise T1560 Archive Collected Data
.001 Archive via Utility
.002 Archive via Library
.003 Archive via Custom Method
Enterprise T1547 Boot or Logon Autostart Execution
.006 Kernel Modules and Extensions
.008 LSASS Driver
.009 Shortcut Modification
.010 Port Monitors
.012 Print Processors
.013 XDG Autostart Entries
.015 Login Items
Enterprise T1037 Boot or Logon Initialization Scripts
.002 Logon Script (Mac)
.003 Network Logon Script
.004 RC Scripts
.005 Startup Items
Enterprise T1176 Browser Extensions
Enterprise T1554 Compromise Client Software Binary
Enterprise T1543 Create or Modify System Process
.001 Launch Agent
.002 Systemd Service
.004 Launch Daemon
Enterprise T1486 Data Encrypted for Impact
Enterprise T1565 Data Manipulation
.001 Stored Data Manipulation
.003 Runtime Data Manipulation
Enterprise T1074 Data Staged
.001 Local Data Staging
.002 Remote Data Staging
Enterprise T1491 Defacement
.001 Internal Defacement
.002 External Defacement
Enterprise T1189 Drive-by Compromise
Enterprise T1546 Event Triggered Execution
.002 Screensaver
.004 Unix Shell Configuration Modification
.005 Trap
.008 Accessibility Features
.013 PowerShell Profile
.014 Emond
Enterprise T1187 Forced Authentication
Enterprise T1564 Hide Artifacts
.001 Hidden Files and Directories
.006 Run Virtual Instance
.009 Resource Forking
Enterprise T1574 Hijack Execution Flow
.001 DLL Search Order Hijacking
.002 DLL Side-Loading
.004 Dylib Hijacking
.005 Executable Installer File Permissions Weakness
.006 Dynamic Linker Hijacking
.007 Path Interception by PATH Environment Variable
.008 Path Interception by Search Order Hijacking
.009 Path Interception by Unquoted Path
.010 Services File Permissions Weakness
Enterprise T1105 Ingress Tool Transfer
Enterprise T1570 Lateral Tool Transfer
Enterprise T1036 .007 Masquerading: Double File Extension
Enterprise T1556 Modify Authentication Process
.002 Password Filter DLL
Enterprise T1027 Obfuscated Files or Information
.004 Compile After Delivery
.006 HTML Smuggling
Enterprise T1137 Office Application Startup
.001 Office Template Macros
.002 Office Test
.006 Add-ins
Enterprise T1566 Phishing
.001 Spearphishing Attachment
Enterprise T1091 Replication Through Removable Media
Enterprise T1496 Resource Hijacking
Enterprise T1053 Scheduled Task/Job
.007 Container Orchestration Job
Enterprise T1505 Server Software Component
.002 Transport Agent
.003 Web Shell
.004 IIS Components
Enterprise T1218 Signed Binary Proxy Execution
.001 Compiled HTML File
.002 Control Panel
.005 Mshta
.014 MMC
Enterprise T1553 .005 Subvert Trust Controls: Mark-of-the-Web Bypass
Enterprise T1080 Taint Shared Content
Enterprise T1204 User Execution
.001 Malicious Link
.002 Malicious File

File: File Deletion

Removal of a file (ex: Sysmon EID 23)

Domain ID Name
Enterprise T1554 Compromise Client Software Binary
Enterprise T1485 Data Destruction
Enterprise T1565 Data Manipulation
.001 Stored Data Manipulation
.003 Runtime Data Manipulation
Enterprise T1070 Indicator Removal on Host
.002 Clear Linux or Mac System Logs
.003 Clear Command History
.004 File Deletion
Enterprise T1490 Inhibit System Recovery

File: File Metadata

Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

Domain ID Name
Enterprise T1548 Abuse Elevation Control Mechanism
.001 Setuid and Setgid
Enterprise T1554 Compromise Client Software Binary
Enterprise T1565 Data Manipulation
.003 Runtime Data Manipulation
Enterprise T1546 Event Triggered Execution
.006 LC_LOAD_DYLIB Addition
Enterprise T1222 File and Directory Permissions Modification
.001 Windows File and Directory Permissions Modification
.002 Linux and Mac File and Directory Permissions Modification
Enterprise T1564 Hide Artifacts
.001 Hidden Files and Directories
.004 NTFS File Attributes
.007 VBA Stomping
.009 Resource Forking
Enterprise T1070 Indicator Removal on Host
.006 Timestomp
Enterprise T1570 Lateral Tool Transfer
Enterprise T1036 Masquerading
.001 Invalid Code Signature
.002 Right-to-Left Override
.003 Rename System Utilities
.005 Match Legitimate Name or Location
.006 Space after Filename
.007 Double File Extension
Enterprise T1027 Obfuscated Files or Information
.001 Binary Padding
.002 Software Packing
.003 Steganography
.004 Compile After Delivery
Enterprise T1055 Process Injection
.013 Process Doppelgänging
Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32
Enterprise T1553 Subvert Trust Controls
.001 Gatekeeper Bypass
.002 Code Signing
.005 Mark-of-the-Web Bypass

File: File Modification

Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)

Domain ID Name
Enterprise T1548 Abuse Elevation Control Mechanism
.001 Setuid and Setgid
.003 Sudo and Sudo Caching
Enterprise T1098 Account Manipulation
.004 SSH Authorized Keys
Enterprise T1547 Boot or Logon Autostart Execution
.001 Registry Run Keys / Startup Folder
.006 Kernel Modules and Extensions
.007 Re-opened Applications
.008 LSASS Driver
.009 Shortcut Modification
.011 Plist Modification
.013 XDG Autostart Entries
.015 Login Items
Enterprise T1037 Boot or Logon Initialization Scripts
.002 Logon Script (Mac)
.003 Network Logon Script
.004 RC Scripts
.005 Startup Items
Enterprise T1554 Compromise Client Software Binary
Enterprise T1543 Create or Modify System Process
.001 Launch Agent
.002 Systemd Service
.004 Launch Daemon
Enterprise T1485 Data Destruction
Enterprise T1486 Data Encrypted for Impact
Enterprise T1565 Data Manipulation
.001 Stored Data Manipulation
.003 Runtime Data Manipulation
Enterprise T1491 Defacement
.001 Internal Defacement
.002 External Defacement
Enterprise T1140 Deobfuscate/Decode Files or Information
Enterprise T1546 Event Triggered Execution
.002 Screensaver
.004 Unix Shell Configuration Modification
.005 Trap
.006 LC_LOAD_DYLIB Addition
.008 Accessibility Features
.011 Application Shimming
.013 PowerShell Profile
.014 Emond
Enterprise T1187 Forced Authentication
Enterprise T1564 Hide Artifacts
.002 Hidden Users
.003 Hidden Window
.004 NTFS File Attributes
.005 Hidden File System
.008 Email Hiding Rules
Enterprise T1574 Hijack Execution Flow
.001 DLL Search Order Hijacking
.002 DLL Side-Loading
.004 Dylib Hijacking
.005 Executable Installer File Permissions Weakness
.006 Dynamic Linker Hijacking
.007 Path Interception by PATH Environment Variable
.008 Path Interception by Search Order Hijacking
.009 Path Interception by Unquoted Path
.010 Services File Permissions Weakness
Enterprise T1070 Indicator Removal on Host
.002 Clear Linux or Mac System Logs
.003 Clear Command History
.006 Timestomp
Enterprise T1056 Input Capture
.003 Web Portal Capture
Enterprise T1036 Masquerading
.003 Rename System Utilities
Enterprise T1556 Modify Authentication Process
.001 Domain Controller Authentication
.003 Pluggable Authentication Modules
.004 Network Device Authentication
Enterprise T1601 Modify System Image
.001 Patch System Image
.002 Downgrade System Image
Enterprise T1137 Office Application Startup
.001 Office Template Macros
.002 Office Test
.006 Add-ins
Enterprise T1055 Process Injection
.009 Proc Memory
Enterprise T1053 Scheduled Task/Job
.002 At (Windows)
.003 Cron
.005 Scheduled Task
.006 Systemd Timers
Enterprise T1505 Server Software Component
.003 Web Shell
.004 IIS Components
Enterprise T1489 Service Stop
Enterprise T1553 Subvert Trust Controls
.001 Gatekeeper Bypass
.003 SIP and Trust Provider Hijacking
Enterprise T1569 System Services
.001 Launchctl
Enterprise T1080 Taint Shared Content
Enterprise T1600 Weaken Encryption
.001 Reduce Key Space
.002 Disable Crypto Hardware

References