Synopsis

| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | Requires: XDR Agent with eXtended Threat Hunting (XTH) |
| Detection Modules | |
| Detector Tags | EDR Discovery Analytics |
| ATT&CK Tactic | Discovery (TA0007) |
| ATT&CK Technique | |
| Severity | Informational |
Description
A process made an uncommon attempt to access a file that may contain sensitive information.
Attacker's Goals
- Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.
Investigative actions
- Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access.
- Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.
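As an added illustration, not Cortex XDR's own detection logic, the following Python script simulates an analytics detector with the parameters from the Synopsis table: it baselines which processes read the listed sensitive files during a 30-day training window, alerts on a single post-training access by an actor that never appeared in the baseline, and suppresses repeat alerts for the same actor and file for one day. The sample telemetry, the sensitive-file list and the heuristics that label two of the page's variations are constructed assumptions.

```python
from datetime import datetime, timedelta

TRAINING_DAYS, DEDUP_DAYS = 30, 1   # training and deduplication periods from the Synopsis table
SENSITIVE_FILES = {"/etc/passwd", "/etc/hosts"}  # files the page names; real lists are longer (assumption)

def build_baseline(events, training_end):
    """Collect (host, actor, file) triples observed during the 30-day training window."""
    start = training_end - timedelta(days=TRAINING_DAYS)
    return {(host, actor, path) for ts, host, actor, _parent, path in events
            if start <= ts < training_end and path in SENSITIVE_FILES}

def classify_variation(actor, parent):
    """Hypothetical heuristics mapping event context to two of the page's variation names."""
    if actor.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")):
        return "from temporary or world writable directories"
    if parent.endswith(("/cron", "/crond")):
        return "by a rare process that was executed by cron"
    return "uncommon actor"

def evaluate(events, baseline, training_end):
    """Single-event test: alert when the triple was never seen in training, then suppress repeats for 1 day."""
    last_alert, alerts = {}, []
    for ts, host, actor, parent, path in sorted(events):
        if ts < training_end or path not in SENSITIVE_FILES:
            continue
        key = (host, actor, path)
        if key in baseline:
            continue                                   # expected behaviour for this actor on this host
        if key in last_alert and ts - last_alert[key] < timedelta(days=DEDUP_DAYS):
            continue                                   # deduplicated: same actor/file within 1 day
        last_alert[key] = ts
        alerts.append({"ts": ts, "host": host, "actor": actor, "file": path,
                       "variation": classify_variation(actor, parent)})
    return alerts

# Constructed telemetry, not real XDR data: (timestamp, host, actor image, parent image, file).
T0 = datetime(2024, 1, 1)
TRAINING_END = T0 + timedelta(days=TRAINING_DAYS)
SAMPLE_EVENTS = [(T0 + timedelta(days=d), "web01", "/usr/sbin/sshd", "/usr/lib/systemd/systemd", "/etc/passwd")
                 for d in range(TRAINING_DAYS)] + [
    (datetime(2024, 2, 1, 10, 0), "web01", "/usr/sbin/sshd", "/usr/lib/systemd/systemd", "/etc/passwd"),  # baselined
    (datetime(2024, 2, 1, 10, 5), "web01", "/tmp/collector", "/bin/bash", "/etc/passwd"),                  # alert
    (datetime(2024, 2, 1, 18, 0), "web01", "/tmp/collector", "/bin/bash", "/etc/passwd"),                  # deduplicated
    (datetime(2024, 2, 3, 3, 0), "web01", "/opt/backup/collect.sh", "/usr/sbin/cron", "/etc/hosts"),      # alert
]

def run_demo():
    """Run the simulated detector over the constructed sample; returns the two expected alerts."""
    return evaluate(SAMPLE_EVENTS, build_baseline(SAMPLE_EVENTS, TRAINING_END), TRAINING_END)
```

Running `run_demo()` yields two alerts: the /tmp actor reading /etc/passwd (its second read eight hours later is deduplicated) and the cron-spawned script reading /etc/hosts, while the daily sshd read is baselined and stays silent.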
Variations

- Uncommon attempt at discovering /etc/passwd
- Uncommon attempt at discovering /etc/hosts
- Uncommon attempt at discovering a sensitive file by a security testing tool
- Uncommon attempt at discovering a sensitive file by a potentially known credential dumper or enumeration script
- Uncommon attempt at discovering a sensitive file by a potential Webshell
- Uncommon attempt at discovering a sensitive file by a script that was executed by a rare causality
- Uncommon attempt at discovering a sensitive file from temporary or world writable directories
- Uncommon attempt at discovering a sensitive file by a rare process that was executed by cron
- Uncommon attempt at discovering a sensitive file by a non-GTFOBIN process

Each variation shares the Description, Attacker's Goals and Investigative actions given above for the base detector.