
File Access (235b7491-2d2b-4617-9a52-3c0783680f71)

Events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or otherwise interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples:

  • File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive.
  • File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory).
  • Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., /etc/passwd on Linux or System32 files on Windows).
  • File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server).
  • File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access).

This data component can be collected through the following measures:

Windows

  • Windows Event Logs: Event ID 4663: Captures file system auditing details, including who accessed the file, access type, and file name.
  • Sysmon:
    • Event ID 11: Logs file creation time changes.
    • Event ID 1 (process creation): Can provide insight into files executed.
  • PowerShell: Commands to monitor file access in real-time: Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663}

Linux

  • Auditd: Monitor file access events using audit rules: auditctl -w /path/to/file -p rwxa -k file_access
  • View logs: ausearch -k file_access
  • Inotify: Use inotify to track file access on Linux: inotifywait -m /path/to/watch -e access

macOS

  • Unified Logs: Monitor file access using the macOS Unified Logging System.
  • FSEvents: File System Events can track file accesses: fs_usage | grep open

Network Devices

  • SMB/CIFS Logs: Monitor file access over network shares using logs from SMB or CIFS protocol.
  • NAS Logs: Collect logs from network-attached storage systems for file access events.

SIEM Integration

  • Collect file access logs from all platforms (Windows, Linux, macOS) and centralize in a SIEM for correlation and analysis.
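The collection measures above (the auditctl rule keyed file_access, Windows Event ID 4663, SIEM centralization) produce raw records that still need to be joined and checked for the patterns listed at the top of the page: unauthorized access to a protected file and bulk access within a short window. The following Python is an added example, not part of the original page or of any MISP/MITRE tooling. It parses constructed auditd records in the raw ausearch format (the log lines, uids, paths and serial numbers are made up for the example), joins each SYSCALL record to its PATH record via the audit serial, and runs the two checks over the result.

```python
import re
from collections import defaultdict, deque

# Raw audit records group into one event by the serial in "msg=audit(<time>:<serial>)";
# the SYSCALL record carries who/what, the PATH record carries which file.
RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample (not from a real host): a normal read, a read of /etc/shadow by an
# ordinary user, and a failed (exit=-13, EACCES) attempt on /etc/shadow by another user.
BASE_RECORDS = """\
type=SYSCALL msg=audit(1714554001.101:501): arch=c000003e syscall=257 success=yes exit=3 uid=1000 auid=1000 comm="cat" exe="/usr/bin/cat" key="file_access"
type=PATH msg=audit(1714554001.101:501): item=0 name="/home/alice/notes.txt" inode=1234 mode=0100644
type=SYSCALL msg=audit(1714554003.220:502): arch=c000003e syscall=257 success=yes exit=3 uid=1000 auid=1000 comm="cat" exe="/usr/bin/cat" key="file_access"
type=PATH msg=audit(1714554003.220:502): item=0 name="/etc/shadow" inode=5678 mode=0100640
type=SYSCALL msg=audit(1714554010.000:503): arch=c000003e syscall=257 success=no exit=-13 uid=1001 auid=1001 comm="python3" exe="/usr/bin/python3" key="file_access"
type=PATH msg=audit(1714554010.000:503): item=0 name="/etc/shadow" inode=5678 mode=0100640
"""

# Constructed bulk-access burst: uid 1002 copies 25 distinct share documents in ~7.5 s.
BULK_UID = "1002"
BULK_RECORDS = "".join(
    f"type=SYSCALL msg=audit({1714554100 + i * 0.3:.3f}:{600 + i}): arch=c000003e syscall=257 "
    f'success=yes exit=3 uid={BULK_UID} auid={BULK_UID} comm="cp" exe="/usr/bin/cp" key="file_access"\n'
    f'type=PATH msg=audit({1714554100 + i * 0.3:.3f}:{600 + i}): item=0 name="/srv/share/doc_{i:02d}.docx" '
    f"inode={7000 + i} mode=0100644\n"
    for i in range(25)
)
SAMPLE_AUDIT_LOG = BASE_RECORDS + BULK_RECORDS


def parse_audit_log(text):
    """Join SYSCALL and PATH records by serial; return events sorted by timestamp."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip anything that is not a raw audit record
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        ev = events.setdefault(m.group("serial"), {"serial": m.group("serial"),
                                                   "ts": float(m.group("ts")), "paths": []})
        if m.group("type") == "SYSCALL":
            ev.update(uid=fields.get("uid"), exe=fields.get("exe"), key=fields.get("key"),
                      success=fields.get("success") == "yes")
        elif m.group("type") == "PATH":
            ev["paths"].append(fields.get("name"))
    return sorted(events.values(), key=lambda e: e["ts"])


def detect_sensitive_access(events, sensitive_paths, allowed_uids=frozenset({"0"})):
    """Flag any touch (successful or denied) of a protected file by a uid not on the allow list."""
    hits = []
    for ev in events:
        if ev.get("uid") in allowed_uids:
            continue
        for path in ev["paths"]:
            if path in sensitive_paths:
                hits.append({"uid": ev["uid"], "path": path, "exe": ev.get("exe"),
                             "success": ev.get("success", False)})
    return hits


def detect_bulk_access(events, threshold=20, window_seconds=60):
    """Per uid, count distinct files successfully accessed inside a sliding time window.

    Returns {uid: peak distinct-file count} for every uid that reached the threshold.
    """
    per_uid = defaultdict(list)
    for ev in events:
        if ev.get("success"):
            for path in ev["paths"]:
                per_uid[ev["uid"]].append((ev["ts"], path))
    flagged = {}
    for uid, accesses in per_uid.items():
        accesses.sort()
        window = deque()
        for ts, path in accesses:
            window.append((ts, path))
            while window[0][0] < ts - window_seconds:  # drop accesses older than the window
                window.popleft()
            distinct = len({p for _, p in window})
            if distinct >= threshold:
                flagged[uid] = max(flagged.get(uid, 0), distinct)
    return flagged


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for hit in detect_sensitive_access(evs, {"/etc/shadow", "/etc/passwd"}):
        print("sensitive file touched:", hit)
    for uid, count in detect_bulk_access(evs).items():
        print(f"bulk access: uid {uid} reached {count} distinct files within 60 s")
```

The denied attempt (success=no) is reported alongside the successful read because a failed open of a protected file is itself the "unauthorized file access" signal the page lists; the bulk check only counts successful accesses so that one noisy permission-denied loop does not inflate it. The same two functions apply unchanged to Windows Event ID 4663 data once SubjectUserName, ObjectName and the event time are mapped onto the uid, paths and ts keys.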
Cluster A | Galaxy A | Cluster B | Galaxy B | Level
--- | --- | --- | --- | ---
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Exfiltration Over Physical Medium - T1052 (e6415f09-df0e-48de-9aba-928c902b7549) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Forced Authentication - T1187 (b77cf5f3-6060-475d-bd60-40ccbf28fdc2) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Bash History - T1552.003 (8187bd2a-866f-4457-9009-86b0ddedffa3) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Exfiltration to Code Repository - T1567.001 (86a96bf6-cf8b-411c-aaeb-8959944d64f7) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Data from Network Shared Drive - T1039 (ae676644-d2d2-41b7-af7e-9bed1b55898c) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Remote Data Staging - T1074.002 (359b00ad-9425-420b-bba5-6de8d600cbc0) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Ccache Files - T1558.005 (394220d9-8efc-4252-9040-664f7b115be6) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001 (79a4052e-1a89-4b09-aea6-51f1d11fe19c) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | /etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Log Enumeration - T1654 (866d0d6d-02c6-42bd-aa2f-02907fdc0969) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Exfiltration Over Webhook - T1567.004 (43f2776f-b4bd-4118-94b8-fee47e69676d) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) | Attack Pattern | 1
File Access (235b7491-2d2b-4617-9a52-3c0783680f71) | mitre-data-component | Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec) | Attack Pattern | 1
Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) | Attack Pattern | Exfiltration Over Physical Medium - T1052 (e6415f09-df0e-48de-9aba-928c902b7549) | Attack Pattern | 2
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) | Attack Pattern | Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) | Attack Pattern | 2
Bash History - T1552.003 (8187bd2a-866f-4457-9009-86b0ddedffa3) | Attack Pattern | Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | 2
Exfiltration to Code Repository - T1567.001 (86a96bf6-cf8b-411c-aaeb-8959944d64f7) | Attack Pattern | Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) | Attack Pattern | 2
Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) | Attack Pattern | Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) | Attack Pattern | Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) | Attack Pattern | 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) | Attack Pattern | 2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) | Attack Pattern | Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | 2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) | Attack Pattern | Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) | Attack Pattern | 2
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) | Attack Pattern | Remote Data Staging - T1074.002 (359b00ad-9425-420b-bba5-6de8d600cbc0) | Attack Pattern | 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) | Attack Pattern | 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) | Attack Pattern | 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d) | Attack Pattern | 2
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) | Attack Pattern | Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) | Attack Pattern | 2
Ccache Files - T1558.005 (394220d9-8efc-4252-9040-664f7b115be6) | Attack Pattern | Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) | Attack Pattern | 2
Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001 (79a4052e-1a89-4b09-aea6-51f1d11fe19c) | Attack Pattern | Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) | Attack Pattern | 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) | Attack Pattern | 2
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) | Attack Pattern | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) | Attack Pattern | 2
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) | Attack Pattern | Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) | Attack Pattern | 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | /etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4) | Attack Pattern | 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) | Attack Pattern | 2
Exfiltration Over Webhook - T1567.004 (43f2776f-b4bd-4118-94b8-fee47e69676d) | Attack Pattern | Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) | Attack Pattern | 2
Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) | Attack Pattern | Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) | Attack Pattern | 2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) | Attack Pattern | Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) | Attack Pattern | 2