
File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5)

Contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insight into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples:

  • File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\Windows\System32\config\SAM on Windows.
  • Timestamps: Analyzing the creation, modification, and access timestamps of a file.
  • File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation.
  • File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows.
  • File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds.
  • File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders.

This data component can be collected through the following measures:

Windows

  • Sysinternals Tools: Use AccessEnum or PsFile to retrieve metadata about file access and permissions.
  • Windows Event Logs: Enable object access auditing and monitor events like 4663 (Object Access) and 5140 (A network share object was accessed).
  • PowerShell: Use Get-Item or Get-ChildItem cmdlets: Get-ChildItem -Path "C:\Path\To\Directory" -Recurse | Select-Object Name, Length, LastWriteTime, Attributes

Linux

  • File System Commands: Use ls -l or stat to retrieve file metadata: stat /path/to/file
  • Auditd: Configure audit rules to log writes and attribute changes (the -p wa permission set) on a watched path: auditctl -w /path/to/file -p wa -k file_metadata
  • Filesystem Integrity Tools: Tools like tripwire or AIDE (Advanced Intrusion Detection Environment) can monitor file metadata changes.

macOS

  • FSEvents: Use FSEvents to track file metadata changes.
  • Endpoint Security Framework (ESF): Capture metadata-related events via ESF APIs.
  • Command-Line Tools: Use ls -l or xattr for file attributes: ls -l@ /path/to/file

SIEM Integration

  • Forward file metadata logs from endpoint or network devices to a SIEM for centralized analysis.
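The measures above all boil down to the same workflow: record the metadata fields listed in the examples (hash, size, mode, owner, timestamps) for every file of interest, then compare a later snapshot against that baseline, which is what tripwire and AIDE do. The script below is an added example, not code from the page or from any of the tools it names; it implements that baseline-and-compare loop in Python over a temporary directory. The directory layout and file names in demo() are constructed for illustration, and the setuid check assumes a POSIX filesystem where chmod is meaningful.

```python
"""Added example: baseline-and-compare over the file metadata fields the page lists.

Not part of the original page or of tripwire/AIDE. It tracks content hash, size,
mode, owner and timestamps for every regular file under a directory, then reports
what changed between two snapshots. File names in demo() are constructed.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Fields where any difference between snapshots is reported as-is.
TRACKED = ("sha256", "size", "mode", "uid", "gid")


def sha256_of(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(path):
    """Metadata fields tracked for one regular file (lstat: never follow links)."""
    st = os.lstat(path)
    return {
        "size": st.st_size,
        "mode": stat.filemode(st.st_mode),  # e.g. '-rwsr-xr-x' makes a setuid bit visible
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime_ns": st.st_mtime_ns,
        "ctime_ns": st.st_ctime_ns,  # inode change time; utime() cannot set it
        "sha256": sha256_of(path),
    }


def snapshot(root):
    """Map relative path -> metadata for every regular, non-symlink file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): collect(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare(baseline, current):
    """Return {relative_path: [finding, ...]} for files that differ between snapshots."""
    findings = {}
    for rel in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rel), current.get(rel)
        if before is None:
            findings[rel] = ["added"]
            continue
        if after is None:
            findings[rel] = ["removed"]
            continue
        changed = [k for k in TRACKED if before[k] != after[k]]
        if after["mtime_ns"] < before["mtime_ns"]:
            # A filesystem never moves mtime backwards on its own; only an explicit
            # utime()-style call or a restore does. Strong timestomp signal.
            changed.append("mtime moved backwards")
        elif after["mtime_ns"] != before["mtime_ns"] and "sha256" not in changed:
            # Weaker signal: the file was touched or rewritten with identical bytes.
            changed.append("mtime changed, content unchanged")
        if changed:
            findings[rel] = changed
    return findings


def demo():
    """Constructed scenario in a temp dir; returns compare() output (POSIX assumed for chmod)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.conf").write_text("port=8080\n")
        (root / "helper").write_bytes(b"\x7fELF" + b"\0" * 60)
        (root / "notes.txt").write_text("hello\n")
        (root / "dropped.log").write_text("old\n")
        os.chmod(root / "helper", 0o755)
        baseline = snapshot(root)

        # Simulated changes the check should surface:
        (root / "app.conf").write_text("port=8080\nadmin=true\n")  # content edited
        os.chmod(root / "helper", 0o4755)  # setuid bit added, content untouched
        st = os.stat(root / "notes.txt")
        ten_days_ns = 10 * 86400 * 10**9
        os.utime(root / "notes.txt", ns=(st.st_atime_ns, st.st_mtime_ns - ten_days_ns))  # mtime set back
        (root / "dropped.log").unlink()
        (root / "new.bin").write_bytes(b"\x00" * 16)
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for rel, what in demo().items():
        print(f"{rel}: {', '.join(what)}")
```

Run stand-alone it prints one line per changed file: the edited config shows as a hash and size change, the setuid addition shows as a mode change with no content change, and the file whose mtime was pushed into the past is reported as "mtime moved backwards", which is the property timestomping leaves behind because ctime cannot be rewound the same way. In a real deployment the baseline would be stored off-host and signed, and the comparison forwarded to the SIEM alongside the audit events described above.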

Cluster A Galaxy A Cluster B Galaxy B Level
Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Invalid Code Signature - T1036.001 (b4b7458f-81f2-4d38-84be-1c5ba0167a52) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Polymorphic Code - T1027.014 (b577dfc1-0177-4522-8d5a-782127c8592b) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
LC_LOAD_DYLIB Addition - T1546.006 (10ff21b9-5a01-4268-a1b5-3b55015f1847) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
VBA Stomping - T1564.007 (c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Compile After Delivery - T1027.004 (c726e0a2-a57a-4b7b-a973-d0f013246617) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Stripped Payloads - T1027.008 (2f41939b-54c3-41d6-8f8b-35f1ec18ed97) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) Attack Pattern 1
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Resource Forking - T1564.009 (b22e5153-ac28-4cc6-865c-2054e36285cb) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component Runtime Data Manipulation - T1565.003 (32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490) Attack Pattern 1
File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) Attack Pattern 1
Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Right-to-Left Override - T1036.002 (77eae145-55db-4519-8ae5-77b0c7215d69) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Gatekeeper Bypass - T1553.001 (31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Steganography - T1027.003 (c2e147a9-d1a8-4074-811a-d8789202d916) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Process Doppelgänging - T1055.013 (7007935a-a8a7-4c0b-bd98-4e85be8ed197) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Space after Filename - T1036.006 (e51137a5-1cdc-499e-911a-abaedaa5ac86) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Setuid and Setgid - T1548.001 (6831414d-bb70-42b7-8030-d4e06b2660c9) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Extended Attributes - T1564.014 (762e6f29-a62f-4d96-91ed-d0073181431f) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Compromise Software Dependencies and Development Tools - T1195.001 (191cc6af-1bb2-4344-ab5f-28e496638720) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Windows File and Directory Permissions Modification - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
Data Manipulation - T1565 (ac9e6b22-11bf-45d7-9181-c1cb08360931) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component Compromise Host Software Binary - T1554 (960c3c86-1480-4d72-b4e0-8c242e84a5c5) Attack Pattern 1
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component 1
File Metadata (639e87f3-acb6-448a-9645-258f20da4bc5) mitre-data-component Compromise Software Supply Chain - T1195.002 (bd369cd9-abb8-41ce-b5bb-fff23ee86c00) Attack Pattern 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 2
Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345) Attack Pattern File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Invalid Code Signature - T1036.001 (b4b7458f-81f2-4d38-84be-1c5ba0167a52) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
Polymorphic Code - T1027.014 (b577dfc1-0177-4522-8d5a-782127c8592b) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
LC_LOAD_DYLIB Addition - T1546.006 (10ff21b9-5a01-4268-a1b5-3b55015f1847) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern VBA Stomping - T1564.007 (c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Compile After Delivery - T1027.004 (c726e0a2-a57a-4b7b-a973-d0f013246617) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Stripped Payloads - T1027.008 (2f41939b-54c3-41d6-8f8b-35f1ec18ed97) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) Attack Pattern 2
Resource Forking - T1564.009 (b22e5153-ac28-4cc6-865c-2054e36285cb) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern 2
Data Manipulation - T1565 (ac9e6b22-11bf-45d7-9181-c1cb08360931) Attack Pattern Runtime Data Manipulation - T1565.003 (32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490) Attack Pattern 2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) Attack Pattern 2
Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Right-to-Left Override - T1036.002 (77eae145-55db-4519-8ae5-77b0c7215d69) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Gatekeeper Bypass - T1553.001 (31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 2
Steganography - T1027.003 (c2e147a9-d1a8-4074-811a-d8789202d916) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) Attack Pattern 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Process Doppelgänging - T1055.013 (7007935a-a8a7-4c0b-bd98-4e85be8ed197) Attack Pattern 2
Space after Filename - T1036.006 (e51137a5-1cdc-499e-911a-abaedaa5ac86) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Setuid and Setgid - T1548.001 (6831414d-bb70-42b7-8030-d4e06b2660c9) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Extended Attributes - T1564.014 (762e6f29-a62f-4d96-91ed-d0073181431f) Attack Pattern 2
Compromise Software Dependencies and Development Tools - T1195.001 (191cc6af-1bb2-4344-ab5f-28e496638720) Attack Pattern Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7) Attack Pattern 2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Windows File and Directory Permissions Modification - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee) Attack Pattern File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern 2
Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7) Attack Pattern Compromise Software Supply Chain - T1195.002 (bd369cd9-abb8-41ce-b5bb-fff23ee86c00) Attack Pattern 2