File activity searches. These can detect exploration, collection, and preparation for exfiltration by a rogue insider.

| Event Type | Description |
|---|---|
| File & Object Access - Event Logs | Anomalous file events by a database client |
| File & Object Access - Event Logs | Anomalous file events by an email client |
| File & Object Access - Event Logs | Anomalous file renames |
| File & Object Access - Event Logs | Anomalous file writes by a browser |
| File & Object Access - Event Logs | Anomalous file writes by a database client |
| File & Object Access - Event Logs | Anomalous file writes by an email client |
| File & Object Access - Event Logs | Anomalous local clone access |
| File & Object Access - Event Logs | Anomalous network file transfer |
| File & Object Access - Event Logs | Anomalous PDF file writes |
| File & Object Access - Event Logs | Anomalous source code access - extensions c, cpp, h, java |
| File & Object Access - Event Logs | Anomalous source code copies - extensions c, cpp, h, java |
| File & Object Access - Event Logs | Anomalous UNC connections |
| File & Object Access - Event Logs | Anomalous UNC folder path activity |
| File & Object Access - Event Logs | Anomalous UNC reads |
| File & Object Access - Event Logs | Anomalous zip file activity |
| File & Object Access - Event Logs | Browser cache file copies |
| File & Object Access - Event Logs | Browser cache file reads |
| File & Object Access - Event Logs | Compression of source code files |
| File & Object Access - Event Logs | Copying in UNC paths |
| File & Object Access - Event Logs | Copying of listed file extensions |
| File & Object Access - Event Logs | Copying of listed file names |
| File & Object Access - Event Logs | Device driver file activity |
| File & Object Access - Event Logs | Document file read by a browser |
| File & Object Access - Event Logs | Document file read by a chat client |
| File & Object Access - Event Logs | Document file read by an FTP client |
| File & Object Access - Event Logs | Document file read by an SSH client |
| File & Object Access - Event Logs | Document file read by an anomalous email client |
| File & Object Access - Event Logs | Document file read by an anomalous process |
| File & Object Access - Event Logs | Document file type / process mismatch |
| File & Object Access - Event Logs | Executable file activity on removable media |
| File & Object Access - Event Logs | Executable file write in C:\ directory |
| File & Object Access - Event Logs | Executable file write in C:\Program Files |
| File & Object Access - Event Logs | Executable file write in C:\Windows\ |
| File & Object Access - Event Logs | Executable file write in Recycle Bin |
| File & Object Access - Event Logs | Executable file write in Temp directory |
| File & Object Access - Event Logs | Executable file write in UNC path |
| File & Object Access - Event Logs | Executable file writes and renames by a browser |
| File & Object Access - Event Logs | Executable file writes and renames by a chat client |
| File & Object Access - Event Logs | Executable file writes and renames by a PDF reader |
| File & Object Access - Event Logs | Executable file writes and renames by a zip utility |
| File & Object Access - Event Logs | Executable file writes and renames by an email client |
| File & Object Access - Event Logs | Executable file writes and renames by an FTP client |
| File & Object Access - Event Logs | File copy activity on sensitive file types |
| File & Object Access - Event Logs | File copy activity on sensitive UNCs |
| File & Object Access - Event Logs | File copying between remote and fixed disks |
| File & Object Access - Event Logs | File copying between UNC path and removable drives |
| File & Object Access - Event Logs | File deletes in sensitive UNCs |
| File & Object Access - Event Logs | File renaming in sensitive UNCs |
| File & Object Access - Event Logs | File renaming of sensitive file types |
| File & Object Access - Event Logs | File writes by a terminal emulator |
| File & Object Access - Event Logs | File writes to a system path |
| File & Object Access - Event Logs | File writes to C:\Program Files |
| File & Object Access - Event Logs | Listed file type emailed to outside user |
| File & Object Access - Event Logs | Modification of the Ntoskrnl.exe and NTLDR files |
| File & Object Access - Event Logs | Network file transfer from a file share |
| File & Object Access - Event Logs | Office document file copies by Explorer |
| File & Object Access - Event Logs | Office document file reads by a non-Office app |
| File & Object Access - Event Logs | Reads of sensitive keys or secret files |
| File & Object Access - Event Logs | Sensitive data emailed to outside user |
| File & Object Access - Event Logs | UNC activity during off hours |
| File & Object Access - Event Logs | UNC activity with group / UNC path mismatch |
| File & Object Access - Event Logs | UNC activity with workstation / username mismatch |
| File & Object Access - Event Logs | UNC file read by a browser |
| File & Object Access - Event Logs | UNC file read by a compression utility |
| File & Object Access - Event Logs | UNC file read by an email client |
| File & Object Access - Event Logs | UNC file read by an FTP client |
| File & Object Access - Event Logs | UNC file read by an SCP client |
| File & Object Access - Event Logs | zip / rar file creation in UNC path |
| File & Object Access - Event Logs | Anomalous change permissions / take ownership events |
| File & Object Access - Event Logs | Anomalous file events by a browser |