DC0055 File Access
| Item | Value |
|---|---|
| ID | DC0055 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 12 November 2025 |
Log Sources
| Name | Channel |
|---|---|
| auditd:FILE | /home/*/.mozilla/firefox/*/logins.json OR /home/*/.config/google-chrome/*/Login Data |
| auditd:FILE | /proc/*/mem read attempt |
| auditd:FS | read: File access to /proc/modules or /sys/module/ |
| auditd:PATH | Read access to known backup software configuration files (e.g., /etc/rsnapshot.conf, /opt/veeam/config.ini) |
| auditd:PATH | open: Access to sensitive log files (/var/log/auth.log, /var/log/secure, /var/log/syslog) |
| auditd:PATH | PATH |
| auditd:PATH | file read |
| auditd:SYSCALL | open, read, or stat of browser config files |
| auditd:SYSCALL | open: File access attempt on /tmp/krb5cc_* or /tmp/krb5.ccache |
| auditd:SYSCALL | openat |
| auditd:SYSCALL | open |
| auditd:SYSCALL | open, read |
| auditd:SYSCALL | open, flock, fcntl, unlink |
| auditd:SYSCALL | read/open of sensitive files |
| auditd:SYSCALL | Unusual processes accessing or modifying cookie databases |
| auditd:SYSCALL | PATH records referencing /dev/video* |
| auditd:SYSCALL | open, read: /etc/ssl/, /etc/pki/, ~/.pki/nssdb/ |
| auditd:SYSCALL | Processes reading credential or token cache files |
| auditd:SYSCALL | read/open of sensitive file directories |
| auditd:SYSCALL | open/read of sensitive config or secret files |
| auditd:SYSCALL | open/read of sensitive directories |
| auditd:SYSCALL | open/read: Access to /proc/self/status with focus on TracerPID field |
| auditd:SYSCALL | open/read access to ~/.bash_history |
| auditd:SYSCALL | open,read |
| auditd:SYSCALL | open/read system calls to ~/.bash_history or /etc/shadow |
| auditd:SYSCALL | read of /run/secrets or docker volumes by non-entrypoint process |
| auditd:SYSCALL | Reads of ~/.bash_history, ~/.mozilla, or access to /dev/input |
| auditd:SYSCALL | open/read |
| auditd:SYSCALL | open: Access to named pipes or FIFO in /tmp or /dev/shm by unexpected processes |
| auditd:SYSCALL | open or read to browser cookie storage |
| auditd:SYSCALL | open, read, mount |
| auditd:SYSCALL | file |
| auditd:SYSCALL | Access to /var/lib/sss/secrets/secrets.ldb or .secrets.mkey |
| auditd:SYSCALL | open/read of sensitive directories (/etc, /home/*) |
| auditd:SYSCALL | PATH |
| auditd:SYSCALL | open/read on ~/.local/share/keepassxc/ OR ~/.password-store/ |
| azure:activity | CollectGuestLogs: Unexpected collection of guest logs by Azure VM Agent outside normal maintenance windows |
| CloudTrail:GetObject | sensitive credential files in buckets or local image storage |
| desktop:file_manager | nautilus, dolphin, or gvfs logs |
| ebpf:syscalls | container_file_activity |
| ebpf:syscalls | open/read on secret mount paths |
| esxi:hostd | datastore file access |
| esxi:hostd | read: Access to sensitive log files by non-admin users |
| esxi:hostd | datastore/log file access |
| esxi:hostd | vSphere File API Access |
| esxi:hostd | file copy or datastore upload via HTTPS |
| esxi:syslog | guest OS outbound transfer logs |
| esxi:vmkernel | VMFS access logs |
| esxi:vmkernel | Datastore Access |
| File | None |
| fs:fileevents | File system access events with kFSEventStreamEventFlagItemRemoved, kFSEventStreamEventFlagItemRenamed flags for environmental artifact collection (/System/Library, /usr/sbin, plist files) |
| fs:fsevents | file system events indicating access to system configuration files and environmental information sources |
| fs:fsusage | file |
| fs:fsusage | File Access Monitor |
| fs:fsusage | Disk Activity Tracing |
| fs:fsusage | filesystem activity |
| fs:fsusage | Filesystem Call Monitoring |
| fs:fsusage | read/write |
| fs:fsusage | file open for known browser cookie paths |
| fs:fsusage | file reads/writes from /Volumes/ |
| fs:quarantine | /var/log/quarantine.log |
| gcp:audit | Write operations to storage |
| kubernetes:audit | GET or LIST requests to /var/run/secrets/kubernetes.io/serviceaccount/ followed by access to the Kubernetes API server |
| linux:osquery | /proc/*/maps access |
| linux:osquery | None |
| linux:syslog | auth.log or custom tool logs |
| linux:syslog | /var/log/syslog |
| linux:syslog | kernel messages related to cryptographic operations, module loading, and filesystem access patterns |
| m365:unified | FileAccessed, MailboxAccessed |
| m365:unified | Bulk downloads or API extractions from Microsoft-hosted data repositories (e.g., Dynamics 365) |
| macos:endpointsecurity | ES_EVENT_TYPE_NOTIFY_OPEN: Open of .dylib/.so in user-writable locations |
| macos:endpointsecurity | open: Process opens AppleCamera/IOUSB device nodes or AVFoundation frameworks |
| macos:endpointsecurity | open or read syscall to ~/.bash_history |
| macos:endpointsecurity | es_event_open, es_event_exec |
| macos:keychain | Access to Keychain DB or system.keychain |
| macos:keychain | ~/Library/Keychains, /Library/Keychains |
| macos:osquery | file_events |
| macos:osquery | None |
| macos:unifiedlog | Access to ~/Library/*/Safari or Chrome directories by non-browser processes |
| macos:unifiedlog | file events |
| macos:unifiedlog | Kerberos framework calls to API:{uuid} cache outside normal process lineage |
| macos:unifiedlog | ~/Library/Application Support/Google/Chrome/*/Login Data OR ~/Library/Application Support/Firefox/*/logins.json |
| macos:unifiedlog | Read access to Time Machine plist files or CCC configurations in ~/Library/Preferences/ |
| macos:unifiedlog | log stream - file subsystem |
| macos:unifiedlog | file read of sensitive directories |
| macos:unifiedlog | Abnormal process access to Safari or Chrome cookie storage |
| macos:unifiedlog | open: Access to /var/log/system.log or related security event logs |
| macos:unifiedlog | open/read of *.plist or .env files |
| macos:unifiedlog | read of user document directories |
| macos:unifiedlog | read access to ~/Library/Keychains/login.keychain-db |
| macos:unifiedlog | filesystem and process events |
| macos:unifiedlog | read access to ~/Library/Keychains or history files by terminal processes |
| macos:unifiedlog | access to /Volumes/SharePoint or network mount |
| macos:unifiedlog | Access to ~/Library/Safari/Bookmarks.plist or recent files |
| macos:unifiedlog | access to keychain database |
| macos:unifiedlog | log stream - file provider subsystem |
| macos:unifiedlog | read/write of user documents prior to upload |
| macos:unifiedlog | open/read access to private key files (id_rsa, .pem, .p12) |
| macos:unifiedlog | read: File access to /System/Library/Extensions/ or related kernel extension paths |
| macos:unifiedlog | .opvault OR .ldb OR *.kdbx |
| WinEventLog:Microsoft-Windows-Windows Defender/Operational | Suspicious file execution on removable media path |
| WinEventLog:Security | EventCode=4663, 4670, 4656 |
Detection Strategy
| ID | Name | Technique Detected |
|---|---|---|
| DET0413 | Abuse of Information Repositories for Data Collection | T1213 |
| DET0186 | Automated File and API Collection Detection Across Platforms | T1119 |
| DET0088 | Backup Software Discovery via CLI, Registry, and Process Inspection (T1518.002) | T1518.002 |
| DET0197 | Behavior-chain, platform-aware detection strategy for T1125 Video Capture | T1125 |
| DET0018 | Behavior-chain, platform-aware detection strategy for T1129 Shared Modules | T1129 |
| DET0102 | Behavioral Detection of Input Capture Across Platforms | T1056 |
| DET0089 | Behavioral Detection of Keylogging Activity Across Platforms | T1056.001 |
| DET0140 | Behavioral Detection of Malicious File Deletion | T1070.004 |
| DET0508 | Behavioral Detection of Process Injection Across Platforms | T1055 |
| DET0008 | Behavioral Detection of Remote Cloud Logins via Valid Accounts | T1021.007 |
| DET0464 | Behavioral Detection of Wi-Fi Discovery Activity | T1016.002 |
| DET0131 | Behavioral Detection Strategy for Exfiltration Over Alternative Protocol | T1048 |
| DET0221 | Behavioral Detection Strategy for T1123 Audio Capture Across Windows, Linux, macOS | T1123 |
| DET0112 | Boot or Logon Initialization Scripts Detection Strategy | T1037 |
| DET0446 | Credential Access via /etc/passwd and /etc/shadow Parsing | T1003.008 |
| DET0234 | Credential Dumping via Sensitive Memory and Registry Access Correlation | T1003 |
| DET0591 | Cross-Platform Behavioral Detection of File Timestomping via Metadata Tampering | T1070.006 |
| DET0493 | Detect Abuse of Inter-Process Communication (T1559) | T1559 |
| DET0385 | Detect Access and Parsing of .bash_history Files for Credential Harvesting | T1552.003 |
| DET0412 | Detect Access or Search for Unsecured Credentials Across Platforms | T1552 |
| DET0396 | Detect Access to macOS Keychain for Credential Theft | T1555.001 |
| DET0307 | Detect Access to Unsecured Credential Files Across Platforms | T1552.001 |
| DET0430 | Detect Credentials Access from Password Stores | T1555 |
| DET0024 | Detect Kerberos Ccache File Theft or Abuse (T1558.005) | T1558.005 |
| DET0522 | Detect Kerberos Ticket Theft or Forgery (T1558) | T1558 |
| DET0047 | Detect Local Email Collection via Outlook Data File Access and Command Line Tooling | T1114.001 |
| DET0072 | Detect Logon Script Modifications and Execution | T1037.001 |
| DET0257 | Detect Mark-of-the-Web (MOTW) Bypass via Container and Disk Image Files | T1553.005 |
| DET0037 | Detect Suspicious Access to Browser Credential Stores | T1555.003 |
| DET0549 | Detect Suspicious Access to Private Key Files and Export Attempts Across Platforms | T1552.004 |
| DET0057 | Detect Suspicious Access to securityd Memory for Credential Extraction | T1555.002 |
| DET0597 | Detect Unauthorized Access to Password Managers | T1555.005 |
| DET0420 | Detect User Activity Based Sandbox Evasion via Input & Artifact Probing | T1497.002 |
| DET0044 | Detecting Malicious Browser Extensions Across Platforms | T1176.001 |
| DET0593 | Detecting OS Credential Dumping via /proc Filesystem Access on Linux | T1003.007 |
| DET0034 | Detection of Adversarial Process Discovery Behavior | T1057 |
| DET0734 | Detection of Automated Collection | T0802 |
| DET0554 | Detection of Bluetooth-Based Data Exfiltration | T1011.001 |
| DET0513 | Detection of Cached Domain Credential Dumping via Local Hash Cache Access | T1003.005 |
| DET0139 | Detection of Credential Harvesting via API Hooking | T1056.004 |
| DET0511 | Detection of Data Access and Collection from Removable Media | T1025 |
| DET0123 | Detection of Data Exfiltration via Removable Media | T1052 |
| DET0749 | Detection of Data from Local System | T0893 |
| DET0014 | Detection of Data Staging Prior to Exfiltration | T1074 |
| DET0512 | Detection of Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | T1048.002 |
| DET0149 | Detection of Exfiltration Over Unencrypted Non-C2 Protocol | T1048.003 |
| DET0013 | Detection of Local Browser Artifact Access for Reconnaissance | T1217 |
| DET0380 | Detection of Local Data Collection Prior to Exfiltration | T1005 |
| DET0261 | Detection of Local Data Staging Prior to Exfiltration | T1074.001 |
| DET0132 | Detection of Mutex-Based Execution Guardrails Across Platforms | T1480.002 |
| DET0071 | Detection of Remote Data Staging Prior to Exfiltration | T1074.002 |
| DET0739 | Detection of Remote System Discovery | T0846 |
| DET0787 | Detection of Remote System Information Discovery | T0888 |
| DET0733 | Detection of Replication Through Removable Media | T0847 |
| DET0220 | Detection of USB-Based Data Exfiltration | T1052.001 |
| DET0791 | Detection of User Execution | T0863 |
| DET0509 | Detection of Web Session Cookie Theft via File, Memory, and Network Artifacts | T1539 |
| DET0541 | Detection Strategy for /proc Memory Injection on Linux | T1055.009 |
| DET0281 | Detection Strategy for Compressed Payload Creation and Execution | T1027.015 |
| DET0410 | Detection Strategy for Data from Network Shared Drive | T1039 |
| DET0059 | Detection Strategy for Data Manipulation | T1565 |
| DET0371 | Detection Strategy for Debugger Evasion (T1622) | T1622 |
| DET0579 | Detection Strategy for Device Driver Discovery | T1652 |
| DET0214 | Detection Strategy for Embedded Payloads | T1027.009 |
| DET0369 | Detection Strategy for Event Triggered Execution via Trap (T1546.005) | T1546.005 |
| DET0348 | Detection Strategy for Exfiltration Over C2 Channel | T1041 |
| DET0548 | Detection Strategy for Exfiltration Over Web Service | T1567 |
| DET0153 | Detection Strategy for Exfiltration Over Webhook | T1567.004 |
| DET0570 | Detection Strategy for Exfiltration to Cloud Storage | T1567.002 |
| DET0318 | Detection Strategy for Exfiltration to Code Repository | T1567.001 |
| DET0284 | Detection Strategy for Exfiltration to Text Storage Sites | T1567.003 |
| DET0051 | Detection Strategy for File/Path Exclusions | T1564.012 |
| DET0171 | Detection Strategy for Forged Web Cookies | T1606.001 |
| DET0260 | Detection Strategy for Forged Web Credentials | T1606 |
| DET0255 | Detection Strategy for Log Enumeration | T1654 |
| DET0347 | Detection Strategy for Masquerading via Legitimate Resource Name or Location | T1036.005 |
| DET0553 | Detection Strategy for Obfuscated Files or Information: Binary Padding | T1027.001 |
| DET0574 | Detection Strategy for Remote System Enumeration Behavior | T1018 |
| DET0240 | Detection Strategy for Steal or Forge Authentication Certificates | T1649 |
| DET0119 | Detection Strategy for Steganographic Abuse in File & Script Execution | T1027.003 |
| DET0515 | Detection Strategy for T1528 - Steal Application Access Token | T1528 |
| DET0476 | Email Collection via Local Email Access and Auto-Forwarding Behavior | T1114 |
| DET0587 | Enumeration of User or Account Information Across Platforms | T1087 |
| DET0474 | Environmental Keying Discovery-to-Decryption Behavioral Chain Detection Strategy | T1480.001 |
| DET0287 | Exploitation for Client Execution – cross-platform behavior chain (browser/Office/3rd-party apps) | T1203 |
| DET0082 | Internal Website and System Content Defacement via UI or Messaging Modifications | T1491.001 |
| DET0390 | Linux Detection Strategy for T1547.013 - XDG Autostart Entries | T1547.013 |
| DET0303 | Local Account Enumeration Across Host Platforms | T1087.001 |
| DET0292 | Masquerading via Space After Filename - Behavioral Detection Strategy | T1036.006 |
| DET0562 | Multi-Platform Execution Guardrails Environmental Validation Detection Strategy | T1480 |
| DET0491 | Peripheral Device Enumeration via System Utilities and API Calls | T1120 |
| DET0105 | Post-Credential Dump Password Cracking Detection via Suspicious File Access and Hash Analysis Tools | T1110.002 |
| DET0370 | Recursive Enumeration of Files and Directories Across Privilege Contexts | T1083 |
| DET0301 | Removable Media Execution Chain Detection via File and Process Activity | T1091 |
| DET0527 | Right-to-Left Override Masquerading Detection via Filename and Execution Context | T1036.002 |
| DET0242 | Suspicious Database Access and Dump Activity Across Environments (T1213.006) | T1213.006 |
| DET0478 | User Execution – multi-surface behavior chain (documents/links → helper/unpacker → LOLBIN/child → egress) | T1204 |