Skip to content

DC0059 File Metadata

Item Value
ID DC0059
Version 2.0
Created 20 October 2021
Last Modified 12 November 2025

Log Sources

Name Channel
auditd:CONFIG_CHANGE chmod or chown of hook files indicating privilege escalation or execution permission change
auditd:PATH file path matches exclusion directories
auditd:PATH PATH
auditd:PATH file path modifications on critical system directories (/etc, /usr/bin, /usr/sbin, /var, /opt)
auditd:SYSCALL Inotify watch creation or auditctl changes on /etc/cron* or /lib/systemd/system/
auditd:SYSCALL PATH
auditd:SYSCALL file write after sleep delay
auditd:SYSCALL syscall in (chmod, fchmod, fchmodat, chown, fchown, fchownat, setxattr, lsetxattr, fsetxattr)
auditd:SYSCALL setuid or setgid bit changes
auditd:SYSCALL syscall in (chmod, fchmod, fchmodat, chown, fchown, fchownat, lchown, setxattr, lsetxattr, fsetxattr, removexattr, lremovexattr, fremovexattr)
auditd:SYSCALL setxattr or getxattr system call
auditd:SYSCALL chmod, chown, setxattr, or file writes to /etc/ssl/ or /usr/local/share/ca-certificates/
ebpf:syscalls Unexpected container volume unmount + file deletion
EDR:detection App reputation telemetry
EDR:file File Metadata Inspection (Low String Entropy, Missing PDB)
EDR:file File Metadata Analysis (PE overlays, entropy)
esxi:hostd host daemon events related to file or VM permission changes
esxi:syslog Datastore file hidden or renamed unexpectedly
esxi:vmkernel Upload of file to datastore
esxi:vmkernel Storage access and file ops
esxi:vmkernel VMware kernel events for file system permission modifications
esxi:vmkernel Datastore modification events
File None
fs:fileevents /var/log/install.log
fs:filesystem Binary file hash changes outside of update/patch cycles
fs:fsevents file system events indicating permission or attribute changes
fs:fsusage filesystem monitoring of exec/open
fwupd:logs Firmware updates applied or failed
gatekeeper/quarantine database LaunchServices quarantine
journald:package dpkg/apt or yum/dnf transaction logs (install/update of build tools)
journald:package dpkg/apt/yum/dnf transaction logs; vendor updaters in systemd journals
journald:package dpkg/apt install, remove, upgrade events
journald:package yum/dnf install or update transactions
linux:osquery event-based
linux:osquery file_events, hash
linux:osquery hash, elf_info, file_metadata
linux:osquery file_events
linux:osquery elf_info, hash, yara_matches
linux:osquery Read headers and detect MIME type mismatch
linux:osquery file_events.path
linux:osquery Filesystem modifications to trusted paths
linux:osquery Write or modify .desktop file in XDG autostart path
linux:osquery hash, rpm_packages, deb_packages, file_events
linux:syslog Discrepancies in _VBA_PROJECT p-code vs source code extracted with oletools/pcodedmp
linux:syslog application or system execution logs
linux:syslog file permission modification events in kernel messages
linux:syslog kernel messages related to file system permission changes and security violations
macos:endpointsecurity es_event_file_rename_t or es_event_file_write_t
macos:endpointsecurity es_event_authentication
macos:osquery code_signing, file_metadata
macos:osquery file_events
macos:osquery mach_o_info, file_metadata
macos:unifiedlog softwareupdated/homebrew/install logs, pkginstalld events
macos:unifiedlog AMFI or Gatekeeper signature/notarization failures for newly installed dev components
macos:unifiedlog Detection of altered _VBA_PROJECT or PerformanceCache streams
macos:unifiedlog subsystem:syspolicyd
macos:unifiedlog File metadata updated with UF_HIDDEN flag
macos:unifiedlog Code signature validation fails or is absent post-binary modification
macos:unifiedlog Code signing verification failures or bypassed trust decisions
macos:unifiedlog Creation of new LaunchAgent or LoginItem plist files in ~/Library/LaunchAgents/
macos:unifiedlog filesystem events
macos:unifiedlog xattr -d com.apple.quarantine or similar attribute removal commands
macos:unifiedlog Gatekeeper quarantine policy decision anomalies recorded in com.apple.LaunchServices.QuarantineEventsV2
macos:unifiedlog pkginstalld/softwareupdated/Homebrew install transactions
macos:unifiedlog AMFI/Gatekeeper code signature or notarization failures
macos:unifiedlog kernel extension and system extension logs related to file system security violations or SIP bypass attempts
macos:unifiedlog Unexpected application binary modifications or altered signing status
macos:unifiedlog extended attribute write or modification
macos:unifiedlog New certificate trust settings added by unexpected process
macos:unifiedlog subsystem=com.apple.lsd
macos:unifiedlog installer or system_installd ‘PackageKit: install succeeded/failed’ with non-notarized or unknown signer
macos:unifiedlog Gatekeeper/AMFI ‘code signature invalid’ / ‘not notarized’ messages
macos:unifiedlog File creation or modification with com.apple.ResourceFork extended attribute
networkdevice:syslog OS version query results inconsistent with expected or approved version list
NSM:Flow Observed File Transfers
OpenBSM:AuditTrail BSM audit events for file permission modifications
OpenBSM:AuditTrail BSM audit events for file permission, ownership, and attribute modifications with user context
saas:RepoEvents New file added or modified in PR targeting CI/CD or build config (e.g., gitlab-ci.yml, build.gradle, pom.xml, .github/workflows/*.yml)
WinEventLog:Microsoft-Windows-CodeIntegrity/Operational Invalid/Unsigned image when developer tool launches newly installed binaries
WinEventLog:Microsoft-Windows-CodeIntegrity/Operational Unsigned or invalid image for newly installed/updated binaries
WinEventLog:Microsoft-Windows-CodeIntegrity/Operational Code integrity violations in boot-start drivers or firmware
WinEventLog:Microsoft-Windows-CodeIntegrity/Operational CodeIntegrity reports ‘Invalid image hash’ or ‘Unsigned image’ for new/updated binaries
WinEventLog:Microsoft-Windows-Windows Defender/Operational SmartScreen or ASR blocks on newly downloaded installer/updater
WinEventLog:Security EventCode=4663, 4670, 4656
WinEventLog:Security EventCode=4663, 4656, 4658
WinEventLog:Setup MSI/Product install, repair or update events
WinEventLog:Sysmon EventCode=15
WinEventLog:Windows Defender Operational log
WinEventLog:Windows Defender Operational

Detection Strategy

ID Name Technique Detected
DET0537 Behavioral detection for Supply Chain Compromise (package/update tamper → install → first-run) T1195
DET0010 Behavioral Detection of Event Triggered Execution Across Platforms T1546
DET0184 Behavioral Detection of Indicator Removal Across Platforms T1070
DET0127 Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy T1036
DET0378 Behavioral Detection of Obfuscated Files or Information T1027
DET0112 Boot or Logon Initialization Scripts Detection Strategy T1037
DET0309 Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly) T1195.002
DET0591 Cross-Platform Behavioral Detection of File Timestomping via Metadata Tampering T1070.006
DET0288 Detect Gatekeeper Bypass via Quarantine Flag and Trust Control Manipulation T1553.001
DET0257 Detect Mark-of-the-Web (MOTW) Bypass via Container and Disk Image Files T1553.005
DET0519 Detect Persistence via Office Template Macro Injection or Registry Hijack T1137.001
DET0125 Detect persistence via reopened application plist modification (macOS) T1547.007
DET0452 Detect Subversion of Trust Controls via Certificate, Registry, and Attribute Manipulation T1553
DET0134 Detect Suspicious Access to Windows Credential Manager T1555.004
DET0230 Detect Suspicious or Malicious Code Signing Abuse T1553.002
DET0141 Detect Time-Based Evasion via Sleep, Timer Loops, and Delayed Execution T1497.003
DET0597 Detect Unauthorized Access to Password Managers T1555.005
DET0235 Detecting Steganographic Command and Control via File + Network Correlation T1001.002
DET0750 Detection of Indicator Removal on Host T0872
DET0745 Detection of Lateral Tool Transfer T0867
DET0725 Detection of Masquerading T0849
DET0730 Detection of Supply Chain Compromise T0862
DET0345 Detection Strategy for Abuse Elevation Control Mechanism (T1548) T1548
DET0033 Detection Strategy for Accessibility Feature Hijacking via Binary Replacement or Registry Modification T1546.008
DET0281 Detection Strategy for Compressed Payload Creation and Execution T1027.015
DET0059 Detection Strategy for Data Manipulation T1565
DET0569 Detection Strategy for Downgrade System Image on Network Devices T1601.002
DET0214 Detection Strategy for Embedded Payloads T1027.009
DET0406 Detection Strategy for Extended Attributes Abuse T1564.014
DET0051 Detection Strategy for File/Path Exclusions T1564.012
DET0344 Detection Strategy for Fileless Storage via Registry, WMI, and Shared Memory T1027.011
DET0502 Detection Strategy for Hidden Artifacts Across Platforms T1564
DET0032 Detection Strategy for Hidden Files and Directories T1564.001
DET0201 Detection Strategy for Hijack Execution Flow for DLLs T1574.001
DET0064 Detection Strategy for Hijack Execution Flow through Path Interception by Unquoted Path T1574.009
DET0436 Detection Strategy for Hijack Execution Flow through Services File Permissions Weakness. T1574.010
DET0038 Detection Strategy for Hijack Execution Flow using Executable Installer File Permissions Weakness T1574.005
DET0564 Detection Strategy for Hijack Execution Flow using Path Interception by Search Order Hijacking T1574.008
DET0313 Detection Strategy for HTML Smuggling via JavaScript Blob + Dynamic File Drop T1027.006
DET0189 Detection Strategy for Indicator Removal from Tools - Post-AV Evasion Modification T1027.005
DET0183 Detection Strategy for Lateral Tool Transfer across OS platforms T1570
DET0216 Detection Strategy for LC_LOAD_DYLIB Modification in Mach-O Binaries on macOS T1546.006
DET0405 Detection Strategy for LNK Icon Smuggling T1027.012
DET0101 Detection Strategy for Lua Scripting Abuse T1059.011
DET0226 Detection Strategy for Masquerading via File Type Modification T1036.008
DET0347 Detection Strategy for Masquerading via Legitimate Resource Name or Location T1036.005
DET0432 Detection Strategy for NTFS File Attribute Abuse (ADS/EAs) T1564.004
DET0533 Detection Strategy for Poisoned Pipeline Execution via SaaS CI/CD Workflows T1677
DET0584 Detection Strategy for Resource Forking on macOS T1564.009
DET0391 Detection Strategy for Runtime Data Manipulation. T1565.003
DET0193 Detection Strategy for Stored Data Manipulation across OS Platforms. T1565.001
DET0019 Detection Strategy for Stripped Payloads Across Platforms T1027.008
DET0180 Detection Strategy for T1547.009 – Shortcut Modification (Windows) T1547.009
DET0012 Detection Strategy for VBA Stomping T1564.007
DET0254 Detection Strategy of Transmitted Data Manipulation T1565.002
DET0368 Hardware Supply Chain Compromise Detection via Host Status & Boot Integrity Checks T1195.003
DET0031 Invalid Code Signature Execution Detection via Metadata and Behavioral Context T1036.001
DET0390 Linux Detection Strategy for T1547.013 - XDG Autostart Entries T1547.013
DET0258 Linux Python Startup Hook Persistence via .pth and Customize Files (T1546.018) T1546.018
DET0292 Masquerading via Space After Filename - Behavioral Detection Strategy T1036.006
DET0299 Multi-Platform File and Directory Permissions Modification Detection Strategy T1222
DET0005 Renamed Legitimate Utility Execution with Metadata Mismatch and Suspicious Path T1036.003
DET0527 Right-to-Left Override Masquerading Detection via Filename and Execution Context T1036.002
DET0009 Supply-chain tamper in dependencies/dev-tools (manager→write/install→first-run→egress) T1195.001
DET0351 Unix-like File Permission Manipulation Behavioral Chain Detection Strategy T1222.002
DET0294 User Execution – Malicious File via download/open → spawn chain (T1204.002) T1204.002
DET0252 User-Initiated Malicious Library Installation via Package Manager (T1204.005) T1204.005
DET0418 Windows DACL Manipulation Behavioral Chain Detection Strategy T1222.001