Skip to content

DC0061 File Modification

Item Value
ID DC0061
Version 2.0
Created 20 October 2021
Last Modified 12 November 2025

Log Sources

Name Channel
auditd:FILE Modification or deletion of /etc/audit/audit.rules or /etc/audit/audit.conf
auditd:FILE Modification of Display Manager configuration files (/etc/gdm3/, /etc/lightdm/)
auditd:PATH /etc/passwd or /etc/group file write
auditd:PATH write: Modification of /boot/grub/, /boot/efi/EFI/, or initramfs images
auditd:PATH write or create events on *.pth, sitecustomize.py, usercustomize.py in site-packages or dist-packages
auditd:PATH write: File modifications to /etc/systemd/sleep.conf or related power configuration files
auditd:SYSCALL open/write calls modifying ~/.bashrc, ~/.profile, or /etc/paths.d
auditd:SYSCALL open, write
auditd:SYSCALL AUDIT_SYSCALL (open, write, rename, unlink)
auditd:SYSCALL PATH
auditd:SYSCALL execve call for modification of /etc/sudoers or writing to /var/db/sudo
auditd:SYSCALL open, write: File modifications under /etc/ssl/certs, /usr/local/share/ca-certificates, or /etc/pki/ca-trust/source/anchors
auditd:SYSCALL open, unlink, rename: Suspicious file access, deletion, or modification of sensitive paths
auditd:SYSCALL open/write of .service unit files
auditd:SYSCALL open/write/unlink
auditd:SYSCALL write, rename
auditd:SYSCALL write
auditd:SYSCALL write
auditd:SYSCALL open, write: Write operations targeting /dev/sda, /dev/nvme0n1, or EFI partition mounts
auditd:SYSCALL open/write to /etc/pam.d/*
auditd:SYSCALL write: Modification of structured stored data by suspicious processes
auditd:SYSCALL openat, write, rename, unlink
auditd:SYSCALL open/write syscalls targeting /etc/ld.so.preload or binaries in /usr/bin
auditd:SYSCALL modification of existing .service file
auditd:SYSCALL open, write: Modification of /boot/grub/ or /boot/efi/
auditd:SYSCALL chmod
auditd:SYSCALL rename,chmod
auditd:SYSCALL Modification of user shell profile or trap registration via echo/redirection (e.g., echo “trap ‘malicious_cmd’ INT” >> ~/.bashrc)
auditd:SYSCALL chmod, write, create, open
auditd:SYSCALL open, write: File writes to application binaries or libraries at runtime
auditd:SYSCALL file write operations in /Library/WebServer/Documents
auditd:SYSCALL write operation on /etc/passwd or /etc/shadow
auditd:SYSCALL mount or losetup commands creating hidden or encrypted FS
auditd:SYSCALL open/write to /proc//mem or /proc//maps
auditd:SYSCALL write or rename to /etc/systemd/system or /etc/init.d
auditd:SYSCALL modification of entrypoint scripts or init containers
auditd:SYSCALL chmod/chown to /etc/passwd or /etc/shadow
auditd:SYSCALL open/write syscalls targeting web directory files
azure:resource PATCH vm/authorized_keys
containerd:runtime file change monitoring within /etc/cron.*, /tmp, or mounted volumes
ebpf:syscalls file_write
esxi:cron manual edits to /etc/rc.local.d/local.sh or cron.d
esxi:hostd boot
esxi:hostd modification of crontab or local.sh entries
esxi:hostd binary or module replacement event
esxi:shell file write or edit
esxi:shell admin command usage
esxi:vmkernel rename .vmdk to .*.locked
esxi:vmkernel Unauthorized file modifications within datastore volumes via shell access or vCLI
esxi:vmkernel /var/log/vmkernel.log
ESXiLogs:messages changes to /etc/motd or /etc/vmware/welcome
File None
FileIntegrity:ImageValidation Hash/checksum mismatch against baseline vendor-provided OS image versions
firmware:update Unexpected or unscheduled firmware updates, image overwrites, or failed signature validation
FirmwareLogs:Update Unexpected firmware or image updates modifying cryptographic modules
FirmwareLogs:Update Unexpected firmware updates that alter encryption libraries or disable hardware crypto modules
fs:fileevents /var/log/quarantine.log
fs:fileevents /var/log/install.log
fs:filesystem Modification or creation of files matching ‘com.apple.loginwindow.*.plist’ in ~/Library/Preferences/ByHost
fs:fsevents create/write/rename under user-writable paths
fs:fsevents file system events indicating permission, ownership, or extended attribute changes on critical paths. File system modification events with kFSEventStreamEventFlagItemChangeOwner, kFSEventStreamEventFlagItemXattrMod flags
fs:fsevents Extensions
fs:fsusage unlink, write
fs:fsusage file access to /usr/lib/cron/tabs/ and cron output files
fs:fsusage file access to /usr/lib/cron/at and job execution path
fs:fsusage modification of existing LaunchAgents plist
fs:fsusage Filesystem Access Logging
fs:fsusage truncate, unlink, write
fs:fsusage file write to launchd plist paths
fs:launchdaemons file_modify
fs:plist /var/root/Library/Preferences/com.apple.loginwindow.plist
fs:plist_monitoring /Users//Library/Mail/V/MailData/RulesActiveState.plist
gcp:audit compute.instances.setMetadata
IntegrityCheck:ImageValidation Checksum or hash mismatch between running image and known-good vendor-provided image
linux:fim Changes to /etc/rc.local.d/local.sh or creation of unexpected startup files in persistent partitions (/etc/init.d, /store, /locker)
linux:osquery file_events
linux:osquery New or modified kernel object files (.ko) within /lib/modules directory
linux:syslog rename
linux:syslog Unexpected log entries or malformed SQL operations in databases
m365:defender OfficeTelemetry or DLP
m365:office Anomalous editing of invoice or payment document templates
macos:auth ~/.ssh/authorized_keys
macos:endpointsecurity ES_EVENT_TYPE_NOTIFY_WRITE, targeting .zshrc, .zlogin, .zprofile
macos:endpointsecurity write, rename
macos:osquery file_events
macos:osquery query: Enumeration of root certificates showing unexpected additions
macos:osquery File modifications in ~/Library/Preferences/
macos:osquery Changes to LSFileQuarantineEnabled field in Info.plist
macos:osquery CALCULATE: Mismatch in file integrity of critical macOS applications
macos:osquery Modifications to /var/db/SystemPolicyConfiguration/KextPolicy or kext_policy table
macos:osquery write
macos:unifiedlog File modification in /etc/paths.d or user shell rc files
macos:unifiedlog Modification of ~/Library/LaunchAgents or /Library/LaunchDaemons plist
macos:unifiedlog Anomalous plist modifications or sensitive file overwrites by non-standard processes
macos:unifiedlog loginwindow or desktopservices modified settings or files
macos:unifiedlog SecurityAgentPlugins modification
macos:unifiedlog write: File modifications to *.plist within LaunchAgents, LaunchDaemons, Application Support, or Preferences directories
macos:unifiedlog Modification of backgrounditems.btm or creation of LoginItems subdirectory in .app bundle
macos:unifiedlog Modification of plist with apple.awt.UIElement set to TRUE
macos:unifiedlog replace existing dylibs
macos:unifiedlog Modification of /Library/Security/SecurityAgentPlugins
macos:unifiedlog Modifications to Mail.app plist files controlling message rules
macos:unifiedlog Unexpected creation or modification of stored data files in protected directories
macos:unifiedlog file encrypted
macos:unifiedlog Mach-O binary modified or LC_LOAD_DYLIB segment inserted
macos:unifiedlog Modified application plist or binary replacement in /Applications
macos:unifiedlog File creation or overwrite in common web-hosting folders
macos:unifiedlog write of plist files in /Library/LaunchAgents or /Library/LaunchDaemons
macos:unifiedlog write
macos:unifiedlog Modification of /System/Library/CoreServices/boot.efi
macos:unifiedlog Modification of LaunchAgents or LaunchDaemons plist files
macos:unifiedlog Plist modifications containing virtualization run configurations
macos:unifiedlog binary modified or replaced
macos:unifiedlog Modification of /Library/Preferences/com.apple.loginwindow plist
macos:unifiedlog File write or append to .zshrc, .bash_profile, .zprofile, etc.
macos:unifiedlog write: File modification to com.apple.PowerManagement.plist or related system preference files
macos:unifiedlog create/modify dylib in monitored directories
macos:unifiedlog modification to /var/db/dslocal/nodes/Default/users/
macos:unifiedlog Hidden volume attachment or modification events
macos:unifiedlog Suspicious plist edits for volume mounting behavior
macos:unifiedlog file writes
macos:unifiedlog Modification or replacement of /Library/Application Support/com.apple.TCC/TCC.db or ~/Library/Application Support/com.apple.TCC/TCC.db
macos:unifiedlog rule definitions written to emond rule plists
macos:unifiedlog Terminal/Editor processes modifying web folder
network:runtime checksum or runtime memory verification failures
networkconfig unexpected OS image file upload or modification events
networkdevice:audit SNMP configuration changes, such as enabling read/write access or modifying community strings
networkdevice:config config-change: timezone or ntp server configuration change after a time query command
networkdevice:config Configuration changes to boot variables, startup image paths, or checksum verification failures
networkdevice:config Configuration changes referencing ‘crypto’, ‘key length’, ‘cipher’, or downgrade of encryption settings
networkdevice:config Configuration file modified or replaced on network device
networkdevice:config Configuration change events referencing encryption, TLS/SSL, or IPSec settings
networkdevice:config Configuration changes to startup image paths, boot loader parameters, or debug flags
networkdevice:config Configuration changes referencing cryptographic hardware modules or disabling hardware acceleration
networkdevice:config Configuration changes referencing older image versions or unexpected boot parameters
networkdevice:firmware Unexpected firmware update or image modification affecting crypto modules
networkdevice:syslog config
networkdevice:syslog startup-config
networkdevice:syslog Checksum/hash mismatch between device OS image and baseline known-good version
sysdig:file evt.type=write
WinEventLog:CodeIntegrity EventCode=3033
WinEventLog:Security EventCode=4663, 4670, 4656
WinEventLog:Sysmon EventCode=2
WinEventLog:System Unexpected modification to lsass.exe or cryptdll.dll

Detection Strategy

ID Name Technique Detected
DET0096 Account Manipulation Behavior Chain Detection T1098
DET0151 Behavior-chain, platform-aware detection strategy for T1124 System Time Discovery T1124
DET0537 Behavioral detection for Supply Chain Compromise (package/update tamper → install → first-run) T1195
DET0165 Behavioral Detection of Command History Clearing T1070.003
DET0010 Behavioral Detection of Event Triggered Execution Across Platforms T1546
DET0590 Behavioral Detection of External Website Defacement across Platforms T1491.002
DET0184 Behavioral Detection of Indicator Removal Across Platforms T1070
DET0102 Behavioral Detection of Input Capture Across Platforms T1056
DET0520 Behavioral Detection of Log File Clearing on Linux and macOS T1070.002
DET0266 Behavioral Detection of Mailbox Data and Log Deletion for Anti-Forensics T1070.008
DET0140 Behavioral Detection of Malicious File Deletion T1070.004
DET0127 Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy T1036
DET0049 Behavioral Detection of Network History and Configuration Tampering T1070.007
DET0378 Behavioral Detection of Obfuscated Files or Information T1027
DET0052 Behavioral Detection Strategy for Abuse of Sudo and Sudo Caching T1548.003
DET0131 Behavioral Detection Strategy for Exfiltration Over Alternative Protocol T1048
DET0274 Boot or Logon Autostart Execution Detection Strategy T1547
DET0112 Boot or Logon Initialization Scripts Detection Strategy T1037
DET0085 Credential Dumping from SAM via Registry Dump and Local File Access T1003.002
DET0591 Cross-Platform Behavioral Detection of File Timestomping via Metadata Tampering T1070.006
DET0094 Cross-Platform Behavioral Detection of Scheduled Task/Job Abuse T1053
DET0290 Cross-Platform Detection of Cron Job Abuse for Persistence and Execution T1053.003
DET0333 Cross-Platform Detection of Scheduled Task/Job Abuse via at Utility T1053.002
DET0238 Defacement via File and Web Content Modification Across Platforms T1491
DET0535 Detect Abuse of vSphere Installation Bundles (VIBs) for Persistent Access T1505.006
DET0296 Detect Adversary-in-the-Middle via Network and Configuration Anomalies T1557
DET0336 Detect Compromise of Host Software Binaries T1554
DET0271 Detect Domain Controller Authentication Process Modification (Skeleton Key) T1556.001
DET0022 Detect Forced SMB/WebDAV Authentication via lure files and outbound NTLM T1187
DET0288 Detect Gatekeeper Bypass via Quarantine Flag and Trust Control Manipulation T1553.001
DET0454 Detect Malicious Modification of Pluggable Authentication Modules (PAM) T1556.003
DET0190 Detect MFA Modification or Disabling Across Platforms T1556.006
DET0104 Detect Modification of Authentication Processes Across Platforms T1556
DET0272 Detect Modification of Network Device Authentication via Patched System Images T1556.004
DET0050 Detect Persistence via Malicious Office Add-ins T1137.006
DET0125 Detect persistence via reopened application plist modification (macOS) T1547.007
DET0020 Detect Shell Configuration Modification for Persistence via Event-Triggered Execution T1546.004
DET0225 Detect unauthorized LSASS driver persistence via LSA plugin abuse (Windows) T1547.008
DET0593 Detecting OS Credential Dumping via /proc Filesystem Access on Linux T1003.007
DET0480 Detection of Credential Harvesting via Web Portal Modification T1056.003
DET0758 Detection of Data Destruction T0809
DET0270 Detection of Domain or Tenant Policy Modifications via AD and Identity Provider T1484
DET0305 Detection of Group Policy Modifications via AD Object Changes and File Activity T1484.001
DET0750 Detection of Indicator Removal on Host T0872
DET0377 Detection of Kernel/User-Level Rootkit Behavior Across Platforms T1014
DET0434 Detection of Launch Agent Creation or Modification on macOS T1543.001
DET0437 Detection of LSA Secrets Dumping via Registry and Memory Extraction T1003.004
DET0439 Detection of Malware Relocation via Suspicious File Movement T1070.010
DET0725 Detection of Masquerading T0849
DET0215 Detection of Multi-Platform File Encryption for Impact T1486
DET0586 Detection of NTDS.dit Credential Dumping from Domain Controllers T1003.003
DET0766 Detection of Project File Infection T0873
DET0897 Detection of Selective Exclusion T1679
DET0765 Detection of Service Stop T0881
DET0571 Detection of System Process Creation or Modification Across Platforms T1543
DET0253 Detection of Systemd Service Creation or Modification on Linux T1543.002
DET0471 Detection of Tainted Content Written to Shared Storage T1080
DET0509 Detection of Web Session Cookie Theft via File, Memory, and Network Artifacts T1539
DET0541 Detection Strategy for /proc Memory Injection on Linux T1055.009
DET0237 Detection Strategy for Boot or Logon Initialization Scripts: RC Scripts T1037.004
DET0281 Detection Strategy for Compressed Payload Creation and Execution T1027.015
DET0059 Detection Strategy for Data Manipulation T1565
DET0062 Detection Strategy for Disable or Modify Linux Audit System T1562.012
DET0569 Detection Strategy for Downgrade System Image on Network Devices T1601.002
DET0192 Detection Strategy for Email Hiding Rules T1564.008
DET0214 Detection Strategy for Embedded Payloads T1027.009
DET0555 Detection Strategy for Event Triggered Execution via emond on macOS T1546.014
DET0369 Detection Strategy for Event Triggered Execution via Trap (T1546.005) T1546.005
DET0150 Detection Strategy for File Creation or Modification of Boot Files T1542.003
DET0495 Detection Strategy for Financial Theft T1657
DET0461 Detection Strategy for Hidden File System Abuse T1564.005
DET0353 Detection Strategy for Hidden User Accounts T1564.002
DET0321 Detection Strategy for Hidden Virtual Instance Execution T1564.006
DET0128 Detection Strategy for Hidden Windows T1564.003
DET0218 Detection Strategy for Hijack Execution Flow across OS platforms. T1574
DET0004 Detection Strategy for Hijack Execution Flow using Path Interception by PATH Environment Variable. T1574.007
DET0152 Detection Strategy for Hijack Execution Flow: Dylib Hijacking T1574.004
DET0435 Detection Strategy for Hijack Execution Flow: Dynamic Linker Hijacking T1574.006
DET0450 Detection Strategy for Kernel Modules and Extensions Autostart Execution T1547.006
DET0401 Detection Strategy for Launch Daemon Creation or Modification (macOS) T1543.004
DET0216 Detection Strategy for LC_LOAD_DYLIB Modification in Mach-O Binaries on macOS T1546.006
DET0244 Detection Strategy for Login Hook Persistence on macOS T1037.002
DET0170 Detection Strategy for Modify System Image on Network Devices T1601
DET0469 Detection Strategy for Patch System Image on Network Devices T1601.001
DET0109 Detection Strategy for Plist File Modification (T1647) T1647
DET0324 Detection Strategy for Polymorphic Code Mutation and Execution T1027.014
DET0417 Detection Strategy for Power Settings Abuse T1653
DET0451 Detection Strategy for PowerShell Profile Persistence via profile.ps1 Modification T1546.013
DET0391 Detection Strategy for Runtime Data Manipulation. T1565.003
DET0453 Detection Strategy for SNMP (MIB Dump) on Network Devices T1602.001
DET0126 Detection Strategy for SSH Key Injection in Authorized Keys T1098.004
DET0193 Detection Strategy for Stored Data Manipulation across OS Platforms. T1565.001
DET0019 Detection Strategy for Stripped Payloads Across Platforms T1027.008
DET0442 Detection Strategy for Subvert Trust Controls using SIP and Trust Provider Hijacking. T1553.003
DET0056 Detection Strategy for Subvert Trust Controls via Install Root Certificate. T1553.004
DET0510 Detection Strategy for SVG Smuggling with Script Execution and Delivery Behavior T1027.017
DET0279 Detection Strategy for System Services across OS platforms. T1569
DET0265 Detection Strategy for System Services: Launchctl T1569.001
DET0073 Detection Strategy for System Services: Systemctl T1569.003
DET0583 Detection Strategy for T1136 - Create Account across platforms T1136
DET0166 Detection Strategy for T1505.002 - Transport Agent Abuse (Windows/Linux) T1505.002
DET0068 Detection Strategy for T1505.004 - Malicious IIS Components T1505.004
DET0278 Detection Strategy for T1542 Pre-OS Boot T1542
DET0375 Detection Strategy for T1546.017 - Udev Rules (Linux) T1546.017
DET0180 Detection Strategy for T1547.009 – Shortcut Modification (Windows) T1547.009
DET0121 Detection Strategy for T1547.015 – Login Items on macOS T1547.015
DET0339 Detection Strategy for Weaken Encryption on Network Devices T1600
DET0494 Detection Strategy for Weaken Encryption: Disable Crypto Hardware on Network Devices T1600.002
DET0243 Detection Strategy for Weaken Encryption: Reduce Key Space on Network Devices T1600.001
DET0576 Email Forwarding Rule Abuse Detection Across Platforms T1114.003
DET0287 Exploitation for Client Execution – cross-platform behavior chain (browser/Office/3rd-party apps) T1203
DET0082 Internal Website and System Content Defacement via UI or Messaging Modifications T1491.001
DET0031 Invalid Code Signature Execution Detection via Metadata and Behavioral Context T1036.001
DET0258 Linux Python Startup Hook Persistence via .pth and Customize Files (T1546.018) T1546.018
DET0005 Renamed Legitimate Utility Execution with Metadata Mismatch and Suspicious Path T1036.003
DET0447 T1136.001 Detection Strategy - Local Account Creation Across Platforms T1136.001
DET0534 TCC Database Manipulation via Launchctl and Unprotected SIP T1548.006
DET0351 Unix-like File Permission Manipulation Behavioral Chain Detection Strategy T1222.002
DET0478 User Execution – multi-surface behavior chain (documents/links → helper/unpacker → LOLBIN/child → egress) T1204
DET0394 Web Shell Detection via Server Behavior and File Execution Chains T1505.003