Skip to content

DS0022 File

A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).1

Item Value
ID DS0022
Platforms Linux, Network, Windows, macOS
Collection Layers Host
Version 1.0
Created 20 October 2021
Last Modified 07 December 2022

Data Components

File Access

Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)

Domain ID Name
enterprise T1087 Account Discovery
enterprise T1087.001 Local Account
enterprise T1119 Automated Collection
ics T0802 Automated Collection
enterprise T1020 Automated Exfiltration
enterprise T1217 Browser Information Discovery
enterprise T1555 Credentials from Password Stores
enterprise T1555.001 Keychain
enterprise T1555.003 Credentials from Web Browsers
enterprise T1555.004 Windows Credential Manager
enterprise T1555.005 Password Managers
enterprise T1005 Data from Local System
ics T0893 Data from Local System
enterprise T1039 Data from Network Shared Drive
enterprise T1025 Data from Removable Media
enterprise T1074 Data Staged
enterprise T1074.001 Local Data Staging
enterprise T1074.002 Remote Data Staging
enterprise T1114 Email Collection
enterprise T1114.001 Local Email Collection
enterprise T1048 Exfiltration Over Alternative Protocol
enterprise T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
enterprise T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
enterprise T1041 Exfiltration Over C2 Channel
enterprise T1011 Exfiltration Over Other Network Medium
enterprise T1011.001 Exfiltration Over Bluetooth
enterprise T1052 Exfiltration Over Physical Medium
enterprise T1052.001 Exfiltration over USB
enterprise T1567 Exfiltration Over Web Service
enterprise T1567.001 Exfiltration to Code Repository
enterprise T1567.002 Exfiltration to Cloud Storage
enterprise T1187 Forced Authentication
enterprise T1003 OS Credential Dumping
enterprise T1003.002 Security Account Manager
enterprise T1003.003 NTDS
enterprise T1003.007 Proc Filesystem
enterprise T1003.008 /etc/passwd and /etc/shadow
enterprise T1018 Remote System Discovery
ics T0846 Remote System Discovery
ics T0888 Remote System Information Discovery
enterprise T1091 Replication Through Removable Media
ics T0847 Replication Through Removable Media
enterprise T1649 Steal or Forge Authentication Certificates
enterprise T1558 Steal or Forge Kerberos Tickets
enterprise T1539 Steal Web Session Cookie
enterprise T1033 System Owner/User Discovery
enterprise T1552 Unsecured Credentials
enterprise T1552.001 Credentials In Files
enterprise T1552.003 Bash History
enterprise T1552.004 Private Keys
enterprise T1552.006 Group Policy Preferences
ics T0863 User Execution

File Creation

Initial construction of a new file (ex: Sysmon EID 11)

Domain ID Name
enterprise T1560 Archive Collected Data
enterprise T1560.001 Archive via Utility
enterprise T1560.002 Archive via Library
enterprise T1560.003 Archive via Custom Method
enterprise T1547 Boot or Logon Autostart Execution
enterprise T1547.006 Kernel Modules and Extensions
enterprise T1547.008 LSASS Driver
enterprise T1547.009 Shortcut Modification
enterprise T1547.010 Port Monitors
enterprise T1547.012 Print Processors
enterprise T1547.013 XDG Autostart Entries
enterprise T1547.015 Login Items
enterprise T1037 Boot or Logon Initialization Scripts
enterprise T1037.002 Login Hook
enterprise T1037.003 Network Logon Script
enterprise T1037.004 RC Scripts
enterprise T1037.005 Startup Items
enterprise T1176 Browser Extensions
enterprise T1554 Compromise Client Software Binary
enterprise T1543 Create or Modify System Process
enterprise T1543.001 Launch Agent
enterprise T1543.002 Systemd Service
enterprise T1543.004 Launch Daemon
enterprise T1486 Data Encrypted for Impact
enterprise T1565 Data Manipulation
enterprise T1565.001 Stored Data Manipulation
enterprise T1565.003 Runtime Data Manipulation
enterprise T1074 Data Staged
enterprise T1074.001 Local Data Staging
enterprise T1074.002 Remote Data Staging
enterprise T1491 Defacement
enterprise T1491.001 Internal Defacement
enterprise T1491.002 External Defacement
enterprise T1189 Drive-by Compromise
ics T0817 Drive-by Compromise
enterprise T1546 Event Triggered Execution
enterprise T1546.002 Screensaver
enterprise T1546.004 Unix Shell Configuration Modification
enterprise T1546.005 Trap
enterprise T1546.008 Accessibility Features
enterprise T1546.013 PowerShell Profile
enterprise T1546.014 Emond
enterprise T1546.016 Installer Packages
enterprise T1187 Forced Authentication
enterprise T1564 Hide Artifacts
enterprise T1564.001 Hidden Files and Directories
enterprise T1564.006 Run Virtual Instance
enterprise T1564.009 Resource Forking
enterprise T1574 Hijack Execution Flow
enterprise T1574.001 DLL Search Order Hijacking
enterprise T1574.002 DLL Side-Loading
enterprise T1574.004 Dylib Hijacking
enterprise T1574.005 Executable Installer File Permissions Weakness
enterprise T1574.006 Dynamic Linker Hijacking
enterprise T1574.007 Path Interception by PATH Environment Variable
enterprise T1574.008 Path Interception by Search Order Hijacking
enterprise T1574.009 Path Interception by Unquoted Path
enterprise T1574.010 Services File Permissions Weakness
enterprise T1105 Ingress Tool Transfer
enterprise T1570 Lateral Tool Transfer
ics T0867 Lateral Tool Transfer
enterprise T1036 Masquerading
enterprise T1036.007 Double File Extension
enterprise T1556 Modify Authentication Process
enterprise T1556.002 Password Filter DLL
enterprise T1556.008 Network Provider DLL
enterprise T1027 Obfuscated Files or Information
enterprise T1027.004 Compile After Delivery
enterprise T1027.006 HTML Smuggling
enterprise T1027.009 Embedded Payloads
enterprise T1137 Office Application Startup
enterprise T1137.001 Office Template Macros
enterprise T1137.002 Office Test
enterprise T1137.006 Add-ins
enterprise T1566 Phishing
enterprise T1566.001 Spearphishing Attachment
enterprise T1091 Replication Through Removable Media
ics T0847 Replication Through Removable Media
enterprise T1496 Resource Hijacking
enterprise T1053 Scheduled Task/Job
enterprise T1053.007 Container Orchestration Job
enterprise T1505 Server Software Component
enterprise T1505.002 Transport Agent
enterprise T1505.003 Web Shell
enterprise T1505.004 IIS Components
ics T0865 Spearphishing Attachment
enterprise T1553 Subvert Trust Controls
enterprise T1553.005 Mark-of-the-Web Bypass
enterprise T1218 System Binary Proxy Execution
enterprise T1218.001 Compiled HTML File
enterprise T1218.002 Control Panel
enterprise T1218.005 Mshta
enterprise T1218.014 MMC
enterprise T1080 Taint Shared Content
enterprise T1204 User Execution
enterprise T1204.001 Malicious Link
enterprise T1204.002 Malicious File

File Deletion

Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules)

Domain ID Name
enterprise T1554 Compromise Client Software Binary
enterprise T1485 Data Destruction
ics T0809 Data Destruction
enterprise T1565 Data Manipulation
enterprise T1565.001 Stored Data Manipulation
enterprise T1565.003 Runtime Data Manipulation
enterprise T1070 Indicator Removal
enterprise T1070.001 Clear Windows Event Logs
enterprise T1070.002 Clear Linux or Mac System Logs
enterprise T1070.003 Clear Command History
enterprise T1070.004 File Deletion
enterprise T1070.008 Clear Mailbox Data
enterprise T1070.009 Clear Persistence
ics T0872 Indicator Removal on Host
enterprise T1490 Inhibit System Recovery

File Metadata

Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc.

Domain ID Name
enterprise T1548 Abuse Elevation Control Mechanism
enterprise T1548.001 Setuid and Setgid
enterprise T1554 Compromise Client Software Binary
enterprise T1565 Data Manipulation
enterprise T1565.003 Runtime Data Manipulation
enterprise T1546 Event Triggered Execution
enterprise T1546.006 LC_LOAD_DYLIB Addition
enterprise T1222 File and Directory Permissions Modification
enterprise T1222.001 Windows File and Directory Permissions Modification
enterprise T1222.002 Linux and Mac File and Directory Permissions Modification
enterprise T1564 Hide Artifacts
enterprise T1564.001 Hidden Files and Directories
enterprise T1564.004 NTFS File Attributes
enterprise T1564.007 VBA Stomping
enterprise T1564.009 Resource Forking
enterprise T1070 Indicator Removal
enterprise T1070.006 Timestomp
ics T0872 Indicator Removal on Host
enterprise T1570 Lateral Tool Transfer
ics T0867 Lateral Tool Transfer
enterprise T1036 Masquerading
enterprise T1036.001 Invalid Code Signature
enterprise T1036.002 Right-to-Left Override
enterprise T1036.003 Rename System Utilities
enterprise T1036.005 Match Legitimate Name or Location
enterprise T1036.006 Space after Filename
enterprise T1036.007 Double File Extension
ics T0849 Masquerading
enterprise T1027 Obfuscated Files or Information
enterprise T1027.001 Binary Padding
enterprise T1027.002 Software Packing
enterprise T1027.003 Steganography
enterprise T1027.004 Compile After Delivery
enterprise T1027.007 Dynamic API Resolution
enterprise T1027.008 Stripped Payloads
enterprise T1027.009 Embedded Payloads
enterprise T1027.010 Command Obfuscation
enterprise T1055 Process Injection
enterprise T1055.013 Process Doppelgänging
enterprise T1553 Subvert Trust Controls
enterprise T1553.001 Gatekeeper Bypass
enterprise T1553.002 Code Signing
enterprise T1553.005 Mark-of-the-Web Bypass
enterprise T1195 Supply Chain Compromise
enterprise T1195.001 Compromise Software Dependencies and Development Tools
enterprise T1195.002 Compromise Software Supply Chain
ics T0862 Supply Chain Compromise
enterprise T1218 System Binary Proxy Execution
enterprise T1218.011 Rundll32

File Modification

Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)

Domain ID Name
enterprise T1548 Abuse Elevation Control Mechanism
enterprise T1548.001 Setuid and Setgid
enterprise T1548.003 Sudo and Sudo Caching
enterprise T1098 Account Manipulation
enterprise T1098.004 SSH Authorized Keys
enterprise T1547 Boot or Logon Autostart Execution
enterprise T1547.001 Registry Run Keys / Startup Folder
enterprise T1547.006 Kernel Modules and Extensions
enterprise T1547.007 Re-opened Applications
enterprise T1547.008 LSASS Driver
enterprise T1547.009 Shortcut Modification
enterprise T1547.013 XDG Autostart Entries
enterprise T1547.015 Login Items
enterprise T1037 Boot or Logon Initialization Scripts
enterprise T1037.002 Login Hook
enterprise T1037.003 Network Logon Script
enterprise T1037.004 RC Scripts
enterprise T1037.005 Startup Items
enterprise T1554 Compromise Client Software Binary
enterprise T1543 Create or Modify System Process
enterprise T1543.001 Launch Agent
enterprise T1543.002 Systemd Service
enterprise T1543.004 Launch Daemon
enterprise T1485 Data Destruction
ics T0809 Data Destruction
enterprise T1486 Data Encrypted for Impact
enterprise T1565 Data Manipulation
enterprise T1565.001 Stored Data Manipulation
enterprise T1565.003 Runtime Data Manipulation
enterprise T1491 Defacement
enterprise T1491.001 Internal Defacement
enterprise T1491.002 External Defacement
enterprise T1140 Deobfuscate/Decode Files or Information
enterprise T1546 Event Triggered Execution
enterprise T1546.002 Screensaver
enterprise T1546.004 Unix Shell Configuration Modification
enterprise T1546.005 Trap
enterprise T1546.006 LC_LOAD_DYLIB Addition
enterprise T1546.008 Accessibility Features
enterprise T1546.011 Application Shimming
enterprise T1546.013 PowerShell Profile
enterprise T1546.014 Emond
enterprise T1187 Forced Authentication
enterprise T1564 Hide Artifacts
enterprise T1564.002 Hidden Users
enterprise T1564.003 Hidden Window
enterprise T1564.004 NTFS File Attributes
enterprise T1564.005 Hidden File System
enterprise T1564.008 Email Hiding Rules
enterprise T1574 Hijack Execution Flow
enterprise T1574.001 DLL Search Order Hijacking
enterprise T1574.002 DLL Side-Loading
enterprise T1574.004 Dylib Hijacking
enterprise T1574.005 Executable Installer File Permissions Weakness
enterprise T1574.006 Dynamic Linker Hijacking
enterprise T1574.008 Path Interception by Search Order Hijacking
enterprise T1574.009 Path Interception by Unquoted Path
enterprise T1574.010 Services File Permissions Weakness
enterprise T1070 Indicator Removal
enterprise T1070.002 Clear Linux or Mac System Logs
enterprise T1070.003 Clear Command History
enterprise T1070.006 Timestomp
enterprise T1070.007 Clear Network Connection History and Configurations
enterprise T1070.008 Clear Mailbox Data
enterprise T1070.009 Clear Persistence
ics T0872 Indicator Removal on Host
enterprise T1056 Input Capture
enterprise T1056.003 Web Portal Capture
enterprise T1036 Masquerading
enterprise T1036.003 Rename System Utilities
enterprise T1036.008 Masquerade File Type
ics T0849 Masquerading
enterprise T1556 Modify Authentication Process
enterprise T1556.001 Domain Controller Authentication
enterprise T1556.003 Pluggable Authentication Modules
enterprise T1556.004 Network Device Authentication
enterprise T1556.007 Hybrid Identity
enterprise T1601 Modify System Image
enterprise T1601.001 Patch System Image
enterprise T1601.002 Downgrade System Image
enterprise T1137 Office Application Startup
enterprise T1137.001 Office Template Macros
enterprise T1137.002 Office Test
enterprise T1137.006 Add-ins
enterprise T1647 Plist File Modification
enterprise T1055 Process Injection
enterprise T1055.009 Proc Memory
ics T0873 Project File Infection
enterprise T1014 Rootkit
enterprise T1053 Scheduled Task/Job
enterprise T1053.002 At
enterprise T1053.003 Cron
enterprise T1053.005 Scheduled Task
enterprise T1053.006 Systemd Timers
enterprise T1505 Server Software Component
enterprise T1505.003 Web Shell
enterprise T1505.004 IIS Components
enterprise T1505.005 Terminal Services DLL
enterprise T1489 Service Stop
ics T0881 Service Stop
enterprise T1553 Subvert Trust Controls
enterprise T1553.001 Gatekeeper Bypass
enterprise T1553.003 SIP and Trust Provider Hijacking
enterprise T1569 System Services
enterprise T1569.001 Launchctl
enterprise T1080 Taint Shared Content
enterprise T1600 Weaken Encryption
enterprise T1600.001 Reduce Key Space
enterprise T1600.002 Disable Crypto Hardware

References

  1. Microsoft. (2018, May 31). File Management (Local File Systems). Retrieved September 28, 2021. 

  2. Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020. 

  3. Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020. 

  4. Apple. (n.d.). Open items automatically when you log in on Mac. Retrieved October 1, 2021. 

  5. hoakley. (2021, September 16). How to run an app or tool at startup. Retrieved October 5, 2021. 

  6. Patrick Wardle. (2018, July 23). Block Blocking Login Items. Retrieved October 1, 2021. 

  7. Stokes, Phil. (2019, June 17). HOW MALWARE PERSISTS ON MACOS. Retrieved September 10, 2019. 

  8. Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved April 8, 2019. 

  9. Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016. 

  10. Patrick Wardle. (2019, September 17). Writing a File Monitor with Apple’s Endpoint Security Framework. Retrieved December 17, 2020. 

  11. Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016. 

  12. Marlin, J. (2013, March 24). Alternate Data Streams in NTFS. Retrieved March 21, 2018. 

  13. Moe, O. (2018, January 14). Putting Data in Alternate Data Streams and How to Execute It. Retrieved June 30, 2018. 

  14. Moe, O. (2018, April 11). Putting Data in Alternate Data Streams and How to Execute It - Part 2. Retrieved June 30, 2018. 

  15. Kessler, G. (2022, December 9). GCK’S FILE SIGNATURES TABLE. Retrieved August 23, 2022. 

  16. Li, V. (2019, October 2). Polyglot Files: a Hacker’s best friend. Retrieved September 27, 2022. 

  17. Apple. (n.d.). Use rules to manage emails you receive in Mail on Mac. Retrieved June 14, 2021. 

  18. Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018. 

  19. Craig Rowland. (2019, July 25). Getting an Attacker IP Address from a Malicious Linux At Job. Retrieved October 15, 2021. 

  20. Microsoft. (2007, November 24). IIS Modules Overview. Retrieved June 17, 2021. 

  21. Hromcová, Z., Cherepanov, A. (2021). Anatomy of Native IIS Malware. Retrieved September 9, 2021. 

  22. Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved December 10, 2021. 

  23. Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. 

  24. Arntz, P. (2016, March 30). The Windows Vault . Retrieved November 23, 2020. 

  25. Chrome Enterprise and Education Help. (n.d.). Use Chrome Browser with Roaming User Profiles. Retrieved March 28, 2023. 

  26. ise. (2019, February 19). Password Managers: Under the Hood of Secrets Management. Retrieved January 22, 2021. 

  27. Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022. 

  28. Syynimaa, N. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved August 3, 2022. 

  29. French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019. 

  30. NSA Cybersecurity Directorate. (n.d.). Mitigating Web Shells. Retrieved July 22, 2021. 

  31. Chris Ross. (2018, October 17). Persistent Credential Theft with Authorization Plugins. Retrieved April 22, 2021. 

  32. French, D., Filar, B.. (2020, March 21). A Chain Is No Stronger Than Its Weakest LNK. Retrieved November 30, 2020. 

  33. hoakley. (2020, October 29). Quarantine and the quarantine flag. Retrieved September 13, 2021. 

  34. Brennan, M. (2022, February 16). Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection. Retrieved August 22, 2022. 

  35. Choi, S. (2015, August 6). Obfuscated API Functions in Modern Packers. Retrieved August 22, 2022. 

  36. Jason (jxb5151). (2021, January 28). findapihash.py. Retrieved August 22, 2022. 

  37. Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved December 20, 2017. 

  38. Liberman, T. & Kogan, E. (2017, December 7). Lost in Transaction: Process Doppelgänging. Retrieved December 20, 2017. 

  39. hasherezade. (2017, December 18). Process Doppelgänging – a new way to impersonate a process. Retrieved December 20, 2017. 

  40. Harrell, C. (2012, December 11). Extracting ZeroAccess from NTFS Extended Attributes. Retrieved June 3, 2016. 

  41. Cole, R., Moore, A., Stark, G., Stancill, B. (2020, February 5). STOMP 2 DIS: Brilliance in the (Visual) Basics. Retrieved September 17, 2020.