Type: Detection | Level: informational | Status: test

File and Directory Discovery - Linux

Detects use of system utilities such as "find", "tree", "findmnt", "ls -R", "file" with shell globs and "mlocate" to discover files, directories and mounted network shares on a Linux host.

Author: Daniil Yugoslavskiy, oscd.community, CheraghiMilad
Created: Mon Oct 19
Updated: Sun Dec 01
Rule ID: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72
Product: linux
Log Source
Product: Linux (raw: linux)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (6 selectors)
detection:
    selection_file_with_asterisk:
        Image|endswith: '/file'
        CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
    selection_recursive_ls:
        Image|endswith: '/ls'
        CommandLine|contains: '-R'
    selection_find_execution:
        Image|endswith: '/find'
    selection_tree_execution:
        Image|endswith: '/tree'
    selection_findmnt_execution:
        Image|endswith: '/findmnt'
    selection_locate_execution:
        Image|endswith: '/mlocate'
    condition: 1 of selection_*
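To see how the six selectors above combine under "1 of selection_*", here is an evaluator added as an illustration (it is not part of the Sigma project or of this rule) that applies the rule's field modifiers to a few constructed process-creation events. The event dicts, the SAMPLE_EVENTS data and the helper names are assumptions made for the example; the field names Image and CommandLine are the ones the rule itself uses. It follows the Sigma convention that plain string modifiers such as endswith and contains are case-insensitive unless the cased modifier is present, while re is a case-sensitive regular-expression search.

```python
import re

# Added illustration: a minimal evaluator for the six selectors of Sigma rule
# d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72 as shown on this page. Not part of the
# Sigma project; the event dicts and helper names below are assumptions for the
# example. Field names (Image, CommandLine) are the ones the rule itself uses.

# Each selector is a list of (field, modifier, value) conditions that must ALL match.
SELECTORS = {
    "selection_file_with_asterisk": [
        ("Image", "endswith", "/file"),
        ("CommandLine", "re", r"(.){200,}"),  # 'file */* *' expands to a huge command line
    ],
    "selection_recursive_ls": [
        ("Image", "endswith", "/ls"),
        ("CommandLine", "contains", "-R"),
    ],
    "selection_find_execution": [("Image", "endswith", "/find")],
    "selection_tree_execution": [("Image", "endswith", "/tree")],
    "selection_findmnt_execution": [("Image", "endswith", "/findmnt")],
    "selection_locate_execution": [("Image", "endswith", "/mlocate")],
}


def match_field(value, modifier, pattern):
    """Apply one Sigma modifier. Plain string modifiers are case-insensitive
    per the Sigma spec (this rule uses no 'cased' modifier); 're' is a
    case-sensitive regular-expression search."""
    if value is None:
        return False
    if modifier == "endswith":
        return value.lower().endswith(pattern.lower())
    if modifier == "contains":
        return pattern.lower() in value.lower()
    if modifier == "re":
        return re.search(pattern, value) is not None
    raise ValueError(f"unsupported modifier: {modifier}")


def fired_selectors(event):
    """Return the names of the selectors an event satisfies (all conditions of a selector must hold)."""
    return [
        name
        for name, conditions in SELECTORS.items()
        if all(match_field(event.get(field), mod, pat) for field, mod, pat in conditions)
    ]


def rule_matches(event):
    """condition: 1 of selection_*  -> true when at least one selector fires."""
    return len(fired_selectors(event)) >= 1


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/find", "CommandLine": "find / -name id_rsa 2>/dev/null"},
    {"Image": "/usr/bin/ls", "CommandLine": "ls -R /home"},
    {"Image": "/usr/bin/ls", "CommandLine": "ls -r /home"},  # reverse sort, still matches (case-insensitive contains)
    {"Image": "/usr/bin/ls", "CommandLine": "ls -la /tmp"},  # no selector fires
    {"Image": "/usr/bin/file", "CommandLine": "file " + " ".join(f"/etc/f{i}" for i in range(40))},  # glob expanded
    {"Image": "/usr/bin/file", "CommandLine": "file /etc/passwd"},  # short command line, no match
    {"Image": "/usr/bin/findmnt", "CommandLine": "findmnt -t nfs,cifs"},
    {"Image": "/usr/bin/mlocate", "CommandLine": "locate .bash_history"},
]


def triage(events):
    """Map each event's command line to the selectors it fired, for analyst review."""
    return {e["CommandLine"]: fired_selectors(e) for e in events}


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_EVENTS).items():
        print(f"{'ALERT' if hits else '  -  '} {cmd[:60]:<60} {hits}")
```

Two behaviours of the rule become visible when running this: because contains is case-insensitive, "ls -r" (reverse sort) fires selection_recursive_ls just like "ls -R", and because selection_locate_execution matches only an Image ending in "/mlocate", a process whose binary path ends in "/locate" or "/plocate" does not match at all, so coverage of locate depends on the distribution's binary name.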
False Positives

Legitimate administrative, build and backup activity. "find" in particular is invoked routinely by cron jobs, package maintainer scripts and build tooling, and "ls -R", "tree" and "findmnt" are common interactive commands, which is why the rule is rated informational and is meant for hunting and correlation rather than stand-alone alerting.

Rule Metadata
Rule ID
d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72
Status
test
Level
informational
Type
Detection
Created
Mon Oct 19
Modified
Sun Dec 01
Path
rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml
Raw Tags
attack.discovery, attack.t1083