📁 File Access Detections
🔐 Protecting Sensitive Files
File access detection recipes monitor filesystem operations to identify suspicious or unauthorized access patterns that indicate security threats. They track credential theft, configuration tampering, and reconnaissance activity in real time.
🎯 What These Detections Monitor
File access recipes track filesystem interactions, including reads, writes, modifications, and deletions of security-sensitive files:
🔒 Access Control
- Unauthorized access to sensitive files
- Credential file monitoring
- Authentication system access
⚙️ Configuration Changes
- System configuration tampering
- Security policy modifications
- Package manager changes
🔍 Reconnaissance
- Fingerprinting activities
- System enumeration
- Information gathering
🦠 Malicious Activity
- Malware persistence mechanisms
- Binary self-deletion
- Code manipulation
📂 Detection Categories
🔑 Credential and Authentication Files
- Credentials Files Access - Password files, SSH keys, certificates
- PAM Configuration Modification - Authentication module changes
- Sudoers Modification - Sudo configuration changes
- SSH Authentication Keys - SSH authorized keys modifications
- SSL Certificate Access - SSL/TLS certificate access
⚙️ System Configuration
- Capabilities Modification - File capabilities changes
- Core Pattern Access - Core dump pattern monitoring
- System Request (SysRq) Access - SysRq configuration tracking
- Package Repository Config - Package manager configuration changes
- Shell Configuration Modification - Shell initialization file changes
🔍 System Reconnaissance
- CPU Fingerprinting - CPU information enumeration
- Machine Fingerprinting - Hardware enumeration
- Filesystem Fingerprinting - Filesystem structure reconnaissance
- OS Fingerprinting - Operating system enumeration
- OS Network Fingerprinting - Network configuration enumeration
- OS Status Fingerprinting - System status file access
💻 Code and Library Manipulation
- Code Modification Through procfs - Process modification via the proc filesystem
- Global Shared Library Modification - System library changes
- Java Debug Library Load - Java debugging library loading
- Java Instrumentation Library Load - Java agent instrumentation
📊 Process Information Access
- Environment Variables from procfs - Process environment variable reading
- Scheduler Debug Access - Scheduler debugging information access
🚨 Malicious Activities
- Binary Self-Deletion - Programs deleting their own executables
- Cryptocurrency Miner Files - Cryptominer file access
- Authentication Logs Tampering - Unauthorized auth log access
🛡️ Kernel Security
- Unprivileged BPF Configuration - Changes to unprivileged BPF (kernel tracing) settings
🛡️ MITRE ATT&CK Coverage
Credential Access
- T1003 - OS Credential Dumping
- T1552 - Unsecured Credentials
Discovery
- T1082 - System Information Discovery
- T1083 - File and Directory Discovery
Persistence & Privilege Escalation
- T1098 - Account Manipulation
- T1136 - Create Account
- T1547 - Boot or Logon Autostart Execution
Defense Evasion
- T1222 - File and Directory Permissions Modification
- T1574 - Hijack Execution Flow