File-Modification.md

File metadata and controls

38 lines (20 loc) · 789 Bytes

File Modification Use Cases

Grouped by Detection Method

Aggregate Count

Blacklist Alert

  • Changes to hosts file
  • Changes by an unexpected user to any file under c:\ root
  • Changes by an unexpected user to any file under c:\program files\
  • Changes by an unexpected user to any file under c:\program files (x86)\
  • Changes by an unexpected user to any file under c:\windows\
  • Changes to files in another user's home directory
  • Changes to files in a folder path containing 'inetpub' or 'wwwroot'
  • Changes to c:\windows\system32\drivers\etc\hosts
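The Blacklist Alert rules above as executable detection logic, run over a few constructed file-modification events. This is an added example, not code from the original use-case file; the event schema (`user`, `path`), the set of accounts expected to write to system directories, and the treatment of `c:\users\public` as shared are assumptions.

```python
"""Blacklist file-modification rules from the use-case list above, applied
to constructed sample events. Added example; not code from the original file."""
import ntpath
import re

# Accounts assumed to legitimately write to OS and program directories (assumption).
EXPECTED_SYSTEM_USERS = {"nt authority\\system", "trustedinstaller", "corp\\svc-patching"}
HOSTS_FILE = "c:\\windows\\system32\\drivers\\etc\\hosts"
PROTECTED_ROOTS = {
    "unexpected_user_windows": "c:\\windows\\",
    "unexpected_user_program_files": "c:\\program files\\",
    "unexpected_user_program_files_x86": "c:\\program files (x86)\\",
}
HOME_DIR_RE = re.compile(r"^c:\\users\\([^\\]+)\\")

def check_event(event):
    """Return the names of every blacklist rule a file-modification event matches.
    Event fields (assumed schema): 'user' (DOMAIN\\name) and 'path'."""
    path = ntpath.normpath(event["path"]).lower()   # collapse '..' and '/' variants
    user = event["user"].lower()
    account = user.split("\\")[-1]                  # strip the domain part
    hits = []
    if path == HOSTS_FILE:
        hits.append("hosts_file_change")
    if user not in EXPECTED_SYSTEM_USERS:
        if ntpath.dirname(path) == "c:\\":          # file placed directly in the root
            hits.append("unexpected_user_c_root")
        for rule, root in PROTECTED_ROOTS.items():
            if path.startswith(root):
                hits.append(rule)
    owner = HOME_DIR_RE.match(path)
    if owner and owner.group(1) not in (account, "public"):   # 'public' is shared
        hits.append("other_user_home_dir")
    if "inetpub" in path or "wwwroot" in path:
        hits.append("web_root_change")
    return hits

def scan(events):
    """Return (user, path, hits) for every event that trips at least one rule."""
    return [(e["user"], e["path"], h) for e in events if (h := check_event(e))]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"user": "CORP\\jsmith", "path": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
    {"user": "NT AUTHORITY\\SYSTEM", "path": "C:\\Windows\\Temp\\update.log"},
    {"user": "CORP\\jsmith", "path": "C:\\Users\\mjones\\Documents\\notes.txt"},
    {"user": "CORP\\jsmith", "path": "C:\\inetpub\\wwwroot\\upload.aspx"},
    {"user": "CORP\\jsmith", "path": "C:\\autorun.inf"},
    {"user": "CORP\\jsmith", "path": "C:\\Users\\jsmith\\Desktop\\todo.txt"},
]

if __name__ == "__main__":
    for user, path, hits in scan(SAMPLE_EVENTS):
        print(f"{user:22} {path:50} {', '.join(hits)}")
```

Paths are normalised before matching so that forward-slash and `..` forms of the same location trip the same rule; the expected-user set is the part that has to be tuned per environment.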

Whitelist Alert

Levenshtein Score Alert

Rolling Whitelist Alert

Shannon Entropy Score Alert

Threshold Alert

Log Source Examples

  • Cloud Bucket Logs

Possible False Positives