1+ name : Sigma - Category - file_event
2+ id : f1e2a3b4-5c6d-7e8f-9a0b-1c2d3e4f5a6b
3+ description : |
4+ Generic investigation playbook for file creation, modification, and deletion events.
5+ File events can indicate persistence mechanisms, data staging, malware drops, or legitimate software operations.
6+ type : detection
7+ detection_id : ' '
8+ detection_category : file_event
9+ detection_type : sigma
10+ contributors :
11+ - SecurityOnionSolutions
12+ date : 2025-05-29
13+
14+ questions :
15+ # Thread 1: Legitimacy Assessment (3 questions)
16+ - question : Is the file location and type expected for this process?
17+ context : |
18+ Certain processes should only write to specific directories. Unusual locations often indicate malicious activity.
19+ range : -7d
20+ answer_sources :
21+ - file_event
22+ query : |
23+ aggregation: true
24+ logsource:
25+ category: file_event
26+ detection:
27+ selection:
28+ hostname|expand: '%hostname%'
29+ Image|expand: '%Image%'
30+ condition: selection
31+ fields:
32+ - TargetFilename
33+ - User
34+
35+ - question : What is the historical pattern of file creation by this process?
36+ context : |
37+ Understanding normal file creation patterns helps identify anomalous behavior.
38+ range : -30d
39+ answer_sources :
40+ - file_event
41+ query : |
42+ aggregation: true
43+ logsource:
44+ category: file_event
45+ detection:
46+ selection:
47+ hostname|expand: '%hostname%'
48+ Image|expand: '%Image%'
49+ condition: selection
50+ fields:
51+ - TargetFilename
52+
53+ - question : Is this file creation associated with scheduled maintenance or admin tasks?
54+ context : |
55+ Many file events occur during legitimate maintenance windows or administrative activities.
56+ range : -24h
57+ answer_sources :
58+ - file_event
59+ query : |
60+ aggregation: true
61+ logsource:
62+ category: file_event
63+ detection:
64+ selection:
65+ hostname|expand: '%hostname%'
66+ User|expand: '%User%'
67+ condition: selection
68+ fields:
69+ - Image
70+ - TargetFilename
71+
72+ # Thread 2: Activity Context (4 questions)
73+ - question : What triggered this file creation event?
74+ context : |
75+ Understanding the parent process and command line provides crucial context.
76+ answer_sources :
77+ - alert
78+ query : |
79+ aggregation: false
80+ logsource:
81+ category: alert
82+ detection:
83+ selection:
84+ document_id|expand: '%document_id%'
85+ condition: selection
86+ fields:
87+ - Image
88+ - CommandLine
89+ - ParentImage
90+ - ParentCommandLine
91+ - User
92+ - TargetFilename
93+
94+ - question : What other files were created by this process in the same timeframe?
95+ context : |
96+ Multiple file creations can reveal patterns like data staging, malware installation, or batch operations.
97+ range : +/-5m
98+ answer_sources :
99+ - file_event
100+ query : |
101+ aggregation: false
102+ logsource:
103+ category: file_event
104+ detection:
105+ selection:
106+ hostname|expand: '%hostname%'
107+ ProcessGuid|expand: '%ProcessGuid%'
108+ condition: selection
109+ fields:
110+ - TargetFilename
111+ - User
112+
113+ - question : Were any processes spawned from the created file location?
114+ context : |
115+ Execution from newly created files often indicates malware drops or persistence mechanisms.
116+ range : +15m
117+ answer_sources :
118+ - process_creation
119+ query : |
120+ aggregation: false
121+ logsource:
122+ category: process_creation
123+ detection:
124+ selection:
125+ hostname|expand: '%hostname%'
126+ Image|startswith|expand: '%TargetFilename|dirname%'
127+ condition: selection
128+ fields:
129+ - Image
130+ - CommandLine
131+ - User
132+ - ParentImage
133+
134+ - question : What was the complete process chain leading to this file event?
135+ context : |
136+ Tracing back through parent processes reveals the full execution chain.
137+ range : -10m
138+ answer_sources :
139+ - process_creation
140+ query : |
141+ aggregation: false
142+ logsource:
143+ category: process_creation
144+ detection:
145+ selection:
146+ hostname|expand: '%hostname%'
147+ ProcessGuid|expand: '%ParentProcessGuid%'
148+ condition: selection
149+ fields:
150+ - Image
151+ - CommandLine
152+ - User
153+ - ProcessGuid
154+
155+ # Thread 3: Impact Assessment (3 questions)
156+ - question : Are other hosts showing similar file creation patterns?
157+ context : |
158+ Widespread file creation across multiple systems may indicate deployment, malware spread, or policy changes.
159+ range : +/-30m
160+ answer_sources :
161+ - file_event
162+ query : |
163+ aggregation: true
164+ logsource:
165+ category: file_event
166+ detection:
167+ selection:
168+ TargetFilename|endswith|expand: '%TargetFilename|basename%'
169+ filter:
170+ hostname|expand: '%hostname%'
171+ condition: selection and not filter
172+ fields:
173+ - hostname
174+ - Image
175+ - TargetFilename
176+
177+ - question : What file extensions and locations are being targeted?
178+ context : |
179+ File extensions and paths reveal intent - executables suggest malware, documents suggest data theft.
180+ range : +/-10m
181+ answer_sources :
182+ - file_event
183+ query : |
184+ aggregation: true
185+ logsource:
186+ category: file_event
187+ detection:
188+ selection:
189+ hostname|expand: '%hostname%'
190+ User|expand: '%User%'
191+ condition: selection
192+ fields:
193+ - TargetFilename
194+
195+ - question : Were any sensitive directories accessed?
196+ context : |
197+ File creation in system directories, credential stores, or data repositories indicates higher risk.
198+ range : +/-30m
199+ answer_sources :
200+ - file_event
201+ query : |
202+ aggregation: false
203+ logsource:
204+ category: file_event
205+ detection:
206+ selection_host:
207+ hostname|expand: '%hostname%'
208+ selection_paths:
209+ TargetFilename|contains:
210+ - '\System32\'
211+ - '\SysWOW64\'
212+ - '\Program Files\'
213+ - '\ProgramData\'
214+ - '\Users\Public\'
215+ - '/etc/'
216+ - '/var/'
217+ - '/tmp/'
218+ condition: all of selection_*
219+ fields:
220+ - Image
221+ - TargetFilename
222+ - User
223+
224+ # Thread 4: Investigative Deep-Dive (3 questions)
225+ - question : Are there any persistence mechanisms being established?
226+ context : |
227+ File creation in startup folders, scheduled tasks, or service directories indicates persistence attempts.
228+ range : +/-30m
229+ answer_sources :
230+ - file_event
231+ query : |
232+ aggregation: false
233+ logsource:
234+ category: file_event
235+ detection:
236+ selection_host:
237+ hostname|expand: '%hostname%'
238+ selection_persistence:
239+ TargetFilename|contains:
240+ - '\Startup\'
241+ - '\Start Menu\'
242+ - '\CurrentVersion\Run'
243+ - '\Services\'
244+ - '\Tasks\'
245+ - '/etc/cron'
246+ - '/etc/systemd'
247+ - '.bashrc'
248+ - '.profile'
249+ condition: all of selection_*
250+ fields:
251+ - Image
252+ - TargetFilename
253+ - User
254+
255+ - question : Were any anti-forensics techniques observed?
256+ context : |
257+ File creation followed by deletion, hidden files, or alternate data streams suggest evasion attempts.
258+ range : +/-15m
259+ answer_sources :
260+ - file_event
261+ query : |
262+ aggregation: false
263+ logsource:
264+ category: file_event
265+ detection:
266+ selection_host:
267+ hostname|expand: '%hostname%'
268+ ProcessGuid|expand: '%ProcessGuid%'
269+ selection_suspicious:
270+ TargetFilename|contains:
271+ - ':Zone.Identifier'
272+ - '$Recycle.Bin'
273+ - 'desktop.ini'
274+ - 'Thumbs.db'
275+ condition: all of selection_*
276+ fields:
277+ - TargetFilename
278+ - Image
279+
280+ - question : What file hashes were associated with created executables?
281+ context : |
282+ File hashes allow reputation checking and cross-reference with threat intelligence.
283+ range : +/-5m
284+ answer_sources :
285+ - file_event
286+ query : |
287+ aggregation: false
288+ logsource:
289+ category: file_event
290+ detection:
291+ selection_host:
292+ hostname|expand: '%hostname%'
293+ selection_executable:
294+ TargetFilename|endswith:
295+ - '.exe'
296+ - '.dll'
297+ - '.scr'
298+ - '.com'
299+ - '.bat'
300+ - '.ps1'
301+ - '.vbs'
302+ - '.js'
303+ - '.elf'
304+ - '.so'
305+ - '.sh'
306+ condition: all of selection_*
307+ fields:
308+ - TargetFilename
309+ - Image
310+ - User
311+
312+ # Thread 5: Enterprise Context (2 questions)
313+ - question : Have similar file events been seen historically?
314+ context : |
315+ Historical patterns help distinguish between new threats and recurring legitimate activity.
316+ range : -90d
317+ answer_sources :
318+ - file_event
319+ query : |
320+ aggregation: true
321+ logsource:
322+ category: file_event
323+ detection:
324+ selection:
325+ TargetFilename|contains|expand: '%TargetFilename|basename%'
326+ condition: selection
327+ fields:
328+ - hostname
329+ - Image
330+ - TargetFilename
331+
332+ - question : Are there related alerts for file-based attacks?
333+ context : |
334+ Other file-related alerts may provide additional context about ongoing campaigns.
335+ range : -24h
336+ answer_sources :
337+ - alert
338+ query : |
339+ aggregation: true
340+ logsource:
341+ category: alert
342+ detection:
343+ selection_host:
344+ hostname|expand: '%hostname%'
345+ selection_file_alerts:
346+ rule.name|contains:
347+ - 'file'
348+ - 'persistence'
349+ - 'drop'
350+ - 'stage'
351+ - 'exfil'
352+ condition: all of selection_*
353+ fields:
354+ - rule.name
355+ - rule.level
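Review bot: the anti-forensics query (selection_suspicious, lines 269-274) does not check what its context describes. The context says "file creation followed by deletion, hidden files, or alternate data streams", but the selection only matches `:Zone.Identifier`, `$Recycle.Bin`, `desktop.ini` and `Thumbs.db`, none of which tests for deletion or hidden attributes; `:Zone.Identifier` is the mark-of-the-web stream written on ordinary browser downloads and `desktop.ini`/`Thumbs.db` are routine shell artifacts, so this query will mostly surface benign activity. Consider matching the file delete events for the same ProcessGuid (the pattern the context names) and stating in `context` why each remaining path pattern is there. Two further points: the process-chain question (line 147) expands `%ParentProcessGuid%`, but file_event records such as Sysmon Event ID 11 carry ProcessGuid and not ParentProcessGuid, so the placeholder is likely empty and the query returns nothing; either document which sources populate it or pivot first to the process_creation record for `%ProcessGuid%` and read the parent from there. Finally, `detection_id : ' '` (line 7) is a blank placeholder that should be filled in or documented as intentional, and the `%TargetFilename|dirname%` and `%TargetFilename|basename%` expansions (lines 126, 168, 325) deserve a comment confirming that the expand helper supports those modifiers, since the questions depend on them.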