Adversaries use ordinary Linux utilities such as find, ls -R, tree, findmnt and locate to enumerate files, directories and mounted shares, both to pick targets (keys, configuration, credentials) and to stage data for exfiltration (MITRE ATT&CK T1083). SOC teams should hunt for this behaviour in Azure Sentinel because it is an early-stage reconnaissance signal that usually precedes more damaging activity, even though the individual commands are noisy and the rule below is deliberately rated informational.
Detection Rule
title: File and Directory Discovery - Linux
id: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72
status: test
description: |
    Detects usage of system utilities such as "find", "tree", "findmnt", etc., to discover files, directories and network shares.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
author: Daniil Yugoslavskiy, oscd.community, CheraghiMilad
date: 2020-10-19
modified: 2024-12-01
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection_file_with_asterisk:
        Image|endswith: '/file'
        CommandLine|re: '(.){200,}'    # execution of 'file */* * >> /tmp/output.txt' produces a very long command line
    selection_recursive_ls:
        Image|endswith: '/ls'
        CommandLine|contains: '-R'
    selection_find_execution:
        Image|endswith: '/find'
    selection_tree_execution:
        Image|endswith: '/tree'
    selection_findmnt_execution:
        Image|endswith: '/findmnt'
    selection_locate_execution:
        Image|endswith: '/mlocate'
    condition: 1 of selection_*
falsepositives:
    - Legitimate activities
level: informational
The same logic as a KQL query over the ASIM imProcessCreate parser:

imProcessCreate
| where (TargetProcessName endswith "/file" and TargetProcessCommandLine matches regex "(.){200,}")
    or (TargetProcessName endswith "/ls" and TargetProcessCommandLine contains "-R")
    or TargetProcessName endswith "/find"
    or TargetProcessName endswith "/tree"
    or TargetProcessName endswith "/findmnt"
    or TargetProcessName endswith "/mlocate"

One caveat before deploying it: Sigma string matching is case-insensitive by default, and so are KQL's contains and endswith, so the "-R" check also fires on ls -r and ls -rt (reverse-sorted listings), which are common in interactive sessions. If you only want the recursive flag, use contains_cs in KQL and accept that the query then diverges from the published rule.
Tuning Exclusions
Scenario: System integrity check using find to locate configuration files
Filter/Exclusion: process.name = "find" AND process.args CONTAINS "/etc" AND NOT (process.args CONTAINS "delete" OR process.args CONTAINS "remove")
Scenario: Scheduled backup job using rsync to copy files to a remote server
Filter/Exclusion: process.name = "rsync" AND (process.args CONTAINS "--backup" OR process.args CONTAINS "backup") AND process.args CONTAINS "remote-server" (replace "remote-server" with the actual backup host; rsync itself is not one of the images the rule matches, so this exclusion only has an effect when applied to the parent of a find or ls -R child spawned by the backup job)
Scenario: Admin using ls to inspect directory contents during routine maintenance
Filter/Exclusion: process.name = "ls" AND (process.args CONTAINS "/var/log" OR process.args CONTAINS "/tmp") AND (user.name = "root" OR user.name = "admin") (excluding root wholesale is risky, since post-exploitation activity frequently runs as root; scope it to named admin accounts or a maintenance window where you can)
Scenario: Log rotation using logrotate to manage log files
Filter/Exclusion: process.name = "logrotate" AND process.args CONTAINS "/etc/logrotate.conf" AND NOT (process.args CONTAINS "delete" OR process.args CONTAINS "remove") (as with rsync, logrotate itself does not match the rule; apply this on the parent process of any child the rule flags)
Scenario: Using find to locate and delete temporary files in /tmp
Filter/Exclusion: process.name = "find" AND process.args CONTAINS "/tmp" AND process.args CONTAINS "delete" AND user.name = "root"
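As an added example that is not the rule's own code and not from the Sigma project or Azure Sentinel, the Python below re-implements the six selections of the detection rule and two of the tuning exclusions above (the find-in-/etc integrity check and the root/admin ls maintenance case), then runs them over constructed process-creation events. The field names Image, CommandLine and User are assumed Sigma-style rather than the page's process.* names, and every sample event is made up; one of them (ls -rt) is there to show the case-insensitive "-R" false positive.

```python
import re

# Sigma string matching is case-insensitive unless |cased is used, so Image and
# CommandLine are lower-cased before the endswith/contains tests; the |re
# selection is evaluated as a case-sensitive regex, as Sigma does.
LONG_CMDLINE = re.compile(r"(.){200,}")

# Selections that only test the image suffix (condition: 1 of selection_*).
SUFFIX_ONLY = {
    "selection_find_execution": "/find",
    "selection_tree_execution": "/tree",
    "selection_findmnt_execution": "/findmnt",
    "selection_locate_execution": "/mlocate",
}


def matching_selection(event):
    """Name of the first selection the event satisfies, or None."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    if image.endswith("/file") and LONG_CMDLINE.search(cmdline):
        return "selection_file_with_asterisk"
    # Case-insensitive 'contains': "ls -rt" trips this just like "ls -R".
    if image.endswith("/ls") and "-r" in cmdline.lower():
        return "selection_recursive_ls"
    for name, suffix in SUFFIX_ONLY.items():
        if image.endswith(suffix):
            return name
    return None


def is_excluded(event):
    """Two of the page's tuning exclusions, with the boolean grouping made explicit."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    user = event.get("User", "")
    # Integrity check: find under /etc that neither deletes nor removes.
    if image.endswith("/find") and "/etc" in cmdline and not (
        "delete" in cmdline or "remove" in cmdline
    ):
        return True
    # Routine maintenance: root/admin listing /var/log or /tmp.
    if image.endswith("/ls") and ("/var/log" in cmdline or "/tmp" in cmdline) and user in ("root", "admin"):
        return True
    return False


def hunt(events):
    """(selection, CommandLine) for every event the rule fires on after exclusions."""
    hits = []
    for ev in events:
        sel = matching_selection(ev)
        if sel and not is_excluded(ev):
            hits.append((sel, ev["CommandLine"]))
    return hits


# Constructed sample events (not real telemetry); the 'file' line is built to be
# well over 200 characters, as 'file */* *' would produce.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/find", "CommandLine": 'find / -name "*.pem" -type f', "User": "www-data"},
    {"Image": "/bin/ls", "CommandLine": "ls -R /home", "User": "www-data"},
    {"Image": "/bin/ls", "CommandLine": "ls -rt /var/log", "User": "root"},       # matched, then excluded
    {"Image": "/bin/ls", "CommandLine": "ls -rt /home/bob", "User": "bob"},       # false positive from "-r"
    {"Image": "/usr/bin/file", "CommandLine": "file " + " ".join(f"/etc/{i}.conf" for i in range(25)), "User": "bob"},
    {"Image": "/usr/bin/find", "CommandLine": "find /etc -type f -newer /var/lib/baseline", "User": "root"},  # excluded
    {"Image": "/usr/bin/cat", "CommandLine": "cat /etc/passwd", "User": "bob"},   # not a discovery utility
]

if __name__ == "__main__":
    for sel, cmd in hunt(SAMPLE_EVENTS):
        print(f"{sel:32} {cmd[:60]}")
```

Running it yields four hits out of seven events: the find from www-data, both ls invocations that are not covered by the maintenance exclusion, and the long file command line. The ls -rt /home/bob hit is the false positive the case-insensitivity caveat warns about; the two excluded events show why the grouping parentheses in the filters matter, since NOT CONTAINS "delete" OR "remove" without them would not express the intended logic.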