Adversaries may use the find command on Linux systems to discover and locate sensitive files or directories, which can indicate reconnaissance or persistence activity. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify early-stage compromise before it progresses to lateral movement or data exfiltration.
Detection Rule
title: Potential Discovery Activity Using Find - Linux
id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf
related:
    - id: 85de3a19-b675-4a51-bfc6-b11a5186c971
      type: similar
status: test
description: Detects usage of "find" binary in a suspicious manner to perform discovery
references:
    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/find'
        CommandLine|contains:
            - '-perm -4000'
            - '-perm -2000'
            - '-perm 0777'
            - '-perm -222'
            - '-perm -o w'
            - '-perm -o x'
            - '-perm -u=s'
            - '-perm -g=s'
    condition: selection
falsepositives:
    - Unknown
level: medium
Azure Sentinel Query (KQL, ASIM imProcessCreate schema)
imProcessCreate
| where TargetProcessName endswith "/find"
| where TargetProcessCommandLine contains "-perm -4000"
    or TargetProcessCommandLine contains "-perm -2000"
    or TargetProcessCommandLine contains "-perm 0777"
    or TargetProcessCommandLine contains "-perm -222"
    or TargetProcessCommandLine contains "-perm -o w"
    or TargetProcessCommandLine contains "-perm -o x"
    or TargetProcessCommandLine contains "-perm -u=s"
    or TargetProcessCommandLine contains "-perm -g=s"
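The following is an added example, not code from the Sigma rule, the Sentinel query, or the rule author. It applies the rule's selection logic (Image ending in /find and CommandLine containing one of the -perm strings) to constructed process-creation events, and then applies exclusions modelled on two of the false-positive scenarios described further down (a file-integrity check run from the security team's tool directory, and a cron backup job in a known backup directory). The fields ParentImage, User and CurrentDirectory, the directory paths, and all sample events are assumptions; the rule itself uses only Image and CommandLine.

```python
# Added example, not part of the Sigma rule or the Sentinel query on this page.
# Applies the rule's selection to constructed process-creation events, then
# applies exclusions modelled on the page's tuning scenarios. parent_image,
# user and current_directory are assumed fields; the rule only uses Image and
# CommandLine. All paths and events below are constructed, not real telemetry.
from dataclasses import dataclass
from typing import List

# Substrings copied verbatim from the rule's CommandLine|contains list.
PERM_PATTERNS = [
    "-perm -4000", "-perm -2000", "-perm 0777", "-perm -222",
    "-perm -o w", "-perm -o x", "-perm -u=s", "-perm -g=s",
]

# Allowlisted locations taken from the page's scenarios (constructed paths).
KNOWN_TOOL_DIRS = ("/opt/siem_tools/",)   # security team integrity checks
BACKUP_DIRS = ("/backup/",)               # scheduled backup jobs


@dataclass
class ProcessEvent:
    image: str                      # Sigma field: Image
    command_line: str               # Sigma field: CommandLine
    user: str = ""                  # assumed field
    parent_image: str = ""          # assumed field
    current_directory: str = ""     # assumed field


def matches_rule(ev: ProcessEvent) -> bool:
    """The rule's selection. Sigma string modifiers are case-insensitive by
    default, and 'contains' is a literal substring test, so a spelling that is
    not in the list (e.g. '-perm /4000') does not match."""
    if not ev.image.lower().endswith("/find"):
        return False
    cmd = ev.command_line.lower()
    return any(p in cmd for p in PERM_PATTERNS)


def is_excluded(ev: ProcessEvent) -> bool:
    """Tuning modelled on two page scenarios: an integrity check launched from
    the security team's tool directory, and a cron backup job in a backup dir."""
    cmd = ev.command_line
    if ev.parent_image.startswith(KNOWN_TOOL_DIRS) and "-mtime -1" in cmd:
        return True
    if (ev.parent_image.endswith("/cron")
            and ev.current_directory.startswith(BACKUP_DIRS)
            and "-mtime +" in cmd):
        return True
    return False


def triage(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Events that fire the rule and are not explained by an exclusion."""
    return [ev for ev in events if matches_rule(ev) and not is_excluded(ev)]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/find", "find / -perm -4000 -type f 2>/dev/null",
                 user="www-data", parent_image="/bin/sh"),
    ProcessEvent("/usr/bin/find", "find /var/log -name '*.log.gz' -mtime +7",
                 user="ops", parent_image="/bin/bash"),
    ProcessEvent("/usr/bin/find", "find / -mtime -1 -perm -4000 -type f",
                 user="secops", parent_image="/opt/siem_tools/fim"),
    ProcessEvent("/usr/bin/find", "find /home/alice -mtime +30 -perm -222",
                 user="alice", parent_image="/usr/sbin/cron",
                 current_directory="/backup/home"),
    ProcessEvent("/usr/bin/findmnt", "findmnt -perm -4000", user="root"),
    ProcessEvent("/usr/bin/find", "find / -perm /4000", user="www-data"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.command_line!r:48} match={matches_rule(ev)} "
              f"excluded={is_excluded(ev)}")
    print("alerts:", [ev.user for ev in triage(SAMPLE_EVENTS)])
```

Run as a script, only the first event (a shell-spawned setuid search by an unprivileged service account) survives triage: the log-file search never matches because it carries no -perm argument, the integrity check and the backup job match but are explained by the exclusions, findmnt does not satisfy the endswith test, and the last event shows that the rule's literal substring list does not cover every spelling find accepts, so the list should be extended if your own telemetry shows variants. Keying the exclusions on the launching process and working directory, as the scenarios suggest, is narrower than excluding whole user groups.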
False Positive Scenarios and Tuning
Scenario: System Administrator Performing Routine Log Analysis
Description: An admin is using find to search for log files in /var/log to troubleshoot an application issue.
Filter/Exclusion: Check for find commands executed in /var/log with -name matching log file patterns (e.g., *.log, *.log.gz). Exclude users with admin privileges or those in the sudo group.
Scenario: Scheduled Job for Backup Purposes
Description: A cron job is configured to use find to locate and archive old files in a user home directory.
Filter/Exclusion: Filter commands that include -mtime +30 or similar time-based flags, and check for execution in a known backup directory (e.g., /backup).
Scenario: Security Team Performing File Integrity Check
Description: The security team is using find to locate all files modified in the last 24 hours to check for potential tampering.
Filter/Exclusion: Exclude find commands that include -mtime -1 and are executed by the security team or from a known SIEM tool directory (e.g., /opt/siem_tools).
Scenario: Developer Searching for Source Code Files
Description: A developer is using find to locate all .c and .h files in a project directory for code review.
Filter/Exclusion: Filter for -name "*.c" or -name "*.h" and check if the command is executed within a known development directory (e.g., /home/dev/project).
Scenario: System Update or Patching Process
Description: A package manager or update script is using find to locate and remove old configuration files during a system upgrade.
Filter/Exclusion: Exclude find commands