Files
  • 10 Dec 2023

FILE_CREATE

Generated when a file is created. FILE_PATH is the full path of the new file and TIMESTAMP is the event time in milliseconds since the Unix epoch, as in every file event on this page.

{
  "FILE_PATH": "C:\\Users\\dev\\AppData\\Local\\Microsoft\\Windows\\WebCache\\V01tmp.log",
  "TIMESTAMP": 1468335271948
}

FILE_DELETE

Generated when a file is deleted.

{
  "FILE_PATH": "C:\\Users\\dev\\AppData\\Local\\Temp\\EBA4E4F0-3020-459E-9E34-D5336E244F05\\api-ms-win-core-processthreads-l1-1-2.dll",
  "TIMESTAMP": 1468335611906
}

FILE_TYPE_ACCESSED

Generated when a process that has not previously been seen interacting with a given class of file type (for example .doc) is observed doing so. Use it as an indicator of an unknown process reading files it should not have access to (exfiltration) or of ransomware rewriting documents.

RULE_NAME is the class of file extension involved. The mapping between rule ID and extensions is:

  • Rule 1: .doc, .docm, .docx
  • Rule 2: .xlt, .xlsm, .xlsx
  • Rule 3: .ppt, .pptm, .pptx, .ppts
  • Rule 4: .pdf
  • Rule 5: .rtf
  • Rule 50: .zip
  • Rule 51: .rar
  • Rule 64: .locky, .aesir

{
  "PROCESS_ID": 2048,
  "RULE_NAME": 3,
  "FILE_PATH": "C:\\Users\\dev\\Desktop\\importantnews.doc"
}

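
As an added example (not LimaCharlie's code or this page's), the following Python encodes the rule table above and triages a batch of FILE_TYPE_ACCESSED events: it checks that the reported RULE_NAME agrees with the documented extension table, flags any hit on the ransomware class (rule 64), and flags a process that touches several distinct document classes. The sample events, the three-class threshold and the alert dictionary shapes are constructed assumptions for the example.

```python
import json
import ntpath
from collections import defaultdict

# RULE_NAME -> extension classes, as documented on this page.
FILE_TYPE_RULES = {
    1: {".doc", ".docm", ".docx"},
    2: {".xlt", ".xlsm", ".xlsx"},
    3: {".ppt", ".pptm", ".pptx", ".ppts"},
    4: {".pdf"},
    5: {".rtf"},
    50: {".zip"},
    51: {".rar"},
    64: {".locky", ".aesir"},
}
RANSOMWARE_RULE = 64

# Assumption for this example: one process touching this many distinct
# document classes is worth an alert. Tune to your environment.
MASS_ACCESS_CLASSES = 3

# Constructed sample events in the FILE_TYPE_ACCESSED shape shown above.
SAMPLE_EVENTS = [
    r'{"PROCESS_ID": 2048, "RULE_NAME": 1, "FILE_PATH": "C:\\Users\\dev\\Desktop\\q3.docx"}',
    r'{"PROCESS_ID": 2048, "RULE_NAME": 2, "FILE_PATH": "C:\\Users\\dev\\Desktop\\budget.xlsx"}',
    r'{"PROCESS_ID": 2048, "RULE_NAME": 4, "FILE_PATH": "C:\\Users\\dev\\Desktop\\contract.pdf"}',
    r'{"PROCESS_ID": 4100, "RULE_NAME": 64, "FILE_PATH": "C:\\Users\\dev\\Desktop\\q3.docx.locky"}',
    r'{"PROCESS_ID": 900, "RULE_NAME": 3, "FILE_PATH": "C:\\Users\\dev\\Desktop\\notes.rtf"}',
    r'{"PROCESS_ID": 1200, "RULE_NAME": 4, "FILE_PATH": "C:\\Users\\dev\\Downloads\\manual.pdf"}',
]


def rule_for_path(path):
    """Return the documented rule ID for the path's extension, or None if unlisted."""
    ext = ntpath.splitext(path)[1].lower()  # ntpath handles Windows separators on any host
    for rule, extensions in FILE_TYPE_RULES.items():
        if ext in extensions:
            return rule
    return None


def load_events(raw_events):
    """Parse a list of JSON event strings into dicts."""
    return [json.loads(raw) for raw in raw_events]


def triage_file_type_events(events):
    """Return a list of alert dicts for a batch of FILE_TYPE_ACCESSED events.

    Checks: a hit on the ransomware class (rule 64); the sensor's RULE_NAME
    disagreeing with the documented extension table (the table or the sensor
    build is out of date); and one process touching many distinct document
    classes, as ransomware or a bulk exfiltration tool would.
    """
    alerts = []
    classes_by_pid = defaultdict(set)
    for ev in events:
        pid, rule, path = ev["PROCESS_ID"], ev["RULE_NAME"], ev["FILE_PATH"]
        expected = rule_for_path(path)
        if rule == RANSOMWARE_RULE:
            alerts.append({"pid": pid, "reason": "ransomware extension", "path": path})
        elif expected is not None and expected != rule:
            alerts.append({"pid": pid, "reason": "rule/extension mismatch",
                           "path": path, "rule": rule, "expected": expected})
        classes_by_pid[pid].add(rule)
    for pid, classes in classes_by_pid.items():
        if len(classes) >= MASS_ACCESS_CLASSES:
            alerts.append({"pid": pid, "reason": "touches many document classes",
                           "classes": sorted(classes)})
    return alerts


if __name__ == "__main__":
    for alert in triage_file_type_events(load_events(SAMPLE_EVENTS)):
        print(alert)
```

The mass-access check works on classes rather than raw file counts so that a process legitimately opening fifty spreadsheets does not trip it, while a process that walks Word, Excel and PDF files in one batch does.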

FILE_MODIFIED

Generated when a file is modified.

{
  "FILE_PATH": "C:\\Users\\dev\\AppData\\Local\\Microsoft\\Windows\\WebCache\\V01.log",
  "TIMESTAMP": 1468335272949
}
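
The create, modify and delete events carry no process context, but the path and the millisecond TIMESTAMP are enough to correlate them. As an added example, not code from this page or from LimaCharlie, the following Python folds a stream of the three event types into one lifecycle record per path and flags files that were created and deleted within a minute, the drop-run-delete pattern that a DLL in a GUID-named Temp directory like the FILE_DELETE sample above would produce. The "event_type" wrapper, the sample stream and the one-minute threshold are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Assumption for this example: a file that exists for under a minute between
# FILE_CREATE and FILE_DELETE is "short-lived".
SHORT_LIVED_MS = 60_000

# Constructed sample stream. Each body follows this page's FILE_CREATE /
# FILE_MODIFIED / FILE_DELETE shape; the "event_type" wrapper is an assumption
# used to tag which event type a body came from.
SAMPLE_STREAM = [
    {"event_type": "FILE_CREATE",
     "event": {"FILE_PATH": r"C:\Users\dev\AppData\Local\Microsoft\Windows\WebCache\V01tmp.log",
               "TIMESTAMP": 1468335271948}},
    {"event_type": "FILE_MODIFIED",
     "event": {"FILE_PATH": r"C:\Users\dev\AppData\Local\Microsoft\Windows\WebCache\V01tmp.log",
               "TIMESTAMP": 1468335272949}},
    {"event_type": "FILE_CREATE",
     "event": {"FILE_PATH": r"C:\Users\dev\AppData\Local\Temp\EBA4E4F0-3020-459E-9E34-D5336E244F05\loader.dll",
               "TIMESTAMP": 1468335600000}},
    {"event_type": "FILE_DELETE",
     "event": {"FILE_PATH": r"C:\Users\dev\AppData\Local\Temp\EBA4E4F0-3020-459E-9E34-D5336E244F05\loader.dll",
               "TIMESTAMP": 1468335611906}},
    # Delete with no create in the window: the file pre-dates collection.
    {"event_type": "FILE_DELETE",
     "event": {"FILE_PATH": r"C:\Users\dev\Downloads\old.iso", "TIMESTAMP": 1468335700000}},
]


def ts_to_iso(ts_ms):
    """Render a millisecond epoch TIMESTAMP as ISO-8601 UTC without float rounding."""
    base = datetime.fromtimestamp(ts_ms // 1000, tz=timezone.utc)
    return (base + timedelta(milliseconds=ts_ms % 1000)).isoformat(timespec="milliseconds")


def file_lifecycles(stream):
    """Fold create/modify/delete events into one record per path."""
    lifecycles = {}
    for record in stream:
        body = record["event"]
        entry = lifecycles.setdefault(body["FILE_PATH"],
                                      {"created": None, "modified": 0, "deleted": None})
        kind = record["event_type"]
        if kind == "FILE_CREATE":
            entry["created"] = body["TIMESTAMP"]
        elif kind == "FILE_MODIFIED":
            entry["modified"] += 1
        elif kind == "FILE_DELETE":
            entry["deleted"] = body["TIMESTAMP"]
    return lifecycles


def short_lived_files(lifecycles, max_age_ms=SHORT_LIVED_MS):
    """Paths seen both created and deleted within max_age_ms, with lifetime in ms."""
    found = []
    for path, entry in lifecycles.items():
        if entry["created"] is None or entry["deleted"] is None:
            continue
        age = entry["deleted"] - entry["created"]
        if 0 <= age <= max_age_ms:
            found.append((path, age))
    return found


if __name__ == "__main__":
    for path, age in short_lived_files(file_lifecycles(SAMPLE_STREAM)):
        print(f"{path} lived {age} ms")
```

A delete with no matching create (the old.iso record) is deliberately ignored rather than treated as age zero; only a path whose whole lifetime fell inside the collected window is reported.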

NEW_DOCUMENT

Generated when a file is created whose path matches the list of locations and extensions below. The sensor caches the file contents in memory, and the cached copy can be retrieved with the doc_cache_get task. HASH is the SHA-256 of the file contents as a 64-character hex string; the sample below carries the SHA-256 of empty input, so the file had no content at the time it was hashed.

The following extensions and path fragments are considered "documents":

  • .bat
  • .js
  • .ps1
  • .sh
  • .py
  • .exe
  • .scr
  • .pdf
  • .doc
  • .docm
  • .docx
  • .ppt
  • .pptm
  • .pptx
  • .xlt
  • .xlsm
  • .xlsx
  • .vbs
  • .rtf
  • .hta
  • .lnk
  • .xsl
  • .com
  • .png
  • .jpg
  • .asp
  • .aspx
  • .php
  • \windows\system32\

{
  "FILE_PATH": "C:\\Users\\dev\\Desktop\\evil.exe",
  "TIMESTAMP": 1468335816308,
  "HASH": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
}
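
As an added example, not the page's or LimaCharlie's own code, the following Python encodes the document patterns above (the extensions plus the \windows\system32\ path fragment), classifies a NEW_DOCUMENT event, recognizes the SHA-256 of empty input, and, once the cached file has been fetched with doc_cache_get (not called here; the retrieved bytes are constructed), verifies that the bytes hash to the event's HASH. The helper names, the constructed event and the sample bytes are assumptions for the example.

```python
import hashlib
import ntpath

# Extensions and path fragments this page lists as "documents".
DOCUMENT_EXTENSIONS = {
    ".bat", ".js", ".ps1", ".sh", ".py", ".exe", ".scr", ".pdf", ".doc", ".docm",
    ".docx", ".ppt", ".pptm", ".pptx", ".xlt", ".xlsm", ".xlsx", ".vbs", ".rtf",
    ".hta", ".lnk", ".xsl", ".com", ".png", ".jpg", ".asp", ".aspx", ".php",
}
DOCUMENT_PATH_FRAGMENTS = ("\\windows\\system32\\",)

# SHA-256 of zero bytes; a NEW_DOCUMENT carrying this HASH was empty when hashed.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

# The sample event from this page.
PAGE_SAMPLE_EVENT = {
    "FILE_PATH": r"C:\Users\dev\Desktop\evil.exe",
    "TIMESTAMP": 1468335816308,
    "HASH": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

# Constructed: bytes standing in for what doc_cache_get would return, and an
# event whose HASH was computed over them.
RETRIEVED = b"MZ\x90\x00" + b"constructed sample body, not a real binary"
CONSTRUCTED_EVENT = {
    "FILE_PATH": r"C:\Users\dev\Desktop\dropper.exe",
    "TIMESTAMP": 1468335900000,
    "HASH": hashlib.sha256(RETRIEVED).hexdigest(),
}


def is_document(path):
    """True if the path matches the documented extension list or a path fragment."""
    lowered = path.lower()
    if any(fragment in lowered for fragment in DOCUMENT_PATH_FRAGMENTS):
        return True
    return ntpath.splitext(lowered)[1] in DOCUMENT_EXTENSIONS


def triage_new_document(event, retrieved=None):
    """Classify a NEW_DOCUMENT event and, if the cached bytes were fetched,
    confirm they hash to the HASH the event reported."""
    verdict = {
        "path": event["FILE_PATH"],
        "matches_pattern": is_document(event["FILE_PATH"]),
        "empty_file": event["HASH"] == EMPTY_SHA256,
        "hash_verified": None,  # unknown until the cached copy is retrieved
    }
    if retrieved is not None:
        verdict["hash_verified"] = hashlib.sha256(retrieved).hexdigest() == event["HASH"]
    return verdict


if __name__ == "__main__":
    print(triage_new_document(PAGE_SAMPLE_EVENT))
    print(triage_new_document(CONSTRUCTED_EVENT, RETRIEVED))
```

Checking the retrieved bytes against the event's HASH matters because the cache holds the content as it was at creation time; a mismatch after retrieval means the file was rewritten (or the cache entry replaced) between the NEW_DOCUMENT event and the fetch, and the sample you are analysing is not the one the event described.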
