Overview
Suspicious File Access Patterns Assessment
🎯 Scenario Objective
The objective of this scenario is to simulate abnormal and potentially malicious file access behavior in order to validate the ability of security controls (EDR, SIEM, UEBA, DLP) to:
Detect unusual volume, frequency, or sequence of file access
Identify non-standard processes accessing sensitive files
Correlate file access activity with user, process, and context
Detect early-stage attacker behaviors such as data discovery, collection, or staging
This scenario focuses on behavioral patterns, not on malware execution.
🧠 Threat Context
Adversaries commonly access large numbers of files after gaining initial access in order to:
Discover sensitive information (documents, credentials, configs)
Prepare for data exfiltration
Assess which data would cause the most impact if encrypted (ransomware targeting)
Identify intellectual property or financial data
Such activity often results in file access patterns that differ significantly from normal user behavior.
🧪 Scenario Description (Execution Flow)
Step 1 – File System Discovery
A process enumerates directories and files across multiple locations (user profile, shared folders, system paths) using automated techniques such as recursive directory listings or scripted loops.
Step 2 – Sensitive File Access
Multiple files of interest (documents, PDFs, archives, configuration files) are opened or read in a short time window.
Step 3 – Unusual Process Context
File access is performed by non-standard or suspicious processes, such as scripting engines, command-line tools, or renamed binaries executed from unusual locations.
Step 4 – Bulk or Automated Access
File access occurs in loops or scripted sequences, generating a high volume of file I/O operations in a limited timeframe.
🧪 Atomic Red Team Dependency
This scenario is implemented using payloads from the Atomic Red Team framework, which provides controlled and repeatable adversary technique simulations mapped to MITRE ATT&CK.
As a result:
The Atomic Red Team collector must be deployed and enabled in OpenAEV
The collector is required to:
Execute Atomic Red Team payloads
Capture execution context and results
Feed OpenAEV with accurate test telemetry and status
Without the Atomic Red Team collector, this scenario cannot be executed or validated correctly.
📊 Expected Telemetry & Logs
EDR
File open/read events
Process-to-file interaction telemetry
Windows Security Logs
Event ID 4663 (an attempt was made to access an object); only emitted when Object Access auditing is enabled and a SACL is configured on the target files or folders
Sysmon
Event ID 11 (FileCreate) for files written during the test; note that Sysmon does not log file reads, so read-only access is visible only through EDR telemetry or Event ID 4663
Event ID 1 (ProcessCreate) to correlate the accessing process, including its OriginalFileName field, which exposes renamed binaries
UEBA
Detection of deviations from normal user behavior
🚨 Detection Expectations
Security controls should detect:
Automated or bulk file access behavior
Unusual processes accessing user or sensitive files
File access activity inconsistent with historical user baselines
Correlated suspicious activity across discovery and collection phases
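The following is an added example, not code from the original page or from the OpenAEV or Atomic Red Team projects: it encodes the three detection expectations above (bulk access, unusual process context, baseline deviation) as rules and runs them over constructed 4663/Sysmon-style events that reproduce the Step 1-4 execution flow (a renamed interpreter launched from Temp sweeping a finance share). All thresholds, the process allowlist, the sensitive extensions, the historical baseline and the event fields are assumptions chosen for illustration; a real deployment derives them from its own telemetry.

```python
"""Added detection example: three rules run over constructed 4663/Sysmon-style
events (sample data, not real telemetry). Not part of the original page."""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical tuning values; real deployments derive these from their own baselines.
NORMAL_DOC_HANDLERS = {"winword.exe", "excel.exe", "explorer.exe", "acrord32.exe", "outlook.exe"}
SENSITIVE_EXT = {".docx", ".xlsx", ".pdf", ".zip", ".config", ".kdbx", ".pst"}
UNUSUAL_DIRS = ("\\temp\\", "\\downloads\\", "\\users\\public\\")
WINDOW = timedelta(seconds=60)
BULK_THRESHOLD = 20        # distinct files touched by one process inside WINDOW
BASELINE_MULTIPLIER = 5.0  # hourly distinct-file count vs. the user's historical norm
HISTORICAL_BASELINE = {"alice": 4}  # hypothetical: alice usually opens ~4 files per hour


def make_events():
    """Constructed sample: a normal Word session, then a scripted sweep by a
    renamed interpreter running from Temp (the Step 3/4 pattern)."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    events = []
    for i, name in enumerate(["budget.docx", "memo.docx", "plan.docx"]):
        events.append({"ts": base + timedelta(minutes=3 * i), "user": "alice",
                       "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                       "original_file_name": "WinWord.exe",  # taken from the correlated Sysmon EID 1
                       "object": rf"C:\Users\alice\Documents\{name}"})
    for i in range(30):
        events.append({"ts": base + timedelta(minutes=20, seconds=i), "user": "alice",
                       "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
                       "original_file_name": "PowerShell.EXE",
                       "object": rf"\\fileserver\finance\report_{i:02d}.pdf"})
    return events


def detect_bulk_access(events, threshold=BULK_THRESHOLD, window=WINDOW):
    """Rule 1: one (user, process) touching >= threshold distinct files in any window."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["user"], e["image"])].append(e)
    findings = []
    for (user, image), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for i, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:  # slide the window forward
                start += 1
            best = max(best, len({x["object"] for x in evs[start:i + 1]}))
        if best >= threshold:
            findings.append({"rule": "bulk_access", "user": user, "image": image,
                             "max_in_window": best})
    return findings


def detect_unusual_process(events):
    """Rule 2: sensitive files read by non-standard, mislocated or renamed binaries."""
    per_actor = defaultdict(lambda: {"reasons": set(), "sensitive_files": set()})
    for e in events:
        image = e["image"].lower()
        name = ntpath.basename(image)
        ext = ntpath.splitext(e["object"])[1].lower()
        key = (e["user"], e["image"])
        if ext in SENSITIVE_EXT and name not in NORMAL_DOC_HANDLERS:
            per_actor[key]["reasons"].add("non-standard process reading sensitive file")
            per_actor[key]["sensitive_files"].add(e["object"])
        if any(d in image for d in UNUSUAL_DIRS):
            per_actor[key]["reasons"].add("binary executed from unusual location")
        orig = e.get("original_file_name")
        if orig and orig.lower() != name:
            per_actor[key]["reasons"].add("image name differs from OriginalFileName (renamed binary)")
    return [{"rule": "unusual_process", "user": u, "image": img,
             "reasons": sorted(v["reasons"]), "sensitive_files": len(v["sensitive_files"])}
            for (u, img), v in per_actor.items() if v["reasons"]]


def detect_baseline_deviation(events, baseline=HISTORICAL_BASELINE, multiplier=BASELINE_MULTIPLIER):
    """Rule 3: hourly distinct-file volume far above the user's historical norm."""
    per_hour = defaultdict(set)
    for e in events:
        per_hour[(e["user"], e["ts"].replace(minute=0, second=0, microsecond=0))].add(e["object"])
    return [{"rule": "baseline_deviation", "user": user, "hour": hour.isoformat(),
             "count": len(objs), "baseline": baseline[user]}
            for (user, hour), objs in per_hour.items()
            if user in baseline and len(objs) > multiplier * baseline[user]]


def run_detections(events):
    """Run all three rules so an analyst sees bulk collection, process context
    and baseline deviation together (the Step 1-4 chain) for the same actor."""
    return {"bulk_access": detect_bulk_access(events),
            "unusual_process": detect_unusual_process(events),
            "baseline_deviation": detect_baseline_deviation(events)}


if __name__ == "__main__":
    for rule, hits in run_detections(make_events()).items():
        for hit in hits:
            print(rule, hit)
```

The Word session is never flagged: three files over six minutes stay under the sliding-window threshold, the handler is on the allowlist and its image name matches OriginalFileName. The Temp-resident svchost.exe trips all three rules, and the renamed-binary reason comes only from correlating the file access with the process creation event, which is why Sysmon Event ID 1 (or equivalent EDR process telemetry) is listed among the expected sources above.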
🧪 BAS / AEV Validation Goals
Control   Validation Focus
EDR       Behavioral file access detection
SIEM      Cross-source correlation and alerting
UEBA      User and process anomaly detection
DLP       Visibility into sensitive file access
🧹 Cleanup & Safety
No data modification or exfiltration
No destructive actions
Temporary artifacts created by Atomic Red Team payloads are removed after execution
🟢 Outcome
A successful execution confirms that the organization can detect and respond to early-stage suspicious file access activity before escalation to data theft, ransomware deployment, or insider threat actions.