OpenCTI または OpenAEV プラットフォームを 30 日間お試しいただけます。 無料トライアル
XTM Hub by Filigranサインイン

Suspicious File Access Patterns

Endpoint Security Validation
Detection Rule Validation

概要

Suspicious File Access Patterns Assesment

🎯 Scenario Objective

The objective of this scenario is to simulate abnormal and potentially malicious file access behavior in order to validate the ability of security controls (EDR, SIEM, UEBA, DLP) to:

Detect unusual volume, frequency, or sequence of file access

Identify non-standard processes accessing sensitive files

Correlate file access activity with user, process, and context

Detect early-stage attacker behaviors such as data discovery, collection, or staging

This scenario focuses on behavioral patterns, not on malware execution.

🧠 Threat Context

Adversaries commonly access large numbers of files after gaining initial access in order to:

Discover sensitive information (documents, credentials, configs)

Prepare for data exfiltration

Perform ransomware impact analysis

Identify intellectual property or financial data

Such activity often results in file access patterns that differ significantly from normal user behavior. 🧪 Scenario Description (Execution Flow) Step 1 – File System Discovery

A process enumerates directories and files across multiple locations (user profile, shared folders, system paths) using automated techniques.

Step 2 – Sensitive File Access

Multiple files of interest (documents, PDFs, archives, configuration files) are opened or read in a short time window.

Step 3 – Unusual Process Context

File access is performed by non-standard or suspicious processes, such as scripting engines, command-line tools, or renamed binaries executed from unusual locations.

Step 4 – Bulk or Automated Access

File access occurs in loops or scripted sequences, generating a high volume of file I/O operations in a limited timeframe.

🧪 Atomic Red Team Dependency

This scenario is implemented using payloads from the Atomic Red Team framework, which provides controlled and repeatable adversary technique simulations mapped to MITRE ATT&CK.

As a result:

The Atomic Red Team collector must be deployed and enabled in OpenAEV

The collector is required to:

Execute Atomic Red Team payloads

Capture execution context and results

Feed OpenAEV with accurate test telemetry and status

Without the Atomic Red Team collector, this scenario cannot be executed or validated correctly.

📊 Expected Telemetry & Logs

EDR

File open/read events

Process-to-file interaction telemetry

Windows Security Logs

Object access events (e.g., 4663, when enabled)

Sysmon

Event ID 11 (FileCreate)

Correlated process execution events

UEBA

Detection of deviations from normal user behavior

🚨 Detection Expectations

Security controls should detect:

Automated or bulk file access behavior

Unusual processes accessing user or sensitive files

File access activity inconsistent with historical user baselines

Correlated suspicious activity across discovery and collection phases

🧪 BAS / AEV Validation Goals Control Validation Focus EDR Behavioral file access detection SIEM Cross-source correlation and alerting UEBA User and process anomaly detection DLP Visibility into sensitive file access 🧹 Cleanup & Safety

No data modification or exfiltration

No destructive actions

Temporary artifacts created by Atomic Red Team payloads are removed after execution

🟢 Outcome

A successful execution confirms that the organization can detect and respond to early-stage suspicious file access activity before escalation to data theft, ransomware deployment, or insider threat actions.

基本情報

Filigran
Sébastien Miguel
2026年7月01日
2.0.11
80+
4

    当社は、XTM Hubの機能を動作させ、その利用状況を把握し、ユーザー体験を向上させるためにクッキーを使用しています。必須のクッキーは常に有効になっています。また、ユーザーの同意を得た上で、機能、パフォーマンス、分析、およびマーケティングを目的としたオプションのクッキーも使用しています。 すべてのクッキーを受け入れる、すべてを拒否する、または許可するオプションのクッキーを選択することができます。「クッキー設定」から、いつでも設定を変更できます。詳細については、当社のクッキーポリシーをご覧ください。