From c8e1d66a357dc592a2ea1f2e570741cbe5485c33 Mon Sep 17 00:00:00 2001
From: Milad Cheraghi <82805580+CheraghiMilad@users.noreply.github.com>
Date: Sun, 1 Dec 2024 16:37:54 +0330
Subject: [PATCH] Merge PR #5091 from @CheraghiMilad - Update `File and Directory Discovery - Linux`
update: File and Directory Discovery - Linux - Add 2 additional binaries, "findmnt" and "mlocate"
---------
Co-authored-by: Milad Cheraghi
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 ...ation_lnx_file_and_directory_discovery.yml | 21 ++++++++++++-------
 1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml
index 1238daa1a..64a3c4b52 100644
--- a/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml
@@ -1,12 +1,13 @@
 title: File and Directory Discovery - Linux
 id: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72
 status: test
-description: Detects usage of system utilities to discover files and directories
+description: |
+    Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
-author: Daniil Yugoslavskiy, oscd.community
+author: Daniil Yugoslavskiy, oscd.community, CheraghiMilad
 date: 2020-10-19
-modified: 2022-11-25
+modified: 2024-12-01
 tags:
     - attack.discovery
     - attack.t1083
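Review bot: The rewritten description on the added `Detects usage of system utilities such as "find", "tree", "findmnt", etc, …` line now claims the rule covers discovery of network shares, but the `tags:` context lines in the same hunk still carry only `attack.discovery` and `attack.t1083`; share and mount enumeration is ATT&CK T1135, so either the wording or the tag list should follow. `findmnt` lists every mounted filesystem, of which network mounts are only a subset, so the more accurate wording is `Detects usage of system utilities such as "find", "tree", "findmnt", etc., to discover files, directories and mounted filesystems (including network shares).`. If the network-share framing is kept instead, add `- attack.t1135` under `tags:` so the rule is findable by that technique.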
@@ -14,17 +15,21 @@ logsource:
     category: process_creation
     product: linux
 detection:
-    select_file_with_asterisk:
+    selection_file_with_asterisk:
         Image|endswith: '/file'
         CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
-    select_recursive_ls:
+    selection_recursive_ls:
         Image|endswith: '/ls'
         CommandLine|contains: '-R'
-    select_find_execution:
+    selection_find_execution:
         Image|endswith: '/find'
-    select_tree_execution:
+    selection_tree_execution:
         Image|endswith: '/tree'
-    condition: 1 of select*
+    selection_findmnt_execution:
+        Image|endswith: '/findmnt'
+    selection_locate_execution:
+        Image|endswith: '/mlocate'
+    condition: 1 of selection_*
 falsepositives:
     - Legitimate activities
 level: informational
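Review bot: The new `selection_locate_execution` entry matches only `Image|endswith: '/mlocate'`, which misses how the tool is normally invoked: users run `locate`, and on recent Debian/Ubuntu releases `/usr/bin/locate` is an alternatives symlink that points at `plocate` rather than `mlocate`, so depending on whether the log source records the invoked name or the resolved executable the match fails on one or both. Because `endswith` compares the slash-prefixed suffix, `'/locate'` alone would not catch `/usr/bin/mlocate` either, so list all three: `Image|endswith: ['/locate', '/mlocate', '/plocate']` (as a block list in the file's style). The selection name already says "locate", so this only brings the matcher in line with its stated intent.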