Update mass-file-enumeration-in-user-data-paths.md

aring87 · web-flow · commit 7d99c465bd08 · 2026-03-26T15:25:32.000-04:00
diff --git a/content/triage-guides/sentinel/collection/mass-file-enumeration-in-user-data-paths.md b/content/triage-guides/sentinel/collection/mass-file-enumeration-in-user-data-paths.md
@@ -1,95 +1,257 @@
-# Triage Guide: Mass File Enumeration in User Data Paths
+# Mass File Access in User Data Paths by Uncommon Process Triage Guide
 
-## Detection Title
-Mass File Enumeration in User Data Paths
+## Rule Overview
 
-## Detection ID
-SENT-COLL-0002
+**Title:** Mass File Access in User Data Paths by Uncommon Process  
+**Rule ID:** SENT-COLL-0002  
+**Severity:** Medium  
+**Risk Score:** 58  
+**Tactic:** Collection  
+**Techniques:** T1005 - Data from Local System, T1039 - Data from Network Shared Drive  
+**Platform:** Microsoft Sentinel  
+**Data Source:** DeviceFileEvents  
+**Lifecycle:** Experimental
 
-## Objective
+## Purpose
 
-This detection identifies processes touching large numbers of files across user data paths within a short period. This may indicate data discovery, staging, or collection activity prior to archiving or exfiltration.
+This detection identifies high-volume access to files in user data paths by uncommon processes, which may indicate collection or staging activity.
 
-## Why It Matters
+This matters because attackers often enumerate or access many files across user directories before:
 
-Large-scale file enumeration across:
-- user profiles
-- desktop folders
-- document folders
-- download directories
+- Exfiltration
+- Compression
+- Cloud upload
+- Removable media transfer
+- Internal staging
 
-can indicate an attempt to identify or collect valuable user data. While some legitimate tools do this, the behavior is important to review when tied to suspicious processes or timing.
+## Detection Logic Summary
 
-## Alert Logic Summary
+The rule reviews `DeviceFileEvents` in common user data paths such as:
 
-The rule looks for activity in paths such as:
 - `\Users\`
 - `\Desktop\`
 - `\Documents\`
 - `\Downloads\`
 
-It summarizes file touches over 15 minutes and alerts when:
-- file touches are high
-- multiple distinct user-data paths are involved
+It excludes common expected processes such as:
+
+- `explorer.exe`
+- `SearchIndexer.exe`
+- `OneDrive.exe`
+- `MsMpEng.exe`
+- `svchost.exe`
+
+The rule summarizes activity over 15-minute windows and alerts when:
+
+- `FileTouches >= 200`
+- `Paths >= 3`
+
+## Likely Analyst Goal
+
+Determine whether the file activity was:
+
+- Normal backup, sync, indexing, or administrative behavior
+- Approved enterprise software activity
+- Suspicious mass file enumeration or collection
 
 ## Initial Triage Questions
 
-- What process touched the files?
-- Is the process a known backup, indexing, or security tool?
-- Was the user performing normal file-management activity?
-- Did the process also create archives or stage files?
-- Is there outbound transfer behavior soon after?
+1. What uncommon process touched the files?
+2. Is the process normal for the host or business workflow?
+3. How broad was the file access?
+4. Was the activity followed by archiving, upload, or transfer?
+5. Is there evidence of local or remote data staging?
+
+---
 
 ## Investigation Steps
 
-1. Identify the initiating process and account.
-2. Review the time window and total file-touch volume.
-3. Confirm whether the process is expected on the host.
-4. Determine whether the activity is:
-   - backup
-   - search indexing
-   - anti-malware scanning
-   - scripted file collection
-5. Review for related activity after enumeration:
-   - zip or archive creation
-   - cloud upload
-   - external network transfer
-   - copying to temporary or staging locations
-6. Check whether the same process touched sensitive departments, shared data, or multiple users’ folders.
-
-## Common False Positives
-
-- backup agents
-- indexing services
-- anti-malware or EDR scanning
-- administrative bulk file operations
-- migration or profile-copy utilities
-
-## Escalation Guidance
+### 1. Review the Process Identity
+
+Inspect:
+
+- `InitiatingProcessFileName`
+- `InitiatingProcessCommandLine`
+- `InitiatingProcessAccountName`
+
+Determine whether the process is:
+
+- Known and approved
+- Rare or previously unseen
+- Unsigned
+- Running from a suspicious path
+
+**Why this matters:**  
+Uncommon processes touching large numbers of user files can indicate collection tooling.
+
+---
+
+### 2. Review the Volume and Path Distribution
+
+Assess:
+
+- Number of file touches
+- Number of distinct paths
+- Whether activity spans multiple user folders
+- Whether the activity is broad or narrowly targeted
+
+**Why this matters:**  
+Broad access across many directories is more consistent with automated enumeration or staging.
+
+---
+
+### 3. Determine Whether the Activity Is Expected
+
+Ask:
+
+- Is this a backup, sync, or migration utility?
+- Is the device undergoing software inventory or migration?
+- Does the process belong to approved enterprise tooling?
+- Does the user role justify large-scale file interaction?
+
+**Why this matters:**  
+Some enterprise tools touch large file volumes as part of normal operations.
+
+---
+
+### 4. Review the Execution Context
+
+Check:
+
+- Parent process
+- Signer information
+- File path
+- Launch location
+- User-writable directory execution
+- Script host usage
+
+Focus on whether the process launched from:
+
+- `%TEMP%`
+- Downloads
+- AppData
+- USB media
+- Network shares
+
+**Why this matters:**  
+Execution context often shows whether a process is legitimate software or suspicious tooling.
+
+---
+
+### 5. Hunt for Follow-On Staging or Exfiltration
+
+Look for nearby events involving:
+
+- Archive creation
+- ZIP or RAR usage
+- Cloud upload
+- Email transfer
+- USB transfer
+- Copies into temp folders
+- Outbound network connections
+
+**Why this matters:**  
+Mass file access followed by transfer or compression is highly suspicious.
+
+---
+
+### 6. Assess the User and Host
+
+Review:
+
+- Whether the host is a workstation, admin system, or high-value endpoint
+- Whether the user works with large file collections
+- Whether similar file access has happened before
+- Whether other alerts exist on the same system
+
+**Why this matters:**  
+Collection behavior on finance, HR, executive, or admin systems can have greater impact.
+
+---
+
+## Benign Explanations
+
+Common legitimate scenarios include:
+
+1. Backup, indexing, sync, or anti-malware scanning
+2. Bulk file handling by administrators or approved enterprise tooling
+3. Software inventory or migration utilities
+
+---
+
+## Suspicious Indicators
+
+Escalate concern when you observe:
+
+- Rare or unsigned process touching many files
+- Execution from temp or user-writable paths
+- Mass access followed by compression or transfer
+- Similar activity across multiple hosts
+- Concurrent credential or browser data access
+- Other compromise indicators on the host
+
+---
+
+## Triage Decision
+
+### Close as Benign / False Positive
+
+Close as benign when:
+
+- The process is approved and expected
+- The volume aligns to backup, inventory, or migration workflows
+- No staging or exfiltration is observed
+
+### Escalate as Suspicious
 
 Escalate when:
-- the process is unusual or unsigned
-- enumeration is followed by compression or transfer
-- the user context is suspicious
-- the process is script-based or attacker-adjacent
-- the host shows related discovery, collection, or exfiltration behavior
 
-## Recommended Enrichment
+- The process is uncommon or suspicious
+- File access volume is abnormal for the host
+- There is evidence of staging or transfer preparation
+
+### Escalate as Likely Malicious
+
+Escalate as likely malicious when:
+
+- Mass file access clearly supports collection behavior
+- Exfiltration or staging is confirmed
+- The device shows broader intrusion evidence
+
+---
+
+## Response Actions
+
+Depending on findings, consider:
+
+- Isolating the device
+- Collecting the binary and execution artifacts
+- Hunting for the same process across endpoints
+- Reviewing cloud, email, and removable media activity
+- Escalating to incident response for suspected collection and staging
+
+---
+
+## Example Analyst Notes Template
+
+### Analyst Summary
 
-- initiating process details
-- signer and file path of the process
-- parent process
-- archive creation events
-- outbound network telemetry
-- cloud application activity
-- recent alerts on the same host
+Alert fired for mass file access in user data paths by an uncommon process, potentially indicating data collection or staging activity.
 
-## ATT&CK Mapping
+### Key Findings
 
-- Collection
-- T1005 – Data from Local System
-- T1039 – Data from Network Shared Drive
+- **Affected device:**  
+- **Affected user:**  
+- **Process:**  
+- **Command line:**  
+- **File touch volume:**  
+- **Distinct paths:**  
+- **Expected business purpose:**  
+- **Nearby staging or exfiltration behavior:**  
+- **Final assessment:**  
 
-## Related Rule
+### Recommended Disposition
 
-- `detections/sentinel/collection/mass-file-enumeration-in-user-data-paths.yml`
+- Benign / False Positive
+- Suspicious - Needs Deeper Investigation
+- Confirmed Malicious
