Find sigma rule
Attack: File and Directory Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Many command shell utilities can be used to obtain this information. Examples include dir
, tree
, ls
, find
, and locate
.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Native API. Adversaries may also leverage a Network Device CLI on network devices to gather file and directory information (e.g. dir
, show flash
, and/or nvram
).(Citation: US-CERT-TA18-106A)
Some files and directories may require elevated or specific user permissions to access.
MITRE
Tactic
- discovery
technique
- T1083
Test : File and Directory Discovery (cmd.exe)
OS
- windows
Description:
Find or discover files on the file system. Upon successful execution, this test will output the results of all the data discovery commands to a specified file.
Executor
command_prompt
Sigma Rule
- proc_creation_win_susp_local_system_owner_account_discovery.yml (id: 502b42de-4306-40b4-9596-6f590c81f073)