
Find sigma rule :x:

Attack: File and Directory Discovery

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Native API. Adversaries may also leverage a Network Device CLI on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram). (Citation: US-CERT-TA18-106A)

Some files and directories may require elevated or specific user permissions to access.

MITRE

Tactic

technique

Test: ESXi - Enumerate VMDKs available on an ESXi Host

OS

Description:

An adversary uses the find command to enumerate VMDKs on an ESXi host.

Executor

command_prompt

Sigma Rule
