Find sigma rule
Attack: File and Directory Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Native API. Adversaries may also leverage a Network Device CLI on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).(Citation: US-CERT-TA18-106A)
Some files and directories may require elevated or specific user permissions to access.
MITRE
Tactic
- discovery
Technique
- T1083
Test: Launch DirLister Executable
OS
- windows
Description:
Launches the DirLister executable for a short period of time and then exits.
Recently seen used by BlackCat ransomware to create a list of accessible directories and files.
Executor
powershell
Sigma Rule
- proc_creation_win_dirlister_execution.yml (id: b4dc61f5-6cce-468e-a608-b48b469feaa2)
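The Sigma rule listed above is a process-creation rule, so the detection it expresses can be exercised offline against telemetry shaped like Sysmon Event ID 1. The following is an added example, not code from this page, from Atomic Red Team, or from SigmaHQ: it does not reproduce the contents of proc_creation_win_dirlister_execution.yml, and the two field checks it applies (Image ending in \DirLister.exe, or OriginalFileName equal to DirLister.exe) are an assumption about what such a rule would match, included because the second check is what catches a renamed copy of the binary. All events are constructed sample data.

```python
"""Toy DirLister process-creation detector (added example).

The field checks below are an assumption about what a Sysmon-based
process_creation Sigma rule for DirLister would match; they are NOT the
contents of proc_creation_win_dirlister_execution.yml. Sample events are
constructed, not real telemetry.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcessCreationEvent:
    """Subset of Sysmon Event ID 1 fields relevant to this check."""
    image: str               # full path of the launched executable
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str
    parent_image: str


# Constructed sample events: one DirLister launched from PowerShell (as the
# atomic test would do), one renamed DirLister copy, and two benign
# file-listing commands that a DirLister rule should NOT fire on.
SAMPLE_EVENTS: List[ProcessCreationEvent] = [
    ProcessCreationEvent(
        image=r"C:\Users\Public\DirLister.exe",
        original_file_name="DirLister.exe",
        command_line=r'"C:\Users\Public\DirLister.exe"',
        parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    ),
    ProcessCreationEvent(
        image=r"C:\Temp\dl.exe",            # binary renamed on disk
        original_file_name="DirLister.exe",  # PE metadata still gives it away
        command_line="dl.exe",
        parent_image=r"C:\Windows\explorer.exe",
    ),
    ProcessCreationEvent(
        image=r"C:\Windows\System32\cmd.exe",
        original_file_name="Cmd.Exe",
        command_line=r"cmd.exe /c dir C:\Users",
        parent_image=r"C:\Windows\explorer.exe",
    ),
    ProcessCreationEvent(
        image=r"C:\Program Files\Git\usr\bin\ls.exe",
        original_file_name="ls.exe",
        command_line="ls -la",
        parent_image=r"C:\Program Files\Git\git-bash.exe",
    ),
]


def classify(event: ProcessCreationEvent) -> Optional[str]:
    """Return which assumed selection matched, or None if the event is benign.

    Comparisons are case-insensitive because Windows paths and PE metadata
    are not reliably cased in telemetry.
    """
    if event.image.lower().endswith("\\dirlister.exe"):
        return "image"
    if event.original_file_name.lower() == "dirlister.exe":
        return "original_file_name"
    return None


def detect(events: List[ProcessCreationEvent]) -> List[ProcessCreationEvent]:
    """Filter a batch of process-creation events down to DirLister hits."""
    return [e for e in events if classify(e) is not None]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{classify(hit):>18}  {hit.image}  (parent: {hit.parent_image})")
```

Running the block flags exactly the two DirLister events and ignores the cmd.exe dir and Git ls invocations, which belong to the broader T1083 technique but are far too common to alert on by process name alone. The OriginalFileName check is the part worth keeping in any real rule: renaming the executable defeats the path match but not the PE version metadata that Sysmon records.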