Find sigma rule 
Attack: File and Directory Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Native API. Adversaries may also leverage a Network Device CLI on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).(Citation: US-CERT-TA18-106A)
Some files and directories may require elevated or specific user permissions to access.
MITRE
Tactic
- discovery
technique
- T1083
Test : Simulating MAZE Directory Enumeration
OS
- windows
Description:
This test emulates MAZE ransomware’s ability to enumerate directories using Powershell. Upon successful execution, this test will output the directory enumeration results to a specified file, as well as display them in the active window. See https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
Executor
powershell
Sigma Rule
- posh_ps_susp_directory_enum.yml (id: 162e69a7-7981-4344-84a9-0f1c9a217a52)