
File and Directory Discovery (T1083)

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Events covered

3 catalog events are tagged with this technique by at least one rule.

Provider | Event ID | Title
Sysmon | 1 | Process creation
Security-Auditing | 4688 | A new process has been created.
PowerShell | 4104 | Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 8 rules listed under this technique: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (7 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
Image | 5 | ends_with 5 | \DirLister.exe, \PCHunter32.exe, \PCHunter64.exe, \notepad.exe, \Seatbelt.exe
OriginalFileName | 3 | eq 3 | DirLister.exe, PCHunter.exe, Seatbelt.exe
CommandLine | 3 | match 2, ends_with 1 | password*.csv, password*.txt, password*.doc, InterestingFiles, -outputfile=
Description | 2 | eq 2 | Epoolsoft Windows Information View Tools, Seatbelt
ScriptBlockText | 2 | match 2 | SilentlyContinue, -append, -ErrorAction , get-childitem, gci
Hashes | 1 | match 1 | IMPHASH=444D210CEA1FF8112F256A4997EED7FF, SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB, SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA430659...
ParentImage | 1 | ends_with 1 | \explorer.exe

Top indicator values (68 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
OriginalFileName | eq | DirLister.exe | 1 |
Image | ends_with | \DirLister.exe | 1 |
Hashes | match | SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB | 1 |
Hashes | match | IMPHASH=444D210CEA1FF8112F256A4997EED7FF | 1 |
Hashes | match | MD5=228DD0C2E6287547E26FFBD973A40F14 | 1 |
Description | eq | Epoolsoft Windows Information View Tools | 1 |
Hashes | match | SHA1=5F1CBC3D99558307BC1250D084FA968521482025 | 1 |
Hashes | match | SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C | 1 |
Image | ends_with | \PCHunter32.exe | 1 |
Hashes | match | MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7 | 1 |
Hashes | match | IMPHASH=0479F44DF47CFA2EF1CCC4416A538663 | 1 |
OriginalFileName | eq | PCHunter.exe | 1 |
Hashes | match | SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32 | 1 |
Image | ends_with | \PCHunter64.exe | 1 |
CommandLine | ends_with | password*.txt | 1 |
Image | ends_with | \notepad.exe | 1 | 11
CommandLine | ends_with | password*.doc | 1 |
ParentImage | ends_with | \explorer.exe | 1 | 11
CommandLine | ends_with | password*.xls | 1 |
CommandLine | ends_with | password*.csv | 1 |
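The "combine them with another condition" point above, worked through as an added example (not part of the catalog or any of its rules): a minimal evaluator for the eq, ends_with and match operators used in these tables, run over three constructed Sysmon Event ID 1 records (sample data, not real telemetry). The operator semantics assumed here (case-insensitive comparison, Sigma-style `*` wildcards inside ends_with and match values) are this example's assumptions, not something the page defines.

```python
import re

# Constructed Sysmon Event ID 1 style records; none of these come from a real host.
EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\passwords.txt'},
    {"Image": r"C:\Tools\Seatbelt.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"Seatbelt.exe InterestingFiles -outputfile=C:\Temp\out.txt"},
]


def _wildcard_regex(value: str, anchor_end: bool) -> re.Pattern:
    """Turn a value with Sigma-style '*' wildcards into a case-insensitive regex."""
    body = ".*".join(re.escape(part) for part in value.split("*"))
    return re.compile(body + ("$" if anchor_end else ""), re.IGNORECASE)


# Assumed semantics for the three operator kinds shown in the tables above.
OPERATORS = {
    "eq": lambda actual, value: actual.lower() == value.lower(),
    "ends_with": lambda actual, value: _wildcard_regex(value, True).search(actual) is not None,
    "match": lambda actual, value: _wildcard_regex(value, False).search(actual) is not None,
}


def predicate_hits(event: dict, field: str, kind: str, value: str) -> bool:
    """One (field, kind, value) row of the indicator table against one event."""
    actual = event.get(field)
    return actual is not None and OPERATORS[kind](actual, value)


def count_hits(events: list, predicates: list) -> int:
    """Count events where every predicate holds (a Sigma-style AND selection)."""
    return sum(all(predicate_hits(e, *p) for p in predicates) for e in events)


# The \notepad.exe indicator alone (corpus reach 11): fires on every Notepad launch.
NOISY = [("Image", "ends_with", r"\notepad.exe")]
# Same indicator combined with the technique-specific parent and command-line rows.
COMBINED = NOISY + [("ParentImage", "ends_with", r"\explorer.exe"),
                    ("CommandLine", "ends_with", "password*.txt")]
# A tool-specific selection built from the Seatbelt rows.
SEATBELT = [("Image", "ends_with", r"\Seatbelt.exe"),
            ("CommandLine", "match", "InterestingFiles")]

if __name__ == "__main__":
    for name, preds in (("noisy", NOISY), ("combined", COMBINED), ("seatbelt", SEATBELT)):
        print(f"{name}: {count_hits(EVENTS, preds)} of {len(EVENTS)} events")
```

Against the three constructed records the noisy selection hits both Notepad launches, while the combined selection hits only the password-file open.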

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma (7 rules)

Kusto Query Language (1 rule)