MaxPatrol SIEM

Detects cyber incidents that undermine the cyber resilience of a company

T1083: File and Directory Discovery

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. Custom tools may also be used to gather file and directory information and interact with the Native API. Adversaries may also leverage a Network Device CLI on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).

Some files and directories may require elevated or specific user permissions to access.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_discovery: PT-CR-322: File_Directory_Discovery: An attempt to retrieve a list of existing system files and folders is detected
postgresql_database: PT-CR-1829: PostgreSQL_Structure_Discovery: Execution of certain SQL commands that reconnoiter the internal structure of the PostgreSQL database, which may indicate attacker activity
mitre_attck_discovery: PT-CR-2117: Windows_Mass_Recon: Large number of reconnaissance-related actions on a host
mssql_database: PT-CR-416: MSSQL_file_system_discovery: An attempt to get information from the file system using a database
mssql_database: PT-CR-556: MSSQL_backup_location_discovery: An attempt to get information about the database backup locations
clickhouse: PT-CR-1564: ClickHouse_users_directory_discovery: An attempt to retrieve information about the location of DBMS user files is detected
clickhouse: PT-CR-1565: ClickHouse_backup_directory_discovery: An attempt to retrieve information about the location of DBMS object backup copies is detected
dnsmasq: PT-CR-2149: Dnsmasq_TFTP_File_Recon: Multiple failed attempts to access a file via TFTP

Detection

ID: DS0009. Data source and component: Process: Process Creation. Description:

Monitor newly executed processes that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

ID: DS0009. Data source and component: Process: OS API Execution. Description:

Monitor for API calls that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

ID: DS0017. Data source and component: Command: Command Execution. Description:

Monitor executed commands and arguments that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.
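The process-creation and command-execution monitoring described above, as an added illustration that is not MaxPatrol SIEM's own rule logic: a small Python detector runs over constructed process-creation events, flags the broad enumeration commands named in the technique description (dir, tree, ls, find, locate and their PowerShell equivalents), and counts hits per host so that a burst of discovery commands on one machine stands out, in the spirit of the mass-reconnaissance rule. Event shape, patterns and the threshold are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified process-creation shape
# (host, user, command line); not real telemetry.
EVENTS = [
    ("ws01", "alice", r'cmd.exe /c dir /s /b C:\Users\*.docx'),
    ("ws01", "alice", r'tree C:\ /F'),
    ("ws01", "alice", r'powershell -c "Get-ChildItem -Path C:\ -Recurse -Include *.kdbx"'),
    ("ws02", "bob", r'cmd.exe /c dir C:\Users\bob\Desktop'),
    ("srv01", "svc_backup", r'find / -name "*.pem"'),
    ("srv01", "svc_backup", r'ls -laR /home'),
    ("ws02", "bob", r'notepad.exe report.txt'),
]

# Command-line patterns for recursive or wildcard enumeration (T1083).
# A plain listing of one directory is too noisy to score on its own.
DISCOVERY_PATTERNS = [
    (re.compile(r"\bdir\b.*(/s\b|\*)", re.I), "dir: recursive or wildcard listing"),
    (re.compile(r"\btree\b", re.I), "tree: directory tree listing"),
    (re.compile(r"Get-ChildItem\b.*-Recurse|\b(gci|ls)\b.*-Recurse", re.I),
     "PowerShell: recursive Get-ChildItem"),
    (re.compile(r"\bls\b\s+-[a-zA-Z]*R"), "ls: recursive listing"),
    (re.compile(r"\bfind\s+/"), "find: search from filesystem root"),
    (re.compile(r"\blocate\b"), "locate: filename database search"),
]


def classify(cmdline):
    """Return a label for a discovery command line, or None if it looks benign."""
    for pattern, label in DISCOVERY_PATTERNS:
        if pattern.search(cmdline):
            return label
    return None


def detect(events, mass_recon_threshold=3):
    """Return (per-event hits, hosts whose hit count reaches the threshold).

    The threshold is an assumed value; a real rule would also bound the time window.
    """
    hits = []
    per_host = defaultdict(int)
    for host, user, cmdline in events:
        label = classify(cmdline)
        if label:
            hits.append((host, user, label))
            per_host[host] += 1
    mass_recon = {h: n for h, n in per_host.items() if n >= mass_recon_threshold}
    return hits, mass_recon


if __name__ == "__main__":
    for hit in detect(EVENTS)[0]:
        print("discovery:", hit)
    print("mass recon hosts:", detect(EVENTS)[1])
```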