Applied Cybernetics Group
T1083 — File and Directory Discovery
- Technique: T1083
- Tactics: Discovery
- MISP citations: 0
- KEV CVEs mapped: 5
- Community rules: 24
- thrunt rules: 0
- Upstream: https://attack.mitre.org/techniques/T1083
MITRE description
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Many command shell utilities can be used to obtain this information. Examples include `dir`, `tree`, `ls`, `find`, and `locate`.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. `dir`, `show flash`, and/or `nvram`).(Citation: US-CERT-TA18-106A) Some files and directories may require elevated or specific user permissions to access.
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV-to-ATT&CK mappings, these are the actively exploited vulnerabilities behind this technique's KEV signal.
Detection coverage
SigmaHQ community rules
- Turla Group Lateral Movement (emerging-threats)
- WannaCry Ransomware Activity (emerging-threats)
- Linux Capabilities Discovery (core)
- Shell Invocation via Apt - Linux (core)
- Capabilities Discovery - Linux (core)
- File and Directory Discovery - Linux (core)
- Shell Execution via Find - Linux (core)
- Shell Execution via Flock - Linux (core)
- Shell Execution GCC - Linux (core)
- Shell Execution via Nice - Linux (core)
- PUA - TruffleHog Execution - Linux (core)
- Potential Discovery Activity Using Find - Linux (core)
- Vim GTFOBin Abuse - Linux (core)
- File and Directory Discovery - MacOS (core)
- Potential Discovery Activity Using Find - MacOS (core)
- Cisco Discovery (core)
- Source Code Enumeration Detection by Keyword (core)
- Powershell Sensitive File Discovery (core)
- Powershell Directory Enumeration (core)
- DirLister Execution (core)
- HackTool - PCHunter Execution (core)
- Notepad Password Files Discovery (core)
- PUA - Seatbelt Execution (core)
- PUA - TruffleHog Execution (core)