IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
File and Directory Discovery
editFile and Directory Discovery
editEnumeration of files and directories using built-in tools. Adversaries may use the information discovered to plan follow-on activity.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
- winlogbeat-*
- logs-windows.*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References: None
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Discovery
Version: 4
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editsequence by agent.id, user.name with maxspan=1m [process where event.type in ("start", "process_started") and ((process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and process.args : "dir") or process.name : "tree.com"] [process where event.type in ("start", "process_started") and ((process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and process.args : "dir") or process.name : "tree.com"] [process where event.type in ("start", "process_started") and ((process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and process.args : "dir") or process.name : "tree.com"]
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
-
Technique:
- Name: File and Directory Discovery
- ID: T1083
- Reference URL: https://attack.mitre.org/techniques/T1083/