T1083

File and Directory Discovery

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Many command shell utilities can be used to obtain this information. Exa...

Platforms: ESXi, Linux, macOS, Network Devices, Windows

48 Detections
3 Sources
50 Threat Actors

BY SOURCE

22 elastic, 22 sigma, 4 splunk_escu

PROCEDURES (27)

Auto-extracted procedure categories, with the number of detections in each:

Process Creation Monitoring (6 detections)
Privilege (6 detections)
General Monitoring (4 detections)
Privilege (3 detections)
Exfiltrat (3 detections)
Suspicious (2 detections)
Script Execution Monitoring (2 detections)
Container (2 detections)
Inject (2 detections)
Unusual (1 detection)
Unusual (1 detection)
Credential (1 detection)
Aws (1 detection)
Ransomware (1 detection)
Suspicious (1 detection)
Unusual (1 detection)
Http (1 detection)
Cloud (1 detection)
Http (1 detection)
Network Connection Monitoring (1 detection)
Cloud (1 detection)
Ransomware (1 detection)
Suspicious (1 detection)
Kernel (1 detection)
Kernel (1 detection)
Kubernetes (1 detection)
Kubernetes (1 detection)

DETECTIONS (48)

Each entry lists the detection name followed by its source and, where the source provides one, its severity level.

AWS Credentials Searched For Inside A Container (elastic, high)
Capabilities Discovery - Linux (sigma, low)
Cisco Discovery (sigma, low)
Cloud Credential Search Detected via Defend for Containers (elastic, medium)
DirLister Execution (sigma, low)
ESXI Discovery via Find (elastic, medium)
ESXI Discovery via Grep (elastic, medium)
File and Directory Discovery - Linux (sigma, informational)
File and Directory Discovery - MacOS (sigma, informational)
Full Disk Access Permission Check (elastic, medium)
HackTool - PCHunter Execution (sigma, high)
Kernel Instrumentation Discovery via kprobes and tracefs (elastic, low)
Kubeconfig File Discovery (elastic, low)
Kubelet Pod Discovery Detected via Defend for Containers (elastic, low)
Linux Auditd Database File And Directory Discovery (splunk_escu)
Linux Auditd File And Directory Discovery (splunk_escu)
Linux Auditd Hidden Files And Directories Creation (splunk_escu)
Linux Auditd Virtual Disk File And Directory Discovery (splunk_escu)
Linux Capabilities Discovery (sigma, low)
Notepad Password Files Discovery (sigma, low)
Potential Credential Discovery via Recursive Grep (elastic, high)
Potential Discovery Activity Using Find - Linux (sigma, medium)
Potential Discovery Activity Using Find - MacOS (sigma, medium)
Powershell Directory Enumeration (sigma, medium)
Powershell Sensitive File Discovery (sigma, medium)
Private Key Searching Activity (elastic, high)
Process Capability Enumeration (elastic, medium)
PUA - Seatbelt Execution (sigma, high)
PUA - TruffleHog Execution (sigma, medium)
PUA - TruffleHog Execution - Linux (sigma, medium)
Security File Access via Common Utilities (elastic, low)
Sensitive Keys Or Passwords Search Detected via Defend for Containers (elastic, medium)
Sensitive Keys Or Passwords Searched For Inside A Container (elastic, medium)
Shell Execution GCC - Linux (sigma, high)
Shell Execution via Find - Linux (sigma, high)
Shell Execution via Flock - Linux (sigma, high)
Shell Execution via Nice - Linux (sigma, high)
Shell Invocation via Apt - Linux (sigma, medium)
Source Code Enumeration Detection by Keyword (sigma, medium)
SUID/SGUID Enumeration Detected (elastic, medium)
Suspicious Dynamic Linker Discovery via od (elastic, high)
Suspicious Memory grep Activity (elastic, high)
Suspicious System Commands Executed by Previously Unknown Executable (elastic, low)
Suspicious which Enumeration (elastic, low)
Vim GTFOBin Abuse - Linux (sigma, high)
Web Server Local File Inclusion Activity (elastic, low)
Web Server Potential Remote File Inclusion Activity (elastic, low)
Yum/DNF Plugin Status Discovery (elastic, low)