T1083 File and Directory Discovery Mappings

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Many command shell utilities can be used to obtain this information. Examples include <code>dir</code>, <code>tree</code>, <code>ls</code>, <code>find</code>, and <code>locate</code>. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Native API.


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
| --- | --- | --- | --- | --- | --- |
| azure_sentinel | Azure Sentinel | technique_scores | T1083 | File and Directory Discovery | The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which includes modules for finding files of interest on hosts and network shares, but does not address other procedures. |
| docker_host_hardening | Docker Host Hardening | technique_scores | T1083 | File and Directory Discovery | This control may provide recommendations to ensure sensitive host system directories are not mounted in the container. |