Which SIEM platforms have a T1083 detection rule?

df00tech provides T1083 (File and Directory Discovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect File and Directory Discovery (T1083)?

Detecting File and Directory Discovery requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1083 detection?

The T1083 detection is rated medium severity with medium confidence.

What are common false positives for T1083?

Common false positives for T1083 include: Backup and archival software (Veeam, Backup Exec, Robocopy scripts) performing scheduled recursive scans; IT asset inventory tools (SCCM hardware inventory, Lansweeper, PDQ Inventory) enumerating file systems; Security scanners (Nessus, Qualys, Tenable) and EDR agents performing file integrity monitoring sweeps.

T1083

File and Directory Discovery

Discovery Last updated: April 13, 2026

Adversaries may enumerate files and directories or search specific filesystem locations to gather information about a host or network share. This discovery technique helps adversaries identify sensitive files, understand the environment, and shape follow-on behavior such as targeted exfiltration or lateral movement. Common tools include dir, tree, ls, find, locate, and forfiles. Adversaries may also search for credential files, configuration files, or documents with specific extensions using recursive enumeration patterns.

What is T1083 File and Directory Discovery?

File and Directory Discovery (T1083) maps to the Discovery tactic — the adversary is trying to figure out your environment in MITRE ATT&CK.

This page provides production-ready detection logic for File and Directory Discovery, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated medium severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Discovery
Technique: T1083 File and Directory Discovery
Canonical reference: https://attack.mitre.org/techniques/T1083/

Microsoft Sentinel / Defender

kusto

let RecursiveFlags = dynamic(["/s", "/S", "-Recurse", "-recurse", "-r ", "--recursive", "-R "]);
let CredentialExtensions = dynamic([".key", ".pem", ".pfx", ".p12", ".cer", ".kdbx", "id_rsa", "authorized_keys", ".ppk", "password", "passwd", "credential", "secret", ".aws", "web.config", "appsettings"]);
let SuspiciousParents = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe", "msedge.exe", "chrome.exe", "firefox.exe"]);
let SensitivePaths = dynamic(["\\Users\\", "\\AppData\\", "\\Documents\\", "\\Desktop\\", "\\temp\\", "\\tmp\\", "\\ssh\\", "\\.aws\\", "\\.config\\", "\\inetpub\\", "\\wwwroot\\"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // Windows CMD file discovery
    (FileName =~ "cmd.exe" and ProcessCommandLine has_any ("dir ", "tree ", "forfiles") and ProcessCommandLine has_any (RecursiveFlags))
    // PowerShell file discovery
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-ChildItem", "gci ", "Get-Item") and ProcessCommandLine has_any (RecursiveFlags))
    // find.exe or where.exe with broad scope
    or (FileName in~ ("find.exe", "where.exe") and ProcessCommandLine matches regex @"[A-Za-z]:\\\\")
)
| extend IsRecursive = ProcessCommandLine has_any (RecursiveFlags)
| extend IsSuspiciousParent = InitiatingProcessFileName has_any (SuspiciousParents)
| extend TargetsSensitivePath = ProcessCommandLine has_any (SensitivePaths)
| extend HuntsCredentials = ProcessCommandLine has_any (CredentialExtensions)
| extend SuspicionScore = toint(IsRecursive) + toint(IsSuspiciousParent) * 2 + toint(TargetsSensitivePath) + toint(HuntsCredentials) * 2
| where SuspicionScore >= 2
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsRecursive, IsSuspiciousParent, TargetsSensitivePath, HuntsCredentials, SuspicionScore
| sort by SuspicionScore desc, Timestamp desc

Detects suspicious file and directory discovery activity using Microsoft Defender for Endpoint DeviceProcessEvents. Monitors cmd.exe, PowerShell, and native find utilities executing recursive enumeration commands. Assigns a suspicion score based on recursive flags, suspicious parent processes (Office apps, browsers, script hosts), sensitive path targeting, and credential-related file searches. Alerts fire at score >= 2 to reduce noise while catching meaningful enumeration patterns.

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Backup and archival software (Veeam, Backup Exec, Robocopy scripts) performing scheduled recursive scans
IT asset inventory tools (SCCM hardware inventory, Lansweeper, PDQ Inventory) enumerating file systems
Security scanners (Nessus, Qualys, Tenable) and EDR agents performing file integrity monitoring sweeps
Developer IDE indexers (Visual Studio Code, JetBrains) scanning project directories on first open
File synchronization clients (OneDrive, Dropbox, SharePoint sync) performing reconciliation passes

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
| eval cmdline=lower(CommandLine)
| eval parent=lower(ParentImage)
// Detect recursive file discovery patterns
| eval IsRecursive=if(match(cmdline, "(/s|/S|-recurse|-r\s|--recursive|-R\s)"), 1, 0)
// Detect credential-hunting file searches
| eval HuntsCredentials=if(match(cmdline, "(\.key|\.pem|\.pfx|\.p12|\.kdbx|id_rsa|authorized_keys|\.ppk|password|passwd|credential|secret|\.aws|web\.config|appsettings)"), 1, 0)
// Detect suspicious parent processes launching discovery
| eval IsSuspiciousParent=if(match(parent, "(winword|excel|powerpnt|outlook|mshta|wscript|cscript|regsvr32|rundll32|msiexec|msedge|chrome|firefox)"), 1, 0)
// Detect sensitive path targeting
| eval TargetsSensitivePath=if(match(cmdline, "(\\\\users\\\\|\\\\appdata\\\\|\\\\documents\\\\|\\\\desktop\\\\|\\\\temp\\\\|\\\\ssh\\\\|\.aws|\.config|inetpub|wwwroot)"), 1, 0)
// Match file discovery process names
| where (match(Image, "(cmd\.exe|powershell\.exe|pwsh\.exe|find\.exe|where\.exe)")
         AND match(cmdline, "(dir\s|tree\s|forfiles|get-childitem|\bgci\b|get-item|find\s|where\s)"))
| eval SuspicionScore=IsRecursive + (IsSuspiciousParent * 2) + TargetsSensitivePath + (HuntsCredentials * 2)
| where SuspicionScore >= 2
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsRecursive, IsSuspiciousParent, TargetsSensitivePath, HuntsCredentials, SuspicionScore
| sort - SuspicionScore, - _time

Detects file and directory discovery activity using Sysmon Event ID 1 (Process Creation) logs. Evaluates command lines for recursive directory enumeration, credential file targeting, sensitive path access, and suspicious parent processes. Assigns a weighted suspicion score, triggering on scores >= 2. Suspicious parent processes (Office, browsers, script hosts) carry double weight as they strongly indicate post-exploitation activity.

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Backup and archival software performing scheduled recursive filesystem scans
IT asset inventory tools enumerating installed files and directories
Security scanners and EDR agents conducting file integrity monitoring
Developer tools indexing project workspaces on startup
File synchronization clients performing reconciliation scans

Elastic Security (EQL)

eql

sequence by host.id, process.entity_id with maxspan=5s
  [process where event.type == "start" and
    (
      (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe") and
       process.args : ("dir", "tree", "forfiles", "Get-ChildItem", "gci", "Get-Item") and
       process.args : ("/s", "/S", "-Recurse", "-recurse", "-r", "--recursive", "-R"))
      or
      (process.name : ("find.exe", "where.exe") and
       process.command_line : ("?:\\*", "*[A-Z]:\\\\*"))
    ) and
    (
      process.command_line : ("*.key", "*.pem", "*.pfx", "*.p12", "*.kdbx", "*id_rsa*", "*authorized_keys*", "*.ppk", "*password*", "*passwd*", "*credential*", "*secret*", "*.aws*", "*web.config*", "*appsettings*") or
      process.command_line : ("*\\Users\\*", "*\\AppData\\*", "*\\Documents\\*", "*\\Desktop\\*", "*\\temp\\*", "*\\ssh\\*", "*\.aws\\*", "*inetpub*", "*wwwroot*")
    )
  ]
| eval IsRecursive = process.args : ("/s", "/S", "-Recurse", "-recurse", "-r", "--recursive", "-R")
| eval HuntsCredentials = process.command_line : ("*.key", "*.pem", "*.pfx", "*.p12", "*.kdbx", "*id_rsa*", "*authorized_keys*", "*.ppk", "*password*", "*passwd*", "*credential*", "*secret*")
| eval IsSuspiciousParent = process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe", "msedge.exe", "chrome.exe", "firefox.exe")
| eval TargetsSensitivePath = process.command_line : ("*\\Users\\*", "*\\AppData\\*", "*\\Documents\\*", "*\\Desktop\\*", "*\\temp\\*", "*\\ssh\\*", "*inetpub*", "*wwwroot*")
| eval SuspicionScore = (IsRecursive ? 1 : 0) + (IsSuspiciousParent ? 2 : 0) + (TargetsSensitivePath ? 1 : 0) + (HuntsCredentials ? 2 : 0)
| where SuspicionScore >= 2

Detects recursive file and directory enumeration consistent with T1083, focusing on Windows CMD, PowerShell, find.exe, and where.exe processes performing recursive discovery against sensitive paths or credential-related file extensions. Scores events by suspicion weight — recursive flag, suspicious parent, sensitive path, credential hunting.

medium severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

IT administrators running scheduled inventory or compliance scripts that recursively enumerate file systems
Backup agents (e.g., Veeam, Acronis) that traverse directory trees as part of backup preparation
Software deployment tools (SCCM, Ansible) scanning for config files or installed software inventory

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  CASE
    WHEN LOWER("Command") MATCHES '(/s|/S|-recurse|-r\s|--recursive|-R\s)' THEN 1
    ELSE 0
  END AS IsRecursive,
  CASE
    WHEN LOWER("Parent Process Name") MATCHES '(winword|excel|powerpnt|outlook|mshta|wscript|cscript|regsvr32|rundll32|msiexec|msedge|chrome|firefox)' THEN 2
    ELSE 0
  END AS IsSuspiciousParentScore,
  CASE
    WHEN LOWER("Command") MATCHES '(\\\\users\\\\|\\\\appdata\\\\|\\\\documents\\\\|\\\\desktop\\\\|\\\\temp\\\\|\\\\ssh\\\\|\.aws|\.config|inetpub|wwwroot)' THEN 1
    ELSE 0
  END AS TargetsSensitivePath,
  CASE
    WHEN LOWER("Command") MATCHES '(\.key|\.pem|\.pfx|\.p12|\.kdbx|id_rsa|authorized_keys|\.ppk|password|passwd|credential|secret|\.aws|web\.config|appsettings)' THEN 2
    ELSE 0
  END AS HuntsCredentialsScore
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    (QIDNAME(qid) = 'Process Create' OR eventid IN (4688, 1))
  )
  AND LOWER("Process Name") MATCHES '(cmd\.exe|powershell\.exe|pwsh\.exe|find\.exe|where\.exe)'
  AND LOWER("Command") MATCHES '(dir\s|tree\s|forfiles|get-childitem|\bgci\b|get-item|find\s|where\s)'
  AND (
    LOWER("Command") MATCHES '(/s|/S|-recurse|-r\s|--recursive|-R\s)'
    OR LOWER("Command") MATCHES '(\.key|\.pem|\.pfx|\.p12|\.kdbx|id_rsa|authorized_keys|password|passwd|credential|secret)'
    OR LOWER("Parent Process Name") MATCHES '(winword|excel|powerpnt|outlook|mshta|wscript|cscript|regsvr32|rundll32|msiexec)'
  )
HAVING (IsRecursive + IsSuspiciousParentScore + TargetsSensitivePath + HuntsCredentialsScore) >= 2
ORDER BY event_time DESC
LAST 24 HOURS

QRadar AQL query detecting T1083 file and directory discovery via Windows process events (Security EventID 4688 or Sysmon EventID 1). Evaluates recursive flags, suspicious parent processes, sensitive path targeting, and credential file hunting using a weighted suspicion score. Requires Windows Security or Sysmon log source configured in QRadar.

medium severity medium confidence

Data Sources

QRadar Windows Security Event Log DSM QRadar Sysmon DSM Microsoft Windows Security Event Log

Required Tables

events

False Positives

Enterprise antivirus or EDR solutions performing scheduled filesystem scans that trigger dir or find with recursive flags
Developer toolchains (npm, pip, gradle) that invoke cmd.exe or PowerShell to recursively search for config or lock files
Help desk remote tools (TeamViewer, RMM agents) that spawn PowerShell Get-ChildItem for system inventory or diagnostics

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| where EventID in ("1", "4688")
| parse field=CommandLine "*" as cmdline nodrop
| parse field=ParentImage "*" as parent_image nodrop
| parse field=Image "*" as proc_image nodrop
// Normalize fields
| eval cmdline = toLowerCase(cmdline)
| eval parent_image = toLowerCase(parent_image)
| eval proc_image = toLowerCase(proc_image)
// Filter to file discovery processes
| where proc_image matches /(?:cmd\.exe|powershell\.exe|pwsh\.exe|find\.exe|where\.exe)/
| where cmdline matches /(?:dir\s|tree\s|forfiles|get-childitem|\bgci\b|get-item|find\s)/
// Score recursive flags
| eval IsRecursive = if(cmdline matches /(?:\/s|\/S|-recurse|-r\s|--recursive|-R\s)/, 1, 0)
// Score credential hunting
| eval HuntsCredentials = if(cmdline matches /(?:\.key|\.pem|\.pfx|\.p12|\.kdbx|id_rsa|authorized_keys|\.ppk|password|passwd|credential|secret|\.aws|web\.config|appsettings)/, 2, 0)
// Score suspicious parent processes
| eval IsSuspiciousParent = if(parent_image matches /(?:winword|excel|powerpnt|outlook|mshta|wscript|cscript|regsvr32|rundll32|msiexec|msedge|chrome|firefox)/, 2, 0)
// Score sensitive path targeting
| eval TargetsSensitivePath = if(cmdline matches /(?:\\users\\|\\appdata\\|\\documents\\|\\desktop\\|\\temp\\|\\ssh\\|\.aws|\.config|inetpub|wwwroot)/, 1, 0)
// Compute total score
| eval SuspicionScore = IsRecursive + HuntsCredentials + IsSuspiciousParent + TargetsSensitivePath
| where SuspicionScore >= 2
| fields _messageTime, Computer, User, proc_image, cmdline, parent_image, IsRecursive, HuntsCredentials, IsSuspiciousParent, TargetsSensitivePath, SuspicionScore
| sort by SuspicionScore desc, _messageTime desc

Sumo Logic query detecting T1083 file and directory discovery using Sysmon Event ID 1 or Windows Security Event ID 4688. Applies a weighted suspicion scoring model across recursive enumeration patterns, credential file hunting, sensitive path targeting, and suspicious parent process spawning. Alerts when combined score reaches threshold of 2 or more.

medium severity high confidence

Data Sources

Sumo Logic Sysmon Source Sumo Logic Windows Security Event Log Source

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Automated patch management platforms (e.g., ManageEngine, Ivanti) running PowerShell Get-ChildItem to audit installed software or config state
Security scanning tools like Tenable Nessus or Qualys agents that enumerate directories as part of credentialed scans
User-initiated file searches via Windows Explorer or third-party tools (Everything, Agent Ransack) that internally invoke dir or find

Google Chronicle / SecOps

yaral

rule t1083_file_directory_discovery {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1083 File and Directory Discovery via recursive enumeration using Windows CMD, PowerShell, find.exe, or where.exe targeting sensitive paths or credential files"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1083"
    severity = "MEDIUM"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|find\.exe|where\.exe)$/
    (
      $e.principal.process.command_line = /(?i)(dir\s|tree\s|forfiles|get-childitem|\bgci\b|get-item)/
      or $e.principal.process.command_line = /(?i)(find\s|where\s)/
    )
    (
      // Recursive flag present
      $e.principal.process.command_line = /(?i)(\/s\b|\/S\b|-[Rr]ecurse|-r\s|--recursive|-R\s)/
      or
      // Credential file targeting
      $e.principal.process.command_line = /(?i)(\.key|\.pem|\.pfx|\.p12|\.kdbx|id_rsa|authorized_keys|\.ppk|password|passwd|credential|secret|\.aws|web\.config|appsettings)/
      or
      // Suspicious parent
      $e.principal.process.parent_process.file.full_path = /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mshta\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe|msedge\.exe|chrome\.exe|firefox\.exe)$/
    )
    (
      // Also require either sensitive path OR credential hunt to reduce noise
      $e.principal.process.command_line = /(?i)(\\users\\|\\appdata\\|\\documents\\|\\desktop\\|\\temp\\|\\ssh\\|\.aws|\.config|inetpub|wwwroot)/
      or
      $e.principal.process.command_line = /(?i)(\.key|\.pem|\.pfx|\.p12|\.kdbx|id_rsa|authorized_keys|\.ppk|password|passwd|credential|secret)/
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1083 File and Directory Discovery. Matches process launch events where Windows discovery utilities (cmd.exe, PowerShell, find.exe, where.exe) are used with recursive flags against sensitive file system paths or credential-related file extensions. Optionally correlates suspicious parent processes such as Office applications or script interpreters as a high-confidence escalation signal.

medium severity high confidence

Data Sources

Google Chronicle UDM — Windows Endpoint telemetry Chronicle Forwarder with Sysmon or MDE integration

Required Tables

process_launch UDM events

False Positives

Enterprise deployment orchestration tools (Puppet, Chef, SaltStack) executing PowerShell Get-ChildItem to verify file state during runs
IT operations runbooks that search for log files, temp files, or config artifacts using dir /s during routine maintenance windows
Developers using terminal emulators or IDEs that spawn cmd.exe or PowerShell with recursive find operations during build or test cycles

CrowdStrike LogScale (CQL)

cql

// T1083 - File and Directory Discovery — CrowdStrike LogScale (Falcon telemetry)
#event_simpleName = ProcessRollup2
| ImageFileName = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|find\.exe|where\.exe)$/
| CommandLine = /(?i)(dir\s|tree\s|forfiles|get-childitem|\bgci\b|get-item|find\s|where\s)/
// Evaluate recursive flag
| IsRecursive := if(CommandLine = /(?i)(\/s\b|\/S\b|-recurse|-r\s|--recursive|-R\s)/, 1, 0)
// Evaluate credential hunting
| HuntsCredentials := if(CommandLine = /(?i)(\.key|\.pem|\.pfx|\.p12|\.kdbx|id_rsa|authorized_keys|\.ppk|password|passwd|credential|secret|\.aws|web\.config|appsettings)/, 2, 0)
// Evaluate suspicious parent
| IsSuspiciousParent := if(ParentBaseFileName = /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mshta\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe|msedge\.exe|chrome\.exe|firefox\.exe)$/, 2, 0)
// Evaluate sensitive path
| TargetsSensitivePath := if(CommandLine = /(?i)(\\users\\|\\appdata\\|\\documents\\|\\desktop\\|\\temp\\|\\ssh\\|\.aws|\.config|inetpub|wwwroot)/, 1, 0)
// Compute suspicion score
| SuspicionScore := IsRecursive + HuntsCredentials + IsSuspiciousParent + TargetsSensitivePath
| SuspicionScore >= 2
| select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, IsRecursive, HuntsCredentials, IsSuspiciousParent, TargetsSensitivePath, SuspicionScore])
| sort(SuspicionScore, order=desc)
| sort(@timestamp, order=desc)

CrowdStrike LogScale (Falcon) query detecting T1083 File and Directory Discovery using ProcessRollup2 events. Evaluates weighted suspicion score across recursive enumeration flags, credential file targeting, sensitive path access, and suspicious parent processes. Requires CrowdStrike Falcon sensor with process telemetry enabled and forwarded to LogScale.

medium severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Sensor — ProcessRollup2 events CrowdStrike LogScale (Humio) SIEM integration

Required Tables

ProcessRollup2

False Positives

CrowdStrike Falcon sensor self-diagnostics or Real Time Response sessions initiated by SOC analysts running dir or Get-ChildItem for live triage
Corporate endpoint management agents (Tanium, BigFix) that invoke cmd.exe with recursive directory scans as part of sensor health checks
Automated CI/CD pipeline agents (Jenkins, GitHub Actions self-hosted runners) running PowerShell scripts that perform recursive project directory enumeration

Sigma rule & cross-platform mapping

The detection logic for File and Directory Discovery (T1083) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1083 Sigma rules on detection.fyi

Platform-specific guides for T1083

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-13 Research depth: deep

References (6)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Recursive Directory Listing via CMD
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'dir /s /b C:\Users'. Security Event ID 4688 (if command line auditing enabled). Sysmon Event ID 11: File Create for %TEMP%\df00tech-dir-test.txt. Parent process will be the shell or test runner invoking the command.
Test 2Credential File Search via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ChildItem', '-Recurse', '-Force', and credential extensions (.key, .pem, .pfx, id_rsa, .kdbx). Sysmon Event ID 11: File Create for the output file. PowerShell ScriptBlock Log Event ID 4104 with full script.
Test 3File Search via Windows where.exe for Executable Targets
Expected signal: Sysmon Event ID 1: Process Create with Image=where.exe, CommandLine containing '/r C:\Program Files *.exe'. Security Event ID 4688 with same details if command line auditing is enabled. Sysmon Event ID 11 for the output file creation.
Test 4Tree Command for Full Filesystem Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'tree /f /a C:\Users'. Security Event ID 4688 if command line auditing is enabled. Sysmon Event ID 11 for the output file creation in TEMP.
Test 5Linux Credential File Discovery via find
Expected signal: Linux auditd EXECVE records showing find command with -name patterns for credential files. Syslog entries if process accounting is enabled. On systems with Sysmon for Linux: Event ID 1 (Process Create) with CommandLine showing find with credential extension patterns.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1083 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

File and Directory Discovery

What is T1083 File and Directory Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1083

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

What is T1083 File and Directory Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1083

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox