T1083

File and Directory Discovery

Adversaries may enumerate files and directories or search specific filesystem locations to gather information about a host or network share. This discovery technique helps adversaries identify sensitive files, understand the environment, and shape follow-on behavior such as targeted exfiltration or lateral movement. Common tools include dir, tree, ls, find, locate, and forfiles. Adversaries may also search for credential files, configuration files, or documents with specific extensions using recursive enumeration patterns.

Microsoft Sentinel / Defender

kusto

let RecursiveFlags = dynamic(["/s", "/S", "-Recurse", "-recurse", "-r ", "--recursive", "-R "]);
let CredentialExtensions = dynamic([".key", ".pem", ".pfx", ".p12", ".cer", ".kdbx", "id_rsa", "authorized_keys", ".ppk", "password", "passwd", "credential", "secret", ".aws", "web.config", "appsettings"]);
let SuspiciousParents = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe", "msedge.exe", "chrome.exe", "firefox.exe"]);
let SensitivePaths = dynamic(["\\Users\\", "\\AppData\\", "\\Documents\\", "\\Desktop\\", "\\temp\\", "\\tmp\\", "\\ssh\\", "\\.aws\\", "\\.config\\", "\\inetpub\\", "\\wwwroot\\"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // Windows CMD file discovery
    (FileName =~ "cmd.exe" and ProcessCommandLine has_any ("dir ", "tree ", "forfiles") and ProcessCommandLine has_any (RecursiveFlags))
    // PowerShell file discovery
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-ChildItem", "gci ", "Get-Item") and ProcessCommandLine has_any (RecursiveFlags))
    // find.exe or where.exe with broad scope
    or (FileName in~ ("find.exe", "where.exe") and ProcessCommandLine matches regex @"[A-Za-z]:\\\\")
)
| extend IsRecursive = ProcessCommandLine has_any (RecursiveFlags)
| extend IsSuspiciousParent = InitiatingProcessFileName has_any (SuspiciousParents)
| extend TargetsSensitivePath = ProcessCommandLine has_any (SensitivePaths)
| extend HuntsCredentials = ProcessCommandLine has_any (CredentialExtensions)
| extend SuspicionScore = toint(IsRecursive) + toint(IsSuspiciousParent) * 2 + toint(TargetsSensitivePath) + toint(HuntsCredentials) * 2
| where SuspicionScore >= 2
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsRecursive, IsSuspiciousParent, TargetsSensitivePath, HuntsCredentials, SuspicionScore
| sort by SuspicionScore desc, Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Backup and archival software (Veeam, Backup Exec, Robocopy scripts) performing scheduled recursive scans
IT asset inventory tools (SCCM hardware inventory, Lansweeper, PDQ Inventory) enumerating file systems
Security scanners (Nessus, Qualys, Tenable) and EDR agents performing file integrity monitoring sweeps
Developer IDE indexers (Visual Studio Code, JetBrains) scanning project directories on first open
File synchronization clients (OneDrive, Dropbox, SharePoint sync) performing reconciliation passes

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
| eval cmdline=lower(CommandLine)
| eval parent=lower(ParentImage)
// Detect recursive file discovery patterns
| eval IsRecursive=if(match(cmdline, "(/s|/S|-recurse|-r\s|--recursive|-R\s)"), 1, 0)
// Detect credential-hunting file searches
| eval HuntsCredentials=if(match(cmdline, "(\.key|\.pem|\.pfx|\.p12|\.kdbx|id_rsa|authorized_keys|\.ppk|password|passwd|credential|secret|\.aws|web\.config|appsettings)"), 1, 0)
// Detect suspicious parent processes launching discovery
| eval IsSuspiciousParent=if(match(parent, "(winword|excel|powerpnt|outlook|mshta|wscript|cscript|regsvr32|rundll32|msiexec|msedge|chrome|firefox)"), 1, 0)
// Detect sensitive path targeting
| eval TargetsSensitivePath=if(match(cmdline, "(\\\\users\\\\|\\\\appdata\\\\|\\\\documents\\\\|\\\\desktop\\\\|\\\\temp\\\\|\\\\ssh\\\\|\.aws|\.config|inetpub|wwwroot)"), 1, 0)
// Match file discovery process names
| where (match(Image, "(cmd\.exe|powershell\.exe|pwsh\.exe|find\.exe|where\.exe)")
         AND match(cmdline, "(dir\s|tree\s|forfiles|get-childitem|\bgci\b|get-item|find\s|where\s)"))
| eval SuspicionScore=IsRecursive + (IsSuspiciousParent * 2) + TargetsSensitivePath + (HuntsCredentials * 2)
| where SuspicionScore >= 2
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsRecursive, IsSuspiciousParent, TargetsSensitivePath, HuntsCredentials, SuspicionScore
| sort - SuspicionScore, - _time

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Backup and archival software performing scheduled recursive filesystem scans
IT asset inventory tools enumerating installed files and directories
Security scanners and EDR agents conducting file integrity monitoring
Developer tools indexing project workspaces on startup
File synchronization clients performing reconciliation scans

Elastic Security (EQL)

eql

sequence by host.id, process.entity_id with maxspan=5s
  [process where event.type == "start" and
    (
      (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe") and
       process.args : ("dir", "tree", "forfiles", "Get-ChildItem", "gci", "Get-Item") and
       process.args : ("/s", "/S", "-Recurse", "-recurse", "-r", "--recursive", "-R"))
      or
      (process.name : ("find.exe", "where.exe") and
       process.command_line : ("?:\\*", "*[A-Z]:\\\\*"))
    ) and
    (
      process.command_line : ("*.key", "*.pem", "*.pfx", "*.p12", "*.kdbx", "*id_rsa*", "*authorized_keys*", "*.ppk", "*password*", "*passwd*", "*credential*", "*secret*", "*.aws*", "*web.config*", "*appsettings*") or
      process.command_line : ("*\\Users\\*", "*\\AppData\\*", "*\\Documents\\*", "*\\Desktop\\*", "*\\temp\\*", "*\\ssh\\*", "*\.aws\\*", "*inetpub*", "*wwwroot*")
    )
  ]
| eval IsRecursive = process.args : ("/s", "/S", "-Recurse", "-recurse", "-r", "--recursive", "-R")
| eval HuntsCredentials = process.command_line : ("*.key", "*.pem", "*.pfx", "*.p12", "*.kdbx", "*id_rsa*", "*authorized_keys*", "*.ppk", "*password*", "*passwd*", "*credential*", "*secret*")
| eval IsSuspiciousParent = process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe", "msedge.exe", "chrome.exe", "firefox.exe")
| eval TargetsSensitivePath = process.command_line : ("*\\Users\\*", "*\\AppData\\*", "*\\Documents\\*", "*\\Desktop\\*", "*\\temp\\*", "*\\ssh\\*", "*inetpub*", "*wwwroot*")
| eval SuspicionScore = (IsRecursive ? 1 : 0) + (IsSuspiciousParent ? 2 : 0) + (TargetsSensitivePath ? 1 : 0) + (HuntsCredentials ? 2 : 0)
| where SuspicionScore >= 2

medium severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

IT administrators running scheduled inventory or compliance scripts that recursively enumerate file systems
Backup agents (e.g., Veeam, Acronis) that traverse directory trees as part of backup preparation
Software deployment tools (SCCM, Ansible) scanning for config files or installed software inventory

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  CASE
    WHEN LOWER("Command") MATCHES '(/s|/S|-recurse|-r\s|--recursive|-R\s)' THEN 1
    ELSE 0
  END AS IsRecursive,
  CASE
    WHEN LOWER("Parent Process Name") MATCHES '(winword|excel|powerpnt|outlook|mshta|wscript|cscript|regsvr32|rundll32|msiexec|msedge|chrome|firefox)' THEN 2
    ELSE 0
  END AS IsSuspiciousParentScore,
  CASE
    WHEN LOWER("Command") MATCHES '(\\\\users\\\\|\\\\appdata\\\\|\\\\documents\\\\|\\\\desktop\\\\|\\\\temp\\\\|\\\\ssh\\\\|\.aws|\.config|inetpub|wwwroot)' THEN 1
    ELSE 0
  END AS TargetsSensitivePath,
  CASE
    WHEN LOWER("Command") MATCHES '(\.key|\.pem|\.pfx|\.p12|\.kdbx|id_rsa|authorized_keys|\.ppk|password|passwd|credential|secret|\.aws|web\.config|appsettings)' THEN 2
    ELSE 0
  END AS HuntsCredentialsScore
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    (QIDNAME(qid) = 'Process Create' OR eventid IN (4688, 1))
  )
  AND LOWER("Process Name") MATCHES '(cmd\.exe|powershell\.exe|pwsh\.exe|find\.exe|where\.exe)'
  AND LOWER("Command") MATCHES '(dir\s|tree\s|forfiles|get-childitem|\bgci\b|get-item|find\s|where\s)'
  AND (
    LOWER("Command") MATCHES '(/s|/S|-recurse|-r\s|--recursive|-R\s)'
    OR LOWER("Command") MATCHES '(\.key|\.pem|\.pfx|\.p12|\.kdbx|id_rsa|authorized_keys|password|passwd|credential|secret)'
    OR LOWER("Parent Process Name") MATCHES '(winword|excel|powerpnt|outlook|mshta|wscript|cscript|regsvr32|rundll32|msiexec)'
  )
HAVING (IsRecursive + IsSuspiciousParentScore + TargetsSensitivePath + HuntsCredentialsScore) >= 2
ORDER BY event_time DESC
LAST 24 HOURS

medium severity medium confidence

Data Sources

QRadar Windows Security Event Log DSM QRadar Sysmon DSM Microsoft Windows Security Event Log

Required Tables

events

False Positives

Enterprise antivirus or EDR solutions performing scheduled filesystem scans that trigger dir or find with recursive flags
Developer toolchains (npm, pip, gradle) that invoke cmd.exe or PowerShell to recursively search for config or lock files
Help desk remote tools (TeamViewer, RMM agents) that spawn PowerShell Get-ChildItem for system inventory or diagnostics

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| where EventID in ("1", "4688")
| parse field=CommandLine "*" as cmdline nodrop
| parse field=ParentImage "*" as parent_image nodrop
| parse field=Image "*" as proc_image nodrop
// Normalize fields
| eval cmdline = toLowerCase(cmdline)
| eval parent_image = toLowerCase(parent_image)
| eval proc_image = toLowerCase(proc_image)
// Filter to file discovery processes
| where proc_image matches /(?:cmd\.exe|powershell\.exe|pwsh\.exe|find\.exe|where\.exe)/
| where cmdline matches /(?:dir\s|tree\s|forfiles|get-childitem|\bgci\b|get-item|find\s)/
// Score recursive flags
| eval IsRecursive = if(cmdline matches /(?:\/s|\/S|-recurse|-r\s|--recursive|-R\s)/, 1, 0)
// Score credential hunting
| eval HuntsCredentials = if(cmdline matches /(?:\.key|\.pem|\.pfx|\.p12|\.kdbx|id_rsa|authorized_keys|\.ppk|password|passwd|credential|secret|\.aws|web\.config|appsettings)/, 2, 0)
// Score suspicious parent processes
| eval IsSuspiciousParent = if(parent_image matches /(?:winword|excel|powerpnt|outlook|mshta|wscript|cscript|regsvr32|rundll32|msiexec|msedge|chrome|firefox)/, 2, 0)
// Score sensitive path targeting
| eval TargetsSensitivePath = if(cmdline matches /(?:\\users\\|\\appdata\\|\\documents\\|\\desktop\\|\\temp\\|\\ssh\\|\.aws|\.config|inetpub|wwwroot)/, 1, 0)
// Compute total score
| eval SuspicionScore = IsRecursive + HuntsCredentials + IsSuspiciousParent + TargetsSensitivePath
| where SuspicionScore >= 2
| fields _messageTime, Computer, User, proc_image, cmdline, parent_image, IsRecursive, HuntsCredentials, IsSuspiciousParent, TargetsSensitivePath, SuspicionScore
| sort by SuspicionScore desc, _messageTime desc

medium severity high confidence

Data Sources

Sumo Logic Sysmon Source Sumo Logic Windows Security Event Log Source

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Automated patch management platforms (e.g., ManageEngine, Ivanti) running PowerShell Get-ChildItem to audit installed software or config state
Security scanning tools like Tenable Nessus or Qualys agents that enumerate directories as part of credentialed scans
User-initiated file searches via Windows Explorer or third-party tools (Everything, Agent Ransack) that internally invoke dir or find

Google Chronicle / SecOps

yaral

rule t1083_file_directory_discovery {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1083 File and Directory Discovery via recursive enumeration using Windows CMD, PowerShell, find.exe, or where.exe targeting sensitive paths or credential files"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1083"
    severity = "MEDIUM"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|find\.exe|where\.exe)$/
    (
      $e.principal.process.command_line = /(?i)(dir\s|tree\s|forfiles|get-childitem|\bgci\b|get-item)/
      or $e.principal.process.command_line = /(?i)(find\s|where\s)/
    )
    (
      // Recursive flag present
      $e.principal.process.command_line = /(?i)(\/s\b|\/S\b|-[Rr]ecurse|-r\s|--recursive|-R\s)/
      or
      // Credential file targeting
      $e.principal.process.command_line = /(?i)(\.key|\.pem|\.pfx|\.p12|\.kdbx|id_rsa|authorized_keys|\.ppk|password|passwd|credential|secret|\.aws|web\.config|appsettings)/
      or
      // Suspicious parent
      $e.principal.process.parent_process.file.full_path = /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mshta\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe|msedge\.exe|chrome\.exe|firefox\.exe)$/
    )
    (
      // Also require either sensitive path OR credential hunt to reduce noise
      $e.principal.process.command_line = /(?i)(\\users\\|\\appdata\\|\\documents\\|\\desktop\\|\\temp\\|\\ssh\\|\.aws|\.config|inetpub|wwwroot)/
      or
      $e.principal.process.command_line = /(?i)(\.key|\.pem|\.pfx|\.p12|\.kdbx|id_rsa|authorized_keys|\.ppk|password|passwd|credential|secret)/
    )

  condition:
    $e
}

medium severity high confidence

Data Sources

Google Chronicle UDM — Windows Endpoint telemetry Chronicle Forwarder with Sysmon or MDE integration

Required Tables

process_launch UDM events

False Positives

Enterprise deployment orchestration tools (Puppet, Chef, SaltStack) executing PowerShell Get-ChildItem to verify file state during runs
IT operations runbooks that search for log files, temp files, or config artifacts using dir /s during routine maintenance windows
Developers using terminal emulators or IDEs that spawn cmd.exe or PowerShell with recursive find operations during build or test cycles

CrowdStrike LogScale (CQL)

cql

// T1083 - File and Directory Discovery — CrowdStrike LogScale (Falcon telemetry)
#event_simpleName = ProcessRollup2
| ImageFileName = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|find\.exe|where\.exe)$/
| CommandLine = /(?i)(dir\s|tree\s|forfiles|get-childitem|\bgci\b|get-item|find\s|where\s)/
// Evaluate recursive flag
| IsRecursive := if(CommandLine = /(?i)(\/s\b|\/S\b|-recurse|-r\s|--recursive|-R\s)/, 1, 0)
// Evaluate credential hunting
| HuntsCredentials := if(CommandLine = /(?i)(\.key|\.pem|\.pfx|\.p12|\.kdbx|id_rsa|authorized_keys|\.ppk|password|passwd|credential|secret|\.aws|web\.config|appsettings)/, 2, 0)
// Evaluate suspicious parent
| IsSuspiciousParent := if(ParentBaseFileName = /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mshta\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe|msedge\.exe|chrome\.exe|firefox\.exe)$/, 2, 0)
// Evaluate sensitive path
| TargetsSensitivePath := if(CommandLine = /(?i)(\\users\\|\\appdata\\|\\documents\\|\\desktop\\|\\temp\\|\\ssh\\|\.aws|\.config|inetpub|wwwroot)/, 1, 0)
// Compute suspicion score
| SuspicionScore := IsRecursive + HuntsCredentials + IsSuspiciousParent + TargetsSensitivePath
| SuspicionScore >= 2
| select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, IsRecursive, HuntsCredentials, IsSuspiciousParent, TargetsSensitivePath, SuspicionScore])
| sort(SuspicionScore, order=desc)
| sort(@timestamp, order=desc)

medium severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Sensor — ProcessRollup2 events CrowdStrike LogScale (Humio) SIEM integration

Required Tables

ProcessRollup2

False Positives

CrowdStrike Falcon sensor self-diagnostics or Real Time Response sessions initiated by SOC analysts running dir or Get-ChildItem for live triage
Corporate endpoint management agents (Tanium, BigFix) that invoke cmd.exe with recursive directory scans as part of sensor health checks
Automated CI/CD pipeline agents (Jenkins, GitHub Actions self-hosted runners) running PowerShell scripts that perform recursive project directory enumeration

Last updated: 2026-04-13 Research depth: deep

References (7)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1083 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

File and Directory Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Discovery

Popular Detections