T1083 IBM QRadar · QRadar

Detect File and Directory Discovery in IBM QRadar

Adversaries may enumerate files and directories or search specific filesystem locations to gather information about a host or network share. This discovery technique helps adversaries identify sensitive files, understand the environment, and shape follow-on behavior such as targeted exfiltration or lateral movement. Common tools include dir, tree, ls, find, locate, and forfiles. Adversaries may also search for credential files, configuration files, or documents with specific extensions using recursive enumeration patterns.

MITRE ATT&CK

Tactic
Discovery
Technique
T1083 File and Directory Discovery
Canonical reference
https://attack.mitre.org/techniques/T1083/

QRadar Detection Query

IBM QRadar (QRadar)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  CASE
    WHEN LOWER("Command") MATCHES '.*(/s|-recurse|-r\s|--recursive).*' THEN 1
    ELSE 0
  END AS IsRecursive,
  CASE
    WHEN LOWER("Parent Process Name") MATCHES '.*(winword|excel|powerpnt|outlook|mshta|wscript|cscript|regsvr32|rundll32|msiexec|msedge|chrome|firefox).*' THEN 2
    ELSE 0
  END AS IsSuspiciousParentScore,
  CASE
    WHEN LOWER("Command") MATCHES '.*(\\users\\|\\appdata\\|\\documents\\|\\desktop\\|\\temp\\|\\ssh\\|\.aws|\.config|inetpub|wwwroot).*' THEN 1
    ELSE 0
  END AS TargetsSensitivePath,
  CASE
    WHEN LOWER("Command") MATCHES '.*(\.key|\.pem|\.pfx|\.p12|\.kdbx|id_rsa|authorized_keys|\.ppk|password|passwd|credential|secret|\.aws|web\.config|appsettings).*' THEN 2
    ELSE 0
  END AS HuntsCredentialsScore
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (QIDNAME(qid) = 'Process Create' OR eventid IN (4688, 1))
  AND LOWER("Process Name") MATCHES '.*(cmd\.exe|powershell\.exe|pwsh\.exe|find\.exe|where\.exe).*'
  AND LOWER("Command") MATCHES '.*(dir\s|tree\s|forfiles|get-childitem|\bgci\b|get-item|find\s|where\s).*'
  AND (
    LOWER("Command") MATCHES '.*(/s|-recurse|-r\s|--recursive).*'
    OR LOWER("Command") MATCHES '.*(\.key|\.pem|\.pfx|\.p12|\.kdbx|id_rsa|authorized_keys|password|passwd|credential|secret).*'
    OR LOWER("Parent Process Name") MATCHES '.*(winword|excel|powerpnt|outlook|mshta|wscript|cscript|regsvr32|rundll32|msiexec).*'
  )
HAVING (IsRecursive + IsSuspiciousParentScore + TargetsSensitivePath + HuntsCredentialsScore) >= 2
ORDER BY event_time DESC
LAST 24 HOURS

Severity
medium
Confidence
medium

QRadar AQL query detecting T1083 file and directory discovery via Windows process creation events (Security Event ID 4688 or Sysmon Event ID 1). It evaluates recursive flags, suspicious parent processes, sensitive path targeting, and credential file hunting, and combines them into a weighted suspicion score that must reach 2 for an event to be returned. Requires a Windows Security or Sysmon log source configured in QRadar; Security Event ID 4688 carries the command line only when process command-line auditing is enabled, so without it only Sysmon events will satisfy the "Command" conditions.
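To check the scoring logic before deploying the rule, here is an offline Python model of it (example code written for this page, not part of the detection package or of QRadar): it reproduces the CASE weights, the WHERE pre-filter and the HAVING threshold over a few constructed process-create events, so the regexes can be exercised against known benign and suspicious command lines. The event field names and sample values are assumptions.

```python
import re

# Regexes mirror the AQL CASE expressions. The query lowercases the field first,
# so every alternative is lowercase; an uppercase alternative after LOWER() is dead.
RECURSIVE = re.compile(r"(/s|-recurse|-r\s|--recursive)")
SUSPICIOUS_PARENT = re.compile(r"(winword|excel|powerpnt|outlook|mshta|wscript|cscript"
                               r"|regsvr32|rundll32|msiexec|msedge|chrome|firefox)")
SENSITIVE_PATH = re.compile(r"(\\users\\|\\appdata\\|\\documents\\|\\desktop\\|\\temp\\"
                            r"|\\ssh\\|\.aws|\.config|inetpub|wwwroot)")
CREDENTIAL_HUNT = re.compile(r"(\.key|\.pem|\.pfx|\.p12|\.kdbx|id_rsa|authorized_keys|\.ppk"
                             r"|password|passwd|credential|secret|\.aws|web\.config|appsettings)")
DISCOVERY_PROCESS = re.compile(r"(cmd\.exe|powershell\.exe|pwsh\.exe|find\.exe|where\.exe)")
DISCOVERY_COMMAND = re.compile(r"(dir\s|tree\s|forfiles|get-childitem|\bgci\b|get-item|find\s|where\s)")

def score_event(event):
    """Weighted suspicion score, or None when the WHERE pre-filter would drop the event."""
    # Simplification in this offline model (not the page's AQL): the WHERE clause uses
    # slightly shorter parent/credential lists than the CASEs; the scoring regexes are reused.
    proc = event["process_name"].lower()
    cmd = event["command"].lower()
    parent = event["parent_process"].lower()
    if not (DISCOVERY_PROCESS.search(proc) and DISCOVERY_COMMAND.search(cmd)):
        return None
    is_recursive = 1 if RECURSIVE.search(cmd) else 0
    parent_score = 2 if SUSPICIOUS_PARENT.search(parent) else 0
    sensitive_path = 1 if SENSITIVE_PATH.search(cmd) else 0
    cred_score = 2 if CREDENTIAL_HUNT.search(cmd) else 0
    if not (is_recursive or cred_score or parent_score):
        return None
    return is_recursive + parent_score + sensitive_path + cred_score

def alerts(events, threshold=2):
    """Apply the HAVING threshold; return the ids of events that would alert."""
    return [e["id"] for e in events if (score_event(e) or 0) >= threshold]

# Constructed sample process-create events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "recursive-kdbx", "process_name": r"C:\Windows\System32\cmd.exe", "parent_process": "explorer.exe",
     "command": r'cmd.exe /c dir /s /b "C:\Users\alice\Documents\*.kdbx"'},
    {"id": "build-tool", "process_name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_process": "java.exe", "command": r"powershell.exe Get-ChildItem -Path C:\build -Recurse -Filter package-lock.json"},
    {"id": "office-spawn", "process_name": r"C:\Windows\System32\cmd.exe", "parent_process": "WINWORD.EXE",
     "command": r"cmd.exe /c dir C:\Windows\System32"},
    {"id": "not-discovery", "process_name": r"C:\Windows\notepad.exe", "parent_process": "explorer.exe",
     "command": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    print({e["id"]: score_event(e) for e in SAMPLE_EVENTS}, alerts(SAMPLE_EVENTS))
```

The developer-toolchain event scores 1 and stays below the threshold, which is the tuning behaviour the False Positives section relies on.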

Data Sources

  • QRadar Windows Security Event Log DSM
  • QRadar Sysmon DSM
  • Microsoft Windows Security Event Log

Required Tables

events

False Positives & Tuning

  • Enterprise antivirus or EDR solutions performing scheduled filesystem scans that trigger dir or find with recursive flags
  • Developer toolchains (npm, pip, gradle) that invoke cmd.exe or PowerShell to recursively search for config or lock files
  • Help desk remote tools (TeamViewer, RMM agents) that spawn PowerShell Get-ChildItem for system inventory or diagnostics

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Recursive Directory Listing via CMD

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'dir /s /b C:\Users'. Security Event ID 4688 (if command line auditing enabled). Sysmon Event ID 11: File Create for %TEMP%\df00tech-dir-test.txt. Parent process will be the shell or test runner invoking the command.

  2. Test 2: Credential File Search via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ChildItem', '-Recurse', '-Force', and credential extensions (.key, .pem, .pfx, id_rsa, .kdbx). Sysmon Event ID 11: File Create for the output file. PowerShell ScriptBlock Log Event ID 4104 with full script.

  3. Test 3: File Search via Windows where.exe for Executable Targets

    Expected signal: Sysmon Event ID 1: Process Create with Image=where.exe, CommandLine containing '/r C:\Program Files *.exe'. Security Event ID 4688 with same details if command line auditing is enabled. Sysmon Event ID 11 for the output file creation.

  4. Test 4: Tree Command for Full Filesystem Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'tree /f /a C:\Users'. Security Event ID 4688 if command line auditing is enabled. Sysmon Event ID 11 for the output file creation in TEMP.

  5. Test 5: Linux Credential File Discovery via find

    Expected signal: Linux auditd EXECVE records showing find command with -name patterns for credential files. Syslog entries if process accounting is enabled. On systems with Sysmon for Linux: Event ID 1 (Process Create) with CommandLine showing find with credential extension patterns.
