T1083 Microsoft Sentinel · KQL

Detect File and Directory Discovery in Microsoft Sentinel

Adversaries may enumerate files and directories or search specific filesystem locations to gather information about a host or network share. This discovery technique helps adversaries identify sensitive files, understand the environment, and shape follow-on behavior such as targeted exfiltration or lateral movement. Common tools include dir, tree, ls, find, locate, and forfiles. Adversaries may also search for credential files, configuration files, or documents with specific extensions using recursive enumeration patterns.

MITRE ATT&CK

Tactic
Discovery
Technique
T1083 File and Directory Discovery
Canonical reference
https://attack.mitre.org/techniques/T1083/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let RecursiveFlags = dynamic(["/s", "/S", "-Recurse", "-recurse", "-r ", "--recursive", "-R "]);
let CredentialExtensions = dynamic([".key", ".pem", ".pfx", ".p12", ".cer", ".kdbx", "id_rsa", "authorized_keys", ".ppk", "password", "passwd", "credential", "secret", ".aws", "web.config", "appsettings"]);
let SuspiciousParents = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe", "msedge.exe", "chrome.exe", "firefox.exe"]);
let SensitivePaths = dynamic(["\\Users\\", "\\AppData\\", "\\Documents\\", "\\Desktop\\", "\\temp\\", "\\tmp\\", "\\ssh\\", "\\.aws\\", "\\.config\\", "\\inetpub\\", "\\wwwroot\\"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // Windows CMD file discovery
    (FileName =~ "cmd.exe" and ProcessCommandLine has_any ("dir ", "tree ", "forfiles") and ProcessCommandLine has_any (RecursiveFlags))
    // PowerShell file discovery
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-ChildItem", "gci ", "Get-Item") and ProcessCommandLine has_any (RecursiveFlags))
    // find.exe or where.exe with broad scope
    or (FileName in~ ("find.exe", "where.exe") and ProcessCommandLine matches regex @"[A-Za-z]:\\\\")
)
| extend IsRecursive = ProcessCommandLine has_any (RecursiveFlags)
| extend IsSuspiciousParent = InitiatingProcessFileName has_any (SuspiciousParents)
| extend TargetsSensitivePath = ProcessCommandLine has_any (SensitivePaths)
| extend HuntsCredentials = ProcessCommandLine has_any (CredentialExtensions)
| extend SuspicionScore = toint(IsRecursive) + toint(IsSuspiciousParent) * 2 + toint(TargetsSensitivePath) + toint(HuntsCredentials) * 2
| where SuspicionScore >= 2
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsRecursive, IsSuspiciousParent, TargetsSensitivePath, HuntsCredentials, SuspicionScore
| sort by SuspicionScore desc, Timestamp desc
medium severity medium confidence

Detects suspicious file and directory discovery activity using Microsoft Defender for Endpoint DeviceProcessEvents. Monitors cmd.exe, PowerShell, and native find utilities executing recursive enumeration commands. Assigns a suspicion score based on recursive flags, suspicious parent processes (Office apps, browsers, script hosts), sensitive path targeting, and credential-related file searches. Alerts fire at score >= 2 to reduce noise while catching meaningful enumeration patterns.

Data Sources

Process: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Backup and archival software (Veeam, Backup Exec, Robocopy scripts) performing scheduled recursive scans
  • IT asset inventory tools (SCCM hardware inventory, Lansweeper, PDQ Inventory) enumerating file systems
  • Security scanners (Nessus, Qualys, Tenable) and EDR agents performing file integrity monitoring sweeps
  • Developer IDE indexers (Visual Studio Code, JetBrains) scanning project directories on first open
  • File synchronization clients (OneDrive, Dropbox, SharePoint sync) performing reconciliation passes
Download portable Sigma rule (.yml)

Other platforms for T1083

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Recursive Directory Listing via CMD

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'dir /s /b C:\Users'. Security Event ID 4688 (if command line auditing enabled). Sysmon Event ID 11: File Create for %TEMP%\df00tech-dir-test.txt. Parent process will be the shell or test runner invoking the command.

  2. Test 2Credential File Search via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ChildItem', '-Recurse', '-Force', and credential extensions (.key, .pem, .pfx, id_rsa, .kdbx). Sysmon Event ID 11: File Create for the output file. PowerShell ScriptBlock Log Event ID 4104 with full script.

  3. Test 3File Search via Windows where.exe for Executable Targets

    Expected signal: Sysmon Event ID 1: Process Create with Image=where.exe, CommandLine containing '/r C:\Program Files *.exe'. Security Event ID 4688 with same details if command line auditing is enabled. Sysmon Event ID 11 for the output file creation.

  4. Test 4Tree Command for Full Filesystem Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'tree /f /a C:\Users'. Security Event ID 4688 if command line auditing is enabled. Sysmon Event ID 11 for the output file creation in TEMP.

  5. Test 5Linux Credential File Discovery via find

    Expected signal: Linux auditd EXECVE records showing find command with -name patterns for credential files. Syslog entries if process accounting is enabled. On systems with Sysmon for Linux: Event ID 1 (Process Create) with CommandLine showing find with credential extension patterns.

Last updated: 2026-04-13 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1083 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1005Data from Local SystemT1074.001Local Data StagingT1552.001Credentials In FilesT1033System Owner/User DiscoveryT1057Process DiscoveryT1082System Information DiscoveryT1560.001Archive via UtilityT1041Exfiltration Over C2 ChannelT1059.001PowerShell

Same Tactic: Discovery

Popular Detections