title: File and Directory Discovery (T1083)
id: df00tech-t1083
status: experimental
description: "Adversaries may enumerate files and directories or search specific filesystem locations to gather information about a host or network share. This discovery technique helps adversaries identify sensitive files, understand the environment, and shape follow-on behavior such as targeted exfiltration or lateral movement. Common tools include dir, tree, ls, find, locate, and forfiles. Adversaries may also search for credential files, configuration files, or documents with specific extensions using recursive enumeration patterns."
references:
  - https://attack.mitre.org/techniques/T1083/
  - https://df00tech.com/detections/T1083
author: df00tech
date: 2026/04/13
tags:
  - attack.t1083
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# The description also names ls, find and locate; covering those requires a separate
# rule with product: linux, which this rule does not provide.
logsource:
  category: process_creation
  product: windows
detection:
  # The canonical KQL/SPL query lives on df00tech and could not be auto-translated.
  # The auto-generated stub (EventID: '*') matched every process_creation event; the
  # selections below are derived from the enumeration tools named in the description
  # (recursive dir, tree, forfiles) and should be tuned before deployment.
  selection_cmd:
    Image|endswith: '\cmd.exe'
    CommandLine|contains|all:
      - 'dir '
      - '/s'
  selection_tools:
    Image|endswith:
      - '\tree.com'
      - '\forfiles.exe'
  condition: 1 of selection_*
falsepositives:
  - "Backup and archival software (Veeam, Backup Exec, Robocopy scripts) performing scheduled recursive scans"
  - "IT asset inventory tools (SCCM hardware inventory, Lansweeper, PDQ Inventory) enumerating file systems"
  - "Security scanners (Nessus, Qualys, Tenable) and EDR agents performing file integrity monitoring sweeps"
  - "Developer IDE indexers (Visual Studio Code, JetBrains) scanning project directories on first open"
  - "File synchronization clients (OneDrive, Dropbox, SharePoint sync) performing reconciliation passes"
level: medium
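
The following is an added example, not df00tech's code and not part of the rule above: a minimal evaluator for the Sigma string modifiers this rule relies on (`endswith`, `contains`, `contains|all`, case-insensitive as in Sigma), run over a handful of constructed Windows process_creation events. It shows why a wildcard-only stub such as `EventID: '*'` fires on every record, while a selection built from the enumeration tools named in the description fires only on the recursive `dir`, `tree` and `forfiles` executions. The events are made up for illustration; the matcher is a deliberately small reimplementation, not pySigma.

```python
"""Evaluate T1083 Sigma-style selections against constructed process_creation events."""

from typing import Any, Dict, List

# Constructed sample events in the shape of Sysmon Event ID 1 / process_creation
# telemetry. These are made-up records, not captured logs.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"id": 1, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir /s /b C:\Users\*.kdbx > C:\Temp\out.txt"},
    {"id": 2, "EventID": 1, "Image": r"C:\Windows\System32\tree.com",
     "CommandLine": r"tree C:\Users\alice\Documents /f"},
    {"id": 3, "EventID": 1, "Image": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r'forfiles /p C:\ /s /m *.config /c "cmd /c echo @path"'},
    {"id": 4, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Temp"},  # non-recursive dir: should not match
    {"id": 5, "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe notes.txt"},
]

# The auto-generated stub: a wildcard-only value matches any event that has the field.
PLACEHOLDER_SELECTION: Dict[str, Any] = {"EventID": "*"}

# Selections mirroring the rule body: recursive dir via cmd.exe, plus tree/forfiles.
SELECTION_CMD: Dict[str, Any] = {
    "Image|endswith": r"\cmd.exe",
    "CommandLine|contains|all": ["dir ", "/s"],
}
SELECTION_TOOLS: Dict[str, Any] = {
    "Image|endswith": [r"\tree.com", r"\forfiles.exe"],
}


def _field_matches(value: str, modifiers: List[str], patterns: List[str]) -> bool:
    """Apply Sigma string modifiers. Matching is case-insensitive, as in Sigma.

    A list value is OR-ed across patterns unless the 'all' modifier is present.
    """
    v = value.lower()
    pats = [p.lower() for p in patterns]
    if "endswith" in modifiers:
        tests = [v.endswith(p) for p in pats]
    elif "startswith" in modifiers:
        tests = [v.startswith(p) for p in pats]
    elif "contains" in modifiers:
        tests = [p in v for p in pats]
    else:
        tests = [v == p for p in pats]
    return all(tests) if "all" in modifiers else any(tests)


def selection_matches(selection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """A Sigma selection map is an AND over its keys ('Field|mod1|mod2': value(s))."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if field not in event:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if patterns == ["*"]:
            # Wildcard-only value: satisfied by the field merely being present.
            # (Only this bare-'*' case is handled; general globbing is not.)
            continue
        if not _field_matches(str(event[field]), modifiers, [str(p) for p in patterns]):
            return False
    return True


def matched_ids(events: List[Dict[str, Any]], selections: List[Dict[str, Any]]) -> List[int]:
    """Return ids of events hit by any selection (Sigma condition '1 of selection_*')."""
    return [e["id"] for e in events if any(selection_matches(s, e) for s in selections)]


def rule_matches(event: Dict[str, Any]) -> bool:
    """Evaluate the rule body: 1 of selection_cmd, selection_tools."""
    return selection_matches(SELECTION_CMD, event) or selection_matches(SELECTION_TOOLS, event)


if __name__ == "__main__":
    print("stub fires on:", matched_ids(SAMPLE_EVENTS, [PLACEHOLDER_SELECTION]))
    print("rule fires on:", matched_ids(SAMPLE_EVENTS, [SELECTION_CMD, SELECTION_TOOLS]))
```

Event 4 (a plain `dir C:\Temp`) is the control: it shares the image with event 1 but lacks the recursion switch, so the `contains|all` clause rejects it. The sources listed under falsepositives above (backup jobs, inventory agents, IDE indexers) are where further tuning belongs, typically as an additional `filter_*` selection on ParentImage or User that the condition subtracts.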
