File and Directory Discovery - Linux

calendar Dec 1, 2024 · attack.discovery attack.t1083  ·
Share on: linkedin copy

Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares.

Sigma rule (View on GitHub)

 1title: File and Directory Discovery - Linux
 2id: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72
 3status: test
 4description: |
 5        Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares.
 6references:
 7    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
 8author: Daniil Yugoslavskiy, oscd.community, CheraghiMilad
 9date: 2020-10-19
10modified: 2024-12-01
11tags:
12    - attack.discovery
13    - attack.t1083
14logsource:
15    category: process_creation
16    product: linux
17detection:
18    selection_file_with_asterisk:
19        Image|endswith: '/file'
20        CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
21    selection_recursive_ls:
22        Image|endswith: '/ls'
23        CommandLine|contains: '-R'
24    selection_find_execution:
25        Image|endswith: '/find'
26    selection_tree_execution:
27        Image|endswith: '/tree'
28    selection_findmnt_execution:
29        Image|endswith: '/findmnt'
30    selection_locate_execution:
31        Image|endswith: '/mlocate'
32    condition: 1 of selection_*
33falsepositives:
34    - Legitimate activities
35level: informational

References

Related rules

to-top