File And SubFolder Enumeration Via Dir Command
Detects usage of the "dir" command, part of Windows CMD, with the "/S" command-line flag in order to enumerate files in a specified directory and all of its subdirectories.
Sigma rule
title: File And SubFolder Enumeration Via Dir Command
id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006
status: test
description: |
    Detects usage of the "dir" command part of Windows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
author: frack113
date: 2021-12-13
modified: 2024-04-14
tags:
    - attack.discovery
    - attack.t1217
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: Cmd.Exe
    selection_cli:
        CommandLine|contains|windash: 'dir*-s'
    condition: all of selection_*
falsepositives:
    - Likely
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_dir_execution/info.yml
simulation:
    - type: atomic-red-team
      name: List Internet Explorer Bookmarks using the command prompt
      technique: T1217
      atomic_guid: 727dbcdb-e495-4ab1-a6c4-80c7f77aef85
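The following is an added example, not part of the rule or of the SigmaHQ project, that re-implements the detection logic above in plain Python and runs it over a handful of constructed Sysmon-style process_creation events so the matching behaviour can be inspected without a SIEM. It assumes Sigma's default case-insensitive string matching, that a list of maps under selection_cmd is OR-ed, and that the windash modifier lets "-" match "/", en dash, em dash and horizontal bar (the set pySigma currently expands to; adjust WINDASH_CLASS if your backend differs). The sample events and their command lines are made up for the example.

```python
import re

# Dash variants the Sigma "windash" modifier expands "-" to. The classic set is
# "-" and "/"; pySigma also adds en dash, em dash and horizontal bar. Assumption:
# this mirrors current pySigma behaviour; check your backend if it differs.
WINDASH_CLASS = "[-/\u2013\u2014\u2015]"


def sigma_value_to_regex(value, windash=False):
    """Compile a Sigma string value into a case-insensitive regex.

    '*' matches any run of characters, '?' a single character, everything else
    is literal. With windash=True a '-' matches any character in WINDASH_CLASS.
    """
    parts = []
    for ch in value:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        elif ch == "-" and windash:
            parts.append(WINDASH_CLASS)
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


# selection_cli: CommandLine|contains|windash: 'dir*-s' ("contains" => unanchored search)
CLI_PATTERN = sigma_value_to_regex("dir*-s", windash=True)


def selection_cmd(event):
    """selection_cmd is a list of two maps, so the two clauses are OR-ed."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    return image.lower().endswith("\\cmd.exe") or original.lower() == "cmd.exe"


def selection_cli(event):
    return CLI_PATTERN.search(event.get("CommandLine", "")) is not None


def matches_rule(event):
    """condition: all of selection_*"""
    return selection_cmd(event) and selection_cli(event)


def evaluate_rule(events):
    """Return one verdict per event, in input order."""
    return [matches_rule(e) for e in events]


# Constructed Sysmon-style process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    # Recursive listing of the Favorites folder, as the Atomic test does.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c dir /s /b C:\Users\alice\Favorites"},
    # Flag after the path and upper case: the wildcard and case-insensitivity cover it.
    {"Image": r"C:\Windows\SysWOW64\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c dir C:\Users /S"},
    # Renamed cmd.exe using an en dash: still caught via OriginalFileName and windash.
    {"Image": r"C:\Tools\renamed.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "renamed.exe /c dir \u2013s C:\\"},
    # PowerShell's "dir" alias is out of scope for this rule (selection_cmd fails).
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": 'powershell.exe -c "dir -s C:\\"'},
    # Plain listing without /S: no match.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c dir C:\Users\alice"},
    # False positive: "rmdir /s" contains "dir" followed by "/s".
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c rmdir /s /q C:\Temp\build"},
]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate_rule(SAMPLE_EVENTS)):
        print(f"{'HIT ' if hit else 'miss'}  {event['CommandLine']}")
```

Two things worth noting from the run. First, the OriginalFileName clause means renaming cmd.exe does not evade the rule, while a listing done through PowerShell's dir alias is simply a different rule (see the Get-ChildItem rule under related rules). Second, because "contains" with the 'dir*-s' wildcard is matched anywhere in the command line, "rmdir /s /q ..." and similar strings trigger it too, which is why the rule is level low and lists false positives as likely; tune with an exclusion for such command lines rather than raising the level.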
Related rules
- Suspicious File Access to Browser Credential Storage
- Automated Collection Bookmarks Using Get-ChildItem PowerShell
- Suspicious Where Execution
- Advanced IP Scanner - File Event
- Console CodePage Lookup Via CHCP