File And SubFolder Enumeration Via Dir Command
Detects usage of the "dir" command, part of Windows CMD, with the "/S" command-line flag to enumerate files in a specified directory and all subdirectories.
Sigma rule
```yaml
title: File And SubFolder Enumeration Via Dir Command
id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006
status: test
description: |
    Detects usage of the "dir" command part of Windows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
author: frack113
date: 2021-12-13
modified: 2024-04-14
tags:
    - attack.discovery
    - attack.t1217
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: Cmd.Exe
    selection_cli:
        CommandLine|contains|windash: 'dir*-s'
    condition: all of selection_*
falsepositives:
    - Likely
level: low
```
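
To see what the rule does and does not match, the following added example (not part of the Sigma rule or of any Sigma backend) evaluates its two selections against constructed process-creation events. It assumes a simplified `windash` that substitutes every `-` in the value, and a dash set taken from the Sigma modifier specification; `windash_contains`, `matches` and `EVENTS` are hypothetical names.

```python
import re

# Dash variants treated as interchangeable by 'windash' (assumed from the Sigma spec).
DASHES = "-/\u2013\u2014\u2015"

def windash_contains(value):
    """Compile a 'contains|windash' value: '*' is a wildcard, '-' is any dash variant."""
    out = []
    for ch in value:
        if ch == "*":
            out.append(".*")
        elif ch == "-":
            out.append("[" + re.escape(DASHES) + "]")
        else:
            out.append(re.escape(ch))
    # Sigma string matching is case-insensitive; 'contains' means search anywhere.
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)

CLI = windash_contains("dir*-s")

def matches(event):
    """condition: all of selection_* (selection_cmd is a list, so its items are OR-ed)."""
    selection_cmd = (
        event.get("Image", "").lower().endswith("\\cmd.exe")
        or event.get("OriginalFileName", "").lower() == "cmd.exe"
    )
    selection_cli = CLI.search(event.get("CommandLine", "")) is not None
    return selection_cmd and selection_cli

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c dir /s C:\Users\Public"},
    # Renamed copy of cmd.exe: Image no longer matches, OriginalFileName still does.
    {"Image": r"C:\Temp\helper.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"helper.exe /c DIR C:\Users /S /B"},
    # dir without the recursive flag.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c dir C:\Users\Public"},
    # Same command line under a different host process.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell.exe -Command dir /s"},
    # Benign hit: "dir" and "-s" both occur inside a file name ("redirect-server").
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c type C:\build\redirect-server.log"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(matches(e), e["CommandLine"])
```

The last event matches only because `contains` with a `*` wildcard is not anchored to command tokens, which is consistent with the rule's `falsepositives: Likely` and `level: low`.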
Related rules
- Automated Collection Bookmarks Using Get-ChildItem PowerShell
- Suspicious Where Execution
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AD Groups Or Users Enumeration Using PowerShell - PoshModule