File And SubFolder Enumeration Via Dir Command
Detects use of the Windows CMD "dir" command with the "/S" command line flag, which enumerates files in a specified directory and all of its subdirectories.
Sigma rule
title: File And SubFolder Enumeration Via Dir Command
id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006
status: test
description: |
    Detects usage of the "dir" command part of Windows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
author: frack113
date: 2021-12-13
modified: 2026-05-18
tags:
    - attack.discovery
    - attack.t1217
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: Cmd.Exe
    selection_cli:
        CommandLine|contains|windash: '-s'
        CommandLine|contains: 'dir '
    filter_main_rmdir:
        CommandLine|contains: 'rmdir'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Likely
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_dir_execution/info.yml
simulation:
    - type: atomic-red-team
      name: List Internet Explorer Bookmarks using the command prompt
      technique: T1217
      atomic_guid: 727dbcdb-e495-4ab1-a6c4-80c7f77aef85
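To make the detection block above concrete, here is an added example (not part of the SigmaHQ rule, pySigma or any Sigma backend) that evaluates this rule's logic by hand over a handful of constructed process-creation events. It shows how the list-of-maps `selection_cmd` is OR-ed, how the single-map `selection_cli` is AND-ed, how `windash` expands `'-s'` so that both `dir -s` and `dir /s` match, and why `filter_main_rmdir` is needed. Field names follow the Sigma `process_creation` schema used by the rule; the sample events, paths and ids are constructed, and the inclusion of en and em dash in the windash expansion is an assumption about the backend.

```python
# Added example: a minimal evaluator for this rule's detection block, run over
# constructed process-creation events. Not the SigmaHQ rule's own tooling.

# Sigma's windash modifier treats '-' and '/' interchangeably. The en and em dash
# variants are an assumption here (newer pySigma versions expand them too);
# drop them if your backend does not.
DASH_VARIANTS = ("-", "/", "\u2013", "\u2014")


def windash_variants(value: str) -> list[str]:
    """Expand a 'contains|windash' value such as '-s' into every dash variant."""
    if not value.startswith("-"):
        return [value]
    return [dash + value[1:] for dash in DASH_VARIANTS]


def contains_ci(haystack: str, needle: str) -> bool:
    """Sigma string matching is case-insensitive by default; mirror that."""
    return needle.lower() in haystack.lower()


def matches_rule(event: dict) -> bool:
    """Evaluate: all of selection_* and not 1 of filter_main_*."""
    image = event.get("Image", "")
    original_name = event.get("OriginalFileName", "")
    cmdline = event.get("CommandLine", "")

    # selection_cmd is a list of maps, so its entries are OR-ed:
    # the image path OR the PE OriginalFileName identifies cmd.exe.
    selection_cmd = (
        image.lower().endswith("\\cmd.exe") or original_name.lower() == "cmd.exe"
    )

    # selection_cli is a single map, so its keys are AND-ed:
    # a '-s' / '/s' switch AND the literal 'dir ' somewhere in the command line.
    selection_cli = any(
        contains_ci(cmdline, variant) for variant in windash_variants("-s")
    ) and contains_ci(cmdline, "dir ")

    # filter_main_rmdir drops recursive directory deletion, whose command line
    # also contains 'dir ' (inside 'rmdir ') together with a '/s' switch.
    filter_main_rmdir = contains_ci(cmdline, "rmdir")

    return selection_cmd and selection_cli and not filter_main_rmdir


# Constructed sample events; paths, users and command lines are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    {"id": "evt-1", "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c dir /s /b C:\Users\alice\Favorites"},   # recursive listing: alert
    {"id": "evt-2", "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c dir -s C:\Users\alice\Documents"},      # dash instead of slash: alert
    {"id": "evt-3", "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c rmdir /s /q C:\Temp\build"},            # excluded by filter_main_rmdir
    {"id": "evt-4", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe -c dir /s C:\Users"},               # not cmd.exe: no alert
    {"id": "evt-5", "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c dir C:\Users\alice"},                   # no recursive switch: no alert
    {"id": "evt-6", "Image": r"C:\Temp\c.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"c.exe /c dir /s C:\Users"},                        # renamed binary caught via OriginalFileName
]


def matching_event_ids(events: list[dict]) -> list[str]:
    """Return the ids of the events the rule would alert on."""
    return [event["id"] for event in events if matches_rule(event)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT" if matches_rule(event) else "ok"
        print(f"{event['id']}: {verdict:5}  {event['CommandLine']}")
```

Two things worth noting when tuning this rule: `contains|windash: '-s'` matches any `/s` substring, so command lines carrying switches such as `/silent` or a URL path will satisfy `selection_cli` whenever `dir ` also appears, which is why the rule is level `low` with false positives marked `Likely`; and the `OriginalFileName` branch of `selection_cmd` is what keeps a renamed `cmd.exe` (evt-6) in scope, so do not drop it when porting the rule to a backend that only carries the image path.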
References
Related rules
- Suspicious File Access to Browser Credential Storage
- Automated Collection Bookmarks Using Get-ChildItem PowerShell
- Suspicious Where Execution
- Vim GTFOBin Abuse - Linux
- Github Self Hosted Runner Changes Detected