DirLister Execution
Detects the use of "DirLister.exe", a utility for quickly listing folder or drive contents. It has been seen in use by BlackCat ransomware to create a list of accessible directories and files.
Sigma rule
title: DirLister Execution
id: b4dc61f5-6cce-468e-a608-b48b469feaa2
status: test
description: Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md
    - https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/
author: frack113
date: 2022-08-20
modified: 2023-02-04
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: 'DirLister.exe'
        - Image|endswith: '\dirlister.exe'
    condition: selection
falsepositives:
    - Legitimate use by users
level: low
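
How the rule's selection evaluates, as an added example that is not part of the original rule or the Sigma project: a Python function applies the two selection items (OR'ed, and case-insensitive per Sigma's default string matching) to constructed process-creation events. The field names follow Sysmon Event ID 1; the function names and sample events are assumptions made for illustration.

```python
# Added example: evaluates this rule's `selection` against constructed events.
# Sigma semantics used: items in a selection list are OR'ed, and plain string
# comparisons (including |endswith) are case-insensitive.

def matches_dirlister(event: dict) -> bool:
    """Return True if a process_creation event satisfies the rule's selection."""
    original = str(event.get("OriginalFileName") or "").lower()
    image = str(event.get("Image") or "").lower()
    # - OriginalFileName: 'DirLister.exe'  (PE version-info field, survives a rename)
    by_pe_metadata = original == "dirlister.exe"
    # - Image|endswith: '\dirlister.exe'   (leading backslash anchors the file name)
    by_path = image.endswith("\\dirlister.exe")
    return by_pe_metadata or by_path

# Constructed sample events, not taken from real telemetry.
SAMPLE_EVENTS = [
    {"name": "default path",
     "Image": r"C:\Users\a\Downloads\DirLister.exe", "OriginalFileName": "DirLister.exe"},
    {"name": "renamed binary",
     "Image": r"C:\ProgramData\svc.exe", "OriginalFileName": "DirLister.exe"},
    {"name": "no PE metadata logged",
     "Image": r"C:\Temp\DIRLISTER.EXE", "OriginalFileName": None},
    {"name": "lookalike file name",
     "Image": r"C:\Tools\mydirlister.exe", "OriginalFileName": "-"},
    {"name": "unrelated process",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
]

def triage(events):
    """Return the names of the events that would raise this rule."""
    return [e["name"] for e in events if matches_dirlister(e)]

if __name__ == "__main__":
    for name in triage(SAMPLE_EVENTS):
        print("ALERT (level: low):", name)
```

The second selection item only helps when the log source populates `OriginalFileName`; where it is absent, the rule falls back to the image path alone.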
Related rules
- Capabilities Discovery - Linux
- Cisco Discovery
- File and Directory Discovery - Linux
- File and Directory Discovery - MacOS
- HackTool - PCHunter Execution