Viewing remote directories

calendar Feb 23, 2024 · attack.discovery attack.t1083 dist.public  ·
Share on: linkedin copy

Detecting the use of dir command to inspect directories on the remote host.

Sigma rule (View on GitHub)

 1title: Viewing remote directories
 2id: bca1fab7-5640-489d-a161-e154fb6ba4f8
 3description: Detecting the use of dir command to inspect directories on the remote host.
 4status: experimental
 5date: 2023-06-12
 6modified: 2024-02-23
 7author: "@kostastsale, @TheDFIRReport"
 8references:
 9    - https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out
10logsource:
11    category: process_creation
12    product: windows
13detection:
14    selection:
15        Image|endswith:
16            - 'cmd.exe'
17        CommandLine|contains:
18            - 'dir *\\*\c$\*>>'
19    condition: selection
20falsepositives:
21    - Possible administrator activity
22level: high
23tags:
24    - attack.discovery #TA0007
25    - attack.t1083
26    - dist.public

References

  • A Truly Graceful Wipe Out

    In this intrusion, dated May 2023, we observed Truebot being used to deploy Cobalt Strike and FlawedGrace (aka GraceWire & BARBWIRE) resulting in the exfiltration of data and the deployment of …


    Read More

Related rules

to-top