title: File and Directory Discovery
id: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72
status: experimental
description: Detects usage of system utilities to discover files and directories
author: Daniil Yugoslavskiy, oscd.community
date: 2020/10/19
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
logsource:
    category: process_creation
    product: linux
detection:
    file_with_asterisk:
        ProcessName|endswith: '/file'
        CommandLine|re: '(.){200,}' # execution of 'file */* *>> /tmp/output.txt' will produce a huge command line
    recursive_ls:
        ProcessName|endswith: '/ls'
        CommandLine|contains: '-R'
    find_execution:
        ProcessName|endswith: '/find'
    tree_execution:
        ProcessName|endswith: '/tree'
    condition: 1 of them
falsepositives:
    - Legitimate activities
level: low
tags:
    - attack.discovery
    - attack.t1083
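The following Python is an added example, not part of the Sigma rule above or of the oscd.community project: it re-implements the rule's four selections and its `1 of them` condition in plain code and runs them over a handful of constructed Linux process_creation events, so you can see which events alert and why. It follows Sigma's default semantics as assumed here: `endswith`/`contains` are case-insensitive, while the `re` modifier is an unanchored, case-sensitive search. The event dictionaries, the paths in them and the helper names are all made up for illustration.

```python
import re

# Pattern from the rule's file_with_asterisk selection. Sigma's `re` modifier
# is an unanchored search, so any CommandLine of 200+ characters satisfies it.
LONG_CMDLINE_RE = re.compile(r"(.){200,}")


def _endswith_ci(value, suffix):
    # Sigma string modifiers match case-insensitively by default (assumed here).
    return value.lower().endswith(suffix.lower())


def _contains_ci(value, needle):
    return needle.lower() in value.lower()


# One predicate per selection in the rule's detection block.
def file_with_asterisk(ev):
    return (_endswith_ci(ev.get("ProcessName", ""), "/file")
            and LONG_CMDLINE_RE.search(ev.get("CommandLine", "")) is not None)


def recursive_ls(ev):
    return (_endswith_ci(ev.get("ProcessName", ""), "/ls")
            and _contains_ci(ev.get("CommandLine", ""), "-R"))


def find_execution(ev):
    return _endswith_ci(ev.get("ProcessName", ""), "/find")


def tree_execution(ev):
    return _endswith_ci(ev.get("ProcessName", ""), "/tree")


SELECTIONS = {
    "file_with_asterisk": file_with_asterisk,
    "recursive_ls": recursive_ls,
    "find_execution": find_execution,
    "tree_execution": tree_execution,
}


def matched_selections(ev):
    """Names of the selections a single event satisfies."""
    return [name for name, pred in SELECTIONS.items() if pred(ev)]


def run_rule(events):
    """Apply 'condition: 1 of them': an event alerts if any selection matches.

    Returns (event index, CommandLine, matched selection names) per alert.
    """
    hits = []
    for i, ev in enumerate(events):
        names = matched_selections(ev)
        if names:
            hits.append((i, ev.get("CommandLine", ""), names))
    return hits


# Constructed sample events (not captured telemetry). Event 5 mimics the
# rule's comment: `file` invoked with a glob that expands to many paths.
_LONG_FILE_CMD = "file " + " ".join("/tmp/dir%d/*" % i for i in range(40))
SAMPLE_EVENTS = [
    {"ProcessName": "/usr/bin/ls",   "CommandLine": "ls -la /home/user"},   # 0: no match
    {"ProcessName": "/usr/bin/ls",   "CommandLine": "ls -R /etc"},          # 1: recursive_ls
    {"ProcessName": "/usr/bin/find", "CommandLine": "find / -name x.conf"}, # 2: find_execution
    {"ProcessName": "/usr/bin/tree", "CommandLine": "tree /var"},           # 3: tree_execution
    {"ProcessName": "/usr/bin/file", "CommandLine": "file /etc/passwd"},    # 4: too short
    {"ProcessName": "/usr/bin/file", "CommandLine": _LONG_FILE_CMD},        # 5: file_with_asterisk
    {"ProcessName": "/usr/bin/cat",  "CommandLine": "cat /etc/hostname"},   # 6: no match
    {"ProcessName": "/usr/sbin/profile", "CommandLine": "profile -R x"},    # 7: '/profile' != '/file'
    {"ProcessName": "/usr/bin/ls",   "CommandLine": "ls -r /tmp"},          # 8: matches via case-insensitive '-R'
]

if __name__ == "__main__":
    for idx, cmd, names in run_rule(SAMPLE_EVENTS):
        print(f"event {idx}: {names} <- {cmd[:60]}")
```

Event 7 shows why the rule anchors on `/file` rather than `file`: a binary called `profile` does not end with the `/file` path segment, so it stays quiet. Event 8 shows the flip side of Sigma's case-insensitive `contains`: a reverse-sorted `ls -r` listing also satisfies `recursive_ls`, which is one reason the rule is tuned to `level: low` and expects legitimate activity among its hits.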