T1083 | Discovery | easy difficulty

File and Directory Discovery

File and Directory Discovery (T1083) is a MITRE ATT&CK technique in the Discovery tactic. SOC analysts detect it by monitoring XDR and SIEM events for behavioral anomalies and the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.

XDR, SIEM

What is File and Directory Discovery?

Adversaries may enumerate files and directories, or search specific locations on a host or network share, for particular information within a file system. Adversaries may use the information gathered during automated discovery to shape follow-on behaviors, including whether or not they fully invest in a compromise. On Windows systems, attackers use the dir command, tree, and PowerShell cmdlets to enumerate directory structures. On Linux, find, ls, and locate are commonly used for file system reconnaissance. Attackers search for sensitive files including configuration files with credentials, database files, source code repositories, backup files, SSH private keys, and documents containing confidential business information. The goal is to identify valuable data to exfiltrate and to find additional credentials that can be used for further access.

File and Directory Discovery is documented as technique T1083 in the MITRE ATT&CK knowledge base under the Discovery tactic. Detection requires visibility into XDR and SIEM telemetry.

Detection Strategies

The following detection strategies help SOC analysts identify File and Directory Discovery activity. These methods apply across XDR and SIEM environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

  1. Monitor for file system enumeration commands, particularly those searching for file types commonly associated with credentials and sensitive data such as *.kdbx, *.pfx, *.key, id_rsa, *.config, and *.rdp files.

  2. Alert on processes accessing large numbers of files in quick succession, particularly across multiple directories, as this pattern is consistent with automated file search operations rather than normal user activity.

  3. Detect searches targeting specific sensitive directories, including backup locations, certificate stores, SSH key directories, and application configuration paths that are not normally accessed by standard user processes.

  4. Monitor for PowerShell Get-ChildItem or Select-String commands searching for specific keywords like password, credential, secret, or token within file contents, which indicates targeted credential harvesting.

  5. Track access to network shares by monitoring SMB access logs, alerting on accounts accessing shares outside of their normal job function or accessing large numbers of files across multiple share locations rapidly.
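Strategies 1, 3 and 4 above are all command-line matching problems. The following is an added example, not code from SOCSimulator or from MITRE, showing how those three checks can be expressed as rules run over process-creation events. The ProcessEvent shape is a constructed, Sysmon-style record rather than any vendor's schema, and the enumeration verbs, sensitive-directory names and keyword lists are assumptions assembled from the strategies above; the sample events are constructed and the first two mirror the command lines from the Example Alerts section.

```python
"""Added example: command-line rules for T1083 file system enumeration.

The event shape is a constructed, Sysmon-style process-creation record, not a
vendor schema; the watchlists are assumptions drawn from the strategies above.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str           # executable name (e.g. powershell.exe, /usr/bin/find)
    command_line: str


# Verbs that enumerate the file system on Windows or Linux (assumed list)
ENUM_VERB = re.compile(r"(?<![\w-])(Get-ChildItem|gci|dir|ls|tree|find|locate)(?![\w-])", re.I)
# Tools that search inside file contents (strategy 4)
CONTENT_SEARCH = re.compile(r"(?<![\w-])(Select-String|sls|grep|findstr|rg)(?![\w-])", re.I)
# File types from strategy 1, plus *.p12/*.pem and application.properties from the alerts
SENSITIVE_FILE = re.compile(
    r"\*?\.(kdbx|pfx|p12|pem|key|rdp|config)\b|\bid_rsa\b|\bapplication\.properties\b", re.I)
# Keywords that indicate credential harvesting inside file contents (strategy 4)
CONTENT_KEYWORD = re.compile(r"\b(password|passwd|credential|secret|token|connectionstring)\b", re.I)
# Directories from strategy 3: SSH keys, backups, certificate stores, app config (constructed)
SENSITIVE_DIR = re.compile(
    r"\.ssh\b|\bbackups?\b|\bcert(ificate)?s?\b|Crypto\\RSA|MachineKeys|/etc/|\binetpub\b", re.I)


def classify(event: ProcessEvent) -> list[str]:
    """Names of the T1083 rules the command line trips; an empty list means no finding."""
    cl = event.command_line
    hits: list[str] = []
    enumerating = bool(ENUM_VERB.search(cl))
    if enumerating and SENSITIVE_FILE.search(cl):
        hits.append("cred_file_enumeration")       # strategy 1
    if enumerating and SENSITIVE_DIR.search(cl):
        hits.append("sensitive_dir_search")        # strategy 3
    if CONTENT_SEARCH.search(cl) and CONTENT_KEYWORD.search(cl):
        hits.append("content_keyword_search")      # strategy 4
    return hits


def detect(events):
    """Return (host, user, rules) for every event that trips at least one rule."""
    return [(e.host, e.user, h) for e in events if (h := classify(e))]


# Constructed sample telemetry: two events modelled on the alerts below, one SSH-key
# directory search, and two benign enumerations that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent("WS-042", "jdoe", "powershell.exe",
                 r"Get-ChildItem -Recurse -Include *.kdbx,*.pfx,*.p12,id_rsa,*.pem -Path C:\,\\FILESERVER\Finance"),
    ProcessEvent("web-01", "www-data", "/bin/sh",
                 'find / -name "web.config" -o -name "*.config" -o -name "application.properties" '
                 '2>/dev/null | grep -iE "password|connectionstring|credential"'),
    ProcessEvent("WS-042", "jdoe", "powershell.exe",
                 r"Get-ChildItem -Path C:\Users\*\.ssh -Recurse -Force"),
    ProcessEvent("WS-017", "alice", "cmd.exe", r"dir C:\Users\alice\Documents\*.docx"),
    ProcessEvent("WS-017", "alice", "powershell.exe",
                 r'Get-ChildItem -Path .\src -Filter *.cs | Select-String -Pattern "TODO"'),
]

if __name__ == "__main__":
    for host, user, rules in detect(SAMPLE_EVENTS):
        print(f"{host} {user}: {', '.join(rules)}")
```

Each rule is gated on an enumeration verb so that a plain keyword such as "token" in an unrelated command line does not fire on its own; tuning in a real environment means extending the watchlists and excluding known administrative scripts by image path and signer rather than loosening the regexes.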

Example Alerts

These realistic alert examples show what File and Directory Discovery looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

High severity | XDR

Recursive Search for Credential Files

PowerShell command executed: Get-ChildItem -Recurse -Include *.kdbx,*.pfx,*.p12,id_rsa,*.pem -Path C:\ and \\FILESERVER\. This targeted search for certificate files, private keys, and password manager databases is consistent with post-compromise credential harvesting. The process has subsequently enumerated and copied 14 matching files to a staging directory.

High severity | SIEM

Sensitive File Access on Finance Share

User account contractor_temp accessed 847 files on the Finance department network share within 15 minutes, including files in budget, payroll, and acquisition subdirectories. This account normally accesses only the Vendors subdirectory for legitimate business purposes. The access pattern suggests systematic data collection prior to exfiltration rather than legitimate work activity.

Medium severity | XDR

Configuration File Search for Database Credentials

Command executed searching for web application configuration files: find / -name "web.config" -o -name "*.config" -o -name "application.properties" 2>/dev/null, with the output then piped through grep for the password, connectionstring, and credential keywords. This targeted search for configuration files containing database connection strings and API credentials is post-compromise reconnaissance.
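The Finance share alert above, and detection strategies 2 and 5, are volume and baseline problems rather than command-line matching: how many files did a principal touch inside a window, and were they in places that principal normally works in. The following is an added example (not SOCSimulator's or any SIEM vendor's code) that implements both checks over SMB-audit-style access records. The ShareAccess record, the per-account baseline table and the 200-files-per-15-minutes threshold are assumptions; the sample events are constructed to reproduce the contractor_temp scenario from the alert (847 files in under 15 minutes across Budget, Payroll and Acquisition, against a baseline of Vendors only) alongside a legitimate user whose activity must not fire.

```python
"""Added example: volume and baseline anomalies for share/file access (T1083).

Events are constructed SMB-audit-style records; the baseline table and the
200-files-per-15-minutes threshold are assumptions, not values from any product.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ShareAccess:
    ts: datetime
    account: str
    share: str      # UNC share, e.g. \\FILESERVER\Finance
    path: str       # path relative to the share; first component is the subdirectory


# Subdirectories each account normally touches on each share (assumed baseline;
# in practice learned from several weeks of audit logs)
BASELINE = {
    "contractor_temp": {r"\\FILESERVER\Finance": {"Vendors"}},
    "alice.finance": {r"\\FILESERVER\Finance": {"Budget", "Payroll"}},
}
BURST_THRESHOLD = 200            # file events per window that suggests automated search
WINDOW = timedelta(minutes=15)


def top_dir(path: str) -> str:
    """First path component, e.g. 'Payroll' for 'Payroll\\2024\\q1.xlsx'."""
    return path.replace("/", "\\").strip("\\").split("\\")[0]


def max_events_in_window(times: list[datetime], window: timedelta) -> int:
    """Largest number of events whose timestamps fall within any span of `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):          # two-pointer sliding window
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(events, baseline=BASELINE, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return one finding per account that bursts or strays outside its baseline."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)
    findings = []
    for account, evs in by_account.items():
        burst = max_events_in_window([e.ts for e in evs], window)
        allowed = baseline.get(account, {})
        unexpected = {top_dir(e.path) for e in evs
                      if top_dir(e.path) not in allowed.get(e.share, set())}
        reasons = []
        if burst >= threshold:
            reasons.append(f"{burst} file events within {window}")      # strategy 2 / 5
        if unexpected:
            reasons.append(f"access outside baseline: {sorted(unexpected)}")  # strategy 5
        if reasons:
            findings.append({"account": account, "max_files_in_window": burst,
                             "unexpected_dirs": unexpected, "reasons": reasons})
    return findings


def build_sample_events():
    """Constructed audit records reproducing the Finance share alert plus a benign user."""
    share = r"\\FILESERVER\Finance"
    t0 = datetime(2024, 5, 14, 9, 0, 0)
    events = []
    # contractor_temp: a few legitimate Vendors reads two hours earlier ...
    for i in range(5):
        events.append(ShareAccess(t0 - timedelta(hours=2, minutes=i), "contractor_temp",
                                  share, f"Vendors\\invoice{i}.pdf"))
    # ... then 847 files across Budget/Payroll/Acquisition in about 14 minutes
    subdirs = ["Budget", "Payroll", "Acquisition"]
    for i in range(847):
        events.append(ShareAccess(t0 + timedelta(seconds=i), "contractor_temp",
                                  share, f"{subdirs[i % 3]}\\doc{i}.xlsx"))
    # alice.finance: normal work, 20 files over an hour inside her baseline
    for i in range(20):
        events.append(ShareAccess(t0 + timedelta(minutes=3 * i), "alice.finance",
                                  share, f"{subdirs[i % 2]}\\report{i}.xlsx"))
    return events


def run_demo():
    """Findings keyed by account for the constructed sample."""
    return {f["account"]: f for f in analyze(build_sample_events())}


if __name__ == "__main__":
    for account, finding in run_demo().items():
        print(account, "->", "; ".join(finding["reasons"]))
```

The two reasons are reported separately because they carry different weight in triage: a burst alone can be a backup agent or an indexer and is often tuned out by account, while access outside the baseline by a low-privilege or temporary account is the signal that most often turns the Finance share alert into a true positive.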

Practice Detecting File and Directory Discovery

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including File and Directory Discovery. Build detection skills with zero consequences — free forever.

12,000+ analysts trained
No credit card required

Frequently Asked Questions

How do SOC analysts detect File and Directory Discovery?
SOC analysts detect File and Directory Discovery (T1083) by monitoring XDR and SIEM telemetry for behavioral anomalies and specific indicators. Key detection methods include monitoring for file system enumeration commands, particularly those searching for file types commonly associated with credentials and sensitive data such as *.kdbx, *.pfx, *.key, id_rsa, *.config, and *.rdp files. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect File and Directory Discovery?
File and Directory Discovery can be detected using XDR and SIEM platforms. XDR tools are particularly effective for this technique because they provide visibility into the discovery phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.
How common is File and Directory Discovery in real-world attacks?
File and Directory Discovery is a well-documented MITRE ATT&CK technique in the Discovery tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic File and Directory Discovery scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting File and Directory Discovery for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Discovery techniques like File and Directory Discovery. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.