T1083

File and Directory Discovery

File and Directory Discovery (T1083) is a MITRE ATT&CK technique associated with Discovery . Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

Technique ID: T1083
Difficulty: Intermediate
Tactics: Discovery
Platforms: ESXiLinuxmacOSNetwork DevicesWindows

Executive Summary

File and Directory Discovery (T1083) is a MITRE ATT&CK technique associated with Discovery. Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

Why Attackers Use It

Attackers use File and Directory Discovery because it provides a reliable way to advance their objective within the Discovery tactic, often with a favorable balance of impact versus detectability on ESXi, Linux, macOS, Network Devices, Windows environments. Defenders should assess this behavior in the context of the affected platform and adjacent activity rather than treating it as a standalone indicator.

MITRE Description

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Many command shell utilities can be used to obtain this information. Examples include <code>dir</code>, <code>tree</code>, <code>ls</code>, <code>find</code>, and <code>locate</code>.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Native API. Adversaries may also leverage a Network Device CLI on network devices to gather file and directory information (e.g. <code>dir</code>, <code>show flash</code>, and/or <code>nvram</code>).(Citation: US-CERT-TA18-106A)

Some files and directories may require elevated or specific user permissions to access.

Attack Flow

Attacker gains the prerequisite access or context described below.
Attacker executes File and Directory Discovery to achieve its tactical objective (Discovery).
Resulting access/data/effect is leveraged to advance the broader attack chain (see Related Techniques).

Prerequisites

Platform(s): ESXi, Linux, macOS, Network Devices, Windows
ATT&CK does not define one universal permission requirement for this technique. Establish the required access from the observed implementation and affected platform.

Common Tools

Tool attribution is implementation-specific. Use ATT&CK procedure examples and local telemetry to identify the binaries, services, scripts, accounts, or cloud resources involved.

Commands

No universal command represents File and Directory Discovery. Capture the exact command line, arguments, parent process, account, host, and execution time from the investigated environment; do not operationalize unverified examples.

Network Traffic

Network observability is implementation-dependent. Review DNS, proxy, firewall, flow, authentication, and packet telemetry around the activity window, then correlate remote endpoints and protocol behavior with host evidence.

Windows Events

Event ID	Log Channel	What It Indicates
Environment-specific	Relevant Windows channel(s)	Correlate authentication, process, object-access, and configuration events with the observed execution context.

Sysmon Events

Sysmon Event ID	Name	Why It's Relevant Here
Environment-specific	Validate configured telemetry	Use process, network, file, registry, DNS, or image-load telemetry only when relevant and enabled.

Detection Opportunities

No MITRE detection guidance published for this technique.

Relevant ATT&CK Data Sources: N/A

Sigma Rules

A universal Sigma rule would create unreliable results because this technique has no single guaranteed observable. Build detection logic from a documented behavior and supported data source, scope it to the affected platform, and validate it against benign administrative activity before deployment.

Splunk Queries

Start with the data sources named in the detection section. Scope searches by asset, identity, and time window; correlate the primary behavior with preceding access and subsequent actions. A portable query is intentionally not provided where the technique lacks a universal schema or observable.

Investigation Workflow

Confirm that the observed behavior is consistent with File and Directory Discovery and rule out expected administrative or application activity.
Establish the first-seen time, initiating identity, source system, target system, and affected resources.
Collect relevant host, identity, network, cloud, and application telemetry for the surrounding time window.
Correlate parent and child activity, remote connections, file or configuration changes, and related ATT&CK techniques.
Determine scope by searching for the same observable across peer assets and identities.
Preserve volatile evidence and record confidence, assumptions, and telemetry gaps before containment.

Containment

Isolate affected host(s)/account(s) identified during investigation.
Revoke or rotate any credentials/tokens potentially exposed.
Apply the mitigations listed below where not already enforced.
Validate no related techniques (see Related Techniques) were chained against the same asset.

Mitigation

No MITRE mitigations mapped to this technique.

Related Techniques

T1001.002
T1001.003
T1003.002
T1003.004
T1003.005
T1005
T1007
T1008
T1010
T1012
T1016
T1018
T1020
T1021.002
T1025
T1027
T1027.004
T1027.007
T1027.013
T1030
T1033
T1036
T1036.001
T1036.005
T1037.004
T1039
T1041
T1046
T1047
T1048.003
T1049
T1052.001
T1053.002
T1055.001
T1055.013
T1056.001
T1057
T1059.003
T1059.004
T1059.012
T1069.001
T1070
T1070.004
T1070.006
T1071
T1071.001
T1071.002
T1071.003
T1071.004
T1074.001
T1078.003
T1080
T1082
T1087
T1087.001
T1087.002
T1090
T1090.001
T1090.003
T1091
T1092
T1095
T1098.004
T1102.002
T1104
T1105
T1106
T1110
T1112
T1113
T1114.001
T1119
T1120
T1123
T1124
T1132
T1132.002
T1133
T1134
T1134.001
T1134.002
T1135
T1137.001
T1140
T1190
T1201
T1210
T1213
T1217
T1218.003
T1222.001
T1222.002
T1480
T1480.002
T1485
T1486
T1489
T1490
T1491.001
T1497.001
T1505.004
T1518
T1518.001
T1529
T1543
T1543.003
T1546
T1547.001
T1547.004
T1547.013
T1548.002
T1552.001
T1552.004
T1553.001
T1553.002
T1555
T1555.003
T1559
T1560
T1560.001
T1560.002
T1560.003
T1561.001
T1561.002
T1564.001
T1565.001
T1567
T1567.002
T1569.002
T1570
T1571
T1573.001
T1573.002
T1574
T1588.007
T1608.005
T1609
T1610
T1611
T1614
T1614.001
T1647
T1652
T1654
T1679
T1680
T1685
T1685.005
T1686
T1688

T1001.002Steganography T1001.003Protocol or Service Impersonation T1003.002Security Account Manager T1003.004LSA Secrets T1003.005Cached Domain Credentials T1005Data from Local System T1007System Service Discovery T1008Fallback Channels T1010Application Window Discovery T1012Query Registry T1016System Network Configuration Discovery T1018Remote System Discovery T1020Automated Exfiltration T1021.002SMB/Windows Admin Shares T1025Data from Removable Media T1027Obfuscated Files or Information T1027.004Compile After Delivery T1027.007Dynamic API Resolution T1027.013Encrypted/Encoded File T1030Data Transfer Size Limits T1033System Owner/User Discovery T1036Masquerading T1036.001Invalid Code Signature T1036.005Match Legitimate Resource Name or Location T1037.004RC Scripts T1039Data from Network Shared Drive T1041Exfiltration Over C2 Channel T1046Network Service Discovery T1047Windows Management Instrumentation T1048.003Exfiltration Over Unencrypted Non-C2 Protocol T1049System Network Connections Discovery T1052.001Exfiltration over USB T1053.002At T1055.001Dynamic-link Library Injection T1055.013Process Doppelgänging T1056.001Keylogging T1057Process Discovery T1059.003Windows Command Shell T1059.004Unix Shell T1059.012Hypervisor CLI T1069.001Local Groups T1070Indicator Removal T1070.004File Deletion T1070.006Timestomp T1071Application Layer Protocol T1071.001Web Protocols T1071.002File Transfer Protocols T1071.003Mail Protocols T1071.004DNS T1074.001Local Data Staging T1078.003Local Accounts T1080Taint Shared Content T1082System Information Discovery T1087Account Discovery T1087.001Local Account T1087.002Domain Account T1090Proxy T1090.001Internal Proxy T1090.003Multi-hop Proxy T1091Replication Through Removable Media T1092Communication Through Removable Media T1095Non-Application Layer Protocol T1098.004SSH Authorized Keys T1102.002Bidirectional Communication T1104Multi-Stage Channels T1105Ingress Tool Transfer T1106Native API T1110Brute Force T1112Modify Registry T1113Screen Capture T1114.001Local Email Collection T1119Automated Collection T1120Peripheral Device Discovery T1123Audio Capture T1124System Time Discovery T1132Data Encoding T1132.002Non-Standard Encoding T1133External Remote Services T1134Access Token Manipulation T1134.001Token Impersonation/Theft T1134.002Create Process with Token T1135Network Share Discovery T1137.001Office Template Macros T1140Deobfuscate/Decode Files or Information T1190Exploit Public-Facing Application T1201Password Policy Discovery T1210Exploitation of Remote Services T1213Data from Information Repositories T1217Browser Information Discovery T1218.003CMSTP T1222.001Windows Permissions T1222.002Linux and Mac Permissions T1480Execution Guardrails T1480.002Mutual Exclusion T1485Data Destruction T1486Data Encrypted for Impact T1489Service Stop T1490Inhibit System Recovery T1491.001Internal Defacement T1497.001System Checks T1505.004IIS Components T1518Software Discovery T1518.001Security Software Discovery T1529System Shutdown/Reboot T1543Create or Modify System Process T1543.003Windows Service T1546Event Triggered Execution T1547.001Registry Run Keys / Startup Folder T1547.004Winlogon Helper DLL T1547.013XDG Autostart Entries T1548.002Bypass User Account Control T1552.001Credentials In Files T1552.004Private Keys T1553.001Gatekeeper Bypass T1553.002Code Signing T1555Credentials from Password Stores T1555.003Credentials from Web Browsers T1559Inter-Process Communication T1560Archive Collected Data T1560.001Archive via Utility T1560.002Archive via Library T1560.003Archive via Custom Method T1561.001Disk Content Wipe T1561.002Disk Structure Wipe T1564.001Hidden Files and Directories T1565.001Stored Data Manipulation T1567Exfiltration Over Web Service T1567.002Exfiltration to Cloud Storage T1569.002Service Execution T1570Lateral Tool Transfer T1571Non-Standard Port T1573.001Symmetric Cryptography T1573.002Asymmetric Cryptography T1574Hijack Execution Flow T1588.007Artificial Intelligence T1608.005Link Target T1609Container Administration Command T1610Deploy Container T1611Escape to Host T1614System Location Discovery T1614.001System Language Discovery T1647Plist File Modification T1652Device Driver Discovery T1654Log Enumeration T1679Selective Exclusion T1680Local Storage Discovery T1685Disable or Modify Tools T1685.005Clear Windows Event Logs T1686Disable or Modify System Firewall T1688Safe Mode Boot

Loading AttackTrace...

Executive Summary

Why Attackers Use It

MITRE Description

Some files and directories may require elevated or specific user permissions to access.

Attack Flow

Attacker gains the prerequisite access or context described below.
Attacker executes File and Directory Discovery to achieve its tactical objective (Discovery).
Resulting access/data/effect is leveraged to advance the broader attack chain (see Related Techniques).

Prerequisites

Platform(s): ESXi, Linux, macOS, Network Devices, Windows
ATT&CK does not define one universal permission requirement for this technique. Establish the required access from the observed implementation and affected platform.

Common Tools

Tool attribution is implementation-specific. Use ATT&CK procedure examples and local telemetry to identify the binaries, services, scripts, accounts, or cloud resources involved.

Commands

Network Traffic

Network observability is implementation-dependent. Review DNS, proxy, firewall, flow, authentication, and packet telemetry around the activity window, then correlate remote endpoints and protocol behavior with host evidence.

Windows Events

Event ID	Log Channel	What It Indicates
Environment-specific	Relevant Windows channel(s)	Correlate authentication, process, object-access, and configuration events with the observed execution context.

Sysmon Events

Sysmon Event ID	Name	Why It's Relevant Here
Environment-specific	Validate configured telemetry	Use process, network, file, registry, DNS, or image-load telemetry only when relevant and enabled.

Detection Opportunities

No MITRE detection guidance published for this technique.

Relevant ATT&CK Data Sources: N/A

Sigma Rules

Splunk Queries

Investigation Workflow

Confirm that the observed behavior is consistent with File and Directory Discovery and rule out expected administrative or application activity.
Establish the first-seen time, initiating identity, source system, target system, and affected resources.
Collect relevant host, identity, network, cloud, and application telemetry for the surrounding time window.
Correlate parent and child activity, remote connections, file or configuration changes, and related ATT&CK techniques.
Determine scope by searching for the same observable across peer assets and identities.
Preserve volatile evidence and record confidence, assumptions, and telemetry gaps before containment.

Containment

Isolate affected host(s)/account(s) identified during investigation.
Revoke or rotate any credentials/tokens potentially exposed.
Apply the mitigations listed below where not already enforced.
Validate no related techniques (see Related Techniques) were chained against the same asset.

Mitigation

No MITRE mitigations mapped to this technique.

Related Techniques

T1001.002
T1001.003
T1003.002
T1003.004
T1003.005
T1005
T1007
T1008
T1010
T1012
T1016
T1018
T1020
T1021.002
T1025
T1027
T1027.004
T1027.007
T1027.013
T1030
T1033
T1036
T1036.001
T1036.005
T1037.004
T1039
T1041
T1046
T1047
T1048.003
T1049
T1052.001
T1053.002
T1055.001
T1055.013
T1056.001
T1057
T1059.003
T1059.004
T1059.012
T1069.001
T1070
T1070.004
T1070.006
T1071
T1071.001
T1071.002
T1071.003
T1071.004
T1074.001
T1078.003
T1080
T1082
T1087
T1087.001
T1087.002
T1090
T1090.001
T1090.003
T1091
T1092
T1095
T1098.004
T1102.002
T1104
T1105
T1106
T1110
T1112
T1113
T1114.001
T1119
T1120
T1123
T1124
T1132
T1132.002
T1133
T1134
T1134.001
T1134.002
T1135
T1137.001
T1140
T1190
T1201
T1210
T1213
T1217
T1218.003
T1222.001
T1222.002
T1480
T1480.002
T1485
T1486
T1489
T1490
T1491.001
T1497.001
T1505.004
T1518
T1518.001
T1529
T1543
T1543.003
T1546
T1547.001
T1547.004
T1547.013
T1548.002
T1552.001
T1552.004
T1553.001
T1553.002
T1555
T1555.003
T1559
T1560
T1560.001
T1560.002
T1560.003
T1561.001
T1561.002
T1564.001
T1565.001
T1567
T1567.002
T1569.002
T1570
T1571
T1573.001
T1573.002
T1574
T1588.007
T1608.005
T1609
T1610
T1611
T1614
T1614.001
T1647
T1652
T1654
T1679
T1680
T1685
T1685.005
T1686
T1688

Executive Summary

Why Attackers Use It

MITRE Description

Attack Flow

Prerequisites

Common Tools

Commands

Network Traffic

Windows Events

Sysmon Events

Detection Opportunities

Sigma Rules

Splunk Queries

Investigation Workflow

Containment

Mitigation

Related Techniques

Related techniques

Executive Summary

Why Attackers Use It

MITRE Description

Attack Flow

Prerequisites

Common Tools

Commands

Network Traffic

Windows Events

Sysmon Events

Detection Opportunities

Sigma Rules

Splunk Queries

Investigation Workflow

Containment

Mitigation

Related Techniques

Related techniques