sigma-rules/rules/windows/discovery_file_dir_discovery.toml

[metadata]
creation_date = "2020/12/04"
maturity = "production"
updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
description = """
Enumeration of files and directories using built-in tools. Adversaries may use the information discovered to plan
follow-on activity.
"""
false_positives = [
    """
    Enumeration of files and directories may not be inherently malicious and noise may come from scripts, automation
    tools, or normal command line usage. It's important to baseline your environment to determine the amount of expected
    noise and exclude any known FP's from the rule.
    """,
]
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "File and Directory Discovery"
risk_score = 21
rule_id = "7b08314d-47a0-4b71-ae4e-16544176924f"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
sequence by agent.id, user.name with maxspan=1m
[process where event.type in ("start", "process_started") and
  ((process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and process.args : "dir") or
    process.name : "tree.com"]
[process where event.type in ("start", "process_started") and
  ((process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and process.args : "dir") or
    process.name : "tree.com"]
[process where event.type in ("start", "process_started") and
  ((process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and process.args : "dir") or
    process.name : "tree.com"]
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1083"
name = "File and Directory Discovery"
reference = "https://attack.mitre.org/techniques/T1083/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"