Skip to content

DET0370 Recursive Enumeration of Files and Directories Across Privilege Contexts

Item Value
ID DET0370
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1083 (File and Directory Discovery)

Analytics

Windows

AN1040

Execution of file enumeration commands (e.g., ‘dir’, ‘tree’) from non-standard processes or unusual user contexts, followed by recursive directory traversal or access to sensitive locations.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Security EventCode=4688
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Mutable Elements
Field Description
CommandLineRegex Allows tuning based on tools/scripts used for enumeration (e.g., tree, dir /s /b)
UserContext Scoping for standard vs elevated or service accounts
TimeWindow Defines burst activity over short periods (e.g., >50 directory queries in 30s)

Linux

AN1041

Use of file enumeration commands (e.g., ‘ls’, ‘find’, ‘locate’) executed by suspicious users or scripts accessing broad file hierarchies or restricted directories.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
File Access (DC0055) auditd:PATH PATH
Mutable Elements
Field Description
FilePathDepth Max depth of recursive access to tune noise vs anomaly
UserContext Helpful to exclude known scripts or automation accounts

macOS

AN1042

Execution of file or directory discovery commands (e.g., ‘ls’, ‘find’) from terminal or script-based tooling, especially outside normal user workflows.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog log collect –predicate
File Access (DC0055) fs:fsusage Filesystem Call Monitoring
Mutable Elements
Field Description
PredicateScope Adjust macOS unified log filter to include/exclude system paths
TimeWindow Tune based on burst access patterns

ESXi

AN1043

Execution of esxcli commands to enumerate datastore, configuration files, or directory structures by unauthorized or remote users.

Log Sources
Data Component Name Channel
Command Execution (DC0064) esxi:shell Shell Access/Command Execution
File Access (DC0055) esxi:hostd vSphere File API Access
Mutable Elements
Field Description
CLICommandPattern Match on esxcli storage
AccessSource Limit alerting to non-vCenter or remote IPs

Network Devices

AN1044

Execution of file discovery commands (e.g., ‘dir’, ‘show flash’, ‘nvram:’) from CLI interfaces, especially by unauthorized users or from abnormal source IPs.

Log Sources
Data Component Name Channel
Command Execution (DC0064) networkdevice:syslog CLI Command Logging
Mutable Elements
Field Description
CommandWhitelist Filter allowed commands by account or IP
SessionOrigin Tunable to restrict detection to remote terminal or Telnet/SSH