Detection rules › Splunk
File and Directory Discovery Output to File - Windows (PowerShell)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1083 File and Directory Discovery |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData. |
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Rule body yaml
id: '16818.27143'
title: File and Directory Discovery Output to File - Windows
description: 'Adversaries may enumerate files and directories or may search in specific
locations of a host or network share for certain information within a file system.
Adversaries may use the information from File and Directory Discovery during automated
discovery to shape follow-on behaviors, including whether or not the adversary fully
infects the target and/or attempts specific actions. -- Threat Actor Association:
APT28 (aka. Fancy Bear, Forest Blizzard, Strontium, Tsar Team) -- Atomics T1083
Test #1 Atomics T1083 Test #5'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4103) OR
"<EventID>4103<" OR TERM(EventCode=4104) OR "<EventID>4104<") (TERM(tree) OR TERM(dir)
OR TERM(Get-ChildItem) OR TERM(gci) OR TERM(ls) OR TERM(locate) OR TERM(find)) (TERM(>>)
OR ">>" OR TERM(Out-File)) | table _time, host, user process, process_*, parent_process_name
| bin span=1s | stats values(*) as * by _time, host '
techniques:
- discovery:file and directory discovery
technique_id:
- T1083
data_category:
- PowerShell logs
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md#atomic-test-1---file-and-directory-discovery-cmdexe
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4103) OR "<EventID>4103<" OR TERM(EventCode=4104) OR "<EventID>4104<") (TERM(tree) OR TERM(dir) OR TERM(Get-ChildItem) OR TERM(gci) OR TERM(ls) OR TERM(locate) OR TERM(find)) (TERM(>>) OR ">>" OR TERM(Out-File))
Stage 2: table
| table _time, host, user process, process_*, parent_process_name
Stage 3: bucket
| bin span=1s
Stage 4: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4103<" |
| 1 | TERM |
| 1 | "<EventID>4104<" |
| 1 | TERM |
| 1 | tree |
| 1 | TERM |
| 1 | dir |
| 1 | "Get-ChildItem" |
| 1 | TERM |
| 1 | gci |
| 1 | TERM |
| 1 | ls |
| 1 | TERM |
| 1 | locate |
| 1 | TERM |
| 1 | find |
| 1 | ">>" |
| 1 | ">>" |
| 1 | "Out-File" |