Detection rules › Splunk
Remote Share Directory Listing - Windows (Windows Event Log)
Threat actors may seek to enumerate local administrative access on remote systems during reconnaissance activities. This use case detects commands to list files and directories on administrative shares (C$, Admin$, or IPC$). Note: dir and tree commands do not generate process creation logs and will only be detected if called with another executable, e.g. "cmd.exe /c dir".
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1083 File and Directory Discovery |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body yaml
id: '22624.40798'
title: Remote Share Directory Listing - Windows
description: 'Threat actors may seek to enumerate local administrative access on remote
systems during reconnaissance activities. This use case detects commands to list
files and directories on administrative shares (C$, Admin$, or IPC$). Note: dir
and tree commands do not generate process creation logs and will only be detected
if called with another executable, e.g. "cmd.exe /c dir".'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR
"<EventID>4688<" OR Type=Process) (TERM(dir) OR TERM(ls) OR TERM(Get-ChildItem)
OR TERM(gci) OR TERM(tree)) ("C$" OR "ADMIN$" OR "IPC$") | regex process="(?i)\x5c\x5c(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})\x5c(C|ADMIN|IPC)\$"
| table _time, host, user user, process, process_*, parent_process_* | bin span=1s
| stats values(*) as * by _time, host '
techniques:
- discovery:file and directory discovery
technique_id:
- T1083
data_category:
- Process command-line parameters
- Windows event logs
references:
- https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR "<EventID>4688<" OR Type=Process) (TERM(dir) OR TERM(ls) OR TERM(Get-ChildItem) OR TERM(gci) OR TERM(tree)) ("C$" OR "ADMIN$" OR "IPC$")
Stage 2: regex
| regex process="(?i)\x5c\x5c(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})\x5c(C|ADMIN|IPC)\$"
Stage 3: table
| table _time, host, user user, process, process_*, parent_process_*
Stage 4: bucket
| bin span=1s
Stage 5: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4688<" |
| 1 | TERM |
| 1 | dir |
| 1 | TERM |
| 1 | ls |
| 1 | "Get-ChildItem" |
| 1 | TERM |
| 1 | gci |
| 1 | TERM |
| 1 | tree |
| 1 | "C$" |
| 1 | "ADMIN$" |
| 1 | "IPC$" |