Home  >  APT29  >  Results  >  Elastic  >  File and Directory Discovery

Technique Results: File and Directory Discovery (T1083) Technique Page Information

The ATT&CK technique page displays all procedures used to test the technique, and their respective detections. The Procedure column contains a description of how the technique was tested . The Step column is where the procedure occurred in the operational flow. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by screenshots.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Vendor Configuration     All Results JSON Legend
Legend
Main Detection Categories: Detection Modifiers:

None

Telemetry

Indicator of
Compromise

General
Behavior

MSSP

General

Tactic

Specific
Behavior

Technique

Enrichment

Tainted

Alert

Correlated

Delayed

Host
Interrogation

Residual
Artifact

Configuration
Change

Innovative
Procedures Criteria Step
Detection Type Detection Notes
Searched filesystem for document and media files using PowerShell 
powershell.exe executing (Get-)ChildItem
2.A.1
Telemetry (Correlated)
Telemetry showed powershell.exe executing ChildItem. The event was correlated to a parent General detection for malicious file execution. [1]
Enumerated user's temporary directory path using PowerShell
powershell.exe executing $env:TEMP
4.C.1
Telemetry (Correlated)
Telemetry showed powershell.exe executing $env:TEMP. The event was correlated to a parent General detection for malicious file execution. [1]
Searched filesystem for document and media files using PowerShell
powershell.exe executing (Get-)ChildItem​
9.B.2
Telemetry (Correlated)
Telemetry showed powershell.exe executing ChildItem. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]
Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell
powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName
11.A.9
Telemetry
Telemetry showed PowerShell executing Get-Item for the current path. [1]
Enumerated the System32 directory using PowerShell
powershell.exe executing (gci ((gci env:windir).Value + '\system32')
12.A.1
General (Correlated, Alert)
A General alert detection for "Stealthy PowerShell Commands" (medium severity) was generated for PowerShell executing the timestomp function. The event was correlated to a parent General detection for a suspicious Windows script. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe enumerating System32. The event was correlated to a parent General detection for a suspicious Windows script. [1]