Discovery (TA0007)

Technique: T1083 - File and Directory Discovery

Objective: Detect reconnaissance activities aimed at discovering sensitive files and directories.

  1. Detect Directory Listing Commands

// Basic search: process launches whose command line carries a directory-listing token.
// `has` is term-based, so "dir" / "ls" also match a path segment such as C:\dir\... — expect noise.
DeviceProcessEvents
| where ProcessCommandLine has "dir" or ProcessCommandLine has "ls"
| project
    Timestamp,
    DeviceName,
    ProcessCommandLine,
    InitiatingProcessAccountName,
    InitiatingProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessFolderPath,
    InitiatingProcessParentFileName

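// Advanced search: the same listing commands, enriched with a per-device count of network
// events initiated by common shells, consoles and Office hosts (a coarse "did this host
// also talk on the network" signal, not a per-event correlation).
DeviceProcessEvents
| where ProcessCommandLine has_any ("dir", "ls")
// FileName is the image that was launched. The original derived this by splitting the
// command line on spaces (breaks on quoted paths containing spaces) and wrote it over the
// real InitiatingProcessFileName, which is the parent image; both are now reported separately.
| extend ExecutedImage = FileName
| join kind=leftouter (
    DeviceNetworkEvents
    // "dir" and "ls" are shell builtins, never an image name, so those two entries never match.
    // The count spans the whole query window, not just the time around each process event.
    | where InitiatingProcessFileName has_any ("dir", "ls", "powershell", "cmd", "explorer", "taskmgr", "regedit", "notepad", "msconfig", "services", "mmc", "control", "winword", "excel", "outlook")
    | summarize NetworkEventCount = count() by DeviceName
) on DeviceName
// Devices without matching network events come back null from the left outer join; report 0.
| project
    Timestamp,
    DeviceName,
    ProcessCommandLine,
    InitiatingProcessAccountName,
    ExecutedImage,
    InitiatingProcessFileName,
    NetworkEventCount = coalesce(NetworkEventCount, 0)
| order by Timestamp desc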

Purpose: Identify commands used to list directory contents.

  2. Monitor Access to Sensitive Directories

// Basic search: file events under the user-profile, System32 and ProgramData trees.
// These three prefixes cover most file activity on a Windows host, so this is a broad
// baseline query rather than an alert.
DeviceFileEvents
| where FolderPath has "C:\\Users"
    or FolderPath has "C:\\Windows\\System32"
    or FolderPath has "C:\\ProgramData"
| project Timestamp, DeviceName, FileName, FolderPath

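// Advanced search: the same path filter, enriched with a per-device count of network
// events initiated by common shells, consoles and Office hosts.
DeviceFileEvents
| where FolderPath has_any ("C:\\Users", "C:\\Windows\\System32", "C:\\ProgramData")
// DeviceFileEvents has no ProcessCommandLine column (only InitiatingProcessCommandLine),
// so the original `extend ... split(ProcessCommandLine, ...)` failed to resolve.
// InitiatingProcessFileName is already a native column of this table and is used as-is.
| join kind=leftouter (
    DeviceNetworkEvents
    // "dir" and "ls" are shell builtins, never an image name, so those two entries never match.
    | where InitiatingProcessFileName has_any ("dir", "ls", "powershell", "cmd", "explorer", "taskmgr", "regedit", "notepad", "msconfig", "services", "mmc", "control", "winword", "excel", "outlook")
    | summarize NetworkEventCount = count() by DeviceName
) on DeviceName
// ActionType says what kind of file operation was recorded; the join yields null for
// devices with no matching network events, reported here as 0.
| project
    Timestamp,
    DeviceName,
    ActionType,
    FileName,
    FolderPath,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    NetworkEventCount = coalesce(NetworkEventCount, 0)
| order by Timestamp desc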

Purpose: Detect access to directories likely to contain sensitive information.

  3. Detect Searches for Specific File Types

// Basic search: file events on plain-text and Word documents.
// `endswith` is case-insensitive, so ".TXT" and ".Docx" are matched as well.
DeviceFileEvents
| extend IsWatchedType = FileName endswith ".txt" or FileName endswith ".docx"
| where IsWatchedType
| project Timestamp, DeviceName, FileName, FolderPath

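// Advanced search: the same extension filter, enriched with a per-device count of network
// events initiated by common shells, consoles and Office hosts.
DeviceFileEvents
| where FileName endswith ".txt" or FileName endswith ".docx"
// DeviceFileEvents has no ProcessCommandLine column (only InitiatingProcessCommandLine),
// so the original `extend ... split(ProcessCommandLine, ...)` failed to resolve.
// InitiatingProcessFileName is already a native column of this table and is used as-is.
| join kind=leftouter (
    DeviceNetworkEvents
    // "dir" and "ls" are shell builtins, never an image name, so those two entries never match.
    | where InitiatingProcessFileName has_any ("dir", "ls", "powershell", "cmd", "explorer", "taskmgr", "regedit", "notepad", "msconfig", "services", "mmc", "control", "winword", "excel", "outlook")
    | summarize NetworkEventCount = count() by DeviceName
) on DeviceName
// Null NetworkEventCount (no matching network events on the device) is reported as 0.
| project
    Timestamp,
    DeviceName,
    ActionType,
    FileName,
    FolderPath,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    NetworkEventCount = coalesce(NetworkEventCount, 0)
| order by Timestamp desc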

Purpose: Monitor searches for file types that may contain sensitive data.

  4. Identify Access to Security Configuration Files

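// Basic search: file events on the Local Security Policy and Group Policy editor consoles.
// `in` is case-sensitive in KQL while NTFS file names are not, so "Secpol.msc" would have been
// missed; `in~` compares case-insensitively.
// NOTE(review): DeviceFileEvents records create/modify/delete/rename style actions, not file
// opens — an analyst launching one of these consoles is more likely to surface in
// DeviceProcessEvents (mmc.exe with the .msc name on its command line). Confirm which signal
// is wanted before relying on this query alone.
DeviceFileEvents
| where FileName in~ ("secpol.msc", "gpedit.msc")
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName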

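// Advanced search: the same console-file filter, enriched with a per-device count of network
// events initiated by common shells, consoles and Office hosts.
DeviceFileEvents
// `in~` is case-insensitive; `in` would silently miss "Secpol.msc".
| where FileName in~ ("secpol.msc", "gpedit.msc")
// DeviceFileEvents has no ProcessCommandLine column (only InitiatingProcessCommandLine),
// so the original `extend ... split(ProcessCommandLine, ...)` failed to resolve.
// InitiatingProcessFileName is already a native column of this table and is used as-is.
| join kind=leftouter (
    DeviceNetworkEvents
    // "dir" and "ls" are shell builtins, never an image name, so those two entries never match.
    | where InitiatingProcessFileName has_any ("dir", "ls", "powershell", "cmd", "explorer", "taskmgr", "regedit", "notepad", "msconfig", "services", "mmc", "control", "winword", "excel", "outlook")
    | summarize NetworkEventCount = count() by DeviceName
) on DeviceName
// Null NetworkEventCount (no matching network events on the device) is reported as 0.
| project
    Timestamp,
    DeviceName,
    ActionType,
    FileName,
    FolderPath,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    NetworkEventCount = coalesce(NetworkEventCount, 0)
| order by Timestamp desc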

Purpose: Detect access to files used to configure security settings.

  5. Monitor for Password Files

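// Basic search: file events on files whose name suggests stored secrets.
// `has` matches whole terms only, so "passwords.txt" or "credential.xml" were missed by the
// original `has_any ("password", "credentials")`; `contains` is a case-insensitive substring
// match and catches those variants (it is a superset of the original results).
DeviceFileEvents
| where FileName contains "password" or FileName contains "credential"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName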

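// Advanced search: the same secret-name filter, enriched with a per-device count of network
// events initiated by common shells, consoles and Office hosts.
DeviceFileEvents
// `contains` (substring) instead of `has` (whole term) so "passwords.txt" and
// "credential.xml" are not missed.
| where FileName contains "password" or FileName contains "credential"
// DeviceFileEvents has no ProcessCommandLine column (only InitiatingProcessCommandLine),
// so the original `extend ... split(ProcessCommandLine, ...)` failed to resolve.
// InitiatingProcessFileName is already a native column of this table and is used as-is.
| join kind=leftouter (
    DeviceNetworkEvents
    // "dir" and "ls" are shell builtins, never an image name, so those two entries never match.
    | where InitiatingProcessFileName has_any ("dir", "ls", "powershell", "cmd", "explorer", "taskmgr", "regedit", "notepad", "msconfig", "services", "mmc", "control", "winword", "excel", "outlook")
    | summarize NetworkEventCount = count() by DeviceName
) on DeviceName
// Null NetworkEventCount (no matching network events on the device) is reported as 0.
| project
    Timestamp,
    DeviceName,
    ActionType,
    FileName,
    FolderPath,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    NetworkEventCount = coalesce(NetworkEventCount, 0)
| order by Timestamp desc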

Purpose: Identify attempts to locate files that may contain passwords.

  6. Detect Excessive Access to Network Shares

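// Basic search: endpoint-to-(LocalIP, RemoteIP) pairs with an unusually high number of
// outbound SMB (TCP/445) connections in the query window.
DeviceNetworkEvents
| where RemotePort == 445
// The aggregate must be named: an aggregation function cannot be referenced from a later
// `where`, so the original `| where count() > 50` does not compile. The grouping is kept as
// (RemoteIP, LocalIP); the device names and time span are carried along as aggregates.
| summarize
    ConnectionCount = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Devices = make_set(DeviceName, 10)
    by RemoteIP, LocalIP
// Threshold of 50 is a tuning knob, not a measured baseline — adjust per environment.
| where ConnectionCount > 50
| order by ConnectionCount desc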

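// Advanced search: the same SMB-volume filter, attributed to the device and enriched with a
// per-device count of file events initiated by common shells, consoles and Office hosts.
// The original could not run: `where count() > 50` is not valid after summarize, the summarize
// dropped DeviceName/Timestamp that the join and project then referenced, and
// DeviceNetworkEvents has no ProcessCommandLine column.
DeviceNetworkEvents
| where RemotePort == 445
// DeviceName is kept in the group-by so the result can be joined; the initiating images are
// collected instead of being derived by splitting a command line.
| summarize
    ConnectionCount = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    InitiatingImages = make_set(InitiatingProcessFileName, 20)
    by DeviceName, LocalIP, RemoteIP
// Threshold of 50 is a tuning knob, not a measured baseline — adjust per environment.
| where ConnectionCount > 50
| join kind=leftouter (
    DeviceFileEvents
    // "dir" and "ls" are shell builtins, never an image name, so those two entries never match.
    | where InitiatingProcessFileName has_any ("dir", "ls", "powershell", "cmd", "explorer", "taskmgr", "regedit", "notepad", "msconfig", "services", "mmc", "control", "winword", "excel", "outlook")
    | summarize FileEventCount = count() by DeviceName
) on DeviceName
// NOTE(review): this is the client side of SMB. Share access as seen by the file server is
// recorded in DeviceFileEvents (ShareName / RequestSourceIP) — confirm which side is wanted.
| project
    LastSeen,
    FirstSeen,
    DeviceName,
    LocalIP,
    RemoteIP,
    ConnectionCount,
    InitiatingImages,
    FileEventCount = coalesce(FileEventCount, 0)
| order by LastSeen desc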

Purpose: Monitor excessive access to network shares.

  7. Detect Access to Administrator Directories

// Basic search: file events anywhere under the built-in Administrator profile.
// `has` is a term-phrase match, so it also covers renamed profiles such as
// C:\Users\Administrator.DOMAIN.
DeviceFileEvents
| extend InAdminProfile = FolderPath has "C:\\Users\\Administrator"
| where InAdminProfile
| project Timestamp, DeviceName, FileName, FolderPath

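// Advanced search: the same Administrator-profile filter, enriched with a per-device count of
// network events initiated by common shells, consoles and Office hosts.
DeviceFileEvents
| where FolderPath has "C:\\Users\\Administrator"
// DeviceFileEvents has no ProcessCommandLine column (only InitiatingProcessCommandLine),
// so the original `extend ... split(ProcessCommandLine, ...)` failed to resolve.
// InitiatingProcessFileName is already a native column of this table and is used as-is.
| join kind=leftouter (
    DeviceNetworkEvents
    // "dir" and "ls" are shell builtins, never an image name, so those two entries never match.
    | where InitiatingProcessFileName has_any ("dir", "ls", "powershell", "cmd", "explorer", "taskmgr", "regedit", "notepad", "msconfig", "services", "mmc", "control", "winword", "excel", "outlook")
    | summarize NetworkEventCount = count() by DeviceName
) on DeviceName
// Null NetworkEventCount (no matching network events on the device) is reported as 0.
| project
    Timestamp,
    DeviceName,
    ActionType,
    FileName,
    FolderPath,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    NetworkEventCount = coalesce(NetworkEventCount, 0)
| order by Timestamp desc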

Purpose: Identify access to administrator directories.

  8. Monitor for Hidden File Access

//Basic Search
// File events on files carrying the Hidden attribute.
// NOTE(review): FileAttributes is not among the DeviceFileEvents columns I can account for —
// confirm it exists in this tenant's schema before relying on the query.
DeviceFileEvents
| extend IsHidden = FileAttributes has "Hidden"
| where IsHidden
| project Timestamp, DeviceName, FileName, FolderPath

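// Advanced search: the same Hidden-attribute filter, enriched with a per-device count of
// network events initiated by common shells, consoles and Office hosts.
// NOTE(review): FileAttributes is not among the DeviceFileEvents columns I can account for —
// confirm it exists in this tenant's schema before relying on the query.
DeviceFileEvents
| where FileAttributes has "Hidden"
// DeviceFileEvents has no ProcessCommandLine column (only InitiatingProcessCommandLine),
// so the original `extend ... split(ProcessCommandLine, ...)` failed to resolve.
// InitiatingProcessFileName is already a native column of this table and is used as-is.
| join kind=leftouter (
    DeviceNetworkEvents
    // "dir" and "ls" are shell builtins, never an image name, so those two entries never match.
    | where InitiatingProcessFileName has_any ("dir", "ls", "powershell", "cmd", "explorer", "taskmgr", "regedit", "notepad", "msconfig", "services", "mmc", "control", "winword", "excel", "outlook")
    | summarize NetworkEventCount = count() by DeviceName
) on DeviceName
// Null NetworkEventCount (no matching network events on the device) is reported as 0.
| project
    Timestamp,
    DeviceName,
    ActionType,
    FileName,
    FolderPath,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    NetworkEventCount = coalesce(NetworkEventCount, 0)
| order by Timestamp desc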

Purpose: Detect attempts to access hidden files.

  9. Detect Access to Backup Directories

// Basic search: file events whose folder path contains the term "Backup" anywhere.
// `has` is case-insensitive and term-based, so "backup", "Backups\..." and "..\Backup\..."
// all match, while "BackupAgent" (a single term) does not.
DeviceFileEvents
| extend InBackupPath = FolderPath has "Backup"
| where InBackupPath
| project Timestamp, DeviceName, FileName, FolderPath

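// Advanced search: the same "Backup" path filter, enriched with a per-device count of
// network events initiated by common shells, consoles and Office hosts.
DeviceFileEvents
| where FolderPath has "Backup"
// DeviceFileEvents has no ProcessCommandLine column (only InitiatingProcessCommandLine),
// so the original `extend ... split(ProcessCommandLine, ...)` failed to resolve.
// InitiatingProcessFileName is already a native column of this table and is used as-is.
| join kind=leftouter (
    DeviceNetworkEvents
    // "dir" and "ls" are shell builtins, never an image name, so those two entries never match.
    | where InitiatingProcessFileName has_any ("dir", "ls", "powershell", "cmd", "explorer", "taskmgr", "regedit", "notepad", "msconfig", "services", "mmc", "control", "winword", "excel", "outlook")
    | summarize NetworkEventCount = count() by DeviceName
) on DeviceName
// Null NetworkEventCount (no matching network events on the device) is reported as 0.
| project
    Timestamp,
    DeviceName,
    ActionType,
    FileName,
    FolderPath,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    NetworkEventCount = coalesce(NetworkEventCount, 0)
| order by Timestamp desc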

Purpose: Identify access to backup directories.

  10. Detect Enumeration of Program Files Directory

// Basic search: file events under C:\Program Files.
// `has` is a term-phrase match on "Program Files", so "C:\Program Files (x86)" matches too.
// Installer and updater activity lives here, so expect a high benign volume.
DeviceFileEvents
| extend InProgramFiles = FolderPath has "C:\\Program Files"
| where InProgramFiles
| project Timestamp, DeviceName, FileName, FolderPath

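// Advanced search: the same Program Files filter, enriched with a per-device count of
// network events initiated by common shells, consoles, browsers, script hosts and Office apps.
DeviceFileEvents
| where FolderPath has "C:\\Program Files"
// DeviceFileEvents has no ProcessCommandLine column (only InitiatingProcessCommandLine),
// so the original `extend ... split(ProcessCommandLine, ...)` failed to resolve.
// InitiatingProcessFileName is already a native column of this table and is used as-is.
| join kind=leftouter (
    DeviceNetworkEvents
    // "dir" and "ls" are shell builtins, never an image name, so those two entries never match.
    // This list is wider than in the other sections (browsers, svchost, script hosts), so the
    // count here is not comparable with the NetworkEventCount of the earlier queries.
    | where InitiatingProcessFileName has_any ("dir", "ls", "powershell", "cmd", "explorer", "taskmgr", "regedit", "notepad", "msconfig", "services", "mmc", "control", "winword", "excel", "outlook", "chrome", "firefox", "edge", "svchost", "wscript", "cscript", "schtasks", "wmic")
    | summarize NetworkEventCount = count() by DeviceName
) on DeviceName
// Null NetworkEventCount (no matching network events on the device) is reported as 0.
| project
    Timestamp,
    DeviceName,
    ActionType,
    FileName,
    FolderPath,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    NetworkEventCount = coalesce(NetworkEventCount, 0)
| order by Timestamp desc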

Purpose: Monitor attempts to enumerate the Program Files directory.
