Esc
File and Directory Discovery - T1083

(ATT&CK® Technique)
Definition

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1083["File and Directory Discovery"] --> |accesses| Directory["Directory"]; class T1083 OffensiveTechniqueNode;
        class Directory ArtifactNode; click Directory href "../../../dao/artifact/d3f:Directory";
        click T1083 href "../../../offensive-technique/attack/T1083/"; click Directory href "../../../dao/artifact/d3f:Directory"; T1083["File and Directory Discovery"] --> |accesses| File["File"]; class T1083 OffensiveTechniqueNode;
        class File ArtifactNode; click File href "../../../dao/artifact/d3f:File";
        click T1083 href "../../../offensive-technique/attack/T1083/"; click File href "../../../dao/artifact/d3f:File";                          FileEviction["File Eviction"] -->
          | deletes | File["File"];

          FileEviction["File Eviction"] -.->
            | may-evict | T1083["File and Directory Discovery"] ;
          class FileEviction DefensiveTechniqueNode;
          class File ArtifactNode;
          click FileEviction href "../../../technique/d3f:FileEviction"; FileEncryption["File Encryption"] -->
          | encrypts | File["File"];

          FileEncryption["File Encryption"] -.->
            | may-harden | T1083["File and Directory Discovery"] ;
          class FileEncryption DefensiveTechniqueNode;
          class File ArtifactNode;
          click FileEncryption href "../../../technique/d3f:FileEncryption";                           FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | File["File"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | may-detect | T1083["File and Directory Discovery"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class File ArtifactNode;
          click FileIntegrityMonitoring href "../../../technique/d3f:FileIntegrityMonitoring";              DecoyFile["Decoy File"] -->
          | spoofs | File["File"];

          DecoyFile["Decoy File"] -.->
            | may-deceive | T1083["File and Directory Discovery"] ;
          class DecoyFile DefensiveTechniqueNode;
          class File ArtifactNode;
          click DecoyFile href "../../../technique/d3f:DecoyFile"; ContentQuarantine["Content Quarantine"] -->
          | quarantines | File["File"];

          ContentQuarantine["Content Quarantine"] -.->
            | may-isolate | T1083["File and Directory Discovery"] ;
          class ContentQuarantine DefensiveTechniqueNode;
          class File ArtifactNode;
          click ContentQuarantine href "../../../technique/d3f:ContentQuarantine"; ContentModification["Content Modification"] -->
          | modifies | File["File"];

          ContentModification["Content Modification"] -.->
            | may-isolate | T1083["File and Directory Discovery"] ;
          class ContentModification DefensiveTechniqueNode;
          class File ArtifactNode;
          click ContentModification href "../../../technique/d3f:ContentModification";                                        LocalFilePermissions["Local File Permissions"] -->
          | restricts | File["File"];

          LocalFilePermissions["Local File Permissions"] -.->
            | may-isolate | T1083["File and Directory Discovery"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class File ArtifactNode;
          click LocalFilePermissions href "../../../technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] -->
          | restricts | Directory["Directory"];

          
          class LocalFilePermissions DefensiveTechniqueNode;
          class Directory ArtifactNode;
          click LocalFilePermissions href "../../../technique/d3f:LocalFilePermissions"; RestoreFile["Restore File"] -->
          | restores | File["File"];

          RestoreFile["Restore File"] -.->
            | may-restore | T1083["File and Directory Discovery"] ;
          class RestoreFile DefensiveTechniqueNode;
          class File ArtifactNode;
          click RestoreFile href "../../../technique/d3f:RestoreFile";                                        RemoteFileAccessMediation["Remote File Access Mediation"] -->
          | isolates | File["File"];

          RemoteFileAccessMediation["Remote File Access Mediation"] -.->
            | may-isolate | T1083["File and Directory Discovery"] ;
          class RemoteFileAccessMediation DefensiveTechniqueNode;
          class File ArtifactNode;
          click RemoteFileAccessMediation href "../../../technique/d3f:RemoteFileAccessMediation";        ContentFiltering["Content Filtering"] -->
          | filters | File["File"];

          ContentFiltering["Content Filtering"] -.->
            | may-isolate | T1083["File and Directory Discovery"] ;
          class ContentFiltering DefensiveTechniqueNode;
          class File ArtifactNode;
          click ContentFiltering href "../../../technique/d3f:ContentFiltering"; FileAnalysis["File Analysis"] -->
          | analyzes | File["File"];

          FileAnalysis["File Analysis"] -.->
            | may-detect | T1083["File and Directory Discovery"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class File ArtifactNode;
          click FileAnalysis href "../../../technique/d3f:FileAnalysis";
json