T1083 is among the techniques with the highest number of documented procedure examples in the MITRE ATT&CK knowledge base. Over 300 malware families and threat groups have been observed using file and directory discovery, spanning espionage operations, ransomware campaigns, financially motivated crime, and destructive wipers. Its near-universal adoption reflects a fundamental truth about cyberattacks: every adversary, regardless of motivation or sophistication, needs to understand the target filesystem before acting on objectives. The technique appears across every platform — Windows, Linux, macOS, ESXi, and network devices — and has no sub-techniques, because the variations in how it is implemented are procedural rather than structural.
T1083 falls under the Discovery tactic (TA0007). Discovery techniques do not cause direct harm. They do not exfiltrate data, escalate privileges, or encrypt files. Instead, they provide the situational awareness that informs every subsequent phase of an attack. When a ransomware payload enumerates files before encryption, when an infostealer searches the Desktop and Documents folders for PDFs and spreadsheets, when an APT implant catalogs the contents of a network share to identify high-value intelligence targets — all of these are T1083 in action.
The detection challenge is significant. File and directory enumeration is among the noisiest categories of legitimate activity on any system. Administrators use dir and ls constantly. Backup software scans every directory on every drive. Search indexers walk the entire filesystem on a schedule. EDR tools themselves enumerate files as part of their detection logic. This makes T1083 a high-volume, high-false-positive detection target where context — who is running the command, from what process, targeting which directories, and at what time — matters far more than the raw event.
How File and Directory Discovery Works
The technique is straightforward in concept: adversaries enumerate files and directories to understand the target environment. The implementation varies enormously depending on the platform, the attacker's tooling, and their objectives. There are several distinct patterns of file and directory discovery that defenders should understand.
Command-Line Enumeration
Windows. The dir command is the workhorse. Adversaries frequently run recursive directory listings to map entire drives: dir /s /a c:\ dumps the full contents of the C: drive, including hidden and system files, into a format that can be piped to a file for later exfiltration. The tree command provides a hierarchical view of directory structures. forfiles allows adversaries to search for files by extension, modification date, or size — APT28 (Fancy Bear) has been observed using forfiles to locate PDF, Excel, and Word documents on compromised systems. The where command can locate specific binaries across the PATH.
Linux and macOS. The find command is the most versatile discovery tool available, allowing adversaries to search by name, extension, modification time, size, permissions, and owner. A single command like find / -name "*.pdf" -o -name "*.docx" 2>/dev/null can identify every document on the system while suppressing permission errors. The ls command with the -laR flags provides recursive listings with full metadata. locate queries a pre-built database of file paths, returning results almost instantly. tree gives a visual directory hierarchy. On macOS specifically, adversaries may use mdfind to query the Spotlight index for fast file discovery.
Network devices. Adversaries who have gained access to routers, switches, or firewalls use device-specific CLI commands to enumerate the filesystem. On Cisco devices, dir and show flash list the stored firmware images, configuration backups, and log files. On Fortinet appliances, similar commands expose configuration exports and VPN credential stores.
PowerShell and Scripting
PowerShell's Get-ChildItem cmdlet (aliased as gci, ls, and dir) provides rich file discovery capabilities with built-in filtering, recursion, and pipeline integration. Adversaries use it to enumerate specific file types across entire directory trees: Get-ChildItem -Path C:\ -Recurse -Include *.pdf,*.docx,*.xlsx -ErrorAction SilentlyContinue. PowerShell Script Block Logging captures these commands in full, making it one of the strongest detection data sources for T1083 on Windows. The MAZE ransomware family was documented using PowerShell specifically for directory enumeration before launching its encryption routine.
Native API Calls
Sophisticated malware bypasses command-line tools entirely and interacts directly with the operating system's Native API. On Windows, functions like FindFirstFile, FindNextFile, GetFileAttributesW, FindFirstVolumeW, and FindNextVolumeW allow malware to enumerate files, directories, and disk volumes without spawning a child process. This approach is harder to detect through process monitoring because no cmd.exe or powershell.exe is involved — the file enumeration happens entirely within the malware's own process. Ransomware families including Akira, Black Basta, and Embargo use these native functions extensively to identify files for encryption while avoiding behavioral detection rules that trigger on shell commands.
Targeted File Searches
Rather than enumerating entire filesystems, many threat actors search for specific file types that align with their objectives. Espionage-focused groups like Kimsuky (APT43) search for .hwp (Hangul Word Processor), .pdf, .doc, and .ppt files that are likely to contain intelligence value. The AppleSeed backdoor, attributed to Kimsuky, has the ability to search specified directories for exactly these file types. Financial crime groups search for cryptocurrency wallet files (wallet.dat), browser credential stores, and SSH keys. Ransomware enumerates files to build encryption target lists while excluding system files that would render the machine unbootable.
Why T1083 Matters in the Attack Lifecycle
File and directory discovery serves different strategic purposes depending on where it falls in the attack chain.
Pre-encryption reconnaissance (ransomware). Every modern ransomware family performs file discovery before encryption. The malware needs to identify which files to encrypt, which to skip (system files, its own components), and which drives and volumes are available. Ransomware families like LockBit, Black Basta, Clop, and Medusa all implement file enumeration routines that traverse local drives, mounted volumes, and accessible network shares. The Embargo ransomware iterates device volumes using FindFirstVolumeW() and FindNextVolumeW(), then calls GetVolumePathNamesForVolumeNameW() to retrieve drive letters and mount points for each volume. This is T1083 in service of T1486 (Data Encrypted for Impact).
Intelligence collection (espionage). State-sponsored groups use file discovery to locate documents with intelligence value. COLDRIVER (Star Blizzard), a Russian government-backed threat group attributed to the FSB, deployed the LOSTKEYS malware in 2025 to steal files from a hard-coded list of extensions and directories. Targets included advisors to Western governments and militaries, journalists, think tanks, and NGOs connected to Ukraine. The malware functioned as a targeted file vacuum, scanning specific directories for specific file types and exfiltrating matches to attacker-controlled infrastructure.
Anti-analysis and environment profiling. Malware commonly enumerates directories to detect security software, virtual machines, or sandbox environments. Checking for the existence of directories like C:\Program Files\VMware\, C:\agent\, or AV-specific installation paths allows malware to determine whether it is running in a real target environment or an analyst's sandbox. The Amadey botnet has been observed searching for folders associated with antivirus software specifically to identify and evade security controls.
Destructive operations (wipers). Wiper malware uses file discovery to identify targets for destruction. AcidPour, a wiper targeting Linux-based embedded devices observed in Ukraine in 2024, identified specific files and directories corresponding to storage devices before initiating its wiping routine. HermeticWiper, deployed against Ukrainian organizations in February 2022, enumerated common folders such as My Documents, Desktop, and AppData before overwriting their contents.
Real-World Case Studies
COLDRIVER / LOSTKEYS — Targeted File Theft from Western Targets (2025)
Google's Threat Intelligence Group (GTIG) identified the LOSTKEYS malware in campaigns observed in January, March, and April 2025, attributed to COLDRIVER (also tracked as UNC4057, Star Blizzard, and Callisto). The infection chain began with a fake CAPTCHA lure page that tricked victims into pasting and executing PowerShell commands — a technique known as ClickFix. The multi-stage delivery chain ultimately installed LOSTKEYS, a VBS-based malware designed specifically for file discovery and exfiltration.
LOSTKEYS was configured with hard-coded lists of file extensions and directories to search. Once executed, it scanned the target machine, collected matching files along with system information and running process lists, and transmitted everything to attacker-controlled command-and-control servers. Targets included current and former advisors to Western governments and militaries, journalists, think tanks, NGOs, and individuals connected to Ukraine. When GTIG published its findings in May 2025, COLDRIVER abandoned LOSTKEYS within five days and deployed three new malware families — NOROBOT, YESROBOT, and MAYBEROBOT — demonstrating the group's aggressive development tempo and ability to rapidly retool when exposed.
Lazarus Group — Multi-Platform File Enumeration for Espionage and Theft
North Korea's Lazarus Group has demonstrated persistent use of T1083 across decades of campaigns spanning espionage, cryptocurrency theft, and destructive attacks. Lazarus malware routinely enumerates files and directories to identify targets for exfiltration, using a common function that identifies files by their extension. In the Operation GhostSecret campaign, Lazarus deployed tools that gathered information for all connected drives and searched for files matching predefined extension lists. Their Destover-like variants include dedicated file listing capabilities that enumerate every connected drive and feed results back to C2 infrastructure.
The InvisibleFerret malware, deployed through the Contagious Interview campaign (also attributed to North Korean actors), takes file discovery a step further. It uses cross-platform scripts that match on file names and extensions while skipping certain paths, scanning Windows, macOS, and Linux systems for files of interest. On Windows, InvisibleFerret uses findstr to search for files; on macOS, it uses the native find command. The malware's ssh_upload command includes dedicated subcommands (.sdira, sdir, sfile, sfinda, sfindr, sfind) specifically for directory and file discovery operations.
BlackCat (ALPHV) — DirLister for Pre-Encryption Reconnaissance
The BlackCat ransomware operation has been observed using a utility called DirLister to create comprehensive lists of accessible directories and files on target systems before initiating encryption. DirLister is a lightweight tool designed for rapid filesystem enumeration, producing output that operators can review to understand the scope of available data and identify high-value targets. This pre-encryption reconnaissance allows BlackCat operators to make informed decisions about which systems to encrypt, what data to prioritize for exfiltration (as part of their double-extortion model), and whether the target is worth the operational risk. The use of a dedicated tool rather than built-in commands reflects the professionalization of ransomware operations, where purpose-built utilities are deployed for each phase of the attack.
Medusa Ransomware — Systematic File Enumeration for Double Extortion
The Medusa ransomware group, which escalated operations significantly through 2025, uses systematic file discovery to support its double-extortion model. According to a joint advisory from CISA, FBI, and MS-ISAC published in March 2025, Medusa searches the victim environment for files suitable for both encryption and exfiltration. The malware identifies files associated with remote management services as part of its reconnaissance, ensuring it can disable or evade administrative tools before beginning encryption. Medusa's file discovery is not limited to local drives — the group searches across network shares and mounted volumes to maximize the scope of impact and the volume of data available for extortion.
Gamaredon Group — Automated Document Discovery in Ukraine
Russia's Gamaredon Group (also known as Primitive Bear or Shuckworm), which has relentlessly targeted Ukrainian government and military organizations, demonstrates aggressive automated file discovery. Their backdoors automatically list files of interest found on compromised systems, with a particular focus on Office documents. Gamaredon's malware also scans for Microsoft Word and Excel files specifically to inject them with additional malicious macros, turning T1083 (Discovery) into a vector for T1080 (Taint Shared Content). Their GammaSteele tool identifies directory trees, folders, and files across the compromised host as part of a comprehensive data collection operation designed to vacuum up intelligence from Ukrainian government networks.
Detection Strategies
Detecting T1083 is fundamentally different from detecting techniques like process injection or credential dumping. The commands and API calls used for file discovery are entirely legitimate and occur constantly in normal operations. Effective detection requires contextual analysis: who is running the enumeration, from what process lineage, targeting which directories, and whether the pattern of activity matches known-good behavior for that user or system.
T1083 detection rules will generate significant noise in environments where administrators, backup software, search indexers, and deployment tools routinely enumerate files. Baseline your environment thoroughly before deploying these rules in alerting mode. Start with logging and analysis, establish normal patterns, then tune detection thresholds based on observed behavior.
Key Monitoring Points
| Data Source | What to Monitor | Detection Logic |
|---|---|---|
| Sysmon Event ID 1 (Process Creation) | Command-line arguments for file enumeration | Flag dir /s, tree, forfiles, where executions with recursive flags, especially when the parent process is cmd.exe or powershell.exe spawned by an unusual parent |
| PowerShell Script Block Logging (Event ID 4104) | Get-ChildItem with -Recurse and file type filters | Flag scripts that enumerate broad directory trees while filtering for document extensions (.pdf, .docx, .xlsx, .pptx) or credential files (wallet.dat, .kdbx, id_rsa) |
| Sysmon Event ID 1 — Linux | find, ls -R, locate, tree executions | Flag find commands targeting the root filesystem or home directories with extension-based filters, recursive ls from non-interactive shells, and locate with broad search patterns |
| Windows API Monitoring / EDR | FindFirstFile / FindNextFile call frequency | Flag processes that make an unusually high volume of file enumeration API calls in a short time window, especially unsigned binaries or processes running from user-writable directories |
| Sysmon Event ID 1 | Enumeration output redirected to files | Flag dir or ls output piped to temp files (>> %temp%\*.tmp), which indicates the adversary is staging discovery results for later collection |
| EDR / Process Telemetry | File enumeration from unexpected process lineage | Flag file discovery commands spawned by rundll32.exe, regsvr32.exe, mshta.exe, or other LOLBins that would not normally enumerate files |
| Network Traffic | Large directory listing transfers to C2 | Monitor for outbound transfers containing directory listing artifacts (sequential file paths, known extension patterns) to external infrastructure |
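Added example, not code from the page or from any vendor product: a Python triage routine that applies the context rules in the table above to constructed Sysmon Event ID 1 and PowerShell 4104 records, scoring recursion, staging of output to temp paths, document or credential filters, LOLBin parent lineage, and a baselined backup account. The field names and the baselined account set are assumptions.

```python
"""Score command-line telemetry for T1083 context indicators."""
import re
from dataclasses import dataclass, field

# Constructed sample telemetry (not from a real host). Field names mirror the
# Splunk fields used in the queries on this page; values are invented.
SAMPLE_EVENTS = [
    {"EventCode": 1, "user": "CORP\\svc_backup", "process_name": "cmd.exe",
     "parent_process_name": "backupagent.exe",
     "CommandLine": r'cmd.exe /c dir /s /a D:\ > D:\backup\manifest.txt'},
    {"EventCode": 1, "user": "CORP\\jdoe", "process_name": "cmd.exe",
     "parent_process_name": "mshta.exe",
     "CommandLine": r'cmd.exe /c dir /s /a c:\ >> %temp%\out.tmp'},
    {"EventCode": 4104, "user": "CORP\\jdoe", "process_name": "powershell.exe",
     "parent_process_name": "explorer.exe",
     "CommandLine": r'Get-ChildItem -Path C:\Users -Recurse -Include *.pdf,*.docx,*.kdbx '
                    r'-ErrorAction SilentlyContinue | Out-File $env:TEMP\docs.txt'},
    {"EventCode": 1, "user": "CORP\\admin1", "process_name": "cmd.exe",
     "parent_process_name": "explorer.exe",
     "CommandLine": r'cmd.exe /c dir C:\Users\admin1\Documents'},
]

# Recursive enumeration across the command-line tools named on this page.
RECURSIVE = re.compile(r"(?i)(\bdir\b.*\s/s\b|\btree\b.*\s/f\b|\bforfiles\b|-Recurse\b|\bls\s+-[a-z]*R)")
# Output redirected into a temp or user-writable location (staging for collection).
REDIRECT_TO_STAGING = re.compile(r"(?i)(>>?|Out-File|Tee-Object).*?(temp|tmp|appdata|public|downloads)")
# Filters for document types and credential files commonly targeted.
SENSITIVE_EXT = re.compile(r"(?i)\*?\.(pdf|docx?|xlsx?|pptx?|hwp|kdbx)\b|wallet\.dat|id_rsa")
LOLBIN_PARENTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Accounts whose recursive listings are expected. Assumed here; in practice
# derive this set from a baseline period rather than hand-writing it.
BASELINED_ACCOUNTS = {"CORP\\svc_backup"}


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def score_event(ev):
    """Return a Verdict for one process-creation or script-block record."""
    cmd = ev["CommandLine"]
    v = Verdict(0)
    if not RECURSIVE.search(cmd):
        return v  # a non-recursive listing is not interesting on its own
    v.score += 1
    v.reasons.append("recursive enumeration")
    if REDIRECT_TO_STAGING.search(cmd):
        v.score += 2
        v.reasons.append("output staged to temp/user-writable path")
    if SENSITIVE_EXT.search(cmd):
        v.score += 2
        v.reasons.append("filters for document or credential files")
    if ev["parent_process_name"].lower() in LOLBIN_PARENTS:
        v.score += 3
        v.reasons.append(f"spawned by {ev['parent_process_name']}")
    if ev["user"] in BASELINED_ACCOUNTS:
        v.score -= 2
        v.reasons.append("baselined account")
    return v


def triage(events, threshold=3):
    """Return (user, score, reasons) for every event at or above threshold."""
    hits = []
    for ev in events:
        v = score_event(ev)
        if v.score >= threshold:
            hits.append((ev["user"], v.score, v.reasons))
    return hits


if __name__ == "__main__":
    for user, score, reasons in triage(SAMPLE_EVENTS):
        print(user, score, "; ".join(reasons))
```

Run against the constructed events, only the two jdoe records clear the threshold; the backup account's recursive listing scores below zero once the baseline adjustment is applied.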
Splunk Detection Queries
Query 1: Recursive Directory Enumeration via Command Line
Detects recursive file discovery commands commonly used by adversaries to map target filesystems. Focuses on commands that write output to temporary files, a strong indicator of adversarial staging.
```spl
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(process_name=cmd.exe OR process_name=powershell.exe)
(CommandLine="*dir /s*" OR CommandLine="*dir /a*" OR CommandLine="*tree /f*"
OR CommandLine="*forfiles*" OR CommandLine="*Get-ChildItem*-Recurse*")
(CommandLine="*>>*" OR CommandLine="*> *" OR CommandLine="*Out-File*")
| eval suspicious_target=if(match(CommandLine,"(?i)(temp|tmp|appdata|public)"),1,0)
| table _time host user process_name CommandLine parent_process_name suspicious_target
| sort -_time
```
Query 2: PowerShell File Discovery Targeting Sensitive Document Types
Detects PowerShell scripts that enumerate directories while filtering for document types commonly targeted by espionage and ransomware operations.
```spl
index=windows source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104
(ScriptBlockText="*Get-ChildItem*" OR ScriptBlockText="*gci *" OR ScriptBlockText="*ls *")
(ScriptBlockText="*-Recurse*" OR ScriptBlockText="*-r *")
(ScriptBlockText="*.pdf*" OR ScriptBlockText="*.docx*" OR ScriptBlockText="*.xlsx*"
OR ScriptBlockText="*.pptx*" OR ScriptBlockText="*.hwp*" OR ScriptBlockText="*.kdbx*"
OR ScriptBlockText="*wallet*" OR ScriptBlockText="*id_rsa*")
| table _time host UserName ScriptBlockText
| sort -_time
```
Query 3: Linux File Discovery with Suspicious Patterns
Detects common Linux file discovery commands used by adversaries, including broad filesystem searches and searches targeting sensitive file types.
```spl
index=linux (sourcetype=syslog OR sourcetype=linux_audit)
("find /" OR "find /home" OR "find /root" OR "find /etc" OR "find /var")
("-name *.pdf" OR "-name *.doc*" OR "-name *.xls*" OR "-name *.key"
OR "-name *.pem" OR "-name *.pgp" OR "-name id_rsa" OR "-name *.kdbx"
OR "-iname *.wallet*")
| table _time host user command
| sort -_time
```

The sourcetype alternatives are parenthesized: without the parentheses, Splunk's implicit AND binds more tightly than OR, so the search would also return every linux_audit event regardless of index.
Query 4: High-Volume File Enumeration API Calls (EDR Data)
Detects processes making an unusually high number of file enumeration API calls, which may indicate malware performing pre-encryption file discovery or data staging.
```spl
index=edr (event_type="api_call" OR event_type="file_access")
(api_name="FindFirstFile" OR api_name="FindNextFile"
OR api_name="GetFileAttributesW" OR api_name="NtQueryDirectoryFile")
| stats count as api_calls dc(target_path) as unique_paths by host process_name process_path
| where api_calls > 10000 AND unique_paths > 500
| eval risk=case(
    match(process_path,"(?i)(temp|appdata|public|downloads)"), "HIGH",
    NOT match(process_path,"(?i)(windows|program files|system32)"), "MEDIUM",
    1=1, "LOW")
| where risk IN ("HIGH","MEDIUM")
| sort -api_calls
```
Known Threat Actors and Malware
T1083 has one of the longest lists of documented procedure examples in the entire MITRE ATT&CK knowledge base. The following is a representative selection, organized by motivation.
State-Sponsored Espionage
| Actor / Malware | Attribution | T1083 Usage |
|---|---|---|
| COLDRIVER / LOSTKEYS | Russia (FSB) | Hard-coded file extension and directory lists for targeted document theft from Western government advisors, journalists, and NGOs |
| APT28 (Fancy Bear) | Russia (GRU) | Used forfiles to locate PDF, Excel, and Word documents on compromised systems including the German Bundestag and DCCC |
| Gamaredon Group | Russia (FSB) | Automated discovery and listing of Office documents on compromised Ukrainian government systems via GammaSteele |
| Kimsuky (APT43) | North Korea | AppleSeed backdoor searches for .hwp, .pdf, .doc, .ppt, .txt in targeted directories on South Korean government systems |
| APT41 | China | Ran file /bin/pwd on exploited hosts to determine the system architecture during global intrusion campaigns |
| APT5 | China | Used BLOODMINE utility to discover files with web-related extensions in Pulse Secure Connect VPN logs |
| Turla / Epic | Russia (FSB) | Recursively searches for all .doc files on the system, collects directory listings from Desktop, %TEMP%, and %WINDOWS%\Temp |
Ransomware and Financially Motivated Groups
| Actor / Malware | T1083 Usage |
|---|---|
| Black Basta | Enumerates specific files for encryption across local drives and ESXi systems |
| BlackCat (ALPHV) | Uses DirLister tool to create accessible directory and file lists before encryption |
| LockBit 2.0 / 3.0 | Excludes files associated with core system functions from encryption via file discovery |
| Medusa | Searches victim environments for files for both encryption and exfiltration (double extortion) |
| Clop | Searches folders and subfolders for files to encrypt |
| Conti | Discovers files on local systems for targeted encryption |
| Embargo | Iterates device volumes via FindFirstVolumeW() and enumerates drives for encryption |
| Akira / Akira v2 | Examines files via GetFileAttributesW to determine encryption eligibility |
Destructive Operations and Wipers
| Actor / Malware | T1083 Usage |
|---|---|
| AcidPour / AcidRain | Identifies Linux filesystem paths corresponding to storage devices for targeted wiping |
| HermeticWiper | Enumerates My Documents, Desktop, and AppData for destruction |
| CaddyWiper | Enumerates all files and directories on the host before overwriting |
| Industroyer | Data wiper component enumerates specific files on all Windows drives |
| KillDisk | Uses FindNextFile as part of its systematic file deletion process |
Defensive Recommendations
1. Enable comprehensive command-line and script logging
The single highest-value defensive action for T1083 is ensuring full visibility into what commands are being executed. On Windows, enable Sysmon with a configuration that logs all process creation events (Event ID 1) with full command-line arguments. Enable PowerShell Module Logging and Script Block Logging (Event IDs 4103 and 4104) to capture Get-ChildItem and other file discovery cmdlets. On Linux, configure auditd to log execve system calls for shell commands, and use tools like sysmon-for-linux for process creation events. Without this telemetry, T1083 is effectively invisible.
2. Establish behavioral baselines for file enumeration activity
Before deploying detection rules, invest time in understanding what normal file discovery activity looks like in your environment. Identify which service accounts run recursive directory listings, which backup tools enumerate files on a schedule, and which administrative scripts perform regular file searches. Build baseline profiles that define expected patterns, then alert on deviations. A recursive dir /s c:\ from a service account at 2:00 AM during the backup window is normal. The same command from a user account at 3:00 PM on a Tuesday, piped to a temp file, is worth investigating.
3. Monitor for file enumeration output staging
Many adversaries redirect directory listing output to temporary files for later exfiltration. Commands like dir /s c:\ >> %temp%\download or find / -type f > /tmp/filelist.txt are strong indicators of adversarial file discovery. Monitor for file creation events in temporary directories where the created file contains directory listing content. This is a lower-false-positive detection vector than monitoring the enumeration commands themselves.
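Added example, not code from the page: a Python heuristic that inspects the content of a file newly created in a temp directory and decides whether it is a staged directory listing, recognising either the structure of dir /s output or a find-style list of absolute paths. The sample contents are constructed; thresholds are assumptions to tune per environment.

```python
"""Classify a newly created file's content as a staged directory listing or not."""
import re

# 'dir /s' output: repeated "Directory of X:\..." headers followed by entry lines.
DIR_HEADER = re.compile(r"^\s*Directory of [A-Za-z]:\\", re.M)
DIR_ENTRY = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+(?:[AP]M\s+)?(?:<DIR>|[\d,]+)\s+\S", re.M)
# find / ls -R style output: one absolute path per line.
PATH_LINE = re.compile(r"^(?:[A-Za-z]:\\|/)[^\r\n]*$", re.M)


def looks_like_listing(text, min_lines=8, path_ratio=0.8):
    """Return (is_listing, reason).

    Windows 'dir /s' output is recognised by its section headers and entry
    lines; Unix-style output by the share of non-blank lines that are absolute
    paths. Very short files are ignored to keep noise down."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < min_lines:
        return False, "too short"
    headers = len(DIR_HEADER.findall(text))
    entries = len(DIR_ENTRY.findall(text))
    if headers >= 2 and entries >= min_lines // 2:
        return True, f"dir /s format: {headers} directory headers, {entries} entries"
    paths = sum(1 for ln in lines if PATH_LINE.match(ln))
    if paths / len(lines) >= path_ratio:
        return True, f"path list: {paths}/{len(lines)} lines are absolute paths"
    return False, "no listing structure"


# Constructed sample contents (not captured from a real host).
DIR_S_OUTPUT = """ Volume in drive C has no label.
 Directory of C:\\Users\\jdoe\\Documents
06/01/2025  09:12 AM    <DIR>          .
06/01/2025  09:12 AM    <DIR>          ..
05/30/2025  04:41 PM            81,920 budget_2025.xlsx
05/28/2025  11:03 AM           204,800 contract.pdf
 Directory of C:\\Users\\jdoe\\Documents\\archive
05/01/2025  08:00 AM    <DIR>          .
04/22/2025  03:15 PM         1,048,576 old_plans.docx
04/22/2025  03:16 PM            10,240 notes.txt
"""
FIND_OUTPUT = "\n".join(f"/home/jdoe/docs/report_{i}.pdf" for i in range(12)) + "\n"
# A benign installer log of similar size, to show the negative case.
INSTALL_LOG = "\n".join(f"[info] step {i}: copied package component" for i in range(12)) + "\n"


if __name__ == "__main__":
    for name, body in (("dir_s", DIR_S_OUTPUT), ("find", FIND_OUTPUT), ("log", INSTALL_LOG)):
        print(name, looks_like_listing(body))
```

Wire this to file-creation events for %TEMP%, /tmp and similar paths; a positive result plus the creating process's lineage is the alert, not the file creation alone.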
4. Restrict PowerShell to Constrained Language Mode where possible
PowerShell Constrained Language Mode limits the cmdlets and .NET types available to scripts, significantly reducing the effectiveness of PowerShell-based file discovery. While this may impact legitimate administrative workflows, deploying Constrained Language Mode on workstations (where users typically do not need full PowerShell capabilities) can force adversaries to use less stealthy alternatives that are easier to detect.
5. Implement file access auditing on high-value directories
Enable Windows Security Auditing (Event ID 4663) on directories that contain sensitive data: executive desktops, finance shares, HR repositories, intellectual property stores. This provides a secondary detection layer when adversaries enumerate these directories, capturing the access even if the enumeration command itself was not logged. Focus auditing on directory traversal events rather than individual file reads to manage log volume.
6. Deploy canary files and directories
Place decoy files with enticing names (passwords.xlsx, salary_data_2026.pdf, vpn_credentials.docx) in directories that adversaries commonly target during file discovery: Desktop, Documents, network share root directories, and user home folders. Any access to these files is a strong indicator of compromise because legitimate users know these files do not contain real data. Canary files provide a high-fidelity, low-false-positive alerting mechanism that detects T1083 activity regardless of the enumeration method used.
7. Limit directory listing permissions on network shares
Apply the principle of least privilege to network share permissions. Users should only have listing access to directories they need for their work. This limits the scope of adversarial file discovery during lateral movement and prevents a single compromised account from enumerating the entire file server. Use access-based enumeration (ABE) on Windows file servers to hide directories that users do not have permissions to access, reducing the information available to adversaries during discovery.
8. Correlate T1083 activity with other Discovery techniques
File and directory discovery rarely occurs in isolation. When T1083 is observed alongside T1082 (System Information Discovery), T1057 (Process Discovery), T1016 (System Network Configuration Discovery), and T1049 (System Network Connections Discovery), it strongly suggests an adversary is conducting comprehensive reconnaissance. Build correlation rules that fire when multiple discovery techniques are observed from the same user or process within a short time window. This context-enriched detection approach dramatically reduces false positives compared to alerting on T1083 alone.
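Added example, not code from the page: a Python sliding-window correlator that maps command lines to the discovery technique IDs listed above and reports a user once three distinct techniques appear within ten minutes. The command-line patterns and the constructed event sample are assumptions for illustration.

```python
"""Correlate multiple ATT&CK discovery techniques per user within a time window."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative command-line signatures per discovery technique (assumed; extend
# from your own telemetry). Each regex is deliberately narrow.
TECHNIQUE_PATTERNS = {
    "T1083": re.compile(r"(?i)(\bdir\b.*\s/s\b|\btree\b|\bforfiles\b|-Recurse\b|\bfind\s+/|\bls\s+-[a-z]*R)"),
    "T1082": re.compile(r"(?i)(\bsysteminfo\b|\bhostname\b|\buname\b)"),
    "T1057": re.compile(r"(?i)(\btasklist\b|Get-Process\b|\bps\s+(aux|-ef))"),
    "T1016": re.compile(r"(?i)(\bipconfig\b|\bifconfig\b|\bip\s+addr\b|\broute\s+print\b)"),
    "T1049": re.compile(r"(?i)(\bnetstat\b|Get-NetTCPConnection\b|\bss\s+-)"),
}


def classify(cmd):
    """Return the set of technique IDs whose signature matches the command line."""
    return {tid for tid, rx in TECHNIQUE_PATTERNS.items() if rx.search(cmd)}


def correlate(events, window=timedelta(minutes=10), min_techniques=3):
    """events: iterable of (timestamp, user, command_line), in any order.

    Returns [(user, first_ts, last_ts, sorted technique IDs)] for each user whose
    distinct discovery techniques within `window` reach min_techniques. A cluster
    is reported once, at the moment the threshold is crossed, then cleared so the
    same burst does not re-alert on every later command."""
    alerts = []
    recent = defaultdict(deque)  # user -> deque of (timestamp, technique)
    for ts, user, cmd in sorted(events, key=lambda e: e[0]):
        tids = classify(cmd)
        if not tids:
            continue
        q = recent[user]
        for tid in tids:
            q.append((ts, tid))
        while q and ts - q[0][0] > window:  # drop entries that fell out of the window
            q.popleft()
        seen = {tid for _, tid in q}
        if len(seen) >= min_techniques:
            alerts.append((user, q[0][0], ts, sorted(seen)))
            q.clear()
    return alerts


# Constructed sample: one admin doing routine work spread over hours, and one
# account running a textbook discovery sequence in under five minutes.
T0 = datetime(2025, 6, 1, 15, 0, 0)
SAMPLE = [
    (T0, "CORP\\admin1", "ipconfig /all"),
    (T0 + timedelta(hours=2), "CORP\\admin1", "tasklist"),
    (T0 + timedelta(hours=5), "CORP\\admin1", r"dir /s C:\Users\admin1"),
    (T0 + timedelta(seconds=10), "CORP\\jdoe", "systeminfo"),
    (T0 + timedelta(seconds=40), "CORP\\jdoe", "tasklist /v"),
    (T0 + timedelta(seconds=75), "CORP\\jdoe", "netstat -ano"),
    (T0 + timedelta(minutes=3), "CORP\\jdoe", r"dir /s /a c:\ >> %temp%\out.tmp"),
    (T0 + timedelta(minutes=4), "CORP\\jdoe", "ipconfig /all"),
]


if __name__ == "__main__":
    for user, first, last, tids in correlate(SAMPLE):
        print(f"{user}: {', '.join(tids)} between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

The admin's three discovery commands never share a ten-minute window and produce no alert; jdoe trips the rule 75 seconds in, and raising min_techniques to five still fires once all five techniques land within four minutes.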
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1083 |
| Technique Name | File and Directory Discovery |
| Tactics | Discovery (TA0007) |
| Platforms | Windows, Linux, macOS, ESXi, Network Devices |
| Sub-Techniques | None (no sub-techniques defined) |
| Data Sources | Process (Creation), Command (Execution), File (Access) |
| Version | 1.7 (last modified October 2025) |
| MITRE Reference | attack.mitre.org/techniques/T1083 |
Sources and References
- MITRE ATT&CK — T1083 File and Directory Discovery: attack.mitre.org
- Google Threat Intelligence Group — COLDRIVER Using New Malware (LOSTKEYS) to Steal Documents from Western Targets and NGOs: cloud.google.com
- Google Threat Intelligence Group — New Malware Attributed to Russia State-Sponsored COLDRIVER (NOROBOT, YESROBOT, MAYBEROBOT): cloud.google.com
- CISA, FBI, MS-ISAC — #StopRansomware: Medusa Ransomware (AA25-071A): cisa.gov
- Picus Security — Red Report 2026: picussecurity.com
- Red Canary — Atomic Red Team T1083 Tests: github.com
- Symantec — Shuckworm Targets Ukraine with GammaSteele: security.com
- CISA — #StopRansomware: LockBit 3.0 (AA23-075A): cisa.gov
- Cyble — Embargo Ransomware Analysis: cyble.com
- SentinelOne — AcidPour: New Embedded Wiper Variant of AcidRain: sentinelone.com