Detectionlowtest

DirLister Execution

Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Sat Aug 20Updated Sat Feb 04b4dc61f5-6cce-468e-a608-b48b469feaa2windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        - OriginalFileName: 'DirLister.exe'
        - Image|endswith: '\DirLister.exe'
    condition: selection

False Positives

Legitimate use by users

References

Testing & Validation

Simulations

atomic-red-teamT1083

View on ART

Launch DirLister Executable

GUID: c5bec457-43c9-4a18-9a24-fe151d8971b7

Regression Tests

by SigmaHQ Team

Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON

MITRE ATT&CK

Tactics

TA0007 · Discovery

Techniques

T1083 · File and Directory Discovery

Rule Metadata

Rule ID

b4dc61f5-6cce-468e-a608-b48b469feaa2

Status

test

Level

low

Type

Detection

Created

Sat Aug 20

Modified

Sat Feb 04

Author

François Hubaut

Path

rules/windows/process_creation/proc_creation_win_dirlister_execution.yml

Raw Tags

attack.discoveryattack.t1083

View on GitHub