AN1040: Analytic 1040
Execution of file enumeration commands (e.g., 'dir', 'tree') from non-standard processes or unusual user contexts, followed by recursive directory traversal or access to sensitive locations.
Analyst context for executives and security teams
This analytic matters because file and directory enumeration launched from unusual Windows processes or user contexts can be an early signal that an account, script, or process is mapping the environment before follow-on activity. For leaders, the question is whether the SOC can tell routine administration apart from discovery-like behavior, especially when sensitive locations are walked recursively.
Executive priority
Prioritize validation of Windows endpoint and identity telemetry that can show who ran enumeration commands, from which parent process, and against which directories. This supports incident triage, audit evidence, and resilience planning by helping teams identify suspicious access to sensitive file locations before the investigation depends only on after-the-fact user interviews or incomplete logs.
Technical view
Validate coverage for Windows command execution involving file enumeration utilities such as dir and tree, especially when launched by non-standard parent processes, unexpected automation, or unusual user contexts. Note that dir is a cmd.exe built-in, so it never appears as a process image of its own and is visible only in the command line of the cmd.exe process that ran it, whereas tree runs as the separate executable tree.com. Because no ATT&CK tactic, relationship context, or official detection logic is supplied, treat this as a behavior-focused analytic and tune it against local baselines for administrative activity, software deployment tools, help desk workflows, and scheduled scripts.
Likely telemetry
- Windows process creation events with command line arguments
- Parent-child process relationships
- User and logon context associated with process execution
- Current working directory and target path information where available (Sysmon Event ID 1 records CurrentDirectory; Security event 4688 does not, so the target path must be recovered from the command line)
- File system access or directory traversal telemetry for sensitive locations
Detection direction
- Confirm that process command lines are captured for Windows endpoints where this analytic is expected to operate (Security event 4688 only includes the command line when the "Include command line in process creation events" audit policy is enabled; Sysmon Event ID 1 includes CommandLine and ParentImage by default).
- Baseline legitimate use of dir, tree, and similar enumeration commands by administrators, service accounts, scripts, and management tooling.
- Prioritize alerts where enumeration is recursive, targets sensitive locations, or originates from an unusual parent process or user context.
- Review false positives from logon scripts, inventory jobs, backup operations, software deployment, and help desk troubleshooting.
- Use local asset criticality and directory sensitivity to raise or lower severity, since the supplied ATT&CK object provides no relationship context or tactic mapping.
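The following is an added example, not MITRE or Glexia code, showing the triage logic described in the Technical view and Detection direction sections run over constructed process-creation events. The event dictionaries mirror the fields a parsed Sysmon Event ID 1 or Security 4688 record provides; the baseline parents, baseline users, sensitive-path prefixes and scoring weights are assumptions to be replaced with values derived from local telemetry.

```python
"""Triage Windows process-creation events for file-enumeration behaviour.

Added example for the Technical view and Detection direction passages above;
not MITRE or Glexia code. Baselines, sensitive paths, weights and the sample
events are constructed assumptions and must be tuned to the local environment.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed local baseline: parents that normally spawn shells interactively,
# and accounts whose enumeration activity is routine (help desk, inventory).
BASELINE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "windowsterminal.exe"}
BASELINE_USERS = {r"corp\helpdesk", r"nt authority\system"}

# Assumed sensitive locations as lower-case path prefixes; extend per site.
SENSITIVE_PREFIXES = (r"c:\users", r"c:\windows\system32\config",
                      r"c:\windows\ntds", r"c:\programdata")

# dir is a cmd.exe built-in (only ever seen in a command line); tree is tree.com.
ENUM_VERBS = {"dir", "tree", "tree.com", "tree.exe"}


@dataclass
class Finding:
    verb: str
    recursive: bool
    targets: List[str]
    sensitive: bool
    unusual_parent: bool
    unusual_user: bool
    score: int
    severity: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _norm(path: str) -> str:
    return path.replace("/", "\\").strip().lower()


def triage(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when the event runs dir/tree, otherwise None."""
    # Crude Windows tokeniser: drop quotes, split on whitespace. Paths that
    # contain spaces are split apart; acceptable for a triage heuristic.
    tokens = event["command_line"].replace('"', "").split()
    idx = next((i for i, t in enumerate(tokens) if t.lower() in ENUM_VERBS), None)
    if idx is None:
        return None
    verb = tokens[idx].lower().split(".")[0]          # tree.com -> tree
    args = tokens[idx + 1:]
    flags = {a.lower() for a in args if a.startswith("/")}
    targets = [_norm(a) for a in args if not a.startswith("/")]
    if not targets:                                   # no path given: cwd is the target
        targets = [_norm(event.get("cwd", ""))]

    recursive = verb == "tree" or "/s" in flags       # tree always walks subdirectories
    sensitive = any(t.startswith(p) for t in targets for p in SENSITIVE_PREFIXES)
    unusual_parent = _basename(event["parent_image"]) not in BASELINE_PARENTS
    unusual_user = event["user"].lower() not in BASELINE_USERS

    # Assumed weights: sensitive target and unusual parent carry the most signal.
    score = 1 * recursive + 2 * sensitive + 2 * unusual_parent + 1 * unusual_user
    severity = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return Finding(verb, recursive, targets, sensitive, unusual_parent, unusual_user, score, severity)


def triage_all(events: List[Dict[str, str]]) -> Dict[int, Finding]:
    """Findings keyed by event index; events without enumeration are omitted."""
    out = {}
    for i, e in enumerate(events):
        f = triage(e)
        if f is not None:
            out[i] = f
    return out


# Constructed sample events (not real telemetry), shaped like parsed 4688 / Sysmon 1 records.
SAMPLE_EVENTS = [
    {"user": r"CORP\helpdesk", "parent_image": r"C:\Windows\explorer.exe",          # routine troubleshooting
     "command_line": r"cmd.exe /c dir C:\Temp", "cwd": r"C:\Temp"},
    {"user": r"IIS APPPOOL\DefaultAppPool", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "command_line": r"cmd.exe /c dir /s /b C:\Users", "cwd": r"C:\inetpub\wwwroot"},  # web-shell-like
    {"user": r"CORP\asmith", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r"cmd.exe /c tree /f", "cwd": r"C:\Users\asmith"},              # Office-spawned, cwd target
    {"user": r"CORP\helpdesk", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cmd.exe /c whoami /all", "cwd": r"C:\Users\helpdesk"},        # not enumeration
    {"user": r"CORP\dev01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c dir /s C:\Build\logs", "cwd": r"C:\Build"},        # recursive, benign path
]

if __name__ == "__main__":
    for i, f in triage_all(SAMPLE_EVENTS).items():
        print(i, f.severity, f.score, f.verb, f.targets)
```

The severity thresholds are deliberately simple so that each factor in the Detection direction list maps to one term of the score; when tuning, the baseline sets and the sensitive prefixes are what should be derived from local data, while the weights only need to keep a recursive walk of a sensitive path from an unexpected parent above the alerting line.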
Mitigation priorities
- Improve endpoint logging and retention for Windows process creation and command-line visibility before relying on this analytic operationally.
- Restrict and monitor privileged or service account use so unusual user contexts are easier to identify.
- Apply least-privilege access to sensitive directories so enumeration attempts have reduced scope and better auditability.
- Document approved administrative enumeration patterns to support SOC tuning and compliance evidence.
- Use incident response playbooks that quickly verify user legitimacy, parent process lineage, and whether sensitive locations were accessed.
Analyst notes and limits
This is a detection analytic for Windows focused on file enumeration commands run from non-standard processes or unusual user contexts, followed by recursive traversal or access to sensitive locations. With no supplied relationships and no official detection pseudocode, its strongest use is as a validation prompt for SOC telemetry, baselining, and triage logic rather than as a complete detection rule.
The supplied object has no tactic mapping, no relationship context, and no official detection text, so it does not support claims about specific adversaries, active exploitation, impact, or guaranteed detection. Local baselines are required to define what counts as a non-standard process, an unusual user context, recursive traversal, or a sensitive location.
Analytic 1040
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate any related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK Resources and Updates pages.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d3923c4ac12b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1040
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.