MITRE ATT&CK® Detection Strategy

DET0370: Recursive Enumeration of Files and Directories Across Privilege Contexts

Enterprise | DET0370 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0370 is a detection strategy concept for spotting recursive file and directory enumeration across privilege contexts. In business terms, this matters because broad filesystem discovery is often the reconnaissance step that helps an intruder decide what data, systems, or follow-on actions are worth pursuing. The supplied ATT&CK relationship ties it to File and Directory Discovery (T1083), a Discovery technique relevant to ESXi, Linux, macOS, and network devices.

Executive priority

Treat this as a validation item for discovery-stage visibility, not as proof of compromise by itself. Leaders should ask whether SOC and incident response teams can see unusual recursive enumeration on the platforms in scope, especially where privileged accounts, administrative shells, infrastructure devices, or virtualized environments are involved. The decision value is in confirming whether early attacker reconnaissance would create usable evidence for triage, containment decisions, and audit-ready monitoring coverage.

Technical view

The official detection strategy object does not provide detection logic, platforms, tactics, or a detection description, but its name and relationship indicate a focus on recursive file and directory enumeration associated with T1083 File and Directory Discovery. Detection engineering should validate telemetry for command execution and filesystem traversal patterns on ESXi, Linux, macOS, and network devices where available. Because legitimate administration, backup, indexing, security tooling, and inventory jobs can also enumerate directories recursively, detections should be tuned around context: privilege level, account type, execution source, scope of traversal, unusual paths, timing, and deviation from known administrative baselines.

Likely telemetry

  • Process or command execution logs showing recursive listing, search, or filesystem traversal activity
  • Shell history or command-line audit records where available
  • Filesystem access or audit events showing broad directory traversal
  • Privilege context indicators such as user, effective user, sudo/admin context, service account, or device administrator role
  • Network device or appliance command logs where supported

Detection direction

  • Validate that recursive enumeration activity can be observed on the related T1083 platforms: ESXi, Linux, macOS, and network devices.
  • Baseline legitimate recursive discovery from administrators, backup tools, vulnerability scanners, indexing services, EDR tools, and configuration management jobs to reduce false positives.
  • Prioritize unusual combinations of broad traversal plus elevated privilege, unexpected account, interactive shell, sensitive directories, unusual execution time, or activity from rarely used administrative paths.
  • Correlate filesystem enumeration with surrounding discovery behavior where available, rather than treating a single recursive listing command as high confidence on its own.
  • Check for telemetry blind spots on network devices and virtualization infrastructure, where command logging and file access visibility may be weaker than on standard endpoints.
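The telemetry and detection direction above, as an added example that is not part of the page, of MITRE's DET0370 object, or of Glexia's analysis: a small scorer that reads process-execution records, decides whether the command is a recursive enumeration (find, tree, du, ls -R, grep -r), and weights it by traversal scope, privilege context (effective uid versus login uid), interactive shell, and a per-account baseline of expected recursive jobs. The records, field names (user, euid, auid, tty, cmd), baseline table, weights and alert threshold are all assumptions chosen for illustration; real deployments would map them onto their own auditd, EDR or device command logs and tune the weights locally.

```python
"""Score recursive file/directory enumeration by privilege context.

Added example: constructed, simplified process records (not real telemetry).
Assumed fields mirror what auditd EXECVE/SYSCALL events or an EDR process log
would give after resolving uids to names: user (process uid), euid (effective
uid), auid (login/audit uid, the account that actually logged in), tty, cmd.
"""
import shlex
from typing import Dict, List, Optional, Set

# Commands that traverse recursively by default, and the flags that make
# ls / grep recursive. Short-option clusters such as "-laR" are handled below.
RECURSIVE_BY_DEFAULT = {"find", "tree", "du"}
SHORT_RECURSIVE_LETTERS = {"ls": "R", "grep": "rR"}
LONG_RECURSIVE = {"ls": {"--recursive"},
                  "grep": {"--recursive", "--dereference-recursive"}}

# Assumed scope heuristics: traversal starting at one of these roots covers
# most of a host; these directories are treated as sensitive.
BROAD_ROOTS = {"/", "/home", "/etc", "/var", "/root", "/opt", "/srv", "/vmfs/volumes"}
SENSITIVE_DIRS = {"/etc", "/root", "/home", "/vmfs/volumes"}
ALERT_THRESHOLD = 3  # assumed; tune against local baselines

# Constructed sample records (not real data).
SAMPLE_EVENTS: List[Dict] = [
    {"host": "web01", "user": "backup", "euid": 0, "auid": "backup", "tty": "none",
     "cmd": "find / -xdev -type f -newer /var/backup/stamp"},
    {"host": "web01", "user": "jdoe", "euid": 0, "auid": "jdoe", "tty": "pts/2",
     "cmd": "find / -type f -name '*.pem'"},
    {"host": "web01", "user": "jdoe", "euid": 1001, "auid": "jdoe", "tty": "pts/2",
     "cmd": "ls -la /home/jdoe/project"},
    {"host": "db02", "user": "svc-inv", "euid": 0, "auid": "svc-inv", "tty": "none",
     "cmd": "ls -R /var/lib"},
    {"host": "db02", "user": "root", "euid": 0, "auid": "jdoe", "tty": "pts/0",
     "cmd": "grep -r password /etc /home"},
]

# Assumed local baseline: login account -> commands it is expected to run recursively.
BASELINED_ACCOUNTS: Dict[str, Set[str]] = {"backup": {"find"}, "svc-inv": {"ls"}}


def _basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def is_recursive(argv: List[str]) -> bool:
    """True when argv is a recursive enumeration command."""
    if not argv:
        return False
    cmd = _basename(argv[0])
    if cmd in RECURSIVE_BY_DEFAULT:
        return True
    if cmd not in SHORT_RECURSIVE_LETTERS:
        return False
    for arg in argv[1:]:
        if arg.startswith("--"):
            if arg in LONG_RECURSIVE[cmd]:
                return True
        elif arg.startswith("-") and len(arg) > 1:
            # short-option cluster, e.g. "-laR" -> letters "laR"
            if any(ch in SHORT_RECURSIVE_LETTERS[cmd] for ch in arg[1:]):
                return True
    return False


def traversal_roots(argv: List[str]) -> List[str]:
    """Absolute-path operands, treated (simplification) as traversal roots."""
    roots = []
    for arg in argv[1:]:
        if arg.startswith("/"):
            roots.append(arg if arg == "/" else arg.rstrip("/"))
    return roots


def _is_sensitive(root: str) -> bool:
    return any(root == s or root.startswith(s + "/") for s in SENSITIVE_DIRS)


def score_event(ev: Dict, baseline: Dict[str, Set[str]]) -> Optional[Dict]:
    """Return a scored record for recursive enumeration, or None if not recursive."""
    argv = shlex.split(ev["cmd"])
    if not is_recursive(argv):
        return None
    result = {"host": ev["host"], "auid": ev["auid"], "cmd": ev["cmd"],
              "score": 0, "reasons": [], "alert": False}
    if _basename(argv[0]) in baseline.get(ev["auid"], set()):
        result["reasons"].append("baselined account/command")
        return result
    roots = traversal_roots(argv)
    if any(r in BROAD_ROOTS for r in roots):
        result["score"] += 2
        result["reasons"].append("broad traversal root")
    if any(_is_sensitive(r) for r in roots):
        result["score"] += 1
        result["reasons"].append("sensitive directory")
    if ev["euid"] == 0:
        if ev["auid"] != "root":
            # root effective uid but a non-root login: sudo/su privilege context
            result["score"] += 2
            result["reasons"].append("root euid from non-root login")
        else:
            result["score"] += 1
            result["reasons"].append("root login")
    if ev["tty"] != "none":
        result["score"] += 1
        result["reasons"].append("interactive shell")
    result["alert"] = result["score"] >= ALERT_THRESHOLD
    return result


def detect(events: List[Dict], baseline: Dict[str, Set[str]]) -> List[Dict]:
    """Score every recursive-enumeration record; callers filter on 'alert'."""
    return [r for r in (score_event(e, baseline) for e in events) if r is not None]


if __name__ == "__main__":
    for r in detect(SAMPLE_EVENTS, BASELINED_ACCOUNTS):
        flag = "ALERT" if r["alert"] else "info "
        print(f"{flag} {r['host']} {r['auid']:8} score={r['score']} {r['cmd']} :: {', '.join(r['reasons'])}")
```

On the constructed records the backup job and the inventory service account are suppressed by the baseline, the plain `ls -la` is ignored as non-recursive, and the two interactive, root-effective commands that start at broad roots are the ones that cross the threshold. The point of the weights is the one the bullets make: a single recursive listing is weak evidence on its own, and the score only climbs when traversal scope and an unexpected privilege context coincide.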

Mitigation priorities

  • First, confirm logging and retention for command execution, administrative activity, and filesystem access on the platforms actually in scope.
  • Use least privilege and administrative role separation so broad enumeration across privilege contexts is limited and attributable.
  • Review service accounts and automation jobs that legitimately perform recursive traversal, document expected behavior, and constrain their scope where possible.
  • Ensure incident response playbooks include triage questions for discovery activity: which account, which host or device, which paths, what privilege context, and what happened before and after.
  • Use the ATT&CK mapping to T1083 as compliance and monitoring evidence only after local telemetry and detection behavior have been validated.

Analyst notes and limits

This object is a detection strategy, not a technique. The supplied object has no official description or detection text, so the take relies on the name, external reference, and the stated relationship that it detects T1083 File and Directory Discovery. The most important local validation is whether recursive enumeration can be distinguished from normal administration and automation.

Platforms and tactics are not specified on DET0370 itself. Platform relevance comes from the related T1083 context only. No official analytic logic, thresholds, data sources, mitigations, or adversary examples were supplied, so detection and mitigation guidance must be adapted to local logging, operating procedures, and asset criticality.

Official MITRE ATT&CK definition

Recursive Enumeration of Files and Directories Across Privilege Contexts

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row
Domain | ID | Name | Relationship / procedure
Enterprise | T1083 | File and Directory Discovery | This object detects File and Directory Discovery.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 0e963e5d430797d7...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 0e963e5d4307…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0370

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.