File and Directory Discovery
9 syscalls implement this technique
- NtQueryInformationByName
Queries file information by path without an open handle, introduced in Windows 10 RS5.
- NtOpenFile
Opens a handle to an existing file or device — the lighter no-create counterpart of NtCreateFile.
- NtQueryDirectoryFile
Enumerates a directory at the IRP layer — used by rootkits to hide files by tampering with the returned list.
- NtNotifyChangeDirectoryFile
Registers an asynchronous notification request for filesystem changes within an opened directory handle.
- NtNotifyChangeDirectoryFileEx
Extended directory-change notification that lets the caller pick the FILE_NOTIFY_INFORMATION class returned in the buffer.
- NtQueryVolumeInformationFile
Retrieves filesystem and volume properties (label, size, device type, attributes) for the volume backing a file handle.
- NtOpenDirectoryObject
Opens an existing directory object in the Windows object manager namespace.
- NtQueryDirectoryObject
Enumerates the entries (name + type) inside an object-manager directory.
- NtOpenSymbolicLinkObject
Opens an existing object-manager symbolic link by name, returning a handle for later query or deletion.