enumerate files on Linux

rule:
  meta:
    name: enumerate files on Linux
    namespace: host-interaction/file-system/files/list
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Discovery::File and Directory Discovery [T1083]
    mbc:
      - Discovery::File and Directory Discovery [E1083]
    examples:
      - 7351f8a40c5450557b24622417fc478d:0x405438
  features:
    - and:
      - or:
        - os: linux
        - os: android
      - or:
        - and:
          - match: create or open file
          - or:
            - api: getdents
            - api: getdents64
        - and:
          - api: opendir
          - api: readdir