File and Directory Discovery

Technique
ID: T1083
Tactic: Discovery
Platform: Linux, macOS, Windows
System Requirements: Some folders may require Administrator, SYSTEM or a specific user, depending on permission levels and access controls
Data Sources: File monitoring, Process command-line parameters, Process monitoring

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

Windows

Example utilities used to obtain this information are dir and tree. [1] Custom tools may also be used to gather file and directory information and interact with the Windows API.

Mac and Linux

On Mac and Linux, this kind of discovery is accomplished with the ls, find, and locate commands.

Examples

• APT28 has a utility to list detailed information about files and directories. [2]
• APT3 has a tool that looks for files and directories on the local file system. [3] [4]
• BRONZE BUTLER has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal. [5]
• Dust Storm has used Android backdoors capable of enumerating specific files on the infected devices. [6]
• Ke3chang uses command-line interaction to search files and directories. [7]
• Several Lazarus Group malware samples use a common function to identify target files by their extension. Lazarus Group malware families also enumerate files and directories on lettered drives. [8]
• Magic Hound malware can list a victim's logical drives and their type, as well as the total/free space of the fixed devices. Other malware can list a directory's contents. [9]
• A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions. [10]
• Sowbug identified and extracted all Word documents on a server by using a command containing *.doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim. [11]
• Turla surveys a system upon check-in to discover files in specific locations on the hard disk: the %TEMP% directory, the current user's desktop, and the Program Files directory. [12]
• admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories: [13]
  dir c:\ >> %temp%\download
  dir "c:\Documents and Settings" >> %temp%\download
  dir "c:\Program Files\" >> %temp%\download
  dir d:\ >> %temp%\download
• 3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory. [14]
• 4H RAT has the capability to obtain file and directory listings. [14]
• ADVSTORESHELL can list files and directories. [15] [16]
• AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc, .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg. [17]
• BACKSPACE allows adversaries to search for files. [18]
• BBSRAT can list file and directory information. [19]
• BLACKCOFFEE has the capability to enumerate files. [20]
• Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files. [21]
• BlackEnergy gathers a list of installed apps from the uninstall program Registry. It also gathers registered mail, browser, and instant messaging clients from the Registry. [22] BlackEnergy has searched for given file types. [23]
• An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o. [15]
• ChChes identifies the file path for the %TEMP% directory and sets its current working directory to that path. [24]
• ChChes collects the victim's %TEMP% directory path and version of Internet Explorer. [25]
• CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list. [26]
• Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list. [27]
• Derusbi is capable of obtaining a directory listing. [28]
• DustySky scans the victim for files that contain certain keywords from a list that is obtained from the C2 as a text file. It also collects information about installed software. [29]
• ELMER is capable of performing directory listings. [30]
• A variant of Elise executes dir C:\progra~1 when initially run. [31]
• FALLCHILL can search files on a victim. [32]
• FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system and removable media. [18]
• GeminiDuke collects information from the victim, including installed drivers, programs previously executed by users, programs and services configured to automatically run at startup, files and folders present in any user's home folder, files and folders present in any user's My Documents, programs installed to the Program Files folder, and recently accessed files, folders, and programs. [33]
• HTTPBrowser is capable of listing files, folders, and drives on a victim. [34] [35]
• Kasidet has the ability to search for a given filename on a victim. [36]
• Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives. [6]
• MobileOrder has a command to upload to its C2 server information about files on the victim mobile device, including SD card size, installed app list, browser bookmarks, SMS content, contacts, and calling history. [37]
• MoonWind has a command to return a directory listing for a specified directory. [38]
• NETEAGLE allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information. [18]
• OwaAuth has a command to list its directory and logical drives. [34]
• POWRUNER may enumerate user directories on a victim. [39]
• PinchDuke searches for files created within a certain timeframe and whose file extension matches a predefined list. [33]
• Pisloader has commands to list drives on the victim machine and to list file information for a given directory. [40]
• PowerDuke has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space. [41]
• A module in Prikormka collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the file. [42]
• Psylo has commands to enumerate all storage devices and to find all files that start with a particular string. [37]
• Pteranodon identifies files matching certain file extensions and copies them to subdirectories it created. [43]
• RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications. [44]
• RTM can scan victim drives to look for specific banking software on the machine to determine next actions. It also looks at browsing history and open tabs for specific strings. [45]
• RedLeaves can enumerate and search for files and directories. [46] [25]
• Remsec is capable of listing contents of folders on the victim. [47] [48] Remsec also searches for custom network encryption software on victims. [49]

Mitigation

File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting [50] tools, like AppLocker, [1] [51] or Software Restriction Policies [52] where appropriate. [53]

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
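The detection guidance above, together with the utilities named in the Windows and Mac/Linux sections, can be turned into a small correlation check over process-creation events. The following is an added example written for this page, not code from ATT&CK or from any of the tools listed in the Examples: it flags command lines that invoke dir, tree, ls, find or locate, raises the severity when the listing is redirected to a file (as in the admin@338 dir chain) or hunts for document extensions (as in the AutoIt backdoor and Sowbug entries), and emits a separate "chain" alert when several such commands come from the same host, user and parent process within a short window. The event format, the 60-second window and the chain threshold of three are assumptions, and the sample events are constructed, not real telemetry.

```python
"""Flag file and directory discovery commands and correlate them into chains.

Added example for this page (not ATT&CK or vendor code). The event format,
window and threshold are assumptions; tool names and extension list come
from the page's Windows, Mac/Linux and Examples sections.
"""
import re
from collections import defaultdict

# Utilities the page names for this technique, keyed by program basename.
DISCOVERY_TOOLS = {
    "dir": "windows", "tree": "windows",
    "ls": "unix", "find": "unix", "locate": "unix",
}
# Wildcarded document extensions of the kind the page's examples hunt for.
DOC_EXT_RE = re.compile(r"\*\.(docx?|pdf|xlsx?|pptx?|pst|csv|jpeg)\b", re.IGNORECASE)
# Listing output written to a file, as in "dir ... >> %temp%\download".
REDIRECT_RE = re.compile(r">>?\s*\S")

# Constructed sample events (not real telemetry): ts in seconds, host, user,
# parent process and the full command line.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws01", "user": "alice", "parent": "explorer.exe",
     "cmd": "notepad.exe C:\\notes.txt"},
    {"ts": 110, "host": "ws01", "user": "alice", "parent": "cmd.exe",
     "cmd": "dir c:\\ >> %temp%\\download"},
    {"ts": 112, "host": "ws01", "user": "alice", "parent": "cmd.exe",
     "cmd": 'dir "c:\\Documents and Settings" >> %temp%\\download'},
    {"ts": 115, "host": "ws01", "user": "alice", "parent": "cmd.exe",
     "cmd": 'dir "c:\\Program Files\\" >> %temp%\\download'},
    {"ts": 118, "host": "ws01", "user": "alice", "parent": "cmd.exe",
     "cmd": "dir d:\\ >> %temp%\\download"},
    {"ts": 200, "host": "srv02", "user": "root", "parent": "sshd",
     "cmd": "find / -name '*.docx' -newer /tmp/marker"},
    {"ts": 201, "host": "srv02", "user": "root", "parent": "sshd",
     "cmd": "ls -laR /home"},
]


def _tokens(cmd):
    """Split a command line, keeping double-quoted arguments intact."""
    return re.findall(r'"[^"]*"|\S+', cmd)


def _basename(tok):
    """Lower-cased program name without directory or .exe suffix."""
    name = tok.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(cmd):
    """Return details if `cmd` is a discovery command from the page, else None."""
    toks = _tokens(cmd)
    if not toks:
        return None
    exe = _basename(toks[0])
    # "cmd.exe /c dir ..." runs the built-in; look at the command after /c or /k.
    if exe == "cmd" and len(toks) > 2 and toks[1].lower() in ("/c", "/k"):
        exe = _basename(toks[2])
    family = DISCOVERY_TOOLS.get(exe)
    if family is None:
        return None
    return {
        "tool": exe,
        "family": family,
        "redirected": bool(REDIRECT_RE.search(cmd)),
        "doc_hunt": bool(DOC_EXT_RE.search(cmd)),
    }


def detect(events, window=60, chain_min=3):
    """Per-command alerts, plus one 'chain' alert when `chain_min` discovery
    commands come from the same host/user/parent within `window` seconds.

    A lone listing is low severity (these utilities are used legitimately all
    day); saving the listing to a file or hunting document extensions raises
    it, and a burst of them is the chain of behaviour the page asks for.
    """
    alerts = []
    recent = defaultdict(list)  # (host, user, parent) -> timestamps in window
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev["cmd"])
        if hit is None:
            continue
        severity = "medium" if (hit["redirected"] or hit["doc_hunt"]) else "low"
        alerts.append({"kind": "discovery", "severity": severity, "host": ev["host"],
                       "ts": ev["ts"], "tool": hit["tool"], "cmd": ev["cmd"]})
        key = (ev["host"], ev["user"], ev["parent"])
        bucket = recent[key]
        bucket.append(ev["ts"])
        while ev["ts"] - bucket[0] > window:  # drop timestamps outside the window
            bucket.pop(0)
        if len(bucket) == chain_min:  # fire once, as the threshold is crossed
            alerts.append({"kind": "chain", "severity": "high", "host": ev["host"],
                           "ts": ev["ts"], "parent": ev["parent"], "count": len(bucket)})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["kind"], a["host"], a.get("tool", ""), a.get("cmd", ""))
```

Run as a script, the constructed events produce four medium alerts for the redirected dir commands on ws01, one high chain alert when the third of them arrives, a medium alert for the find over *.docx on srv02 and a low one for the recursive ls. The per-key window is what keeps this usable: the page's point is that a single listing is unremarkable and the signal is the sequence, so the rule keys on who ran the commands and from which parent rather than on any one command line.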