File and Directory Discovery

ID: T1083
Tactic: Discovery
Platform: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux
System Requirements: Some folders may require Administrator, SYSTEM or specific user
Permissions Required: User, Administrator, SYSTEM
Data Sources: File monitoring, Process command-line parameters, Process monitoring

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Example utilities used to obtain this information are dir and tree.[1] Custom tools may also be used to gather file and directory information and interact with the Windows API.


  • Ke3chang uses command-line interaction to search files and directories.[2]
  • Turla surveys a system upon check-in to discover files in specific locations on the hard disk: the %TEMP% directory, the current user's desktop, and the Program Files directory.[3]
  • admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories [4]:
      • dir c:\ >> %temp%\download
      • dir "c:\Documents and Settings" >> %temp%\download
      • dir "c:\Program Files\" >> %temp%\download
      • dir d:\ >> %temp%\download
  • Dust Storm has used Android backdoors capable of enumerating specific files on the infected devices.[5]
  • Several Lazarus Group malware samples use a common function to identify target files by their extension. Lazarus Group malware families also enumerate files and directories on lettered drives.[6]
  • A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions.[7]
  • Derusbi is capable of obtaining a directory listing.[8]
  • An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o.[9]
  • BACKSPACE allows adversaries to search for files.[10]
  • NETEAGLE allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information.[10]
  • SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time.[10]
  • FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system and removable media.[10]
  • ADVSTORESHELL can list files and directories.[9][11]
  • PinchDuke searches for files created within a certain timeframe and whose file extension matches a predefined list.[12]
  • GeminiDuke collects information from the victim, including installed drivers, programs previously executed by users, programs and services configured to automatically run at startup, files and folders present in any user's home folder, files and folders present in any user's My Documents, programs installed to the Program Files folder, and recently accessed files, folders, and programs.[12]
  • CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list.[13]
  • RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications.[14]
  • WinMM sets a WH_CBT Windows hook to search for and capture files on the victim.[15]
  • DustySky scans the victim for files that contain certain keywords from a list that is obtained from the C2 as a text file. It also collects information about installed software.[16]
  • SHOTPUT has a command to obtain a directory listing.[17]
  • ELMER is capable of performing directory listings.[18]
  • 4H RAT has the capability to obtain file and directory listings.[19]
  • 3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory.[19]
  • BLACKCOFFEE has the capability to enumerate files.[20]
  • HTTPBrowser is capable of listing files, folders, and drives on a victim.[21][22]
  • OwaAuth has a command to list its directory and logical drives.[21]
  • Psylo has commands to enumerate all storage devices and to find all files that start with a particular string.[23]
  • MobileOrder has a command to upload to its C2 server information about files on the victim mobile device, including SD card size, installed app list, browser bookmarks, SMS content, contacts, and calling history.[23]
  • A variant of Elise executes dir C:\progra~1 when initially run.[24]
  • Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives.[5]
  • ZLib has the ability to enumerate files and drives.[5]
  • Kasidet has the ability to search for a given filename on a victim.[25]
  • BlackEnergy gathers a list of installed apps from the uninstall program Registry. It also gathers registered mail, browser, and instant messaging clients from the Registry.[26] BlackEnergy has searched for given file types.[27]
  • Rover automatically searches for files on local drives based on a predefined list of file extensions.[28]
  • Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files.[29]
  • cmd can be used to find files and directories with native functionality such as dir commands.[30]
  • A module in Prikormka collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the file.[31]
  • Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list.[32]
  • Pisloader has commands to list drives on the victim machine and to list file information for a given directory.[33]
  • Remsec is capable of listing contents of folders on the victim.[34][35] Remsec also searches for custom network encryption software on victims.[36]
  • BBSRAT can list file and directory information.[37]
  • AutoIt is capable of identifying documents on the victim with the following extensions: .doc, .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg.[38]
  • TINYTYPHON searches through the drive containing the OS, then all drive letters C through to Z, for documents matching certain extensions.[38]
  • USBStealer searches victim drives for files matching certain extensions (“.skr”, “.pkr” or “.key”) or names.[39][40]
  • PowerDuke has commands to get its current directory name as well as the size of a file.[41]
  • Shamoon attempts to access the ADMIN$, C$\Windows, D$\Windows, and E$\Windows shares on the victim with its current privileges.[42]
  • StreamEx has the ability to enumerate drive types.[43]
  • ChChes identifies the file path for the %TEMP% directory and sets its current working directory to that path.[44]
  • Pteranodon identifies files matching certain file extensions and copies them to subdirectories it created.[45]
  • RTM can scan victim drives to look for specific banking software on the machine to determine next actions. It also looks at browsing history and open tabs for specific strings.[46]


File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting[47] tools, like AppLocker,[1][48] or Software Restriction Policies[49] where appropriate.[50]


System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
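An added example (not part of the original page or of any vendor's tooling) of reading command-line events as a chain rather than in isolation: it groups constructed process-creation events by host and parent process and alerts when one parent launches several dir or tree commands within a short window, as in the admin@338 sequence listed above. The event tuple layout, the 60-second window and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (not real telemetry):
# (timestamp, host, parent process id, command line)
EVENTS = [
    ("2016-01-05T10:00:01", "ws01", 4120, r'cmd.exe /c dir c:\ >> %temp%\download'),
    ("2016-01-05T10:00:03", "ws01", 4120, r'cmd.exe /c dir "c:\Documents and Settings" >> %temp%\download'),
    ("2016-01-05T10:00:04", "ws01", 4120, r'cmd.exe /c dir "c:\Program Files\" >> %temp%\download'),
    ("2016-01-05T10:00:06", "ws01", 4120, r'cmd.exe /c dir d:\ >> %temp%\download'),
    ("2016-01-05T11:30:00", "ws02", 900, r'cmd.exe /c dir'),
    ("2016-01-05T11:45:00", "ws02", 900, r'cmd.exe /c tree /f c:\build'),
    ("2016-01-05T12:00:00", "ws02", 900, r'notepad.exe c:\dir\tree.txt'),
]

# dir/tree as a command token, not as part of a path or file name.
ENUM = re.compile(r'(?:^|[\s&|(])(dir|tree)(?:\.com|\.exe)?(?=\s|$)', re.I)
# Output redirected to a file (listing staged for later collection).
REDIRECT = re.compile(r'>{1,2}\s*(\S+)')

def find_enumeration_bursts(events, window_s=60, threshold=3):
    """Alert on parents that launch >= threshold dir/tree commands within window_s seconds."""
    by_parent = defaultdict(list)
    for ts, host, ppid, cmdline in events:
        if ENUM.search(cmdline):
            m = REDIRECT.search(cmdline)
            by_parent[(host, ppid)].append(
                (datetime.fromisoformat(ts), m.group(1) if m else None))
    alerts = []
    for (host, ppid), hits in sorted(by_parent.items()):
        hits.sort(key=lambda h: h[0])
        start, best = 0, []
        for end in range(len(hits)):
            # Shrink the window until it spans at most window_s seconds.
            while hits[end][0] - hits[start][0] > timedelta(seconds=window_s):
                start += 1
            if end - start + 1 > len(best):
                best = hits[start:end + 1]
        if len(best) >= threshold:
            alerts.append({
                "host": host, "parent_pid": ppid, "count": len(best),
                "staged_to": sorted({t for _, t in best if t}),
            })
    return alerts
```

Tools that query the Windows API directly produce no such command lines, so this covers only the process command-line data source and needs file monitoring alongside it.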


  1. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  2. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  3. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  4. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  5. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved February 25, 2016.
  6. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  7. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  8. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  9. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  10. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  11. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  12. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  13. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  14. Camba, A. (2013, February 27). BKDR_RARSTONE: New RAT to Watch Out For. Retrieved January 8, 2016.
  15. Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved December 17, 2015.
  16. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  17. Falcone, R. and Wartell, R. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016.
  18. Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
  19. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  20. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
  21. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved January 25, 2016.
  22. Desai, D. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
  23. Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  24. Falcone, R., et al. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  25. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  26. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  27. Baumgartner, K. and Garnaeva, M. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  28. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  29. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  30. Microsoft. (n.d.). Dir. Retrieved April 18, 2016.
  31. Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  32. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  33. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  34. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  35. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  36. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  37. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  38. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  39. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  40. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  41. Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  42. FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.
  43. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  44. Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  45. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  46. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  47. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda? Retrieved November 18, 2014.
  48. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  49. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  50. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.