File and Directory Discovery

From enterprise
Jump to: navigation, search
File and Directory Discovery
Technique
ID T1083
Tactic Discovery
Platform Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux, Windows 10, MacOS, OS X
System Requirements Some folders may require Administrator, SYSTEM or specific user depending on permission levels and access controls
Permissions Required User, Administrator, SYSTEM
Data Sources File monitoring, Process command-line parameters, Process monitoring

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

Windows

Example utilities used to obtain this information are dir and tree.1 Custom tools may also be used to gather file and directory information and interact with the Windows API.

Mac and Linux

In Mac and Linux, this kind of discovery is accomplished with the ls, find, and locate commands.

Examples

  • APT28 has a utility to list detailed information about files and directories 2
  • Dust Storm has used Android backdoors capable of enumerating specific files on the infected devices.3
  • Ke3chang uses command-line interaction to search files and directories.4
  • Several Lazarus Group malware samples use a common function to identify target files by their extension. Lazarus Group malware families also enumerate files and directories on lettered drives.5
  • A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions.6
  • Turla surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, and in the Program Files directory.7
  • admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories:
      • dir c:\ >> %temp%\download
      • dir "c:\Documents and Settings" >> %temp%\download
      • dir "c:\Program Files\" >> %temp%\download
      • dir d:\ >> %temp%\download8
  • 3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory.9
  • 4H RAT has the capability to obtain file and directory listings.9
  • ADVSTORESHELL can list files and directories.1011
  • AutoIt is capable of identifying documents on the victim with the following extensions: .doc; .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg.12
  • BACKSPACE allows adversaries to search for files.13
  • BBSRAT can list file and directory information.14
  • BLACKCOFFEE has the capability to enumerate files.15
  • Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files.16
  • BlackEnergy gathers a list of installed apps from the uninstall program Registry. It also gathers registered mail, browser, and instant messaging clients from the Registry.17 BlackEnergy has searched for given file types.18
  • An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o.10
  • ChChes collects the victim's %TEMP% directory path and version of Internet Explorer.19
  • ChChes identifies the file path for the %TEMP% director and sets its current working directory to that path.20
  • CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list.21
  • Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list.22
  • Derusbi is capable of obtaining a directory listing.23
  • DustySky scans the victim for files that contain certain keywords from a list that is obtained from the C2 as a text file. It also collects information about installed software.24
  • ELMER is capable of performing directory listings.25
  • A variant of Elise executes dir C:\progra~1 when initially run.26
  • FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system and removable media.13
  • GeminiDuke collects information from the victim, including installed drivers, programs previously executed by users, programs and services configured to automatically run at startup, files and folders present in any user's home folder, files and folders present in any user's My Documents, programs installed to the Program Files folder, and recently accessed files, folders, and programs.27
  • HTTPBrowser is capable of listing files, folders, and drives on a victim.2829
  • Kasidet has the ability to search for a given filename on a victim.30
  • Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives.3
  • MobileOrder has a command to upload to its C2 server information about files on the victim mobile device, including SD card size, installed app list, browser bookmarks, SMS content, contacts, and calling history.31
  • MoonWind has a command to return a directory listing for a specified directory.32
  • NETEAGLE allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information.13
  • OwaAuth has a command to list its directory and logical drives.28
  • PinchDuke searches for files created within a certain timeframe and whose file extension matches a predefined list.27
  • Pisloader has commands to list drives on the victim machine and to list file information for a given directory.33
  • PowerDuke has commands to get its current directory name as well as the size of a file.34
  • A module in Prikormka collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the file.35
  • Psylo has commands to enumerate all storage devices and to find all files that start with a particular string.31
  • Pteranodon identifies files matching certain file extension and copies them to subdirectories it created.36
  • RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications.37
  • RTM can scan victim drives to look for specific banking software on the machine to determine next actions. It also looks at browsing history and open tabs for specific strings.38
  • RedLeaves can enumerate and search for files and directories.3919
  • Remsec is capable of listing contents of folders on the victim.4041 Remsec also searches for custom network encryption software on victims.42
  • Rover automatically searches for files on local drives based on a predefined list of file extensions.43
  • SHOTPUT has a command to obtain a directory listing.44
  • SOUNDBITE is capable of enumerating and manipulating files and directories.45
  • SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time.13
  • Shamoon attempts to access the ADMIN$, C$\Windows, D$\Windows, and E$\Windows shares on the victim with its current privileges.46
  • StreamEx has the ability to enumerate drive types.47
  • ... further results

Mitigation

File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting48 tools, like AppLocker,149 or Software Restriction Policies50 where appropriate.51

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

References

  1. a b  Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  2. ^  Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  3. a b  Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  4. ^  Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  5. ^  Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  6. ^  Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  7. ^  Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  8. ^  FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  9. a b  Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  10. a b  ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  11. ^  Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  12. ^  Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  13. a b c d  FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  14. ^  Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  15. ^  FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
  16. ^  Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  17. ^  F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  18. ^  Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  19. a b  FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  20. ^  Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  21. ^  F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  22. ^  Huss, D.. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  23. ^  Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  24. ^  ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  25. ^  Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
  26. ^  Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  1. a b  F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  2. a b  Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved January 25, 2016.
  3. ^  Desai, D.. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
  4. ^  Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  5. a b  Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  6. ^  Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  7. ^  Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  8. ^  Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  9. ^  Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  10. ^  Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  11. ^  Camba, A. (2013, February 27). BKDR_RARSTONE: New RAT to Watch Out For. Retrieved January 8, 2016.
  12. ^  Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  13. ^  PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  14. ^  Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  15. ^  Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  16. ^  Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  17. ^  Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  18. ^  Falcone, R. and Wartell, R.. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016.
  19. ^  Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  20. ^  FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.
  21. ^  Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  22. ^  Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  23. ^  NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  24. ^  Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  25. ^  Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.