File and Directory Discovery
|File and Directory Discovery|
|Platform||Linux, macOS, Windows|
|System Requirements||Some folders may require Administrator, SYSTEM or specific user depending on permission levels and access controls|
|Permissions Required||User, Administrator, SYSTEM|
|Data Sources||File monitoring, Process command-line parameters, Process monitoring|
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Example utilities used to obtain this information are
tree.1 Custom tools may also be used to gather file and directory information and interact with the Windows API.
Mac and Linux
In Mac and Linux, this kind of discovery is accomplished with the
- APT28 has a utility to list detailed information about files and directories 2
- APT3 has a tool that looks for files and directories on the local file system.3 4
- BRONZE BUTLER has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal.5
- Dust Storm has used Android backdoors capable of enumerating specific files on the infected devices.6
- Ke3chang uses command-line interaction to search files and directories.7
- Several Lazarus Group malware samples use a common function to identify target files by their extension. Lazarus Group malware families also enumerate files and directories on lettered drives.8
- Magic Hound malware can list a victim's logical drives and the type, as well the total/free space of the fixed devices. Other malware can list a directory's contents.9
- A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions.10
- Sowbug identified and extracted all Word documents on a server by using a command containing *.doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim.11
- Turla surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, and in the Program Files directory.12
- admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories:
dir c:\ >> %temp%\download
dir "c:\Documents and Settings" >> %temp%\download
dir "c:\Program Files\" >> %temp%\download
dir d:\ >> %temp%\download13
- 3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory.14
- 4H RAT has the capability to obtain file and directory listings.14
- ADVSTORESHELL can list files and directories.1516
- AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc; .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg.17
- BACKSPACE allows adversaries to search for files.18
- BBSRAT can list file and directory information.19
- BLACKCOFFEE has the capability to enumerate files.20
- Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files.21
- BlackEnergy gathers a list of installed apps from the uninstall program Registry. It also gathers registered mail, browser, and instant messaging clients from the Registry.22 BlackEnergy has searched for given file types.23
- An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o.15
- ChChes identifies the file path for the %TEMP% director and sets its current working directory to that path.24
- ChChes collects the victim's %TEMP% directory path and version of Internet Explorer.25
- CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list.26
- Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list.27
- Derusbi is capable of obtaining a directory listing.28
- DustySky scans the victim for files that contain certain keywords from a list that is obtained from the C2 as a text file. It also collects information about installed software.29
- ELMER is capable of performing directory listings.30
- A variant of Elise executes
dir C:\progra~1when initially run.31
- FALLCHILL can search files on a victim.32
- FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system and removable media.18
- GeminiDuke collects information from the victim, including installed drivers, programs previously executed by users, programs and services configured to automatically run at startup, files and folders present in any user's home folder, files and folders present in any user's My Documents, programs installed to the Program Files folder, and recently accessed files, folders, and programs.33
- HTTPBrowser is capable of listing files, folders, and drives on a victim.3435
- Kasidet has the ability to search for a given filename on a victim.36
- Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives.6
- MobileOrder has a command to upload to its C2 server information about files on the victim mobile device, including SD card size, installed app list, browser bookmarks, SMS content, contacts, and calling history.37
- MoonWind has a command to return a directory listing for a specified directory.38
- NETEAGLE allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information.18
- OwaAuth has a command to list its directory and logical drives.34
- POWRUNER may enumerate user directories on a victim.39
- PinchDuke searches for files created within a certain timeframe and whose file extension matches a predefined list.33
- Pisloader has commands to list drives on the victim machine and to list file information for a given directory.40
- PowerDuke has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space.41
- A module in Prikormka collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the file.42
- Psylo has commands to enumerate all storage devices and to find all files that start with a particular string.37
- Pteranodon identifies files matching certain file extension and copies them to subdirectories it created.43
- RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications.44
- RTM can scan victim drives to look for specific banking software on the machine to determine next actions. It also looks at browsing history and open tabs for specific strings.45
- RedLeaves can enumerate and search for files and directories.4625
- Remsec is capable of listing contents of folders on the victim.4748 Remsec also searches for custom network encryption software on victims.49
- ... further results
File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting50 tools, like AppLocker,151 or Software Restriction Policies52 where appropriate.53
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
- Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
- Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
- Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
- Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017.
- Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
- Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
- Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
- Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
- Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
- Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
- FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
- Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
- ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
- Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
- FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
- Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
- FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
- Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
- F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
- Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
- Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
- FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
- F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
- Huss, D.. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
- Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
- ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
- Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
- Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
- US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
- F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved January 25, 2016.
- Desai, D.. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
- Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
- Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
- Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
- Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
- Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
- Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
- Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
- Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
- Camba, A. (2013, February 27). BKDR_RARSTONE: New RAT to Watch Out For. Retrieved January 8, 2016.
- Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
- Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
- NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
- Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
- Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.