# T1083 File and Directory Discovery

-----------------------------------------------------------------------

## Technique Description

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Many command shell utilities can be used to obtain this information. Examples include <code>dir</code>, <code>tree</code>, <code>ls</code>, <code>find</code>, and <code>locate</code>.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information.(Citation: US-CERT-TA18-106A)

## Technique Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). Further, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands may also be used to gather file and directory information with built-in features native to the network device platform.  Monitor CLI activity for unexpected or unauthorized use of commands being run by non-standard users from non-standard locations.  

-----------------------------------------------------------------------

### Tactics:

  *   Discovery

### Platforms:

  * Linux

  * macOS

  * Windows

  * Network

### System Requirements:

  * Some folders may require Administrator, SYSTEM or specific user depending on permission levels and access controls

### Data Sources:

  * **Process:** OS API Execution

  * **Process:** Process Creation

  * **Command:** Command Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Confucius | [Confucius](https://attack.mitre.org/groups/G0142) has used a file stealer that checks the Document, Downloads, Desktop, and Picture folders for documents and images with specific extensions.(Citation: TrendMicro Confucius APT Aug 2021)| 
| Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files.(Citation: Avira Mustang Panda January 2020)| 
| Windigo | [Windigo](https://attack.mitre.org/groups/G0124) has used a script to check for the presence of files created by OpenSSH backdoors.(Citation: ESET ForSSHe December 2018)| 
| Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has used malware to collect information on files and directories.(Citation: ATT Sidewinder January 2021)| 
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) obtained information about the configured Exchange virtual directory using <code>Get-WebServicesVirtualDirectory</code>.(Citation: Volexity SolarWinds)| 
| Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has used WizTree to obtain network files and directory listings.(Citation: CISA AA20-259A Iran-Based Actor September 2020)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has gathered a recursive directory listing to find files and directories of interest.(Citation: FoxIT Wocao December 2019)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has utilized multiple commands to identify data of interest in file and directory listings.(Citation: NCC Group Chimera January 2021)| 
| Inception | [Inception](https://attack.mitre.org/groups/G0100) used a file listing plugin to collect information about file and directories both on local and remote drives.(Citation: Symantec Inception Framework March 2018)| 
| APT41 | [APT41](https://attack.mitre.org/groups/G0096) has executed <code>file /bin/pwd</code> on exploited victims, perhaps to return architecture related information.(Citation: FireEye APT41 March 2020)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has the ability to enumerate all files and directories on an infected system.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)| 
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used tools with the ability to search for files on a compromised host.(Citation: FBI FLASH APT39 September 2020)| 
| APT38 | [APT38](https://attack.mitre.org/groups/G0082) have enumerated files and directories, or searched in specific locations within a compromised host.(Citation: CISA AA20-239A BeagleBoyz August 2020)| 
| Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has monitored files' modified time.(Citation: TrendMicro Tropic Trooper May 2020)	| 
| Honeybee | [Honeybee](https://attack.mitre.org/groups/G0072)'s service-based DLL implant traverses the FTP server’s directories looking for files with keyword matches for computer names or certain keywords.(Citation: McAfee Honeybee)| 
| Dark Caracal | [Dark Caracal](https://attack.mitre.org/groups/G0070) collected file listings of all default Windows directories.(Citation: Lookout Dark Caracal Jan 2018)| 
| Leafminer | [Leafminer](https://attack.mitre.org/groups/G0077) used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files.(Citation: Symantec Leafminer July 2018)| 
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used malware that checked if the ProgramData folder had folders or files with the keywords "Kasper," "Panda," or "ESET."(Citation: Securelist MuddyWater Oct 2018)| 
| Sowbug | [Sowbug](https://attack.mitre.org/groups/G0054) identified and extracted all Word documents on a server by using a command containing * .doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim.(Citation: Symantec Sowbug Nov 2017)| 
| Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) malware can list a victim's logical drives and the type, as well the total/free space of the fixed devices. Other malware can list a directory's contents.(Citation: Unit 42 Magic Hound Feb 2017)| 
| BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal.(Citation: Secureworks BRONZE BUTLER Oct 2017)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050)'s backdoor possesses the capability to list files and directories on a machine.(Citation: ESET OceanLotus Mar 2019)| 
| Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. [Gamaredon Group](https://attack.mitre.org/groups/G0047) has also used its backdoors to automatically list interesting files (such as Office documents) found on a system.(Citation: ESET Gamaredon June 2020)(Citation: Unit 42 Gamaredon February 2022)	| 
| menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has searched compromised systems for folders of interest including those related to HR, audit and expense, and meeting memos.(Citation: Symantec Cicada November 2020)| 
| Winnti Group | [Winnti Group](https://attack.mitre.org/groups/G0044) has used a program named ff.exe to search for specific documents on compromised hosts.(Citation: Kaspersky Winnti April 2013)| 
| Patchwork | A [Patchwork](https://attack.mitre.org/groups/G0040) payload has searched all fixed drives on the victim for files matching a specified list of extensions.(Citation: Cymmetria Patchwork)(Citation: TrendMicro Patchwork Dec 2017)| 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has used a batch script to gather folder and file names from victim hosts.(Citation: US-CERT TA18-074A)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has enumerated files on a compromised host.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Dragos Crashoverride 2018)| 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has conducted word searches on compromised machines to identify specific documents of interest. [Lazarus Group](https://attack.mitre.org/groups/G0032) malware can use a common function to identify target files by their extension, and some also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.(Citation: Novetta Blockbuster)(Citation: McAfee GhostSecret)(Citation: ClearSky Lazarus Aug 2020)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)| 
| Dust Storm | [Dust Storm](https://attack.mitre.org/groups/G0031) has used Android backdoors capable of enumerating specific files on the infected devices.(Citation: Cylance Dust Storm)| 
| APT18 | [APT18](https://attack.mitre.org/groups/G0026) can list files information for specific directories.(Citation: PaloAlto DNS Requests May 2016)| 
| APT3 | [APT3](https://attack.mitre.org/groups/G0022) has a tool that looks for files and directories on the local file system.(Citation: FireEye Clandestine Fox)(Citation: evolution of pirpi)| 
| admin@338 | [admin@338](https://attack.mitre.org/groups/G0018) actors used the following commands after exploiting a machine with [LOWBALL](https://attack.mitre.org/software/S0042) malware to obtain information about files and directories: <code>dir c:\ >> %temp%\download</code> <code>dir "c:\Documents and Settings" >> %temp%\download</code> <code>dir "c:\Program Files\" >> %temp%\download</code> <code>dir d:\ >> %temp%\download</code>(Citation: FireEye admin@338)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) obtained information about the configured Exchange virtual directory using <code>Get-WebServicesVirtualDirectory</code>.(Citation: Volexity SolarWinds)| 
| Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) has used malware that searched for files with specific patterns.(Citation: Microsoft DUBNIUM July 2016)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, the Program Files directory, and Recent.(Citation: Kaspersky Turla)(Citation: ESET ComRAT May 2020) [Turla](https://attack.mitre.org/groups/G0010) RPC backdoors have also searched for files matching the <code>lPH*.dll</code> pattern.(Citation: ESET Turla PowerShell May 2019)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used [Forfiles](https://attack.mitre.org/software/S0193) to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms.(Citation: Überwachung APT28 Forfiles June 2015)(Citation: DOJ GRU Indictment Jul 2018)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) uses command-line interaction to search files and directories.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: Microsoft NICKEL December 2021)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1083)

  * [Windows Commands Jpcert](https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html), Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.

  * [Us-Cert-Ta18-106A](https://www.us-cert.gov/ncas/alerts/TA18-106A), US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.

  * [Capec](https://capec.mitre.org/data/definitions/127.html)

  * [Capec](https://capec.mitre.org/data/definitions/497.html)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will use either native command-line tools or custom tools to query a filesystem for files and directories

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

#### APT28
- APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms.

#### Turla
- Turla surveys a system upon check-in to discover files in specific locations on the hard disk: the %TEMP% directory, the current user's desktop, the Program Files directory, and Recent. Turla RPC backdoors have also searched for files matching the `lPH*.dll` pattern.

## Detection Blindspots

- Information Here

## Analytical References

  * [Attack on German Parliament (netzpolitik)](https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/)
  * [Epic Turla Operation (securelist)](https://securelist.com/the-epic-turla-operation/65545/)
  * [ESET Turla ComRAT (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf)
  * [Atomic Red Team T1083 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md)
  * [Windows Commands Abused (jpcert)](https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html)
  * [Turla Powershell Usage 2019 (welivesecurity)](https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- This technique focuses on File and Directory Discovery; operators should also look at Remote System Discovery (T1018), System Information Discovery (T1082), and System Service Discovery (T1007), as these are often used in tandem.

#### Analytic 1

  * **Information:** Monitor processes and command-line arguments for actions that could be taken to gather system and network information.

  * **Source:** Sysmon

  * **Tool:** Kibana

  * **Notes:** `dir` and `set` are cmd.exe built-ins, so they never appear as a process name; match them on the command line (first query) and rely on `process.name` only for the stand-alone binaries (tree.exe, forfiles.exe, attrib.exe, systeminfo.exe).

  * **Query:** ```event_id:1 AND (command_line:"*forfiles*" OR command_line:"dir*" OR command_line:"find*")```

  * **Query:** ```event_id: (1 or 5 or 4688 or 4689) AND process.name : (dir or tree or forfiles or attrib or set or systeminfo)```

#### Analytic 2

  * **Information:** Adversaries can probe the filesystem for contents then send that data to a file in a temp or benign directory.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** Look for outliers

  * **Query Pseudo:** ```process.command.line or (process.parent.command_line) :*temp* or *tmp* or *appdata*```
  
#### Analytic 3

  * **Information:** Identifying what the cmd prompt or powershell is executing can be valuable insight to activity.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** Baseline activity of environment
  
  * **Query Pseudo:** ```Event_id : (1 or 5 or 4688 or 4689) AND process.parent.name : (cmd.exe or powershell.exe)```
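The three host analytics above, expressed as detection logic run over constructed Sysmon Event ID 1 records (added example, not part of the original notebook; the records, the `updater.exe` parent and the simplified field names are constructed, and the first record mirrors the `dir ... >> %temp%\download` pattern from the admin@338 row):

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records for illustration,
# not real telemetry; keys mirror Sysmon's field names.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "command_line": r'cmd.exe /c dir "c:\Program Files\" >> %temp%\download'},
    {"pid": 4188, "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'forfiles /p C:\Users /s /m *.pdf /c "cmd /c echo @path"'},
    {"pid": 900, "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"pid": 5012, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
]

# Analytic 1: discovery utilities. dir and set are cmd.exe built-ins, so they
# appear only inside a command line, never as a process/image name.
DISCOVERY_CMDS = {"dir", "tree", "forfiles", "attrib", "find", "ls"}
# Analytic 2: output redirected (> or >>) into a temp/appdata staging path.
REDIRECT = re.compile(r'>{1,2}\s*"?([^"\s]+)')
STAGING = re.compile(r"%temp%|%tmp%|\\temp\\|\\tmp\\|\\appdata\\", re.I)
# Analytic 3: spawned by an interactive shell.
SHELLS = {"cmd.exe", "powershell.exe"}

def _tokens(command_line):
    # Strip quotes and lower-case so DIR, "dir" and dir all compare equal.
    return [t.strip('"').lower() for t in command_line.split()]

def analytic1(event):
    """Command line invokes a file/directory discovery utility."""
    return any(t in DISCOVERY_CMDS for t in _tokens(event["command_line"]))

def analytic2(event):
    """Discovery output is redirected into a temp/tmp/appdata path."""
    m = REDIRECT.search(event["command_line"])
    return bool(m and analytic1(event) and STAGING.search(m.group(1)))

def analytic3(event):
    """Parent process is cmd.exe or powershell.exe."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    return parent in SHELLS

def triage(events):
    """Map pid -> list of analytics that fired, for events hitting at least one."""
    checks = {"analytic1": analytic1, "analytic2": analytic2, "analytic3": analytic3}
    hits = {}
    for ev in events:
        fired = [name for name, check in checks.items() if check(ev)]
        if fired:
            hits[ev["pid"]] = fired
    return hits
```

Run `triage(SAMPLE_EVENTS)` to see that only the two discovery-style records fire, and which analytic each one trips.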
  



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.
- One instance of this technique was carried out through custom malware that made no apparent effort to obfuscate its code, and created a beacon that reached out to a malicious IP (176.31.112.10) for C2 every 3 seconds. Monitoring network traffic for similarly loud patterns can reveal this type of quick collection.
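The short, regular beacon interval noted above, turned into detection logic over a constructed connection log (added example, not part of the original notebook; the hosts, addresses and timestamps are constructed, with 203.0.113.10 standing in for a C2 address):

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection records (timestamp in seconds, source, destination),
# loosely modelled on Zeek conn.log; 203.0.113.10 is a placeholder C2 address.
SAMPLE_CONNS = (
    # one host checking in every 3 seconds: 11 connections, zero jitter
    [(t, "10.0.0.5", "203.0.113.10") for t in range(1000, 1031, 3)]
    # normal browsing: few connections, irregular spacing
    + [(1000, "10.0.0.7", "198.51.100.20"), (1042, "10.0.0.7", "198.51.100.20"),
       (1301, "10.0.0.7", "198.51.100.20"), (1303, "10.0.0.7", "198.51.100.20")]
    # chatty but irregular: many connections, gaps vary widely
    + [(t, "10.0.0.9", "198.51.100.40")
       for t in (1000, 1004, 1030, 1031, 1100, 1102, 1150, 1400, 1401)]
)

def beacon_candidates(conns, min_conns=8, max_interval=10.0, max_jitter=0.2):
    """Flag (src, dst) pairs that connect often, quickly and regularly.

    max_interval caps the mean gap in seconds; max_jitter caps the
    coefficient of variation (stdev / mean) of the gaps, so a steady
    3-second beacon passes while bursty user traffic does not.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in conns:
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # duplicate timestamps; nothing periodic to measure
        jitter = pstdev(gaps) / avg
        if avg <= max_interval and jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "count": len(stamps),
                             "interval": round(avg, 2), "jitter": round(jitter, 3)})
    return findings
```

Loosening `max_interval` and `max_jitter` shows the trade-off: the chatty-but-irregular host starts to appear alongside the true beacon.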

#### Analytic 1

  * **Information:** Remote access tools with built-in features may interact directly with the Windows API to gather information.

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:** Need to determine which DCERPC operations would be associated with this TTP.

  * **Query:** ```protocols == dcerpc```