T1083 File and Directory Discovery Mappings

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Native API. Adversaries may also leverage a Network Device CLI on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).(Citation: US-CERT-TA18-106A)

Some files and directories may require elevated or specific user permissions to access.


Mappings

Capability ID | Capability Description            | Mapping Type    | ATT&CK ID | ATT&CK Name                  | Notes
------------- | --------------------------------- | --------------- | --------- | ---------------------------- | -----
intel-tdt     | Intel Threat Detection Technology | CrowdStrike AMS | T1083     | File and Directory Discovery |
Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enables faster, real-time detection of File and Directory Discovery activity. The integration allows CrowdStrike Falcon to detect and mitigate threats earlier in the kill chain with minimal impact on system performance.

File and Directory Discovery involves an adversary mapping or enumerating files, directories, or system resources to locate sensitive information or targets for further exploitation. This activity often precedes lateral movement, privilege escalation, or data exfiltration.

Intel TDT contributes by providing deep, real-time telemetry on program execution, memory access, and control flow. That telemetry supports rapid identification of suspicious behaviors, such as abnormal access to or enumeration of files and directories, that may indicate an ongoing discovery attack.

CAMS offloads the performance-intensive task of memory scanning from the CPU to the Intel integrated GPU, so malicious activity can be detected faster and more efficiently without degrading system performance. It helps identify behaviors such as unauthorized access attempts to sensitive file locations or probing of the file system for valuable assets.
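The technique description above lists the shell utilities (dir, tree, ls, find, locate) that typically carry out this discovery, and the comments describe detecting it as a burst of abnormal enumeration behavior. The following is an added example, not part of the ATT&CK technique page and not Intel TDT or CrowdStrike Falcon code: a small detection heuristic that reads process-creation events, labels those that run one of the utilities named on the page (including cmd.exe builtins such as dir that never appear as their own process), and raises one alert per host and user when several such commands run within a short window. The pipe-delimited log format, field names, thresholds and sample events are all constructed for this example.

```python
"""T1083 File and Directory Discovery: burst detection over process-creation events.

Added example (constructed log format and sample data); it is not the ATT&CK
page's content and not Intel TDT / CrowdStrike Falcon code.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Enumeration utilities named in the T1083 description, as lower-case
# executable names with any .exe/.com suffix removed.
DISCOVERY_UTILITIES = {"dir", "tree", "ls", "find", "locate"}

# Interpreter switches after which a command name follows, e.g. "cmd.exe /c dir"
# or "/bin/bash -c 'ls -la /etc'". dir is a cmd.exe builtin, so it is only ever
# visible in the parent's command line, never as its own image.
SHELL_SWITCHES = {"/c", "/k", "-c"}


@dataclass(frozen=True)
class ProcessEvent:
    ts: datetime
    host: str
    user: str
    image: str      # full path of the executable
    cmdline: str    # full command line


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed record: ts|host|user|image|cmdline."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return ProcessEvent(datetime.fromisoformat(ts), host, user, image, cmdline)


def load_events(text: str):
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def _basename(token: str) -> str:
    """Lower-case file name of a path token, quotes and .exe/.com stripped."""
    name = token.strip('"\'').replace("\\", "/").rsplit("/", 1)[-1].lower()
    for suffix in (".exe", ".com"):
        if name.endswith(suffix):
            name = name[: -len(suffix)]
    return name


def discovery_labels(ev: ProcessEvent) -> set:
    """Return the set of enumeration utilities this event runs (empty if none)."""
    labels = set()
    exe = _basename(ev.image)
    if exe in DISCOVERY_UTILITIES:
        labels.add(exe)
    tokens = ev.cmdline.split()
    for i, tok in enumerate(tokens):
        # Only the token directly after a shell switch is treated as a command,
        # which keeps ordinary arguments from matching on their file name alone.
        if tok.lower() in SHELL_SWITCHES and i + 1 < len(tokens):
            cand = _basename(tokens[i + 1])
            if cand in DISCOVERY_UTILITIES:
                labels.add(cand)
    return labels


def detect_bursts(events, window=timedelta(minutes=5), threshold=3):
    """One alert per (host, user) that runs >= threshold enumeration commands within window."""
    hits = defaultdict(list)  # (host, user) -> [(ts, labels, cmdline)] in time order
    for ev in sorted(events, key=lambda e: e.ts):
        labels = discovery_labels(ev)
        if labels:
            hits[(ev.host, ev.user)].append((ev.ts, labels, ev.cmdline))

    alerts = []
    for (host, user), rows in hits.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:   # slide the window
                start += 1
            if end - start + 1 >= threshold:
                in_window = rows[start:end + 1]
                alerts.append({
                    "host": host,
                    "user": user,
                    "count": len(in_window),
                    "first_seen": in_window[0][0].isoformat(),
                    "last_seen": in_window[-1][0].isoformat(),
                    "utilities": sorted(set().union(*(r[1] for r in in_window))),
                    "commands": [r[2] for r in in_window],
                })
                break
    return alerts


# Constructed sample events: ws01/alice runs three enumeration commands in 30 s
# (should alert); srv02/svc_backup runs two, hours apart (should not).
SAMPLE_LOG = r"""
2024-05-01T09:00:00|ws01|alice|C:\Windows\System32\cmd.exe|cmd.exe /c dir /s /b C:\Users\*.xlsx
2024-05-01T09:00:07|ws01|alice|C:\Windows\System32\tree.com|tree C:\Users /f
2024-05-01T09:00:30|ws01|alice|C:\Windows\System32\cmd.exe|cmd.exe /c dir /s D:\Shares
2024-05-01T09:01:10|ws01|alice|C:\Windows\System32\notepad.exe|notepad.exe report.txt
2024-05-01T10:15:00|srv02|svc_backup|/bin/bash|/bin/bash -c "ls -la /etc"
2024-05-01T14:15:00|srv02|svc_backup|/usr/bin/find|find /srv/data -name *.docx -mtime -1
"""

if __name__ == "__main__":
    for a in detect_bursts(load_events(SAMPLE_LOG)):
        print(f"[T1083] {a['host']} {a['user']} ran {a['count']} enumeration commands "
              f"({', '.join(a['utilities'])}) between {a['first_seen']} and {a['last_seen']}")
```

The window and threshold are deliberately low so the constructed sample triggers; in practice they are tuned per environment, and accounts such as backup or indexing services that legitimately walk the file system are allow-listed rather than scored. The heuristic only inspects the image name and the token after a shell switch, so chained or obfuscated command lines need a real command-line parser to be caught.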