Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Many command shell utilities can be used to obtain this information. Examples include <code>dir</code>, <code>tree</code>, <code>ls</code>, <code>find</code>, and <code>locate</code>.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Native API. Adversaries may also leverage a Network Device CLI on network devices to gather file and directory information (e.g. <code>dir</code>, <code>show flash</code>, and/or <code>nvram</code>).(Citation: US-CERT-TA18-106A)
Some files and directories may require elevated or specific user permissions to access.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1083 | File and Directory Discovery | |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1083 | File and Directory Discovery | |
| action.malware.variety.Profile host | Enumerating the state of the current host | related-to | T1083 | File and Directory Discovery |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| microsoft_sentinel | Microsoft Sentinel | technique_scores | T1083 | File and Directory Discovery |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which includes modules for finding files of interest on hosts and network shares, but does not address other procedures.
References
|
| docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | technique_scores | T1083 | File and Directory Discovery |
Comments
This control may provide recommendations to ensure sensitive host system directories are not mounted in the container.
References
|