T1083: File and Directory Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Many command shell utilities can be used to obtain this information. Examples include `dir`, `tree`, `ls`, `find`, and `locate`. Custom tools may also be used to gather file and directory information and interact with the Native API. Adversaries may also leverage a Network Device CLI on network devices to gather file and directory information (e.g. `dir`, `show flash`, and/or `nvram`).
Some files and directories may require elevated or specific user permissions to access, so an adversary without those rights will generate access failures; repeated failed access attempts are a useful signal in their own right (the Dnsmasq TFTP rule below is one example of that pattern).
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
- mitre_attck_discovery: PT-CR-322: File_Directory_Discovery: An attempt to retrieve a list of existing system files and folders is detected
- postgresql_database: PT-CR-1829: PostgreSQL_Structure_Discovery: Execution of certain SQL commands may indicate reconnaissance of the internal structure of the PostgreSQL database, which may indicate attacker activity
- mitre_attck_discovery: PT-CR-2117: Windows_Mass_Recon: Large number of reconnaissance-related actions on a host
- mssql_database: PT-CR-416: MSSQL_file_system_discovery: An attempt to get information from the file system using a database
- mssql_database: PT-CR-556: MSSQL_backup_location_discovery: An attempt to get information about the database backup locations
- clickhouse: PT-CR-1564: ClickHouse_users_directory_discovery: An attempt to retrieve information about the location of DBMS user files is detected
- clickhouse: PT-CR-1565: ClickHouse_backup_directory_discovery: An attempt to retrieve information about the location of DBMS object backup copies is detected
- dnsmasq: PT-CR-2149: Dnsmasq_TFTP_File_Recon: Multiple failed attempts to access a file via TFTP
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0009 | Process: Process Creation | Monitor newly executed processes that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. |
| DS0009 | Process: OS API Execution | Monitor for API calls that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. |
| DS0017 | Command: Command Execution | Monitor executed commands and arguments that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users. |
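The following is an added example (not code from this page, from MITRE, or from MaxPatrol SIEM) that turns the process-creation and command-execution guidance in the table above, together with the utility list from the technique description, into two detection stages: a per-event match on the enumeration utilities (`dir`, `tree`, `ls`, `find`, `locate`), and a per-host sliding-window count that fires once a host accumulates several such events, in the spirit of the per-event and "mass recon" rules listed earlier. The pipe-delimited event format, the 60-second window and the threshold of 5 are assumptions; the log lines are constructed. It also handles the detail that `dir` and `tree` are cmd.exe built-ins and therefore only appear in the command line of a cmd.exe process, never as an image name of their own, and includes a separate matcher for AAA command-accounting records from network devices.

```python
"""Added example: two-stage T1083 detection over constructed process-creation
events (per-event match, then per-host mass-recon count), plus a matcher for
network-device AAA command records.  Event format, window and threshold are
assumptions, not any product's real rule definitions."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Utilities named in the technique description.  Image basenames are compared
# against this set after stripping any ".exe" suffix.
DISCOVERY_PROGRAMS = {"dir", "tree", "ls", "find", "locate"}

# dir and tree are cmd.exe built-ins: they never appear as a process image, so
# they must be matched as a token inside a cmd.exe command line.  The lookahead
# keeps "directory" or "treeview" from matching.
CMD_BUILTIN = re.compile(r"(?:^|[\s&|;(])(dir|tree)(?=\s|$)", re.IGNORECASE)

# Network Device CLI commands from the technique description, matched at the
# start of an AAA command-accounting record ("show flash:" still matches).
NETDEV_DISCOVERY = re.compile(r"^\s*(dir|show\s+flash|nvram)\b", re.IGNORECASE)


@dataclass
class Event:
    ts: int        # seconds since epoch (constructed)
    host: str
    user: str
    image: str     # full path of the new process
    cmdline: str


def parse(line: str) -> Event:
    """Parse one constructed 'ts|host|user|image|cmdline' record."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return Event(int(ts), host, user, image, cmdline)


def basename(image: str) -> str:
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def is_discovery(ev: Event) -> bool:
    """True when a process-creation event looks like file/directory enumeration."""
    prog = basename(ev.image)
    if prog in DISCOVERY_PROGRAMS:
        return True
    return prog == "cmd" and CMD_BUILTIN.search(ev.cmdline) is not None


def is_netdev_discovery(command: str) -> bool:
    """For AAA logs only the command text is available; match it directly."""
    return NETDEV_DISCOVERY.match(command) is not None


def detect(log: str, window: int = 60, threshold: int = 5):
    """Return (per-event hits, mass-recon alerts) for a block of log lines.

    A mass-recon alert is (host, ts) and fires exactly once when a host's
    discovery events within `window` seconds first reach `threshold`; it is
    not repeated while the count stays at or above the threshold."""
    events = sorted((parse(l) for l in log.splitlines() if l.strip()),
                    key=lambda e: e.ts)
    hits = [ev for ev in events if is_discovery(ev)]
    recent = defaultdict(deque)   # host -> timestamps of recent hits
    mass = []
    for ev in hits:
        q = recent[ev.host]
        q.append(ev.ts)
        while ev.ts - q[0] > window:
            q.popleft()
        if len(q) == threshold:
            mass.append((ev.host, ev.ts))
    return hits, mass


# Constructed sample: one workstation running a burst of dir/tree commands
# (including against a network share), and one server with two isolated hits.
SAMPLE_LOG = r"""
1700000000|ws01|acme\jdoe|C:\Windows\System32\cmd.exe|cmd.exe /c dir /s /b C:\Users\*.docx
1700000005|ws01|acme\jdoe|C:\Windows\System32\cmd.exe|cmd.exe /c tree C:\Users /f
1700000007|ws01|acme\jdoe|C:\Windows\System32\findstr.exe|findstr /i password C:\temp\a.txt
1700000010|ws01|acme\jdoe|C:\Windows\System32\cmd.exe|cmd.exe /c dir \\fileserver\share /s
1700000012|ws01|acme\jdoe|C:\Windows\System32\cmd.exe|cmd.exe /c dir C:\Users\jdoe\Desktop
1700000015|ws01|acme\jdoe|C:\Windows\System32\cmd.exe|cmd.exe /c dir C:\ProgramData
1700000020|srv02|root|/usr/bin/find|find / -name '*.pem' -type f
1700000100|srv02|backup|/usr/bin/rsync|rsync -a /srv /backup
1700000300|srv02|root|/usr/bin/locate|locate id_rsa
"""

if __name__ == "__main__":
    hits, mass = detect(SAMPLE_LOG)
    for ev in hits:
        print(f"T1083 {ev.host} {ev.user}: {ev.cmdline}")
    for host, ts in mass:
        print(f"MASS RECON on {host} at {ts}")
```

The per-event stage is deliberately narrow (image basename or cmd.exe built-in token) so that `findstr` or a command line that merely contains the substring "dir" does not fire; the mass-recon stage is where noisy-but-legitimate single events are separated from a burst, which is why the two are kept as distinct functions and distinct alerts.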