T1083: File and Directory Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. Custom tools may also be used to gather file and directory information and interact with the Native API. Adversaries may also leverage a Network Device CLI on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).
Some files and directories may require elevated or specific user permissions to access.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
clickhouse: PT-CR-1565: ClickHouse_Backup_directory_discovery: An attempt to obtain the location of DBMS object backup copies is detected
clickhouse: PT-CR-1564: ClickHouse_Users_Directory_Discovery: An attempt to obtain the location of DBMS user files is detected
microsoft_exchange: PT-CR-2503: Exchange_NTLM_Scan: Scanning of NTLM directories
dnsmasq: PT-CR-2149: Dnsmasq_TFTP_File_Recon: Multiple failed attempts to access a file via TFTP
mysql_database: PT-CR-613: MySQL_Structure_Discovery: Execution of certain SQL commands that reconnoiter the internal structure of the MySQL database, which may indicate attacker activity
mssql_database: PT-CR-416: MSSQL_File_System_Discovery: An attempt to obtain file system information through the database
mssql_database: PT-CR-556: MSSQL_Backup_Location_Discovery: An attempt to obtain the database backup locations
postgresql_database: PT-CR-1829: PostgreSQL_Structure_Discovery: Execution of certain SQL commands that reconnoiter the internal structure of the PostgreSQL database, which may indicate attacker activity
mitre_attck_discovery: PT-CR-2117: Windows_Mass_Recon: Large number of reconnaissance-related actions on a host
mitre_attck_discovery: PT-CR-322: File_Directory_Discovery: An attempt to retrieve a list of existing system files and folders is detected
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0017 | Command: Command Execution | Monitor executed commands and arguments that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users. |
| DS0009 | Process: Process Creation | Monitor newly executed processes that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. |
| DS0009 | Process: OS API Execution | Monitor for API calls that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. |
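The following is an added example, not code from the page or from the MaxPatrol SIEM rules it lists, showing what the Command Execution / Process Creation detections above look like when run over process-creation records. It flags the utilities named in the technique description (dir, tree, ls, find, locate, plus the PowerShell Get-ChildItem/gci equivalents and a network-device show flash) and raises a second, per-host alert when several such commands cluster, in the spirit of the File_Directory_Discovery and Windows_Mass_Recon rules. The log line format, field names, rule names and the threshold of three commands are assumptions; the sample records are constructed for the example.

```python
"""Toy T1083 detector over process-creation log lines (added example, not the vendor's rule logic)."""
import re
from collections import Counter

# Utilities named on the page (plus their PowerShell equivalents) whose execution
# enumerates files and directories. Assumed list; extend for your environment.
DISCOVERY_TOOLS = {"dir", "tree", "ls", "find", "locate", "get-childitem", "gci"}
# Interpreters that run a command given on their own command line.
SHELL_WRAPPERS = {"cmd", "powershell", "pwsh", "sh", "bash"}

# Assumed record layout, loosely modelled on Sysmon Event ID 1 / Windows 4688 fields.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"$'
)

# Constructed sample records for the example (not real telemetry).
SAMPLE_LOG = [
    r'2024-05-01T10:00:01Z host=WS01 user=alice image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c dir /s /b C:\Users\*.kdbx"',
    r'2024-05-01T10:00:02Z host=WS01 user=alice image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -nop -c Get-ChildItem -Recurse C:\Users -Include *.docx"',
    r'2024-05-01T10:00:03Z host=WS01 user=alice image=C:\Windows\System32\tree.com cmdline="tree C:\ /f"',
    r'2024-05-01T10:00:04Z host=WS01 user=bob image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c mkdir C:\build\dir"',
    r'2024-05-01T10:00:05Z host=WS02 user=svc image=C:\Windows\System32\svchost.exe cmdline="svchost.exe -k netsvcs"',
    r'2024-05-01T10:00:06Z host=SRV02 user=www-data image=/usr/bin/find cmdline="/usr/bin/find / -name *.pem -readable"',
    r'2024-05-01T10:00:07Z host=RTR01 user=admin image=cli cmdline="show flash:"',
]


def basename(token):
    """Strip quotes, directory components and a trailing .exe/.com from a command token."""
    name = token.strip("\"'").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return re.sub(r"\.(exe|com)$", "", name)


def effective_command(cmdline):
    """Return the tool a command line actually invokes.

    For cmd.exe the real command is the token after /c or /k. For PowerShell and
    POSIX shells every token is considered, because the cmdlet or binary follows
    -c/-Command. For anything else only the program itself counts, so a path
    component such as C:\build\dir is never mistaken for the dir builtin.
    """
    tokens = cmdline.split()
    if not tokens:
        return None
    prog = basename(tokens[0])
    if prog == "cmd":
        for i, tok in enumerate(tokens[1:-1], start=1):
            if tok.lower() in ("/c", "/k"):
                return basename(tokens[i + 1])
        return prog
    if prog in SHELL_WRAPPERS:
        for tok in tokens[1:]:
            if basename(tok) in DISCOVERY_TOOLS:
                return basename(tok)
        return prog
    return prog


def is_discovery(cmdline):
    """True if the command line enumerates files/directories on a host or a network device."""
    if effective_command(cmdline) in DISCOVERY_TOOLS:
        return True
    # Network device CLI (AAA command accounting): listing flash contents.
    return bool(re.search(r"\bshow\s+flash\b", cmdline, re.I))


def detect(lines, mass_threshold=3):
    """Run both rules over raw log lines; returns (rule, host, user, detail) tuples."""
    alerts = []
    per_host = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a process-creation record; skip rather than crash
        rec = m.groupdict()
        if is_discovery(rec["cmdline"]):
            per_host[rec["host"]] += 1
            alerts.append(("File_Directory_Discovery", rec["host"], rec["user"], rec["cmdline"]))
    # Second-stage rule: many discovery commands on one host in the window.
    for host, n in per_host.items():
        if n >= mass_threshold:
            alerts.append(("Mass_Recon", host, None, f"{n} discovery commands"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two details matter in practice. Matching on the effective command rather than on substrings keeps `mkdir C:\build\dir` and `findstr` from firing, which a naive `dir`/`find` keyword rule would; and because `dir` is a cmd.exe builtin that never appears as its own process, a Process Creation data source alone misses it and the command line of the parent shell (Command Execution) has to be inspected, as the table above notes.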