Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.Many command shell utilities can be used to obtain this information. Examples include
dir,tree,ls,find, andlocate. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Native API.
Find or discover files on the file system. Upon execution, the file "download" will be placed in the temporary folder and contain the output of all of the data discovery commands.
Supported Platforms: Windows
auto_generated_guid: 0e36303b-6762-4500-b003-127743b80ba6
dir /s c:\ >> %temp%\download
dir /s "c:\Documents and Settings" >> %temp%\download
dir /s "c:\Program Files\" >> %temp%\download
dir "%systemdrive%\Users\*.*" >> %temp%\download
dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> %temp%\download
dir "%userprofile%\Desktop\*.*" >> %temp%\download
tree /F >> %temp%\downloadFind or discover files on the file system. Upon execution, file and folder information will be displayed.
Supported Platforms: Windows
auto_generated_guid: 2158908e-b7ef-4c21-8a83-3ce4dd05a924
ls -recurse
get-childitem -recurse
gci -recurseFind or discover files on the file system
References:
http://osxdaily.com/2013/01/29/list-all-files-subdirectory-contents-recursively/
https://perishablepress.com/list-files-folders-recursively-terminal/
Supported Platforms: macOS, Linux
auto_generated_guid: ffc8b249-372a-4b74-adcd-e4c0430842de
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Output file used to store the results. | path | /tmp/T1083.txt |
ls -a >> #{output_file}
if [ -d /Library/Preferences/ ]; then ls -la /Library/Preferences/ > #{output_file}; fi;
file */* *>> #{output_file}
cat #{output_file} 2>/dev/null
find . -type f
ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
locate *
which shrm #{output_file}Find or discover files on the file system
Supported Platforms: macOS, Linux
auto_generated_guid: 13c5e1ae-605b-46c4-a79f-db28c77ff24e
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Output file used to store the results. | path | /tmp/T1083.txt |
cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > #{output_file}
if [ -f /etc/mtab ]; then cat /etc/mtab >> #{output_file}; fi;
find . -type f -iname *.pdf >> #{output_file}
cat #{output_file}
find . -type f -name ".*"rm #{output_file}