
T1083 - File and Directory Discovery

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Native API.

Atomic Tests


Atomic Test #1 - File and Directory Discovery (cmd.exe)

Find or discover files on the file system. Upon execution, the file "download" will be placed in the temporary folder and contain the output of all of the data discovery commands.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

```cmd
dir /s c:\ >> %temp%\download
dir /s "c:\Documents and Settings" >> %temp%\download
dir /s "c:\Program Files\" >> %temp%\download
dir "%systemdrive%\Users\*.*" >> %temp%\download
dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> %temp%\download
dir "%userprofile%\Desktop\*.*" >> %temp%\download
tree /F >> %temp%\download
```


Atomic Test #2 - File and Directory Discovery (PowerShell)

Find or discover files on the file system. Upon execution, file and folder information will be displayed.

Supported Platforms: Windows

Attack Commands: Run with powershell!

```powershell
ls -recurse
get-childitem -recurse
gci -recurse
```
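Seen from the defender's side, the two Windows tests above are ordinary shell commands, so a detection has to rest on their combination rather than on any one of them. The following is an added example, not part of Atomic Red Team or of this page: it scores constructed process-creation / script-block records (the field names time, user, session and text, the sample values, the indicator weights and the threshold are all assumptions made here) per logon session over a sliding window, so that several distinct enumeration indicators in quick succession raise an alert while a single recursive listing does not.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators drawn from the cmd.exe and PowerShell tests above, matched
# case-insensitively against a recorded command line or script block.
# (name, pattern, weight): a recursive listing weighs more than a single
# sensitive path or an output redirection, which are weak on their own.
INDICATORS = [
    ("dir_recursive",    re.compile(r"\bdir\b[^|&]*?\s/s\b", re.I), 2),
    ("tree_recursive",   re.compile(r"\btree\b[^|&]*?\s/f\b", re.I), 2),
    ("ps_recursive",     re.compile(r"\b(?:get-childitem|gci|ls)\b[^|&]*?\s-rec", re.I), 2),
    ("recent_items",     re.compile(r"\\Recent\\", re.I), 1),
    ("users_root",       re.compile(r"(?:%systemdrive%|[a-z]:)\\Users\\\*", re.I), 1),
    ("redirect_to_temp", re.compile(r">>?\s*%temp%", re.I), 1),
]

# Constructed sample records (not real telemetry). The shape is a generic
# process-creation / script-block event: time, user, logon session, command
# text. Session A replays part of Atomic Test #1, session C replays Test #2,
# session B is a build job doing one legitimate recursive listing.
SAMPLE_EVENTS = [
    {"time": "2024-05-01 10:00:01", "user": "CORP\\jdoe", "session": "A",
     "text": r'cmd.exe /c dir /s c:\ >> %temp%\download'},
    {"time": "2024-05-01 10:00:16", "user": "CORP\\jdoe", "session": "A",
     "text": r'cmd.exe /c dir "%systemdrive%\Users\*.*" >> %temp%\download'},
    {"time": "2024-05-01 10:00:31", "user": "CORP\\jdoe", "session": "A",
     "text": r'cmd.exe /c dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> %temp%\download'},
    {"time": "2024-05-01 10:01:02", "user": "CORP\\jdoe", "session": "A",
     "text": r'cmd.exe /c tree /F >> %temp%\download'},
    {"time": "2024-05-01 11:15:00", "user": "CORP\\build", "session": "B",
     "text": r'Get-ChildItem -Recurse C:\build\out -Filter *.dll'},
    {"time": "2024-05-01 12:00:00", "user": "CORP\\jdoe", "session": "C", "text": "ls -recurse"},
    {"time": "2024-05-01 12:00:05", "user": "CORP\\jdoe", "session": "C", "text": "get-childitem -recurse"},
    {"time": "2024-05-01 12:00:09", "user": "CORP\\jdoe", "session": "C", "text": "gci -recurse"},
]


def classify(text):
    """Names of the indicators that match one command line or script block."""
    return {name for name, pattern, _ in INDICATORS if pattern.search(text)}


def score_sessions(events, window_seconds=300, threshold=4):
    """Score each (user, session) over a sliding window and return the first alert per session.

    score = sum of the weights of the distinct indicators seen in the window
            + the number of additional matching commands in that window,
    so one repeated benign command scores low, while several different
    enumeration commands in quick succession cross the threshold.
    """
    hits_by_session = defaultdict(list)
    for ev in events:
        names = classify(ev["text"])
        if names:
            when = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
            hits_by_session[(ev["user"], ev["session"])].append((when, names))
    weights = {name: w for name, _, w in INDICATORS}
    alerts = []
    for (user, session), hits in hits_by_session.items():
        hits.sort(key=lambda h: h[0])
        for when, _ in hits:
            start = when - timedelta(seconds=window_seconds)
            in_window = [names for t, names in hits if start <= t <= when]
            seen = set().union(*in_window)
            score = sum(weights[n] for n in seen) + (len(in_window) - 1)
            if score >= threshold:
                alerts.append({"user": user, "session": session, "at": when.isoformat(),
                               "score": score, "indicators": sorted(seen)})
                break
    return alerts


if __name__ == "__main__":
    for alert in score_sessions(SAMPLE_EVENTS):
        print(alert)
```

Session A (Test #1) crosses the threshold on its second command, session C (Test #2) only on the third identical one, and the build job in session B never does. The bare recursive Get-ChildItem of Test #2 is indistinguishable from routine administration on its own; in practice the parent process, the working directory and the user's role decide whether such a burst merits triage, and the window and threshold are tuned against the environment's baseline.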


Atomic Test #3 - Nix File and Directory Discovery

Find or discover files on the file system

References:

http://osxdaily.com/2013/01/29/list-all-files-subdirectory-contents-recursively/

https://perishablepress.com/list-files-folders-recursively-terminal/

Supported Platforms: macOS, Linux

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file used to store the results. | path | /tmp/T1083.txt |

Attack Commands: Run with sh!

```sh
ls -a >> #{output_file}
# append here too, so the listing above is kept rather than overwritten
if [ -d /Library/Preferences/ ]; then ls -la /Library/Preferences/ >> #{output_file}; fi;
# identify the file types of everything one and two levels deep
file */* * >> #{output_file}
cat #{output_file} 2>/dev/null
find . -type f
# render the directory tree from the ':'-terminated headers of ls -R
ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/   /' -e 's/-/|/'
locate *
which sh
```

Cleanup Commands:

```sh
rm #{output_file}
```


Atomic Test #4 - Nix File and Directory Discovery 2

Find or discover files on the file system

Supported Platforms: macOS, Linux

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file used to store the results. | path | /tmp/T1083.txt |

Attack Commands: Run with sh!

```sh
cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > #{output_file}
if [ -f /etc/mtab ]; then cat /etc/mtab >> #{output_file}; fi;
# the pattern is quoted so the shell does not expand it before find sees it
find . -type f -iname '*.pdf' >> #{output_file}
cat #{output_file}
find . -type f -name ".*"
```

Cleanup Commands:

```sh
rm #{output_file}
```
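On Linux the sh commands of Tests #3 and #4 are visible to the defender as execve() calls. The following is an added example, not from Atomic Red Team or this page, that reconstructs argv from auditd SYSCALL/EXECVE record pairs (including auditd's hex encoding of arguments that contain spaces) and tallies the enumeration commands per login session. The audit.log excerpt, its serial numbers and the labels are constructed for the example; it assumes an audit rule on execve such as `-a always,exit -F arch=b64 -S execve -k exec` so that the records exist.

```python
import os
import re
from collections import Counter, defaultdict

# One audit record = "type=X msg=audit(secs.millis:serial): key=value ...".
# Records belonging to the same execve() share the serial, so a SYSCALL record
# (who ran it: uid, ses, ppid) pairs with an EXECVE record (the argv).
_HEADER = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\):")
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Return (type, serial, fields) for one audit.log line, or None if it is not an audit record."""
    m = _HEADER.match(line)
    if not m:
        return None
    return m.group(1), m.group(3), dict(_FIELD.findall(line[m.end():]))


def decode_arg(raw):
    """auditd writes an argument "quoted" when it is plain printable ASCII and as bare
    hex when it contains spaces, quotes or non-printable bytes; undo both forms."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw


def argv_from_execve(fields):
    """Rebuild argv from a0..a(argc-1) of an EXECVE record."""
    argc = int(fields.get("argc", "0"))
    return [decode_arg(fields[f"a{i}"]) for i in range(argc) if f"a{i}" in fields]


def correlate(lines):
    """Join SYSCALL and EXECVE records by serial; one dict per completed execve()."""
    by_serial = defaultdict(dict)
    for line in lines:
        parsed = parse_record(line)
        if parsed:
            rtype, serial, fields = parsed
            by_serial[serial][rtype] = fields
    events = []
    for serial, recs in by_serial.items():
        if "SYSCALL" in recs and "EXECVE" in recs:
            sc = recs["SYSCALL"]
            events.append({"serial": serial, "ses": sc.get("ses"), "uid": sc.get("uid"),
                           "ppid": sc.get("ppid"), "argv": argv_from_execve(recs["EXECVE"])})
    return events


def classify_argv(argv):
    """Label an argv that matches the enumeration commands of Tests #3 and #4, else None."""
    if not argv:
        return None
    cmd, args = os.path.basename(argv[0]), argv[1:]
    if cmd == "find" and {"-type", "-name", "-iname", "-print"} & set(args):
        return "find_enumeration"
    if cmd == "locate":
        return "locate"
    if cmd == "ls":
        short = "".join(a[1:] for a in args if a.startswith("-") and not a.startswith("--"))
        if "R" in short or "a" in short or "--recursive" in args or "--all" in args:
            return "ls_recursive_or_hidden"
    if cmd == "cat" and "/etc/mtab" in args:
        return "mount_table_read"
    return None


def discovery_by_session(lines):
    """{ses: Counter(label -> count)} for the execve() records that look like discovery."""
    summary = defaultdict(Counter)
    for ev in correlate(lines):
        label = classify_argv(ev["argv"])
        if label:
            summary[ev["ses"]][label] += 1
    return dict(summary)


# Constructed audit.log excerpt (not real telemetry). Session 7 replays the
# find / cat /etc/mtab / locate commands from the tests above; the second find
# has a hex-encoded argument, as auditd writes a path containing a space.
# Session 9 is an ordinary "ls -l".
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1714557601.123:4001): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2210 pid=2231 auid=1000 uid=1000 gid=1000 tty=pts0 ses=7 comm="find" exe="/usr/bin/find" key="exec"
type=EXECVE msg=audit(1714557601.123:4001): argc=6 a0="find" a1="." a2="-type" a3="f" a4="-iname" a5="*.pdf"
type=SYSCALL msg=audit(1714557602.456:4002): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2210 pid=2232 auid=1000 uid=1000 gid=1000 tty=pts0 ses=7 comm="find" exe="/usr/bin/find" key="exec"
type=EXECVE msg=audit(1714557602.456:4002): argc=6 a0="find" a1=2F686F6D652F6A646F652F4D7920446F6373 a2="-type" a3="f" a4="-name" a5=".*"
type=SYSCALL msg=audit(1714557603.789:4003): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2210 pid=2233 auid=1000 uid=1000 gid=1000 tty=pts0 ses=7 comm="cat" exe="/usr/bin/cat" key="exec"
type=EXECVE msg=audit(1714557603.789:4003): argc=2 a0="cat" a1="/etc/mtab"
type=SYSCALL msg=audit(1714557604.012:4004): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2210 pid=2234 auid=1000 uid=1000 gid=1000 tty=pts0 ses=7 comm="locate" exe="/usr/bin/locate" key="exec"
type=EXECVE msg=audit(1714557604.012:4004): argc=2 a0="locate" a1="*"
type=SYSCALL msg=audit(1714557700.000:4005): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=3300 pid=3310 auid=1001 uid=1001 gid=1001 tty=pts1 ses=9 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1714557700.000:4005): argc=3 a0="ls" a1="-l" a2="/var/log"
"""

if __name__ == "__main__":
    for ses, counts in discovery_by_session(SAMPLE_AUDIT_LOG.splitlines()).items():
        print(ses, dict(counts))
```

The `>> #{output_file}` redirections never reach execve(), since the shell performs them, which is why the rules key on argv alone; `locate` and `cat /etc/mtab` are weak signals individually and are counted only so that a session can be judged on its whole burst, as with the Windows example.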