Description
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Native API. Adversaries may also leverage a Network Device CLI on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).(Citation: US-CERT-TA18-106A)
Some files and directories may require elevated or specific user permissions to access.
Platforms
Threat Groups (51)
| ID | Group | Context |
|---|---|---|
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has enumerated directories containing vulnerability testing and cyber related content and facili... |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has conducted key word searches within files and directories on a compromised hosts to i... |
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has used `vmtoolsd.exe` to enumerate files on guest machines.(Citation: Google Cloud Threat Intellig... |
| G0040 | Patchwork | A [Patchwork](https://attack.mitre.org/groups/G0040) payload has searched all fixed drives on the victim for files matching a specified list of extens... |
| G0054 | Sowbug | [Sowbug](https://attack.mitre.org/groups/G0054) identified and extracted all Word documents on a server by using a command containing * .doc and *.doc... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) macros can scan for Microsoft Word and Excel files to inject with additional malicious macros... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has searched for files within the victim environment for encryption and exfiltration.(Citation: ... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has used a batch script to gather folder and file names from victim hosts.(Citation: US-CERT TA18-0... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) have enumerated files and directories, or searched in specific locations within a compromised host.(Cit... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used [Forfiles](https://attack.mitre.org/software/S0193) to locate PDF, Excel, and Word documents d... |
| G0100 | Inception | [Inception](https://attack.mitre.org/groups/G0100) used a file listing plugin to collect information about file and directories both on local and remo... |
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has run commands to check the content of folders on compromised hosts and has specifically targete... |
| G1039 | RedCurl | [RedCurl](https://attack.mitre.org/groups/G1039) has searched for and collected files on local and network drives.(Citation: therecord_redcurl)(Citati... |
| G1047 | Velvet Ant | [Velvet Ant](https://attack.mitre.org/groups/G1047) has enumerated local files and folders on victim devices.(Citation: Sygnia VelvetAnt 2024A) |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has utilized multiple commands to identify data of interest in file and directory listings.(Citation:... |
| G0018 | admin@338 | [admin@338](https://attack.mitre.org/groups/G0018) actors used the following commands after exploiting a machine with [LOWBALL](https://attack.mitre.o... |
| G0004 | Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) uses command-line interaction to search files and directories.(Citation: Mandiant Operation Ke3chang... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has enumerated files on a compromised host.(Citation: US District Court Indictment GRU Unit 744... |
| G0121 | Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has used malware to collect information on files and directories.(Citation: ATT Sidewinder January... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) Spider enumerates a target organization for files and directories of interest, including sou... |
Associated Software (305)
| ID | Name | Type | Context |
|---|---|---|---|
| S0069 | BLACKCOFFEE | Malware | [BLACKCOFFEE](https://attack.mitre.org/software/S0069) has the capability to enumerate files.(Citation: FireEye APT17) |
| S0229 | Orz | Malware | [Orz](https://attack.mitre.org/software/S0229) can gather victim drive information.(Citation: Proofpoint Leviathan Oct 2017) |
| S0438 | Attor | Malware | [Attor](https://attack.mitre.org/software/S0438) has a plugin that enumerates files with specific extensions on all hard disk drives and stores file i... |
| S0136 | USBStealer | Malware | [USBStealer](https://attack.mitre.org/software/S0136) searches victim drives for files matching certain extensions (“.skr”,“.pkr” or “.key”) or names.... |
| S0461 | SDBbot | Malware | [SDBbot](https://attack.mitre.org/software/S0461) has the ability to get directory listings or drive information on a compromised host.(Citation: Proo... |
| S0599 | Kinsing | Malware | [Kinsing](https://attack.mitre.org/software/S0599) has used the find command to search for specific files.(Citation: Aqua Kinsing April 2020) |
| S1025 | Amadey | Malware | [Amadey](https://attack.mitre.org/software/S1025) has searched for folders associated with antivirus software.(Citation: Korean FSI TA505 2020) |
| S1065 | Woody RAT | Malware | [Woody RAT](https://attack.mitre.org/software/S1065) can list all files and their associated attributes, including filename, type, owner, creation tim... |
| S0013 | PlugX | Malware | [PlugX](https://attack.mitre.org/software/S0013) has a module to enumerate drives and find files recursively.(Citation: Eset PlugX Korplug Mustang Pan... |
| S1129 | Akira | Malware | [Akira](https://attack.mitre.org/software/S1129) examines files prior to encryption to determine if they meet requirements for encryption and can be e... |
| S0180 | Volgmer | Malware | [Volgmer](https://attack.mitre.org/software/S0180) can list directories on a victim.(Citation: US-CERT Volgmer Nov 2017) |
| S9031 | AshTag | Malware | The [AshTag](https://attack.mitre.org/software/S9031) AshenOrchestrator component can enumerate files on victim hosts.(Citation: Palo Alto Ashen Lepus... |
| S0598 | P.A.S. Webshell | Malware | [P.A.S. Webshell](https://attack.mitre.org/software/S0598) has the ability to list files and file characteristics including extension, size, ownership... |
| S0534 | Bazar | Malware | [Bazar](https://attack.mitre.org/software/S0534) can enumerate the victim's desktop.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 J... |
| S0115 | Crimson | Malware | [Crimson](https://attack.mitre.org/software/S0115) contains commands to list files and directories, as well as search for files matching certain exten... |
| S0242 | SynAck | Malware | [SynAck](https://attack.mitre.org/software/S0242) checks its directory location in an attempt to avoid launching in a sandbox.(Citation: SecureList Sy... |
| S0248 | yty | Malware | [yty](https://attack.mitre.org/software/S0248) gathers information on victim’s drives and has a plugin for document listing.(Citation: ASERT Donot Mar... |
| S0586 | TAINTEDSCRIBE | Malware | [TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) can use <code>DirectoryList</code> to enumerate files in a specified directory.(Citation: CIS... |
| S0064 | ELMER | Malware | [ELMER](https://attack.mitre.org/software/S0064) is capable of performing directory listings.(Citation: FireEye EPS Awakens Part 2) |
| S1042 | SUGARDUMP | Malware | [SUGARDUMP](https://attack.mitre.org/software/S1042) can search for and collect data from specific Chrome, Opera, Microsoft Edge, and Firefox files, i... |
References
- Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
- US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
Frequently Asked Questions
What is T1083 (File and Directory Discovery)?
T1083 is a MITRE ATT&CK technique named 'File and Directory Discovery'. It belongs to the Discovery tactic(s). Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [F...
How can T1083 be detected?
Detection of T1083 (File and Directory Discovery) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1083?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1083?
Known threat groups using T1083 include: Volt Typhoon, Contagious Interview, UNC3886, Patchwork, Sowbug, Gamaredon Group, Medusa Group, Dragonfly.