File and Directory Discovery

Information

• Name: File and Directory Discovery

• ID: T1083

• Tactics: TA0007

Introduction

File and Directory Discovery is categorized under the MITRE ATT&CK framework as technique T1083. It involves adversaries systematically exploring the file system and directory structures of compromised hosts to identify valuable data, sensitive information, or system configurations. Attackers commonly execute this technique to map out the environment, locate critical files, and plan further stages of their intrusion, such as data exfiltration or lateral movement.

Deep Dive Into Technique

File and Directory Discovery typically involves built-in operating system commands, third-party utilities, or custom scripts to enumerate files, directories, and their attributes. Attackers leverage various methods to achieve this:

• Native Operating System Commands:

  • Windows:

    • dir: Lists files and directories in the current or specified directory.

    • tree: Displays directory structure in a hierarchical format.

    • Get-ChildItem: PowerShell cmdlet used for recursive file system enumeration.

  • Linux/Unix:

    • ls: Lists files and directories along with their attributes.

    • find: Enables advanced searches based on file attributes, names, and modification times.

    • locate: Quickly finds files based on indexed database.

    • tree: Similar to Windows, shows directory hierarchy visually.

• Scripting and Automation:

  • Attackers use scripts (e.g., PowerShell, Bash, Python) to automate enumeration, recursively scan directories, and identify files matching specific patterns or extensions.

  • Custom scripts may also parse file contents or metadata to identify sensitive or valuable information.

• Third-party Tools and Utilities:

  • Attackers may deploy specialized enumeration utilities like Sysinternals Suite (Windows), WinDirStat, or custom enumeration binaries.

  • Tools such as BloodHound or SharpHound may also indirectly leverage file and directory enumeration to map out domain environments.

• Mechanisms and Procedures:

  • Attackers often search for specific file types such as configuration files (*.xml, *.ini, *.conf), documents (*.docx, *.pdf, *.xlsx), credentials (*.key, *.pem, *.pfx), or backups (*.bak, *.zip, *.tar).

  • Enumeration may be targeted, focusing on directories known to contain sensitive data (e.g., user profiles, SSH keys, databases, web server directories).

When this Technique is Usually Used

File and Directory Discovery is commonly employed by adversaries at multiple stages of the attack lifecycle:

• Initial Reconnaissance:

  • After initial compromise, attackers enumerate file systems to understand the environment structure, identify user accounts, and locate sensitive files.

• Privilege Escalation:

  • Attackers search directories for configuration files, scripts, and binaries with insecure permissions or credentials that could be exploited for privilege escalation.

• Credential Access:

  • Attackers enumerate directories to locate stored credentials, SSH keys, password files, or application configuration files containing sensitive data.

• Discovery Stage:

  • Attackers comprehensively map out the file system to identify valuable data and plan subsequent actions such as data exfiltration.

• Lateral Movement:

  • Attackers search for configuration files or scripts containing credentials or network information to facilitate lateral movement to other hosts.

• Exfiltration Stage:

  • Attackers identify and catalog targeted data files for exfiltration.

How this Technique is Usually Detected

Detection of File and Directory Discovery involves monitoring and analyzing system activities, file access patterns, and command execution behaviors:

• Command-line and Process Monitoring:

  • Monitor execution of file enumeration commands (dir, ls, find, tree, Get-ChildItem) with unusual frequency, depth, or parameters.

  • Analyze command-line arguments for suspicious patterns such as recursive searches, searches for sensitive file extensions, or enumeration of protected directories.

• File System Auditing and Logging:

  • Enable audit logging for file and directory access events on critical systems.

  • Monitor and alert on unusual access patterns, particularly large-scale enumeration or repeated access attempts to sensitive directories.

• Endpoint Detection and Response (EDR) Tools:

  • Deploy EDR solutions capable of detecting anomalous file system enumeration activities.

  • Utilize behavioral analysis to flag processes or scripts performing extensive file system scanning.

• SIEM and Log Analysis:

  • Aggregate logs from endpoints and servers into a Security Information and Event Management (SIEM) platform.

  • Create rules or use analytics to detect anomalous file enumeration patterns or excessive file access events.

• Indicators of Compromise (IoCs):

  • Unusual command-line arguments (e.g., find / -name "*.pem", Get-ChildItem -Recurse -Include *.key).

  • Frequent or recursive enumeration of sensitive directories (/etc, /home, %USERPROFILE%\Documents, %APPDATA%).

  • Presence of known enumeration scripts or binaries (e.g., custom enumeration scripts, Sysinternals tools like AccessChk.exe, PsFile.exe).

Why it is Important to Detect This Technique

Early detection of File and Directory Discovery is critical due to several potential impacts:

• Data Exfiltration:

  • Attackers enumerate files to identify sensitive or valuable data, leading directly to data theft and potential breaches of confidentiality.

• Credential Theft:

  • Enumeration activities can uncover stored credentials, keys, or configuration files, enabling attackers to escalate privileges or move laterally within the network.

• Privilege Escalation:

  • Attackers may exploit insecure file permissions or sensitive configuration files discovered through enumeration to gain elevated privileges.

• Attack Preparation and Persistence:

  • File enumeration provides attackers with detailed knowledge of the environment, enabling them to maintain persistence, avoid detection, and effectively plan subsequent attacks.

• Compliance and Regulatory Risks:

  • Undetected enumeration activities increase risks of regulatory non-compliance, data privacy violations, and subsequent legal or reputational damage.

Prompt detection and response can significantly reduce the attacker’s window of opportunity, limiting potential damage and preventing further compromise.

Examples

Real-world examples demonstrating File and Directory Discovery:

• APT29 (Cozy Bear):

  • Utilized PowerShell commands (Get-ChildItem) extensively to recursively enumerate files and directories, searching for sensitive documents, credentials, and configuration files during intrusion campaigns.

• FIN7:

  • Employed custom scripts and native Windows commands (dir, tree) to identify point-of-sale (POS) systems and enumerate directories containing payment card data before exfiltration.

• Carbanak Group:

  • Conducted extensive file enumeration using built-in Windows commands and scripting to locate banking software configuration files and credentials, enabling fraudulent transactions and large-scale financial theft.

• Ransomware Attacks (Ryuk, Conti, LockBit):

  • Attackers routinely perform file enumeration using automated scripts to identify critical business files for encryption and exfiltration, increasing ransom leverage and pressure on victim organizations.

• Operation Cloud Hopper (APT10):

  • Attackers used Linux commands (find, ls) to systematically search for files containing intellectual property, sensitive client data, and confidential business information across compromised managed service providers (MSPs).

These examples highlight the frequency, versatility, and critical impact of File and Directory Discovery across diverse threat actor groups and attack scenarios.