T1083
File and Directory Discovery
Description from ATT&CK
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Native API. Adversaries may also leverage a Network Device CLI on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).(Citation: US-CERT-TA18-106A)
Some files and directories may require elevated or specific user permissions to access.
Tests
Test #1 - Copy files from desktop
FileGrabber grabs files from desktop and copies them to a temporary folder
Input Arguments:
| Argument | Type | Default Value |
|---|---|---|
| destinationPath | str | /tmp/FileGrabber |
```applescript
-- Staging folder for the copied files (the destinationPath argument)
set fileGrabberFolderPath to "/tmp/FileGrabber"
-- File extensions the test looks for
set extensionsList to {"txt", "docx", "rtf", "doc", "wallet", "keys", "key", "env", "md", "kdbx"}
try
    set desktopFiles to every file of desktop
    repeat with aFile in desktopFiles
        try
            set fileExtension to name extension of aFile
            if fileExtension is in extensionsList then
                set fileSize to size of aFile
                -- Only copy files smaller than 51200 bytes
                if fileSize < 51200 then
                    set destinationFolder to (POSIX file fileGrabberFolderPath) as alias
                    duplicate aFile to destinationFolder with replacing
                end if
            end if
        end try
    end repeat
end try
```
Test #2 - List files and directories in Macintosh HD
Enumerate files and directories in the root filesystem using Finder application via AppleScript
⚠️ TCC Required
Input Arguments:
| Argument | Type | Default Value |
|---|---|---|
| folderName | str | / |
```applescript
tell application "Finder" to get name of every item of folder POSIX file "/"
```
Test #3 - List files and directories in root directory
Perform directory listing of root filesystem using AppleScript list folder command
Input Arguments:
| Argument | Type | Default Value |
|---|---|---|
| folderName | str | / |
```applescript
list folder "/"
```
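A detection-side view of Test #1, as an added example that is not part of the original page or the project's code: it scans file-copy telemetry for one process copying several files with the test's extensions from a user's Desktop into a temporary folder. The event schema, the sample events, `MIN_FILES` and `WINDOW_SECONDS` are assumptions made for illustration.

```python
import json
from collections import defaultdict
from pathlib import PurePosixPath

# Extensions copied by the Test #1 script on this page.
WATCHED_EXT = {"txt", "docx", "rtf", "doc", "wallet", "keys", "key", "env", "md", "kdbx"}
# /tmp is a symlink to /private/tmp on macOS, so telemetry may report either form.
TEMP_ROOTS = ("/tmp/", "/private/tmp/", "/var/folders/")
MIN_FILES = 3        # assumed threshold: matching copies per process and folder
WINDOW_SECONDS = 60  # assumed burst window

# Constructed sample telemetry (hypothetical schema: one JSON object per file copy).
SAMPLE_EVENTS = """
{"ts": 100, "proc": "osascript", "pid": 4242, "src": "/Users/alice/Desktop/notes.txt", "dst": "/tmp/FileGrabber/notes.txt"}
{"ts": 101, "proc": "osascript", "pid": 4242, "src": "/Users/alice/Desktop/seed.wallet", "dst": "/tmp/FileGrabber/seed.wallet"}
{"ts": 102, "proc": "osascript", "pid": 4242, "src": "/Users/alice/Desktop/prod.env", "dst": "/tmp/FileGrabber/prod.env"}
{"ts": 200, "proc": "Finder", "pid": 310, "src": "/Users/alice/Desktop/report.docx", "dst": "/Users/alice/Documents/report.docx"}
{"ts": 500, "proc": "cp", "pid": 777, "src": "/Users/alice/Desktop/todo.md", "dst": "/tmp/scratch/todo.md"}
"""

def is_staging_copy(ev):
    """True for a watched-extension file copied from a user's Desktop into a temp root."""
    src = PurePosixPath(ev["src"])
    from_desktop = len(src.parts) > 4 and src.parts[1] == "Users" and src.parts[3] == "Desktop"
    return (from_desktop and ev["dst"].startswith(TEMP_ROOTS)
            and src.suffix.lstrip(".").lower() in WATCHED_EXT)

def find_staging(lines):
    """Return one alert per (process, pid, destination folder) with a burst of copies."""
    groups = defaultdict(list)
    for line in lines.strip().splitlines():
        ev = json.loads(line)
        if is_staging_copy(ev):
            key = (ev["proc"], ev["pid"], str(PurePosixPath(ev["dst"]).parent))
            groups[key].append(ev)
    alerts = []
    for (proc, pid, folder), evs in sorted(groups.items()):
        evs.sort(key=lambda e: e["ts"])
        # Slide over the sorted events looking for MIN_FILES copies inside the window.
        for i in range(len(evs) - MIN_FILES + 1):
            burst = evs[i:i + MIN_FILES]
            if burst[-1]["ts"] - burst[0]["ts"] <= WINDOW_SECONDS:
                alerts.append({"proc": proc, "pid": pid, "folder": folder,
                               "files": sorted({e["src"] for e in evs})})
                break
    return alerts

if __name__ == "__main__":
    print(find_staging(SAMPLE_EVENTS))
```

The single Finder copy into Documents and the lone `cp` into `/tmp/scratch` stay below the threshold, so only the `osascript` burst is reported.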