File and Directory Discovery (T1083)
Tactic: Discovery · Platforms: ESXi, Linux, macOS, Network Devices, Windows
The interactive view maps 1 detection strategy, 51 threat groups, 305 software entries, 13 campaigns to this technique, alongside D3FEND countermeasures and data-component coverage.
Overview
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. Custom tools may also be used to gather file and directory information and interact with the Native API. Adversaries may also leverage a Network Device CLI on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).
Some files and directories may require elevated or specific user permissions to access.