atomic-red-team/atomics/T1083/T1083.md

# T1083 - File and Directory Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1083)
<blockquote>

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Many command shell utilities can be used to obtain this information. Examples include <code>dir</code>, <code>tree</code>, <code>ls</code>, <code>find</code>, and <code>locate</code>.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. <code>dir</code>, <code>show flash</code>, and/or <code>nvram</code>).(Citation: US-CERT-TA18-106A)

Some files and directories may require elevated or specific user permissions to access.

</blockquote>

## Atomic Tests

- [Atomic Test #1 - File and Directory Discovery (cmd.exe)](#atomic-test-1---file-and-directory-discovery-cmdexe)

- [Atomic Test #2 - File and Directory Discovery (PowerShell)](#atomic-test-2---file-and-directory-discovery-powershell)

- [Atomic Test #3 - Nix File and Directory Discovery](#atomic-test-3---nix-file-and-directory-discovery)

- [Atomic Test #4 - Nix File and Directory Discovery 2](#atomic-test-4---nix-file-and-directory-discovery-2)

- [Atomic Test #5 - Simulating MAZE Directory Enumeration](#atomic-test-5---simulating-maze-directory-enumeration)

- [Atomic Test #6 - Launch DirLister Executable](#atomic-test-6---launch-dirlister-executable)

- [Atomic Test #7 - ESXi - Enumerate VMDKs available on an ESXi Host](#atomic-test-7---esxi---enumerate-vmdks-available-on-an-esxi-host)

- [Atomic Test #8 - Identifying Network Shares - Linux](#atomic-test-8---identifying-network-shares---linux)

- [Atomic Test #9 - Recursive Enumerate Files And Directories By Powershell](#atomic-test-9---recursive-enumerate-files-and-directories-by-powershell)


<br/>

## Atomic Test #1 - File and Directory Discovery (cmd.exe)
Find or discover files on the file system.  Upon successful execution, this test will output the results of all the data discovery commands to a specified file.

**Supported Platforms:** Windows


**auto_generated_guid:** 0e36303b-6762-4500-b003-127743b80ba6





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | File to output results to | string | %temp%&#92;T1083Test1.txt|


#### Attack Commands: Run with `command_prompt`! 


```cmd
dir /s c:\ >> #{output_file}
dir /s "c:\Documents and Settings" >> #{output_file}
dir /s "c:\Program Files\" >> #{output_file}
dir "%systemdrive%\Users\*.*" >> #{output_file}
dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> #{output_file}
dir "%userprofile%\Desktop\*.*" >> #{output_file}
tree /F >> #{output_file}
```

#### Cleanup Commands:
```cmd
del #{output_file}
```





<br/>
<br/>

## Atomic Test #2 - File and Directory Discovery (PowerShell)
Find or discover files on the file system. Upon execution, file and folder information will be displayed.

**Supported Platforms:** Windows


**auto_generated_guid:** 2158908e-b7ef-4c21-8a83-3ce4dd05a924






#### Attack Commands: Run with `powershell`! 


```powershell
ls -recurse
get-childitem -recurse
gci -recurse
```






<br/>
<br/>

## Atomic Test #3 - Nix File and Directory Discovery
Find or discover files on the file system

References:

http://osxdaily.com/2013/01/29/list-all-files-subdirectory-contents-recursively/

https://perishablepress.com/list-files-folders-recursively-terminal/

**Supported Platforms:** Linux, macOS


**auto_generated_guid:** ffc8b249-372a-4b74-adcd-e4c0430842de





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file used to store the results. | path | /tmp/T1083.txt|


#### Attack Commands: Run with `sh`! 


```sh
ls -a >> #{output_file}
if [ -d /Library/Preferences/ ]; then ls -la /Library/Preferences/ > #{output_file}; fi;
file */* *>> #{output_file}
cat #{output_file} 2>/dev/null
find . -type f
ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
locate *
which sh
```

#### Cleanup Commands:
```sh
rm #{output_file}
```





<br/>
<br/>

## Atomic Test #4 - Nix File and Directory Discovery 2
Find or discover files on the file system

**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 13c5e1ae-605b-46c4-a79f-db28c77ff24e





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file used to store the results. | path | /tmp/T1083.txt|


#### Attack Commands: Run with `sh`! 


```sh
cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > #{output_file}
if [ -f /etc/mtab ]; then cat /etc/mtab >> #{output_file}; fi;
find . -type f -iname *.pdf >> #{output_file}
cat #{output_file}
find . -type f -name ".*"
```

#### Cleanup Commands:
```sh
rm #{output_file}
```





<br/>
<br/>

## Atomic Test #5 - Simulating MAZE Directory Enumeration
This test emulates MAZE ransomware's ability to enumerate directories using Powershell.
Upon successful execution, this test will output the directory enumeration results to a specified file, as well as display them in the active window.
See https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents

**Supported Platforms:** Windows


**auto_generated_guid:** c6c34f61-1c3e-40fb-8a58-d017d88286d8





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| File_to_output | File to output results to | string | $env:temp&#92;T1083Test5.txt|


#### Attack Commands: Run with `powershell`! 


```powershell
$folderarray = @("Desktop", "Downloads", "Documents", "AppData/Local", "AppData/Roaming")
Get-ChildItem -Path $env:homedrive -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}
Get-ChildItem -Path $env:programfiles -erroraction silentlycontinue | Out-File -append #{File_to_output}
Get-ChildItem -Path "${env:ProgramFiles(x86)}" -erroraction silentlycontinue | Out-File -append #{File_to_output}
$UsersFolder = "$env:homedrive\Users\"
foreach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue)
{
foreach ($secondarydirectory in $folderarray)
 {Get-ChildItem -Path "$UsersFolder/$directory/$secondarydirectory" -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}}
}
cat #{File_to_output}
```

#### Cleanup Commands:
```powershell
remove-item #{File_to_output} -ErrorAction SilentlyContinue
```





<br/>
<br/>

## Atomic Test #6 - Launch DirLister Executable
Launches the DirLister executable for a short period of time and then exits.

Recently seen used by [BlackCat ransomware](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/) to create a list of accessible directories and files.

**Supported Platforms:** Windows


**auto_generated_guid:** c5bec457-43c9-4a18-9a24-fe151d8971b7





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dirlister_path | Path to the DirLister executable | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;DirLister.exe|


#### Attack Commands: Run with `powershell`! 


```powershell
Start-Process "#{dirlister_path}"
Start-Sleep -Second 4
Stop-Process -Name "DirLister"
```




#### Dependencies:  Run with `powershell`!
##### Description: DirLister.exe must exist in the specified path #{dirlister_path}
##### Check Prereq Commands:
```powershell
if (Test-Path "#{dirlister_path}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
$parentpath = Split-Path "#{dirlister_path}"
New-Item -ItemType Directory -Force -Path $parentpath | Out-Null
Invoke-WebRequest https://github.com/SanderSade/DirLister/releases/download/v2.beta4/DirLister.v2.beta4.zip -OutFile "PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4.zip"
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4" -Force
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4\*" "$parentpath" -Recurse
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4.zip","PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4" -Recurse -ErrorAction Ignore
```




<br/>
<br/>

## Atomic Test #7 - ESXi - Enumerate VMDKs available on an ESXi Host
An adversary uses the find command to enumerate vmdks on an ESXi host.
[Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)

**Supported Platforms:** Windows


**auto_generated_guid:** 4a233a40-caf7-4cf1-890a-c6331bbc72cf





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
| vm_user | Specify the privilege user account on ESXi Server | string | root|
| vm_pass | Specify the privilege user password on ESXi Server | string | pass|
| plink_file | Path to Plink | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
| cli_script | Path to script with file discovery commands | path | PathToAtomicsFolder&#92;T1083&#92;src&#92;esxi_file_discovery.txt|


#### Attack Commands: Run with `command_prompt`! 


```cmd
echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
```




#### Dependencies:  Run with `powershell`!
##### Description: Check if plink is available.
##### Check Prereq Commands:
```powershell
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
```




<br/>
<br/>

## Atomic Test #8 - Identifying Network Shares - Linux
If the system uses network file systems (e.g., NFS, CIFS), findmnt can help locate paths to remote shares.
Attackers may then attempt to access these shares for lateral movement or data exfiltration.

**Supported Platforms:** Linux


**auto_generated_guid:** 361fe49d-0c19-46ec-a483-ccb92d38e88e






#### Attack Commands: Run with `sh`! 


```sh
findmnt -t nfs
```






<br/>
<br/>

## Atomic Test #9 - Recursive Enumerate Files And Directories By Powershell
Adversary attempting to discover and collect sensitive documents and archives
from a user’s system. The test recursively enumerates common user folders
(Documents, Downloads, Desktop, OneDrive) for file types of interest such as .pdf, .doc,
.docx, .xls, .xlsx, .txt, .zip, .rar, and .7z.
This behavior is similar to malware like LOSTKEYS used by COLDRIVER in January 2025,
where attackers perform targeted file discovery to support strategic intelligence collection https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix.

**Supported Platforms:** Windows


**auto_generated_guid:** 95a21323-770d-434c-80cd-6f6fbf7af432





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | File to output results. | string | $env:TEMP&#92;T1083-Enumerate-net.txt|


#### Attack Commands: Run with `powershell`! 


```powershell
$out = "#{output_file}"
$dirsFilter = @('Documents','Downloads','Desktop','OneDrive')
$exts = @('.pdf','.doc','.docx','.xls','.xlsx','.txt','.zip','.rar','.7z')
$userProfile = [Environment]::GetFolderPath('UserProfile')
$tr = [System.Collections.Generic.List[string]]::new()

function MatchesExtension($path) {
  try {
    $e = [System.IO.Path]::GetExtension($path).ToLower()
    return $exts -contains $e
  } catch { return $false }
}

function Scan-Dir($root) {
  try {
    $match = $false
    foreach ($f in $dirsFilter) { if ($root -like "*$f*") { $match = $true; break } }
    if (-not $match) { return }

    [System.IO.Directory]::EnumerateFiles($root) | ForEach-Object {
      if (MatchesExtension $_) {
        $fi = [System.IO.FileInfo]::new($_)
        $tr.Add("[File] $_ Size:$($fi.Length) LastWrite:$($fi.LastWriteTime)")
      }
    }

    [System.IO.Directory]::EnumerateDirectories($root) | ForEach-Object {
      Scan-Dir $_
    }
  } catch [System.UnauthorizedAccessException] {
    $tr.Add("[AccessDenied] $root")
  } catch {
    $tr.Add("[Error] $root => $($_.Exception.Message)")
  }
}

[System.IO.Directory]::EnumerateDirectories($userProfile) | ForEach-Object { Scan-Dir $_ }

# Ensure output dir exists
$outDir = [System.IO.Path]::GetDirectoryName($out)
if (-not [string]::IsNullOrEmpty($outDir) -and -not (Test-Path $outDir)) {
  New-Item -Path $outDir -ItemType Directory -Force | Out-Null
}

# Write results
$tr | Out-File -FilePath $out -Encoding UTF8
Write-Output "Enumeration complete. Results written to: $out"
```

#### Cleanup Commands:
```powershell
Remove-Item -Path "#{output_file}" -ErrorAction SilentlyContinue
```





<br/>