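---
# Atomic Red Team tests for MITRE ATT&CK T1083 - File and Directory Discovery.
# Every test below enumerates the file system of the host it runs on (the ESXi test
# enumerates a remote host over SSH); most write their results to a temp file that
# the matching cleanup_command deletes. Run only on hosts where that activity is
# expected and where the resulting telemetry is what you want to validate.
attack_technique: T1083
display_name: File and Directory Discovery
atomic_tests:
  # Test 1: cmd.exe builtins. `dir /s c:\` and `tree /F` walk the whole system
  # drive, so this test is slow and writes a large output file. The output path is
  # substituted unquoted into each `>>` redirect and into `del`, so it must not
  # contain spaces. Each dir line runs independently, so a directory that cannot be
  # listed (e.g. `c:\Documents and Settings`, presumably an access-denied junction on
  # current Windows - TODO confirm) only adds an error line and does not stop the rest.
  - name: File and Directory Discovery (cmd.exe)
    auto_generated_guid: 0e36303b-6762-4500-b003-127743b80ba6
    description: |
      Find or discover files on the file system. Upon successful execution, this test will output the results of all the data discovery commands to a specified file.
    supported_platforms:
      - windows
    input_arguments:
      output_file:
        description: File to output results to
        type: string
        # Quoted: a plain scalar starting with `%` is a YAML directive indicator.
        default: '%temp%\T1083Test1.txt'
    executor:
      command: |
        dir /s c:\ >> #{output_file}
        dir /s "c:\Documents and Settings" >> #{output_file}
        dir /s "c:\Program Files\" >> #{output_file}
        dir "%systemdrive%\Users\*.*" >> #{output_file}
        dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> #{output_file}
        dir "%userprofile%\Desktop\*.*" >> #{output_file}
        tree /F >> #{output_file}
      cleanup_command: |
        del #{output_file}
      name: command_prompt

  # Test 2: PowerShell listing. Output goes to the console only (no output_file and
  # no cleanup_command), and the walk starts from whatever the executor's current
  # directory is. `ls` and `gci` are built-in aliases of Get-ChildItem, so the three
  # lines produce the same recursive listing three times.
  - name: File and Directory Discovery (PowerShell)
    auto_generated_guid: 2158908e-b7ef-4c21-8a83-3ce4dd05a924
    description: |
      Find or discover files on the file system. Upon execution, file and folder information will be displayed.
    supported_platforms:
      - windows
    executor:
      command: |
        ls -recurse
        get-childitem -recurse
        gci -recurse
      name: powershell

  # Test 3: Linux/macOS listing with sh builtins and coreutils. Only the first three
  # lines are redirected into output_file; find / ls -R / locate / which print to the
  # console. `file */* *` and `locate *` rely on the shell expanding the globs against
  # the executor's current directory, so their output depends on where the test is
  # launched, and `locate` needs an existing updatedb database.
  - name: Nix File and Directory Discovery
    auto_generated_guid: ffc8b249-372a-4b74-adcd-e4c0430842de
    description: |
      Find or discover files on the file system

      References:

      http://osxdaily.com/2013/01/29/list-all-files-subdirectory-contents-recursively/

      https://perishablepress.com/list-files-folders-recursively-terminal/
    supported_platforms:
      - linux
      - macos
    input_arguments:
      output_file:
        description: Output file used to store the results.
        type: path
        default: /tmp/T1083.txt
    executor:
      # Review fix: the /Library/Preferences listing (macOS only) now appends with
      # `>>` - it previously used `>` and truncated the `ls -a` output written by
      # the line before it.
      command: |
        ls -a >> #{output_file}
        if [ -d /Library/Preferences/ ]; then ls -la /Library/Preferences/ >> #{output_file}; fi;
        file */* * >> #{output_file}
        cat #{output_file} 2>/dev/null
        find . -type f
        ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
        locate *
        which sh
      cleanup_command: |
        rm #{output_file}
      name: sh

  # Test 4: tree-style dump of $HOME plus /etc/mtab and a search for PDFs and
  # dotfiles. The first line truncates output_file (`>`) on purpose; the later
  # lines append to it.
  - name: Nix File and Directory Discovery 2
    auto_generated_guid: 13c5e1ae-605b-46c4-a79f-db28c77ff24e
    description: |
      Find or discover files on the file system
    supported_platforms:
      - linux
      - macos
    input_arguments:
      output_file:
        description: Output file used to store the results.
        type: path
        default: /tmp/T1083.txt
    executor:
      # Review fix: the -iname pattern is quoted so the shell does not expand
      # `*.pdf` against the current directory before find sees it (an unquoted glob
      # that matches several files made find fail on the extra arguments).
      command: |
        cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > #{output_file}
        if [ -f /etc/mtab ]; then cat /etc/mtab >> #{output_file}; fi;
        find . -type f -iname '*.pdf' >> #{output_file}
        cat #{output_file}
        find . -type f -name ".*"
      cleanup_command: 'rm #{output_file}'
      name: sh

  # Test 5: MAZE-style enumeration. Every Get-ChildItem uses -ErrorAction
  # SilentlyContinue, so unreadable or non-existent paths are skipped without
  # trace in the output. `$directory` is string-interpolated when building the
  # per-user path, so the result depends on how the DirectoryInfo stringifies
  # (folder name on Windows PowerShell 5.1; presumably the full path on newer
  # PowerShell, which would make the built path invalid and silently empty the
  # per-user section - TODO confirm on the target PowerShell version).
  - name: Simulating MAZE Directory Enumeration
    auto_generated_guid: c6c34f61-1c3e-40fb-8a58-d017d88286d8
    description: |
      This test emulates MAZE ransomware's ability to enumerate directories using Powershell. Upon successful execution, this test will output the directory enumeration results to a specified file, as well as display them in the active window.
      See https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
    supported_platforms:
      - windows
    input_arguments:
      File_to_output:
        description: File to output results to
        type: string
        # Single-quoted so YAML keeps the backslash literal; PowerShell expands
        # $env:temp when the substituted text is evaluated by the executor.
        default: '$env:temp\T1083Test5.txt'
    executor:
      command: |
        $folderarray = @("Desktop", "Downloads", "Documents", "AppData/Local", "AppData/Roaming")
        Get-ChildItem -Path $env:homedrive -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}
        Get-ChildItem -Path $env:programfiles -erroraction silentlycontinue | Out-File -append #{File_to_output}
        Get-ChildItem -Path "${env:ProgramFiles(x86)}" -erroraction silentlycontinue | Out-File -append #{File_to_output}
        $UsersFolder = "$env:homedrive\Users\"
        foreach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue) {
          foreach ($secondarydirectory in $folderarray) {
            Get-ChildItem -Path "$UsersFolder/$directory/$secondarydirectory" -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}
          }
        }
        cat #{File_to_output}
      cleanup_command: |
        remove-item #{File_to_output} -ErrorAction SilentlyContinue
      name: powershell

  # Test 6: runs a third-party binary. Supply-chain caveat: get_prereq_command
  # downloads a ZIP from a GitHub release and the executor runs the binary it
  # contains with no hash or signature verification - pin the archive and check it
  # (e.g. Get-FileHash against a known SHA-256) before trusting this outside a
  # disposable test host. The `TDirLister.v2.beta4*` names are scratch paths that
  # the final Remove-Item deletes; only dirlister_path survives. Note also that
  # `Stop-Process -Name "DirLister"` kills every process with that name, not just
  # the one this test started.
  - name: Launch DirLister Executable
    auto_generated_guid: c5bec457-43c9-4a18-9a24-fe151d8971b7
    description: |-
      Launches the DirLister executable for a short period of time and then exits.
      Recently seen used by [BlackCat ransomware](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/) to create a list of accessible directories and files.
    supported_platforms:
      - windows
    input_arguments:
      dirlister_path:
        description: Path to the DirLister executable
        type: string
        default: 'PathToAtomicsFolder\..\ExternalPayloads\DirLister.exe'
    dependency_executor_name: powershell
    dependencies:
      - description: |
          DirLister.exe must exist in the specified path #{dirlister_path}
        prereq_command: |
          if (Test-Path "#{dirlister_path}") {exit 0} else {exit 1}
        get_prereq_command: |
          $parentpath = Split-Path "#{dirlister_path}"
          New-Item -ItemType Directory -Force -Path $parentpath | Out-Null
          Invoke-WebRequest https://github.com/SanderSade/DirLister/releases/download/v2.beta4/DirLister.v2.beta4.zip -OutFile "PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4.zip"
          Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4" -Force
          Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4\*" "$parentpath" -Recurse
          Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4.zip","PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4" -Recurse -ErrorAction Ignore
    executor:
      command: |
        Start-Process "#{dirlister_path}"
        Start-Sleep -Second 4
        Stop-Process -Name "DirLister"
      name: powershell

  # Test 7: remote enumeration of an ESXi host via plink. Credential handling:
  # `-pw` puts the ESXi password on the plink command line, where it is visible in
  # process listings and in any command-line auditing on the Windows host; the
  # default `pass` is a placeholder - never commit a real credential here. No host
  # key is pinned (`-hostkey`), and the reason for `echo "" |` is not documented;
  # presumably it is meant to answer plink's interactive prompt for an unknown host
  # key - confirm, since the outcome depends on the plink version. The plink binary
  # is fetched from an unpinned `latest` URL with no hash check (same supply-chain
  # caveat as the DirLister test). The commands executed on the ESXi side live in
  # cli_script, which is not part of this file.
  - name: ESXi - Enumerate VMDKs available on an ESXi Host
    auto_generated_guid: 4a233a40-caf7-4cf1-890a-c6331bbc72cf
    description: |
      An adversary uses the find command to enumerate vmdks on an ESXi host.
      [Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
    supported_platforms:
      - windows
    input_arguments:
      vm_host:
        description: Specify the host name of the ESXi Server
        type: string
        default: atomic.local
      vm_user:
        description: Specify the privilege user account on ESXi Server
        type: string
        default: root
      vm_pass:
        description: Specify the privilege user password on ESXi Server
        type: string
        default: pass
      plink_file:
        description: Path to Plink
        type: path
        default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
      cli_script:
        description: Path to script with file discovery commands
        type: path
        default: 'PathToAtomicsFolder\T1083\src\esxi_file_discovery.txt'
    dependency_executor_name: powershell
    dependencies:
      - description: |
          Check if plink is available.
        prereq_command: |
          if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
        get_prereq_command: |
          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
    executor:
      command: |
        echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
      name: command_prompt
      # Elevation refers to the Windows side; the ESXi side runs as vm_user (root by default).
      elevation_required: false

  # Test 8: network share discovery. `-t nfs` filters on filesystem type `nfs`
  # only; `nfs4` and `cifs` mounts, which the description mentions, are not shown
  # by the command as written (findmnt takes a comma-separated list, e.g.
  # `-t nfs,nfs4,cifs`, if those are in scope for your detection).
  - name: Identifying Network Shares - Linux
    auto_generated_guid: 361fe49d-0c19-46ec-a483-ccb92d38e88e
    description: |
      If the system uses network file systems (e.g., NFS, CIFS), findmnt can help locate paths to remote shares. Attackers may then attempt to access these shares for lateral movement or data exfiltration.
    supported_platforms:
      - linux
    executor:
      command: |
        findmnt -t nfs
      name: sh

  # Test 9: targeted document discovery under the user profile. Scan-Dir only
  # recurses into directories whose full path contains one of $dirsFilter as a
  # substring (so a `Desktop` folder anywhere under the profile matches, and
  # everything else under the profile is skipped). Access-denied directories are
  # recorded as `[AccessDenied]` lines instead of aborting the scan. output_file is
  # assigned inside a double-quoted string, so PowerShell expands $env:TEMP at run
  # time; the output directory is created if missing.
  - name: Recursive Enumerate Files And Directories By Powershell
    auto_generated_guid: 95a21323-770d-434c-80cd-6f6fbf7af432
    description: |
      Adversary attempting to discover and collect sensitive documents and archives from a user’s system.
      The test recursively enumerates common user folders (Documents, Downloads, Desktop, OneDrive) for file types of interest such as .pdf, .doc, .docx, .xls, .xlsx, .txt, .zip, .rar, and .7z. This behavior is similar to malware like LOSTKEYS used by COLDRIVER in January 2025, where attackers perform targeted file discovery to support strategic intelligence collection https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix.
    supported_platforms:
      - windows
    input_arguments:
      output_file:
        description: File to output results.
        type: string
        default: '$env:TEMP\T1083-Enumerate-net.txt'
    executor:
      name: powershell
      command: |
        $out = "#{output_file}"
        $dirsFilter = @('Documents','Downloads','Desktop','OneDrive')
        $exts = @('.pdf','.doc','.docx','.xls','.xlsx','.txt','.zip','.rar','.7z')
        $userProfile = [Environment]::GetFolderPath('UserProfile')
        $tr = [System.Collections.Generic.List[string]]::new()
        function MatchesExtension($path) {
          try {
            $e = [System.IO.Path]::GetExtension($path).ToLower()
            return $exts -contains $e
          } catch { return $false }
        }
        function Scan-Dir($root) {
          try {
            $match = $false
            foreach ($f in $dirsFilter) { if ($root -like "*$f*") { $match = $true; break } }
            if (-not $match) { return }
            [System.IO.Directory]::EnumerateFiles($root) | ForEach-Object {
              if (MatchesExtension $_) {
                $fi = [System.IO.FileInfo]::new($_)
                $tr.Add("[File] $_ Size:$($fi.Length) LastWrite:$($fi.LastWriteTime)")
              }
            }
            [System.IO.Directory]::EnumerateDirectories($root) | ForEach-Object { Scan-Dir $_ }
          } catch [System.UnauthorizedAccessException] {
            $tr.Add("[AccessDenied] $root")
          } catch {
            $tr.Add("[Error] $root => $($_.Exception.Message)")
          }
        }
        [System.IO.Directory]::EnumerateDirectories($userProfile) | ForEach-Object { Scan-Dir $_ }
        # Ensure output dir exists
        $outDir = [System.IO.Path]::GetDirectoryName($out)
        if (-not [string]::IsNullOrEmpty($outDir) -and -not (Test-Path $outDir)) {
          New-Item -Path $outDir -ItemType Directory -Force | Out-Null
        }
        # Write results
        $tr | Out-File -FilePath $out -Encoding UTF8
        Write-Output "Enumeration complete. Results written to: $out"
      cleanup_command: |
        Remove-Item -Path "#{output_file}" -ErrorAction SilentlyContinue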