security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1083/T1083.md
T
CircleCI Atomic Red Team doc generator 91e86258e6 Generate docs from job=validate_atomics_generate_docs branch=master
2019-10-24 17:09:43 +00:00

112 lines
3.0 KiB
Markdown
Raw Blame History

# T1083 - File and Directory Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1083)
<blockquote>Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
### Windows
Example utilities used to obtain this information are <code>dir</code> and <code>tree</code>. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Windows API.
### Mac and Linux
In Mac and Linux, this kind of discovery is accomplished with the <code>ls</code>, <code>find</code>, and <code>locate</code> commands.</blockquote>
## Atomic Tests
- [Atomic Test #1 - File and Directory Discovery](#atomic-test-1---file-and-directory-discovery)
- [Atomic Test #2 - File and Directory Discovery](#atomic-test-2---file-and-directory-discovery)
- [Atomic Test #3 - Nix File and Diectory Discovery](#atomic-test-3---nix-file-and-diectory-discovery)
- [Atomic Test #4 - Nix File and Directory Discovery](#atomic-test-4---nix-file-and-directory-discovery)
<br/>
## Atomic Test #1 - File and Directory Discovery
Find or discover files on the file system
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
dir /s c:\ >> %temp%\download
dir /s "c:\Documents and Settings" >> %temp%\download
dir /s "c:\Program Files\" >> %temp%\download
dir /s d:\ >> %temp%\download
dir "%systemdrive%\Users\*.*" >> %temp%\download
dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> %temp%\download
dir "%userprofile%\Desktop\*.*" >> %temp%\download
tree /F >> %temp%\download
```
<br/>
<br/>
## Atomic Test #2 - File and Directory Discovery
Find or discover files on the file system
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
ls -recurse
get-childitem -recurse
gci -recurse
```
<br/>
<br/>
## Atomic Test #3 - Nix File and Diectory Discovery
Find or discover files on the file system
References:
http://osxdaily.com/2013/01/29/list-all-files-subdirectory-contents-recursively/
https://perishablepress.com/list-files-folders-recursively-terminal/
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
```
ls -a > allcontents.txt
ls -la /Library/Preferences/ > detailedprefsinfo.txt
file */* *>> ../files.txt
find . -type f
ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
locate *
which sh
```
<br/>
<br/>
## Atomic Test #4 - Nix File and Directory Discovery
Find or discover files on the file system
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
```
cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/loot.txt
cat /etc/mtab > /tmp/loot.txt
find . -type f -iname *.pdf > /tmp/loot.txt
find . -type f -name ".*"
```
<br/>
Reference in New Issue View Git Blame Copy Permalink