File and Directory Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. Custom tools may also be used to gather file and directory information and interact with the Native API. Adversaries may also leverage a Network Device CLI on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram). Some files and directories may require elevated or specific user permissions to access.
Detection logic
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. Further, Network Device CLI commands may also be used to gather file and directory information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use of commands being run by non-standard users from non-standard locations.
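The detection logic above, worked through as an added example that is not part of this technique page: it scores constructed Sysmon-style process-creation records for the shell utilities the page names (dir, tree, ls, find, locate), weights how they ran, from which parent and as which account, and chains them per host and user so that a burst of enumeration, or enumeration from an unexpected parent or account, surfaces as one alert rather than as isolated events. The suspicious-parent, standard-user and recursive-flag lists are assumed site baselines, not values from the page.

```python
from datetime import datetime, timedelta

DISCOVERY_CMDS = {"dir", "tree", "ls", "find", "locate"}  # utilities named on the page
RECURSIVE_FLAGS = {"/s", "/f", "-r"}                      # assumed: flags that walk whole trees
SUSPICIOUS_PARENTS = {"w3wp", "winword", "httpd"}         # assumed: parents that never spawn enumeration
STANDARD_USERS = {"corp\\admin-ops", "root"}              # assumed: accounts expected to run it

def basename(token):  # lowercase file name of an image path or command token, without .exe
    return token.replace("\\", "/").rsplit("/", 1)[-1].lower().removesuffix(".exe")
def discovery_command(cmdline):  # discovery utility invoked, or None; unwraps cmd.exe /c and sh -c
    tokens = cmdline.split()
    if len(tokens) > 2 and basename(tokens[0]) in {"cmd", "sh", "bash"} and tokens[1].lower() in {"/c", "-c"}:
        tokens = tokens[2:]
    exe = basename(tokens[0]) if tokens else ""
    return exe if exe in DISCOVERY_CMDS else None

def score_event(event):
    """Weight one (ts, host, user, parent, cmd) record by what ran, how, from where and as whom."""
    _, _, user, parent, cmd = event
    util = discovery_command(cmd)
    if util is None:
        return 0, []  # not discovery activity at all
    parent, flags = basename(parent), {t.lower() for t in cmd.split()}
    checks = [(1, f"discovery utility {util}", True),
              (1, "recursive enumeration flag", bool(flags & RECURSIVE_FLAGS)),
              (2, f"spawned by {parent}", parent in SUSPICIOUS_PARENTS),
              (1, f"non-standard user {user}", user.lower() not in STANDARD_USERS)]
    return sum(w for w, _, hit in checks if hit), [r for _, r, hit in checks if hit]

def correlate(events, window=timedelta(minutes=5), threshold=6):  # one alert per (host, user) burst
    alerts, chains = [], {}
    for event in sorted(events):  # chronological order: the tuples sort on their ISO timestamp
        score, why = score_event(event)
        if not score:
            continue
        ts, key = datetime.fromisoformat(event[0]), (event[1], event[2])
        chain = [c for c in chains.get(key, []) if ts - c[0] <= window] + [(ts, score, why)]
        total = sum(s for _, s, _ in chain)
        if total >= threshold:
            alerts.append({"host": key[0], "user": key[1], "count": len(chain), "score": total, "reasons": sorted({r for _, _, w in chain for r in w})})
            chain = []  # reset so the same burst is not reported twice
        chains[key] = chain
    return alerts

EVENTS = [  # constructed Sysmon-style records (ts, host, user, parent image, command line), not real telemetry
    ("2024-03-01T10:00:01", "web01", "IIS APPPOOL\\DefaultAppPool", "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "cmd.exe /c dir /s C:\\inetpub"),
    ("2024-03-01T10:00:09", "web01", "IIS APPPOOL\\DefaultAppPool", "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "cmd.exe /c tree /f C:\\Users"),
    ("2024-03-01T10:30:00", "ws07", "CORP\\jdoe", "C:\\Windows\\explorer.exe", "cmd.exe /c dir /s D:\\Reports"),
    ("2024-03-01T10:31:00", "ws07", "CORP\\jdoe", "C:\\Windows\\explorer.exe", "cmd.exe /c tree /f D:\\"),
]
```

Running `correlate(EVENTS)` yields two alerts: the web-server worker chain scores high on a single pair of commands because of its parent and account, while the workstation chain only crosses the threshold once several recursive listings accumulate inside the window.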
Observed actors
G0082
G0022 APT3
G0094 Kimsuky
G0018 admin@338
G1017 Volt Typhoon
G0040 Patchwork
G0096 APT41
G0035 Dragonfly
G0045 menuPass
G0050 APT32
G0125 HAFNIUM
G0069 MuddyWater
G0047 Gamaredon Group
G0077 Leafminer
G0139 TeamTNT
G0034 Sandworm Team
G0026 APT18
G0121 Sidewinder
G0129 Mustang Panda
G1015 Scattered Spider
G0087 APT39
G0124 Windigo
G0081 Tropic Trooper
G1007 Aoqin Dragon
G0004 Ke3chang
G0142 Confucius
G1035 Winter Vivern
G0010 Turla
G1039 RedCurl
G0016 APT29
G0070 Dark Caracal
G0114 Chimera
G0060 BRONZE BUTLER
G0012 Darkhotel
G1022 ToddyCat
G1014 LuminousMoth
G0007 APT28
G1023 APT5
G0117 Fox Kitten
G0044 Winnti Group
G0032 Lazarus Group
G0054 Sowbug
G0100 Inception
G1040 Play
G0059 Magic Hound
G1016 FIN13
Correlated CTI and IR reports
ATT&CK as a Working Tool: Theory and Hands-On Practical Usage (Israel Threat Actors CTI, explicit report mention; 1200km CTI repository, explicit report mention)
CTI Research: Kubernetes & Cloud-Native Threat Landscape (1200km CTI repository, explicit report mention; 1200km Medium, authored report mention)