T1083: File and Directory Discovery

Platforms: Linux · macOS · Windows · Network

ATT&CK version: 14.1

What it is

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Many command shell utilities can be used to obtain this information. Examples include `dir`, `tree`, `ls`, `find`, and `locate`. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. `dir`, `show flash`, and/or `nvram`). (Citation: US-CERT-TA18-106A)

ATT&CK tactics · 1

Discovery

References

  1. https://attack.mitre.org/techniques/T1083
  2. https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
  3. https://www.us-cert.gov/ncas/alerts/TA18-106A

Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.