File and Directory Discovery

3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory.^[3]

4H RAT has the capability to obtain file and directory listings.^[3]

admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories: dir c:\ >> %temp%\download dir "c:\Documents and Settings" >> %temp%\download dir "c:\Program Files\" >> %temp%\download dir d:\ >> %temp%\download^[4]

ADVSTORESHELL can list files and directories.^[5][6]

AppleSeed has the ability to search for .txt, .ppt, .hwp, .pdf, and .doc files in specified directories.^[7]

APT18 can list files information for specific directories.^[8]

APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms.^[9][10]

APT29 obtained information about the configured Exchange virtual directory using Get-WebServicesVirtualDirectory.^[11]

APT3 has a tool that looks for files and directories on the local file system.^[12][13]

APT32's backdoor possesses the capability to list files and directories on a machine. ^[14]

APT38 have enumerated files and directories, or searched in specific locations within a compromised host.^[15]

APT39 has used tools with the ability to search for files on a compromised host.^[16]

APT41 has executed file /bin/pwd on exploited victims, perhaps to return architecture related information.^[17]

Aria-body has the ability to gather metadata from a file and to search for file and directory names.^[18]

Attor has a plugin that enumerates files with specific extensions on all hard disk drives and stores file information in encrypted log files.^[19]

AuditCred can search through folders and files on the system.^[20]

AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc; .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg.^[21]

Avaddon has searched for specific files prior to encryption.^[22]

Avenger has the ability to browse files in directories such as Program Files and the Desktop.^[23]

Azorult can recursively search for files in folders and collects files from the desktop with certain extensions.^[24]

Babuk has the ability to enumerate files on a targeted system.^[25][26]

BabyShark has used dir to search for "programfiles" and "appdata".^[27]

BackConfig has the ability to identify folders and files related to previous infections.^[28]

Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files.^[29]

BACKSPACE allows adversaries to search for files.^[30]

BADFLICK has searched for files on the infected host.^[31]

BADNEWS identifies files with certain extensions from USB devices, then copies them to a predefined directory.^[32]

BadPatch searches for files with specific file extensions.^[33]

Bandook has a command to list files on a system.^[34]

Bankshot searches for files on the victim's machine.^[35]

Bazar can enumerate the victim's desktop.^[36][37]

BBSRAT can list file and directory information.^[38]

Bisonal can retrieve a file listing from the system.^[39][40]

BLACKCOFFEE has the capability to enumerate files.^[41]

BlackEnergy gathers a list of installed apps from the uninstall program Registry. It also gathers registered mail, browser, and instant messaging clients from the Registry. BlackEnergy has searched for given file types.^[42][43]

BlackMould has the ability to find files on the targeted system.^[44]

BLINDINGCAN can search, read, write, move, and execute files.^[45][46]

BLUELIGHT can enumerate files and collect associated metadata.^[47]

BoomBox can search for specific files and directories on a machine.^[48]

BoxCaon has searched for files on the system, such as documents located in the desktop folder.^[49]

Brave Prince gathers file and directory information from the victim’s machine.^[50]

BRONZE BUTLER has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal.^[51]

CaddyWiper can enumerate all files and directories on a compromised host.^[52]

Cannon can obtain victim drive information as well as a list of folders in C:\Program Files.^[53]

Cardinal RAT checks its current working directory upon execution and also contains watchdog functionality that ensures its executable is located in the correct path (else it will rewrite the payload).^[54]

Caterpillar WebShell can search for files in directories.^[55]

CharmPower can enumerate drives and list the contents of the C: drive on a victim's computer.^[56]

ChChes collects the victim's %TEMP% directory path and version of Internet Explorer.^[57]

Chimera has utilized multiple commands to identify data of interest in file and directory listings.^[58]

China Chopper's server component can list directory contents.^[59]

An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o.^[5]

Clambling can browse directories on a compromised host.^[60][61]

Clop has searched folders and subfolders for files to encrypt.^[62]

cmd can be used to find files and directories with native functionality such as dir commands.^[63]

Cobalt Strike can explore files on a compromised system.^[64]

Confucius has used a file stealer that checks the Document, Downloads, Desktop, and Picture folders for documents and images with specific extensions.^[65]

Conti can discover files on a local system.^[66]

CookieMiner has looked for files in the user's home directory with "wallet" in their name using find.^[67]

CORALDECK searches for specified files.^[68]

CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list.^[69]

CrackMapExec can discover specified filetypes and log files on a targeted system.^[70]

Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list.^[71][72]

CrossRAT can list all files on a system.

Cryptoistic can scan a directory to identify files for deletion.^[73]

Cuba can enumerate files by using a variety of functions.^[74]

Cyclops Blink can use the Linux API statvfs to enumerate the current working directory.^[75][76]

Dacls can scan directories on a compromised host.^[77]

Dark Caracal collected file listings of all default Windows directories.^[78]

Darkhotel has used malware that searched for files with specific patterns.^[79]

DarkWatchman has the ability to enumerate file and folder names.^[80]

DDKONG lists files on the victim’s machine.^[81]

DEATHRANSOM can use loop operations to enumerate directories on a compromised host.^[82]

Denis has several commands to search directories for files.^[83][84]

Derusbi is capable of obtaining directory, file, and drive listings.^[85][59]

Diavol has a command to traverse the files and directories in a given path.^[86]

Doki has resolved the path of a process PID to use as a script argument.^[87]

down_new has the ability to list the directories on a compromised host.^[23]

Dragonfly has used a batch script to gather folder and file names from victim hosts.^[88][89][90]

DropBook can collect the names of all files and folders in the Program Files directories.^[91][92]

Dtrack can list files on available disk volumes.^[93][94]

Dust Storm has used Android backdoors capable of enumerating specific files on the infected devices.^[95]

DustySky scans the victim for files that contain certain keywords and document types including PDF, DOC, DOCX, XLS, and XLSX, from a list that is obtained from the C2 as a text file. It can also identify logical drives for the infected machine.^[96][97]

Ebury can list directory entries.^[98]

A variant of Elise executes dir C:\progra~1 when initially run.^[99][100]

ELMER is capable of performing directory listings.^[101]

Empire includes various modules for finding files of interest on hosts and network shares.^[102]

Epic recursively searches for all .doc files on the system and collects a directory listing of the Desktop, %TEMP%, and %WINDOWS%\Temp directories.^[103][104]

FALLCHILL can search files on a victim.^[105]

FatDuke can enumerate directories on target machines.^[106]

FinFisher enumerates directories and scans for certain files.^[107][108]

FIVEHANDS has the ability to enumerate files on a compromised host in order to encrypt files with specific extensions.^[109][110]

FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system and removable media.^[30]

FoggyWeb's loader can check for the FoggyWeb backdoor .pri file on a compromised AD FS server.^[111]

Forfiles can be used to locate certain types of files/directories in a system.(ex: locate all files with a specific extension, name, and/or age)^[9]

Fox Kitten has used WizTree to obtain network files and directory listings.^[112]

FruitFly looks for specific files and file types.^[113]

FYAnti can search the C:\Windows\Microsoft.NET\ directory for files of a specified size.^[114]

Fysbis has the ability to search for files.^[115]

Gamaredon Group macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. Gamaredon Group has also used its backdoors to automatically list interesting files (such as Office documents) found on a system.^[116][117]

Gelsemium can retrieve specific Windows directories.^[118]

GeminiDuke collects information from the victim, including installed drivers, programs previously executed by users, programs and services configured to automatically run at startup, files and folders present in any user's home folder, files and folders present in any user's My Documents, programs installed to the Program Files folder, and recently accessed files, folders, and programs.^[119]

Gold Dragon lists the directories for Desktop, program files, and the user’s recently accessed files.^[50]

GoldenSpy has included a program "ExeProtector", which monitors for the existence of GoldenSpy on the infected system and redownloads if necessary.^[120]

GravityRAT collects the volumes mapped on the system, and also steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.^[121]

GrimAgent has the ability to enumerate files and directories on a compromised host.^[122]

HermeticWiper can enumerate common folders such as My Documents, Desktop, and AppData.^[123][124]

Honeybee's service-based DLL implant traverses the FTP server’s directories looking for files with keyword matches for computer names or certain keywords.^[125]

HOPLIGHT has been observed enumerating system drives and partitions.^[126]

HotCroissant has the ability to retrieve a list of files in a given directory as well as drives and drive types.^[127]

HTTPBrowser is capable of listing files, folders, and drives on a victim.^[128][129]

Hydraq creates a backdoor through which remote attackers can check for the existence of files, including its own components, as well as retrieve a list of logical drives.^[130][131]

Imminent Monitor has a dynamic debugging feature to check whether it is located in the %TEMP% directory, otherwise it copies itself there.^[132]

Inception used a file listing plugin to collect information about file and directories both on local and remote drives.^[133]

Industroyer’s data wiper component enumerates specific files on all the Windows drives.^[134]

InnaputRAT enumerates directories and obtains file attributes on a system.^[135]

InvisiMole can list information about files in a directory and recently opened or used documents. InvisiMole can also search for specific files by supplied file mask.^[136]

Ixeshe can list file and directory information.^[137]

JPIN can enumerate drives and their types. It can also change file permissions using cacls.exe.^[138]

jRAT can browse file systems.^[139][140]

Kasidet has the ability to search for a given filename on a victim.^[141]

Kazuar finds a specified directory, lists the files and metadata about those files.^[142]

Ke3chang uses command-line interaction to search files and directories.^[143][144]

KeyBoy has a command to launch a file browser or explorer on the system.^[145]

KEYMARBLE has a command to search for files on the victim’s machine.^[146]

KGH_SPY can enumerate files and directories on a compromised host.^[147]

KillDisk has used the FindNextFile command as part of its file deletion process.^[148]

Kimsuky has the ability to enumerate all files and directories on an infected system.^{[149][150][151]}

Kinsing has used the find command to search for specific files.^[152]

Kivars has the ability to list drives on the infected host.^[153]

Koadic can obtain a list of directories.^[154]

A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together.^[155]

Kwampirs collects a list of files and directories in C:\ with the command dir /s /a c:\ >> "C:\windows\TEMP[RANDOM].tmp".^[156]

Several Lazarus Group has conducted word searches on compromised machines to identify specific documents of interest. Lazarus Group malware can use a common function to identify target files by their extension, and some also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.^{[157][158][159][160][161]}

Leafminer used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files.^[162]

Linfo creates a backdoor through which remote attackers can list contents of drives and search for files.^[163]

Lokibot can search for specific files on an infected host.^[164]

LookBack can retrieve file listings from the victim machine.^[165]

Machete produces file listings in order to search for files to be exfiltrated.^{[166][167][168]}

Magic Hound malware can list a victim's logical drives and the type, as well the total/free space of the fixed devices. Other malware can list a directory's contents.^[169]

MarkiRAT can look for files carrying specific extensions such as: .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt, .gpg, .pkr, .kdbx, .key, and .jpb.^[170]

MegaCortex can parse the available drives and directories to determine which files to encrypt.^[171]

menuPass has searched compromised systems for folders of interest including those related to HR, audit and expense, and meeting memos.^[172]

MESSAGETAP checks for the existence of two configuration files (keyword_parm.txt and parm.txt) and attempts to read the files every 30 seconds.^[173]

Metamorfo has searched the Program Files directories for specific folders and has searched for strings related to its mutexes.^{[174][175][176]}

Micropsia can perform a recursive directory listing for all volume drives available on the victim's machine and can also fetch specific files by their paths.^[177]

MiniDuke can enumerate local drives.^[106]

Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives.^[95]

MobileOrder has a command to upload to its C2 server information about files on the victim mobile device, including SD card size, installed app list, SMS content, contacts, and calling history.^[178]

MoonWind has a command to return a directory listing for a specified directory.^[179]

MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords "Kasper," "Panda," or "ESET."^[180]

Mustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files.^[181]

NDiskMonitor can obtain a list of all files and directories as well as logical drives.^[32]

Nebulae can list files and directories on a compromised host.^[182]

NETEAGLE allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information.^[30]

NETWIRE has the ability to search for files on the compromised host.^[183]

njRAT can browse file systems using a file manager module.^[184]

NotPetya searches for files ending with dozens of different file extensions prior to encryption.^[185]

ObliqueRAT has the ability to recursively enumerate files on an infected endpoint.^[186]

OceanSalt can extract drive information from the endpoint and search files on the system.^[187]

Octopus can collect information on the Windows directory and searches for compressed RAR files on the host.^{[188][189][190]}

Okrum has used DriveLetterView to enumerate drive information.^[191]

Operation Wocao has gathered a recursive directory listing to find files and directories of interest.^[192]

Orz can gather victim drive information.^[193]

OSX/Shlayer uses the command appDir="$(dirname $(dirname "$currentDir"))" and $(dirname "$(pwd -P)") to construct installation paths.^[194][195]

OwaAuth has a command to list its directory and logical drives.^[128]

P.A.S. Webshell has the ability to list files and file characteristics including extension, size, ownership, and permissions.^[196]

Pasam creates a backdoor through which remote attackers can retrieve lists of files.^[197]

A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions.^[198][32]

Penquin can use the command code do_vslist to send file names, size, and status to C2.^[199]

Peppy can identify specific files for exfiltration.^[71]

PinchDuke searches for files created within a certain timeframe and whose file extension matches a predefined list.^[119]

Pisloader has commands to list drives on the victim machine and to list file information for a given directory.^[200]

PLEAD has the ability to list drives and files on the compromised host.^[153][201]

PlugX has a module to enumerate drives and find files recursively.^[202][203]

PoetRAT has the ability to list files upon receiving the ls command from C2.^[204]

POORAIM can conduct file browsing.^[68]

PoshC2 can enumerate files on the local file system and includes a module for enumerating recently accessed files.^[205]

PowerDuke has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space.^[206]

POWRUNER may enumerate user directories on a victim.^[207]

A module in Prikormka collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the file.^[208]

Proxysvc lists files in directories.^[158]

Psylo has commands to enumerate all storage devices and to find all files that start with a particular string.^[178]

Pteranodon identifies files matching certain file extension and copies them to subdirectories it created.^[209]

Pupy can walk through directories and recursively search for strings in files.^[210]

QakBot can identify whether it has been run previously on a host by checking for a specified folder.^[211]

QuietSieve can search files on the target host by extension, including doc, docx, xls, rtf, odt, txt, jpg, pdf, rar, zip, and 7z.^[212]

RainyDay can use a file exfiltration tool to collect recently changed files with specific extensions.^[182]

Ramsay can collect directory and file lists.^[213][214]

RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications.^[215]

RedLeaves can enumerate and search for files and directories.^[216][57]

Remcos can search for files on the infected machine.^[217]

Remexi searches for files on the system. ^[218]

RemoteUtilities can enumerate files and directories on a target machine.^[219]

Remsec is capable of listing contents of folders on the victim. Remsec also searches for custom network encryption software on victims.^{[220][221][222]}

REvil has the ability to identify specific files and directories that are not to be encrypted.^{[223][224][225][226][227][228]}

Rising Sun can enumerate information about files from the infected system, including file size, attributes, creation time, last access time, and write time. Rising Sun can enumerate the compilation timestamp of Windows executable files.^[229]

ROKRAT has the ability to gather a list of files and directories on the infected system.^{[230][231][232]}

Rover automatically searches for files on local drives based on a predefined list of file extensions.^[233]

RTM can check for specific files and directories associated with virtualization and malware analysis.^[234]

Ryuk has enumerated files and folders on all mounted drives.^[235]

Sandworm Team has enumerated files on a compromised host.^[185][236]

SDBbot has the ability to get directory listings or drive information on a compromised host.^[237]

Seasalt has the capability to identify the drive type on a victim.^[187]

ShimRat can list directories.^[238]

SHOTPUT has a command to obtain a directory listing.^[239]

SideTwist has the ability to search for specific files.^[240]

Sidewinder has used malware to collect information on files and directories.^[241]

SILENTTRINITY has several modules, such as ls.py, pwd.py, and recentFiles.py, to enumerate directories and files.^[242]

Siloscape searches for the Kubernetes config file and other related files using a regular expression.^[243]

Skidmap has checked for the existence of specific files including /usr/sbin/setenforce and /etc/selinux/config. It also has the ability to monitor the cryptocurrency miner file and process. ^[244]

Sliver can enumerate files on a target system.^[245]

SLOTHFULMEDIA can enumerate files and directories.^[246]

Smoke Loader recursively searches through directories for files.^[247]

SombRAT can execute enum to enumerate files in storage on a compromised system.^[248]

SoreFang has the ability to list directories.^[249]

SOUNDBITE is capable of enumerating and manipulating files and directories.^[250]

Sowbug identified and extracted all Word documents on a server by using a command containing * .doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim.^[251]

SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time.^[30]

StreamEx has the ability to enumerate drive types.^[252]

StrongPity can parse the hard drive on a compromised host to identify specific file extensions.^[253]

Stuxnet uses a driver to scan for specific filesystem driver objects.^[254]

SUNBURST had commands to enumerate files and directories.^[255][256]

SUNSPOT enumerated the Orion software Visual Studio solution directory path.^[257]

SynAck checks its directory location in an attempt to avoid launching in a sandbox.^[258][259]

SysUpdate can search files on a compromised host.^[260]

Taidoor can search for specific files.^[261]

TAINTEDSCRIBE can use DirectoryList to enumerate files in a specified directory.^[262]

TajMahal has the ability to index files from drives, user profiles, and removable drives.^[263]

ThreatNeedle can obtain file and directory information.^[264]

TINYTYPHON searches through the drive containing the OS, then all drive letters C through to Z, for documents matching certain extensions.^[21]

TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.^[265][266]

Trojan.Karagany can enumerate files and directories on a compromised host.^[267]

Tropic Trooper has monitored files' modified time.^[268]

TSCookie has the ability to discover drive information on the infected host.^[269]

Turian can search for specific files and list directories.^[270]

Turla surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, the Program Files directory, and Recent.^[103][271] Turla RPC backdoors have also searched for files matching the lPH*.dll pattern.^[272]

TYPEFRAME can search directories for files on the victim’s machine.^[273]

UPPERCUT has the capability to gather the victim's current directory.^[274]

USBferry can detect the victim's file or folder list.^[268]

USBStealer searches victim drives for files matching certain extensions (".skr",".pkr" or ".key") or names.^[275][276]

Volgmer can list directories on a victim.^[277]

WannaCry searches for variety of user files by file extension before encrypting them using RSA and AES, including Office, PDF, image, audio, video, source code, archive/compression format, and key and certificate files.^[278][279]

WarzoneRAT can enumerate directories on a compromise host.^[280]

WastedLocker can enumerate files and directories just prior to encryption.^[281]

WhisperGate can locate files based on hardcoded file extensions.^{[282][283][284][285]}

Windigo has used a script to check for the presence of files created by OpenSSH backdoors.^[286]

WindTail has the ability to enumerate the users home directory and the path to its own application bundle.^[287][288]

WINERACK can enumerate files and directories.^[68]

WinMM sets a WH_CBT Windows hook to search for and capture files on the victim.^[289]

Winnti for Windows can check for the presence of specific files prior to moving to the next phase of execution.^[290]

Winnti Group has used a program named ff.exe to search for specific documents on compromised hosts.^[291]

XAgentOSX contains the readFiles function to return a detailed listing (sometimes recursive) of a specified directory.^[292] XAgentOSX contains the showBackupIosFolder function to check for IOS device backups by running ls -la ~/Library/Application\ Support/MobileSync/Backup/.^[292]

yty gathers information on victim’s drives and has a plugin for document listing.^[293]

Zebrocy searches for files that are 60mb and less and contain the following extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .exe, .zip, and .rar. Zebrocy also runs the echo %APPDATA% command to list the contents of the directory.^{[294][295][296]} Zebrocy can obtain the current execution path as well as perform drive enumeration.^[297][298]

Zeus Panda searches for specific directories on the victim’s machine.^[299]

ZLib has the ability to enumerate files and drives.^[95]

Zox can enumerate files on a compromised host.^[300]

zwShell can browse the file system.^[301]

ZxShell has a command to open a file manager and explorer on the system.^[302]