File and Directory Discovery, Technique T1083 - Enterprise (original) (raw)
During the 2025 Poland Wiper Attacks, the adversaries obtained the contents of users’ directories using dir /s /b C:\Users command.[3]
3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory.[4]
4H RAT has the capability to obtain file and directory listings.[4]
AcidPour can identify specific files and directories within the Linux operating system corresponding with storage devices for follow-on wiping activity, similar to AcidRain.[5]
AcidRain identifies specific files and directories in the Linux operating system associated with storage devices.[6]
Action RAT has the ability to collect drive and file information on an infected machine.[7]
admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories: dir c:\ >> %temp%\download dir "c:\Documents and Settings" >> %temp%\download dir "c:\Program Files\" >> %temp%\download dir d:\ >> %temp%\download[8]
ADVSTORESHELL can list files and directories.[9][10]
Akira examines files prior to encryption to determine if they meet requirements for encryption and can be encrypted by the ransomware. These checks are performed through native Windows functions such as GetFileAttributesW.[11][12]
Akira _v2 can target specific files and folders for encryption.[13][12][14]
Amadey has searched for folders associated with antivirus software.[15]
ANELLDR can enumerate files in the current directory to search for encrypted payload files.[16]
Anthropic AI-orchestrated Campaign
During the Anthropic AI-orchestrated Campaign, the adversary leveraged Claude Code to identify sensitive data within the victim environment for extraction.[17]
Aoqin Dragon has run scripts to identify file formats including Microsoft Word.[18]
AppleSeed has the ability to search for .txt, .ppt, .hwp, .pdf, and .doc files in specified directories.[19]
APT18 can list files information for specific directories.[20]
APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms.[21][22]
APT3 has a tool that looks for files and directories on the local file system.[23][24]
APT32's backdoor possesses the capability to list files and directories on a machine. [25]
APT38 have enumerated files and directories, or searched in specific locations within a compromised host.[26]
APT39 has used tools with the ability to search for files on a compromised host.[27]
APT41 has executed file /bin/pwd on exploited victims, perhaps to return architecture related information.[28]
APT5 has used the BLOODMINE utility to discover files with .css, .jpg, .png, .gif, .ico, .js, and .jsp extensions in Pulse Secure Connect logs.[29]
Aria-body has the ability to gather metadata from a file and to search for file and directory names.[30]
The AshTag AshenOrchestrator component can enumerate files on victim hosts.[31]
Attor has a plugin that enumerates files with specific extensions on all hard disk drives and stores file information in encrypted log files.[32]
AuditCred can search through folders and files on the system.[33]
AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc; .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg.[34]
Avaddon has searched for specific files prior to encryption.[35]
Avenger has the ability to browse files in directories such as Program Files and the Desktop.[36]
AvosLocker has searched for files and directories on a compromised network.[37][38]
Azorult can recursively search for files in folders and collects files from the desktop with certain extensions.[39]
Babuk has the ability to enumerate files on a targeted system.[40][41]
BabyShark has used dir to search for "programfiles" and "appdata".[42]
BackConfig has the ability to identify folders and files related to previous infections.[43]
Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files.[44]
BACKSPACE allows adversaries to search for files.[45]
BADFLICK has searched for files on the infected host.[46]
BADNEWS identifies files with certain extensions from USB devices, then copies them to a predefined directory.[47]
BadPatch searches for files with specific file extensions.[48]
Bandook has a command to list files on a system.[49]
Bankshot searches for files on the victim's machine.[50]
Bazar can enumerate the victim's desktop.[51][52]
BBSRAT can list file and directory information.[53]
BeaverTail has searched for .ldb and .log files stored in browser extension directories for collection and exfiltration.[54][55][56]
Bisonal can retrieve a file listing from the system.[57][58]
Black Basta can enumerate specific files for encryption.[59][60][61][62][63][64][65][66]
BlackCat can enumerate files for encryption.[67]
BLACKCOFFEE has the capability to enumerate files.[68]
BlackEnergy gathers a list of installed apps from the uninstall program Registry. It also gathers registered mail, browser, and instant messaging clients from the Registry. BlackEnergy has searched for given file types.[69][70]
BlackMould has the ability to find files on the targeted system.[71]
BLINDINGCAN can search, read, write, move, and execute files.[72][73]
BLUELIGHT can enumerate files and collect associated metadata.[74]
BOLDMOVE can list information of all files in the system recursively from the root directory or from a specified directory.[75]
BoomBox can search for specific files and directories on a machine.[76]
BoxCaon has searched for files on the system, such as documents located in the desktop folder.[77]
Brave Prince gathers file and directory information from the victim’s machine.[78]
BRICKSTORM has identified specific files and directories within targeted hosts and systems for modification, execution, collection and exfiltration.[79][80][81][82][83][84]
BRONZE BUTLER has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal.[85]
During C0015, the threat actors conducted a file listing discovery against multiple hosts to ensure locker encryption was successful.[86]
CaddyWiper can enumerate all files and directories on a compromised host.[87]
Cannon can obtain victim drive information as well as a list of folders in C:\Program Files.[88]
Cardinal RAT checks its current working directory upon execution and also contains watchdog functionality that ensures its executable is located in the correct path (else it will rewrite the payload).[89]
Caterpillar WebShell can search for files in directories.[90]
ccf32 can parse collected files to identify specific file extensions.[91]
CharmPower can enumerate drives and list the contents of the C: drive on a victim's computer.[92]
ChChes collects the victim's %TEMP% directory path and version of Internet Explorer.[93]
Cheerscrypt can search for log and VMware-related files with .log, .vmdk, .vmem, .vswp, and .vmsn extensions.[94]
Chimera has utilized multiple commands to identify data of interest in file and directory listings.[95]
CHIMNEYSWEEP has the ability to enumerate directories for files that match a set list.[96]
China Chopper's server component can list directory contents.[97][98]
An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o.[9]
Clambling can browse directories on a compromised host.[99][100]
Clop has searched folders and subfolders for files to encrypt.[101]
cmd can be used to find files and directories with native functionality such as dir commands.[102]
COATHANGER will survey the contents of system files during installation.[103]
Cobalt Strike can explore files on a compromised system.[104]
Confucius has used a file stealer that checks the Document, Downloads, Desktop, and Picture folders for documents and images with specific extensions.[105]
Contagious Interview has conducted key word searches within files and directories on a compromised hosts to identify files for exfiltration.[56][106]
Conti can discover files on a local system.[107]
CookieMiner has looked for files in the user's home directory with "wallet" in their name using find.[108]
CORALDECK searches for specified files.[109]
CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list.[110]
CrackMapExec can discover specified filetypes and log files on a targeted system.[111]
CreepyDrive can specify the local file path to upload files from.[112]
Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list.[113][114][115]
CrossRAT can list all files on a system.[116]
Cryptoistic can scan a directory to identify files for deletion.[117]
Cuba can enumerate files by using a variety of functions.[118]
Cuckoo Stealer can search for files associated with specific applications.[119][120]
Cyclops Blink can use the Linux API statvfs to enumerate the current working directory.[121][122]
Dacls can scan directories on a compromised host.[123]
Dark Caracal collected file listings of all default Windows directories.[116]
Some versions of DarkGate search for the hard-coded folder C:\Program Files\e Carte Bleue.[124]
Darkhotel has used malware that searched for files with specific patterns.[125]
DarkWatchman has the ability to enumerate file and folder names.[126]
DDKONG lists files on the victim’s machine.[127]
DEATHRANSOM can use loop operations to enumerate directories on a compromised host.[128]
Denis has several commands to search directories for files.[129][130]
Derusbi is capable of obtaining directory, file, and drive listings.[131][97]
Diavol has a command to traverse the files and directories in a given path.[132]
If executed with elevated privileges, Diskpart can list all volumes, including virtual disks.[133]
Doki has resolved the path of a process PID to use as a script argument.[134]
down_new has the ability to list the directories on a compromised host.[36]
Dragonfly has used a batch script to gather folder and file names from victim hosts.[135][136][137]
DropBook can collect the names of all files and folders in the Program Files directories.[138][139]
Dtrack can list files on available disk volumes.[140][141]
DUSTTRAP can enumerate files and directories.[142]
DustySky scans the victim for files that contain certain keywords and document types including PDF, DOC, DOCX, XLS, and XLSX, from a list that is obtained from the C2 as a text file. It can also identify logical drives for the infected machine.[143][144]
DynoWiper has used the Microsoft Windows native FindFirstFile() and FindNextFile() to recursively enumerate directories and files on the system.[3]
A variant of Elise executes dir C:\progra~1 when initially run.[145][146]
ELMER is capable of performing directory listings.[147]
Embargo has searched for folders, subfolders and other networked or mounted drives for follow on encryption actions.[148] Embargo has also iterated device volumes using FindFirstVolumeW() and FindNextVolumeW() functions and then calls the GetVolumePathNamesForVolumeNameW() function to retrieve a list of drive letters and mounted folder paths for each specified volume.[148]
Empire includes various modules for finding files of interest on hosts and network shares.[149]
Epic recursively searches for all .doc files on the system and collects a directory listing of the Desktop, %TEMP%, and %WINDOWS%\Temp directories.[150][151]
Exbyte enumerates all document files on an infected machine, then creates a summary of these items including filename and directory location prior to exfiltration to cloud hosting services.[152]
FALLCHILL can search files on a victim.[153]
FatDuke can enumerate directories on target machines.[154]
FIN13 has used the Windows dir command to enumerate files and directories in a victim's network.[155]
FinFisher enumerates directories and scans for certain files.[156][157]
FIVEHANDS has the ability to enumerate files on a compromised host in order to encrypt files with specific extensions.[158][159]
FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system and removable media.[45]
FoggyWeb's loader can check for the FoggyWeb backdoor .pri file on a compromised AD FS server.[160]
Forfiles can be used to locate certain types of files/directories in a system.(ex: locate all files with a specific extension, name, and/or age)[21]
Fox Kitten has used WizTree to obtain network files and directory listings.[161]
FruitFly looks for specific files and file types.[162]
FunnyDream can identify files with .doc, .docx, .ppt, .pptx, .xls, .xlsx, and .pdf extensions and specific timestamps for collection.[91]
FYAnti can search the C:\Windows\Microsoft.NET\ directory for files of a specified size.[163]
Fysbis has the ability to search for files.[164]
Gamaredon Group macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. Gamaredon Group has also used its backdoors to automatically list interesting files (such as Office documents) found on a system.[165][166][167] Gamaredon Group has also identified directory trees, folders and files on the compromised host.[168]
Gelsemium can retrieve data from specific Windows directories, as well as open random files as part of Virtualization/Sandbox Evasion.[169]
GeminiDuke collects information from the victim, including installed drivers, programs previously executed by users, programs and services configured to automatically run at startup, files and folders present in any user's home folder, files and folders present in any user's My Documents, programs installed to the Program Files folder, and recently accessed files, folders, and programs.[170]
Gold Dragon lists the directories for Desktop, program files, and the user’s recently accessed files.[78]
GoldenSpy has included a program "ExeProtector", which monitors for the existence of GoldenSpy on the infected system and redownloads if necessary.[171]
Gomir collects information about directory and file structures, including total number of subdirectories, total number of files, and total size of files on infected systems.[172]
GravityRAT collects the volumes mapped on the system, and also steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.[173]
GrimAgent has the ability to enumerate files and directories on a compromised host.[174]
HAFNIUM has searched file contents on a compromised host.[98]
The Havoc interface can display a file explorer view of the compromised host.[175]
HermeticWiper can enumerate common folders such as My Documents, Desktop, and AppData.[176][177]
Heyoka Backdoor has the ability to search the compromised host for files.[18]
HOPLIGHT has been observed enumerating system drives and partitions.[178]
HotCroissant has the ability to retrieve a list of files in a given directory as well as drives and drive types.[179]
HTTPBrowser is capable of listing files, folders, and drives on a victim.[180][181]
Hydraq creates a backdoor through which remote attackers can check for the existence of files, including its own components, as well as retrieve a list of logical drives.[182][183]
The IceApple Directory Lister module can list information about files and directories including creation time, last write time, name, and size.[184]
Imminent Monitor has a dynamic debugging feature to check whether it is located in the %TEMP% directory, otherwise it copies itself there.[185]
INC Ransomware can receive command line arguments to encrypt specific files and directories.[186][187]
Inception used a file listing plugin to collect information about file and directories both on local and remote drives.[188]
Industroyer’s data wiper component enumerates specific files on all the Windows drives.[189]
InnaputRAT enumerates directories and obtains file attributes on a system.[190]
InvisibleFerret has identified specific directories and files for exfiltration using the ssh_upload command which contains subcommands of .sdira, sdir, sfile, sfinda, sfindr, sfind.[56][191] InvisibleFerret also has the capability to scan and upload files of interest from multiple OS systems through the use of scripts that check file names, file extensions, and avoids certain path names.[192][106] InvisibleFerret has utilized the findstr on Windows or the macOS find commands to search for files of interest.[193]
InvisiMole can list information about files in a directory and recently opened or used documents. InvisiMole can also search for specific files by supplied file mask.[194]
Ixeshe can list file and directory information.[195]
JPIN can enumerate drives and their types. It can also change file permissions using cacls.exe.[196]
jRAT can browse file systems.[197][198]
Kasidet has the ability to search for a given filename on a victim.[199]
Kazuar finds a specified directory, lists the files and metadata about those files.[200]
Ke3chang uses command-line interaction to search files and directories.[201][202]
KeyBoy has a command to launch a file browser or explorer on the system.[203]
KEYMARBLE has a command to search for files on the victim’s machine.[204]
KGH_SPY can enumerate files and directories on a compromised host.[205]
KillDisk has used the FindNextFile command as part of its file deletion process.[206]
Kimsuky has the ability to enumerate all files and directories on an infected system.[207][208][209] Kimsuky has used a custom script with a function called CreateFileList() that can scan all filesystem drives, prioritizing C:\Users, to locate files and file extensions of interest that ultimately generates a file called FileList.txt saved within the victims %TEMP% Directory that contains the findings and the respective pathways.[210]
Kinsing has used the find command to search for specific files.[211]
Kivars has the ability to list drives on the infected host.[212]
Koadic can obtain a list of directories.[213]
A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together.[214]
KV Botnet Activity gathers a list of filenames from the following locations during execution of the final botnet stage: \/usr\/sbin\/, \/usr\/bin\/, \/sbin\/, \/pfrm2.0\/bin\/, \/usr\/local\/bin\/.[215]
Kwampirs collects a list of files and directories in C:\ with the command dir /s /a c:\ >> "C:\windows\TEMP[RANDOM].tmp".[216]
LAMEHUG can target directories on victim machines for file collection.[217][218]
Latrodectus can collect desktop filenames.[219][220][221]
Lazarus Group malware can use a common function to identify target files by their extension, and some also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.[222][223][224][225]
LazyWiper can specifically target multiple files by extension including: .rar, .tar.gz, .zip, .7z, .json, .bcp, .bak, .gho, .erf, .edb, .onepkg, .pst, and .ldiff.[3]
Leafminer used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files.[226]
LightSpy uses the NSFileManager to move, create and delete files. LightSpy can also use the assembly bt instruction to determine a file's executable permissions.[227]
Linfo creates a backdoor through which remote attackers can list contents of drives and search for files.[228]
LITTLELAMB.WOOLTEA can monitor for system upgrade events by checking for the presence of /tmp/data/root/dev.[229]
LockBit 2.0 can exclude files associated with core system functions from encryption.[230]
LockBit 3.0 can exclude files associated with core system functions from encryption.[231]
LODEINFO has the ability to designate specific files and folders to encryption.[232][233]
LoFiSe can monitor the file system to identify files less than 6.4 MB in size with file extensions including .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .rtf, .tif, .odt, .ods, .odp, .eml, and .msg.[234]
Lokibot can search for specific files on an infected host.[235]
LookBack can retrieve file listings from the victim machine.[236]
Lotus Blossom has used commands such as dir to examine the local filesystem of victim machines.[237]
LuminousMoth has used malware that scans for files in the Documents, Desktop, and Download folders and in other drives.[238][239]
LunarMail can search its staging directory for output files it has produced.[240]
LunarWeb has the ability to retrieve directory listings.[240]
Machete produces file listings in order to search for files to be exfiltrated.[241][242][243]
MacMa can search for a specific file on the compromised computer and can enumerate files in Desktop, Downloads, and Documents folders.[244]
Mafalda can search for files and directories.[245]
Magic Hound malware can list a victim's logical drives and the type, as well the total/free space of the fixed devices. Other malware can list a directory's contents.[246]
Mango can enumerate the contents of current working or other specified directories.[247]
Manjusaka can gather information about specific files on the victim system.[248]
MarkiRAT can look for files carrying specific extensions such as: .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt, .gpg, .pkr, .kdbx, .key, and .jpb.[249]
Medusa Group has searched for files within the victim environment for encryption and exfiltration.[250][251][252] Medusa Group has also identified files associated with remote management services.[250][251]
Medusa Ransomware has searched for files within the victim environment for encryption and exfiltration.[250][251][252] Medusa Ransomware has also identified files associated with remote management services.[250][251]
MegaCortex can parse the available drives and directories to determine which files to encrypt.[253]
Megazord can ignore specified directories for encryption.[14]
menuPass has searched compromised systems for folders of interest including those related to HR, audit and expense, and meeting memos.[254]
MESSAGETAP checks for the existence of two configuration files (keyword_parm.txt and parm.txt) and attempts to read the files every 30 seconds.[255]
metaMain can recursively enumerate files in an operator-provided directory.[245][256]
Metamorfo has searched the Program Files directories for specific folders and has searched for strings related to its mutexes.[257][258][259]
Micropsia can perform a recursive directory listing for all volume drives available on the victim's machine and can also fetch specific files by their paths.[260]
MiniDuke can enumerate local drives.[154]
MirrorFace has run commands to check the content of folders on compromised hosts and has specifically targeted files with .doc, .ppt, .xls, .jtd, .eml, .xps, and .pdf extensions.[232][261][262]
Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives.[263]
Mispadu searches for various filesystem paths to determine what banking applications are installed on the victim’s machine.[264]
MobileOrder has a command to upload to its C2 server information about files on the victim mobile device, including SD card size, installed app list, SMS content, contacts, and calling history.[265]
MoonWind has a command to return a directory listing for a specified directory.[266]
MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords "Kasper," "Panda," or "ESET."[267]
MultiLayer Wiper generates a list of all files and paths on the fixed drives of an infected system, enumerating all files on the system except specific folders defined in a hardcoded list.[268]
Mustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files.[269][270]
NDiskMonitor can obtain a list of all files and directories as well as logical drives.[47]
Nebulae can list files and directories on a compromised host.[271]
NETEAGLE allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information.[45]
NETWIRE has the ability to search for files on the compromised host.[272]
During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and browse the victim file system.[273]
NightClub can use a file monitor to identify .lnk, .doc, .docx, .xls, .xslx, and .pdf files.[274]
Ninja has the ability to enumerate directory content.[275][234]
njRAT can browse file systems using a file manager module.[276]
NotPetya searches for files ending with dozens of different file extensions prior to encryption.[277]
ObliqueRAT has the ability to recursively enumerate files on an infected endpoint.[278]
OceanSalt can extract drive information from the endpoint and search files on the system.[279]
Octopus can collect information on the Windows directory and searches for compressed RAR files on the host.[280][281][282]
ODAgent can identify the current working directory.[283]
Okrum has used DriveLetterView to enumerate drive information.[284]
During Operation AkaiRyū, MirrorFace enumerated file system details in compromised environments.[16]
During Operation CuckooBees, the threat actors used dir c:\\ to search for files.[285]
During Operation Dream Job, Lazarus Group conducted word searches within documents on a compromised host in search of security and financial matters.[286]
During Operation Honeybee, the threat actors used a malicious DLL to search for files with specific keywords.[287]
During Operation Wocao, threat actors gathered a recursive directory listing to find files and directories of interest.[288]
Orz can gather victim drive information.[289]
OSX/Shlayer has used the command appDir="$(dirname <span class="katex"><span class="katex-mathml"><math xmlns="http://www.w3.org/1998/Math/MathML"><semantics><mrow><mo stretchy="false">(</mo><mi>d</mi><mi>i</mi><mi>r</mi><mi>n</mi><mi>a</mi><mi>m</mi><mi>e</mi><mi mathvariant="normal">"</mi></mrow><annotation encoding="application/x-tex">(dirname "</annotation></semantics></math></span><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:1em;vertical-align:-0.25em;"></span><span class="mopen">(</span><span class="mord mathnormal">d</span><span class="mord mathnormal">i</span><span class="mord mathnormal" style="margin-right:0.02778em;">r</span><span class="mord mathnormal">nam</span><span class="mord mathnormal">e</span><span class="mord">"</span></span></span></span>currentDir"))" and $(dirname "$(pwd -P)") to construct installation paths.[290][291]
OutSteel can search for specific file extensions, including zipped files.[292]
OwaAuth has a command to list its directory and logical drives.[180]
P.A.S. Webshell has the ability to list files and file characteristics including extension, size, ownership, and permissions.[293]
PACEMAKER can parse /proc/"process_name"/cmdline to look for the string dswsd within the command line.[294]
Pasam creates a backdoor through which remote attackers can retrieve lists of files.[295]
A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions.[296][47]
Pcexter has the ability to search for files in specified directories.[234]
Penquin can use the command code do_vslist to send file names, size, and status to C2.[297]
Peppy can identify specific files for exfiltration.[113]
PinchDuke searches for files created within a certain timeframe and whose file extension matches a predefined list.[170]
PingPull can enumerate storage volumes and folder contents of a compromised host.[298]
Pisloader has commands to list drives on the victim machine and to list file information for a given directory.[299]
Play has used the Grixba information stealer to list security files and processes.[300]
Playcrypt can avoid encrypting files with a .PLAY, .exe, .msi, .dll, .lnk, or .sys file extension.[300]
PLEAD has the ability to list drives and files on the compromised host.[212][301]
PlugX has a module to enumerate drives and find files recursively.[302][303][304][305] PlugX has also checked the path from which it is running for specific parameters prior to execution. [302][306][307]
PoetRAT has the ability to list files upon receiving the ls command from C2.[308]
POORAIM can conduct file browsing.[109]
PoshC2 can enumerate files on the local file system and includes a module for enumerating recently accessed files.[309]
PowerDuke has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space.[310]
POWRUNER may enumerate user directories on a victim.[311]
Prestige can traverse the file system to discover files to encrypt by identifying specific extensions defined in a hardcoded list.[312]
A module in Prikormka collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the file.[313]
Proxysvc lists files in directories.[223]
Psylo has commands to enumerate all storage devices and to find all files that start with a particular string.[265]
Pteranodon identifies files matching certain file extension and copies them to subdirectories it created.[314]
Pupy can walk through directories and recursively search for strings in files.[315]
QakBot can identify whether it has been run previously on a host by checking for a specified folder.[316]
Qilin can exclude specific directories and files from encryption.[317][318]
QuietSieve can search files on the target host by extension, including doc, docx, xls, rtf, odt, txt, jpg, pdf, rar, zip, and 7z.[319]
Raccoon Stealer identifies target files and directories for collection based on a configuration file.[320][321]
RainyDay can use a file exfiltration tool to collect recently changed files with specific extensions.[271]
Ramsay can collect directory and file lists.[322][323]
RansomHub has the ability to only encrypt specific files.[324]
RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications.[325]
Raspberry Robin will check to see if the initial executing script is located on the user's Desktop as an anti-analysis check.[326]
Rclone can list files and directories with the ls, lsd, and lsl commands.[327]
RedCurl has searched for and collected files on local and network drives.[328][329][330]
RedLeaves can enumerate and search for files and directories.[331][93]
Remcos can search for files on the infected machine.[332][333]
Remexi searches for files on the system. [334]
RemoteUtilities can enumerate files and directories on a target machine.[335]
Remsec is capable of listing contents of folders on the victim. Remsec also searches for custom network encryption software on victims.[336][337][338]
REvil has the ability to identify specific files and directories that are not to be encrypted.[339][340][341][342][343][344]
Rising Sun can enumerate information about files from the infected system, including file size, attributes, creation time, last access time, and write time. Rising Sun can enumerate the compilation timestamp of Windows executable files.[345]
ROADSWEEP can enumerate files on infected devices and avoid encrypting files with .exe, .dll, .sys, .lnk, or . lck extensions.[96][346][347]
ROKRAT has the ability to gather a list of files and directories on the infected system.[348][349][350]
Rover automatically searches for files on local drives based on a predefined list of file extensions.[351]
Royal can identify specific files and directories to exclude from the encryption process.[352][353][354]
RTM can check for specific files and directories associated with virtualization and malware analysis.[355]
Ryuk has enumerated files and folders on all mounted drives.[356]
Saint Bot can search a compromised host for specific files.[292]
During Salesforce Data Exfiltration, threat actors queried customers' Salesforce environments to identify sensitive information for exfiltration.[357]
SameCoin can list all system files and can avoid wiping specific directories such as Program Files, Windows, and Users.[358]
Samurai can use a specific module for file enumeration.[275]
Sandworm Team has enumerated files on a compromised host.[277][359]
Scattered Spider Spider enumerates a target organization for files and directories of interest, including source code, user provisioning, MFA device registration, network diagrams, and shared credentials in documents or spreadsheets.[360][361][362][363][364]
SDBbot has the ability to get directory listings or drive information on a compromised host.[365]
Seasalt has the capability to identify the drive type on a victim.[279]
SharePoint ToolShell Exploitation
During SharePoint ToolShell Exploitation, threat actors leveraged commands to locate accessible file shares, backup paths, or SharePoint content.[366]
SharpDisco can identify recently opened files by using an LNK format parser to extract the original file path from LNK files found in either %USERPROFILE%\Recent (Windows XP) or %APPDATA%\Microsoft\Windows\Recent (newer Windows versions) .[274]
ShimRat can list directories.[367]
SHOTPUT has a command to obtain a directory listing.[368]
SideTwist has the ability to search for specific files.[369]
Sidewinder has used malware to collect information on files and directories.[370]
SILENTTRINITY has several modules, such as ls.py, pwd.py, and recentFiles.py, to enumerate directories and files.[371]
Siloscape searches for the Kubernetes config file and other related files using a regular expression.[372]
Skidmap has checked for the existence of specific files including /usr/sbin/setenforce and /etc/selinux/config. It also has the ability to monitor the cryptocurrency miner file and process. [373]
Sliver can enumerate files on a target system.[374]
SLOTHFULMEDIA can enumerate files and directories.[375]
Smoke Loader recursively searches through directories for files.[376]
During the SolarWinds Compromise, APT29 obtained information about the configured Exchange virtual directory using Get-WebServicesVirtualDirectory.[377]
SombRAT can execute enum to enumerate files in storage on a compromised system.[378]
SoreFang has the ability to list directories.[379]
SOUNDBITE is capable of enumerating and manipulating files and directories.[380]
Sowbug identified and extracted all Word documents on a server by using a command containing * .doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim.[381]
SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time.[45]
Spica can list filesystem contents on targeted systems.[382]
SplatCloak has used Windows API to identify files associated with Windows Defender and Kaspersky.[383]
StealBit can be configured to exfiltrate specific file types.[230][384]
StreamEx has the ability to enumerate drive types.[385]
StrifeWater can enumerate files on a compromised host.[386]
StrongPity can parse the hard drive on a compromised host to identify specific file extensions.[387]
Stuxnet uses a driver to scan for specific filesystem driver objects.[388]
SUGARDUMP can search for and collect data from specific Chrome, Opera, Microsoft Edge, and Firefox files, including any folders that have the string Profile in its name.[389]
SUNBURST had commands to enumerate files and directories.[390][391]
SUNSPOT enumerated the Orion software Visual Studio solution directory path.[392]
SynAck checks its directory location in an attempt to avoid launching in a sandbox.[393][394]
SysUpdate can search files on a compromised host.[395][396]
Taidoor can search for specific files.[397]
TAINTEDSCRIBE can use DirectoryList to enumerate files in a specified directory.[398]
TajMahal has the ability to index files from drives, user profiles, and removable drives.[399]
TeamTNT has used a script that checks /proc/*/environ for environment variables related to AWS.[400]
ThreatNeedle can obtain file and directory information.[401]
TINYTYPHON searches through the drive containing the OS, then all drive letters C through to Z, for documents matching certain extensions.[34]
ToddyCat has run scripts to enumerate recently modified documents having either a .pdf, .doc, .docx, .xls or .xlsx extension.[234]
TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.[402][403]
Trojan.Karagany can enumerate files and directories on a compromised host.[404]
Troll Stealer can enumerate and collect items from local drives and folders.[405]
Tropic Trooper has monitored files' modified time.[406]
TruffleHog has can browse and scan individual files and directories.[407][408][409]
TSCookie has the ability to discover drive information on the infected host.[410]
Turian can search for specific files and list directories.[411]
Turla surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, the Program Files directory, and Recent.[150][412] Turla RPC backdoors have also searched for files matching the lPH*.dll pattern.[413]
TYPEFRAME can search directories for files on the victim’s machine.[414]
UNC3886 has used vmtoolsd.exe to enumerate files on guest machines.[415][416]
UPPERCUT has the capability to gather the victim's current directory.[417]
Uroburos can search for specific files on a compromised system.[418]
USBferry can detect the victim's file or folder list.[406]
USBStealer searches victim drives for files matching certain extensions (".skr",".pkr" or ".key") or names.[419][420]
Velvet Ant has enumerated local files and folders on victim devices.[421]
Volgmer can list directories on a victim.[422]
Volt Typhoon has enumerated directories containing vulnerability testing and cyber related content and facilities data such as construction drawings.[423]
WannaCry searches for variety of user files by file extension before encrypting them using RSA and AES, including Office, PDF, image, audio, video, source code, archive/compression format, and key and certificate files.[424][425]
WarzoneRAT can enumerate directories on a compromise host.[426]
WastedLocker can enumerate files and directories just prior to encryption.[427]
WhisperGate can locate files based on hardcoded file extensions.[428][429][430][431]
Windigo has used a script to check for the presence of files created by OpenSSH backdoors.[432]
WindTail has the ability to enumerate the users home directory and the path to its own application bundle.[433][434]
WINERACK can enumerate files and directories.[109]
WinMM sets a WH_CBT Windows hook to search for and capture files on the victim.[435]
Winnti for Windows can check for the presence of specific files prior to moving to the next phase of execution.[436]
Winnti Group has used a program named ff.exe to search for specific documents on compromised hosts.[437]
Winter Vivern delivered malicious JavaScript payloads capable of listing folders and emails in exploited email servers.[438]
Woody RAT can list all files and their associated attributes, including filename, type, owner, creation time, last access time, last write time, size, and permissions.[439]
XAgentOSX contains the readFiles function to return a detailed listing (sometimes recursive) of a specified directory.[440] XAgentOSX contains the showBackupIosFolder function to check for IOS device backups by running ls -la ~/Library/Application\ Support/MobileSync/Backup/.[440]
XCSSET has used mdfind to enumerate a list of apps known to grant screen sharing permissions and leverages a module to run the command ls -la ~/Desktop.[441][442]
yty gathers information on victim’s drives and has a plugin for document listing.[443]
Zebrocy searches for files that are 60mb and less and contain the following extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .exe, .zip, and .rar. Zebrocy also runs the echo %APPDATA% command to list the contents of the directory.[444][445][446] Zebrocy can obtain the current execution path as well as perform drive enumeration.[447][448]
Zeus Panda searches for specific directories on the victim’s machine.[449]
ZIPLINE can find and append specific files on Ivanti Connect Secure VPNs based upon received commands.[450]
ZLib has the ability to enumerate files and drives.[263]
Zox can enumerate files on a compromised host.[451]
zwShell can browse the file system.[273]
ZxShell has a command to open a file manager and explorer on the system.[452]