Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

===Windows===
Example utilities used to obtain this information are dir and tree. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Windows API.

===Mac and Linux===
In Mac and Linux, this kind of discovery is accomplished with the ls, find, and locate commands.

Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Platforms: Linux, macOS, Windows
Data Sources: File monitoring, Process command-line parameters, Process monitoring
Permissions Required: User, Administrator, SYSTEM
System Requirements: Some folders may require Administrator, SYSTEM or specific user depending on permission levels and access controls
Find or discover files on the file system
Supported Platforms: Windows
dir /s c:\ >> %temp%\download
dir /s "c:\Documents and Settings" >> %temp%\download
dir /s "c:\Program Files\" >> %temp%\download
dir /s d:\ >> %temp%\download
dir "%systemdrive%\Users\*.*"
dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*"
dir "%userprofile%\Desktop\*.*"
tree /F >> %temp%\download
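As an added illustration of the Detection guidance above (not part of the original page, and not code from any project), the following Python scores constructed process-creation events for the dir, tree, ls, find and locate commands the page names, and flags a host/user pair whose discovery activity inside a short window crosses a threshold, treating the commands as a chain rather than in isolation. The sample events, host and user names, weights, window and threshold are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample of process-creation events (hypothetical, not real telemetry):
# (timestamp, host, user, command line). The first three mirror the test commands above.
EVENTS = [
    ("2024-01-01T10:00:01", "WS01", "alice", r"cmd.exe /c dir /s c:\ >> %temp%\download"),
    ("2024-01-01T10:00:05", "WS01", "alice", r'cmd.exe /c dir "%userprofile%\Desktop\*.*"'),
    ("2024-01-01T10:00:09", "WS01", "alice", r"cmd.exe /c tree /F >> %temp%\download"),
    ("2024-01-01T10:30:00", "WS02", "bob", "cmd.exe /c dir"),
    ("2024-01-01T11:00:00", "SRV01", "svc", "find / -name '*.kdbx' > /tmp/.list 2>/dev/null"),
    ("2024-01-01T11:00:02", "SRV01", "svc", "locate id_rsa"),
]
# Discovery commands named on the page, most specific first. Recursive switches
# weigh more because they suggest wholesale enumeration rather than a quick look.
COMMANDS = [
    (re.compile(r"\bdir\b.*\s/s\b", re.I), "dir /s (recursive listing)", 2),
    (re.compile(r"\bdir\b", re.I), "dir", 1),
    (re.compile(r"\btree\b", re.I), "tree", 2),
    (re.compile(r"\bls\b\s+-[A-Za-z]*R\b"), "ls -R (recursive listing)", 2),
    (re.compile(r"\bfind\s+/"), "find from filesystem root", 2),
    (re.compile(r"\blocate\b"), "locate", 1),
]
# Output written to a file (not /dev/null) hints at staging for later collection.
REDIRECT = re.compile(r">>?\s*(?!/dev/null)\S+")

def score_command(cmdline):
    """Return (score, indicators) for one command line; (0, []) if not discovery."""
    for pattern, label, weight in COMMANDS:
        if pattern.search(cmdline):
            score, labels = weight, [label]
            if REDIRECT.search(cmdline):
                score, labels = score + 1, labels + ["output redirected to file"]
            return score, labels
    return 0, []

def find_discovery_bursts(events, threshold=4, window_s=300):
    """Sum discovery scores per (host, user) inside a time window and flag chains."""
    bursts = {}
    for ts, host, user, cmd in sorted(events):
        score, labels = score_command(cmd)
        if not score:
            continue
        t = datetime.fromisoformat(ts)
        b = bursts.setdefault((host, user), {"start": t, "score": 0, "indicators": []})
        if (t - b["start"]).total_seconds() > window_s:  # window expired: new burst
            b.update(start=t, score=0, indicators=[])
        b["score"] += score
        b["indicators"] += labels
    return {k: v for k, v in bursts.items() if v["score"] >= threshold}
```

A single plain dir (WS02/bob) stays below the threshold, while the recursive, redirected listings on WS01 and the root-level find plus locate on SRV01 are reported together with the indicators that fired.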