Cyber Adversaries Exploit File Enumeration and Data Collection Techniques

Severity: Medium (Score: 51.9)

Sources: attack.mitre.org

Summary

Recent reports detail the tactics cyber adversaries use to enumerate files and directories on compromised systems. Adversaries use command shell utilities and custom tools to gather sensitive information that supports follow-on attacks. Malware and threat groups such as Action RAT, Amadey, and APT28 have been identified as capable of collecting local data from infected machines. Specific commands such as 'dir' and 'Forfiles' are frequently used to identify files of interest, including documents and configuration files. The scope of impact covers organizations with compromised systems, where such discovery can lead to data exfiltration and further exploitation. Adversaries such as APT38 and APT41 have been particularly active in gathering sensitive data. The current status indicates ongoing threats, with multiple actors leveraging similar techniques to achieve their objectives.

Key Points

  • Adversaries use file enumeration techniques to gather sensitive data from compromised systems.
  • Action RAT and APT28 are actively involved in local data collection.
  • Commands such as 'dir' and 'Forfiles' are commonly used for file discovery and exfiltration.
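The discovery commands named above leave a recognizable trace in process-creation telemetry. The following detection logic is an added example, not code from the page or from MITRE; it runs two T1083-style rules over constructed process-creation records (field names modelled loosely on a parsed Sysmon Event ID 1 record, an assumption), flagging recursive 'dir' listings and 'forfiles' invocations that target document or configuration-file wildcards.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not taken from the page). Each entry
# carries the fields a parsed Sysmon Event ID 1 / Windows 4688 record would expose.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c dir /s /b C:\\Users\\*.docx > C:\\Users\\Public\\files.txt'},
    {"host": "WS01", "parent": "powershell.exe", "image": "forfiles.exe",
     "cmdline": 'forfiles /p C:\\Users /s /m *.pdf /c "cmd /c echo @path"'},
    {"host": "WS02", "parent": "cmd.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c dir"},                      # benign: non-recursive, no mask
    {"host": "WS02", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},              # benign: unrelated process
]

# Wildcards for the "files of interest" the summary describes: documents and config files.
INTERESTING_EXT = r"\*\.(docx?|xlsx?|pptx?|pdf|txt|ini|conf|cfg|xml|kdbx)"

# Rule 1: 'dir' with the recursive /s switch and a document/config wildcard anywhere after it.
DIR_RECURSIVE = re.compile(
    r"\bdir\b(?=.*\s/s\b)(?=.*" + INTERESTING_EXT + r")", re.IGNORECASE)
# Rule 2: forfiles with recursion (/s) and a /m mask selecting a document/config extension.
FORFILES_MASK = re.compile(
    r"\bforfiles(?:\.exe)?\b(?=.*\s/s\b)(?=.*/m\s+" + INTERESTING_EXT + r")", re.IGNORECASE)


def detect_file_discovery(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per event whose command line matches a T1083 discovery rule."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        if FORFILES_MASK.search(cmd):
            rule = "forfiles-recursive-mask"
        elif DIR_RECURSIVE.search(cmd):
            rule = "dir-recursive-doc-wildcard"
        else:
            continue
        findings.append({"host": ev["host"], "parent": ev["parent"], "technique": "T1083",
                         "rule": rule, "cmdline": cmd})
    return findings


if __name__ == "__main__":
    for hit in detect_file_discovery(SAMPLE_EVENTS):
        print(hit["host"], hit["technique"], hit["rule"], "<-", hit["cmdline"])
```

A plain `dir` with no recursion and no mask is deliberately left alone so that routine administrator activity does not flood the queue; a redirect to a staging file (as in the first sample) is a natural next field to enrich on.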

Key Entities

  • APT1 (apt_group)
  • APT18 (apt_group)
  • APT28 (apt_group)
  • APT29 (apt_group)
  • APT3 (apt_group)
  • Badflick (malware)
  • Badnews (malware)
  • BadPatch (malware)
  • Bandook (malware)
  • Bankshot (malware)
  • Octopus (campaign)
  • C0015 (campaign)
  • Contagious Interview (campaign)
  • Data Breach (attack_type)
  • Malware (attack_type)
  • Ransomware (attack_type)
  • microsoft.net (domain)
  • Black Basta (ransomware_group)
  • Clop (ransomware_group)
  • Akira (ransomware_group)
  • Avaddon (ransomware_group)
  • AvosLocker (ransomware_group)
  • Cuba (country)
  • Epic (platform)
  • Ivanti Connect Secure VPNs (platform)
  • Linux (platform)
  • Windows (platform)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1059.003 - Windows Command Shell (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1083 - File And Directory Discovery (mitre_attack)
  • CrackMapExec (tool)
  • Forfiles (tool)
  • Wevtutil (tool)