S0066 3PARA RAT
3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory.[3]
S0065 4H RAT
4H RAT has the capability to obtain file and directory listings.[3]
G0018 admin@338
admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories:[4]
dir c:\ >> %temp%\download
dir "c:\Documents and Settings" >> %temp%\download
dir "c:\Program Files\" >> %temp%\download
dir d:\ >> %temp%\download
S0045 ADVSTORESHELL
ADVSTORESHELL can list files and directories.[5][6]
S0622 AppleSeed
AppleSeed has the ability to search for .txt, .ppt, .hwp, .pdf, and .doc files in specified directories.[7]
G0026 APT18
APT18 can list file information for specific directories.[8]
G0007 APT28
APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms.[9][10]
G0016 APT29
APT29 obtained information about the configured Exchange virtual directory using Get-WebServicesVirtualDirectory.[11]
G0022 APT3
APT3 has a tool that looks for files and directories on the local file system.[12][13]
G0050 APT32
APT32's backdoor possesses the capability to list files and directories on a machine.[14]
G0082 APT38
APT38 has enumerated files and directories, or searched in specific locations within a compromised host.[15]
G0087 APT39
APT39 has used tools with the ability to search for files on a compromised host.[16]
G0096 APT41
APT41 has executed file /bin/pwd on exploited victims, perhaps to return architecture related information.[17]
S0456 Aria-body
Aria-body has the ability to gather metadata from a file and to search for file and directory names.[18]
S0438 Attor
Attor has a plugin that enumerates files with specific extensions on all hard disk drives and stores file information in encrypted log files.[19]
S0347 AuditCred
AuditCred can search through folders and files on the system.[20]
S0129 AutoIt backdoor
AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc, .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg.[21]
S0640 Avaddon
Avaddon has searched for specific files prior to encryption.[22]
S0473 Avenger
Avenger has the ability to browse files in directories such as Program Files and the Desktop.[23]
S0344 Azorult
Azorult can recursively search for files in folders and collects files from the desktop with certain extensions.[24]
S0638 Babuk
Babuk has the ability to enumerate files on a targeted system.[25][26]
S0414 BabyShark
BabyShark has used dir to search for "programfiles" and "appdata".[27]
S0475 BackConfig
BackConfig has the ability to identify folders and files related to previous infections.[28]
S0093 Backdoor.Oldrea
Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files.[29]
S0031 BACKSPACE
BACKSPACE allows adversaries to search for files.[30]
S0642 BADFLICK
BADFLICK has searched for files on the infected host.[31]
S0128 BADNEWS
BADNEWS identifies files with certain extensions from USB devices, then copies them to a predefined directory.[32]
S0337 BadPatch
BadPatch searches for files with specific file extensions.[33]
S0234 Bandook
Bandook has a command to list files on a system.[34]
S0239 Bankshot
Bankshot searches for files on the victim's machine.[35]
S0534 Bazar
Bazar can enumerate the victim's desktop.[36][37]
S0127 BBSRAT
BBSRAT can list file and directory information.[38]
S0268 Bisonal
Bisonal can retrieve a file listing from the system.[39][40]
S0069 BLACKCOFFEE
BLACKCOFFEE has the capability to enumerate files.[41]
S0089 BlackEnergy
BlackEnergy gathers a list of installed apps from the uninstall program Registry. It also gathers registered mail, browser, and instant messaging clients from the Registry. BlackEnergy has searched for given file types.[42][43]
S0564 BlackMould
BlackMould has the ability to find files on the targeted system.[44]
S0520 BLINDINGCAN
BLINDINGCAN can search, read, write, move, and execute files.[45][46]
S0657 BLUELIGHT
BLUELIGHT can enumerate files and collect associated metadata.[47]
S0635 BoomBox
BoomBox can search for specific files and directories on a machine.[48]
S0651 BoxCaon
BoxCaon has searched for files on the system, such as documents located in the desktop folder.[49]
S0252 Brave Prince
Brave Prince gathers file and directory information from the victim’s machine.[50]
G0060 BRONZE BUTLER
BRONZE BUTLER has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal.[51]
S0693 CaddyWiper
CaddyWiper can enumerate all files and directories on a compromised host.[52]
S0351 Cannon
Cannon can obtain victim drive information as well as a list of folders in C:\Program Files.[53]
S0348 Cardinal RAT
Cardinal RAT checks its current working directory upon execution and also contains watchdog functionality that ensures its executable is located in the correct path (else it will rewrite the payload).[54]
S0572 Caterpillar WebShell
Caterpillar WebShell can search for files in directories.[55]
S0674 CharmPower
CharmPower can enumerate drives and list the contents of the C: drive on a victim's computer.[56]
S0144 ChChes
ChChes collects the victim's %TEMP% directory path and version of Internet Explorer.[57]
G0114 Chimera
Chimera has utilized multiple commands to identify data of interest in file and directory listings.[58]
S0020 China Chopper
China Chopper's server component can list directory contents.[59]
S0023 CHOPSTICK
An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o.[5]
S0660 Clambling
Clambling can browse directories on a compromised host.[60][61]
S0611 Clop
Clop has searched folders and subfolders for files to encrypt.[62]
S0106 cmd
cmd can be used to find files and directories with native functionality such as dir commands.[63]
S0154 Cobalt Strike
Cobalt Strike can explore files on a compromised system.[64]
G0142 Confucius
Confucius has used a file stealer that checks the Document, Downloads, Desktop, and Picture folders for documents and images with specific extensions.[65]
S0575 Conti
Conti can discover files on a local system.[66]
S0492 CookieMiner
CookieMiner has looked for files in the user's home directory with "wallet" in their name using find.[67]
S0212 CORALDECK
CORALDECK searches for specified files.[68]
S0050 CosmicDuke
CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list.[69]
S0488 CrackMapExec
CrackMapExec can discover specified filetypes and log files on a targeted system.[70]
S0115 Crimson
Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list.[71][72]
S0235 CrossRAT
CrossRAT can list all files on a system.
S0498 Cryptoistic
Cryptoistic can scan a directory to identify files for deletion.[73]
S0625 Cuba
Cuba can enumerate files by using a variety of functions.[74]
Cyclops Blink can use the Linux API statvfs to enumerate the current working directory.[75][76]
S0497 Dacls
Dacls can scan directories on a compromised host.[77]
G0070 Dark Caracal
Dark Caracal collected file listings of all default Windows directories.[78]
G0012 Darkhotel
Darkhotel has used malware that searched for files with specific patterns.[79]
S0673 DarkWatchman
DarkWatchman has the ability to enumerate file and folder names.[80]
S0255 DDKONG
DDKONG lists files on the victim’s machine.[81]
S0616 DEATHRANSOM
DEATHRANSOM can use loop operations to enumerate directories on a compromised host.[82]
S0354 Denis
Denis has several commands to search directories for files.[83][84]
S0021 Derusbi
Derusbi is capable of obtaining directory, file, and drive listings.[85][59]
S0659 Diavol
Diavol has a command to traverse the files and directories in a given path.[86]
S0600 Doki
Doki has resolved the path of a process PID to use as a script argument.[87]
S0472 down_new
down_new has the ability to list the directories on a compromised host.[23]
G0035 Dragonfly
Dragonfly has used a batch script to gather folder and file names from victim hosts.[88][89][90]
S0547 DropBook
DropBook can collect the names of all files and folders in the Program Files directories.[91][92]
S0567 Dtrack
Dtrack can list files on available disk volumes.[93][94]
G0031 Dust Storm
Dust Storm has used Android backdoors capable of enumerating specific files on the infected devices.[95]
S0062 DustySky
DustySky scans the victim for files that contain certain keywords and document types including PDF, DOC, DOCX, XLS, and XLSX, from a list that is obtained from the C2 as a text file. It can also identify logical drives for the infected machine.[96][97]
S0377 Ebury
Ebury can list directory entries.[98]
S0081 Elise
A variant of Elise executes dir C:\progra~1 when initially run.[99][100]
S0064 ELMER
ELMER is capable of performing directory listings.[101]
S0363 Empire
Empire includes various modules for finding files of interest on hosts and network shares.[102]
S0091 Epic
Epic recursively searches for all .doc files on the system and collects a directory listing of the Desktop, %TEMP%, and %WINDOWS%\Temp directories.[103][104]
S0181 FALLCHILL
FALLCHILL can search files on a victim.[105]
S0512 FatDuke
FatDuke can enumerate directories on target machines.[106]
S0182 FinFisher
FinFisher enumerates directories and scans for certain files.[107][108]
S0618 FIVEHANDS
FIVEHANDS has the ability to enumerate files on a compromised host in order to encrypt files with specific extensions.[109][110]
S0036 FLASHFLOOD
FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system and removable media.[30]
S0661 FoggyWeb
FoggyWeb's loader can check for the FoggyWeb backdoor .pri file on a compromised AD FS server.[111]
S0193 Forfiles
Forfiles can be used to locate certain types of files/directories in a system (ex: locate all files with a specific extension, name, and/or age).[9]
G0117 Fox Kitten
Fox Kitten has used WizTree to obtain network files and directory listings.[112]
S0277 FruitFly
FruitFly looks for specific files and file types.[113]
S0628 FYAnti
FYAnti can search the C:\Windows\Microsoft.NET\ directory for files of a specified size.[114]
S0410 Fysbis
Fysbis has the ability to search for files.[115]
G0047 Gamaredon Group
Gamaredon Group macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. Gamaredon Group has also used its backdoors to automatically list interesting files (such as Office documents) found on a system.[116][117]
S0666 Gelsemium
Gelsemium can retrieve data from specific Windows directories, as well as open random files as part of Virtualization/Sandbox Evasion.[118]
S0049 GeminiDuke
GeminiDuke collects information from the victim, including installed drivers, programs previously executed by users, programs and services configured to automatically run at startup, files and folders present in any user's home folder, files and folders present in any user's My Documents, programs installed to the Program Files folder, and recently accessed files, folders, and programs.[119]
S0249 Gold Dragon
Gold Dragon lists the directories for Desktop, program files, and the user’s recently accessed files.[50]
S0493 GoldenSpy
GoldenSpy has included a program "ExeProtector", which monitors for the existence of GoldenSpy on the infected system and redownloads if necessary.[120]
S0237 GravityRAT
GravityRAT collects the volumes mapped on the system, and also steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.[121]
S0632 GrimAgent
GrimAgent has the ability to enumerate files and directories on a compromised host.[122]
S0697 HermeticWiper
HermeticWiper can enumerate common folders such as My Documents, Desktop, and AppData.[123][124]
G0072 Honeybee
Honeybee's service-based DLL implant traverses the FTP server’s directories looking for files with keyword matches for computer names or certain keywords.[125]
S0376 HOPLIGHT
HOPLIGHT has been observed enumerating system drives and partitions.[126]
S0431 HotCroissant
HotCroissant has the ability to retrieve a list of files in a given directory as well as drives and drive types.[127]
S0070 HTTPBrowser
HTTPBrowser is capable of listing files, folders, and drives on a victim.[128][129]
S0203 Hydraq
Hydraq creates a backdoor through which remote attackers can check for the existence of files, including its own components, as well as retrieve a list of logical drives.[130][131]
S0434 Imminent Monitor
Imminent Monitor has a dynamic debugging feature to check whether it is located in the %TEMP% directory, otherwise it copies itself there.[132]
G0100 Inception
Inception used a file listing plugin to collect information about files and directories both on local and remote drives.[133]
S0604 Industroyer
Industroyer’s data wiper component enumerates specific files on all the Windows drives.[134]
S0259 InnaputRAT
InnaputRAT enumerates directories and obtains file attributes on a system.[135]
S0260 InvisiMole
InvisiMole can list information about files in a directory and recently opened or used documents. InvisiMole can also search for specific files by supplied file mask.[136]
S0015 Ixeshe
Ixeshe can list file and directory information.[137]
S0201 JPIN
JPIN can enumerate drives and their types. It can also change file permissions using cacls.exe.[138]
S0283 jRAT
jRAT can browse file systems.[139][140]
S0088 Kasidet
Kasidet has the ability to search for a given filename on a victim.[141]
S0265 Kazuar
Kazuar finds a specified directory, lists the files and metadata about those files.[142]
G0004 Ke3chang
Ke3chang uses command-line interaction to search files and directories.[143][144]
S0387 KeyBoy
KeyBoy has a command to launch a file browser or explorer on the system.[145]
S0271 KEYMARBLE
KEYMARBLE has a command to search for files on the victim’s machine.[146]
S0526 KGH_SPY
KGH_SPY can enumerate files and directories on a compromised host.[147]
S0607 KillDisk
KillDisk has used the FindNextFile command as part of its file deletion process.[148]
G0094 Kimsuky
Kimsuky has the ability to enumerate all files and directories on an infected system.[149][150][151]
S0599 Kinsing
Kinsing has used the find command to search for specific files.[152]
S0437 Kivars
Kivars has the ability to list drives on the infected host.[153]
S0250 Koadic
Koadic can obtain a list of directories.[154]
A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together.[155]
S0236 Kwampirs
Kwampirs collects a list of files and directories in C:\ with the command dir /s /a c:\ >> "C:\windows\TEMP[RANDOM].tmp".[156]
G0032 Lazarus Group
Lazarus Group has conducted word searches on compromised machines to identify specific documents of interest. Lazarus Group malware can use a common function to identify target files by their extension, and some also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.[157][158][159][160][161]
G0077 Leafminer
Leafminer used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files.[162]
S0211 Linfo
Linfo creates a backdoor through which remote attackers can list contents of drives and search for files.[163]
S0447 Lokibot
Lokibot can search for specific files on an infected host.[164]
S0582 LookBack
LookBack can retrieve file listings from the victim machine.[165]
S0409 Machete
Machete produces file listings in order to search for files to be exfiltrated.[166][167][168]
G0059 Magic Hound
Magic Hound malware can list a victim's logical drives and the type, as well as the total/free space of the fixed devices. Other malware can list a directory's contents.[169]
S0652 MarkiRAT
MarkiRAT can look for files carrying specific extensions such as: .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt, .gpg, .pkr, .kdbx, .key, and .jpb.[170]
S0576 MegaCortex
MegaCortex can parse the available drives and directories to determine which files to encrypt.[171]
G0045 menuPass
menuPass has searched compromised systems for folders of interest including those related to HR, audit and expense, and meeting memos.[172]
S0443 MESSAGETAP
MESSAGETAP checks for the existence of two configuration files (keyword_parm.txt and parm.txt) and attempts to read the files every 30 seconds.[173]
S0455 Metamorfo
Metamorfo has searched the Program Files directories for specific folders and has searched for strings related to its mutexes.[174][175][176]
S0339 Micropsia
Micropsia can perform a recursive directory listing for all volume drives available on the victim's machine and can also fetch specific files by their paths.[177]
S0051 MiniDuke
MiniDuke can enumerate local drives.[106]
S0083 Misdat
Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives.[95]
S0079 MobileOrder
MobileOrder has a command to upload to its C2 server information about files on the victim mobile device, including SD card size, installed app list, SMS content, contacts, and calling history.[178]
S0149 MoonWind
MoonWind has a command to return a directory listing for a specified directory.[179]
G0069 MuddyWater
MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords "Kasper," "Panda," or "ESET."[180]
G0129 Mustang Panda
Mustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files.[181]
S0272 NDiskMonitor
NDiskMonitor can obtain a list of all files and directories as well as logical drives.[32]
S0630 Nebulae
Nebulae can list files and directories on a compromised host.[182]
S0034 NETEAGLE
NETEAGLE allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information.[30]
S0198 NETWIRE
NETWIRE has the ability to search for files on the compromised host.[183]
S0385 njRAT
njRAT can browse file systems using a file manager module.[184]
S0368 NotPetya
NotPetya searches for files ending with dozens of different file extensions prior to encryption.[185]
S0644 ObliqueRAT
ObliqueRAT has the ability to recursively enumerate files on an infected endpoint.[186]
S0346 OceanSalt
OceanSalt can extract drive information from the endpoint and search files on the system.[187]
S0340 Octopus
Octopus can collect information on the Windows directory and searches for compressed RAR files on the host.[188][189][190]
S0439 Okrum
Okrum has used DriveLetterView to enumerate drive information.[191]
G0116 Operation Wocao
Operation Wocao has gathered a recursive directory listing to find files and directories of interest.[192]
S0229 Orz
Orz can gather victim drive information.[193]
S0402 OSX/Shlayer
OSX/Shlayer uses the command appDir="$(dirname $(dirname "$currentDir"))" and $(dirname "$(pwd -P)") to construct installation paths.[194][195]
S0072 OwaAuth
OwaAuth has a command to list its directory and logical drives.[128]
S0598 P.A.S. Webshell
P.A.S. Webshell has the ability to list files and file characteristics including extension, size, ownership, and permissions.[196]
S0208 Pasam
Pasam creates a backdoor through which remote attackers can retrieve lists of files.[197]
G0040 Patchwork
A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions.[198][32]
S0587 Penquin
Penquin can use the command code do_vslist to send file names, size, and status to C2.[199]
S0643 Peppy
Peppy can identify specific files for exfiltration.[71]
S0048 PinchDuke
PinchDuke searches for files created within a certain timeframe and whose file extension matches a predefined list.[119]
S0124 Pisloader
Pisloader has commands to list drives on the victim machine and to list file information for a given directory.[200]
S0435 PLEAD
PLEAD has the ability to list drives and files on the compromised host.[153][201]
S0013 PlugX
PlugX has a module to enumerate drives and find files recursively.[202][203]
S0428 PoetRAT
PoetRAT has the ability to list files upon receiving the ls command from C2.[204]
S0216 POORAIM
POORAIM can conduct file browsing.[68]
S0378 PoshC2
PoshC2 can enumerate files on the local file system and includes a module for enumerating recently accessed files.[205]
S0139 PowerDuke
PowerDuke has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space.[206]
S0184 POWRUNER
POWRUNER may enumerate user directories on a victim.[207]
S0113 Prikormka
A module in Prikormka collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the file.[208]
S0238 Proxysvc
Proxysvc lists files in directories.[158]
S0078 Psylo
Psylo has commands to enumerate all storage devices and to find all files that start with a particular string.[178]
S0147 Pteranodon
Pteranodon identifies files matching certain file extension and copies them to subdirectories it created.[209]
S0192 Pupy
Pupy can walk through directories and recursively search for strings in files.[210]
S0650 QakBot
QakBot can identify whether it has been run previously on a host by checking for a specified folder.[211]
S0686 QuietSieve
QuietSieve can search files on the target host by extension, including doc, docx, xls, rtf, odt, txt, jpg, pdf, rar, zip, and 7z.[212]
S0629 RainyDay
RainyDay can use a file exfiltration tool to collect recently changed files with specific extensions.[182]
S0458 Ramsay
Ramsay can collect directory and file lists.[213][214]
S0055 RARSTONE
RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications.[215]
S0153 RedLeaves
RedLeaves can enumerate and search for files and directories.[216][57]
S0332 Remcos
Remcos can search for files on the infected machine.[217]
S0375 Remexi
Remexi searches for files on the system.[218]
S0592 RemoteUtilities
RemoteUtilities can enumerate files and directories on a target machine.[219]
S0125 Remsec
Remsec is capable of listing contents of folders on the victim. Remsec also searches for custom network encryption software on victims.[220][221][222]
S0496 REvil
REvil has the ability to identify specific files and directories that are not to be encrypted.[223][224][225][226][227][228]
Rising Sun can enumerate information about files from the infected system, including file size, attributes, creation time, last access time, and write time. Rising Sun can enumerate the compilation timestamp of Windows executable files.[229]
S0240 ROKRAT
ROKRAT has the ability to gather a list of files and directories on the infected system.[230][231][232]
S0090 Rover
Rover automatically searches for files on local drives based on a predefined list of file extensions.[233]
S0148 RTM
RTM can check for specific files and directories associated with virtualization and malware analysis.[234]
S0446 Ryuk
Ryuk has enumerated files and folders on all mounted drives.[235]
G0034 Sandworm Team
Sandworm Team has enumerated files on a compromised host.[185][236]
S0461 SDBbot
SDBbot has the ability to get directory listings or drive information on a compromised host.[237]
S0345 Seasalt
Seasalt has the capability to identify the drive type on a victim.[187]
S0444 ShimRat
ShimRat can list directories.[238]
S0063 SHOTPUT
SHOTPUT has a command to obtain a directory listing.[239]
S0610 SideTwist
SideTwist has the ability to search for specific files.[240]
G0121 Sidewinder
Sidewinder has used malware to collect information on files and directories.[241]
S0692 SILENTTRINITY
SILENTTRINITY has several modules, such as ls.py, pwd.py, and recentFiles.py, to enumerate directories and files.[242]
S0623 Siloscape
Siloscape searches for the Kubernetes config file and other related files using a regular expression.[243]
S0468 Skidmap
Skidmap has checked for the existence of specific files including /usr/sbin/setenforce and /etc/selinux/config. It also has the ability to monitor the cryptocurrency miner file and process.[244]
S0633 Sliver
Sliver can enumerate files on a target system.[245]
S0533 SLOTHFULMEDIA
SLOTHFULMEDIA can enumerate files and directories.[246]
S0226 Smoke Loader
Smoke Loader recursively searches through directories for files.[247]
S0615 SombRAT
SombRAT can execute enum to enumerate files in storage on a compromised system.[248]
S0516 SoreFang
SoreFang has the ability to list directories.[249]
S0157 SOUNDBITE
SOUNDBITE is capable of enumerating and manipulating files and directories.[250]
G0054 Sowbug
Sowbug identified and extracted all Word documents on a server by using a command containing * .doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim.[251]
S0035 SPACESHIP
SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time.[30]
S0142 StreamEx
StreamEx has the ability to enumerate drive types.[252]
S0491 StrongPity
StrongPity can parse the hard drive on a compromised host to identify specific file extensions.[253]
S0603 Stuxnet
Stuxnet uses a driver to scan for specific filesystem driver objects.[254]
S0559 SUNBURST
SUNBURST had commands to enumerate files and directories.[255][256]
S0562 SUNSPOT
SUNSPOT enumerated the Orion software Visual Studio solution directory path.[257]
S0242 SynAck
SynAck checks its directory location in an attempt to avoid launching in a sandbox.[258][259]
S0663 SysUpdate
SysUpdate can search files on a compromised host.[260]
S0011 Taidoor
Taidoor can search for specific files.[261]
S0586 TAINTEDSCRIBE
TAINTEDSCRIBE can use DirectoryList to enumerate files in a specified directory.[262]
S0467 TajMahal
TajMahal has the ability to index files from drives, user profiles, and removable drives.[263]
S0665 ThreatNeedle
ThreatNeedle can obtain file and directory information.[264]
S0131 TINYTYPHON
TINYTYPHON searches through the drive containing the OS, then all drive letters C through to Z, for documents matching certain extensions.[21]
S0266 TrickBot
TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.[265][266]
S0094 Trojan.Karagany
Trojan.Karagany can enumerate files and directories on a compromised host.[267]
G0081 Tropic Trooper
Tropic Trooper has monitored files' modified time.[268]
S0436 TSCookie
TSCookie has the ability to discover drive information on the infected host.[269]
S0647 Turian
Turian can search for specific files and list directories.[270]
G0010 Turla
Turla surveys a system upon check-in to discover files in specific locations on the hard disk: %TEMP% directory, the current user's desktop, the Program Files directory, and Recent.[103][271] Turla RPC backdoors have also searched for files matching the lPH*.dll pattern.[272]
S0263 TYPEFRAME
TYPEFRAME can search directories for files on the victim’s machine.[273]
S0275 UPPERCUT
UPPERCUT has the capability to gather the victim's current directory.[274]
S0452 USBferry
USBferry can detect the victim's file or folder list.[268]
S0136 USBStealer
USBStealer searches victim drives for files matching certain extensions (".skr",".pkr" or ".key") or names.[275][276]
S0180 Volgmer
Volgmer can list directories on a victim.[277]
S0366 WannaCry
WannaCry searches for a variety of user files by file extension before encrypting them using RSA and AES, including Office, PDF, image, audio, video, source code, archive/compression format, and key and certificate files.[278][279]
S0670 WarzoneRAT
WarzoneRAT can enumerate directories on a compromised host.[280]
S0612 WastedLocker
WastedLocker can enumerate files and directories just prior to encryption.[281]
S0689 WhisperGate
WhisperGate can locate files based on hardcoded file extensions.[282][283][284][285]
G0124 Windigo
Windigo has used a script to check for the presence of files created by OpenSSH backdoors.[286]
S0466 WindTail
WindTail has the ability to enumerate the user's home directory and the path to its own application bundle.[287][288]
S0219 WINERACK
WINERACK can enumerate files and directories.[68]
S0059 WinMM
WinMM sets a WH_CBT Windows hook to search for and capture files on the victim.[289]
S0141 Winnti for Windows
Winnti for Windows can check for the presence of specific files prior to moving to the next phase of execution.[290]
G0044 Winnti Group
Winnti Group has used a program named ff.exe to search for specific documents on compromised hosts.[291]
S0161 XAgentOSX
XAgentOSX contains the readFiles function to return a detailed listing (sometimes recursive) of a specified directory.[292] XAgentOSX contains the showBackupIosFolder function to check for iOS device backups by running ls -la ~/Library/Application\ Support/MobileSync/Backup/.[292]
S0248 yty
yty gathers information on victim’s drives and has a plugin for document listing.[293]
S0251 Zebrocy
Zebrocy searches for files that are 60mb and less and contain the following extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .exe, .zip, and .rar. Zebrocy also runs the echo %APPDATA% command to list the contents of the directory.[294][295][296] Zebrocy can obtain the current execution path as well as perform drive enumeration.[297][298]
S0330 Zeus Panda
Zeus Panda searches for specific directories on the victim’s machine.[299]
S0086 ZLib
ZLib has the ability to enumerate files and drives.[95]
S0672 Zox
Zox can enumerate files on a compromised host.[300]
S0350 zwShell
zwShell can browse the file system.[301]
S0412 ZxShell
ZxShell has a command to open a file manager and explorer on the system.[302]