xchangetaya.blogg.se

Classified file spy folder on desk















BlackEnergy gathers a list of installed apps from the uninstall program Registry. BLACKCOFFEE has the capability to enumerate files. Bisonal can retrieve a file listing from the system. BBSRAT can list file and directory information. Bazar can enumerate the victim's desktop. Bankshot searches for files on the victim's machine. Bandook has a command to list files on a system. BadPatch searches for files with specific file extensions. BADNEWS identifies files with certain extensions from USB devices, then copies them to a predefined directory. BADFLICK has searched for files on the infected host. BACKSPACE allows adversaries to search for files.


It also searches for ICS-related software files. Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. BackConfig has the ability to identify folders and files related to previous infections. BabyShark has used dir to search for "programfiles" and "appdata". Babuk has the ability to enumerate files on a targeted system. Azorult can recursively search for files in folders and collects files from the desktop with certain extensions. Avenger has the ability to browse files in directories such as Program Files and the Desktop. Avaddon has searched for specific files prior to encryption. AutoIt backdoor is capable of identifying documents on the victim with the following extensions. AuditCred can search through folders and files on the system. Attor has a plugin that enumerates files with specific extensions on all hard disk drives and stores file information in encrypted log files. Aria-body has the ability to gather metadata from a file and to search for file and directory names. APT41 has executed file /bin/pwd on exploited victims, perhaps to return architecture-related information. APT39 has used tools with the ability to search for files on a compromised host. APT38 has enumerated files and directories, or searched in specific locations within a compromised host. APT32's backdoor possesses the capability to list files and directories on a machine. APT3 has a tool that looks for files and directories on the local file system. APT29 obtained information about the configured Exchange virtual directory using Get-WebServicesVirtualDirectory. The group also searched a compromised DCCC computer for specific terms. APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection. APT18 can list file information for specific directories. Aoqin Dragon has run scripts to identify file formats including Microsoft Word.

Amadey has searched for folders associated with antivirus software. actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories:

dir c:\ > %temp%\download
dir "c:\Documents and Settings" > %temp%\download
dir "c:\Program Files\" > %temp%\download
dir d:\ > %temp%\download

ADVSTORESHELL can list files and directories. Action RAT has the ability to collect drive and file information on an infected machine. 4H RAT has the capability to obtain file and directory listings. 3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory.














