| Field | Value |
|---|---|
| ID | E1083 |
| Objective(s) | Discovery |
| Related ATT&CK Techniques | File and Directory Discovery (T1083) |
| Version | 2.0 |
| Created | 2 August 2022 |
| Last Modified | 21 November 2022 |

File and Directory Discovery

Malware may enumerate files and directories or may search for specific files or in specific locations.

Methods

| Name | ID | Description |
|---|---|---|
| Log File | E1083.m01 | Malware may look for system log files. |
| Filter by Extension | E1083.m02 | Malware may filter by extension (common in ransomware). |

Use in Malware

| Name | Date | Method | Description |
|---|---|---|---|
| CryptoWall | 2014 | -- | The malware searches for user files before encrypting them. [1] |
| CryptoLocker | 2013 | -- | The malware searches for user files before encrypting them. [2] |
| TrickBot | 2016 | -- | Collects local files with specified file extensions and information from the victim's machine. [3] |
| GravityRAT | 2018 | -- | Enumerate files on Windows (this capa rule had 3 matches). [4] |
| Hupigon | 2013 | E1083, E1083.m01 | Please see the Hupigon malware page for details. [4] |
| Kovter | 2016 | E1083.m01 | Access the Windows event log (this capa rule had 2 matches). [4] |
| SamSam | 2015 | -- | Enumerate files on Windows (this capa rule had 1 match). [4] |
| UP007 Malware Family | 2016 | -- | Enumerate files on Windows (this capa rule had 1 match). [4] |
| BlackEnergy | 2007 | -- | Get common file path (this capa rule had 3 matches). [4] |
| Dark Comet | 2008 | -- | Get file version info (this capa rule had 1 match). [4] |
| Gamut | 2014 | -- | Get common file path (this capa rule had 5 matches). [4] |
| GoBotKR | 2019 | -- | Check if file exists (this capa rule had 1 match). [4] |
| Locky Bart | 2017 | -- | Get file size (this capa rule had 1 match). [4] |
| Mebromi | 2011 | -- | Get file size (this capa rule had 1 match). [4] |
| Redhip | 2011 | -- | Get file size (this capa rule had 3 matches). [4] |
| Rombertik | 2015 | -- | Get file version info (this capa rule had 1 match). [4] |
| Shamoon | 2012 | -- | Get common file path (this capa rule had 1 match). [4] |

References

[1] https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/

[2] https://www.secureworks.com/research/cryptolocker-ransomware

[3] https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf

[4] capa v4.0, analyzed at MITRE on 10/12/2022