
@PhyoPaingHtun (Contributor) commented Oct 31, 2025

Title

Recursively Enumerate Files and Directories by PowerShell

Details

This atomic simulates the reconnaissance stage of a data collection campaign: an adversary enumerates user folders to locate documents and archive files of potential intelligence value (e.g., invoices, contracts, reports, archived data). The test uses .NET streaming APIs ([System.IO.Directory]::EnumerateDirectories and [System.IO.Directory]::EnumerateFiles) to perform memory-efficient, recursive enumeration of common user locations (Documents, Downloads, Desktop, OneDrive) and filters for document/archive extensions such as .pdf, .doc, .docx, .xls, .xlsx, .txt, .zip, .rar and .7z.

This pattern is consistent with reconnaissance observed in commodity stealers and targeted campaigns (for example, behaviors similar to the LOSTKEYS VBScript-based malware used by COLDRIVER), where an operator or automated tool collects file paths and metadata to decide what to compress and exfiltrate later.
Reference: https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix#:~:text=%5Bstring%5B%5D%5D%24di%20%3D%20%40(%27Documents,in%20January%202025.

Attack Commands

$out = "#{output_file}"   # atomic input argument, substituted by the test runner
$dirsFilter = @('Documents','Downloads','Desktop','OneDrive')
$exts = @('.pdf','.doc','.docx','.xls','.xlsx','.txt','.zip','.rar','.7z')
$userProfile = [Environment]::GetFolderPath('UserProfile')
$tr = [System.Collections.Generic.List[string]]::new()

# True when the file's extension is one of the document/archive types of interest
function MatchesExtension($path) {
  try {
    $e = [System.IO.Path]::GetExtension($path).ToLower()
    return $exts -contains $e
  } catch { return $false }
}

# Recursively walk a directory, recording matching files. Only paths whose
# name contains one of the $dirsFilter entries are descended into.
function Scan-Dir($root) {
  try {
    $match = $false
    foreach ($f in $dirsFilter) { if ($root -like "*$f*") { $match = $true; break } }
    if (-not $match) { return }

    # EnumerateFiles streams entries lazily instead of materialising the whole listing
    [System.IO.Directory]::EnumerateFiles($root) | ForEach-Object {
      if (MatchesExtension $_) {
        $fi = [System.IO.FileInfo]::new($_)
        $tr.Add("[File] $_ Size:$($fi.Length) LastWrite:$($fi.LastWriteTime)")
      }
    }

    [System.IO.Directory]::EnumerateDirectories($root) | ForEach-Object {
      Scan-Dir $_
    }
  } catch [System.UnauthorizedAccessException] {
    $tr.Add("[AccessDenied] $root")
  } catch {
    $tr.Add("[Error] $root => $($_.Exception.Message)")
  }
}

# Start from the top-level folders under the user profile
[System.IO.Directory]::EnumerateDirectories($userProfile) | ForEach-Object { Scan-Dir $_ }

# Ensure output dir exists
$outDir = [System.IO.Path]::GetDirectoryName($out)
if (-not [string]::IsNullOrEmpty($outDir) -and -not (Test-Path $outDir)) {
  New-Item -Path $outDir -ItemType Directory -Force | Out-Null
}

# Write results
$tr | Out-File -FilePath $out -Encoding UTF8
Write-Output "Enumeration complete. Results written to: $out"

Cleanup Command

Remove-Item -Path "#{output_file}" -ErrorAction SilentlyContinue

Already tested Invoke-Atomic Test
t10832
t10831
t10833

Enumeration Results Output
T1083-Enumerate-net.txt

Added a PowerShell script for recursively enumerating user directories to find specific file types. This change includes a detailed description of the behavior and context related to file discovery.
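The following is an added defender-side example, not part of this pull request or of the Atomic Red Team project: a small scorer for PowerShell Script Block Logging entries (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) that looks for the combination of indicators this atomic exhibits, namely [System.IO.Directory]::EnumerateFiles/EnumerateDirectories, a list of document and archive extensions, user-folder names, and the UserProfile root. The indicator weights, the threshold of 5 and the three sample script blocks are constructed for illustration; the function names Get-ScriptBlockScore and Find-SuspiciousScriptBlocks are assumed here and exist nowhere else.

```powershell
# Added example (not the PR's or the project's code). Weighted indicators drawn
# from the atomic above; weights and threshold are constructed values.
$Indicators = @(
    [pscustomobject]@{ Name = 'StreamingEnumeration'; Pattern = '\[System\.IO\.Directory\]::Enumerate(Files|Directories)'; Weight = 2 },
    [pscustomobject]@{ Name = 'DocumentExtensions';   Pattern = "'\.(pdf|docx?|xlsx?|txt)'";                               Weight = 1 },
    [pscustomobject]@{ Name = 'ArchiveExtensions';    Pattern = "'\.(zip|rar|7z)'";                                         Weight = 2 },
    [pscustomobject]@{ Name = 'UserFolders';          Pattern = "'(Documents|Downloads|Desktop|OneDrive)'";                 Weight = 1 },
    [pscustomobject]@{ Name = 'UserProfileRoot';      Pattern = "GetFolderPath\('UserProfile'\)";                           Weight = 1 }
)

# Score one script block's text. EnumerateFiles alone is ordinary admin tooling;
# it becomes interesting when paired with document/archive extension lists and
# user-folder names, which is why the score is a weighted sum, not a single match.
function Get-ScriptBlockScore {
    param(
        [Parameter(Mandatory)][string]$ScriptBlockText,
        [int]$Threshold = 5   # constructed threshold: enumeration + archive extensions + one context indicator
    )
    $score = 0
    $names = [System.Collections.Generic.List[string]]::new()
    foreach ($i in $Indicators) {
        if ($ScriptBlockText -match $i.Pattern) {   # -match is case-insensitive by default
            $score += $i.Weight
            $names.Add($i.Name)
        }
    }
    [pscustomobject]@{
        Score      = $score
        Indicators = $names.ToArray()
        Suspicious = ($score -ge $Threshold)
    }
}

# Pull recent 4104 events from the local log and return the ones over threshold.
# Event data fields for 4104 are MessageNumber, MessageTotal, ScriptBlockText,
# ScriptBlockId and Path, so Properties[2] is the script block text.
function Find-SuspiciousScriptBlocks {
    param([int]$MaxEvents = 500, [int]$Threshold = 5)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $r = Get-ScriptBlockScore -ScriptBlockText ([string]$_.Properties[2].Value) -Threshold $Threshold
            if ($r.Suspicious) {
                [pscustomobject]@{
                    TimeCreated   = $_.TimeCreated
                    ScriptBlockId = $_.Properties[3].Value
                    Path          = $_.Properties[4].Value
                    Score         = $r.Score
                    Indicators    = ($r.Indicators -join ',')
                }
            }
        }
}

# Constructed sample script blocks (not real log data) to exercise the scorer offline.
$samples = [ordered]@{
    AtomicLike = "`$exts = @('.pdf','.docx','.zip','.7z'); `$d = @('Documents','Downloads'); " +
                 "[System.IO.Directory]::EnumerateFiles([Environment]::GetFolderPath('UserProfile'))"
    AdminLike  = "[System.IO.Directory]::EnumerateFiles('C:\logs') | Where-Object { `$_ -like '*.log' }"
    Benign     = "Get-ChildItem -Path . -Recurse | Measure-Object"
}
foreach ($k in $samples.Keys) {
    $r = Get-ScriptBlockScore -ScriptBlockText $samples[$k]
    "{0,-10} score={1} suspicious={2} [{3}]" -f $k, $r.Score, $r.Suspicious, ($r.Indicators -join ',')
}
# AtomicLike scores 7 (all five indicators), AdminLike 2, Benign 0.
```

Running the script as-is only scores the three constructed samples; Find-SuspiciousScriptBlocks requires Script Block Logging to be enabled on the host and read access to the Operational log. Because the atomic's enumeration is in-process .NET rather than a child process, 4104 script block text (or an EDR's PowerShell AMSI telemetry) is the record to look at, not process-creation events.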
@cyberbuff cyberbuff merged commit d951b5b into redcanaryco:master Nov 1, 2025
3 checks passed