redcanaryco · cyberbuff · Nov 1, 2025 · Oct 31, 2025 · Oct 31, 2025 · Nov 1, 2025
diff --git a/atomics/T1083/T1083.yaml b/atomics/T1083/T1083.yaml
@@ -91,8 +91,8 @@ atomic_tests:
 - name: Simulating MAZE Directory Enumeration
   auto_generated_guid: c6c34f61-1c3e-40fb-8a58-d017d88286d8
   description: |
-    This test emulates MAZE ransomware's ability to enumerate directories using Powershell. 
-    Upon successful execution, this test will output the directory enumeration results to a specified file, as well as display them in the active window. 
+    This test emulates MAZE ransomware's ability to enumerate directories using Powershell.
+    Upon successful execution, this test will output the directory enumeration results to a specified file, as well as display them in the active window.
     See https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
   supported_platforms:
   - windows
@@ -108,7 +108,7 @@ atomic_tests:
       Get-ChildItem -Path $env:programfiles -erroraction silentlycontinue | Out-File -append #{File_to_output}
       Get-ChildItem -Path "${env:ProgramFiles(x86)}" -erroraction silentlycontinue | Out-File -append #{File_to_output}
       $UsersFolder = "$env:homedrive\Users\"
-      foreach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue) 
+      foreach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue)
       {
       foreach ($secondarydirectory in $folderarray)
        {Get-ChildItem -Path "$UsersFolder/$directory/$secondarydirectory" -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}}
@@ -176,7 +176,7 @@ atomic_tests:
     cli_script:
       description: Path to script with file discovery commands
       type: path
-      default: PathToAtomicsFolder\T1083\src\esxi_file_discovery.txt  
+      default: PathToAtomicsFolder\T1083\src\esxi_file_discovery.txt
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -201,4 +201,71 @@ atomic_tests:
   executor:
     command: |
       findmnt -t nfs
-    name: sh
+    name: sh
+- name: Recursive Enumerate Files And Directories By Powershell
+  description: |
+    Adversary attempting to discover and collect sensitive documents and archives
+    from a user’s system. The test recursively enumerates common user folders
+    (Documents, Downloads, Desktop, OneDrive) for file types of interest such as .pdf, .doc,
+    .docx, .xls, .xlsx, .txt, .zip, .rar, and .7z.
+    This behavior is similar to malware like LOSTKEYS used by COLDRIVER in January 2025,
+    where attackers perform targeted file discovery to support strategic intelligence collection https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix.
+  supported_platforms:
+  - windows
+  input_arguments:
+    output_file:
+      description: File to output results.
+      type: string
+      default: '$env:TEMP\T1083-Enumerate-net.txt'
+  executor:
+    name: powershell
+    command: |
+      $out = "#{output_file}"
+      $dirsFilter = @('Documents','Downloads','Desktop','OneDrive')
+      $exts = @('.pdf','.doc','.docx','.xls','.xlsx','.txt','.zip','.rar','.7z')
+      $userProfile = [Environment]::GetFolderPath('UserProfile')
+      $tr = [System.Collections.Generic.List[string]]::new()
+
+      function MatchesExtension($path) {
+        try {
+          $e = [System.IO.Path]::GetExtension($path).ToLower()
+          return $exts -contains $e
+        } catch { return $false }
+      }
+
+      function Scan-Dir($root) {
+        try {
+          $match = $false
+          foreach ($f in $dirsFilter) { if ($root -like "*$f*") { $match = $true; break } }
+          if (-not $match) { return }
+
+          [System.IO.Directory]::EnumerateFiles($root) | ForEach-Object {
+            if (MatchesExtension $_) {
+              $fi = [System.IO.FileInfo]::new($_)
+              $tr.Add("[File] $_ Size:$($fi.Length) LastWrite:$($fi.LastWriteTime)")
+            }
+          }
+
+          [System.IO.Directory]::EnumerateDirectories($root) | ForEach-Object {
+            Scan-Dir $_
+          }
+        } catch [System.UnauthorizedAccessException] {
+          $tr.Add("[AccessDenied] $root")
+        } catch {
+          $tr.Add("[Error] $root => $($_.Exception.Message)")
+        }
+      }
+
+      [System.IO.Directory]::EnumerateDirectories($userProfile) | ForEach-Object { Scan-Dir $_ }
+
+      # Ensure output dir exists
+      $outDir = [System.IO.Path]::GetDirectoryName($out)
+      if (-not [string]::IsNullOrEmpty($outDir) -and -not (Test-Path $outDir)) {
+        New-Item -Path $outDir -ItemType Directory -Force | Out-Null
+      }
+
+      # Write results
+      $tr | Out-File -FilePath $out -Encoding UTF8
+      Write-Output "Enumeration complete. Results written to: $out"
+    cleanup_command: |
+      Remove-Item -Path "#{output_file}" -ErrorAction SilentlyContinue