Transparency of Attacker Tooling

How Open Directories Help with Threat Hunting and Incident Response

Popular web servers are configured to list files and directories of the root directory if there is no index file. Such listings are usually called open directories or directory listings. This can lead to unexpected information disclosure when private files are exposed by an accident.

Open directories offer threat hunting professionals a valuable resource for identifying exposed data and potential entry points used by malicious actors during attacks.

An open directory is a listing of files that can be downloaded via HTTP. Sometimes the root path of a web server is a home directory with all the files. Basically, it's a read-only FTP server that's available via HTTP.

For example, Python language has a built server that allows one to start using a server using one command:

Unfortunately, such simplicity comes with security problems. People usually don't understand that when you host an open directory on a popular port --- web crawlers and scanners will find it within a day. Not knowing that detail, they accidentally expose a lot of data.

Directory listings are popular among malicious actors. They use them to host malicious executables, payloads or download exfiltrated data from web servers to their local machines. And guess what? A lot of them do not follow operational security practices. They also don't understand that their data can be exposed and help with investigations.

Content of open directories

Malicious directories host a variety of files. By analyzing them, you can find the following data:

1 Executables, logs, and configuration files from command and control servers, such as Cobalt Strike, Sliver C2, Brute Ratel C4, Metasploit, and so on.

2 Bash history, where you can see various logs about hacking attempts, data exfiltration, information gathering, reconnaissance, and so on. Such history files can often help to find the victims of attacks and inform them.

3 Logs from RATs (remote administration tools) or informational stealer's that contains a lot of sensitive data from victims.

4 New malware that was not known before.

How to find malicious directories

Finding malicious directories can be challenging because there are many legit ones, and we must filter them out.

Here are some indicators that help us to classify open directories as malicious:

1 Pattern matching. An open directory can contain files known to be related to malware, red-team, or hacking tools.

2 An open directory hosted on the same IP as the command and control server or other malicious software.

3 The IP is blocklisted by third-party vendors.

4 The executables that an open directory hosts are malicious according to sandboxing tools or antiviruses.

Malicious open directories are often short-lived, and it's important to download all the files for further investigation.

Hunt does this automatically.

There are 400 GitHub projects tagged and it will be updated daily.

You can click a scan signature to see all open directories that have validated C2s on them

which looks like this:

Click on any malware tag and find all the files that have the same tag:

Do keyword searching inside of open directories to find files (it's cumulative sorted by date):

You can search for the same file across all open directories (by sha256 by clicking the magnifying glass by the sha256)

Ultimately, various strategies can be deployed to identify open directories. Utilizing pattern matching, examining IP addresses, and employing sandboxing tools can aid in identifying potentially harmful open directories. Hunt.io contributes to the proactive detection and analysis of these directories.