Transparency of Attacker Tooling

Published on

Published on

Published on

Aug 17, 2023

Aug 17, 2023

Aug 17, 2023

Transparency of Attacker Tooling
Transparency of Attacker Tooling
Transparency of Attacker Tooling
Transparency of Attacker Tooling

Transparency of Attacker Tooling

How Open Directories Help with Threat Hunting and Incident Response

Popular web servers are configured to list files and directories of the root directory if there is no index file. Such listings are usually called open directories or directory listings. This can lead to unexpected information disclosure when private files are exposed by an accident.

Open directories offer threat hunting professionals a valuable resource for identifying exposed data and potential entry points used by malicious actors during attacks.

An open directory is a listing of files that can be downloaded via HTTP. Sometimes the root path of a web server is a home directory with all the files. Basically, it's a read-only FTP server that's available via HTTP.

For example, Python language has a built server that allows one to start using a server using one command:

httpshuntioimagesblogsblog-2img-1-2xwebp

Unfortunately, such simplicity comes with security problems. People usually don't understand that when you host an open directory on a popular port --- web crawlers and scanners will find it within a day. Not knowing that detail, they accidentally expose a lot of data.

httpshuntioimagesblogsblog-2img-2-2xwebp

Directory listings are popular among malicious actors. They use them to host malicious executables, payloads or download exfiltrated data from web servers to their local machines. And guess what? A lot of them do not follow operational security practices. They also don't understand that their data can be exposed and help with investigations.

Content of open directories

Malicious directories host a variety of files. By analyzing them, you can find the following data:

1 Executables, logs, and configuration files from command and control servers, such as Cobalt Strike, Sliver C2, Brute Ratel C4, Metasploit, and so on.

2 Bash history, where you can see various logs about hacking attempts, data exfiltration, information gathering, reconnaissance, and so on. Such history files can often help to find the victims of attacks and inform them.

3 Logs from RATs (remote administration tools) or informational stealer's that contains a lot of sensitive data from victims.

4 New malware that was not known before.

How to find malicious directories

Finding malicious directories can be challenging because there are many legit ones, and we must filter them out.

Here are some indicators that help us to classify open directories as malicious:

1 Pattern matching. An open directory can contain files known to be related to malware, red-team, or hacking tools.

2 An open directory hosted on the same IP as the command and control server or other malicious software.

3 The IP is blocklisted by third-party vendors.

4 The executables that an open directory hosts are malicious according to sandboxing tools or antiviruses.

Malicious open directories are often short-lived, and it's important to download all the files for further investigation.

Hunt does this automatically.

There are 400 GitHub projects tagged and it will be updated daily.

httpshuntioimagesblogsblog-2img-3-2xwebp

You can click a scan signature to see all open directories that have validated C2s on them

which looks like this:

httpshuntioimagesblogsblog-2img-4-2xwebpUse It

Click on any malware tag and find all the files that have the same tag:

httpshuntioimagesblogsblog-2img-5-2xwebpUse It

Do keyword searching inside of open directories to find files (it's cumulative sorted by date):

httpshuntioimagesblogsblog-2img-6-2xwebpUse It

You can search for the same file across all open directories (by sha256 by clicking the magnifying glass by the sha256)

httpshuntioimagesblogsblog-2img-7-2xwebpUse It

Ultimately, various strategies can be deployed to identify open directories. Utilizing pattern matching, examining IP addresses, and employing sandboxing tools can aid in identifying potentially harmful open directories. Hunt.io contributes to the proactive detection and analysis of these directories.

Apply for an account to discover more.

How Open Directories Help with Threat Hunting and Incident Response

Popular web servers are configured to list files and directories of the root directory if there is no index file. Such listings are usually called open directories or directory listings. This can lead to unexpected information disclosure when private files are exposed by an accident.

Open directories offer threat hunting professionals a valuable resource for identifying exposed data and potential entry points used by malicious actors during attacks.

An open directory is a listing of files that can be downloaded via HTTP. Sometimes the root path of a web server is a home directory with all the files. Basically, it's a read-only FTP server that's available via HTTP.

For example, Python language has a built server that allows one to start using a server using one command:

httpshuntioimagesblogsblog-2img-1-2xwebp

Unfortunately, such simplicity comes with security problems. People usually don't understand that when you host an open directory on a popular port --- web crawlers and scanners will find it within a day. Not knowing that detail, they accidentally expose a lot of data.

httpshuntioimagesblogsblog-2img-2-2xwebp

Directory listings are popular among malicious actors. They use them to host malicious executables, payloads or download exfiltrated data from web servers to their local machines. And guess what? A lot of them do not follow operational security practices. They also don't understand that their data can be exposed and help with investigations.

Content of open directories

Malicious directories host a variety of files. By analyzing them, you can find the following data:

1 Executables, logs, and configuration files from command and control servers, such as Cobalt Strike, Sliver C2, Brute Ratel C4, Metasploit, and so on.

2 Bash history, where you can see various logs about hacking attempts, data exfiltration, information gathering, reconnaissance, and so on. Such history files can often help to find the victims of attacks and inform them.

3 Logs from RATs (remote administration tools) or informational stealer's that contains a lot of sensitive data from victims.

4 New malware that was not known before.

How to find malicious directories

Finding malicious directories can be challenging because there are many legit ones, and we must filter them out.

Here are some indicators that help us to classify open directories as malicious:

1 Pattern matching. An open directory can contain files known to be related to malware, red-team, or hacking tools.

2 An open directory hosted on the same IP as the command and control server or other malicious software.

3 The IP is blocklisted by third-party vendors.

4 The executables that an open directory hosts are malicious according to sandboxing tools or antiviruses.

Malicious open directories are often short-lived, and it's important to download all the files for further investigation.

Hunt does this automatically.

There are 400 GitHub projects tagged and it will be updated daily.

httpshuntioimagesblogsblog-2img-3-2xwebp

You can click a scan signature to see all open directories that have validated C2s on them

which looks like this:

httpshuntioimagesblogsblog-2img-4-2xwebpUse It

Click on any malware tag and find all the files that have the same tag:

httpshuntioimagesblogsblog-2img-5-2xwebpUse It

Do keyword searching inside of open directories to find files (it's cumulative sorted by date):

httpshuntioimagesblogsblog-2img-6-2xwebpUse It

You can search for the same file across all open directories (by sha256 by clicking the magnifying glass by the sha256)

httpshuntioimagesblogsblog-2img-7-2xwebpUse It

Ultimately, various strategies can be deployed to identify open directories. Utilizing pattern matching, examining IP addresses, and employing sandboxing tools can aid in identifying potentially harmful open directories. Hunt.io contributes to the proactive detection and analysis of these directories.

Apply for an account to discover more.

Related Posts:

Clickfix on macOS: AppleScript Stealer, Terminal Phishing, and C2 Infrastructure
Jul 22, 2025

Phishing campaign targets macOS with fake prompts that run AppleScript via terminal, stealing wallets, cookies, and sensitive files.

Clickfix on macOS: AppleScript Stealer, Terminal Phishing, and C2 Infrastructure
Jul 22, 2025

Phishing campaign targets macOS with fake prompts that run AppleScript via terminal, stealing wallets, cookies, and sensitive files.

630K gov.br Subdomains Abused in SEO Poisoning Attack
Jul 17, 2025

Over 630K hijacked gov.br subdomains were exploited in a black hat SEO campaign using cloaking, keyword stuffing, and redirect techniques. Learn more.

630K gov.br Subdomains Abused in SEO Poisoning Attack
Jul 17, 2025

Over 630K hijacked gov.br subdomains were exploited in a black hat SEO campaign using cloaking, keyword stuffing, and redirect techniques. Learn more.

Announcing Hunt 2.4
Jul 15, 2025

Hunt 2.4 adds archive-aware search, deeper SQL visibility, and improved phishing intel to make threat hunting faster, clearer, and more powerful.

Announcing Hunt 2.4
Jul 15, 2025

Hunt 2.4 adds archive-aware search, deeper SQL visibility, and improved phishing intel to make threat hunting faster, clearer, and more powerful.

Eggs, Alerts, and Adversaries: Talking with Jose Hernandez from Splunk
Jul 8, 2025

Splunk’s Jose Hernandez talks building detections, curious hires, Hunt.io in action, and balancing threat research with chickens and family life.

Eggs, Alerts, and Adversaries: Talking with Jose Hernandez from Splunk
Jul 8, 2025

Splunk’s Jose Hernandez talks building detections, curious hires, Hunt.io in action, and balancing threat research with chickens and family life.

Clickfix on macOS: AppleScript Stealer, Terminal Phishing, and C2 Infrastructure
Jul 22, 2025

Phishing campaign targets macOS with fake prompts that run AppleScript via terminal, stealing wallets, cookies, and sensitive files.

630K gov.br Subdomains Abused in SEO Poisoning Attack
Jul 17, 2025

Over 630K hijacked gov.br subdomains were exploited in a black hat SEO campaign using cloaking, keyword stuffing, and redirect techniques. Learn more.