Transparency of Attacker Tooling

Published on

Published on

Published on

Aug 17, 2023

Aug 17, 2023

Aug 17, 2023

Transparency of Attacker Tooling
Transparency of Attacker Tooling
Transparency of Attacker Tooling

Transparency of Attacker Tooling

How Open Directories Help with Threat Hunting and Incident Response

Popular web servers are configured to list files and directories of the root directory if there is no index file. Such listings are usually called open directories or directory listings. This can lead to unexpected information disclosure when private files are exposed by an accident.

Open directories offer threat hunting professionals a valuable resource for identifying exposed data and potential entry points used by malicious actors during attacks.

An open directory is a listing of files that can be downloaded via HTTP. Sometimes the root path of a web server is a home directory with all the files. Basically, it's a read-only FTP server that's available via HTTP.

For example, Python language has a built server that allows one to start using a server using one command:

httpshuntioimagesblogsblog-2img-1-2xwebp

Unfortunately, such simplicity comes with security problems. People usually don't understand that when you host an open directory on a popular port --- web crawlers and scanners will find it within a day. Not knowing that detail, they accidentally expose a lot of data.

httpshuntioimagesblogsblog-2img-2-2xwebp

Directory listings are popular among malicious actors. They use them to host malicious executables, payloads or download exfiltrated data from web servers to their local machines. And guess what? A lot of them do not follow operational security practices. They also don't understand that their data can be exposed and help with investigations.

Content of open directories

Malicious directories host a variety of files. By analyzing them, you can find the following data:

1 Executables, logs, and configuration files from command and control servers, such as Cobalt Strike, Sliver C2, Brute Ratel C4, Metasploit, and so on.

2 Bash history, where you can see various logs about hacking attempts, data exfiltration, information gathering, reconnaissance, and so on. Such history files can often help to find the victims of attacks and inform them.

3 Logs from RATs (remote administration tools) or informational stealer's that contains a lot of sensitive data from victims.

4 New malware that was not known before.

How to find malicious directories

Finding malicious directories can be challenging because there are many legit ones, and we must filter them out.

Here are some indicators that help us to classify open directories as malicious:

1 Pattern matching. An open directory can contain files known to be related to malware, red-team, or hacking tools.

2 An open directory hosted on the same IP as the command and control server or other malicious software.

3 The IP is blocklisted by third-party vendors.

4 The executables that an open directory hosts are malicious according to sandboxing tools or antiviruses.

Malicious open directories are often short-lived, and it's important to download all the files for further investigation.

Hunt does this automatically.

There are 400 GitHub projects tagged and it will be updated daily.

httpshuntioimagesblogsblog-2img-3-2xwebp

You can click a scan signature to see all open directories that have validated C2s on them

which looks like this:

httpshuntioimagesblogsblog-2img-4-2xwebp

Use It

Click on any malware tag and find all the files that have the same tag:

httpshuntioimagesblogsblog-2img-5-2xwebp

Use It

Do keyword searching inside of open directories to find files (it's cumulative sorted by date):

httpshuntioimagesblogsblog-2img-6-2xwebp

Use It

You can search for the same file across all open directories (by sha256 by clicking the magnifying glass by the sha256)

httpshuntioimagesblogsblog-2img-7-2xwebp

Use It

Ultimately, various strategies can be deployed to identify open directories. Utilizing pattern matching, examining IP addresses, and employing sandboxing tools can aid in identifying potentially harmful open directories. Hunt.io contributes to the proactive detection and analysis of these directories.

Apply for an account to discover more.

How Open Directories Help with Threat Hunting and Incident Response

Popular web servers are configured to list files and directories of the root directory if there is no index file. Such listings are usually called open directories or directory listings. This can lead to unexpected information disclosure when private files are exposed by an accident.

Open directories offer threat hunting professionals a valuable resource for identifying exposed data and potential entry points used by malicious actors during attacks.

An open directory is a listing of files that can be downloaded via HTTP. Sometimes the root path of a web server is a home directory with all the files. Basically, it's a read-only FTP server that's available via HTTP.

For example, Python language has a built server that allows one to start using a server using one command:

httpshuntioimagesblogsblog-2img-1-2xwebp

Unfortunately, such simplicity comes with security problems. People usually don't understand that when you host an open directory on a popular port --- web crawlers and scanners will find it within a day. Not knowing that detail, they accidentally expose a lot of data.

httpshuntioimagesblogsblog-2img-2-2xwebp

Directory listings are popular among malicious actors. They use them to host malicious executables, payloads or download exfiltrated data from web servers to their local machines. And guess what? A lot of them do not follow operational security practices. They also don't understand that their data can be exposed and help with investigations.

Content of open directories

Malicious directories host a variety of files. By analyzing them, you can find the following data:

1 Executables, logs, and configuration files from command and control servers, such as Cobalt Strike, Sliver C2, Brute Ratel C4, Metasploit, and so on.

2 Bash history, where you can see various logs about hacking attempts, data exfiltration, information gathering, reconnaissance, and so on. Such history files can often help to find the victims of attacks and inform them.

3 Logs from RATs (remote administration tools) or informational stealer's that contains a lot of sensitive data from victims.

4 New malware that was not known before.

How to find malicious directories

Finding malicious directories can be challenging because there are many legit ones, and we must filter them out.

Here are some indicators that help us to classify open directories as malicious:

1 Pattern matching. An open directory can contain files known to be related to malware, red-team, or hacking tools.

2 An open directory hosted on the same IP as the command and control server or other malicious software.

3 The IP is blocklisted by third-party vendors.

4 The executables that an open directory hosts are malicious according to sandboxing tools or antiviruses.

Malicious open directories are often short-lived, and it's important to download all the files for further investigation.

Hunt does this automatically.

There are 400 GitHub projects tagged and it will be updated daily.

httpshuntioimagesblogsblog-2img-3-2xwebp

You can click a scan signature to see all open directories that have validated C2s on them

which looks like this:

httpshuntioimagesblogsblog-2img-4-2xwebp

Use It

Click on any malware tag and find all the files that have the same tag:

httpshuntioimagesblogsblog-2img-5-2xwebp

Use It

Do keyword searching inside of open directories to find files (it's cumulative sorted by date):

httpshuntioimagesblogsblog-2img-6-2xwebp

Use It

You can search for the same file across all open directories (by sha256 by clicking the magnifying glass by the sha256)

httpshuntioimagesblogsblog-2img-7-2xwebp

Use It

Ultimately, various strategies can be deployed to identify open directories. Utilizing pattern matching, examining IP addresses, and employing sandboxing tools can aid in identifying potentially harmful open directories. Hunt.io contributes to the proactive detection and analysis of these directories.

Apply for an account to discover more.

Related Posts:

Detecting IOX, FRP, Rakshasa, and Stowaway Proxies Using Hunt.io
May 8, 2025

This post explores open-source proxy tools commonly used in attacker and red team infrastructure, and shows how defenders can detect IOX, FRP, Rakshasa, and Stowaway at scale using Hunt.io.

Detecting IOX, FRP, Rakshasa, and Stowaway Proxies Using Hunt.io
May 8, 2025

This post explores open-source proxy tools commonly used in attacker and red team infrastructure, and shows how defenders can detect IOX, FRP, Rakshasa, and Stowaway at scale using Hunt.io.

APT36-Linked ClickFix Campaign Spoofs Indian Ministry of Defence, Targets Windows & Linux Users
May 5, 2025

APT36-style phishing campaign mimics India’s Ministry of Defence to drop malware on Windows and Linux via spoofed press releases and HTA payloads.

APT36-Linked ClickFix Campaign Spoofs Indian Ministry of Defence, Targets Windows & Linux Users
May 5, 2025

APT36-style phishing campaign mimics India’s Ministry of Defence to drop malware on Windows and Linux via spoofed press releases and HTA payloads.

APT34-Like Threat Infrastructure Uncovered Before Activation
Apr 22, 2025

APT34-like infrastructure mimicking an Iraqi academic institute and fake UK tech firms reveals early-stage staging on M247 servers. Learn what to track

APT34-Like Threat Infrastructure Uncovered Before Activation
Apr 22, 2025

APT34-like infrastructure mimicking an Iraqi academic institute and fake UK tech firms reveals early-stage staging on M247 servers. Learn what to track

KeyPlug Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company
Apr 17, 2025

Briefly exposed KeyPlug infrastructure revealed Fortinet exploits, encrypted webshells, and recon scripts targeting Shiseido, a major Japanese enterprise. Learn more..

KeyPlug Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company
Apr 17, 2025

Briefly exposed KeyPlug infrastructure revealed Fortinet exploits, encrypted webshells, and recon scripts targeting Shiseido, a major Japanese enterprise. Learn more..

Detecting IOX, FRP, Rakshasa, and Stowaway Proxies Using Hunt.io
May 8, 2025

This post explores open-source proxy tools commonly used in attacker and red team infrastructure, and shows how defenders can detect IOX, FRP, Rakshasa, and Stowaway at scale using Hunt.io.

APT36-Linked ClickFix Campaign Spoofs Indian Ministry of Defence, Targets Windows & Linux Users
May 5, 2025

APT36-style phishing campaign mimics India’s Ministry of Defence to drop malware on Windows and Linux via spoofed press releases and HTA payloads.