internal/pkg/hunt/detect/directory/directories.go

package directory

import (
	"fmt"
	"os"
	"path/filepath"
	"rmm-hunter/internal/pkg/hunt/detect/common"
	"strings"
)

var appData = os.Getenv("APPDATA")

func Detect() []string {
	var suspiciousDirectories []string

	fmt.Printf("[*] Enumerating Suspicious Directories \n")
	// Check for common directories
	for _, dir := range common.CommonDirectories {
		dir = replaceAppData(dir)
		if _, err := os.Stat(dir); err == nil {
			fmt.Printf("   [?] Found %s\n", dir)
			suspiciousDirectories = append(suspiciousDirectories, dir)
		}
	}
	fmt.Printf("[+] Found %d Suspicious Directories\n", len(suspiciousDirectories))

	return suspiciousDirectories
}

func replaceAppData(path string) string {
	if strings.Contains(path, "{{APPDATA}}") {
		p := strings.Replace(path, "{{APPDATA}}", "", -1)
		return filepath.Join(appData, p)
	}
	return path
}
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`package directory`

			`import (`
			`"fmt"`
			`"os"`
			`"path/filepath"`
			`"rmm-hunter/internal/pkg/hunt/detect/common"`
			`"strings"`
			`)`

			`var appData = os.Getenv("APPDATA")`

			`func Detect() []string {`
			`var suspiciousDirectories []string`

			`fmt.Printf("[*] Enumerating Suspicious Directories \n")`
			`// Check for common directories`
			`for _, dir := range common.CommonDirectories {`
			`dir = replaceAppData(dir)`
			`if _, err := os.Stat(dir); err == nil {`
			`fmt.Printf(" [?] Found %s\n", dir)`
			`suspiciousDirectories = append(suspiciousDirectories, dir)`
			`}`
			`}`
			`fmt.Printf("[+] Found %d Suspicious Directories\n", len(suspiciousDirectories))`

			`return suspiciousDirectories`
			`}`

			`func replaceAppData(path string) string {`
			`if strings.Contains(path, "{{APPDATA}}") {`
			`p := strings.Replace(path, "{{APPDATA}}", "", -1)`
			`return filepath.Join(appData, p)`
			`}`
			`return path`
			`}`