File and Directory Discovery

Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including deciding if the adversary should fully infect the target and/or attempt specific actions.

On Android, Linux file permissions and SELinux policies typically stringently restrict what can be accessed by apps without taking advantage of a privilege escalation exploit. The contents of the external storage directory are generally visible, which could present concerns if sensitive data is inappropriately stored there. iOS's security architecture generally restricts the ability to perform any type of File and Directory Discovery without use of escalated privileges.

ID: T1420
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Discovery
Platforms: Android, iOS
MTC ID: STA-41
Version: 1.2
Created: 25 October 2017
Last Modified: 20 March 2023

Procedure Examples

ID Name Description
S1095 AhRat

AhRat can enumerate files on external storage.[1]

C0033 C0033

During C0033, PROMETHIUM used StrongPity to collect file lists on the victim device.[2]

S0529 CarbonSteal

CarbonSteal has searched device storage for various files, including .amr files (audio recordings) and superuser binaries.[3]

S0505 Desert Scorpion

Desert Scorpion can list files stored on external storage.[4]

S0550 DoubleAgent

DoubleAgent has searched for specific existing data directories, including the Gmail app, Dropbox app, Pictures, and thumbnails.[3]

S1092 Escobar

Escobar can access external storage.[5]

S0577 FrozenCell

FrozenCell has searched for pdf, doc, docx, ppt, pptx, xls, and xlsx file types for exfiltration.[6]

S0535 Golden Cup

Golden Cup can collect a directory listing of external storage.[7]

S0551 GoldenEagle

GoldenEagle has looked for .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files on external storage.[3]

S1077 Hornbill

Hornbill has a list of file extensions that it may use to log certain operations (creation, open, close, modification, movement, deletion) on files of those types.[8]

C0016 Operation Dust Storm

During Operation Dust Storm, the threat actors used Android backdoors capable of enumerating specific files on the infected devices.[9]

S0549 SilkBean

SilkBean can get file lists on the SD card.[3]

S0558 Tiktok Pro

Tiktok Pro can list all hidden files in the /DCIM/.dat/ directory.[10]

G0112 Windshift

Windshift has included file enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.[11]

Mitigations

ID Mitigation Description
M1006 Use Recent OS Version

Security architecture improvements in each new version of Android and iOS make it more difficult to escalate privileges. Additionally, newer versions of Android have strengthened the sandboxing applied to applications, restricting their ability to enumerate file system contents.

Detection

ID Data Source Data Component Detects
DS0042 User Interface Permissions Request

On Android, the user is presented with a permissions popup when an application requests access to external device storage.
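As an added example (not part of the ATT&CK page), the following Python check inspects a decoded AndroidManifest.xml for the declarations that let an app enumerate shared (external) storage broadly, which is where the permission prompt above and the scoped-storage mitigation both apply. The permission and attribute names are real Android identifiers; the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names that widen an app's view of shared (external) storage.
BROAD_STORAGE = {"android.permission.MANAGE_EXTERNAL_STORAGE"}  # "All files access": opts out of scoped storage
SHARED_STORAGE = {
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES", "android.permission.READ_MEDIA_VIDEO",
    "android.permission.READ_MEDIA_AUDIO",
}

def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def audit_manifest(manifest_xml: str) -> dict:
    """Return the package name, requested storage permissions, whether the app opts out
    of scoped storage via requestLegacyExternalStorage, and a coarse risk level."""
    root = ET.fromstring(manifest_xml)
    requested = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for perm in root.iter(tag):
            name = _attr(perm, "name")
            if name in BROAD_STORAGE or name in SHARED_STORAGE:
                requested.append(name)
    app = root.find("application")
    legacy = app is not None and _attr(app, "requestLegacyExternalStorage") == "true"
    if legacy or any(p in BROAD_STORAGE for p in requested):
        risk = "high"    # can walk all of shared storage, not just its own files
    elif requested:
        risk = "medium"  # scoped or media-typed access; still sees shared media collections
    else:
        risk = "none"
    return {"package": root.get("package"), "permissions": sorted(requested),
            "legacy_external_storage": legacy, "risk": risk}

# Constructed sample: a "flashlight" app asking for all-files access and opting out of scoped storage.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Flashlight" android:requestLegacyExternalStorage="true"/>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SUSPECT_MANIFEST))
```

A storage permission that has no relation to the app's stated purpose is the manifest-level counterpart of the runtime prompt the user sees; reviewing it before installation or during app vetting catches the request without relying on the user to refuse it.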

References