Data from Local System

Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system.

Local system data includes information stored by the operating system. Access to local system data often requires escalated privileges (e.g. root access). Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos.

ID: T1533
Tactic Type: Post-Adversary Device Access
Tactic: Collection
Platform: Android, iOS
Version: 1.0

Procedure Examples

Name Description
Exodus

Exodus Two can extract information on pictures from the Gallery, Chrome and SBrowser bookmarks, and the connected WiFi network's password.[7]

FlexiSpy

FlexiSpy can monitor device photos and can also access browser history and bookmarks.[1]

Gooligan

Gooligan steals authentication tokens that can be used to access data from multiple Google applications.[2]

Gustuff

Gustuff can capture files and photos from the compromised device. [5]

Monokle

Monokle can retrieve the salt used when storing the user’s password, aiding an adversary in computing the user’s plaintext password/PIN from the stored password hash. Monokle can also capture the user’s dictionary, user-defined shortcuts, and browser history, enabling profiling of the user and their activities.[6]

RCSAndroid

RCSAndroid can collect passwords for Wi-Fi networks and online accounts, including Skype, Facebook, Twitter, Google, WhatsApp, Mail, and LinkedIn.[8]

SpyNote RAT

SpyNote RAT can copy files from the device to the C2 server.[4]

Stealth Mango

Stealth Mango collected and exfiltrated data from the device, including sensitive letters/documents, stored photos, and stored audio files.[3]

Tangelo

Tangelo accesses browser history, pictures, and videos.[3]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Accessing data from the local system can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

References