File and Directory Discovery

§ Where this technique fits

§ Dossiers chaining this technique

• LoRaWAN replay → spoof environmental sensor

  Capture LoRaWAN uplinks from a target sensor. Devices that reset FCnt on reboot accept replayed frames — feed false readings into the upstream IoT platform.

  step 2 / 5

• User foothold → keychain dump → cloud creds

  Standard user shell on macOS. Brute the login.keychain master via ChainBreaker / a keylogged password; dump all entries — Safari saved creds, AWS keys, Slack tokens, SSO cookies.

  step 2 / 5

• SUID binary → root via GTFOBins

  Find an unusual SUID binary (find / nmap / vim / awk / less), check GTFOBins for the privilege-escalation primitive, spawn a root shell.

  step 2 / 5

• BLE eavesdrop + replay → smart lock open

  Smart lock uses BLE Just-Works pairing + plaintext 'unlock' opcode. Sniff once with a nRF52 in monitor mode, replay later from a $10 device.

  step 3 / 5

• Exported ContentProvider → private data leak

  App exports a ContentProvider for legitimate inter-app integration but forgets to enforce grantUri / signature permissions — a rogue installed app reads private auth tokens.

  step 3 / 6

• Evil maid → sniff TPM unseal → decrypt BitLocker offline

  Brief physical access to a TPM-only BitLocker laptop. Plug a logic analyser onto the LPC / SPI bus; capture the FVEK as the TPM unseals it at boot. Take the disk home, decrypt offline.

  step 4 / 6

§ What commonly comes next

1. 01
   BLE Replay

   IOT-BLE-REPLAY · Lateral Movement
   seen 1×
2. 02
   LoRaWAN Replay / FCnt Reset

   OT-LORAWAN-REPLAY · Impact
   seen 1×
3. 03
   SUID Binary Abuse

   L-SUID-ABUSE · Privilege Escalation
   seen 1×
4. 04
   Unsecured Credentials

   T1552 · Credential Access
   seen 1×
5. 05
   Valid Accounts

   T1078 · Initial Access
   seen 1×
6. 06
   macOS Keychain Dump

   MAC-KEYCHAIN-DUMP · Credential Access
   seen 1×