Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1789: Analytic 1789

Defender observes an app (bundle/process) performing large-scope directory listings or metadata reads via FileProvider/NSFileManager against user-visible containers (Files app locations, iCloud/On-My-iPhone) or external providers, with rapid traversal across many folders while the app is backgrounded or without corresponding UI activity (unifiedlogs:FileProvider, unifiedlogs:FileIO). Optional signals include Photo library or document picker bulk enumeration absent recent user gesture. Correlate on bundle/process/profile and path volume within a bounded window.

MobileAN1789AnalyticObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because it focuses on an iOS app rapidly enumerating user-visible storage locations such as Files app containers, iCloud, On-My-iPhone, external providers, Photos, or document picker-accessible content without clear user activity. For leaders, the decision value is whether mobile security monitoring can distinguish normal user-driven file browsing from suspicious bulk discovery of sensitive documents and media on managed iOS devices.

Executive priority

Prioritize this as a mobile data-exposure and incident-readiness question: do managed iOS devices produce enough evidence to show which app accessed broad user file locations, when it happened, and whether it aligned with user interaction? The business value is strongest for environments with sensitive documents on mobile devices, compliance requirements around data access evidence, or incident response needs involving iCloud, Files app storage, or third-party file providers.

Technical view

Validate whether iOS telemetry includes unified log evidence for FileProvider and FileIO activity tied to bundle, process, profile, path, volume, and timing. The analytic describes correlation of large-scope directory listings or metadata reads across many folders in a bounded window, especially while the app is backgrounded or without corresponding UI activity. SOC and detection teams should test whether they can correlate app state, user gesture context, and rapid traversal across user-visible containers; ATT&CK provides no separate detection procedure beyond the analytic description.

Likely telemetry

  • iOS unified logs related to FileProvider activity
  • iOS unified logs related to FileIO activity
  • Bundle identifier and process name for the accessing app
  • Device profile or management context where available
  • File path or container metadata for Files app, iCloud, On-My-iPhone, and external providers

Detection direction

  • Baseline normal file browsing and sync behavior by bundle/process to reduce false positives from legitimate file managers, cloud sync clients, document providers, and backup workflows.
  • Alert on rapid traversal or high-volume metadata reads across many folders within a bounded time window, especially when the app is backgrounded or lacks corresponding UI activity.
  • Correlate FileProvider and FileIO events by bundle/process/profile and path volume rather than relying on a single file-access event.
  • Review optional Photo library or document picker bulk enumeration only when user-gesture context is available enough to distinguish expected activity.
  • Document telemetry gaps: many mobile environments may not retain unified logs at the depth or duration needed for retrospective investigation.

Mitigation priorities

  • Confirm managed iOS logging, retention, and collection capabilities before relying on this analytic for incident response.
  • Limit sensitive document exposure on mobile devices where business workflows allow, especially in broadly accessible Files, iCloud, or third-party provider locations.
  • Review app approval, mobile device management, and data-access policies for apps that can interact with user-visible containers.
  • Use incident response playbooks that preserve device, app, bundle/process, profile, and relevant unified log evidence quickly due to likely retention limits.
  • For compliance readiness, map whether mobile file-access evidence is collectable and reviewable, not merely whether devices are enrolled.
Analyst notes and limits

This object is a mobile ATT&CK detection analytic for iOS, external ID AN1789, associated with MITRE detection strategy DET0682. It has no supplied tactic, technique relationship, or relationship context, so the take is limited to the official analytic description and external reference. The key analytic concept is abnormal breadth and speed of file or metadata enumeration, not isolated access to a single file.

No official detection field, tactic, technique relationship, mitigation mapping, or procedure examples were supplied. The guidance therefore cannot assert detection coverage, active exploitation, attribution, impact, or relevance to non-iOS platforms. Local validation is required to determine whether the necessary iOS unified logs, app state, path metadata, and user-gesture context are actually available.

Official MITRE ATT&CK definition

Analytic 1789

Defender observes an app (bundle/process) performing large-scope directory listings or metadata reads via FileProvider/NSFileManager against user-visible containers (Files app locations, iCloud/On-My-iPhone) or external providers, with rapid traversal across many folders while the app is backgrounded or without corresponding UI activity (unifiedlogs:FileProvider, unifiedlogs:FileIO). Optional signals include Photo library or document picker bulk enumeration absent recent user gesture. Correlate on bundle/process/profile and path volume within a bounded window.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
a8d99ceaa9a15b3a...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle a8d99ceaa9a1…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1789
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use