T1005: Data from Local System
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Adversaries may do this using a Command and Scripting Interpreter, such as cmd, or a Network Device CLI, both of which can interact with the file system to gather information. Adversaries may also use Automated Collection on the local system.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_cred_access: PT-CR-600: Esentutil_Copy_File: The "esentutil" utility is started
mitre_attck_collection: PT-CR-500: Documents_Access_via_Console: A user interacts with Office documents using cmd.exe or PowerShell
vsphere_suspicious_user_activity: PT-CR-515: Downloading_files_of_critical_VM: Files from a security-critical virtual machine are copied
supply_chain: PT-CR-1760: SupplyChain_Sensitive_File_Access: A user accessed a JFrog Artifactory system file containing sensitive information or changed a TeamCity build configuration
mitre_attck_collection: PT-CR-1932: Copying_Files: Copying files and folders using xcopy and robocopy utilities, copy command, Copy-Item cmdlet
sap_suspicious_user_activity: PT-CR-236: SAPASABAP_Download_bytes: Data download
sap_suspicious_user_activity: PT-CR-237: SAPASABAP_Download_bytes_period: Data download
vulnerabilities: PT-CR-2405: CVE_2024_24919_CheckPoint_Information_Disclosure: Exploitation of the CVE-2024-24919 vulnerability that allows attackers to read any files on Check Point firewall devices without authorization. The vulnerability is in Check Point software with the IPSec VPN, Remote Access VPN, and Mobile Access blades enabled.
unix_mitre_attck_collection: PT-CR-1684: Unix_Suspicious_Home_Read: A user read a file from another user's home directory
unix_mitre_attck_collection: PT-CR-1685: Unix_Sensitive_File_Read: Sensitive Unix files were read
mssql_database: PT-CR-418: MSSQL_pattern_search_usage: An attempt to get information from database service tables using a pattern
mongo_database: PT-CR-528: MongoDB_dump_collection: An attempt to create a collection dump
mongo_database: PT-CR-529: MongoDB_dump_database: An attempt to create a database dump
clickhouse: PT-CR-1562: ClickHouse_pattern_search: An attempt to perform a regular expression search on table and column names is detected
sap_attack_detection: PT-CR-153: SAPASABAP_Download_critical_info: Import of critical information to a file
sap_attack_detection: PT-CR-162: SAPASABAP_View_critical_tables: A critical table is viewed in SAP
profiling: PT-CR-2204: Critical_File_Access: A user accessed a critical file
Detection
ID | Data source and component | Description
---|---|---
DS0012 | Script: Script Execution | Monitor for attempts to enable scripts running on a system; these would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
DS0022 | File: File Access | Monitor for unexpected or abnormal access to files that may indicate malicious collection of local data, such as user files (.pdf, .docx, .jpg, etc.) or local databases.
DS0009 | Process: Process Creation | Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
DS0009 | Process: OS API Execution | Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
DS0017 | Command: Command Execution | Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.
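The Process Creation and Command Execution data sources above, together with the rule descriptions for PT-CR-600 (esentutl started), PT-CR-500 (Office documents handled from cmd.exe or PowerShell) and PT-CR-1932 (xcopy, robocopy, the copy command, Copy-Item), describe detections that can be expressed as simple checks over process-creation telemetry. The following is an added illustration written for this page, not MaxPatrol SIEM rule content or code from Positive Technologies: it classifies constructed Sysmon/4688-style events (image, parent image, command line) against those three patterns. The event field names, label strings and sample records are assumptions made for the example.

```python
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Process images treated as consoles, and the bulk-copy utilities named in PT-CR-1932.
CONSOLE_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
COPY_UTILITIES = {"xcopy.exe", "robocopy.exe"}

# cmd built-in "copy" as a standalone word (does not match "xcopy", "robocopy" or "Copy-Item").
COPY_CMD_RE = re.compile(r"(?<![\w-])copy(?![\w-])", re.IGNORECASE)
# PowerShell Copy-Item cmdlet.
COPY_ITEM_RE = re.compile(r"\bcopy-item\b", re.IGNORECASE)
# Office document extensions referenced on a command line.
OFFICE_RE = re.compile(r"\.(?:docx?|xlsx?|pptx?)(?!\w)", re.IGNORECASE)

# Constructed sample events (field names are assumptions for this example, not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\xcopy.exe",
     "command_line": r'xcopy "C:\Users\alice\Documents" D:\staging /s /e /h',
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\esentutl.exe",
     "command_line": r"esentutl.exe /y C:\data\archive.edb /d C:\temp\archive_copy.edb",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -NoProfile -Command "Copy-Item C:\Users\alice\Documents\*.xlsx D:\staging"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c type C:\Finance\budget.docx",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"svchost.exe -k netsvcs",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\robocopy.exe",
     "command_line": r"robocopy.exe C:\Projects D:\backup /MIR",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for image comparisons."""
    return PureWindowsPath(path).name.lower()


def classify_event(event: dict) -> list[str]:
    """Return the detection labels that apply to one process-creation event."""
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent_image", ""))
    cmdline = event.get("command_line", "")
    labels: list[str] = []

    # Starting esentutl at all is the trigger (cf. PT-CR-600 on the page).
    if image == "esentutl.exe":
        labels.append("esentutl_started")

    # Bulk-copy utilities, the cmd "copy" built-in, or Copy-Item (cf. PT-CR-1932).
    if image in COPY_UTILITIES:
        labels.append("copy_utility")
    elif image in CONSOLE_IMAGES and (COPY_CMD_RE.search(cmdline) or COPY_ITEM_RE.search(cmdline)):
        labels.append("copy_command")

    # Office documents handled from a console, or by a child of one (cf. PT-CR-500).
    if (image in CONSOLE_IMAGES or parent in CONSOLE_IMAGES) and OFFICE_RE.search(cmdline):
        labels.append("office_doc_via_console")

    return labels


def detect(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run the classifier over a batch; return (index, labels) for events that fired."""
    return [(i, labels) for i, ev in enumerate(events) if (labels := classify_event(ev))]


if __name__ == "__main__":
    for index, labels in detect(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(labels)} <- {SAMPLE_EVENTS[index]['command_line']}")
```

Events 0 to 3 and 6 fire, while the svchost and notepad records do not. In a real deployment the interesting tuning is around the console checks: the copy built-in and Office-extension matches are cheap but noisy on administrator and developer hosts, which is why the page's rules pair them with user and host context rather than firing on the command line alone.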
Mitigation
ID | Name | Description
---|---|---
M1057 | Data Loss Prevention | Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted.