T1005: Data from Local System
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Adversaries may do this using a Command and Scripting Interpreter, such as cmd, or a Network Device CLI, both of which have functionality to interact with the file system to gather information. Adversaries may also use Automated Collection on the local system.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_collection: PT-CR-1932: Copying_Files: Copying files and folders using the xcopy and robocopy utilities, the copy command, or the Copy-Item cmdlet
mitre_attck_collection: PT-CR-500: Documents_Access_Via_Console: A user interacts with Office documents using cmd.exe or PowerShell
profiling: PT-CR-2204: Critical_File_Access: A user accessed a critical file
netflow: PT-CR-2919: Netflow_Large_File_Transfer: A large amount of data was sent from a host. This may indicate data collection.
netflow: PT-CR-2920: Netflow_SMB_Anomaly: Suspicious SMB traffic from a host that is not a domain controller, router, or switch. Attackers can use SMB to further penetrate the network and gain access to sensitive data.
sap_attack_detection: PT-CR-162: SAPASABAP_View_Critical_Tables: A critical table is viewed in SAP
sap_attack_detection: PT-CR-153: SAPASABAP_Download_Critical_Info: Import of critical information to a file
sap_suspicious_user_activity: PT-CR-236: SAPASABAP_Download_Bytes: Data download
sap_suspicious_user_activity: PT-CR-237: SAPASABAP_Download_Bytes_period: Data download
clickhouse: PT-CR-1562: ClickHouse_Pattern_Search: An attempt to perform a regular expression search on table and column names is detected
mitre_attck_cred_access: PT-CR-600: Esentutil_Copy_File: The "esentutil" utility is started
elasticsearch: PT-CR-2733: Elasticsearch_Upload_Backup: An Elasticsearch database backup was transferred to a remote host
mongo_database: PT-CR-529: MongoDB_Dump_Database: An attempt to create a database dump
mongo_database: PT-CR-528: MongoDB_Dump_Collection: An attempt to create a collection dump
mysql_database: PT-CR-2304: MySQL_File_System_Actions: Interaction of the MySQL database with the file system may indicate reconnaissance or an attempt by an attacker to escalate privileges, unless it is the database's standard integration with external systems
supply_chain: PT-CR-1760: SupplyChain_Sensitive_File_Access: A user accessed a JFrog Artifactory system file containing sensitive information or changed a TeamCity build configuration
mssql_database: PT-CR-418: MSSQL_Pattern_Search_Usage: An attempt to get information from database service tables using a pattern
vsphere_suspicious_user_activity: PT-CR-515: Downloading_Files_Of_Critical_VM: Files from a security-critical virtual machine are copied
capabilities_data_access: PT-CR-2883: CAP_Access_to_Sensitive_Data: Access to a file containing sensitive information in application software. An attacker with access to such data can compromise its confidentiality, integrity, or availability.
capabilities_data_access: PT-CR-2900: CAP_Access_To_Sensitive_Database: Access to sensitive databases. An attacker can extract, modify, or delete sensitive data using stolen credentials, system vulnerabilities, or malicious queries.
vulnerabilities: PT-CR-2405: CVE_2024_24919_CheckPoint_Information_Disclosure: Exploitation of the CVE-2024-24919 vulnerability, which allows attackers to read any file on Check Point firewall devices without authorization. The vulnerability is in Check Point software with the IPSec VPN, Remote Access VPN, and Mobile Access blades enabled.
unix_mitre_attck_collection: PT-CR-1684: Unix_Suspicious_Home_Read: A user read a file from another user's home directory
unix_mitre_attck_collection: PT-CR-1685: Unix_Sensitive_File_Read: Sensitive Unix files were read
Detection
ID | Data source and component | Description
---|---|---
DS0012 | Script: Script Execution | Monitor for any attempts to enable scripts running on a system; such attempts would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
DS0017 | Command: Command Execution | Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.
DS0022 | File: File Access | Monitor for unexpected or abnormal access to files that may indicate malicious collection of local data, such as user files (.pdf, .docx, .jpg, etc.) or local databases.
DS0009 | Process: OS API Execution | Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
DS0009 | Process: Process Creation | Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
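As an added illustration of the Command Execution and Process Creation guidance above (this is example code, not Positive Technologies' rule content or MaxPatrol SIEM logic), the following Python applies the criteria of the Copying_Files, Documents_Access_Via_Console and Esentutil_Copy_File rule descriptions to constructed process-creation events. Field names, paths and users are assumptions; the Windows binary is esentutl.exe (the page spells the rule "esentutil"), and its /y switch copies a file.

```python
import re

# Constructed process-creation events (user, image path, command line), shaped like
# the fields of Windows event 4688 / Sysmon event 1. All values are made up.
SAMPLE_EVENTS = [
    {"user": "alice", "image": r"C:\Windows\System32\xcopy.exe",
     "cmdline": r'xcopy "C:\Users\alice\Documents" D:\staging /E /H /C'},
    {"user": "svc_build", "image": r"C:\Windows\System32\Robocopy.exe",
     "cmdline": r"robocopy \\fileserver\finance D:\tmp\out *.xlsx /S"},
    {"user": "bob", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -nop -c Copy-Item C:\HR\*.docx $env:TEMP"},
    {"user": "bob", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c copy "C:\Users\carol\Desktop\report.docx" C:\tmp'},
    {"user": "admin", "image": r"C:\Windows\System32\esentutl.exe",
     "cmdline": r"esentutl.exe /y C:\data\app.edb /d C:\tmp\app.edb"},
    {"user": "alice", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
]

COPY_TOOLS = {"xcopy.exe", "robocopy.exe"}
CONSOLES = {"cmd.exe", "powershell.exe"}
OFFICE_DOC = re.compile(r"\.(docx?|xlsx?|pptx?|pdf)\b", re.IGNORECASE)

def image_name(path):
    """Lower-cased file name of the executing image, e.g. 'robocopy.exe'."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Names of the rule descriptions above whose criteria this event satisfies."""
    img, cmd, hits = image_name(event["image"]), event["cmdline"], []
    # Copying_Files: xcopy/robocopy, cmd's built-in copy, or the Copy-Item cmdlet
    if (img in COPY_TOOLS
            or (img == "cmd.exe" and re.search(r"\bcopy\b", cmd, re.I))
            or (img == "powershell.exe" and re.search(r"\bcopy-item\b", cmd, re.I))):
        hits.append("Copying_Files")
    # Documents_Access_Via_Console: an Office/PDF document named on a console command line
    if img in CONSOLES and OFFICE_DOC.search(cmd):
        hits.append("Documents_Access_Via_Console")
    # Esentutil_Copy_File: esentutl.exe invoked with its /y (copy file) switch
    if img == "esentutl.exe" and re.search(r"(^|\s)/y(\s|$)", cmd, re.I):
        hits.append("Esentutil_Copy_File")
    return hits

def triage(events):
    """(user, image, matched rules) for every event that matches at least one rule."""
    return [(e["user"], image_name(e["image"]), hits)
            for e in events if (hits := classify(e))]

if __name__ == "__main__":
    for user, img, hits in triage(SAMPLE_EVENTS):
        print(f"{user:10} {img:16} {', '.join(hits)}")
```

The notepad event produces no hit, which is the expected baseline; in a real deployment the same logic would run over event 4688 or Sysmon event 1 command-line fields rather than a static list.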
Mitigation
ID | Name | Description
---|---|---
M1057 | Data Loss Prevention | Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted.