T1005: Data from Local System

Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.

Adversaries may do this using a Command and Scripting Interpreter, such as cmd as well as a Network Device CLI, which have functionality to interact with the file system to gather information. Adversaries may also use Automated Collection on the local system.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

- supply_chain: PT-CR-1760: SupplyChain_Sensitive_File_Access: A user accessed a JFrog Artifactory system file containing sensitive information or changed a TeamCity build configuration
- mongo_database: PT-CR-528: MongoDB_Dump_Collection: An attempt to create a collection dump
- mongo_database: PT-CR-529: MongoDB_Dump_Database: An attempt to create a database dump
- vsphere_suspicious_user_activity: PT-CR-515: Downloading_Files_Of_Critical_VM: Files from a security-critical virtual machine are copied
- mssql_database: PT-CR-418: MSSQL_Pattern_Search_Usage: An attempt to get information from database service tables using a pattern
- unix_mitre_attck_collection: PT-CR-1684: Unix_Suspicious_Home_Read: A user read a file from another user's home directory
- unix_mitre_attck_collection: PT-CR-1685: Unix_Sensitive_File_Read: Sensitive Unix files were read
- vulnerabilities: PT-CR-2405: CVE_2024_24919_CheckPoint_Information_Disclosure: Exploitation of the CVE-2024-24919 vulnerability, which allows attackers to read any file on Check Point firewall devices without authorization. The vulnerability affects Check Point software with the IPSec VPN, Remote Access VPN, and Mobile Access blades enabled.
- sap_attack_detection: PT-CR-162: SAPASABAP_View_Critical_Tables: A critical table is viewed in SAP
- sap_attack_detection: PT-CR-153: SAPASABAP_Download_Critical_Info: Import of critical information to a file
- mysql_database: PT-CR-2304: MySQL_File_System_Actions: Interaction of the MySQL database with the file system may indicate reconnaissance or an attempt by an attacker to escalate privileges, unless this is the database's standard integration with external systems
- mitre_attck_collection: PT-CR-500: Documents_Access_Via_Console: A user interacts with Office documents using cmd.exe or PowerShell
- mitre_attck_collection: PT-CR-1932: Copying_Files: Copying files and folders using the xcopy and robocopy utilities, the copy command, or the Copy-Item cmdlet
- sap_suspicious_user_activity: PT-CR-236: SAPASABAP_Download_Bytes: Data download
- sap_suspicious_user_activity: PT-CR-237: SAPASABAP_Download_Bytes_period: Data download
- clickhouse: PT-CR-1562: ClickHouse_Pattern_Search: An attempt to perform a regular expression search on table and column names is detected
- mitre_attck_cred_access: PT-CR-600: Esentutil_Copy_File: The "esentutl" utility is started
- profiling: PT-CR-2204: Critical_File_Access: A user accessed a critical file

Detection

ID: DS0009 | Data source and component: Process: OS API Execution | Description:

Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

ID: DS0012 | Data source and component: Script: Script Execution | Description:

Any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

ID: DS0022 | Data source and component: File: File Access | Description:

Monitor for unexpected or abnormal access to files that may indicate malicious collection of local data, such as user files (.pdf, .docx, .jpg, etc.) or local databases.
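As an added example, not part of this page or the MaxPatrol rule set, the following Python script applies two file-access rules in the spirit of Unix_Suspicious_Home_Read and Unix_Sensitive_File_Read to constructed, auditd-style read records; the sensitive-file patterns and the accounts allowed to read other users' home directories are assumptions.

```python
import re
from pathlib import PurePosixPath

# Constructed Linux file-access records (auditd-style, reduced to the fields used here); sample data.
SAMPLE_RECORDS = [
    {"user": "alice", "path": "/home/alice/notes.txt", "op": "read"},
    {"user": "bob", "path": "/home/alice/.ssh/id_ed25519", "op": "read"},
    {"user": "carol", "path": "/etc/shadow", "op": "read"},
    {"user": "root", "path": "/etc/shadow", "op": "read"},
    {"user": "backup", "path": "/home/alice/Documents/report.odt", "op": "read"},
    {"user": "backup", "path": "/home/alice/.bash_history", "op": "read"},
]

SENSITIVE_SYSTEM_FILES = {"/etc/shadow", "/etc/gshadow", "/etc/sudoers"}
# Files in a home directory whose contents matter more than ordinary documents (assumed set)
SENSITIVE_HOME_FILES = re.compile(r"^/home/[^/]+/(\.ssh/.*|\.gnupg/.*|\.bash_history)$")
# Assumption: accounts allowed to read other users' ordinary files (e.g. a backup agent)
CROSS_HOME_ALLOWLIST = {"root", "backup"}

def home_owner(path):
    """Return the account that owns a /home/<user>/... path, or None outside /home."""
    parts = PurePosixPath(path).parts  # e.g. ('/', 'home', 'alice', 'notes.txt')
    return parts[2] if len(parts) > 2 and parts[1] == "home" else None

def classify(record):
    """Return the rule names a single read record matches (empty list when benign)."""
    if record["op"] != "read":
        return []
    user, path = record["user"], record["path"]
    owner = home_owner(path)
    hits = []
    # Reading inside someone else's home directory, unless the reader is allowlisted
    if owner and owner != user and user not in CROSS_HOME_ALLOWLIST:
        hits.append("suspicious_home_read")
    # Sensitive content: protected system files read by non-root, or another user's key material
    if (path in SENSITIVE_SYSTEM_FILES and user != "root") or (
        SENSITIVE_HOME_FILES.match(path) and owner != user
    ):
        hits.append("sensitive_file_read")
    return hits

def detect(records):
    """Return (user, path, matched rules) for every record on which a rule fires."""
    scored = ((r["user"], r["path"], classify(r)) for r in records)
    return [(u, p, rules) for u, p, rules in scored if rules]

if __name__ == "__main__":
    for user, path, rules in detect(SAMPLE_RECORDS):
        print(f"{user} read {path}: {', '.join(rules)}")
```

Note that the allowlist only covers ordinary files: the backup account reading another user's .bash_history still fires the sensitive-file rule.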

ID: DS0017 | Data source and component: Command: Command Execution | Description:

Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
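As an added example, not part of this page or the MaxPatrol rule set, the following Python script applies command-execution rules modelled on Copying_Files, Esentutil_Copy_File and Documents_Access_Via_Console to constructed process-creation events; the document extensions, host process names and sample command lines are assumptions.

```python
import ntpath
import re

# Constructed Windows process-creation events (Sysmon Event ID 1 style); sample data, not real telemetry.
SAMPLE_EVENTS = [
    {"user": "CORP\\alice", "image": r"C:\Windows\System32\xcopy.exe",
     "cmdline": r'xcopy "C:\Users\alice\Documents\*.docx" D:\staging\ /S /Y'},
    {"user": "CORP\\bob", "image": r"C:\Windows\System32\esentutl.exe",
     "cmdline": r"esentutl.exe /y C:\Users\bob\Outlook\mail.pst /d C:\tmp\m.pst"},
    {"user": "CORP\\carol", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c type "C:\Users\carol\Desktop\salaries.xlsx"'},
    {"user": "CORP\\dave", "image": r"C:\Windows\System32\robocopy.exe",
     "cmdline": r"robocopy C:\Build\out \\fileserver\drop /MIR"},
    {"user": "CORP\\erin", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -c "Copy-Item C:\Users\erin\Documents\*.pdf E:\"'},
]

COPY_UTILITIES = {"xcopy.exe", "robocopy.exe"}
CONSOLE_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOC_EXT = re.compile(r"\.(docx?|xlsx?|pptx?|pdf)\b", re.I)  # assumed document extensions
COPY_VERB = re.compile(r"(?<![\w-])(copy-item|xcopy|robocopy|copy|cp)(?![\w-])", re.I)

def classify(event):
    """Return the names of the rules an event matches (empty list when nothing fires)."""
    image = ntpath.basename(event["image"]).lower()  # ntpath parses Windows paths on any OS
    cmd = event["cmdline"]
    docs = DOC_EXT.search(cmd) is not None
    hits = []
    # Bulk copy tooling (xcopy/robocopy, or copy/Copy-Item from a shell) aimed at user documents
    if docs and (image in COPY_UTILITIES or (image in CONSOLE_HOSTS and COPY_VERB.search(cmd))):
        hits.append("copy_utility_user_documents")
    if image == "esentutl.exe" and re.search(r"(^|\s)/y(\s|$)", cmd, re.I):
        hits.append("esentutl_copy_file")  # copy mode (/y) reads files unrelated to ESE databases
    if docs and image in CONSOLE_HOSTS:
        hits.append("documents_via_console")  # documents handled from a shell, not an Office app
    return hits

def detect(events):
    """Return (user, matched rules) for every event on which at least one rule fires."""
    scored = ((e["user"], classify(e)) for e in events)
    return [(user, rules) for user, rules in scored if rules]

if __name__ == "__main__":
    for user, rules in detect(SAMPLE_EVENTS):
        print(f"{user}: {', '.join(rules)}")
```

The robocopy event in the sample is deliberately benign (build output to a file share, no document extensions) to show that the copy rule keys on what is copied, not merely on the tool.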

For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

ID: DS0009 | Data source and component: Process: Process Creation | Description:

Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

Mitigation

ID: M1057 | Name: Data Loss Prevention | Description:

Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted.