Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Adversaries may do this using a Command and Scripting Interpreter, such as cmd, or a Network Device CLI, both of which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use Automated Collection on the local system.
Platforms
Mitigations (1)
| ID | Mitigation | Description |
|---|---|---|
| M1057 | Data Loss Prevention | Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted. |
Threat Groups (45)
| ID | Group | Context |
|---|---|---|
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has collected Office, PDF, and HWP documents from its victims.(Citation: Securelist Kimsuky Sept 2013... |
| G0060 | BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has exfiltrated files stolen from local systems.(Citation: Secureworks BRONZE BUTLER Oct 2017) |
| G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) uploaded sensitive files, information, and credentials from a targeted organization for extortion or ... |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used various tools to steal files from the compromised host.(Citation: Symantec Chafer February 201... |
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has collected data and files from a compromised machine.(Citation: Rapid7 HAFNIUM Mar 2021)(Citation:... |
| G0001 | Axiom | [Axiom](https://attack.mitre.org/groups/G0001) has collected data from a compromised network.(Citation: Novetta-Axiom) |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used PowerShell to upload files from compromised systems.(Citation: Trend Micro Earth Simnavaz Oct... |
| G1022 | ToddyCat | [ToddyCat](https://attack.mitre.org/groups/G1022) has run scripts to collect documents from targeted hosts.(Citation: Kaspersky ToddyCat Check Logs Oc... |
| G0124 | Windigo | [Windigo](https://attack.mitre.org/groups/G0124) has used a script to gather credentials in files left on disk by OpenSSH backdoors.(Citation: ESET Fo... |
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has searched local system resources to access sensitive documents.(Citation: CISA AA20-259A Iran-B... |
| G0138 | Andariel | [Andariel](https://attack.mitre.org/groups/G0138) has collected large numbers of files from compromised network systems for later extraction.(Citation... |
| G1039 | RedCurl | [RedCurl](https://attack.mitre.org/groups/G1039) has collected data from the local disk of compromised hosts.(Citation: group-ib_redcurl1)(Citation: g... |
| G0006 | APT1 | [APT1](https://attack.mitre.org/groups/G0006) has collected files from a local victim.(Citation: Mandiant APT1) |
| G0093 | GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) collected data from the victim's local system, including password hashes from the SAM hive in the Reg... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has stolen data from compromised hosts.(Citation: Mandiant APT29 Eye Spy Email Nov 22) |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has collected data and files from compromised networks.(Citation: Novetta Blockbuster)(Citation... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has collected files from infected systems and uploaded them to a C2 server.(Citation: ESET Ga... |
| G1030 | Agrius | [Agrius](https://attack.mitre.org/groups/G1030) gathered data from database and other critical servers in victim environments, then used wiping mechan... |
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has collected and exfiltrated payment card data from compromised systems.(Citation: Trend Micro FIN6 Oct... |
| G0143 | Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) captured local Windows security event log data from victim machines using the <code>wevtutil</c... |
Associated Software (169)
| ID | Name | Type | Context |
|---|---|---|---|
| S1196 | Troll Stealer | Malware | [Troll Stealer](https://attack.mitre.org/software/S1196) gathers information from infected systems such as SSH information from the victim's `.ssh` di... |
| S0238 | Proxysvc | Malware | [Proxysvc](https://attack.mitre.org/software/S0238) searches the local system and gathers data.(Citation: McAfee GhostSecret) |
| S0502 | Drovorub | Malware | [Drovorub](https://attack.mitre.org/software/S0502) can transfer files from the victim machine.(Citation: NSA/FBI Drovorub August 2020) |
| S0498 | Cryptoistic | Malware | [Cryptoistic](https://attack.mitre.org/software/S0498) can retrieve files from the local file system.(Citation: SentinelOne Lazarus macOS July 2020) |
| S0653 | xCaon | Malware | [xCaon](https://attack.mitre.org/software/S0653) has uploaded files from victims' machines.(Citation: Checkpoint IndigoZebra July 2021) |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) can use a variety of commands, including esentutl.exe to steal sensitive data from Internet Explorer... |
| S1043 | ccf32 | Malware | [ccf32](https://attack.mitre.org/software/S1043) can collect files from a compromised host.(Citation: Bitdefender FunnyDream Campaign November 2020) |
| S0567 | Dtrack | Malware | [Dtrack](https://attack.mitre.org/software/S0567) can collect a variety of information from victim machines.(Citation: CyberBit Dtrack) |
| S0239 | Bankshot | Malware | [Bankshot](https://attack.mitre.org/software/S0239) collects files from the local system.(Citation: McAfee Bankshot) |
| S0128 | BADNEWS | Malware | When it first starts, [BADNEWS](https://attack.mitre.org/software/S0128) crawls the victim's local drives and collects documents with the following ex... |
| S1064 | SVCReady | Malware | [SVCReady](https://attack.mitre.org/software/S1064) can collect data from an infected host.(Citation: HP SVCReady Jun 2022) |
| S0448 | Rising Sun | Malware | [Rising Sun](https://attack.mitre.org/software/S0448) has collected data and files from a compromised host.(Citation: McAfee Sharpshooter December 201... |
| S0197 | PUNCHTRACK | Malware | [PUNCHTRACK](https://attack.mitre.org/software/S0197) scrapes memory for properly formatted payment card data.(Citation: FireEye Fin8 May 2016)(Citati... |
| S0020 | China Chopper | Malware | [China Chopper](https://attack.mitre.org/software/S0020)'s server component can upload local files.(Citation: FireEye Periscope March 2018)(Citation: ... |
| S0022 | Uroburos | Malware | [Uroburos](https://attack.mitre.org/software/S0022) can use its `Get` command to exfiltrate specified files from the compromised system.(Citation: Joi... |
| S0340 | Octopus | Malware | [Octopus](https://attack.mitre.org/software/S0340) can exfiltrate files from the system using a documents collector tool.(Citation: ESET Nomadic Octop... |
| S0036 | FLASHFLOOD | Malware | [FLASHFLOOD](https://attack.mitre.org/software/S0036) searches for interesting files (either a default or customized set of file extensions) on the lo... |
| S0598 | P.A.S. Webshell | Malware | [P.A.S. Webshell](https://attack.mitre.org/software/S0598) has the ability to copy files on a compromised host.(Citation: ANSSI Sandworm January 2021) |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can collect data from a local system.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: Cobalt... |
| S0632 | GrimAgent | Malware | [GrimAgent](https://attack.mitre.org/software/S0632) can collect data and files from a compromised host.(Citation: Group IB GrimAgent July 2021) |
References
- Cisco. (2022, August 16). show running-config - Cisco IOS Configuration Fundamentals Command Reference. Retrieved July 13, 2022.
- Gyler, C., Perez, D., Jones, S., Miller, S. (2021, February 25). This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved February 17, 2022.
- US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
Frequently Asked Questions
What is T1005 (Data from Local System)?
T1005 is a MITRE ATT&CK technique named 'Data from Local System'. It belongs to the Collection tactic. Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to...
How can T1005 be detected?
Detection of T1005 (Data from Local System) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1005?
There is 1 documented mitigation for T1005: Data Loss Prevention.
Which threat groups use T1005?
Known threat groups using T1005 include: Kimsuky, BRONZE BUTLER, LAPSUS$, APT39, HAFNIUM, Axiom, OilRig, ToddyCat.