T1005 Data from Local System

This diagnostic statement protects against Data from Local System through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.

This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring.

The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services.

This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.

This vulnerability is exploited by sending a crafted XML document that references external entities with the likely goal of accessing local data.

CVE-2019-13608 is a an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information.

This vulnerability is exploited by an unprivileged attacker by conducting malicious activity in GPU memory, gaining access to already freed memory. If successful, the threat actor could escalate their privileges to root as well as gain access to sensitive information. Detailed information about how adversaries exploit the GPU are not publicly available.

This vulnerability is exploited using a malicious-crafted word document attached to spearphishing emails. Adversaries have been seen to leverage this to install exploit code from their command & control server. This malware then performs data collection on the target systems.

CVE-2023-34362 is a SQL injection vulnerability in a public-facing application. Adversaries have been observed to exploit this vulnerability to install malicious software on a target system, enabling them to discover system settings and information, enumerate the underlying SQL database, retrieve files, create administrator accounts, and delete accounts.

CVE-2021-27101 is a SQL injection vulnerability in Accellion File Transfer Appliance that allows an adversary to execute SQL commands.

CVE-2021-27103 is a server-side request forgery vulnerability in Accellion File Transfer Appliance in Accellion that allows an adversary to manipulate server requests via a crafted POST request.

Attackers can use malicious Human Interface Devices (keyboard, mouse, etc.) to trigger a kernel-level memory leak due to improper initialization and use of uninitialized resources. This leads to the returning of the uninitialized kernel data, which can be collected and exfiltrated.

CVE-2024-4978 is a vulnerability where compromised software is signed and hosted on the legitimate software distribution website. Adversaries have been observed to use this backdoored software to install additional tools on target machines. The adversary-installed software establishing persistent communications with a command-and-control (C2) server using Windows sockets and WinHTTP requests. Once successfully connected, it transmits data about the compromised host, including hostname, operating system details, processor architecture, program working directory and the user name to the C2.

CVE-2024-23692 is a OS command injection vulnerability within the HTTP File Server (HFS) process for Rejetto. It has been reported to be exploited by threat actors to deploy cryptomining malware, install backdoors, Remote Access Trojans (RATs), and other malware like “GoThief” to exfiltrate sensitive data.

This exploit is part of a chain of exploits (with CVE-2025-0108 and CVE-2024-9474) that can end with an attacker gaining root access to the system. After bypassing authentication with CVE-2025-0108, the attacker can exploit this to gain read access to system files with "nobody" privileges.

Improper escaping in Apache HTTP Server versions 2.4.59 and before permits code execution or disclosure of source code, as well as session hijacking and a potential full system compromise. An attacker can use a crafted URL to perform a traversal attack to trick the Apache server into reading sensitive files.

TeleMessage TM SNGL utilizes a JavaServer Pages framework which improperly handles content in heaps and making them functionally the same as a core dump file. Attackers with local access can use this to obtain sensitive information, including credentials.

TeleMessage TM SNGL's Spring Boot Actuator exposes the /heapdump endpoint publicly, allowing an unauthenticated attacker to access it.

CVE-2019-5591 is a default configuration vulnerability in Fortinet's FortiOS, specifically affecting the FortiGate SSL VPN. This vulnerability allows an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating a Lightweight Directory Access Protocol (LDAP) server.

CVE-2021-27104 is an operating system command injection vulnerability in Accellion File Transfer Appliance in that allows an adversary to execute commands by sending a specially crafted POST request to the product's administrative endpoint.

CVE-2021-27102 is an operating system command execution vulnerability in Accellion File Transfer Appliance that allows an adversary to execute arbitrary commands via a local web service call.

This is a buffer overflow vulnerability that results in unauthorized disclosure of memory, including session tokens.

Exploiting this buffer overflow vulnerability could lead to an adversary gaining elevated privileges on the machine, leading to the potential for process injection using malicious code, as well as data loss.

CVE-2023-38831 is a vulnerability within the crafred archive process of WinRAR that occurs when a user attempts to open a seemingly legitimate document within a compromised archive, the vulnerability allows the attacker to execute arbitrary code on the system via a specially prepared archive. There have been public reports on the FROZENLAKE spear-phishing campaign, FROZENBARENTS, and ISLANDDREAMS leveraging this vulnerability.

This remote code execution vulnerability in Microsoft Office has been exploited by adversarial groups to distribute ransomware. Attackers use specially crafted Microsoft Office documents to bypass security features, enabling remote code execution without user prompts. These documents are typically delivered through phishing techniques, enticing victims to open them. Once opened, the ransomware encrypts files and demands a ransom for decryption, while also removing system backups and leaving a ransom note threatening data loss if recovery is attempted without the provided decryptor key. The ransomware further erases system logs and may publish stolen data on leak websites, leading to unauthorized access to sensitive information and potential installation of backdoors for further exploitation. Microsoft addressed this vulnerability in their security updates by introducing measures to make file paths unpredictable, thereby mitigating the exploit chain. Despite these updates, additional vulnerabilities in Microsoft Office and Windows were identified. Security solutions offer protection against these exploits, and findings are shared with cybersecurity alliances to enhance collective defense efforts. This vulnerability has been exploited by the Russian group Storm-0978, also known as RomCom, who craft specially designed Microsoft Office documents related to the Ukrainian World Congress. These documents bypass Microsoft's Mark-of-the-Web (MotW) security feature, enabling remote code execution without security prompts. The adversary used phishing techniques to deliver these documents, enticing victims to open them. Once opened, the ransomware, known as Underground, executes, encrypting files and demanding a ransom for decryption. The ransomware further removes shadow copies, terminates MS SQL Server services, and leaves a ransom note threatening data loss if recovery is attempted without their decryptor key. It also erases Windows Event logs and publishes stolen victim data on a data leak website, causing unauthorized access to sensitive information and potential installation of backdoors for further exploitation.

CVE-2021-26855, also known as ProxyLogon, allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.

CVE-2020-5902—an RCE vulnerability in the BIG-IP Traffic Management User Interface (TMUI)—to take control of victim systems. On June 30, F5 disclosed CVE-2020-5902, stating that it allows attackers to, “execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.” - CISA Advisory

CVE-2019-11634 is a remote code execution vulnerability for Citrix Workspace Application and Receiver for Windows

CVE-2017-5638 is a remote code execution vulnerability in Apache Struts Jakarta Multipart versions that allows for malicious file upload using Content-Type, Content-Disposition, or Content-Length HTTP headers during file-upload attempts leading to an attacker to execute arbitrary commands. This CVE was known to be exploited during the Equifax breach.

CVE-2024-5217 is an input validation vulnerability that could enable an unauthenticated user to remotely execute code within the context of the ServiceNow Platform due to incomplete input validation in a GlideExpression Script. Organizations often use the ServiceNow platform to host sensitive data about their employees, including their personally identifiable information and HR records related to their employment.

CVE-2024-4879 is a Template Injection Vulnerability in ServiceNow UI Macros. When ServiceNow instances are installed public-facing instead of internally, they can be exploited for arbitrary code execution. Adversaries have been observed selling data exfiltrated through this exploit.

A zero-click attack leveraging this vulnerability involves sending a maliciously crafted photo or video in an iCloud link via the Messages app. Reports indicate that the targeted devices are then compromised with Paragon's Graphite spyware.

This vulnerability, present in VMWare ESXi, Workstation, and Fusion, is the result of an out-of-bounds read in the Host Guest File System (HGFS) and can be exploited by attackers with administrative privileges to disclose sensitive information from the VMX process. An attacker could then move into the hypervisor itself.

This vulnerability is facilitated by the insertion of information into log files, which could lead to the disclosure of said sensitive information through an attack. In order to exploit this vulnerability, an attacker needs physical access to the system, such as the ability to mount an external drive.

By crafting a malicious USB audio device, an attacker can trigger an out-of-bounds read error in the kernel, potentially exposing sensitive kernel information.

CVE-2020-8193 is an Authorization Bypass vulnerability in Citrix ADC, Gateway, and SD-WAN WANOP Appliance in various versions allows attacker to bypass authentication mechanisms via crafted requests.

CVE-2024-24919 is an information disclosure/arbitrary file read vulnerability within Check Point's Quantum Security Gateway products. It's been reported that attacker are leveraging this vulnerability to retrieve, all files on the local file system, read sensitive data and extract credentials for all local accounts, including Active Directory, SSH keys, and certificates.

This vulnerability is exploited through an unauthenticated information disclosure flaw in the Graph API extension of ownCloud. Attackers first used this vulnerability to gain initial access by targeting the /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php endpoint, which allowed them to leak sensitive information via the PHP function phpinfo. By modifying the requested URI to bypass Apache web server rewrite rules, attackers could access environment variables containing secrets, such as usernames, passwords, and license keys.

This vulnerability allows viewing of restricted resources via a pre-authorization arbitrary file read vulnerability.

CVE-2020-8196 is an information disclosure in Citrix ADC, Gateway, and SD-WAN WANOP Appliance which allows attacker to access sensitive information via crafted requests.

CVE-2020-8195 is an information disclosure in Citrix ADC, Gateway, and SD-WAN WANOP Appliance which allows attacker to access sensitive information via crafted requests.

CVE-2019-1653 is a critical information disclosure vulnerability affecting Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers. This vulnerability allows unauthenticated, remote attackers to access sensitive information from affected devices.

CVE-2018-0296 is a critical vulnerability in the web interface of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software. This vulnerability allows an unauthenticated, remote attacker to perform directory traversal attacks and access sensitive system information.

CVE-2020-3452 is a vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system.

This is an exploitation of a public-facing server due to password misconfiguration. Exploitation allows attackers to access restricted directories

Due to improper input sanitization, a user with administrative credentials can access and read arbitrary files on the MiCollab server.

An unauthenticated attacker can send a request to the NAKIVO Backup & Replication endpoint that contains a path to a sensitive file, leading to arbitrary file read.

This path traversal vulnerability can lead to privilege escalation on MiCollab, which can then lead to other exploits such as CVE-2024-55550.

This path traversal vulnerability in D-Link DIR-859 WiFi routers can lead to information disclosure, such as configuration files. As these devices are end-of-life, the manufacturer has no intention of patching this.

This directory traversal vulnerability, if exploited using a malicious payload in an HTTP GET request, allows an unauthenticated attacker to access and read arbitrary files, leading to potential exfiltration/disclosure.

This control may provide recommendations that limit the ability of an attacker to gain access to a host from a container, preventing the attacker from discovering and compromising local system data.

This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Exfiltration modules on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.