Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Adversaries may do this using a Command and Scripting Interpreter, such as cmd as well as a Network Device CLI, which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use Automated Collection on the local system.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1005 | Data from Local System |
Comments
This diagnostic statement protects against Data from Local System through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
References
|
| PR.DS-01.01 | Data-at-rest protection | Mitigates | T1005 | Data from Local System |
Comments
This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring.
References
|
| PR.DS-01.02 | Data loss prevention | Mitigates | T1005 | Data from Local System |
Comments
The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services.
References
|
| PR.DS-10.01 | Data-in-use protection | Mitigates | T1005 | Data from Local System |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-12 | Information Location | mitigates | T1005 | Data from Local System | |
| SA-08 | Security and Privacy Engineering Principles | mitigates | T1005 | Data from Local System | |
| SC-13 | Cryptographic Protection | mitigates | T1005 | Data from Local System | |
| SC-38 | Operations Security | mitigates | T1005 | Data from Local System | |
| CP-09 | System Backup | mitigates | T1005 | Data from Local System | |
| AC-23 | Data Mining Protection | mitigates | T1005 | Data from Local System | |
| SC-28 | Protection of Information at Rest | mitigates | T1005 | Data from Local System | |
| SI-03 | Malicious Code Protection | mitigates | T1005 | Data from Local System | |
| AC-16 | Security and Privacy Attributes | mitigates | T1005 | Data from Local System | |
| SI-04 | System Monitoring | mitigates | T1005 | Data from Local System | |
| AC-03 | Access Enforcement | mitigates | T1005 | Data from Local System | |
| AC-06 | Least Privilege | mitigates | T1005 | Data from Local System | |
| AC-02 | Account Management | mitigates | T1005 | Data from Local System |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1005 | Data from Local System | |
| attribute.confidentiality.data_disclosure | None | related-to | T1005 | Data from Local System |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | technique_scores | T1005 | Data from Local System |
Comments
This control may provide recommendations that limit the ability of an attacker to gain access to a host from a container, preventing the attacker from discovering and compromising local system data.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1005 | Data from Local System |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Exfiltration modules on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|