T1005 Data from Local System

Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.

Adversaries may do this using a Command and Scripting Interpreter, such as cmd as well as a Network Device CLI, which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use Automated Collection on the local system.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.IR-03.01 Alternative resilience mechanisms Mitigates T1005 Data from Local System
Comments
This diagnostic statement protects against Data from Local System through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
References
    PR.DS-01.01 Data-at-rest protection Mitigates T1005 Data from Local System
    Comments
    This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring.
    References
      PR.DS-01.02 Data loss prevention Mitigates T1005 Data from Local System
      Comments
      The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services.
      References
        PR.DS-10.01 Data-in-use protection Mitigates T1005 Data from Local System
        Comments
        This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
        References

          VERIS Mappings

          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
          action.malware.variety.Capture stored data Capture data stored on system disk related-to T1005 Data from Local System
          attribute.confidentiality.data_disclosure None related-to T1005 Data from Local System

          Azure Mappings

          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
          docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening technique_scores T1005 Data from Local System
          Comments
          This control may provide recommendations that limit the ability of an attacker to gain access to a host from a container, preventing the attacker from discovering and compromising local system data.
          References
          defender_for_app_service Microsoft Defender for Cloud: Defender for App Service technique_scores T1005 Data from Local System
          Comments
          This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Exfiltration modules on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
          References