Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Adversaries may do this using a Command and Scripting Interpreter, such as cmd as well as a Network Device CLI, which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use Automated Collection on the local system.
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1005 | Data from Local System |
Comments
This diagnostic statement protects against Data from Local System through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
References
|
PR.DS-01.01 | Data-at-rest protection | Mitigates | T1005 | Data from Local System |
Comments
This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring.
References
|
PR.DS-01.02 | Data loss prevention | Mitigates | T1005 | Data from Local System |
Comments
The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services.
References
|
PR.DS-10.01 | Data-in-use protection | Mitigates | T1005 | Data from Local System |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-12 | Information Location | mitigates | T1005 | Data from Local System | |
SA-08 | Security and Privacy Engineering Principles | mitigates | T1005 | Data from Local System | |
SC-13 | Cryptographic Protection | mitigates | T1005 | Data from Local System | |
SC-38 | Operations Security | mitigates | T1005 | Data from Local System | |
CP-09 | System Backup | mitigates | T1005 | Data from Local System | |
AC-23 | Data Mining Protection | mitigates | T1005 | Data from Local System | |
SC-28 | Protection of Information at Rest | mitigates | T1005 | Data from Local System | |
SI-03 | Malicious Code Protection | mitigates | T1005 | Data from Local System | |
AC-16 | Security and Privacy Attributes | mitigates | T1005 | Data from Local System | |
SI-04 | System Monitoring | mitigates | T1005 | Data from Local System | |
AC-03 | Access Enforcement | mitigates | T1005 | Data from Local System | |
AC-06 | Least Privilege | mitigates | T1005 | Data from Local System | |
AC-02 | Account Management | mitigates | T1005 | Data from Local System |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CVE-2024-34102 | Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
This vulnerability is exploited by sending a crafted XML document that references external entities with the likely goal of accessing local data.
References
|
CVE-2019-13608 | Citrix StoreFront Server XML External Entity (XXE) Processing Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2019-13608 is a an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information.
References
|
CVE-2021-29256 | Arm Mali GPU Kernel Driver Use-After-Free Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
This vulnerability is exploited by an unprivileged attacker by conducting malicious activity in GPU memory, gaining access to already freed memory. If successful, the threat actor could escalate their privileges to root as well as gain access to sensitive information. Detailed information about how adversaries exploit the GPU are not publicly available.
References
|
CVE-2017-11292 | Adobe Flash Player Type Confusion Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
This vulnerability is exploited using a malicious-crafted word document attached to spearphishing emails. Adversaries have been seen to leverage this to install exploit code from their command & control server. This malware then performs data collection on the target systems.
References
|
CVE-2023-34362 | Progress MOVEit Transfer SQL Injection Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2023-34362 is a SQL injection vulnerability in a public-facing application. Adversaries have been observed to exploit this vulnerability to install malicious software on a target system, enabling them to discover system settings and information, enumerate the underlying SQL database, retrieve files, create administrator accounts, and delete accounts.
References
|
CVE-2021-27101 | Accellion FTA SQL Injection Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2021-27101 is a SQL injection vulnerability in Accellion File Transfer Appliance that allows an adversary to execute SQL commands.
References
|
CVE-2021-27103 | Accellion FTA Server-Side Request Forgery (SSRF) Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2021-27103 is a server-side request forgery vulnerability in Accellion File Transfer Appliance in Accellion that allows an adversary to manipulate server requests via a crafted POST request.
References
|
CVE-2024-50302 | Linux Kernel Use of Uninitialized Resource Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
Attackers can use malicious Human Interface Devices (keyboard, mouse, etc.) to trigger a kernel-level memory leak due to improper initialization and use of uninitialized resources. This leads to the returning of the uninitialized kernel data, which can be collected and exfiltrated.
References
|
CVE-2024-4978 | Justice AV Solutions (JAVS) Viewer Installer Embedded Malicious Code Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2024-4978 is a vulnerability where compromised software is signed and hosted on the legitimate software distribution website. Adversaries have been observed to use this backdoored software to install additional tools on target machines. The adversary-installed software establishing persistent communications with a command-and-control (C2) server using Windows sockets and WinHTTP requests. Once successfully connected, it transmits data about the compromised host, including hostname, operating system details, processor architecture, program working directory and the user name to the C2.
References
|
CVE-2024-23692 | Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2024-23692 is a OS command injection vulnerability within the HTTP File Server (HFS) process for Rejetto. It has been reported to be exploited by threat actors to deploy cryptomining malware, install backdoors, Remote Access Trojans (RATs), and other malware like “GoThief” to exfiltrate sensitive data.
References
|
CVE-2025-0111 | Palo Alto Networks PAN-OS File Read Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
This exploit is part of a chain of exploits (with CVE-2025-0108 and CVE-2024-9474) that can end with an attacker gaining root access to the system. After bypassing authentication with CVE-2025-0108, the attacker can exploit this to gain read access to system files with "nobody" privileges.
References
|
CVE-2024-38475 | Apache HTTP Server Improper Escaping of Output Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
Improper escaping in Apache HTTP Server versions 2.4.59 and before permits code execution or disclosure of source code, as well as session hijacking and a potential full system compromise. An attacker can use a crafted URL to perform a traversal attack to trick the Apache server into reading sensitive files.
References
|
CVE-2025-48928 | TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
TeleMessage TM SNGL utilizes a JavaServer Pages framework which improperly handles content in heaps and making them functionally the same as a core dump file. Attackers with local access can use this to obtain sensitive information, including credentials.
References
|
CVE-2025-48927 | TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
TeleMessage TM SNGL's Spring Boot Actuator exposes the /heapdump endpoint publicly, allowing an unauthenticated attacker to access it.
References
|
CVE-2019-5591 | Fortinet FortiOS Default Configuration Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2019-5591 is a default configuration vulnerability in Fortinet's FortiOS, specifically affecting the FortiGate SSL VPN. This vulnerability allows an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating a Lightweight Directory Access Protocol (LDAP) server.
References
|
CVE-2021-27104 | Accellion FTA OS Command Injection Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2021-27104 is an operating system command injection vulnerability in Accellion File Transfer Appliance in that allows an adversary to execute commands by sending a specially crafted POST request to the product's administrative endpoint.
References
|
CVE-2021-27102 | Accellion FTA OS Command Injection Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2021-27102 is an operating system command execution vulnerability in Accellion File Transfer Appliance that allows an adversary to execute arbitrary commands via a local web service call.
References
|
CVE-2023-4966 | Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
This is a buffer overflow vulnerability that results in unauthorized disclosure of memory, including session tokens.
References
|
CVE-2025-21418 | Microsoft Windows Ancillary Function Driver for WinSock Heap-Based Buffer Overflow Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
Exploiting this buffer overflow vulnerability could lead to an adversary gaining elevated privileges on the machine, leading to the potential for process injection using malicious code, as well as data loss.
References
|
CVE-2023-38831 | RARLAB WinRAR Code Execution Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2023-38831 is a vulnerability within the crafred archive process of WinRAR that occurs when a user attempts to open a seemingly legitimate document within a compromised archive, the vulnerability allows the attacker to execute arbitrary code on the system via a specially prepared archive. There have been public reports on the FROZENLAKE spear-phishing campaign, FROZENBARENTS, and ISLANDDREAMS leveraging this vulnerability.
References
|
CVE-2023-36884 | Microsoft Windows Search Remote Code Execution Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
This remote code execution vulnerability in Microsoft Office has been exploited by adversarial groups to distribute ransomware. Attackers use specially crafted Microsoft Office documents to bypass security features, enabling remote code execution without user prompts. These documents are typically delivered through phishing techniques, enticing victims to open them. Once opened, the ransomware encrypts files and demands a ransom for decryption, while also removing system backups and leaving a ransom note threatening data loss if recovery is attempted without the provided decryptor key.
The ransomware further erases system logs and may publish stolen data on leak websites, leading to unauthorized access to sensitive information and potential installation of backdoors for further exploitation. Microsoft addressed this vulnerability in their security updates by introducing measures to make file paths unpredictable, thereby mitigating the exploit chain. Despite these updates, additional vulnerabilities in Microsoft Office and Windows were identified. Security solutions offer protection against these exploits, and findings are shared with cybersecurity alliances to enhance collective defense efforts.
This vulnerability has been exploited by the Russian group Storm-0978, also known as RomCom, who craft specially designed Microsoft Office documents related to the Ukrainian World Congress. These documents bypass Microsoft's Mark-of-the-Web (MotW) security feature, enabling remote code execution without security prompts. The adversary used phishing techniques to deliver these documents, enticing victims to open them. Once opened, the ransomware, known as Underground, executes, encrypting files and demanding a ransom for decryption.
The ransomware further removes shadow copies, terminates MS SQL Server services, and leaves a ransom note threatening data loss if recovery is attempted without their decryptor key. It also erases Windows Event logs and publishes stolen victim data on a data leak website, causing unauthorized access to sensitive information and potential installation of backdoors for further exploitation.
References
|
CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2021-26855, also known as ProxyLogon, allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.
References
|
CVE-2020-5902 | F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2020-5902—an RCE vulnerability in the BIG-IP Traffic Management User Interface (TMUI)—to take control of victim systems. On June 30, F5 disclosed CVE-2020-5902, stating that it allows attackers to, “execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.” - CISA Advisory
References
|
CVE-2019-11634 | Citrix Workspace Application and Receiver for Windows Remote Code Execution Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2019-11634 is a remote code execution vulnerability for Citrix Workspace Application and Receiver for Windows
References
|
CVE-2017-5638 | Apache Struts Remote Code Execution Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2017-5638 is a remote code execution vulnerability in Apache Struts Jakarta Multipart versions that allows for malicious file upload using Content-Type, Content-Disposition, or Content-Length HTTP headers during file-upload attempts leading to an attacker to execute arbitrary commands. This CVE was known to be exploited during the Equifax breach.
References
|
CVE-2024-5217 | ServiceNow Incomplete List of Disallowed Inputs Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
CVE-2024-5217 is an input validation vulnerability that could enable an unauthenticated user to remotely execute code within the context of the ServiceNow Platform due to incomplete input validation in a GlideExpression Script. Organizations often use the ServiceNow platform to host sensitive data about their employees, including their personally identifiable information and HR records related to their employment.
References
|
CVE-2024-4879 | ServiceNow Improper Input Validation Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
CVE-2024-4879 is a Template Injection Vulnerability in ServiceNow UI Macros. When ServiceNow instances are installed public-facing instead of internally, they can be exploited for arbitrary code execution. Adversaries have been observed selling data exfiltrated through this exploit.
References
|
CVE-2025-43200 | Apple Multiple Products Unspecified Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
A zero-click attack leveraging this vulnerability involves sending a maliciously crafted photo or video in an iCloud link via the Messages app. Reports indicate that the targeted devices are then compromised with Paragon's Graphite spyware.
References
|
CVE-2025-22226 | VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
This vulnerability, present in VMWare ESXi, Workstation, and Fusion, is the result of an out-of-bounds read in the Host Guest File System (HGFS) and can be exploited by attackers with administrative privileges to disclose sensitive information from the VMX process. An attacker could then move into the hypervisor itself.
References
|
CVE-2025-24991 | Microsoft Windows NTFS Out-Of-Bounds Read Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
This vulnerability is facilitated by the insertion of information into log files, which could lead to the disclosure of said sensitive information through an attack. In order to exploit this vulnerability, an attacker needs physical access to the system, such as the ability to mount an external drive.
References
|
CVE-2024-53150 | Linux Kernel Out-of-Bounds Read Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
By crafting a malicious USB audio device, an attacker can trigger an out-of-bounds read error in the kernel, potentially exposing sensitive kernel information.
References
|
CVE-2020-8193 | Citrix ADC, Gateway, and SD-WAN WANOP Appliance Authorization Bypass Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
CVE-2020-8193 is an Authorization Bypass vulnerability in Citrix ADC, Gateway, and SD-WAN WANOP Appliance in various versions allows attacker to bypass authentication mechanisms via crafted requests.
References
|
CVE-2024-24919 | Check Point Quantum Security Gateways Information Disclosure Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
CVE-2024-24919 is an information disclosure/arbitrary file read vulnerability within Check Point's Quantum Security Gateway products. It's been reported that attacker are leveraging this vulnerability to retrieve, all files on the local file system, read sensitive data and extract credentials for all local accounts, including Active Directory, SSH keys, and certificates.
References
|
CVE-2023-49103 | ownCloud graphapi Information Disclosure Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
This vulnerability is exploited through an unauthenticated information disclosure flaw in the Graph API extension of ownCloud. Attackers first used this vulnerability to gain initial access by targeting the /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php endpoint, which allowed them to leak sensitive information via the PHP function phpinfo. By modifying the requested URI to bypass Apache web server rewrite rules, attackers could access environment variables containing secrets, such as usernames, passwords, and license keys.
References
|
CVE-2021-26085 | Atlassian Confluence Server Pre-Authorization Arbitrary File Read Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
This vulnerability allows viewing of restricted resources via a pre-authorization arbitrary file read vulnerability.
References
|
CVE-2020-8196 | Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information Disclosure Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2020-8196
is an information disclosure in Citrix ADC, Gateway, and SD-WAN WANOP Appliance which allows attacker to access sensitive information via crafted requests.
References
|
CVE-2020-8195 | Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information Disclosure Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
CVE-2020-8195 is an information disclosure in Citrix ADC, Gateway, and SD-WAN WANOP Appliance which allows attacker to access sensitive information via crafted requests.
References
|
CVE-2019-1653 | Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2019-1653 is a critical information disclosure vulnerability affecting Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers. This vulnerability allows unauthenticated, remote attackers to access sensitive information from affected devices.
References
|
CVE-2018-0296 | Cisco Adaptive Security Appliance (ASA) Denial-of-Service Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
CVE-2018-0296 is a critical vulnerability in the web interface of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software. This vulnerability allows an unauthenticated, remote attacker to perform directory traversal attacks and access sensitive system information.
References
|
CVE-2020-3452 | Cisco ASA and FTD Read-Only Path Traversal Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
CVE-2020-3452 is a vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system.
References
|
CVE-2013-0629 | Adobe ColdFusion Directory Traversal Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
This is an exploitation of a public-facing server due to password misconfiguration. Exploitation allows attackers to access restricted directories
References
|
CVE-2024-55550 | Mitel MiCollab Path Traversal Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
Due to improper input sanitization, a user with administrative credentials can access and read arbitrary files on the MiCollab server.
References
|
CVE-2024-48248 | NAKIVO Backup and Replication Absolute Path Traversal Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
An unauthenticated attacker can send a request to the NAKIVO Backup & Replication endpoint that contains a path to a sensitive file, leading to arbitrary file read.
References
|
CVE-2024-41713 | Mitel MiCollab Path Traversal Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
This path traversal vulnerability can lead to privilege escalation on MiCollab, which can then lead to other exploits such as CVE-2024-55550.
References
|
CVE-2024-0769 | D-Link DIR-859 Router Path Traversal Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
This path traversal vulnerability in D-Link DIR-859 WiFi routers can lead to information disclosure, such as configuration files. As these devices are end-of-life, the manufacturer has no intention of patching this.
References
|
CVE-2023-38950 | ZKTeco BioTime Path Traversal Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
This directory traversal vulnerability, if exploited using a malicious payload in an HTTP GET request, allows an unauthenticated attacker to access and read arbitrary files, leading to potential exfiltration/disclosure.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1005 | Data from Local System | |
attribute.confidentiality.data_disclosure | None | related-to | T1005 | Data from Local System |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | technique_scores | T1005 | Data from Local System |
Comments
This control may provide recommendations that limit the ability of an attacker to gain access to a host from a container, preventing the attacker from discovering and compromising local system data.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1005 | Data from Local System |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Exfiltration modules on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|