Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Adversaries may do this using a Command and Scripting Interpreter, such as cmd as well as a Network Device CLI, which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use Automated Collection on the local system.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-12 | Information Location | mitigates | T1005 | Data from Local System | |
| SA-08 | Security and Privacy Engineering Principles | mitigates | T1005 | Data from Local System | |
| SC-13 | Cryptographic Protection | mitigates | T1005 | Data from Local System | |
| SC-38 | Operations Security | mitigates | T1005 | Data from Local System | |
| CP-09 | System Backup | mitigates | T1005 | Data from Local System | |
| AC-23 | Data Mining Protection | mitigates | T1005 | Data from Local System | |
| SC-28 | Protection of Information at Rest | mitigates | T1005 | Data from Local System | |
| SI-03 | Malicious Code Protection | mitigates | T1005 | Data from Local System | |
| AC-16 | Security and Privacy Attributes | mitigates | T1005 | Data from Local System | |
| SI-04 | System Monitoring | mitigates | T1005 | Data from Local System | |
| AC-03 | Access Enforcement | mitigates | T1005 | Data from Local System | |
| AC-06 | Least Privilege | mitigates | T1005 | Data from Local System | |
| AC-02 | Account Management | mitigates | T1005 | Data from Local System |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1005 | Data from Local System | |
| attribute.confidentiality.data_disclosure | None | related-to | T1005 | Data from Local System |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | technique_scores | T1005 | Data from Local System |
Comments
This control may provide recommendations that limit the ability of an attacker to gain access to a host from a container, preventing the attacker from discovering and compromising local system data.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1005 | Data from Local System |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Exfiltration modules on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|