Adversaries may search local system sources, such as file systems, configuration files, local databases, or virtual machine files, to find files of interest and sensitive data prior to Exfiltration.
Adversaries may do this using a Command and Scripting Interpreter, such as cmd, as well as a Network Device CLI, both of which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use Automated Collection on the local system.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| UEM-11 | Data Loss Prevention | mitigates | T1005 | Data from Local System | Comments: Adversaries may search local system sources, such as file systems, configuration files, local databases, or virtual machine files, to find files of interest and sensitive data prior to Exfiltration. This control requires implementing data leakage prevention (DLP) capabilities on endpoint devices. This includes classifying and inventorying data, protecting sensitive information in transit and at rest, monitoring for unauthorized disclosures, and responding to policy violations. References: (none) |
| DSP-04 | Data Classification | mitigates | T1005 | Data from Local System | Comments: Adversaries may search local system sources, such as file systems, configuration files, local databases, or virtual machine files, to find files of interest and sensitive data prior to Exfiltration. This control enforces the classification of data by type, criticality, and sensitivity level to enable appropriate protections (including DLP measures), mitigating attacker techniques such as data exfiltration, unauthorized disclosure, and the misuse of unprotected sensitive information. Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted. References: (none) |