T1005 · Technique · collection · agent-callable

T1005 Data from Local System

Platforms: Linux · macOS · Windows · Network

ATT&CK version: 14.1

What it is

Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration. Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information. (Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.

ATT&CK tactics · 1

Collection

References

  1. https://attack.mitre.org/techniques/T1005
  2. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/show_protocols_through_showmon.html#wp2760878733
  3. https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits
  4. https://www.us-cert.gov/ncas/alerts/TA18-106A
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.