1. Home
  2. Techniques
  3. ICS
  4. Data from Local System

Data from Local System

Adversaries may target and collect data from local system sources, such as file systems, configuration files, or local databases. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes.

Adversaries may do this using Command-Line Interface or Scripting techniques to interact with the file system to gather information. Adversaries may also use Automated Collection on the local system.

ID: T0893
Sub-techniques:  No sub-techniques
Tactic: Collection
Platforms: None
Version: 1.0
Created: 30 March 2023
Last Modified: 15 April 2025
Version Permalink

Procedure Examples

ID Name Description
S1000 ACAD/Medre.A

ACAD/Medre.A collects information related to the AutoCAD application. The worm collects AutoCAD (*.dwg) files with drawings from infected systems. [1]
S0038 Duqu

Duqu downloads additional modules for the collection of data from local systems. The modules are named: infostealer 1, infostealer 2 and reconnaissance. [2]
S0143 Flame

Flame has built-in modules to gather information from compromised computers. [3]

Targeted Assets

ID Asset
A0008 Application Server
A0007 Control Server
A0006 Data Historian
A0016 Firewall
A0002 Human-Machine Interface (HMI)
A0012 Jump Host
A0015 Switch
A0001 Workstation

Mitigations

ID Mitigation Description
M0803 Data Loss Prevention

Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted.
M0941 Encrypt Sensitive Information

Information which is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know. [4] [5]
M0922 Restrict File and Directory Permissions

Protect files stored locally with proper permissions to limit opportunities for adversaries to interact and collect information from the local system. [4] [5]
M0917 User Training

Develop and publish policies that define acceptable information to be stored on local systems.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0749 Detection of Data from Local System AN1881

Monitor for unexpected/abnormal access to files that may be malicious collection of local data, such as user files (e.g., .pdf, .docx, .jpg, .dwg ) or local databases.
Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data.
Monitor for any suspicious attempts to enable scripts running on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data.
Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

References

  1. ESET ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage Retrieved. 2021/04/13
  2. Symantec W32.Duqu The precursor to the next Stuxnet Retrieved. 2019/11/03
  3. Kevin Savage and Branko Spasojevic W32.Flamer Retrieved November 17, 2024.
  1. Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28
  2. National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17