Data from Local System

Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

Adversaries may do this using a Command and Scripting Interpreter, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.

ID: T1005
Sub-techniques:  No sub-techniques
Tactic: Collection
Platforms: Linux, Windows, macOS
System Requirements: Privileges to access certain files and directories
Data Sources: File monitoring, Process command-line parameters, Process monitoring
Version: 1.2
Created: 31 May 2017
Last Modified: 26 May 2020

Procedure Examples

Name Description
APT1

APT1 has collected files from a local victim.[1]

APT28

APT28 has retrieved internal documents from machines inside victim environments, including by using Forfiles to stage documents before exfiltration.[2][3]

APT3

APT3 will identify Microsoft Office documents on the victim's computer.[4]

APT37

APT37 has collected data from victims' local systems.[5]

APT39

APT39 has used a tool to steal files from the compromised host.[6]

BADNEWS

When it first starts, BADNEWS crawls the victim's local drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.[7][8]

BadPatch

BadPatch collects files from the local system that have the following extensions, then prepares them for exfiltration: .xls, .xlsx, .pdf, .mdb, .rar, .zip, .doc, .docx.[9]

Bankshot

Bankshot collects files from the local system.[10]

BRONZE BUTLER

BRONZE BUTLER has exfiltrated files stolen from local systems.[11]

Calisto

Calisto can collect data from user directories.[12]

China Chopper

China Chopper's server component can upload local files.[13][14][15]

Cobalt Strike

Cobalt Strike can collect data from a local system.[16]

CookieMiner

CookieMiner has retrieved iPhone text messages from iTunes phone backup files.[17]

CosmicDuke

CosmicDuke steals user files from local hard drives with file extensions that match a predefined list.[18]

Cryptoistic

Cryptoistic can retrieve files from the local file system.[19]

Dark Caracal

Dark Caracal collected complete contents of the 'Pictures' folder from compromised Windows systems.[20]

Dragonfly 2.0

Dragonfly 2.0 collected data from local victim systems.[21]

Drovorub

Drovorub can transfer files from the victim machine.[22]

Dust Storm

Dust Storm has used Android backdoors capable of exfiltrating specific files directly from the infected devices.[23]

FatDuke

FatDuke can copy files and directories from a compromised host.[24]

FIN6

FIN6 has collected and exfiltrated payment card data from compromised systems.[25][26][27]

FLASHFLOOD

FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system. FLASHFLOOD will scan the My Recent Documents, Desktop, Temporary Internet Files, and TEMP directories. FLASHFLOOD also collects information stored in the Windows Address Book.[28]

Forfiles

Forfiles can be used to act on (ex: copy, move, etc.) files/directories in a system during (ex: copy files into a staging area before).[2]

FrameworkPOS

FrameworkPOS can collect elements related to credit card data from process memory.[29]

Frankenstein

Frankenstein has enumerated hosts via Empire, gathering various local system information.[30]

Gamaredon Group

Gamaredon Group has collected files from infected systems and uploaded them to a C2 server.[31]

Goopy

Goopy has the ability to exfiltrate documents from infected systems.[32]

GravityRAT

GravityRAT steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.[33]

Honeybee

Honeybee collects data from the local victim system.[34]

Hydraq

Hydraq creates a backdoor through which remote attackers can read data from files.[35][36]

Inception

Inception used a file hunting plugin to collect .txt, .pdf, .xls or .doc files from the infected host.[37]

InvisiMole

InvisiMole can collect data from the system, and can monitor changes in specified directories.[38]

Ixeshe

Ixeshe can collect data from a local system.[39]

Kazuar

Kazuar uploads files from a specified directory to the C2 server.[40]

Ke3chang

Ke3chang gathered information and files from local directories for exfiltration.[41]

Kimsuky

Kimsuky has collected Office, PDF, and HWP documents from its victims.[42]

Koadic

Koadic can download files off the target system to send back to the server.[43]

Lazarus Group

Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers. Lazarus Group malware RomeoDelta copies specified directories from the victim's machine, then archives and encrypts the directories before uploading to its C2 server.[44][45][46] Lazarus Group has used wevtutil to export Window security event logs.[47]

LightNeuron

LightNeuron can collect files from a local system.[48]

Linfo

Linfo creates a backdoor through which remote attackers can obtain data from local systems.[49]

Machete

Machete searches the File system for files of interest.[50]

MCMD

MCMD has the ability to upload files from an infected device.[51]

menuPass

menuPass has collected various files from the compromised computers.[52]

MobileOrder

MobileOrder exfiltrates data collected from the victim mobile device.[53]

njRAT

njRAT can collect data from a local system.[54]

Pasam

Pasam creates a backdoor through which remote attackers can retrieve files.[55]

Patchwork

Patchwork collected and exfiltrated files from the infected system.[56]

Pillowmint

Pillowmint has collected credit card data using native API functions.[57]

PinchDuke

PinchDuke collects user files from the compromised host based on predefined file extensions.[58]

PoisonIvy

PoisonIvy creates a backdoor through which remote attackers can steal system information.[59]

PowerSploit

PowerSploit contains a collection of Exfiltration modules that can access data from local files, volumes, and processes.[60][61]

POWERSTATS

POWERSTATS can upload files from compromised hosts.[62]

Proxysvc

Proxysvc searches the local system and gathers data.[63]

PUNCHTRACK

PUNCHTRACK scrapes memory for properly formatted payment card data.[64][65]

Ramsay

Ramsay can collect Microsoft Word documents from the target's filesystem.[66]

RawPOS

RawPOS dumps memory from specific processes on a victim system, parses the dumped files, and scrapes them for credit card data.[67][68][69]

ROKRAT

ROKRAT can request to upload collected host data and additional files.[70]

Rover

Rover searches for files on local drives based on a predefined list of file extensions.[71]

SDBot

SDBot has the ability to access the file system on a compromised host.[72]

ShimRat

ShimRat has the capability to upload collected files to a C2.[73]

Soft Cell

Soft Cell collected data from the victim's local system, including password hashes from the SAM hive in the Registry.[74]

Stealth Falcon

Stealth Falcon malware gathers data from the local victim system.[75]

Sunburst

Sunburst collected information from a compromised host.[76][77]

TajMahal

TajMahal has the ability to steal documents from the local system including the print spooler queue.[78]

Threat Group-3390

Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories.[79]

TrickBot

TrickBot collects local files and information from the victim’s local machine.[80]

Turla

Turla RPC backdoors can upload files from victim machines.[81]

UNC2452

UNC2452 extracted files from compromised networks.[82]

Ursnif

Ursnif has collected files from victim machines, including certificates and cookies.[83]

USBferry

USBferry can collect information from an air-gapped host machine.[84]

WellMail

WellMail can exfiltrate files from the victim machine.[85]

WellMess

WellMess can send files from the victim machine to C2.[86][87]

yty

yty collects files with the following extensions: .ppt, .pptx, .pdf, .doc, .docx, .xls, .xlsx, .docm, .rtf, .inp, .xlsm, .csv, .odt, .pps, .vcf and sends them back to the C2 server.[88]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

References

  1. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  2. Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.
  3. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  4. valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
  5. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  6. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
  7. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  8. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  9. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  10. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  11. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  12. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
  13. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  14. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
  15. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  16. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
  17. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  18. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  19. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
  20. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  21. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  22. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
  23. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  24. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  25. Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020.
  26. Klijnsma, Y. (2018, September 11). Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims. Retrieved September 9, 2020.
  27. Klijnsma, Y. (2018, September 19). Another Victim of the Magecart Assault Emerges: Newegg. Retrieved September 9, 2020.
  28. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  29. Kremez, V. (2019, September 19). FIN6 “FrameworkPOS”: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020.
  30. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  31. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  32. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  33. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  34. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  35. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  36. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  37. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
  38. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  39. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  40. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  41. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  42. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
  43. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  44. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  1. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  2. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  3. F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
  4. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  5. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  6. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  7. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
  8. United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
  9. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  10. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  11. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
  12. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  13. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  14. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  15. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  16. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  17. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  18. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  19. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  20. Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
  21. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  22. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  23. Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017.
  24. TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. Retrieved October 4, 2017.
  25. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  26. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
  27. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  28. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  29. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  30. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  31. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  32. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  33. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  34. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  35. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  36. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  37. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  38. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  39. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
  40. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  41. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
  42. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
  43. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
  44. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.