# T1005 Data from Local System

-----------------------------------------------------------------------

## Technique Description

Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.

Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.


## Technique Detection

Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Further, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands may also be used to collect files such as configuration files with built-in features native to the network device platform.(Citation: Mandiant APT41 Global Intrusion)(Citation: US-CERT-TA18-106A) Monitor CLI activity for unexpected or unauthorized use of commands being run by non-standard users from non-standard locations. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).

-----------------------------------------------------------------------

### Tactics:

  *   Collection

### Platforms:

  * Linux

  * macOS

  * Windows

  * Network

### System Requirements:

  * Privileges to access certain files and directories

### Data Sources:

  * **Process:** Process Creation

  * **Command:** Command Execution

  * **Script:** Script Execution

  * **File:** File Access

  * **Process:** OS API Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Andariel | [Andariel](https://attack.mitre.org/groups/G0138) has collected large numbers of files from compromised network systems for later extraction.(Citation: FSI Andariel Campaign Rifle July 2017)| 
| Windigo | [Windigo](https://attack.mitre.org/groups/G0124) has used a script to gather credentials in files left on disk by OpenSSH backdoors.(Citation: ESET ForSSHe December 2018)| 
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) extracted files from compromised networks.(Citation: Volexity SolarWinds) | 
| Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has searched local system resources to access sensitive documents.(Citation: CISA AA20-259A Iran-Based Actor September 2020)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has exfiltrated files and directories of interest from the targeted system.(Citation: FoxIT Wocao December 2019)| 
| Frankenstein | [Frankenstein](https://attack.mitre.org/groups/G0101) has enumerated hosts via [Empire](https://attack.mitre.org/software/S0363), gathering various local system information.(Citation: Talos Frankenstein June 2019)| 
| Inception | [Inception](https://attack.mitre.org/groups/G0100) used a file hunting plugin to collect .txt, .pdf, .xls or .doc files from the infected host.(Citation: Kaspersky Cloud Atlas August 2019)| 
| APT41 | [APT41](https://attack.mitre.org/groups/G0096) has uploaded files and data from a compromised host.(Citation: Group IB APT 41 June 2021)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has collected Office, PDF, and HWP documents from its victims.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)| 
| GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) collected data from the victim's local system, including password hashes from the SAM hive in the Registry.(Citation: Cybereason Soft Cell June 2019)| 
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used various tools to steal files from the compromised host.(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020)| 
| APT38 | [APT38](https://attack.mitre.org/groups/G0082) has collected data from a compromised host.(Citation: CISA AA20-239A BeagleBoyz August 2020)| 
| Honeybee | [Honeybee](https://attack.mitre.org/groups/G0072) collects data from the local victim system.(Citation: McAfee Honeybee)| 
| Dark Caracal | [Dark Caracal](https://attack.mitre.org/groups/G0070) collected complete contents of the 'Pictures' folder from compromised Windows systems.(Citation: Lookout Dark Caracal Jan 2018)| 
| APT37 | [APT37](https://attack.mitre.org/groups/G0067) has collected data from victims' local systems.(Citation: FireEye APT37 Feb 2018)| 
| BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has exfiltrated files stolen from local systems.(Citation: Secureworks BRONZE BUTLER Oct 2017)| 
| Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has collected files from infected systems and uploaded them to a C2 server.(Citation: ESET Gamaredon June 2020)| 
| FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has collected files and other sensitive information from a compromised network.(Citation: CrowdStrike Carbon Spider August 2021)| 
| menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has collected various files from the compromised computers.(Citation: DOJ APT10 Dec 2018)(Citation: Symantec Cicada November 2020)| 
| Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) collected and exfiltrated files from the infected system.(Citation: Cymmetria Patchwork)| 
| Stealth Falcon | [Stealth Falcon](https://attack.mitre.org/groups/G0038) malware gathers data from the local victim system.(Citation: Citizen Lab Stealth Falcon May 2016)| 
| FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has collected and exfiltrated payment card data from compromised systems.(Citation: Trend Micro FIN6 October 2019)(Citation: RiskIQ British Airways September 2018)(Citation: RiskIQ Newegg September 2018)| 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has collected data from local victim systems.(Citation: US-CERT TA18-074A)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has exfiltrated internal documents, files, and other data from compromised hosts.(Citation: US District Court Indictment GRU Unit 74455 October 2020)| 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has collected data and files from compromised networks.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)| 
| Dust Storm | [Dust Storm](https://attack.mitre.org/groups/G0031) has used Android backdoors capable of exfiltrating specific files directly from the infected devices.(Citation: Cylance Dust Storm)| 
| Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) ran a command to compile an archive of file types of interest from the victim user's directories.(Citation: SecureWorks BRONZE UNION June 2017)| 
| APT3 | [APT3](https://attack.mitre.org/groups/G0022) will identify Microsoft Office documents on the victim's computer.(Citation: aptsim)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has extracted files from compromised networks.(Citation: Volexity SolarWinds) | 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) RPC backdoors can upload files from victim machines.(Citation: ESET Turla PowerShell May 2019)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) has retrieved internal documents from machines inside victim environments, including by using [Forfiles](https://attack.mitre.org/software/S0193) to stage documents before exfiltration.(Citation: Überwachung APT28 Forfiles June 2015)(Citation: DOJ GRU Indictment Jul 2018)(Citation: TrendMicro Pawn Storm 2019)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)| 
| APT1 | [APT1](https://attack.mitre.org/groups/G0006) has collected files from a local victim.(Citation: Mandiant APT1)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) gathered information and files from local directories for exfiltration.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: Microsoft NICKEL December 2021)| 
| Axiom | [Axiom](https://attack.mitre.org/groups/G0001) has collected data from a compromised network.(Citation: Novetta-Axiom)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1005)

  * [Mandiant APT41 Global Intrusion](https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits), Gyler, C., Perez, D., Jones, S., Miller, S. (2021, February 25). This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved February 17, 2022.

  * [Us-Cert-Ta18-106A](https://www.us-cert.gov/ncas/alerts/TA18-106A), US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated  Date:** 9 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, SSgt Zachary Burke, SSgt Kevin Edwards, TSgt Matthew Taylor

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries may collect data from a victim's local machine.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28| 1,2 | |

#### APT28
- has retrieved internal documents from machines inside victim environments, including by using Forfiles to stage documents before exfiltration.

#### APT29
- has extracted files from compromised networks.

#### Turla
- RPC backdoors can upload files from victim machines. (The RPC plugin collects recent files from the local file system.)

## Detection Blindspots

- Encoded commands may obfuscate collection command parameters.

## Analytical References

  * [MITRE - ForFiles](https://attack.mitre.org/software/S0193/)
  * [Netzpolitik - APT28 German Parliament ForFiles](https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/)
  * [WeLiveSecurity - Turla Powershell Usage](https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/)
  * [Microsoft - ForFIles](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753551(v=ws.11))
  * [FireEye - Powershell Logging](https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html)
  * [Volexity - DarkHalo SolarWinds](https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/)
  * [Malware.news - APT28 WMIC](https://malware.news/t/lets-learn-progression-of-apt28-sofacy-golang-zebrocy-loader-project2-go-wmic-hex-decode/25786)
  


-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Collection of data from the local system may be carried out with a great number of tools, so operators should look for activity that targets specific file extensions or walks directories recursively. This will look different depending on the tool used (PowerShell, WMIC, cmd, Python, Forfiles, etc.).

### Deep Dive

- #### APT 28
  - Note: APT28 has retrieved internal documents from machines inside victim environments, including by using Forfiles to stage documents before exfiltration.
    - ```bat
      REM This script identifies all PDF and Office documents dated after May 1st (specified in the date format used by Microsoft Windows in the German locale) and collects them in a folder, supposedly ready to be exfiltrated.
      REM /m is the file-name mask, /s recurses into subdirectories, /d +DATE selects files modified on or after that date, and /c runs the copy for every match (@path, @file are forfiles variables).
      for %%G in (.pdf, .xls, .xlsx, .doc, .docx) do (
      forfiles /P F:\[REDACTED] /m *%%G /s /d +01.05.2015 /c "cmd /c copy @path C:\ProgramData\[REDACTED]\d@file" )
      ```

- #### APT 29
  - Note: APT29 has extracted files from compromised networks. They've used the following:
    - ```powershell
      # Get a list of users on the Exchange server and their current role using Get-ManagementRoleAssignment:
      C:\Windows\system32\cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command "Get-ManagementRoleAssignment -GetEffectiveUsers | select Name,Role,EffectiveUserName,AssignmentMethod,IsValid | ConvertTo-Csv -NoTypeInformation | % {$_ -replace '`n','_'} | Out-File C:\temp\1.xml"
      ```
    - ```powershell
      # Retrieve information about the configured Virtual Directory using Get-WebServicesVirtualDirectory:
      C:\Windows\system32\cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command "Get-WebServicesVirtualDirectory | Format-List"
      ```
    - ```bat
      REM The attacker also made use of a file called sqlceip.exe, which upon first glance might appear as the legitimate version of SQL Server Telemetry Client provided by Microsoft. However, Volexity determined this tool was actually a version of AdFind from joeware.net. AdFind is a command-line tool used for querying and extracting data from Active Directory. Volexity discovered the attacker using AdFind with the following command line:
      C:\Windows\system32\cmd.exe /C sqlceip.exe -default -f (name="Organization Management") member -list | sqlceip.exe -f objectcategory=* > .\SettingSync\log2.txt
      ```
    - ```powershell
      # The attacker exfiltrated e-mail data from targeted accounts using the New-MailboxExportRequest command followed by the Get-MailboxExportRequest command.
      C:\Windows\system32\cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command "New-MailboxExportRequest -Mailbox foobar@organization.here -ContentFilter {(Received -ge '03/01/2020')} -FilePath '\\<MAILSERVER>\c$\temp\b.pst'"
      ```
- #### Turla
  - Note: Turla RPC backdoors can upload files from victim machines. The backdoor supports loading plugins. The server creates a thread that searches for files matching the pattern lPH*.dll. If such a file exists, it is loaded and its export function ModuleStart is called. Among the various plugins ESET has located so far, one is able to steal *recent files* and files from USB thumb drives.

#### Analytic 1

  * **Information:** APT28 has retrieved internal documents from machines inside victim environments, including by using Forfiles to stage documents before exfiltration. Above (Deep Dive) is a sample of this technique being used. The code identifies all PDF and Office documents dated after May 1st (specified in the date format used by Microsoft Windows in the German locale) and collects them in a folder, supposedly ready to be exfiltrated.

  * **Source:** SYSMON

  * **Tool:** Kibana

  * **Notes:** Identify the Forfiles process and note its command line. Forfiles is most commonly used in batch files (.bat), so a bare process-name match will also return scheduled cleanup jobs; triage on the /m extension mask, the /s recursive flag and a copy in the /c action.

  * **Query 1:** ```process.name : forfiles OR (image : *.bat and <contents> include *forfiles*)```
  * **Query 2:** ```Event_ID: 1 AND commandline:*forfiles*```

#### Analytic 2

  * **Information:** APT28 has used WMIC for host profiling. Below is an example of a command the Zebrocy loader utilizes to identify mounted drive information.
> wmic logicaldisk get caption,description,drivetype,providername,size

  * **Source:** SYSMON

  * **Tool:** Kibana

  * **Notes:** Identify wmic instances and note commands to get information

  * **Query:** ```Event_id : 1 and process.name : wmic.exe and commandLine : */GET*```
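Added detection example (not part of this playbook or of any cited report) that runs the refinements from the Hunter Notes and Analytics 1 and 2 over constructed Sysmon Event ID 1 records: it flags forfiles and wmic GET invocations as the Kibana queries do, then separates a document-mask, recursive, copy-to-folder staging job from an ordinary forfiles log cleanup that the bare `commandline:*forfiles*` query would also return. The field names and all sample records are assumptions.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\forfiles.exe",
     "CommandLine": 'forfiles /P F:\\share /m *.docx /s /d +01.05.2015 '
                    '/c "cmd /c copy @path C:\\ProgramData\\stage\\d@file"'},
    {"EventID": 1, "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\forfiles.exe",
     "CommandLine": 'forfiles /P C:\\Windows\\Temp /m *.log /d -30 /c "cmd /c del @path"'},
    {"EventID": 1, "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic logicaldisk get caption,description,drivetype,providername,size"},
    {"EventID": 1, "User": "CORP\\carol", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c type C:\\Users\\carol\\notes.txt"},
    {"EventID": 3, "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic logicaldisk get size"},  # network event, not process creation
]

# Document types called out on this page (APT28, Inception, Kimsuky) written as a forfiles /m mask.
DOC_MASK = re.compile(r"\*\.(pdf|xlsx?|docx?|pptx?|txt|hwp)\b", re.IGNORECASE)

def classify(event):
    """Return the reasons an Event ID 1 record matches the host analytics on this page."""
    reasons = []
    if event.get("EventID") != 1:
        return reasons
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    tokens = cmd.lower().split()
    # Analytic 1: forfiles process, or a command line referencing it (e.g. run from a .bat).
    if image.endswith("forfiles.exe") or "forfiles" in tokens:
        reasons.append("forfiles")
        # Hunter Notes: refine on extension masks and recursive collection.
        if "/s" in tokens:
            reasons.append("recursive (/s)")
        if DOC_MASK.search(cmd):
            reasons.append("document extension mask")
        if "copy" in tokens and "@path" in tokens:
            reasons.append("copies matched files")  # staging, as in the APT28 sample
    # Analytic 2: wmic ... GET used for host profiling.
    if image.endswith("wmic.exe") and "get" in tokens:
        reasons.append("wmic get")
    return reasons

def hunt(events):
    """Map user -> reasons for every record that matches at least one analytic."""
    return {e["User"]: r for e in events if (r := classify(e))}

if __name__ == "__main__":
    for user, reasons in hunt(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(reasons)}")
```

The SYSTEM record matches Analytic 1 on process name alone but carries none of the refinements, which is the triage signal the Hunter Notes describe.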

-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- N/A

#### Analytic 1

  * **Information:** Identify large file transfers from inside the network to an external IP, possibly via FTP

  * **Source:** PCAP

  * **Tool:** Moloch

  * **Notes:** Sort by data/bytes

  * **Query:** ```ip.src==<internal> && ip.dst==<external>```

