Data from Local System
Adversaries may search local system sources, such as file systems, configuration files, or local databases, to find files of interest and sensitive data prior to Exfiltration. Adversaries may do this using a Command and Scripting Interpreter, such as cmd, or a Network Device CLI, both of which have functionality to interact with the file system and gather information. Adversaries may also use Automated Collection on the local system.
Detection logic
Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Further, Network Device CLI commands may also be used to collect files such as configuration files, using features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use of commands, particularly commands run by non-standard users or from non-standard locations. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. For network infrastructure devices, collect AAA logging to monitor `show` commands that view configuration files.
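As an added example (not part of this ATT&CK page), the two detection ideas above expressed as runnable Python over constructed sample telemetry: command-line patterns for bulk local file discovery in process-creation events, and config-viewing `show` commands in AAA accounting records checked against an allowed-user and allowed-subnet policy. The sample events, the allowed account, the admin subnet, and the accounting line format are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample telemetry (not real events): Sysmon-style process-creation
# records and Cisco-style AAA command-accounting lines.
PROC_EVENTS = [
    {"user": "CORP\\jdoe", "cmdline": r"cmd.exe /c dir /s /b C:\Users\*.docx > C:\Temp\l.txt"},
    {"user": "CORP\\svc_web", "cmdline": r'findstr /si "password" C:\inetpub\*.config'},
    {"user": "CORP\\jdoe", "cmdline": r'"WINWORD.EXE" C:\Users\jdoe\report.docx'},
]
AAA_LINES = [
    "user=netadmin src=10.0.5.20 cmd=show running-config",
    "user=contractor1 src=203.0.113.44 cmd=show running-config",
    "user=netadmin src=10.0.5.20 cmd=show ip interface brief",
]
# Command-line patterns typical of bulk local file discovery or content search.
COLLECTION_PATTERNS = [
    re.compile(r"\bdir\b.*\s/s\b", re.I),            # recursive directory listing
    re.compile(r"\bfindstr\b.*\s/s", re.I),          # recursive content search (/s, /si)
    re.compile(r"Get-ChildItem\b.*-Recurse", re.I),  # PowerShell recursive enumeration
]
CONFIG_VIEW = re.compile(r"show\s+(running-config|startup-config|configuration)\b", re.I)
# Assumed (hypothetical) policy: accounts and subnet allowed to view device configs.
CONFIG_ADMINS = {"netadmin"}
ADMIN_NET = ipaddress.ip_network("10.0.5.0/24")
AAA_RE = re.compile(r"user=(\S+)\s+src=(\S+)\s+cmd=(.+)$")


def detect_local_collection(events):
    """Return (user, cmdline) for process events matching a collection pattern."""
    return [(ev["user"], ev["cmdline"]) for ev in events
            if any(p.search(ev["cmdline"]) for p in COLLECTION_PATTERNS)]


def detect_config_views(lines):
    """Return (user, src, cmd) for config-viewing show commands that break policy."""
    alerts = []
    for line in lines:
        m = AAA_RE.match(line)
        if not m:
            continue  # malformed accounting record: skip rather than crash
        user, src, cmd = m.groups()
        if not CONFIG_VIEW.match(cmd):
            continue  # other show commands are routine
        if user not in CONFIG_ADMINS or ipaddress.ip_address(src) not in ADMIN_NET:
            alerts.append((user, src, cmd))
    return alerts
```

Run against the sample data, the first rule flags the two enumeration/search command lines and ignores the ordinary Word launch; the second flags only the config view by an account outside the policy.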
Observed actors
G0082 GALLIUM
G0093 APT3
G0022 Kimsuky
G0094 Volt Typhoon
G1017 Patchwork
G0040 APT41
G0096 Dragonfly
G0035 menuPass
G0045 HAFNIUM
G0125 FIN6
G0037 Gamaredon Group
G0047 FIN7
G0046 Sandworm Team
G0034 Andariel
G0138 CURIUM
G1012 APT39
G0087 APT37
G0067 Windigo
G0124 Aquatic Panda
G0143 Ke3chang
G0004 APT1
G0006 Turla
G0010 RedCurl
G1039 Stealth Falcon
G0038 APT29
G0016 Dark Caracal
G0070 BRONZE BUTLER
G0060 Axiom
G0001 Ember Bear
G1003 ToddyCat
G1022 LuminousMoth
G1014 Agrius
G1030 APT28
G0007 Fox Kitten
G0117 Lazarus Group
G0032 LAPSUS$
G1004 Wizard Spider
G0102 Inception
G0100 Magic Hound
G0059 Threat Group-3390
G0027 FIN13
G1016
Correlated CTI and IR reports
1200km CTI repository · explicit report mention: Attack Playbook — Operation DragonRx
1200km CTI repository · explicit report mention: CTI Research: MuddyWater / Seedworm (Mango Sandstorm)
1200km CTI repository · explicit report mention: Operation DragonRx — APT41 Full Attack Simulation
1200km CTI repository · explicit report mention: Operation DragonRx: Simulating an APT41 Attack End-to-End — From Log4Shell to DFIR and Malware Analysis
1200km CTI repository · explicit report mention: APT41 Targeting Pharmaceutical Sector Log4Shell to Domain Compromise
1200km Medium · authored report mention: Attack Playbook Operation DragonRx
1200km Medium · authored report mention: CTI Research MuddyWater Seedworm Mango Sandstorm
1200km Medium · authored report mention: Correlation Based Detection Rules in Cybersecurity From Atomic Events to Behavioral Insight
1200km Medium · authored report mention: Operation DragonRx Simulating an APT41 Attack End to End From Log4Shell to DFIR and Malware