Skip to content

Latest commit

 

History

History
30 lines (20 loc) · 1.34 KB

T1005.md

File metadata and controls

30 lines (20 loc) · 1.34 KB

T1005 - Data from Local System

Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration.

Adversaries will often search the file system on computers they have compromised to find files of interest. They may do this using a Command-Line Interface, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.

Atomic Tests


Atomic Test #1 - Search macOS Safari Cookies

This test uses grep to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware.

Supported Platforms: macOS

Inputs

Name Description Type Default Value
search_string String to search Safari cookies to find. string coinbase

Run it with sh!

cd ~/Library/Cookies
grep -q "#{search_string}" "Cookies.binarycookies"