T0893 Data from Local System
Adversaries may target and collect data from local system sources, such as file systems, configuration files, or local databases. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes.
Adversaries may do this using Command-Line Interface or Scripting techniques to interact with the file system to gather information. Adversaries may also use Automated Collection on the local system.
| Item | Value |
|---|---|
| ID | T0893 |
| Sub-techniques | |
| Tactics | TA0100 |
| Platforms | Control Server, Engineering Workstation, Field Controller/RTU/PLC/IED, Human-Machine Interface, Input/Output Server, Safety Instrumented System/Protection Relay |
| Version | 1.0 |
| Created | 30 March 2023 |
| Last Modified | 05 April 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1000 | ACAD/Medre.A | ACAD/Medre.A collects information related to the AutoCAD application. The worm collects AutoCAD (*.dwg) files with drawings from infected systems. [4] |
| S0038 | Duqu | Duqu downloads additional modules for the collection of data from local systems. The modules are named: infostealer 1, infostealer 2 and reconnaissance. [5] |
| S0143 | Flame | Flame has built-in modules to gather information from compromised computers. [3] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0803 | Data Loss Prevention | Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted. |
| M0941 | Encrypt Sensitive Information | Information which is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know. [1][2] |
| M0922 | Restrict File and Directory Permissions | Protect files stored locally with proper permissions to limit opportunities for adversaries to interact with and collect information from the local system. [1][2] |
| M0917 | User Training | Develop and publish policies that define acceptable information to be stored on local systems. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Access |
| DS0009 | Process | OS API Execution |
| DS0012 | Script | Script Execution |
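The data components above can be correlated into a simple rule for an engineering workstation: flag a command or script line that enumerates, copies or archives engineering file types in bulk, and flag a single process that touches many distinct engineering files within a short window. The following is an added example, not part of the ATT&CK page or any MITRE tooling; the event schema, the extension list beyond `.dwg`, the verb list, the window and threshold, and the sample events are all constructed for illustration and would need tuning to a site's real telemetry and tooling.

```python
"""Detection sketch for ATT&CK ICS T0893 (Data from Local System).

Signals used (matching the Detection table):
  * Command Execution / Script Execution: a command line that combines a
    recursive listing, copy or archive verb with an engineering file type.
  * File Access: one process reading >= DISTINCT_FILE_THRESHOLD distinct
    engineering files inside a WINDOW, which is how automated collection
    looks on an engineering workstation.

Event schema, thresholds and sample events are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# .dwg is the file type named on the page; the others are assumed additions
# (drawings, exported schematics, project XML) and should match site tooling.
SENSITIVE_EXTENSIONS = (".dwg", ".dxf", ".pdf", ".xml")
WINDOW = timedelta(seconds=60)          # assumed sliding window
DISTINCT_FILE_THRESHOLD = 5             # assumed; deliberately low for the demo

# Verbs that walk, copy or archive file trees. On their own they are normal
# admin activity; paired with an engineering extension on the same line they
# look like collection. Assumed list, extend to the site's own tools.
COLLECTION_VERBS = re.compile(
    r"(?<![\w-])(dir\s+/s|xcopy|robocopy|copy-item|get-childitem|"
    r"compress-archive|findstr|cp\s+-r|tar|7z|zip)(?![\w-])",
    re.IGNORECASE,
)
EXT_PATTERN = re.compile(r"\*?\.(dwg|dxf|pdf|xml)\b", re.IGNORECASE)


def analyze(events):
    """Return a list of alert dicts for the given event dicts.

    Each event has ts (ISO 8601), type ("command", "script" or "file_access"),
    host, pid, image and either cmdline or path.
    """
    alerts = []
    recent = defaultdict(deque)   # (host, pid) -> deque of (ts, lowercased path)
    flagged = set()               # processes already reported for bulk access

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["host"], ev["pid"])

        if ev["type"] in ("command", "script"):
            cmd = ev["cmdline"]
            # Both conditions are required: an extension alone is just a user
            # opening a drawing, a verb alone is routine administration.
            if COLLECTION_VERBS.search(cmd) and EXT_PATTERN.search(cmd):
                alerts.append({"rule": "T0893.bulk_enumeration", "host": ev["host"],
                               "pid": ev["pid"], "image": ev["image"], "evidence": cmd})

        elif ev["type"] == "file_access":
            path = ev["path"].lower()
            if not path.endswith(SENSITIVE_EXTENSIONS):
                continue
            window = recent[key]
            window.append((ts, path))
            while window and ts - window[0][0] > WINDOW:   # drop events outside WINDOW
                window.popleft()
            distinct = {p for _, p in window}
            if len(distinct) >= DISTINCT_FILE_THRESHOLD and key not in flagged:
                flagged.add(key)   # one alert per process, not one per file
                alerts.append({"rule": "T0893.bulk_file_access", "host": ev["host"],
                               "pid": ev["pid"], "image": ev["image"],
                               "evidence": sorted(distinct)})
    return alerts


# Constructed sample telemetry: an engineer opening two drawings in AutoCAD,
# a harmless notepad launch, then a cmd and a PowerShell process that walk
# the project tree, followed by that PowerShell process reading six files.
SAMPLE_EVENTS = [
    {"ts": "2023-04-05T08:00:00", "type": "file_access", "host": "ENG-WS01", "pid": 4100,
     "image": "acad.exe", "path": r"C:\Projects\Line3\layout.dwg"},
    {"ts": "2023-04-05T08:12:30", "type": "file_access", "host": "ENG-WS01", "pid": 4100,
     "image": "acad.exe", "path": r"C:\Projects\Line3\piping.dwg"},
    {"ts": "2023-04-05T08:15:00", "type": "command", "host": "ENG-WS01", "pid": 4321,
     "image": "notepad.exe", "cmdline": r"notepad.exe C:\Users\eng\notes.txt"},
    {"ts": "2023-04-05T09:30:05", "type": "command", "host": "ENG-WS01", "pid": 5520,
     "image": "cmd.exe",
     "cmdline": r"cmd.exe /c dir /s /b C:\Projects\*.dwg > C:\Users\Public\list.txt"},
    {"ts": "2023-04-05T09:31:00", "type": "script", "host": "ENG-WS01", "pid": 5522,
     "image": "powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Get-ChildItem -Recurse C:\Projects "
                r"-Include *.dwg,*.pdf | Copy-Item -Destination C:\Users\Public\out"},
] + [
    {"ts": f"2023-04-05T09:31:{sec:02d}", "type": "file_access", "host": "ENG-WS01",
     "pid": 5522, "image": "powershell.exe", "path": p}
    for sec, p in enumerate([r"C:\Projects\Line1\cabinet.dwg", r"C:\Projects\Line1\io_list.pdf",
                             r"C:\Projects\Line2\hmi.dwg", r"C:\Projects\Line2\safety.pdf",
                             r"C:\Projects\Line3\layout.dwg", r"C:\Projects\Line3\piping.dwg"],
                            start=2)
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert["rule"], alert["host"], alert["pid"], alert["image"], alert["evidence"])
```

Run as-is it reports three alerts: the `cmd.exe` enumeration, the PowerShell copy pipeline, and the same PowerShell process crossing the distinct-file threshold at its fifth read; the AutoCAD session and the notepad launch stay quiet. The two-condition rule on command lines is the point worth keeping when tuning: an extension alone or a verb alone would page the SOC on ordinary engineering work, so the rule only fires when both appear together, and the file-access branch reports a process once rather than once per file.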
References
1. Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved 2018/03/28.
2. National Institute of Standards and Technology. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved 2020/09/17.
3. Kevin Savage and Branko Spasojevic. W32.Flamer. Retrieved 2019/11/03.
4. ESET. ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage. Retrieved 2021/04/13.
5. Symantec. W32.Duqu: The precursor to the next Stuxnet. Retrieved 2019/11/03.