Data from Local System

00:00

hello and welcome to another application of the minor attack framework discussion.

00:06

Today. We're going to be looking at data from local systems.

00:09

So today's objectives are as follows we're going to describe for you what data from local system is within the context of the minor attack framework. We're going to look at a piece of malware that we can use him between the two. We're going to talk mitigation techniques and detection techniques as well.

00:26

Now, per the minor attack framework kind of paraphrasing here is we do

00:31

a threat Actor will attempt to collect data from the file system or database of information, resigning on systems prior to ex filtration. They're actors will use the command line interface to look for sensitive information typically, and they do this with either automated means descript ing or maybe do some manual investigation.

00:49

Now, a tool in this particular category that has some functionality is cosmic Duke. A many Duke, a k a. Some other names. Malware here has been used by a P T 29 from 2010 to 2015. It's got different capabilities, so it's got a persistence mechanism that includes starting via Windows Tass schedule or

01:08

And it has a mechanism that looks for file extensions such as MP three dots

01:14

XLs X. So you've got audio, some word documents, spreadsheets, things of that nature and implements several network connectors to expel trait data like up learning the FTP and http mechanisms. But we've seen that there are some craftier ways that threat actors could do that as well.

01:33

Now, with respect to mitigation techniques and how that is working so again, back to end user awareness training, being a primary method here, trying to prevent infection and keep these things off the network prior to them becoming a problem.

01:49

And then with respect to detection techniques, again, we get into monitoring for the use of command line arguments that could

01:57

be actions that represent data collection activity.

02:00

Now again, some organizations, depending on the size and capability, may use some scripting to do certain data collection activities. So you do need to make sure that these things are either legitimate business activities or could be related to threat actor manipulation of data sets.

02:20

Now let's do a quick check on learning true or false stated collection on local systems is where a threat actor is looking to steal files or database information,

02:30

so if you need additional time, please pause the video. So data collection on local system is where a threat actor is looking to steal files or database information. This is a true statement in this case. Now let's go ahead and pop into our summary for today's discussion. It was pretty quick, but really,

02:51

you know, it's pretty straightforward stuff with respect to data from local systems, which we describe,

02:55

and looking at one of many tools that can be used here. Four data collection. They could do it, you know, threat actors to malware through automated means through scripts through through any type of collection that you could do via command line. They can automate that. Use those

03:13

mitigation techniques, focusing on the end user awareness training and detection techniques, falling into the category of watching command line activity commonly associated with data gathering techniques. Again,

03:25

I wanted to make sure that we differentiate between business appropriate activity versus activity that could be that of a threat actor.