Find sigma rule

Attack: Data from Local System

Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.

Adversaries may do this using a Command and Scripting Interpreter, such as cmd as well as a Network Device CLI, which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use Automated Collection on the local system.

MITRE

Tactic

collection

technique

T1005

Test : Search files of interest and save them to a single zip file (Windows)

OS

windows

Description:

This test searches for files of certain extensions and saves them to a single zip file prior to extraction.

Executor

powershell

Sigma Rule

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test