Find sigma rule
Attack: Data from Local System
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Adversaries may do this using a Command and Scripting Interpreter, such as cmd as well as a Network Device CLI, which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use Automated Collection on the local system.
MITRE
Tactic
- collection
Technique
- T1005
Test: Search files of interest and save them to a single zip file (Windows)
OS
- windows
Description:
This test searches for files of certain extensions and saves them to a single zip file prior to extraction.
Executor
powershell