T1005

Data from Local System

Description from ATT&CK

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Adversaries may do this using a Command and Scripting Interpreter, such as cmd as well as a Network Device CLI, which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use Automated Collection on the local system.

Tests

Test #1 - Copy Apple Notes database

This command copies the Apple Notes database (NoteStore.sqlite together with its -shm and -wal journal files) out of the Notes group container using AppleScript, as seen in Atomic Stealer.

⚠️ TCC Required

Input Arguments:

Argument          Type   Default Value
destination_path  str    /tmp
tell application "Finder"
  -- Destination for the copied database files (the destination_path argument, default /tmp)
  set destinationFolderPath to POSIX file "/tmp"
  -- Notes keeps its SQLite store in this group container; the path is built in HFS (colon) form
  set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"
  set notesFolder to folder notesFolderPath
  -- The database plus its -shm/-wal journal files, which may hold changes not yet checkpointed
  repeat with aName in {"NoteStore.sqlite", "NoteStore.sqlite-shm", "NoteStore.sqlite-wal"}
    try
      duplicate (file (aName as text) of notesFolder) to folder destinationFolderPath with replacing
    on error errMsg
      -- The journal files are absent once Notes has checkpointed the database; skip rather than abort
      log "skipping " & aName & ": " & errMsg
    end try
  end repeat
end tell
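To give the detection side of this test something concrete, here is an added Python example (not part of the page or of the test catalog) that flags the behaviour the AppleScript above produces and then checks which of the expected files actually landed in the destination folder. It assumes a newline-delimited JSON feed of process and file events with the field names used in the code (a constructed schema, not any particular EDR product's), and the sample events are constructed for the example.

```python
"""Detect copies of the Apple Notes database out of its container (T1005) and verify test artifacts.

Added example for this page; the event schema and sample events are constructed, not taken
from a real endpoint product.
"""
import json
import os
import tempfile
from pathlib import Path, PurePosixPath

# Where Notes keeps its database on macOS (the folder the AppleScript test reads from).
NOTES_CONTAINER = "Library/Group Containers/group.com.apple.notes"
# The SQLite database plus its shared-memory and write-ahead-log companions.
NOTES_DB_FILES = ("NoteStore.sqlite", "NoteStore.sqlite-shm", "NoteStore.sqlite-wal")

# Constructed sample feed: one JSON event per line. Two of the file events are the
# Finder-driven copies the test makes; the Notes process writing inside its own
# container and an unrelated download are included as benign noise.
SAMPLE_EVENTS = """\
{"type": "process", "pid": 4120, "process": "osascript", "cmdline": "osascript -e 'tell application \\"Finder\\" to duplicate files of folder \\"group.com.apple.notes\\" to folder \\"/tmp\\"'"}
{"type": "file_create", "pid": 4123, "process": "Finder", "path": "/tmp/NoteStore.sqlite", "source": "/Users/alice/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite"}
{"type": "file_write", "pid": 612, "process": "Notes", "path": "/Users/alice/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-wal"}
{"type": "file_create", "pid": 4123, "process": "Finder", "path": "/tmp/NoteStore.sqlite-wal", "source": "/Users/alice/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-wal"}
{"type": "file_create", "pid": 777, "process": "Safari", "path": "/Users/alice/Downloads/report.pdf"}
"""


def is_notes_db_file(path: str) -> bool:
    """True when the file name is the Notes database or one of its journal files."""
    return PurePosixPath(path).name in NOTES_DB_FILES


def inside_notes_container(path: str) -> bool:
    """True when the path lies under the Notes group container (Notes itself writes there)."""
    return NOTES_CONTAINER in path


def detect_notes_collection(ndjson_text: str) -> list:
    """Return one alert dict per event that looks like collection of the Notes database.

    Two rules: a process whose command line names the Notes container (inline AppleScript),
    and any NoteStore.sqlite* file appearing outside the container, whichever process did it.
    """
    alerts = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["type"] == "process" and "group.com.apple.notes" in ev.get("cmdline", ""):
            alerts.append({"rule": "notes-container-in-cmdline",
                           "pid": ev["pid"], "process": ev["process"]})
        elif ev["type"].startswith("file_") and is_notes_db_file(ev["path"]) \
                and not inside_notes_container(ev["path"]):
            alerts.append({"rule": "notes-db-copied-out-of-container",
                           "pid": ev["pid"], "process": ev["process"], "path": ev["path"]})
    return alerts


def check_test_artifacts(destination_path: str) -> dict:
    """Map each expected file name to whether it exists in destination_path.

    Useful both to confirm the test produced output and to know what to remove afterwards.
    """
    return {name: os.path.exists(os.path.join(destination_path, name)) for name in NOTES_DB_FILES}


def run_demo() -> tuple:
    """Run detection over the sample feed and an artifact check against a temporary folder."""
    alerts = detect_notes_collection(SAMPLE_EVENTS)
    with tempfile.TemporaryDirectory() as dest:
        # Stand-in for a test run where only the main database was present to copy
        # (the journal files had already been checkpointed away). Constructed content.
        Path(dest, "NoteStore.sqlite").write_bytes(b"SQLite format 3\x00")
        present = check_test_artifacts(dest)
    return alerts, present


if __name__ == "__main__":
    found, artifacts = run_demo()
    for alert in found:
        print("ALERT", alert)
    print("artifacts present:", artifacts)
```

The file-path rule is the durable one: it fires whether the copy is made by Finder, osascript, cp, or a compiled binary, because it keys on the database name appearing anywhere outside the container. Expect to tune it against backup and sync tools that legitimately stage copies of user data, and to check the -shm and -wal files as well as the main database, since they can carry content not yet written into NoteStore.sqlite.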


References