TH16106

Detected presence of files that collect and exfiltrate user information.

priority | CI/CD status | severity | effort | RL level | RL assessment
         | pass         | medium   | high   | None     | None

About the issue

Software components contain executable code that performs the actions implemented during their development. These actions are called behaviors. In the analysis report, behaviors are presented as human-readable descriptions that best match the intent of the underlying code. While most behaviors are benign on their own, some become important for analysis when observed alongside other capabilities the component exhibits. This issue is reported for files that can both enumerate user information and make HTTP requests. While the presence of this behavior combination does not by itself imply malicious intent, it is advised that the reported files are reviewed. One example of acceptable use for this type of data collection is opt-in telemetry for software debugging purposes.
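To make the "behavior combination" concrete, the following is an added example (not part of this page and not ReversingLabs' own behavior model) of a small static scanner that walks a Python file's AST and reports where it enumerates user information and where it makes HTTP requests, flagging the file only when both capabilities are present. The call-name lists, the `flags_th16106` name and the three sample sources are constructed for illustration; a real behavior engine works on compiled code and a far richer model, but the co-occurrence logic is the same.

```python
"""Flag Python sources that combine user-info enumeration with HTTP calls.

Illustrative heuristic only (Python 3.9+). The API lists below are a
constructed subset, not an exhaustive or official catalogue.
"""
import ast
from typing import Dict, List, Tuple

# Constructed lists of fully qualified call names treated as each capability.
USER_INFO_CALLS = {
    "getpass.getuser", "os.getlogin", "os.getuid", "platform.node",
    "socket.gethostname", "pwd.getpwuid",
}
HTTP_CALLS = {
    "requests.get", "requests.post", "urllib.request.urlopen",
    "http.client.HTTPConnection", "http.client.HTTPSConnection",
}
USER_ENV_KEYS = {"USER", "USERNAME", "LOGNAME", "HOME"}

Finding = Tuple[str, int]  # (what was matched, source line number)


def _dotted_name(node: ast.AST) -> str:
    """Return 'a.b.c' for a Name/Attribute chain, '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _resolve_aliases(tree: ast.AST) -> Dict[str, str]:
    """Map each locally bound import name to its fully qualified origin.

    'import requests as r'            -> {'r': 'requests'}
    'import urllib.request'           -> {'urllib': 'urllib'}
    'from getpass import getuser'     -> {'getuser': 'getpass.getuser'}
    """
    aliases: Dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name
                else:
                    top = a.name.split(".")[0]
                    aliases[top] = top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _canonical(dotted: str, aliases: Dict[str, str]) -> str:
    """Rewrite the first component of a dotted name through the alias map."""
    head, _, rest = dotted.partition(".")
    head = aliases.get(head, head)
    return f"{head}.{rest}" if rest else head


def scan_source(src: str) -> Dict[str, List[Finding]]:
    """Return the user-info and HTTP findings for one Python source string."""
    tree = ast.parse(src)
    aliases = _resolve_aliases(tree)
    found: Dict[str, List[Finding]] = {"user_info": [], "http": []}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _canonical(_dotted_name(node.func), aliases)
            if name in USER_INFO_CALLS:
                found["user_info"].append((name, node.lineno))
            elif name in HTTP_CALLS:
                found["http"].append((name, node.lineno))
            elif name == "os.environ.get" and node.args:
                # os.environ.get("USER") style lookups
                key = node.args[0]
                if isinstance(key, ast.Constant) and key.value in USER_ENV_KEYS:
                    found["user_info"].append((f"os.environ.get({key.value!r})", node.lineno))
        elif isinstance(node, ast.Subscript):
            # os.environ["USER"] style lookups
            base = _canonical(_dotted_name(node.value), aliases)
            key = node.slice
            if base == "os.environ" and isinstance(key, ast.Constant) and key.value in USER_ENV_KEYS:
                found["user_info"].append((f"os.environ[{key.value!r}]", node.lineno))
    return found


def flags_th16106(src: str) -> bool:
    """True only when BOTH capabilities co-occur, mirroring the policy's logic."""
    f = scan_source(src)
    return bool(f["user_info"]) and bool(f["http"])


# Constructed sample inputs: one that should be flagged, one benign,
# and one using import aliases and an environment lookup.
SAMPLE_FLAGGED = (
    "import getpass\n"
    "import requests\n"
    "\n"
    "def report():\n"
    "    user = getpass.getuser()\n"
    "    requests.post('https://telemetry.example/collect', json={'user': user})\n"
)
SAMPLE_BENIGN = (
    "import requests\n"
    "\n"
    "def fetch():\n"
    "    return requests.get('https://example.com/version').text\n"
)
SAMPLE_ALIASED = (
    "import os\n"
    "from urllib.request import urlopen\n"
    "\n"
    "def ping():\n"
    "    name = os.environ.get('USERNAME')\n"
    "    urlopen('https://example.com/?u=' + name)\n"
)

if __name__ == "__main__":
    for label, src in [("flagged", SAMPLE_FLAGGED), ("benign", SAMPLE_BENIGN), ("aliased", SAMPLE_ALIASED)]:
        print(label, flags_th16106(src), scan_source(src))
```

Reviewing a flagged file then means reading the reported line pairs together: a user-name lookup next to an outbound request is exactly what the page asks you to confirm as opt-in telemetry or treat as a tampering indicator.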

How to resolve the issue

  • Investigate reported detections as indicators of software tampering.
  • Consult the MITRE ATT&CK documentation: T1033 - System Owner/User Discovery.
  • Consider limiting the collection of user information to a minimum.