T1005

Data from Local System

Data from Local System (T1005) is a MITRE ATT&CK technique associated with Collection . Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive da…

Technique ID: T1005
Difficulty: Intermediate
Tactics: Collection
Platforms: ESXiLinuxmacOSNetwork DevicesWindows

Executive Summary

Data from Local System (T1005) is a MITRE ATT&CK technique associated with Collection. Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why Attackers Use It

Attackers use Data from Local System because it provides a reliable way to advance their objective within the Collection tactic, often with a favorable balance of impact versus detectability on ESXi, Linux, macOS, Network Devices, Windows environments. Defenders should assess this behavior in the context of the affected platform and adjacent activity rather than treating it as a standalone indicator.

MITRE Description

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Adversaries may do this using a Command and Scripting Interpreter, such as cmd as well as a Network Device CLI, which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use Automated Collection on the local system.

Attack Flow

Attacker gains the prerequisite access or context described below.
Attacker executes Data from Local System to achieve its tactical objective (Collection).
Resulting access/data/effect is leveraged to advance the broader attack chain (see Related Techniques).

Prerequisites

Platform(s): ESXi, Linux, macOS, Network Devices, Windows
ATT&CK does not define one universal permission requirement for this technique. Establish the required access from the observed implementation and affected platform.

Common Tools

Tool attribution is implementation-specific. Use ATT&CK procedure examples and local telemetry to identify the binaries, services, scripts, accounts, or cloud resources involved.

Commands

No universal command represents Data from Local System. Capture the exact command line, arguments, parent process, account, host, and execution time from the investigated environment; do not operationalize unverified examples.

Network Traffic

Network observability is implementation-dependent. Review DNS, proxy, firewall, flow, authentication, and packet telemetry around the activity window, then correlate remote endpoints and protocol behavior with host evidence.

Windows Events

Event ID	Log Channel	What It Indicates
Environment-specific	Relevant Windows channel(s)	Correlate authentication, process, object-access, and configuration events with the observed execution context.

Sysmon Events

Sysmon Event ID	Name	Why It's Relevant Here
Environment-specific	Validate configured telemetry	Use process, network, file, registry, DNS, or image-load telemetry only when relevant and enabled.

Detection Opportunities

No MITRE detection guidance published for this technique.

Relevant ATT&CK Data Sources: N/A

Sigma Rules

A universal Sigma rule would create unreliable results because this technique has no single guaranteed observable. Build detection logic from a documented behavior and supported data source, scope it to the affected platform, and validate it against benign administrative activity before deployment.

Splunk Queries

Start with the data sources named in the detection section. Scope searches by asset, identity, and time window; correlate the primary behavior with preceding access and subsequent actions. A portable query is intentionally not provided where the technique lacks a universal schema or observable.

Investigation Workflow

Confirm that the observed behavior is consistent with Data from Local System and rule out expected administrative or application activity.
Establish the first-seen time, initiating identity, source system, target system, and affected resources.
Collect relevant host, identity, network, cloud, and application telemetry for the surrounding time window.
Correlate parent and child activity, remote connections, file or configuration changes, and related ATT&CK techniques.
Determine scope by searching for the same observable across peer assets and identities.
Preserve volatile evidence and record confidence, assumptions, and telemetry gaps before containment.

Containment

Isolate affected host(s)/account(s) identified during investigation.
Revoke or rotate any credentials/tokens potentially exposed.
Apply the mitigations listed below where not already enforced.
Validate no related techniques (see Related Techniques) were chained against the same asset.

Mitigation

M1057 -- Data Loss Prevention: Data Loss Prevention (DLP) involves implementing strategies and technologies to identify, categorize, monitor, and control the movement of sensitive data within an organization.

Related Techniques

T1001.001
T1003
T1003.002
T1003.003
T1016.001
T1021
T1021.005
T1021.006
T1025
T1027.004
T1027.005
T1027.007
T1029
T1036.001
T1037.004
T1039
T1041
T1056
T1056.003
T1057
T1059.003
T1070.009
T1071.001
T1071.004
T1074
T1074.001
T1074.002
T1082
T1083
T1087
T1105
T1110.002
T1114.001
T1119
T1132
T1140
T1195.001
T1205.001
T1213
T1213.003
T1213.006
T1217
T1505.003
T1505.004
T1539
T1546.004
T1546.011
T1546.012
T1547
T1547.006
T1553.001
T1555.001
T1555.004
T1555.005
T1558.003
T1559.001
T1560.001
T1565.002
T1566
T1566.003
T1567
T1567.002
T1568.001
T1568.002
T1572
T1574
T1574.007
T1583.004
T1584.006
T1592.002
T1595.002
T1654
T1657

T1001.001Junk Data T1003OS Credential Dumping T1003.002Security Account Manager T1003.003NTDS T1016.001Internet Connection Discovery T1021Remote Services T1021.005VNC T1021.006Windows Remote Management T1025Data from Removable Media T1027.004Compile After Delivery T1027.005Indicator Removal from Tools T1027.007Dynamic API Resolution T1029Scheduled Transfer T1036.001Invalid Code Signature T1037.004RC Scripts T1039Data from Network Shared Drive T1041Exfiltration Over C2 Channel T1056Input Capture T1056.003Web Portal Capture T1057Process Discovery T1059.003Windows Command Shell T1070.009Clear Persistence T1071.001Web Protocols T1071.004DNS T1074Data Staged T1074.001Local Data Staging T1074.002Remote Data Staging T1082System Information Discovery T1083File and Directory Discovery T1087Account Discovery T1105Ingress Tool Transfer T1110.002Password Cracking T1114.001Local Email Collection T1119Automated Collection T1132Data Encoding T1140Deobfuscate/Decode Files or Information T1195.001Compromise Software Dependencies and Development Tools T1205.001Port Knocking T1213Data from Information Repositories T1213.003Code Repositories T1213.006Databases T1217Browser Information Discovery T1505.003Web Shell T1505.004IIS Components T1539Steal Web Session Cookie T1546.004Unix Shell Configuration Modification T1546.011Application Shimming T1546.012Image File Execution Options Injection T1547Boot or Logon Autostart Execution T1547.006Kernel Modules and Extensions T1553.001Gatekeeper Bypass T1555.001Keychain T1555.004Windows Credential Manager T1555.005Password Managers T1558.003Kerberoasting T1559.001Component Object Model T1560.001Archive via Utility T1565.002Transmitted Data Manipulation T1566Phishing T1566.003Spearphishing via Service T1567Exfiltration Over Web Service T1567.002Exfiltration to Cloud Storage T1568.001Fast Flux DNS T1568.002Domain Generation Algorithms T1572Protocol Tunneling T1574Hijack Execution Flow T1574.007Path Interception by PATH Environment Variable T1583.004Server T1584.006Web Services T1592.002Software T1595.002Vulnerability Scanning T1654Log Enumeration T1657Financial Theft

Loading AttackTrace...

Executive Summary

Why Attackers Use It

MITRE Description

Attack Flow

Attacker gains the prerequisite access or context described below.
Attacker executes Data from Local System to achieve its tactical objective (Collection).
Resulting access/data/effect is leveraged to advance the broader attack chain (see Related Techniques).

Prerequisites

Platform(s): ESXi, Linux, macOS, Network Devices, Windows
ATT&CK does not define one universal permission requirement for this technique. Establish the required access from the observed implementation and affected platform.

Common Tools

Tool attribution is implementation-specific. Use ATT&CK procedure examples and local telemetry to identify the binaries, services, scripts, accounts, or cloud resources involved.

Commands

Network Traffic

Network observability is implementation-dependent. Review DNS, proxy, firewall, flow, authentication, and packet telemetry around the activity window, then correlate remote endpoints and protocol behavior with host evidence.

Windows Events

Event ID	Log Channel	What It Indicates
Environment-specific	Relevant Windows channel(s)	Correlate authentication, process, object-access, and configuration events with the observed execution context.

Sysmon Events

Sysmon Event ID	Name	Why It's Relevant Here
Environment-specific	Validate configured telemetry	Use process, network, file, registry, DNS, or image-load telemetry only when relevant and enabled.

Detection Opportunities

No MITRE detection guidance published for this technique.

Relevant ATT&CK Data Sources: N/A

Sigma Rules

Splunk Queries

Investigation Workflow

Confirm that the observed behavior is consistent with Data from Local System and rule out expected administrative or application activity.
Establish the first-seen time, initiating identity, source system, target system, and affected resources.
Collect relevant host, identity, network, cloud, and application telemetry for the surrounding time window.
Correlate parent and child activity, remote connections, file or configuration changes, and related ATT&CK techniques.
Determine scope by searching for the same observable across peer assets and identities.
Preserve volatile evidence and record confidence, assumptions, and telemetry gaps before containment.

Containment

Isolate affected host(s)/account(s) identified during investigation.
Revoke or rotate any credentials/tokens potentially exposed.
Apply the mitigations listed below where not already enforced.
Validate no related techniques (see Related Techniques) were chained against the same asset.

Mitigation

M1057 -- Data Loss Prevention: Data Loss Prevention (DLP) involves implementing strategies and technologies to identify, categorize, monitor, and control the movement of sensitive data within an organization.

Related Techniques

T1001.001
T1003
T1003.002
T1003.003
T1016.001
T1021
T1021.005
T1021.006
T1025
T1027.004
T1027.005
T1027.007
T1029
T1036.001
T1037.004
T1039
T1041
T1056
T1056.003
T1057
T1059.003
T1070.009
T1071.001
T1071.004
T1074
T1074.001
T1074.002
T1082
T1083
T1087
T1105
T1110.002
T1114.001
T1119
T1132
T1140
T1195.001
T1205.001
T1213
T1213.003
T1213.006
T1217
T1505.003
T1505.004
T1539
T1546.004
T1546.011
T1546.012
T1547
T1547.006
T1553.001
T1555.001
T1555.004
T1555.005
T1558.003
T1559.001
T1560.001
T1565.002
T1566
T1566.003
T1567
T1567.002
T1568.001
T1568.002
T1572
T1574
T1574.007
T1583.004
T1584.006
T1592.002
T1595.002
T1654
T1657

Executive Summary

Why Attackers Use It

MITRE Description

Attack Flow

Prerequisites

Common Tools

Commands

Network Traffic

Windows Events

Sysmon Events

Detection Opportunities

Sigma Rules

Splunk Queries

Investigation Workflow

Containment

Mitigation

Related Techniques

Related techniques

Executive Summary

Why Attackers Use It

MITRE Description

Attack Flow

Prerequisites

Common Tools

Commands

Network Traffic

Windows Events

Sysmon Events

Detection Opportunities

Sigma Rules

Splunk Queries

Investigation Workflow

Containment

Mitigation

Related Techniques

Related techniques