T1005

Data from Local System

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration. Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interac...

Platforms: ESXi, Linux, macOS, Network Devices, Windows

47 detections, 4 sources, 45 threat actors

By source: 28 elastic, 12 sigma, 6 splunk_escu, 1 kql

PROCEDURES (34)

Auto-extracted procedure groupings, each with the number of detections mapped to it:

- General Monitoring: 3 detections
- Process Creation Monitoring: 3 detections
- Service: 2 detections
- Saml: 2 detections
- Credential: 2 detections
- Credential: 2 detections
- Privilege: 2 detections
- C2: 2 detections
- Suspicious: 2 detections
- Kernel Monitoring: 2 detections
- Kubernetes: 1 detection
- Suspicious: 1 detection
- Container: 1 detection
- Container: 1 detection
- Container: 1 detection
- Kubernetes: 1 detection
- Credential: 1 detection
- Dump: 1 detection
- Download: 1 detection
- Powershell: 1 detection
- Service: 1 detection
- Credential: 1 detection
- Dump: 1 detection
- Credential: 1 detection
- Service: 1 detection
- Http: 1 detection
- Encrypt: 1 detection
- Encrypt: 1 detection
- Download: 1 detection
- Download: 1 detection
- Cloud: 1 detection
- Dump: 1 detection
- Powershell: 1 detection
- Cloud: 1 detection

DETECTIONS (47)

| Detection | Source | Severity |
|---|---|---|
| File From Host Collected via Portal or Live Response | kql | not listed |
| ADFS Database Named Pipe Connection By Uncommon Tool | sigma | medium |
| AWS Credentials Searched For Inside A Container | elastic | high |
| AWS EC2 Export Task | elastic | medium |
| AWS EC2 VM Export Failure | sigma | low |
| Cisco ASA - Device File Copy Activity | splunk_escu | not listed |
| Cisco ASA - Device File Copy to Remote Location | splunk_escu | not listed |
| Cisco Collect Data | sigma | low |
| Cisco TFTP Server Configuration for Data Exfiltration | splunk_escu | not listed |
| Crash Dump Created By Operating System | sigma | medium |
| Credential Access via TruffleHog Execution | elastic | medium |
| Encrypting Files with WinRar or 7z | elastic | medium |
| Esentutl Steals Browser Information | sigma | medium |
| ESXi Sensitive Files Accessed | splunk_escu | not listed |
| ESXi VM Exported via Remote Tool | splunk_escu | not listed |
| Exchange Mailbox Export via PowerShell | elastic | medium |
| Exporting Exchange Mailbox via PowerShell | elastic | medium |
| GenAI Process Accessing Sensitive Files | elastic | high |
| Kernel Seeking Activity | elastic | medium |
| Kubernetes Service Account Secret Access | elastic | medium |
| Linux init (PID 1) Secret Dump via GDB | elastic | high |
| Manual Memory Dumping via Proc Filesystem | elastic | high |
| OpenCanary - SMB File Open Request | sigma | high |
| Potential Data Exfiltration Through Wget | elastic | medium |
| Potential Linux Credential Dumping via Unshadow | elastic | high |
| Potential Privacy Control Bypass via Localhost Secure Copy | elastic | high |
| Potential Suspicious DebugFS Root Device Access | elastic | low |
| Script Interpreter Spawning Credential Scanner - Linux | sigma | high |
| Script Interpreter Spawning Credential Scanner - Windows | sigma | high |
| Sensitive File Access followed by Compression | elastic | high |
| Sensitive File Compression Detected via Defend for Containers | elastic | medium |
| Sensitive Files Compression | elastic | medium |
| Sensitive Files Compression Inside A Container | elastic | high |
| Sensitive Keys Or Passwords Search Detected via Defend for Containers | elastic | medium |
| Service Account Namespace Read Detected via Defend for Containers | elastic | low |
| Service Account Token or Certificate Read Detected via Defend for Containers | elastic | medium |
| SQLite Chromium Profile Data DB Access | sigma | high |
| SQLite Firefox Profile Data DB Access | sigma | high |
| Sqlite Module In Temp Folder | splunk_escu | not listed |
| Suspicious TCC Access Granted for User Folders | elastic | high |
| Suspicious Web Browser Sensitive File Access | elastic | high |
| SystemKey Access via Command Line | elastic | high |
| TCC Bypass via Mounted APFS Snapshot Access | elastic | high |
| Unusual Web Config File Access | elastic | high |
| Veeam Backup Database Suspicious Query | sigma | medium |
| VeeamBackup Database Credentials Dump Via Sqlcmd.EXE | sigma | high |
| Web Server Local File Inclusion Activity | elastic | low |