T1005

Data from Local System

Adversaries may search local system sources, such as file systems, configuration files, local databases, and process memory to find files of interest and sensitive data prior to Exfiltration. Adversaries commonly target credential stores (Windows DPAPI, browser databases, SSH keys), corporate documents (Office files, PDFs), and system databases (Active Directory NTDS.dit, SAM hive) using command interpreters, native OS utilities like esentutl.exe and robocopy.exe, or custom malware. Observed threat actors include Kimsuky (document theft), HAFNIUM (data collection post-exploitation), LAPSUS$ (credential and file theft for extortion), and malware families such as QakBot (esentutl for browser credential extraction) and BADNEWS (recursive crawl for Office/PDF files).

Microsoft Sentinel / Defender

kusto

let SensitivePathKeywords = dynamic([
    "\\.ssh\\", "id_rsa", "id_ed25519", "id_ecdsa",
    "\\Microsoft\\Credentials\\", "\\Microsoft\\Protect\\",
    "Login Data", "Web Data", "Cookies",
    "ntds.dit", "\\config\\SAM", "\\config\\SYSTEM", "\\config\\SECURITY",
    "FileZilla", "recentservers.xml",
    "KeePass", ".kdbx",
    ".pst", ".ost"
]);
let BulkCollectionPatterns = dynamic([
    "dir /s", "dir /b /s", "tree /f",
    "Get-ChildItem -Recurse", "Get-ChildItem -Path", "gci -recurse", "gci -r ",
    "Get-Content", "Compress-Archive"
]);
let SensitiveExtensions = dynamic([
    ".pdf", ".docx", ".xlsx", ".pptx", ".doc", ".xls", ".csv",
    ".kdbx", ".pfx", ".p12", ".pem", ".key", ".cer", ".der",
    ".pst", ".ost", ".msg", ".wallet", ".rdp"
]);
// Branch 1: Process-based local data collection
let ProcessCollection = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // esentutl used for ESE database extraction (browser credential DBs, AD database)
    (FileName =~ "esentutl.exe"
     and ProcessCommandLine has_any ("ntds", "Login Data", "Cookies", "Web Data", "/y", ".dit", "/vss"))
    // Command shells or script hosts accessing known sensitive paths
    or (FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
        and ProcessCommandLine has_any (SensitivePathKeywords))
    // PowerShell recursive file search for sensitive document types
    or (FileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine has_any (BulkCollectionPatterns)
        and ProcessCommandLine has_any (SensitiveExtensions))
    // Robocopy or xcopy bulk-copying sensitive paths
    or (FileName in~ ("robocopy.exe", "xcopy.exe")
        and ProcessCommandLine has_any (SensitivePathKeywords))
    // where.exe or findstr used to locate specific file types at scale
    or (FileName in~ ("where.exe", "findstr.exe", "find.exe")
        and ProcessCommandLine has_any (SensitiveExtensions))
)
| where not(
    // Exclude well-known backup and security products by parent process
    InitiatingProcessFileName in~ ("MsMpEng.exe", "svchost.exe", "services.exe", "BackupAgent.exe", "OneDriveSetup.exe")
    and AccountName in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
)
| extend DetectionType = "Process-Based Collection"
| extend SignalReason = case(
    FileName =~ "esentutl.exe", "ESE Database Extraction (browser creds or NTDS)",
    ProcessCommandLine has_any ("ntds", "SAM", "SYSTEM", "SECURITY"), "AD/Registry Hive Targeted",
    ProcessCommandLine has_any (".ssh", "id_rsa", "id_ed25519"), "SSH Key Targeted",
    ProcessCommandLine has_any ("Login Data", "Cookies", "Web Data"), "Browser Credential DB Targeted",
    ProcessCommandLine has_any (BulkCollectionPatterns), "Bulk Recursive File Enumeration",
    FileName in~ ("robocopy.exe", "xcopy.exe"), "Bulk Copy Tool on Sensitive Path",
    "Sensitive Path Access via CLI"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType, SignalReason;
// Branch 2: Direct file access to high-value credential and data stores
let FileAccessCollection = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in~ ("FileRead", "FileCreated", "FileCopied", "FileRenamed")
| where (
    (FolderPath has "\\AppData\\Local\\Microsoft\\Credentials")
    or (FolderPath has "\\AppData\\Roaming\\Microsoft\\Credentials")
    or (FolderPath has "\\AppData\\Roaming\\Microsoft\\Protect")
    or (FolderPath has "\\.ssh" and FileName has_any ("id_rsa", "id_ed25519", "id_ecdsa", "config"))
    or (FolderPath has "Google\\Chrome" and FileName =~ "Login Data")
    or (FolderPath has "Microsoft\\Edge" and FileName =~ "Login Data")
    or (FolderPath has "Mozilla\\Firefox\\Profiles" and FileName has_any ("logins.json", "key4.db", "cert9.db"))
    or (FolderPath has "\\Windows\\System32\\config" and FileName in~ ("SAM", "SYSTEM", "SECURITY", "DEFAULT"))
    or (FolderPath has "NTDS" and FileName =~ "ntds.dit")
    or (FileName endswith ".kdbx")
    or (FolderPath has "FileZilla" and FileName in~ ("recentservers.xml", "sitemanager.xml"))
    or (FolderPath has "\\Roaming\\WinSCP" and FileName =~ "WinSCP.ini")
)
| where InitiatingProcessFileName !in~ (
    "svchost.exe", "System", "MsMpEng.exe", "SearchIndexer.exe",
    "OneDrive.exe", "msedge.exe", "chrome.exe", "firefox.exe"
)
| where InitiatingProcessAccountName !in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
| extend DetectionType = "File-Based Collection"
| extend SignalReason = case(
    FolderPath has "Credentials" or FolderPath has "Protect", "Windows DPAPI Credential Store Access",
    FolderPath has ".ssh", "SSH Private Key Access",
    FolderPath has "Login Data" or FolderPath has "logins.json", "Browser Credential DB Access",
    FolderPath has "\\config" and FileName in~ ("SAM", "SYSTEM", "SECURITY"), "Registry Hive File Access",
    FolderPath has "NTDS", "Active Directory Database Access",
    FileName endswith ".kdbx", "KeePass Password Database Access",
    FolderPath has "FileZilla" or FolderPath has "WinSCP", "FTP/SCP Saved Credential Access",
    "Sensitive File Access"
)
| project Timestamp, DeviceName,
         AccountName = InitiatingProcessAccountName,
         FileName, FolderPath, ActionType,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType, SignalReason;
union ProcessCollection, FileAccessCollection
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation File: File Access Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Backup software (Veeam, Windows Backup, Acronis) accessing credential stores or NTDS.dit via VSS snapshots during scheduled jobs
Password managers (KeePass, Bitwarden) or browser sync services accessing their own databases during normal operation — exclude by initiating process name
IT administrators using robocopy or esentutl for legitimate data migration or database maintenance with documented change tickets
Antivirus or EDR products performing file scanning across sensitive directories — typically run as SYSTEM from known product binaries
Developers using Get-ChildItem -Recurse on document libraries for legitimate scripting or reporting tasks

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=11 OR EventCode=23))
| eval cmdline=lower(CommandLine), img=lower(Image), target=lower(coalesce(TargetFilename, ""))
| eval is_esentutl=if(
    match(img, "esentutl\\.exe") AND match(cmdline, "(ntds|\.dit|login data|cookies|web data|/y|/vss)"),
    1, 0)
| eval is_sensitive_path_cli=if(
    match(img, "(cmd\\.exe|powershell\\.exe|pwsh\\.exe|wscript\\.exe|cscript\\.exe|mshta\\.exe)") AND
    match(cmdline, "(\\.ssh|id_rsa|id_ed25519|\\.kdbx|credentials\\\\|\\\\protect\\\\|login data|ntds\.dit|filezilla|recentservers|winscp\.ini|\.pst|\.ost)"),
    1, 0)
| eval is_bulk_enum=if(
    match(img, "(powershell\\.exe|pwsh\\.exe)") AND
    match(cmdline, "(get-childitem.*-recurse|gci.*-recurse|gci.*-r |dir /s|tree /f|compress-archive)") AND
    match(cmdline, "(\.pdf|\.docx|\.xlsx|\.pptx|\.doc|\.xls|\.csv|\.pfx|\.pem|\.key|\.kdbx|\.pst)"),
    1, 0)
| eval is_bulk_copy=if(
    match(img, "(robocopy\\.exe|xcopy\\.exe)") AND
    match(cmdline, "(\.ssh|credential|protect|sam|ntds|password|secret|appdata|kdbx|filezilla)"),
    1, 0)
| eval is_sensitive_file_created=if(
    EventCode IN (11, 23) AND
    match(target, "(\\.ssh[\\/]id_rsa|\\.ssh[\\/]id_ed25519|microsoft\\\\credentials\\\\\.+|microsoft\\\\protect\\\\.+|google\\\\chrome.+login data|mozilla.+logins\.json|system32\\\\config\\\\(sam|system|security)|ntds\.dit|\.kdbx|filezilla.+recentservers\.xml|winscp\.ini)"),
    1, 0)
| eval SuspicionScore = is_esentutl + is_sensitive_path_cli + is_bulk_enum + is_bulk_copy + is_sensitive_file_created
| where SuspicionScore > 0
| eval SignalReason = case(
    is_esentutl=1, "ESE Database Extraction (esentutl)",
    is_bulk_enum=1, "PowerShell Recursive File Enumeration for Sensitive Extensions",
    is_sensitive_file_created=1, "Sensitive Credential/Data File Access or Staging",
    is_sensitive_path_cli=1, "CLI Access to Sensitive Credential Path",
    is_bulk_copy=1, "Bulk Copy Tool Targeting Sensitive Paths",
    true(), "Unknown"
)
| eval EventType = case(EventCode=1, "ProcessCreate", EventCode=11, "FileCreate", EventCode=23, "FileDelete", "Other")
| table _time, host, User, Image, CommandLine, TargetFilename, ParentImage, ParentCommandLine, EventType, SignalReason, SuspicionScore
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation File: File Creation Sysmon Event ID 1 Sysmon Event ID 11 Sysmon Event ID 23

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Backup agents (Veeam, Acronis, Windows Server Backup) creating shadow copies that trigger file access on ntds.dit or registry hives during scheduled backup windows
IT provisioning scripts using robocopy to migrate user profile data during workstation replacement — verify against change management records
Password manager applications (KeePass, Bitwarden) writing to their own .kdbx or database files during normal save operations
Security auditing tools (Nessus, Qualys, CrowdStrike) enumerating installed software or configuration via PowerShell
Developer environments using Get-ChildItem or find to enumerate project directories that happen to contain key or certificate files

Elastic Security (EQL)

eql

any where
(
  (
    event.category == "process" and event.type == "start"
    and (
      (
        process.name like~ "esentutl.exe"
        and process.command_line like~ ("*ntds*", "*.dit*", "*login data*", "*cookies*", "*web data*", "*/y *", "*/vss*")
      )
      or (
        process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
        and process.command_line like~ ("*\\.ssh*", "*id_rsa*", "*id_ed25519*", "*microsoft\\credentials*", "*microsoft\\protect*", "*login data*", "*ntds.dit*", "*.kdbx*", "*filezilla*", "*recentservers*", "*winscp.ini*", "*.pst*", "*.ost*")
      )
      or (
        process.name in~ ("powershell.exe", "pwsh.exe")
        and process.command_line like~ ("*get-childitem*-recurse*", "*gci*-recurse*", "*gci*-r *", "*dir /s*", "*tree /f*", "*compress-archive*")
        and process.command_line like~ ("*.pdf*", "*.docx*", "*.xlsx*", "*.pptx*", "*.pfx*", "*.pem*", "*.key*", "*.kdbx*", "*.pst*")
      )
      or (
        process.name in~ ("robocopy.exe", "xcopy.exe")
        and process.command_line like~ ("*\\.ssh*", "*credential*", "*protect*", "*\\sam*", "*ntds*", "*.kdbx*", "*filezilla*")
      )
      or (
        process.name in~ ("where.exe", "findstr.exe", "find.exe")
        and process.command_line like~ ("*.pdf*", "*.docx*", "*.xlsx*", "*.pfx*", "*.pem*", "*.key*", "*.kdbx*", "*.pst*", "*.ost*")
      )
    )
    and not process.parent.name in~ ("MsMpEng.exe", "svchost.exe", "services.exe", "BackupAgent.exe", "OneDriveSetup.exe")
  )
  or
  (
    event.category == "file"
    and event.type in ("creation", "change")
    and (
      file.path like~ "*\\appdata\\local\\microsoft\\credentials*"
      or file.path like~ "*\\appdata\\roaming\\microsoft\\credentials*"
      or file.path like~ "*\\appdata\\roaming\\microsoft\\protect*"
      or (file.path like~ "*\\.ssh*" and file.name in~ ("id_rsa", "id_ed25519", "id_ecdsa", "config"))
      or (file.path like~ "*google\\chrome*" and file.name like~ "login data")
      or (file.path like~ "*microsoft\\edge*" and file.name like~ "login data")
      or (file.path like~ "*mozilla\\firefox\\profiles*" and file.name in~ ("logins.json", "key4.db", "cert9.db"))
      or (file.path like~ "*\\windows\\system32\\config*" and file.name in~ ("sam", "system", "security", "default"))
      or (file.path like~ "*ntds*" and file.name like~ "ntds.dit")
      or file.name like~ "*.kdbx"
      or (file.path like~ "*filezilla*" and file.name in~ ("recentservers.xml", "sitemanager.xml"))
      or (file.path like~ "*winscp*" and file.name like~ "winscp.ini")
    )
    and not process.name in~ ("svchost.exe", "MsMpEng.exe", "SearchIndexer.exe", "OneDrive.exe", "msedge.exe", "chrome.exe", "firefox.exe")
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security (elastic-agent) Sysmon via Winlogbeat or Elastic Agent Windows Security Event Logs

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* winlogbeat-*

False Positives

Enterprise backup solutions (Veeam, Acronis, Windows Server Backup) legitimately read credential stores, registry hives, and document paths during scheduled backup jobs — correlate with backup service account identity and scheduled task context
Security tools and EDR agents (Windows Defender MsMpEng, CrowdStrike, Carbon Black) perform scheduled scans of sensitive directories; these should match excluded parent process names but custom EDR executables may not be covered
IT administrators running authorized PowerShell migration or remediation scripts (e.g., migrating user profiles, collecting forensic artefacts, rotating SSH keys) produce identical process telemetry — validate against change management tickets and admin account context
Password manager applications (KeePass, Bitwarden local vault) opening .kdbx files on user interaction will generate file access events matching the file branch — filter by known password manager process names and user-initiated sessions

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime/1000, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceIP,
  username AS UserName,
  "Image" AS ProcessImage,
  "CommandLine" AS CommandLine,
  "TargetFilename" AS TargetFilename,
  "ParentImage" AS ParentImage,
  "ParentCommandLine" AS ParentCommandLine,
  QIDNAME(qid) AS EventName,
  CASE
    WHEN LOWER("Image") LIKE '%esentutl.exe%'
      AND (LOWER("CommandLine") LIKE '%ntds%' OR LOWER("CommandLine") LIKE '%.dit%'
           OR LOWER("CommandLine") LIKE '%login data%' OR LOWER("CommandLine") LIKE '%/vss%')
      THEN 'ESE Database Extraction (esentutl)'
    WHEN (LOWER("Image") LIKE '%powershell.exe%' OR LOWER("Image") LIKE '%pwsh.exe%')
      AND (LOWER("CommandLine") LIKE '%get-childitem%recurse%'
           OR LOWER("CommandLine") LIKE '%gci%recurse%'
           OR LOWER("CommandLine") LIKE '%dir /s%'
           OR LOWER("CommandLine") LIKE '%compress-archive%')
      AND (LOWER("CommandLine") LIKE '%.pdf%' OR LOWER("CommandLine") LIKE '%.docx%'
           OR LOWER("CommandLine") LIKE '%.kdbx%' OR LOWER("CommandLine") LIKE '%.pst%'
           OR LOWER("CommandLine") LIKE '%.pfx%' OR LOWER("CommandLine") LIKE '%.pem%')
      THEN 'PowerShell Recursive Enumeration for Sensitive Extensions'
    WHEN (LOWER("Image") LIKE '%robocopy.exe%' OR LOWER("Image") LIKE '%xcopy.exe%')
      AND (LOWER("CommandLine") LIKE '%.ssh%' OR LOWER("CommandLine") LIKE '%credential%'
           OR LOWER("CommandLine") LIKE '%ntds%' OR LOWER("CommandLine") LIKE '%.kdbx%')
      THEN 'Bulk Copy Tool Targeting Sensitive Paths'
    WHEN (LOWER("TargetFilename") LIKE '%microsoft\credentials%'
          OR LOWER("TargetFilename") LIKE '%microsoft\protect%'
          OR LOWER("TargetFilename") LIKE '%.ssh%id_rsa%'
          OR LOWER("TargetFilename") LIKE '%login data%'
          OR LOWER("TargetFilename") LIKE '%logins.json%'
          OR LOWER("TargetFilename") LIKE '%system32\config\sam%'
          OR LOWER("TargetFilename") LIKE '%ntds.dit%'
          OR LOWER("TargetFilename") LIKE '%.kdbx%'
          OR LOWER("TargetFilename") LIKE '%recentservers.xml%'
          OR LOWER("TargetFilename") LIKE '%winscp.ini%')
      THEN 'Sensitive Credential or Data File Access'
    WHEN (LOWER("Image") LIKE '%cmd.exe%' OR LOWER("Image") LIKE '%powershell.exe%'
          OR LOWER("Image") LIKE '%pwsh.exe%' OR LOWER("Image") LIKE '%wscript.exe%'
          OR LOWER("Image") LIKE '%cscript.exe%' OR LOWER("Image") LIKE '%mshta.exe%')
      AND (LOWER("CommandLine") LIKE '%.ssh%' OR LOWER("CommandLine") LIKE '%id_rsa%'
           OR LOWER("CommandLine") LIKE '%credentials%' OR LOWER("CommandLine") LIKE '%ntds.dit%'
           OR LOWER("CommandLine") LIKE '%.kdbx%' OR LOWER("CommandLine") LIKE '%filezilla%'
           OR LOWER("CommandLine") LIKE '%.pst%')
      THEN 'CLI Access to Sensitive Credential Path'
    ELSE 'T1005 Indicator'
  END AS SignalReason
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) LIKE '%Sysmon%'
  AND (
    (
      QIDNAME(qid) = 'Process Create'
      AND (
        (
          LOWER("Image") LIKE '%esentutl.exe%'
          AND (LOWER("CommandLine") LIKE '%ntds%' OR LOWER("CommandLine") LIKE '%.dit%'
               OR LOWER("CommandLine") LIKE '%login data%' OR LOWER("CommandLine") LIKE '%cookies%'
               OR LOWER("CommandLine") LIKE '%/y %' OR LOWER("CommandLine") LIKE '%/vss%')
        )
        OR (
          (LOWER("Image") LIKE '%cmd.exe%' OR LOWER("Image") LIKE '%powershell.exe%'
           OR LOWER("Image") LIKE '%pwsh.exe%' OR LOWER("Image") LIKE '%wscript.exe%'
           OR LOWER("Image") LIKE '%cscript.exe%' OR LOWER("Image") LIKE '%mshta.exe%')
          AND (LOWER("CommandLine") LIKE '%.ssh%' OR LOWER("CommandLine") LIKE '%id_rsa%'
               OR LOWER("CommandLine") LIKE '%id_ed25519%'
               OR LOWER("CommandLine") LIKE '%credentials\%' OR LOWER("CommandLine") LIKE '%\protect\%'
               OR LOWER("CommandLine") LIKE '%login data%' OR LOWER("CommandLine") LIKE '%ntds.dit%'
               OR LOWER("CommandLine") LIKE '%.kdbx%' OR LOWER("CommandLine") LIKE '%filezilla%'
               OR LOWER("CommandLine") LIKE '%winscp.ini%' OR LOWER("CommandLine") LIKE '%.pst%'
               OR LOWER("CommandLine") LIKE '%.ost%')
        )
        OR (
          (LOWER("Image") LIKE '%powershell.exe%' OR LOWER("Image") LIKE '%pwsh.exe%')
          AND (LOWER("CommandLine") LIKE '%get-childitem%recurse%'
               OR LOWER("CommandLine") LIKE '%gci%recurse%'
               OR LOWER("CommandLine") LIKE '%gci%-r %'
               OR LOWER("CommandLine") LIKE '%dir /s%'
               OR LOWER("CommandLine") LIKE '%tree /f%'
               OR LOWER("CommandLine") LIKE '%compress-archive%')
          AND (LOWER("CommandLine") LIKE '%.pdf%' OR LOWER("CommandLine") LIKE '%.docx%'
               OR LOWER("CommandLine") LIKE '%.xlsx%' OR LOWER("CommandLine") LIKE '%.pptx%'
               OR LOWER("CommandLine") LIKE '%.pfx%' OR LOWER("CommandLine") LIKE '%.pem%'
               OR LOWER("CommandLine") LIKE '%.key%' OR LOWER("CommandLine") LIKE '%.kdbx%'
               OR LOWER("CommandLine") LIKE '%.pst%')
        )
        OR (
          (LOWER("Image") LIKE '%robocopy.exe%' OR LOWER("Image") LIKE '%xcopy.exe%')
          AND (LOWER("CommandLine") LIKE '%.ssh%' OR LOWER("CommandLine") LIKE '%credential%'
               OR LOWER("CommandLine") LIKE '%protect%' OR LOWER("CommandLine") LIKE '%\sam%'
               OR LOWER("CommandLine") LIKE '%ntds%' OR LOWER("CommandLine") LIKE '%.kdbx%'
               OR LOWER("CommandLine") LIKE '%filezilla%')
        )
      )
      AND NOT (
        (LOWER("ParentImage") LIKE '%msmpeng.exe%'
         OR LOWER("ParentImage") LIKE '%svchost.exe%'
         OR LOWER("ParentImage") LIKE '%services.exe%')
        AND (LOWER("User") LIKE '%system%' OR LOWER("User") LIKE '%local service%'
             OR LOWER("User") LIKE '%network service%')
      )
    )
    OR (
      QIDNAME(qid) IN ('File Created', 'File Delete Archived')
      AND (
        LOWER("TargetFilename") LIKE '%\microsoft\credentials\%'
        OR LOWER("TargetFilename") LIKE '%\microsoft\protect\%'
        OR (LOWER("TargetFilename") LIKE '%.ssh%'
            AND (LOWER("TargetFilename") LIKE '%id_rsa%'
                 OR LOWER("TargetFilename") LIKE '%id_ed25519%'
                 OR LOWER("TargetFilename") LIKE '%id_ecdsa%'))
        OR (LOWER("TargetFilename") LIKE '%google\chrome%'
            AND LOWER("TargetFilename") LIKE '%login data%')
        OR (LOWER("TargetFilename") LIKE '%microsoft\edge%'
            AND LOWER("TargetFilename") LIKE '%login data%')
        OR (LOWER("TargetFilename") LIKE '%mozilla\firefox%'
            AND (LOWER("TargetFilename") LIKE '%logins.json%'
                 OR LOWER("TargetFilename") LIKE '%key4.db%'
                 OR LOWER("TargetFilename") LIKE '%cert9.db%'))
        OR (LOWER("TargetFilename") LIKE '%system32\config%'
            AND (LOWER("TargetFilename") LIKE '%\sam%'
                 OR LOWER("TargetFilename") LIKE '%\system%'
                 OR LOWER("TargetFilename") LIKE '%\security%'))
        OR LOWER("TargetFilename") LIKE '%ntds.dit%'
        OR LOWER("TargetFilename") LIKE '%.kdbx%'
        OR LOWER("TargetFilename") LIKE '%filezilla%recentservers.xml%'
        OR LOWER("TargetFilename") LIKE '%winscp.ini%'
      )
      AND NOT (
        LOWER("Image") LIKE '%svchost.exe%'
        OR LOWER("Image") LIKE '%msmpeng.exe%'
        OR LOWER("Image") LIKE '%searchindexer.exe%'
        OR LOWER("Image") LIKE '%onedrive.exe%'
        OR LOWER("Image") LIKE '%msedge.exe%'
        OR LOWER("Image") LIKE '%chrome.exe%'
        OR LOWER("Image") LIKE '%firefox.exe%'
      )
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

IBM QRadar SIEM Sysmon (Microsoft-Windows-Sysmon/Operational) ingested as QRadar log source Windows Event Log via QRadar WinCollect or syslog forwarding

Required Tables

events (QRadar normalized event store) Sysmon log source with custom property extraction for Image, CommandLine, TargetFilename, ParentImage, ParentCommandLine, User fields

False Positives

Enterprise backup agents (Veeam, Commvault, Windows Server Backup) running as SYSTEM or dedicated service accounts legitimately access registry hives, NTDS.dit via VSS snapshots, and credential directories — correlate username with known backup service accounts and scheduled maintenance windows
Password manager auto-save or synchronization processes (KeePass auto-save, Bitwarden desktop) generate .kdbx file creation events on user interaction; filter by known password manager parent process names if custom properties allow
IT helpdesk or domain admin scripts for credential rotation, SSH key deployment, or profile migration produce matching PowerShell cmdlines — validate against change management records and privileged account inventory

Sumo Logic CSE

sql

(_sourceCategory=*windows*sysmon* OR _sourceCategory=*sysmon* OR _sourceCategory=*winlogbeat*)
| where !(isEmpty(%"event_id") AND isEmpty(EventCode))
| if (!isEmpty(%"event_id"), %"event_id", EventCode) as event_code
| where event_code in ("1", "11", "23")
| parse regex "<Data Name=\"Image\">(?<process_image>[^<]+)" nodrop
| parse regex "<Data Name=\"CommandLine\">(?<cmdline>[^<]+)" nodrop
| parse regex "<Data Name=\"TargetFilename\">(?<target_file>[^<]+)" nodrop
| parse regex "<Data Name=\"User\">(?<event_user>[^<]+)" nodrop
| parse regex "<Data Name=\"ParentImage\">(?<parent_image>[^<]+)" nodrop
| parse regex "<Data Name=\"Computer\">(?<src_host>[^<]+)" nodrop
| if (isEmpty(process_image), %"process.executable", process_image) as process_image
| if (isEmpty(cmdline), %"process.command_line", cmdline) as cmdline
| if (isEmpty(target_file), %"file.path", target_file) as target_file
| toLowercase(process_image) as img_lower
| toLowercase(cmdline) as cmd_lower
| toLowercase(target_file) as tgt_lower
| if (matches(img_lower, "*esentutl.exe*")
    AND (matches(cmd_lower, "*ntds*") OR matches(cmd_lower, "*.dit*")
         OR matches(cmd_lower, "*login data*") OR matches(cmd_lower, "*cookies*")
         OR matches(cmd_lower, "*/y *") OR matches(cmd_lower, "*/vss*")), 1, 0) as is_esentutl
| if ((matches(img_lower, "*cmd.exe*") OR matches(img_lower, "*powershell.exe*")
       OR matches(img_lower, "*pwsh.exe*") OR matches(img_lower, "*wscript.exe*")
       OR matches(img_lower, "*cscript.exe*") OR matches(img_lower, "*mshta.exe*"))
    AND (matches(cmd_lower, "*.ssh*") OR matches(cmd_lower, "*id_rsa*")
         OR matches(cmd_lower, "*id_ed25519*") OR matches(cmd_lower, "*credentials*")
         OR matches(cmd_lower, "*protect*") OR matches(cmd_lower, "*login data*")
         OR matches(cmd_lower, "*ntds.dit*") OR matches(cmd_lower, "*.kdbx*")
         OR matches(cmd_lower, "*filezilla*") OR matches(cmd_lower, "*recentservers*")
         OR matches(cmd_lower, "*winscp.ini*") OR matches(cmd_lower, "*.pst*")
         OR matches(cmd_lower, "*.ost*")), 1, 0) as is_sensitive_path_cli
| if ((matches(img_lower, "*powershell.exe*") OR matches(img_lower, "*pwsh.exe*"))
    AND (matches(cmd_lower, "*get-childitem*recurse*") OR matches(cmd_lower, "*gci*recurse*")
         OR matches(cmd_lower, "*gci*-r *") OR matches(cmd_lower, "*dir /s*")
         OR matches(cmd_lower, "*tree /f*") OR matches(cmd_lower, "*compress-archive*"))
    AND (matches(cmd_lower, "*.pdf*") OR matches(cmd_lower, "*.docx*")
         OR matches(cmd_lower, "*.xlsx*") OR matches(cmd_lower, "*.pptx*")
         OR matches(cmd_lower, "*.pfx*") OR matches(cmd_lower, "*.pem*")
         OR matches(cmd_lower, "*.key*") OR matches(cmd_lower, "*.kdbx*")
         OR matches(cmd_lower, "*.pst*")), 1, 0) as is_bulk_enum
| if ((matches(img_lower, "*robocopy.exe*") OR matches(img_lower, "*xcopy.exe*"))
    AND (matches(cmd_lower, "*.ssh*") OR matches(cmd_lower, "*credential*")
         OR matches(cmd_lower, "*protect*") OR matches(cmd_lower, "*\sam*")
         OR matches(cmd_lower, "*ntds*") OR matches(cmd_lower, "*.kdbx*")
         OR matches(cmd_lower, "*filezilla*")), 1, 0) as is_bulk_copy
| if ((event_code in ("11","23"))
    AND (matches(tgt_lower, "*microsoft\credentials*")
         OR matches(tgt_lower, "*microsoft\protect*")
         OR (matches(tgt_lower, "*.ssh*")
             AND (matches(tgt_lower, "*id_rsa*") OR matches(tgt_lower, "*id_ed25519*") OR matches(tgt_lower, "*id_ecdsa*")))
         OR matches(tgt_lower, "*google\chrome*login data*")
         OR matches(tgt_lower, "*microsoft\edge*login data*")
         OR matches(tgt_lower, "*firefox*logins.json*")
         OR matches(tgt_lower, "*firefox*key4.db*")
         OR matches(tgt_lower, "*system32\config\sam*")
         OR matches(tgt_lower, "*system32\config\system*")
         OR matches(tgt_lower, "*system32\config\security*")
         OR matches(tgt_lower, "*ntds.dit*")
         OR matches(tgt_lower, "*.kdbx*")
         OR matches(tgt_lower, "*filezilla*recentservers.xml*")
         OR matches(tgt_lower, "*winscp.ini*")), 1, 0) as is_sensitive_file
| (is_esentutl + is_sensitive_path_cli + is_bulk_enum + is_bulk_copy + is_sensitive_file) as suspicion_score
| where suspicion_score > 0
| if (is_esentutl = 1, "ESE Database Extraction (esentutl)",
    if (is_bulk_enum = 1, "PowerShell Recursive Bulk Enumeration",
    if (is_sensitive_file = 1, "Sensitive Credential/Data File Access or Staging",
    if (is_sensitive_path_cli = 1, "CLI Access to Sensitive Credential Path",
    if (is_bulk_copy = 1, "Bulk Copy Tool Targeting Sensitive Paths", "Unknown"))))) as signal_reason
| if (event_code = "1", "ProcessCreate",
    if (event_code = "11", "FileCreate",
    if (event_code = "23", "FileDeleteArchived", "Other"))) as event_type
| fields _messagetime, src_host, event_user, process_image, cmdline, target_file, parent_image, event_type, signal_reason, suspicion_score
| sort by _messagetime desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector with Windows Event Log source (Sysmon channel: Microsoft-Windows-Sysmon/Operational) Sumo Logic Cloud SIEM with Windows Sysmon normalization Winlogbeat forwarding Sysmon events to Sumo Logic HTTP source

Required Tables

_sourceCategory matching *windows*sysmon*, *sysmon*, or *winlogbeat* Sysmon EventCode/event_id fields 1, 11, 23 present in source

False Positives

Scheduled backup jobs from enterprise backup agents (Veeam, Acronis, Windows Server Backup) running under SYSTEM or dedicated backup service accounts legitimately read NTDS.dit via VSS, registry hives, and user credential directories — baseline suspicion_score events against backup maintenance windows
Developer workstations with SSH key generation tooling or Git clients performing authorized key operations produce .ssh path and id_rsa filename matches — correlate with developer machine asset group and expected Git activity
Security operations scripts for credential auditing (e.g., AD password health checks, automated CyberArk onboarding) often use PowerShell recursion combined with sensitive path keywords — validate against authorized pentest or SOC tooling inventory

Google Chronicle / SecOps

yaral

rule t1005_data_local_system_process_collection {
  meta:
    author = "Detection Engineering"
    description = "Detects T1005 - Data from Local System: process-based collection via esentutl, shell/script interpreter sensitive path access, PowerShell recursive enumeration, and bulk copy tools"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1005"
    mitre_attack_technique_id = "T1005"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.1"
    platform = "Windows"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    (
      (
        re.regex($e.target.process.file.full_path, `(?i)esentutl\.exe$`)
        and re.regex($e.target.process.command_line,
          `(?i)(ntds|\.dit|login[ _]?data|cookies|web[ _]?data|/y\s|/vss)`)
      )
      or (
        re.regex($e.target.process.file.full_path,
          `(?i)(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$`)
        and re.regex($e.target.process.command_line,
          `(?i)(\.ssh[/\\]|id_rsa|id_ed25519|id_ecdsa|microsoft.credentials|microsoft.protect|login[ _]?data|ntds\.dit|\.kdbx|filezilla|recentservers|winscp\.ini|\.pst|\.ost)`)
      )
      or (
        re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`)
        and re.regex($e.target.process.command_line,
          `(?i)(get-childitem.*-recurse|gci.*-recurse|gci.*-r\s|dir\s/s|tree\s/f|compress-archive)`)
        and re.regex($e.target.process.command_line,
          `(?i)(\.pdf|\.docx|\.xlsx|\.pptx|\.doc|\.xls|\.csv|\.pfx|\.p12|\.pem|\.key|\.kdbx|\.pst|\.ost|\.wallet)`)
      )
      or (
        re.regex($e.target.process.file.full_path, `(?i)(robocopy|xcopy)\.exe$`)
        and re.regex($e.target.process.command_line,
          `(?i)(\.ssh|credential|protect|\\\\sam|ntds|\.kdbx|filezilla|appdata)`)
      )
      or (
        re.regex($e.target.process.file.full_path, `(?i)(where|findstr|find)\.exe$`)
        and re.regex($e.target.process.command_line,
          `(?i)(\.pdf|\.docx|\.xlsx|\.pfx|\.pem|\.key|\.kdbx|\.pst|\.ost|\.rdp|\.wallet)`)
      )
    )
    not re.regex($e.principal.process.file.full_path,
      `(?i)(MsMpEng|svchost|services|BackupAgent|OneDriveSetup)\.exe$`)

  condition:
    $e
}

rule t1005_data_local_system_file_access {
  meta:
    author = "Detection Engineering"
    description = "Detects T1005 - Data from Local System: direct file access to high-value credential stores, SSH keys, browser DBs, registry hives, NTDS.dit, KeePass vaults, and FTP credentials"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1005"
    mitre_attack_technique_id = "T1005"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.1"
    platform = "Windows"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    $e.principal.hostname = $hostname
    (
      re.regex($e.target.file.full_path,
        `(?i)(\\AppData\\(Local|Roaming)\\Microsoft\\(Credentials|Protect)\\)`)
      or (
        re.regex($e.target.file.full_path, `(?i)\.ssh[/\\]`)
        and re.regex($e.target.file.full_path, `(?i)(id_rsa|id_ed25519|id_ecdsa)$`)
      )
      or (
        re.regex($e.target.file.full_path, `(?i)(Google\\Chrome|Microsoft\\Edge)`)
        and re.regex($e.target.file.full_path, `(?i)Login Data$`)
      )
      or (
        re.regex($e.target.file.full_path, `(?i)Mozilla\\Firefox\\Profiles`)
        and re.regex($e.target.file.full_path, `(?i)(logins\.json|key4\.db|cert9\.db)$`)
      )
      or (
        re.regex($e.target.file.full_path, `(?i)\\Windows\\System32\\config\\`)
        and re.regex($e.target.file.full_path, `(?i)(SAM|SYSTEM|SECURITY|DEFAULT)$`)
      )
      or re.regex($e.target.file.full_path, `(?i)NTDS\\ntds\.dit$`)
      or re.regex($e.target.file.full_path, `(?i)\.kdbx$`)
      or (
        re.regex($e.target.file.full_path, `(?i)FileZilla`)
        and re.regex($e.target.file.full_path, `(?i)(recentservers\.xml|sitemanager\.xml)$`)
      )
      or re.regex($e.target.file.full_path, `(?i)WinSCP\.ini$`)
    )
    not re.regex($e.principal.process.file.full_path,
      `(?i)(svchost|MsMpEng|SearchIndexer|OneDrive|msedge|chrome|firefox)\.exe$`)

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM with UDM normalization Windows endpoint telemetry ingested via Chronicle forwarder or third-party EDR UDM mappings Sysmon or Microsoft Defender for Endpoint data normalized to UDM PROCESS_LAUNCH and FILE_CREATION event types

Required Tables

UDM PROCESS_LAUNCH events with target.process.file.full_path and target.process.command_line populated UDM FILE_CREATION events with target.file.full_path populated principal.process.file.full_path available for parent process exclusion filtering

False Positives

Enterprise backup solutions using VSS snapshots to access NTDS.dit and registry hives will trigger the file access rule; these typically run as SYSTEM from backup agent executables not covered by the exclusion list — add backup agent process names to the not() clause
Developers generating or rotating SSH keys via ssh-keygen on developer workstations produce FILE_CREATION events for id_rsa/id_ed25519 paths — can be scoped by asset group tags if Chronicle has asset context enrichment configured
Security team red team exercises and authorized penetration testing engagements using esentutl for credential database extraction will produce high-fidelity matches — maintain a pentest engagement exclusion list keyed on source IP or host asset tag

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2
| ImageFileName = /(?i)(esentutl|cmd|powershell|pwsh|wscript|cscript|mshta|robocopy|xcopy|where|findstr|find)\.exe$/
| CommandLine = /(?i)(ntds|\.dit|login[\s_]?data|cookies|web[\s_]?data|id_rsa|id_ed25519|id_ecdsa|\.ssh[\/\\]|microsoft.credentials|microsoft.protect|\.kdbx|filezilla|recentservers|winscp\.ini|\.pst|\.ost|dir\s\/s|get-childitem.*recurse|gci.*recurse|compress-archive|\.pdf|\.docx|\.xlsx|\.pptx|\.pfx|\.pem|\.key)/
| NOT ParentBaseFileName = /(?i)(MsMpEng|svchost|services|BackupAgent|OneDriveSetup)\.exe$/
| case {
    ImageFileName = /(?i)esentutl\.exe$/ AND CommandLine = /(?i)(ntds|\.dit|login.data|cookies|\/vss)/ |
      SignalReason := "ESE Database Extraction (esentutl)" ;
    ImageFileName = /(?i)(powershell|pwsh)\.exe$/ AND CommandLine = /(?i)(get-childitem.*recurse|gci.*recurse|gci.*-r\s|dir\s\/s|tree\s\/f|compress-archive)/ AND CommandLine = /(?i)(\.pdf|\.docx|\.xlsx|\.pptx|\.pfx|\.pem|\.key|\.kdbx|\.pst)/ |
      SignalReason := "PowerShell Recursive File Enumeration for Sensitive Extensions" ;
    ImageFileName = /(?i)(robocopy|xcopy)\.exe$/ AND CommandLine = /(?i)(\.ssh|credential|protect|ntds|\.kdbx|filezilla)/ |
      SignalReason := "Bulk Copy Tool Targeting Sensitive Paths" ;
    ImageFileName = /(?i)(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$/ AND CommandLine = /(?i)(\.ssh|id_rsa|credentials|protect|login.data|ntds\.dit|\.kdbx|filezilla|\.pst|\.ost)/ |
      SignalReason := "CLI Access to Sensitive Credential Path" ;
    ImageFileName = /(?i)(where|findstr|find)\.exe$/ |
      SignalReason := "Search Utility Locating Sensitive File Extensions" ;
    * | SignalReason := "T1005 Process Indicator"
  }
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, SignalReason], limit=2000)
| sort(field=@timestamp, order=desc)

// Supplemental query: File access via Falcon WriteFile/ReadFile events
// Run separately to detect direct credential store file access
#event_simpleName = /^(WriteFile|PeFileWritten|SuspiciousFileWritten)$/
| TargetFileName = /(?i)(\\Microsoft\\Credentials\\|\\Microsoft\\Protect\\|\.ssh[\/\\](id_rsa|id_ed25519|id_ecdsa)|Google\\Chrome.*Login Data|Microsoft\\Edge.*Login Data|Mozilla\\Firefox.*logins\.json|Mozilla\\Firefox.*key4\.db|System32\\config\\(SAM|SYSTEM|SECURITY)|NTDS\\ntds\.dit|\.kdbx$|FileZilla.*recentservers\.xml|WinSCP\.ini)/
| NOT ImageFileName = /(?i)(svchost|MsMpEng|SearchIndexer|OneDrive|msedge|chrome|firefox)\.exe$/
| case {
    TargetFileName = /(?i)(\\Credentials\\|\\Protect\\)/ |
      SignalReason := "Windows DPAPI Credential Store File Access" ;
    TargetFileName = /(?i)\.ssh[\/\\](id_rsa|id_ed25519|id_ecdsa)/ |
      SignalReason := "SSH Private Key File Access" ;
    TargetFileName = /(?i)(Chrome|Edge).*Login Data/ |
      SignalReason := "Browser Credential Database Access" ;
    TargetFileName = /(?i)Firefox.*(logins\.json|key4\.db)/ |
      SignalReason := "Firefox Credential Store Access" ;
    TargetFileName = /(?i)System32\\config\\(SAM|SYSTEM|SECURITY)/ |
      SignalReason := "Windows Registry Hive File Access" ;
    TargetFileName = /(?i)(NTDS\\ntds\.dit|\.kdbx$)/ |
      SignalReason := "AD Database or KeePass Vault Access" ;
    * | SignalReason := "Sensitive Credential File Access"
  }
| table([ComputerName, UserName, ImageFileName, TargetFileName, SignalReason], limit=2000)
| sort(field=@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (sensor version 6.x+) CrowdStrike LogScale (formerly Humio) with Falcon event data Falcon ProcessRollup2, WriteFile, PeFileWritten, SuspiciousFileWritten event streams

Required Tables

ProcessRollup2 events (ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, UserName, ComputerName) WriteFile / PeFileWritten / SuspiciousFileWritten events (TargetFileName, ImageFileName, UserName, ComputerName)

False Positives

CrowdStrike Falcon sensor itself (CSFalconService, CSFalconContainer) may access credential and registry paths during telemetry collection — the sensor process is typically excluded by EDR policy but may surface if exclusion lists are not maintained
Enterprise software deployment tools (SCCM, Intune Management Extension, Chef/Puppet agents) executing PowerShell scripts for software inventory or compliance checks may match the bulk enumeration pattern — correlate with software deployment schedules and management agent parent process names
Developer CI/CD pipeline agents running on Windows build servers executing PowerShell scripts that traverse source trees containing key material (e.g., embedded test certificates, .pem fixtures) will match the recursive enumeration with sensitive extension branch — filter by build server hostname asset tag or pipeline service account

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Data from Local System

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Collection

Popular Detections