T1005 Google Chronicle · YARA-L

Detect Data from Local System in Google Chronicle

Adversaries may search local system sources, such as file systems, configuration files, local databases, and process memory, to find files of interest and sensitive data prior to Exfiltration. Adversaries commonly target credential stores (Windows DPAPI, browser databases, SSH keys), corporate documents (Office files, PDFs), and system databases (Active Directory NTDS.dit, SAM hive) using command interpreters, native OS utilities like esentutl.exe and robocopy.exe, or custom malware. Observed threat actors include Kimsuky (document theft), HAFNIUM (data collection post-exploitation), LAPSUS$ (credential and file theft for extortion), and malware families such as QakBot (esentutl for browser credential extraction) and BADNEWS (recursive crawl for Office/PDF files).

MITRE ATT&CK

Tactic: Collection
Technique: T1005 Data from Local System
Canonical reference: https://attack.mitre.org/techniques/T1005/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1005_data_local_system_process_collection {
  meta:
    author = "Detection Engineering"
    description = "Detects T1005 - Data from Local System: process-based collection via esentutl, shell/script interpreter sensitive path access, PowerShell recursive enumeration, and bulk copy tools"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1005"
    mitre_attack_technique_id = "T1005"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.1"
    platform = "Windows"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    (
      (
        re.regex($e.target.process.file.full_path, `(?i)esentutl\.exe$`)
        and re.regex($e.target.process.command_line,
          `(?i)(ntds|\.dit|login[ _]?data|cookies|web[ _]?data|/y\s|/vss)`)
      )
      or (
        re.regex($e.target.process.file.full_path,
          `(?i)(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$`)
        and re.regex($e.target.process.command_line,
          `(?i)(\.ssh[/\\]|id_rsa|id_ed25519|id_ecdsa|microsoft.credentials|microsoft.protect|login[ _]?data|ntds\.dit|\.kdbx|filezilla|recentservers|winscp\.ini|\.pst|\.ost)`)
      )
      or (
        re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`)
        and re.regex($e.target.process.command_line,
          `(?i)(get-childitem.*-recurse|gci.*-recurse|gci.*-r\s|dir\s/s|tree\s/f|compress-archive)`)
        and re.regex($e.target.process.command_line,
          `(?i)(\.pdf|\.docx|\.xlsx|\.pptx|\.doc|\.xls|\.csv|\.pfx|\.p12|\.pem|\.key|\.kdbx|\.pst|\.ost|\.wallet)`)
      )
      or (
        re.regex($e.target.process.file.full_path, `(?i)(robocopy|xcopy)\.exe$`)
        and re.regex($e.target.process.command_line,
          `(?i)(\.ssh|credential|protect|\\\\sam|ntds|\.kdbx|filezilla|appdata)`)
      )
      or (
        re.regex($e.target.process.file.full_path, `(?i)(where|findstr|find)\.exe$`)
        and re.regex($e.target.process.command_line,
          `(?i)(\.pdf|\.docx|\.xlsx|\.pfx|\.pem|\.key|\.kdbx|\.pst|\.ost|\.rdp|\.wallet)`)
      )
    )
    not re.regex($e.principal.process.file.full_path,
      `(?i)(MsMpEng|svchost|services|BackupAgent|OneDriveSetup)\.exe$`)

  condition:
    $e
}

rule t1005_data_local_system_file_access {
  meta:
    author = "Detection Engineering"
    description = "Detects T1005 - Data from Local System: direct file access to high-value credential stores, SSH keys, browser DBs, registry hives, NTDS.dit, KeePass vaults, and FTP credentials"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1005"
    mitre_attack_technique_id = "T1005"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.1"
    platform = "Windows"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    $e.principal.hostname = $hostname
    (
      re.regex($e.target.file.full_path,
        `(?i)(\\AppData\\(Local|Roaming)\\Microsoft\\(Credentials|Protect)\\)`)
      or (
        re.regex($e.target.file.full_path, `(?i)\.ssh[/\\]`)
        and re.regex($e.target.file.full_path, `(?i)(id_rsa|id_ed25519|id_ecdsa)$`)
      )
      or (
        re.regex($e.target.file.full_path, `(?i)(Google\\Chrome|Microsoft\\Edge)`)
        and re.regex($e.target.file.full_path, `(?i)Login Data$`)
      )
      or (
        re.regex($e.target.file.full_path, `(?i)Mozilla\\Firefox\\Profiles`)
        and re.regex($e.target.file.full_path, `(?i)(logins\.json|key4\.db|cert9\.db)$`)
      )
      or (
        re.regex($e.target.file.full_path, `(?i)\\Windows\\System32\\config\\`)
        and re.regex($e.target.file.full_path, `(?i)(SAM|SYSTEM|SECURITY|DEFAULT)$`)
      )
      or re.regex($e.target.file.full_path, `(?i)NTDS\\ntds\.dit$`)
      or re.regex($e.target.file.full_path, `(?i)\.kdbx$`)
      or (
        re.regex($e.target.file.full_path, `(?i)FileZilla`)
        and re.regex($e.target.file.full_path, `(?i)(recentservers\.xml|sitemanager\.xml)$`)
      )
      or re.regex($e.target.file.full_path, `(?i)WinSCP\.ini$`)
    )
    not re.regex($e.principal.process.file.full_path,
      `(?i)(svchost|MsMpEng|SearchIndexer|OneDrive|msedge|chrome|firefox)\.exe$`)

  condition:
    $e
}

Two Chronicle YARA-L 2.0 rules targeting UDM-normalized events. Rule 1 (process collection) matches PROCESS_LAUNCH events for esentutl ESE database extraction, shell/script interpreter access to credential paths, PowerShell recursive document enumeration, robocopy/xcopy bulk copies from sensitive directories, and search utility misuse. Rule 2 (file access) matches FILE_CREATION events whose target path is a Windows DPAPI credential store, an SSH private key, a browser credential database (Chrome/Edge/Firefox), a Windows registry hive file, Active Directory NTDS.dit, a KeePass .kdbx vault, FileZilla saved credentials, or the WinSCP configuration file. Both rules exclude known-good system and browser processes by matching on the principal (parent) process path.

Data Sources

  • Google Chronicle SIEM with UDM normalization
  • Windows endpoint telemetry ingested via Chronicle forwarder or third-party EDR UDM mappings
  • Sysmon or Microsoft Defender for Endpoint data normalized to UDM PROCESS_LAUNCH and FILE_CREATION event types

Required Tables

  • UDM PROCESS_LAUNCH events with target.process.file.full_path and target.process.command_line populated
  • UDM FILE_CREATION events with target.file.full_path populated
  • principal.process.file.full_path available for parent process exclusion filtering

False Positives & Tuning

  • Enterprise backup solutions that use VSS snapshots to read NTDS.dit and the registry hives will trigger the file access rule; they typically run as SYSTEM from backup agent executables that the exclusion list does not cover, so add the backup agent process names to the not() clause.
  • Developers generating or rotating SSH keys with ssh-keygen on their workstations produce FILE_CREATION events for id_rsa/id_ed25519 paths; these can be scoped out by asset group tag if Chronicle asset context enrichment is configured.
  • Red team exercises and authorized penetration testing engagements that use esentutl to extract credential databases will produce high-fidelity matches; maintain a pentest engagement exclusion list keyed on source IP or host asset tag.
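To see what the two rules above actually fire on, and to try the exclusion-list tuning from the False Positives section, here is an added Python emulation of their logic. This is example code written for this page, not Chronicle's rule engine and not the detection author's own tooling. It transcribes each rule's regexes into Python's re module, represents UDM events as nested dicts, and runs constructed PROCESS_LAUNCH and FILE_CREATION samples through both rules. The hostname, user names and the "Acme" backup vendor in the samples are made up, and the extra_exclusions parameter is this example's stand-in for editing the rule's not() clause.

```python
import re

# Regexes transcribed from the two YARA-L rules above; Python's re accepts these RE2 constructs.
# A process branch is (image regex, [command-line regexes that must all match]); a file branch
# is a list of regexes that must all match the target path. Branches are OR'ed, as in the rules.
PROCESS_BRANCHES = [
    (r"(?i)esentutl\.exe$",
     [r"(?i)(ntds|\.dit|login[ _]?data|cookies|web[ _]?data|/y\s|/vss)"]),
    (r"(?i)(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$",
     [r"(?i)(\.ssh[/\\]|id_rsa|id_ed25519|id_ecdsa|microsoft.credentials|microsoft.protect"
      r"|login[ _]?data|ntds\.dit|\.kdbx|filezilla|recentservers|winscp\.ini|\.pst|\.ost)"]),
    (r"(?i)(powershell|pwsh)\.exe$",
     [r"(?i)(get-childitem.*-recurse|gci.*-recurse|gci.*-r\s|dir\s/s|tree\s/f|compress-archive)",
      r"(?i)(\.pdf|\.docx|\.xlsx|\.pptx|\.doc|\.xls|\.csv|\.pfx|\.p12|\.pem|\.key|\.kdbx|\.pst|\.ost|\.wallet)"]),
    (r"(?i)(robocopy|xcopy)\.exe$",
     [r"(?i)(\.ssh|credential|protect|\\\\sam|ntds|\.kdbx|filezilla|appdata)"]),
    (r"(?i)(where|findstr|find)\.exe$",
     [r"(?i)(\.pdf|\.docx|\.xlsx|\.pfx|\.pem|\.key|\.kdbx|\.pst|\.ost|\.rdp|\.wallet)"]),
]
PROCESS_EXCLUDED_PARENTS = ("MsMpEng", "svchost", "services", "BackupAgent", "OneDriveSetup")
FILE_BRANCHES = [
    [r"(?i)(\\AppData\\(Local|Roaming)\\Microsoft\\(Credentials|Protect)\\)"],
    [r"(?i)\.ssh[/\\]", r"(?i)(id_rsa|id_ed25519|id_ecdsa)$"],
    [r"(?i)(Google\\Chrome|Microsoft\\Edge)", r"(?i)Login Data$"],
    [r"(?i)Mozilla\\Firefox\\Profiles", r"(?i)(logins\.json|key4\.db|cert9\.db)$"],
    [r"(?i)\\Windows\\System32\\config\\", r"(?i)(SAM|SYSTEM|SECURITY|DEFAULT)$"],
    [r"(?i)NTDS\\ntds\.dit$"],
    [r"(?i)\.kdbx$"],
    [r"(?i)FileZilla", r"(?i)(recentservers\.xml|sitemanager\.xml)$"],
    [r"(?i)WinSCP\.ini$"],
]
FILE_EXCLUDED_PARENTS = ("svchost", "MsMpEng", "SearchIndexer", "OneDrive", "msedge", "chrome", "firefox")

def field(event, path):
    # Walk a dotted UDM path such as target.process.file.full_path; '' if absent.
    node = event
    for key in path.split("."):
        node = node.get(key, "") if isinstance(node, dict) else ""
    return node if isinstance(node, str) else ""

def parent_excluded(event, names):
    # The rule's not re.regex(principal.process.file.full_path, ...) clause, built from bare names.
    pattern = "(?i)(" + "|".join(re.escape(n) for n in names) + r")\.exe$"
    return re.search(pattern, field(event, "principal.process.file.full_path")) is not None

def rule_process_collection(event, extra_exclusions=()):
    # t1005_data_local_system_process_collection. extra_exclusions (assumed here, not YARA-L)
    # models adding backup-agent names to the not() clause as the tuning notes suggest.
    if field(event, "metadata.event_type") != "PROCESS_LAUNCH":
        return False
    image = field(event, "target.process.file.full_path")
    cmd = field(event, "target.process.command_line")
    hit = any(re.search(img, image) and all(re.search(p, cmd) for p in cmds)
              for img, cmds in PROCESS_BRANCHES)
    return hit and not parent_excluded(event, PROCESS_EXCLUDED_PARENTS + tuple(extra_exclusions))

def rule_file_access(event, extra_exclusions=()):
    # t1005_data_local_system_file_access.
    if field(event, "metadata.event_type") != "FILE_CREATION":
        return False
    path = field(event, "target.file.full_path")
    hit = any(all(re.search(p, path) for p in pats) for pats in FILE_BRANCHES)
    return hit and not parent_excluded(event, FILE_EXCLUDED_PARENTS + tuple(extra_exclusions))

# Constructed UDM-shaped events; the hostname, user names and the "Acme" backup vendor are made up.
def process_launch(image, command_line, parent):
    return {"metadata": {"event_type": "PROCESS_LAUNCH"},
            "principal": {"hostname": "WS-001", "process": {"file": {"full_path": parent}}},
            "target": {"process": {"file": {"full_path": image}, "command_line": command_line}}}
def file_creation(path, parent):
    return {"metadata": {"event_type": "FILE_CREATION"},
            "principal": {"hostname": "WS-001", "process": {"file": {"full_path": parent}}},
            "target": {"file": {"full_path": path}}}

SAMPLE_EVENTS = {
    "esentutl_chrome_logindata": process_launch(
        r"C:\Windows\System32\esentutl.exe",
        r'esentutl.exe /y "C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d C:\Temp\out.db /o',
        r"C:\Windows\System32\cmd.exe"),
    "ps_recursive_docs": process_launch(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r'powershell.exe -Command "Get-ChildItem C:\Users -Recurse -Include *.docx,*.pdf | Export-Csv C:\Temp\list.csv"',
        r"C:\Windows\explorer.exe"),
    "ps_recursive_logs_only": process_launch(  # recursion without document extensions: no match
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -NoProfile Get-ChildItem C:\Logs -Recurse | Measure-Object",
        r"C:\Windows\explorer.exe"),
    "esentutl_from_acme_backup": process_launch(  # backup agent not on the default exclusion list
        r"C:\Windows\System32\esentutl.exe",
        r"esentutl.exe /vss /y C:\Windows\NTDS\ntds.dit /d C:\Backup\ntds.dit",
        r"C:\Program Files\Acme\AcmeBackupSvc.exe"),
    "sshkeygen_new_key": file_creation(r"C:\Users\dev\.ssh\id_ed25519",
                                       r"C:\Windows\System32\OpenSSH\ssh-keygen.exe"),
    "chrome_writes_logindata": file_creation(
        r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
        r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(name, "process_rule:", rule_process_collection(ev), "file_rule:", rule_file_access(ev))
```

Running the block prints the verdict of each rule for every sample. The PowerShell launch that recurses without any document extension is not flagged, because the third process branch ANDs the enumeration regex with the extension regex. Chrome writing its own Login Data file is suppressed by the parent-process exclusion, whereas ssh-keygen creating id_ed25519 is not, which is the developer-workstation false positive noted above. The esentutl launch from the fictional AcmeBackupSvc.exe fires under the rule as written and stops firing once that name is passed as an extra exclusion, which is exactly the not() clause change the tuning notes describe.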

Testing Methodology

Validate this detection against the 4 Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Recursive Document Collection via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ChildItem', '-Recurse', and file extension patterns. Sysmon Event ID 11: FileCreate for df00tech-filelist.csv in %TEMP%. PowerShell ScriptBlock Log Event ID 4104 showing the full collection script. File access events (if SACL auditing enabled, Security Event ID 4663) for each document accessed during enumeration.

  2. Test 2: Browser Credential Database Extraction via esentutl

    Expected signal: Sysmon Event ID 1: Process Create for esentutl.exe with CommandLine containing '/y', 'Login Data', '/d', and '/o' flags. Sysmon Event ID 11: FileCreate for df00tech-logindata.db in %TEMP%. Security Event ID 4688 (if command line auditing enabled) capturing the full esentutl command. File access event on the Chrome Login Data file path.

  3. Test 3: SSH Private Key Collection

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing '.ssh' and 'copy' and 'id_rsa'. Sysmon Event ID 11: FileCreate for both the test key file in .ssh and the copied file in %TEMP%. DeviceFileEvents (MDE): FileCreated action on .ssh directory path with id_rsa in filename, initiating process cmd.exe. Security Event ID 4663 on the .ssh directory if SACL auditing is enabled.

  4. Test 4: Windows DPAPI Credential Store Enumeration

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'dir /s /b' and 'Microsoft\Credentials'. Security Event ID 4688 (if command line auditing enabled). If SACL auditing is configured on the Credentials directory, Security Event ID 4663 for directory access. DeviceProcessEvents (MDE) will capture the command with full path context.
