Detect Data from Local System in Elastic Security
Adversaries may search local system sources, such as file systems, configuration files, local databases, and process memory to find files of interest and sensitive data prior to Exfiltration. Adversaries commonly target credential stores (Windows DPAPI, browser databases, SSH keys), corporate documents (Office files, PDFs), and system databases (Active Directory NTDS.dit, SAM hive) using command interpreters, native OS utilities like esentutl.exe and robocopy.exe, or custom malware. Observed threat actors include Kimsuky (document theft), HAFNIUM (data collection post-exploitation), LAPSUS$ (credential and file theft for extortion), and malware families such as QakBot (esentutl for browser credential extraction) and BADNEWS (recursive crawl for Office/PDF files).
MITRE ATT&CK
- Tactic: Collection
- Technique: T1005 Data from Local System
- Canonical reference: https://attack.mitre.org/techniques/T1005/
Elastic Detection Query
    any where
    (
      (
        event.category == "process" and event.type == "start"
        and (
          (
            process.name like~ "esentutl.exe"
            and process.command_line like~ ("*ntds*", "*.dit*", "*login data*", "*cookies*", "*web data*", "*/y *", "*/vss*")
          )
          or (
            process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
            and process.command_line like~ ("*\\.ssh*", "*id_rsa*", "*id_ed25519*", "*microsoft\\credentials*", "*microsoft\\protect*", "*login data*", "*ntds.dit*", "*.kdbx*", "*filezilla*", "*recentservers*", "*winscp.ini*", "*.pst*", "*.ost*")
          )
          or (
            process.name in~ ("powershell.exe", "pwsh.exe")
            and process.command_line like~ ("*get-childitem*-recurse*", "*gci*-recurse*", "*gci*-r *", "*dir /s*", "*tree /f*", "*compress-archive*")
            and process.command_line like~ ("*.pdf*", "*.docx*", "*.xlsx*", "*.pptx*", "*.pfx*", "*.pem*", "*.key*", "*.kdbx*", "*.pst*")
          )
          or (
            process.name in~ ("robocopy.exe", "xcopy.exe")
            and process.command_line like~ ("*\\.ssh*", "*credential*", "*protect*", "*\\sam*", "*ntds*", "*.kdbx*", "*filezilla*")
          )
          or (
            process.name in~ ("where.exe", "findstr.exe", "find.exe")
            and process.command_line like~ ("*.pdf*", "*.docx*", "*.xlsx*", "*.pfx*", "*.pem*", "*.key*", "*.kdbx*", "*.pst*", "*.ost*")
          )
        )
        and not process.parent.name in~ ("MsMpEng.exe", "svchost.exe", "services.exe", "BackupAgent.exe", "OneDriveSetup.exe")
      )
      or
      (
        event.category == "file"
        and event.type in ("creation", "change")
        and (
          file.path like~ "*\\appdata\\local\\microsoft\\credentials*"
          or file.path like~ "*\\appdata\\roaming\\microsoft\\credentials*"
          or file.path like~ "*\\appdata\\roaming\\microsoft\\protect*"
          or (file.path like~ "*\\.ssh*" and file.name in~ ("id_rsa", "id_ed25519", "id_ecdsa", "config"))
          or (file.path like~ "*google\\chrome*" and file.name like~ "login data")
          or (file.path like~ "*microsoft\\edge*" and file.name like~ "login data")
          or (file.path like~ "*mozilla\\firefox\\profiles*" and file.name in~ ("logins.json", "key4.db", "cert9.db"))
          or (file.path like~ "*\\windows\\system32\\config*" and file.name in~ ("sam", "system", "security", "default"))
          or (file.path like~ "*ntds*" and file.name like~ "ntds.dit")
          or file.name like~ "*.kdbx"
          or (file.path like~ "*filezilla*" and file.name in~ ("recentservers.xml", "sitemanager.xml"))
          or (file.path like~ "*winscp*" and file.name like~ "winscp.ini")
        )
        and not process.name in~ ("svchost.exe", "MsMpEng.exe", "SearchIndexer.exe", "OneDrive.exe", "msedge.exe", "chrome.exe", "firefox.exe")
      )
    )

Detects T1005 Data from Local System using two correlated branches: (1) process-based collection via esentutl ESE database extraction, shell/script interpreter access to sensitive credential paths, PowerShell recursive file enumeration targeting sensitive extensions, bulk copy tools (robocopy/xcopy) against credential directories, and search utilities locating document types at scale; (2) file-based direct access to Windows DPAPI credential stores, SSH private keys, browser credential databases (Chrome/Edge Login Data, Firefox logins.json), Windows registry hives (SAM/SYSTEM/SECURITY), Active Directory NTDS.dit, KeePass databases, and FTP/SCP saved credential files (FileZilla, WinSCP). Excludes known-good system processes and AV engines.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise backup solutions (Veeam, Acronis, Windows Server Backup) legitimately read credential stores, registry hives, and document paths during scheduled backup jobs — correlate with backup service account identity and scheduled task context
- Security tools and EDR agents (Windows Defender MsMpEng, CrowdStrike, Carbon Black) perform scheduled scans of sensitive directories; these should match excluded parent process names but custom EDR executables may not be covered
- IT administrators running authorized PowerShell migration or remediation scripts (e.g., migrating user profiles, collecting forensic artefacts, rotating SSH keys) produce identical process telemetry — validate against change management tickets and admin account context
- Password manager applications (KeePass, Bitwarden local vault) opening .kdbx files on user interaction will generate file access events matching the file branch — filter by known password manager process names and user-initiated sessions
Other platforms for T1005
Testing Methodology
Validate this detection against four Atomic Red Team tests for T1005. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Recursive Document Collection via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ChildItem', '-Recurse', and file extension patterns. Sysmon Event ID 11: FileCreate for df00tech-filelist.csv in %TEMP%. PowerShell ScriptBlock Log Event ID 4104 showing the full collection script. File access events (if SACL auditing enabled, Security Event ID 4663) for each document accessed during enumeration.
- Test 2: Browser Credential Database Extraction via esentutl
Expected signal: Sysmon Event ID 1: Process Create for esentutl.exe with CommandLine containing '/y', 'Login Data', '/d', and '/o' flags. Sysmon Event ID 11: FileCreate for df00tech-logindata.db in %TEMP%. Security Event ID 4688 (if command line auditing enabled) capturing the full esentutl command. File access event on the Chrome Login Data file path.
- Test 3: SSH Private Key Collection
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing '.ssh' and 'copy' and 'id_rsa'. Sysmon Event ID 11: FileCreate for both the test key file in .ssh and the copied file in %TEMP%. DeviceFileEvents (MDE): FileCreated action on .ssh directory path with id_rsa in filename, initiating process cmd.exe. Security Event ID 4663 on the .ssh directory if SACL auditing is enabled.
- Test 4: Windows DPAPI Credential Store Enumeration
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'dir /s /b' and 'Microsoft\Credentials'. Security Event ID 4688 (if command line auditing enabled). If SACL auditing is configured on the Credentials directory, Security Event ID 4663 for directory access. DeviceProcessEvents (MDE) will capture the command with full path context.
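To see how the rule's `like~` pattern groups and the parent-process exclusion interact, here is an added Python evaluator (written for this page, not Elastic's query engine or code from the page) that re-implements the process branch with `fnmatch` and runs it over constructed events modelled on the four tests above; the event ids, command lines and the two benign controls are constructed samples.

```python
import fnmatch

def like_any(value, patterns):
    """Approximates EQL `like~`: case-insensitive, `*` matches any run of characters."""
    v = (value or "").lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)

# Process-branch clauses of the rule as (process names, pattern groups); every group
# must match the command line, which is why the PowerShell clause carries two groups.
PROCESS_CLAUSES = [
    (("esentutl.exe",),
     [["*ntds*", "*.dit*", "*login data*", "*cookies*", "*web data*", "*/y *", "*/vss*"]]),
    (("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"),
     [[r"*\.ssh*", "*id_rsa*", "*id_ed25519*", r"*microsoft\credentials*", r"*microsoft\protect*", "*login data*",
       "*ntds.dit*", "*.kdbx*", "*filezilla*", "*recentservers*", "*winscp.ini*", "*.pst*", "*.ost*"]]),
    (("powershell.exe", "pwsh.exe"),
     [["*get-childitem*-recurse*", "*gci*-recurse*", "*gci*-r *", "*dir /s*", "*tree /f*", "*compress-archive*"],
      ["*.pdf*", "*.docx*", "*.xlsx*", "*.pptx*", "*.pfx*", "*.pem*", "*.key*", "*.kdbx*", "*.pst*"]]),
    (("robocopy.exe", "xcopy.exe"),
     [[r"*\.ssh*", "*credential*", "*protect*", r"*\sam*", "*ntds*", "*.kdbx*", "*filezilla*"]]),
    (("where.exe", "findstr.exe", "find.exe"),
     [["*.pdf*", "*.docx*", "*.xlsx*", "*.pfx*", "*.pem*", "*.key*", "*.kdbx*", "*.pst*", "*.ost*"]]),
]
# The rule's `not process.parent.name in~ (...)` exclusion, lower-cased for the case-insensitive compare.
PARENT_EXCLUSIONS = {"msmpeng.exe", "svchost.exe", "services.exe", "backupagent.exe", "onedrivesetup.exe"}

def matches_process_branch(ev):
    """True when an ECS-style process start event satisfies the rule's process branch."""
    if ev.get("event.category") != "process" or ev.get("event.type") != "start":
        return False
    if ev.get("process.parent.name", "").lower() in PARENT_EXCLUSIONS:
        return False  # known-good parents are dropped before any clause is tried
    name, cmd = ev.get("process.name", "").lower(), ev.get("process.command_line", "")
    return any(name in names and all(like_any(cmd, group) for group in groups)
               for names, groups in PROCESS_CLAUSES)

def proc_event(eid, name, parent, cmd):  # constructed ECS-style sample, not real telemetry
    return {"id": eid, "event.category": "process", "event.type": "start",
            "process.name": name, "process.parent.name": parent, "process.command_line": cmd}

# Constructed events mirroring the four Atomic tests above, plus two benign controls.
SAMPLE_EVENTS = [
    proc_event("t1-ps-recurse", "powershell.exe", "explorer.exe", 'powershell.exe -c "Get-ChildItem C:\\Users -Recurse -Include *.docx,*.pdf"'),
    proc_event("t2-esentutl", "esentutl.exe", "cmd.exe", 'esentutl.exe /y "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" /d C:\\Temp\\o.db /o'),
    proc_event("t3-ssh-copy", "cmd.exe", "explorer.exe", 'cmd.exe /c copy "%USERPROFILE%\\.ssh\\id_rsa" %TEMP%\\k'),
    proc_event("t4-dpapi-dir", "cmd.exe", "explorer.exe", 'cmd.exe /c dir /s /b "%APPDATA%\\Microsoft\\Credentials"'),
    proc_event("ctl-backup-parent", "robocopy.exe", "BackupAgent.exe", "robocopy.exe C:\\Users\\u\\.ssh D:\\bak /E"),
    proc_event("ctl-logs", "powershell.exe", "explorer.exe", "powershell.exe Get-ChildItem C:\\logs -Recurse -Filter *.log"),
]

def alerting_ids(events=SAMPLE_EVENTS):  # ids the process branch would alert on
    return [ev["id"] for ev in events if matches_process_branch(ev)]
```

The robocopy control is suppressed only by the parent exclusion, and the `*.log` enumeration is suppressed because the PowerShell clause requires both pattern groups to match; both are the places to tune first when the false-positive sources listed above show up.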
References (10)
- https://attack.mitre.org/techniques/T1005/
- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
- https://symantec-enterprise-blogs.security.com/threat-intelligence/troll-stealer-lazarus-macos
- https://redcanary.com/threat-detection-report/techniques/t1005/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.kaspersky.com/blog/qakbot-malware-analysis/43132/