T1005 CrowdStrike LogScale · LogScale

Detect Data from Local System in CrowdStrike LogScale

Adversaries may search local system sources, such as file systems, configuration files, local databases, and process memory to find files of interest and sensitive data prior to Exfiltration. Adversaries commonly target credential stores (Windows DPAPI, browser databases, SSH keys), corporate documents (Office files, PDFs), and system databases (Active Directory NTDS.dit, SAM hive) using command interpreters, native OS utilities like esentutl.exe and robocopy.exe, or custom malware. Observed threat actors include Kimsuky (document theft), HAFNIUM (data collection post-exploitation), LAPSUS$ (credential and file theft for extortion), and malware families such as QakBot (esentutl for browser credential extraction) and BADNEWS (recursive crawl for Office/PDF files).

MITRE ATT&CK

Tactic: Collection
Technique: T1005 Data from Local System
Canonical reference: https://attack.mitre.org/techniques/T1005/

LogScale Detection Query

CrowdStrike LogScale (LogScale), query language CQL
#event_simpleName = ProcessRollup2
| ImageFileName = /(?i)(esentutl|cmd|powershell|pwsh|wscript|cscript|mshta|robocopy|xcopy|where|findstr|find)\.exe$/
| CommandLine = /(?i)(ntds|\.dit|login[\s_]?data|cookies|web[\s_]?data|id_rsa|id_ed25519|id_ecdsa|\.ssh[\/\\]|microsoft.credentials|microsoft.protect|\.kdbx|filezilla|recentservers|winscp\.ini|\.pst|\.ost|dir\s\/s|get-childitem.*recurse|gci.*recurse|compress-archive|\.pdf|\.docx|\.xlsx|\.pptx|\.pfx|\.pem|\.key)/
| NOT ParentBaseFileName = /(?i)(MsMpEng|svchost|services|BackupAgent|OneDriveSetup)\.exe$/
| case {
    ImageFileName = /(?i)esentutl\.exe$/ AND CommandLine = /(?i)(ntds|\.dit|login.data|cookies|\/vss)/ |
      SignalReason := "ESE Database Extraction (esentutl)" ;
    ImageFileName = /(?i)(powershell|pwsh)\.exe$/ AND CommandLine = /(?i)(get-childitem.*recurse|gci.*recurse|gci.*-r\s|dir\s\/s|tree\s\/f|compress-archive)/ AND CommandLine = /(?i)(\.pdf|\.docx|\.xlsx|\.pptx|\.pfx|\.pem|\.key|\.kdbx|\.pst)/ |
      SignalReason := "PowerShell Recursive File Enumeration for Sensitive Extensions" ;
    ImageFileName = /(?i)(robocopy|xcopy)\.exe$/ AND CommandLine = /(?i)(\.ssh|credential|protect|ntds|\.kdbx|filezilla)/ |
      SignalReason := "Bulk Copy Tool Targeting Sensitive Paths" ;
    ImageFileName = /(?i)(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$/ AND CommandLine = /(?i)(\.ssh|id_rsa|credentials|protect|login.data|ntds\.dit|\.kdbx|filezilla|\.pst|\.ost)/ |
      SignalReason := "CLI Access to Sensitive Credential Path" ;
    ImageFileName = /(?i)(where|findstr|find)\.exe$/ |
      SignalReason := "Search Utility Locating Sensitive File Extensions" ;
    * | SignalReason := "T1005 Process Indicator"
  }
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, SignalReason], limit=2000)
| sort(field=@timestamp, order=desc)

// Supplemental query: File access via Falcon WriteFile/ReadFile events
// Run separately to detect direct credential store file access
#event_simpleName = /^(WriteFile|PeFileWritten|SuspiciousFileWritten)$/
| TargetFileName = /(?i)(\\Microsoft\\Credentials\\|\\Microsoft\\Protect\\|\.ssh[\/\\](id_rsa|id_ed25519|id_ecdsa)|Google\\Chrome.*Login Data|Microsoft\\Edge.*Login Data|Mozilla\\Firefox.*logins\.json|Mozilla\\Firefox.*key4\.db|System32\\config\\(SAM|SYSTEM|SECURITY)|NTDS\\ntds\.dit|\.kdbx$|FileZilla.*recentservers\.xml|WinSCP\.ini)/
| NOT ImageFileName = /(?i)(svchost|MsMpEng|SearchIndexer|OneDrive|msedge|chrome|firefox)\.exe$/
| case {
    TargetFileName = /(?i)(\\Credentials\\|\\Protect\\)/ |
      SignalReason := "Windows DPAPI Credential Store File Access" ;
    TargetFileName = /(?i)\.ssh[\/\\](id_rsa|id_ed25519|id_ecdsa)/ |
      SignalReason := "SSH Private Key File Access" ;
    TargetFileName = /(?i)(Chrome|Edge).*Login Data/ |
      SignalReason := "Browser Credential Database Access" ;
    TargetFileName = /(?i)Firefox.*(logins\.json|key4\.db)/ |
      SignalReason := "Firefox Credential Store Access" ;
    TargetFileName = /(?i)System32\\config\\(SAM|SYSTEM|SECURITY)/ |
      SignalReason := "Windows Registry Hive File Access" ;
    TargetFileName = /(?i)(NTDS\\ntds\.dit|\.kdbx$)/ |
      SignalReason := "AD Database or KeePass Vault Access" ;
    * | SignalReason := "Sensitive Credential File Access"
  }
| table([ComputerName, UserName, ImageFileName, TargetFileName, SignalReason], limit=2000)
| sort(field=@timestamp, order=desc)
Severity: high · Confidence: high

Two complementary CrowdStrike LogScale (Falcon) queries. Query 1 runs over ProcessRollup2 events: it keeps processes associated with T1005 collection (esentutl, shell and script interpreters, robocopy/xcopy, where/findstr/find), requires the command line to reference a credential path, a sensitive document extension or a recursive-enumeration pattern, drops hits whose parent is a known system or backup process, and then classifies each surviving event with a case expression. The case branches are evaluated in order and the first match wins, so the esentutl and PowerShell-enumeration branches take precedence over the generic "CLI Access" branch, and anything that passes the pre-filters but matches no branch (for example cmd.exe running dir /s over document extensions) lands in the catch-all "T1005 Process Indicator". Query 2 runs over the WriteFile/PeFileWritten/SuspiciousFileWritten streams and keys on the written file path matching DPAPI credential stores, SSH private keys, browser credential databases, Windows registry hive files, NTDS.dit, KeePass vaults and FTP client credential files. These are write-side events: a tool that only reads a credential store, or copies it to a staging directory, produces no record for the source path, so treat Query 2 as a supplement to Query 1 rather than as read-access auditing. Both queries exclude known-good browser and system processes and sort descending by timestamp. Run each query independently in the Falcon LogScale investigation console or as separate saved searches.
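To make the branch ordering and pre-filters of Query 1 concrete, the following Python re-implements its ProcessRollup2 logic and runs it over a handful of constructed records. This is an added example for this page, not CrowdStrike code and not a LogScale API; the regexes are copied from the query above (with escaped forward slashes simplified), while the hostnames, paths and command lines in SAMPLE_EVENTS are invented.

```python
import re
from typing import Optional

# Pre-filters, copied from the three filter lines at the top of Query 1.
IMAGE_RE = re.compile(
    r"(?i)(esentutl|cmd|powershell|pwsh|wscript|cscript|mshta|robocopy|xcopy|"
    r"where|findstr|find)\.exe$")
CMDLINE_RE = re.compile(
    r"(?i)(ntds|\.dit|login[\s_]?data|cookies|web[\s_]?data|id_rsa|id_ed25519|"
    r"id_ecdsa|\.ssh[/\\]|microsoft.credentials|microsoft.protect|\.kdbx|filezilla|"
    r"recentservers|winscp\.ini|\.pst|\.ost|dir\s/s|get-childitem.*recurse|"
    r"gci.*recurse|compress-archive|\.pdf|\.docx|\.xlsx|\.pptx|\.pfx|\.pem|\.key)")
PARENT_EXCLUDE_RE = re.compile(
    r"(?i)(MsMpEng|svchost|services|BackupAgent|OneDriveSetup)\.exe$")

# Branches in the same order as the case{} block. The first match wins, so the
# esentutl and PowerShell-enumeration branches must come before the generic
# "CLI Access" branch, which also matches powershell.exe.
BRANCHES = [
    (r"(?i)esentutl\.exe$",
     [r"(?i)(ntds|\.dit|login.data|cookies|/vss)"],
     "ESE Database Extraction (esentutl)"),
    (r"(?i)(powershell|pwsh)\.exe$",
     [r"(?i)(get-childitem.*recurse|gci.*recurse|gci.*-r\s|dir\s/s|tree\s/f|compress-archive)",
      r"(?i)(\.pdf|\.docx|\.xlsx|\.pptx|\.pfx|\.pem|\.key|\.kdbx|\.pst)"],
     "PowerShell Recursive File Enumeration for Sensitive Extensions"),
    (r"(?i)(robocopy|xcopy)\.exe$",
     [r"(?i)(\.ssh|credential|protect|ntds|\.kdbx|filezilla)"],
     "Bulk Copy Tool Targeting Sensitive Paths"),
    (r"(?i)(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$",
     [r"(?i)(\.ssh|id_rsa|credentials|protect|login.data|ntds\.dit|\.kdbx|filezilla|\.pst|\.ost)"],
     "CLI Access to Sensitive Credential Path"),
    (r"(?i)(where|findstr|find)\.exe$", [],
     "Search Utility Locating Sensitive File Extensions"),
]
DEFAULT_REASON = "T1005 Process Indicator"  # the `* |` branch


def classify(event: dict) -> Optional[str]:
    """Return the SignalReason for one ProcessRollup2-style record, or None when a
    pre-filter (image name, command line, parent-process exclusion) drops it."""
    image, cmdline = event["ImageFileName"], event["CommandLine"]
    if not IMAGE_RE.search(image) or not CMDLINE_RE.search(cmdline):
        return None
    if PARENT_EXCLUDE_RE.search(event.get("ParentBaseFileName", "")):
        return None
    for image_re, cmd_res, reason in BRANCHES:
        if re.search(image_re, image) and all(re.search(r, cmdline) for r in cmd_res):
            return reason
    return DEFAULT_REASON


def run_query(events: list) -> list:
    """Emulate the table(): one (ComputerName, SignalReason) row per surviving event."""
    rows = []
    for e in events:
        reason = classify(e)
        if reason is not None:
            rows.append((e["ComputerName"], reason))
    return rows


# Constructed sample records (not real Falcon telemetry); hosts and paths are invented.
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "ImageFileName": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r'esentutl.exe /y "C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d C:\Users\alice\AppData\Local\Temp\ld.db /vss',
     "ParentBaseFileName": "cmd.exe"},
    {"ComputerName": "WS02", "ImageFileName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -nop -c "Get-ChildItem C:\Users -Recurse -Include *.docx,*.pdf"',
     "ParentBaseFileName": "explorer.exe"},
    {"ComputerName": "WS03", "ImageFileName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy C:\Users\alice\.ssh\id_rsa %TEMP%\k.txt",
     "ParentBaseFileName": "explorer.exe"},
    # Same enumeration as WS02 but launched by svchost.exe: the parent exclusion drops it.
    {"ComputerName": "WS04", "ImageFileName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "Get-ChildItem C:\ -Recurse -Filter *.pdf"',
     "ParentBaseFileName": "svchost.exe"},
    # cmd.exe recursion over documents passes the pre-filter (dir /s, .docx) but
    # matches no branch, so it falls through to the default reason.
    {"ComputerName": "WS05", "ImageFileName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir /s /b C:\Users\*.docx",
     "ParentBaseFileName": "explorer.exe"},
    {"ComputerName": "WS06", "ImageFileName": r"C:\Windows\System32\findstr.exe",
     "CommandLine": r'findstr.exe /s /m "PRIVATE KEY" C:\Users\*.pem',
     "ParentBaseFileName": "cmd.exe"},
    # notepad.exe is not in the image list, so it never reaches the case block.
    {"ComputerName": "WS07", "ImageFileName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\.ssh\id_rsa",
     "ParentBaseFileName": "explorer.exe"},
]

if __name__ == "__main__":
    for host, reason in run_query(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```

When tuning the production query, this is the place to test a new parent-process exclusion or a re-ordered branch against known-good and known-bad command lines before editing the saved search: the WS04 and WS05 records show, respectively, what an exclusion silently removes and what the catch-all branch absorbs.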

Data Sources

  • CrowdStrike Falcon Endpoint Protection (sensor version 6.x+)
  • CrowdStrike LogScale (formerly Humio) with Falcon event data
  • Falcon ProcessRollup2, WriteFile, PeFileWritten, SuspiciousFileWritten event streams

Required Tables

  • ProcessRollup2 events (ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, UserName, ComputerName)
  • WriteFile / PeFileWritten / SuspiciousFileWritten events (TargetFileName, ImageFileName, UserName, ComputerName)

False Positives & Tuning

  • CrowdStrike Falcon sensor itself (CSFalconService, CSFalconContainer) may access credential and registry paths during telemetry collection — the sensor process is typically excluded by EDR policy but may surface if exclusion lists are not maintained
  • Enterprise software deployment tools (SCCM, Intune Management Extension, Chef/Puppet agents) executing PowerShell scripts for software inventory or compliance checks may match the bulk enumeration pattern — correlate with software deployment schedules and management agent parent process names
  • Developer CI/CD pipeline agents running on Windows build servers executing PowerShell scripts that traverse source trees containing key material (e.g., embedded test certificates, .pem fixtures) will match the recursive enumeration with sensitive extension branch — filter by build server hostname asset tag or pipeline service account

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. The expected signals are described in terms of Sysmon, Windows Security and MDE telemetry; in Falcon the process-creation equivalent is the ProcessRollup2 event that Query 1 consumes, so confirm that each test's command line reaches the corresponding SignalReason branch. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Recursive Document Collection via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ChildItem', '-Recurse', and file extension patterns. Sysmon Event ID 11: FileCreate for df00tech-filelist.csv in %TEMP%. PowerShell ScriptBlock Log Event ID 4104 showing the full collection script. File access events (if SACL auditing enabled, Security Event ID 4663) for each document accessed during enumeration.

  2. Test 2: Browser Credential Database Extraction via esentutl

    Expected signal: Sysmon Event ID 1: Process Create for esentutl.exe with CommandLine containing '/y', 'Login Data', '/d', and '/o' flags. Sysmon Event ID 11: FileCreate for df00tech-logindata.db in %TEMP%. Security Event ID 4688 (if command line auditing enabled) capturing the full esentutl command. File access event on the Chrome Login Data file path.

  3. Test 3: SSH Private Key Collection

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing '.ssh' and 'copy' and 'id_rsa'. Sysmon Event ID 11: FileCreate for both the test key file in .ssh and the copied file in %TEMP%. DeviceFileEvents (MDE): FileCreated action on .ssh directory path with id_rsa in filename, initiating process cmd.exe. Security Event ID 4663 on the .ssh directory if SACL auditing is enabled.

  4. Test 4: Windows DPAPI Credential Store Enumeration

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'dir /s /b' and 'Microsoft\Credentials'. Security Event ID 4688 (if command line auditing enabled). If SACL auditing is configured on the Credentials directory, Security Event ID 4663 for directory access. DeviceProcessEvents (MDE) will capture the command with full path context.
