Detect Data from Local System in IBM QRadar

Adversaries may search local system sources, such as file systems, configuration files, local databases, and process memory to find files of interest and sensitive data prior to Exfiltration. Adversaries commonly target credential stores (Windows DPAPI, browser databases, SSH keys), corporate documents (Office files, PDFs), and system databases (Active Directory NTDS.dit, SAM hive) using command interpreters, native OS utilities like esentutl.exe and robocopy.exe, or custom malware. Observed threat actors include Kimsuky (document theft), HAFNIUM (data collection post-exploitation), LAPSUS$ (credential and file theft for extortion), and malware families such as QakBot (esentutl for browser credential extraction) and BADNEWS (recursive crawl for Office/PDF files).

MITRE ATT&CK

Tactic: Collection
Technique: T1005 Data from Local System
Canonical reference: https://attack.mitre.org/techniques/T1005/

QRadar Detection Query

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceIP,
  username AS UserName,
  "Image" AS ProcessImage,
  "CommandLine" AS CommandLine,
  "TargetFilename" AS TargetFilename,
  "ParentImage" AS ParentImage,
  "ParentCommandLine" AS ParentCommandLine,
  QIDNAME(qid) AS EventName,
  CASE
    WHEN LOWER("Image") LIKE '%esentutl.exe%'
      AND (LOWER("CommandLine") LIKE '%ntds%' OR LOWER("CommandLine") LIKE '%.dit%'
           OR LOWER("CommandLine") LIKE '%login data%' OR LOWER("CommandLine") LIKE '%cookies%'
           OR LOWER("CommandLine") LIKE '%/vss%')
      THEN 'ESE Database Extraction (esentutl)'
    WHEN (LOWER("Image") LIKE '%powershell.exe%' OR LOWER("Image") LIKE '%pwsh.exe%')
      AND (LOWER("CommandLine") LIKE '%get-childitem%recurse%'
           OR LOWER("CommandLine") LIKE '%gci%recurse%'
           OR LOWER("CommandLine") LIKE '%dir /s%'
           OR LOWER("CommandLine") LIKE '%compress-archive%')
      AND (LOWER("CommandLine") LIKE '%.pdf%' OR LOWER("CommandLine") LIKE '%.docx%'
           OR LOWER("CommandLine") LIKE '%.kdbx%' OR LOWER("CommandLine") LIKE '%.pst%'
           OR LOWER("CommandLine") LIKE '%.pfx%' OR LOWER("CommandLine") LIKE '%.pem%')
      THEN 'PowerShell Recursive Enumeration for Sensitive Extensions'
    WHEN (LOWER("Image") LIKE '%robocopy.exe%' OR LOWER("Image") LIKE '%xcopy.exe%')
      AND (LOWER("CommandLine") LIKE '%.ssh%' OR LOWER("CommandLine") LIKE '%credential%'
           OR LOWER("CommandLine") LIKE '%ntds%' OR LOWER("CommandLine") LIKE '%.kdbx%')
      THEN 'Bulk Copy Tool Targeting Sensitive Paths'
    WHEN (LOWER("TargetFilename") LIKE '%microsoft\credentials%'
          OR LOWER("TargetFilename") LIKE '%microsoft\protect%'
          OR LOWER("TargetFilename") LIKE '%.ssh%id_rsa%'
          OR LOWER("TargetFilename") LIKE '%login data%'
          OR LOWER("TargetFilename") LIKE '%logins.json%'
          OR LOWER("TargetFilename") LIKE '%system32\config\sam%'
          OR LOWER("TargetFilename") LIKE '%ntds.dit%'
          OR LOWER("TargetFilename") LIKE '%.kdbx%'
          OR LOWER("TargetFilename") LIKE '%recentservers.xml%'
          OR LOWER("TargetFilename") LIKE '%winscp.ini%')
      THEN 'Sensitive Credential or Data File Access'
    WHEN (LOWER("Image") LIKE '%cmd.exe%' OR LOWER("Image") LIKE '%powershell.exe%'
          OR LOWER("Image") LIKE '%pwsh.exe%' OR LOWER("Image") LIKE '%wscript.exe%'
          OR LOWER("Image") LIKE '%cscript.exe%' OR LOWER("Image") LIKE '%mshta.exe%')
      AND (LOWER("CommandLine") LIKE '%.ssh%' OR LOWER("CommandLine") LIKE '%id_rsa%'
           OR LOWER("CommandLine") LIKE '%credentials%' OR LOWER("CommandLine") LIKE '%ntds.dit%'
           OR LOWER("CommandLine") LIKE '%.kdbx%' OR LOWER("CommandLine") LIKE '%filezilla%'
           OR LOWER("CommandLine") LIKE '%.pst%')
      THEN 'CLI Access to Sensitive Credential Path'
    ELSE 'T1005 Indicator'
  END AS SignalReason
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) LIKE '%Sysmon%'
  AND (
    (
      QIDNAME(qid) = 'Process Create'
      AND (
        (
          LOWER("Image") LIKE '%esentutl.exe%'
          AND (LOWER("CommandLine") LIKE '%ntds%' OR LOWER("CommandLine") LIKE '%.dit%'
               OR LOWER("CommandLine") LIKE '%login data%' OR LOWER("CommandLine") LIKE '%cookies%'
               OR LOWER("CommandLine") LIKE '%/y %' OR LOWER("CommandLine") LIKE '%/vss%')
        )
        OR (
          (LOWER("Image") LIKE '%cmd.exe%' OR LOWER("Image") LIKE '%powershell.exe%'
           OR LOWER("Image") LIKE '%pwsh.exe%' OR LOWER("Image") LIKE '%wscript.exe%'
           OR LOWER("Image") LIKE '%cscript.exe%' OR LOWER("Image") LIKE '%mshta.exe%')
          AND (LOWER("CommandLine") LIKE '%.ssh%' OR LOWER("CommandLine") LIKE '%id_rsa%'
               OR LOWER("CommandLine") LIKE '%id_ed25519%'
               OR LOWER("CommandLine") LIKE '%microsoft\credentials%' OR LOWER("CommandLine") LIKE '%microsoft\protect%'
               OR LOWER("CommandLine") LIKE '%login data%' OR LOWER("CommandLine") LIKE '%ntds.dit%'
               OR LOWER("CommandLine") LIKE '%.kdbx%' OR LOWER("CommandLine") LIKE '%filezilla%'
               OR LOWER("CommandLine") LIKE '%winscp.ini%' OR LOWER("CommandLine") LIKE '%.pst%'
               OR LOWER("CommandLine") LIKE '%.ost%')
        )
        OR (
          (LOWER("Image") LIKE '%powershell.exe%' OR LOWER("Image") LIKE '%pwsh.exe%')
          AND (LOWER("CommandLine") LIKE '%get-childitem%recurse%'
               OR LOWER("CommandLine") LIKE '%gci%recurse%'
               OR LOWER("CommandLine") LIKE '%gci%-r %'
               OR LOWER("CommandLine") LIKE '%dir /s%'
               OR LOWER("CommandLine") LIKE '%tree /f%'
               OR LOWER("CommandLine") LIKE '%compress-archive%')
          AND (LOWER("CommandLine") LIKE '%.pdf%' OR LOWER("CommandLine") LIKE '%.docx%'
               OR LOWER("CommandLine") LIKE '%.xlsx%' OR LOWER("CommandLine") LIKE '%.pptx%'
               OR LOWER("CommandLine") LIKE '%.pfx%' OR LOWER("CommandLine") LIKE '%.pem%'
               OR LOWER("CommandLine") LIKE '%.key%' OR LOWER("CommandLine") LIKE '%.kdbx%'
               OR LOWER("CommandLine") LIKE '%.pst%')
        )
        OR (
          (LOWER("Image") LIKE '%robocopy.exe%' OR LOWER("Image") LIKE '%xcopy.exe%')
          AND (LOWER("CommandLine") LIKE '%.ssh%' OR LOWER("CommandLine") LIKE '%credential%'
               OR LOWER("CommandLine") LIKE '%protect%' OR LOWER("CommandLine") LIKE '%\sam%'
               OR LOWER("CommandLine") LIKE '%ntds%' OR LOWER("CommandLine") LIKE '%.kdbx%'
               OR LOWER("CommandLine") LIKE '%filezilla%')
        )
      )
      AND NOT (
        (LOWER("ParentImage") LIKE '%msmpeng.exe%'
         OR LOWER("ParentImage") LIKE '%svchost.exe%'
         OR LOWER("ParentImage") LIKE '%services.exe%')
        AND (LOWER("User") LIKE '%system%' OR LOWER("User") LIKE '%local service%'
             OR LOWER("User") LIKE '%network service%')
      )
    )
    OR (
      QIDNAME(qid) IN ('File Created', 'File Delete Archived')
      AND (
        LOWER("TargetFilename") LIKE '%\microsoft\credentials\%'
        OR LOWER("TargetFilename") LIKE '%\microsoft\protect\%'
        OR (LOWER("TargetFilename") LIKE '%.ssh%'
            AND (LOWER("TargetFilename") LIKE '%id_rsa%'
                 OR LOWER("TargetFilename") LIKE '%id_ed25519%'
                 OR LOWER("TargetFilename") LIKE '%id_ecdsa%'))
        OR (LOWER("TargetFilename") LIKE '%google\chrome%'
            AND LOWER("TargetFilename") LIKE '%login data%')
        OR (LOWER("TargetFilename") LIKE '%microsoft\edge%'
            AND LOWER("TargetFilename") LIKE '%login data%')
        OR (LOWER("TargetFilename") LIKE '%mozilla\firefox%'
            AND (LOWER("TargetFilename") LIKE '%logins.json%'
                 OR LOWER("TargetFilename") LIKE '%key4.db%'
                 OR LOWER("TargetFilename") LIKE '%cert9.db%'))
        OR LOWER("TargetFilename") LIKE '%\system32\config\sam'
        OR LOWER("TargetFilename") LIKE '%\system32\config\system'
        OR LOWER("TargetFilename") LIKE '%\system32\config\security'
        OR LOWER("TargetFilename") LIKE '%ntds.dit%'
        OR LOWER("TargetFilename") LIKE '%.kdbx%'
        OR LOWER("TargetFilename") LIKE '%filezilla%recentservers.xml%'
        OR LOWER("TargetFilename") LIKE '%winscp.ini%'
      )
      AND NOT (
        LOWER("Image") LIKE '%svchost.exe%'
        OR LOWER("Image") LIKE '%msmpeng.exe%'
        OR LOWER("Image") LIKE '%searchindexer.exe%'
        OR LOWER("Image") LIKE '%onedrive.exe%'
        OR LOWER("Image") LIKE '%msedge.exe%'
        OR LOWER("Image") LIKE '%chrome.exe%'
        OR LOWER("Image") LIKE '%firefox.exe%'
      )
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS
Severity: high. Confidence: high.

AQL query for QRadar with a Sysmon log source. It detects T1005 across two branches: (1) Sysmon Event ID 1 (Process Create) for esentutl ESE database extraction, shell or script-interpreter access to credential paths, PowerShell recursive enumeration of sensitive file extensions, and robocopy/xcopy bulk copies of sensitive directories; (2) Sysmon Event ID 11/23 (File Created / File Delete Archived) for direct access to DPAPI credential stores, SSH private keys, browser credential databases, registry hives, NTDS.dit, KeePass vaults, and FileZilla/WinSCP credential files. The query relies on custom event properties (Image, CommandLine, TargetFilename, ParentImage, ParentCommandLine) extracted from the Sysmon payload, and a CASE expression labels the matching branch in SignalReason. Two checks before enabling it: the QIDNAME values ('Process Create', 'File Created', 'File Delete Archived') must match the QID names the Sysmon DSM assigns in your deployment, so confirm them by grouping a sample of Sysmon events by QIDNAME(qid); and the custom properties must exist and be enabled for the log source, because a missing property is NULL, every LIKE on it is false, and that branch goes silently blind.

Data Sources

  • IBM QRadar SIEM
  • Sysmon (Microsoft-Windows-Sysmon/Operational) ingested as a QRadar log source
  • Windows Event Log via QRadar WinCollect or syslog forwarding

Required Tables

  • events (QRadar normalized event store)
  • Sysmon log source with custom property extraction for the Image, CommandLine, TargetFilename, ParentImage, ParentCommandLine and User fields

False Positives & Tuning

  • Enterprise backup agents (Veeam, Commvault, Windows Server Backup) running as SYSTEM or dedicated service accounts legitimately access registry hives, NTDS.dit via VSS snapshots, and credential directories — correlate username with known backup service accounts and scheduled maintenance windows
  • Password manager auto-save or synchronization processes (KeePass auto-save, Bitwarden desktop) generate .kdbx file creation events on user interaction; filter by known password manager parent process names if custom properties allow
  • IT helpdesk or domain admin scripts for credential rotation, SSH key deployment, or profile migration produce matching PowerShell cmdlines — validate against change management records and privileged account inventory

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Recursive Document Collection via PowerShell

    Expected signal: Sysmon Event ID 1 (Process Create) with Image=powershell.exe and a CommandLine containing 'Get-ChildItem', '-Recurse' and file-extension patterns. Sysmon Event ID 11 (FileCreate) for df00tech-filelist.csv in %TEMP%. PowerShell ScriptBlock Logging Event ID 4104 showing the full collection script. File access events (Security Event ID 4663, if SACL auditing is enabled) for each document touched during enumeration.

  2. Test 2: Browser Credential Database Extraction via esentutl

    Expected signal: Sysmon Event ID 1 (Process Create) for esentutl.exe with a CommandLine containing the '/y', '/d' and '/o' switches and the 'Login Data' path. Sysmon Event ID 11 (FileCreate) for df00tech-logindata.db in %TEMP%. Security Event ID 4688 (if command-line auditing is enabled) capturing the full esentutl command. A file access event on the Chrome Login Data path.

  3. Test 3: SSH Private Key Collection

    Expected signal: Sysmon Event ID 1 (Process Create) for cmd.exe with a CommandLine containing 'copy', '.ssh' and 'id_rsa'. Sysmon Event ID 11 (FileCreate) for both the test key in .ssh and the copy in %TEMP%. Where Microsoft Defender for Endpoint is also present, a DeviceFileEvents row with ActionType FileCreated on the .ssh path, id_rsa in the file name and cmd.exe as the initiating process. Security Event ID 4663 on the .ssh directory if SACL auditing is enabled.

  4. Test 4: Windows DPAPI Credential Store Enumeration

    Expected signal: Sysmon Event ID 1 (Process Create) for cmd.exe with a CommandLine containing 'dir /s /b' and 'Microsoft\Credentials'. Security Event ID 4688 if command-line auditing is enabled. Security Event ID 4663 for directory access if a SACL is configured on the Credentials directory. Where Microsoft Defender for Endpoint is present, DeviceProcessEvents captures the command with full path context.
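To check the branch logic offline before the rule goes live, the following Python replays the query's WHERE gate and CASE labels over constructed Sysmon events shaped like the four tests above, plus benign look-alikes that the exclusions should drop. This is an added example for this page, not vendor code and nothing QRadar itself runs; the keyword lists are transcribed from the AQL, and three choices are assumptions rather than the query's literal text: the DPAPI path keywords are written as microsoft\credentials and microsoft\protect so a path with or without a trailing backslash matches, the registry hive names are anchored to the end of the path so the busy system32\config\systemprofile tree does not match, and each branch uses one keyword list for both gate and label, so nothing falls through to the generic 'T1005 Indicator' label the way the AQL CASE can. The sample events, user names and paths are constructed, not captured telemetry.

```python
"""Offline replay of the T1005 AQL logic over constructed Sysmon events.

Added example for this page, not vendor or QRadar code. It re-implements the
WHERE gate and the CASE labels so the branch logic can be checked before the
rule is deployed. Keyword lists are transcribed from the query; events are
constructed. Assumed deviations from the AQL text: DPAPI paths are matched as
'microsoft\\credentials' / 'microsoft\\protect' (trailing backslash optional),
hive names are anchored to the end of the path, and gate and label share one
keyword list per branch, so nothing falls through to 'T1005 Indicator'.
"""
import re


def like(value, pattern):
    """Case-insensitive SQL LIKE with '%' as the only wildcard: LOWER(x) LIKE p."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("%"))
    return re.fullmatch(regex, value.lower(), re.DOTALL) is not None


def matches(value, patterns):
    return any(like(value, p) for p in patterns)


SHELLS = ("%cmd.exe%", "%powershell.exe%", "%pwsh.exe%", "%wscript.exe%", "%cscript.exe%", "%mshta.exe%")
PS = ("%powershell.exe%", "%pwsh.exe%")
COPY_TOOLS = ("%robocopy.exe%", "%xcopy.exe%")
ESENTUTL_ARGS = ("%ntds%", "%.dit%", "%login data%", "%cookies%", "%/y %", "%/vss%")
CLI_PATHS = ("%.ssh%", "%id_rsa%", "%id_ed25519%", r"%microsoft\credentials%", r"%microsoft\protect%",
             "%login data%", "%ntds.dit%", "%.kdbx%", "%filezilla%", "%winscp.ini%", "%.pst%", "%.ost%")
ENUM_VERBS = ("%get-childitem%recurse%", "%gci%recurse%", "%gci%-r %", "%dir /s%", "%tree /f%", "%compress-archive%")
SENSITIVE_EXT = ("%.pdf%", "%.docx%", "%.xlsx%", "%.pptx%", "%.pfx%", "%.pem%", "%.key%", "%.kdbx%", "%.pst%")
COPY_PATHS = ("%.ssh%", "%credential%", "%protect%", r"%\sam%", "%ntds%", "%.kdbx%", "%filezilla%")
# The AQL ANDs two LIKEs ('%.ssh%' AND '%id_rsa%'); for real paths one ordered pattern is equivalent. The hive
# patterns have no trailing '%': '%system32\config%' AND '%\system%' would match every file under system32\config.
FILE_TARGETS = (r"%\microsoft\credentials\%", r"%\microsoft\protect\%", "%.ssh%id_rsa%", "%.ssh%id_ed25519%",
                "%.ssh%id_ecdsa%", r"%google\chrome%login data%", r"%microsoft\edge%login data%",
                r"%mozilla\firefox%logins.json%", r"%mozilla\firefox%key4.db%", r"%mozilla\firefox%cert9.db%",
                r"%\system32\config\sam", r"%\system32\config\system", r"%\system32\config\security",
                "%ntds.dit%", "%.kdbx%", "%filezilla%recentservers.xml%", "%winscp.ini%")
PARENT_EXCL = ("%msmpeng.exe%", "%svchost.exe%", "%services.exe%")
SERVICE_USERS = ("%system%", "%local service%", "%network service%")
FILE_IMAGE_EXCL = ("%svchost.exe%", "%msmpeng.exe%", "%searchindexer.exe%", "%onedrive.exe%",
                   "%msedge.exe%", "%chrome.exe%", "%firefox.exe%")


def fires(ev):
    """Mirror of the WHERE clause: True when the event is selected at all."""
    img, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
    if ev["EventName"] == "Process Create":
        hit = ((like(img, "%esentutl.exe%") and matches(cmd, ESENTUTL_ARGS))
               or (matches(img, SHELLS) and matches(cmd, CLI_PATHS))
               or (matches(img, PS) and matches(cmd, ENUM_VERBS) and matches(cmd, SENSITIVE_EXT))
               or (matches(img, COPY_TOOLS) and matches(cmd, COPY_PATHS)))
        # Exclusion: spawned by a service host while running as a built-in service account.
        service = matches(ev.get("ParentImage", ""), PARENT_EXCL) and matches(ev.get("User", ""), SERVICE_USERS)
        return hit and not service
    if ev["EventName"] in ("File Created", "File Delete Archived"):
        return matches(ev.get("TargetFilename", ""), FILE_TARGETS) and not matches(img, FILE_IMAGE_EXCL)
    return False


def signal_reason(ev):
    """Mirror of the CASE expression, evaluated top to bottom; the first branch wins."""
    img, cmd, tgt = ev.get("Image", ""), ev.get("CommandLine", ""), ev.get("TargetFilename", "")
    if like(img, "%esentutl.exe%") and matches(cmd, ESENTUTL_ARGS):
        return "ESE Database Extraction (esentutl)"
    if matches(img, PS) and matches(cmd, ENUM_VERBS) and matches(cmd, SENSITIVE_EXT):
        return "PowerShell Recursive Enumeration for Sensitive Extensions"
    if matches(img, COPY_TOOLS) and matches(cmd, COPY_PATHS):
        return "Bulk Copy Tool Targeting Sensitive Paths"
    if matches(tgt, FILE_TARGETS):
        return "Sensitive Credential or Data File Access"
    if matches(img, SHELLS) and matches(cmd, CLI_PATHS):
        return "CLI Access to Sensitive Credential Path"
    return "T1005 Indicator"


def classify(ev):
    """Label the event as the query would, or None when the WHERE clause drops it."""
    return signal_reason(ev) if fires(ev) else None


def proc(image, cmdline, parent=r"C:\Windows\explorer.exe", user=r"CORP\alice"):
    return {"EventName": "Process Create", "Image": image, "CommandLine": cmdline, "ParentImage": parent, "User": user}


def filecreate(image, target):
    return {"EventName": "File Created", "Image": image, "TargetFilename": target}


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD_EXE = r"C:\Windows\System32\cmd.exe"
EVENTS = [  # constructed samples: the first four follow Tests 1-4 above, the rest are benign look-alikes
    proc(PS_EXE, r'powershell.exe -NoProfile -Command "Get-ChildItem C:\Users -Recurse -Include *.pdf,*.docx '
                 r'| Export-Csv $env:TEMP\df00tech-filelist.csv"'),
    proc(r"C:\Windows\System32\esentutl.exe", r'esentutl.exe /y "C:\Users\alice\AppData\Local\Google\Chrome'
         r'\User Data\Default\Login Data" /d C:\Users\alice\AppData\Local\Temp\df00tech-logindata.db /o'),
    proc(CMD_EXE, r'cmd.exe /c copy "C:\Users\alice\.ssh\id_rsa" C:\Users\alice\AppData\Local\Temp\id_rsa'),
    proc(CMD_EXE, r"cmd.exe /c dir /s /b C:\Users\alice\AppData\Roaming\Microsoft\Credentials"),
    proc(PS_EXE, r"powershell.exe -File C:\ProgramData\Deploy\push-ssh-keys.ps1 -Dest C:\Users\bob\.ssh",
         parent=r"C:\Windows\System32\svchost.exe", user=r"NT AUTHORITY\SYSTEM"),  # dropped by the exclusion
    filecreate(CMD_EXE, r"C:\Users\alice\.ssh\id_rsa"),  # key written while setting up Test 3
    filecreate(r"C:\Program Files\Google\Chrome\Application\chrome.exe",  # browser maintaining its own DB
               r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    filecreate(r"C:\Windows\System32\WerFault.exe",  # the SYSTEM profile lives under system32\config
               r"C:\Windows\System32\config\systemprofile\AppData\Local\report.txt"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{ev['EventName']:<14} {classify(ev) or '(not selected)'}")
```

Run it and compare the labels with the SignalReason values the offense shows after firing each test. If a constructed event that should match comes back as not selected, the corresponding AQL branch will miss the real one too; if a benign look-alike is selected, that is the exclusion to tune first.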
