T1005 Microsoft Sentinel · KQL

Detect Data from Local System in Microsoft Sentinel

Adversaries may search local system sources, such as file systems, configuration files, local databases, and process memory to find files of interest and sensitive data prior to Exfiltration. Adversaries commonly target credential stores (Windows DPAPI, browser databases, SSH keys), corporate documents (Office files, PDFs), and system databases (Active Directory NTDS.dit, SAM hive) using command interpreters, native OS utilities like esentutl.exe and robocopy.exe, or custom malware. Observed threat actors include Kimsuky (document theft), HAFNIUM (data collection post-exploitation), LAPSUS$ (credential and file theft for extortion), and malware families such as QakBot (esentutl for browser credential extraction) and BADNEWS (recursive crawl for Office/PDF files).

MITRE ATT&CK

Tactic: Collection
Technique: T1005 Data from Local System
Canonical reference: https://attack.mitre.org/techniques/T1005/

KQL Detection Query

Microsoft Sentinel (KQL)
let SensitivePathKeywords = dynamic([
    "\\.ssh\\", "id_rsa", "id_ed25519", "id_ecdsa",
    "\\Microsoft\\Credentials\\", "\\Microsoft\\Protect\\",
    "Login Data", "Web Data", "Cookies",
    "ntds.dit", "\\config\\SAM", "\\config\\SYSTEM", "\\config\\SECURITY",
    "FileZilla", "recentservers.xml",
    "KeePass", ".kdbx",
    ".pst", ".ost"
]);
let BulkCollectionPatterns = dynamic([
    "dir /s", "dir /b /s", "tree /f",
    "Get-ChildItem -Recurse", "Get-ChildItem -Path", "gci -recurse", "gci -r ",
    "Get-Content", "Compress-Archive"
]);
let SensitiveExtensions = dynamic([
    ".pdf", ".docx", ".xlsx", ".pptx", ".doc", ".xls", ".csv",
    ".kdbx", ".pfx", ".p12", ".pem", ".key", ".cer", ".der",
    ".pst", ".ost", ".msg", ".wallet", ".rdp"
]);
// Branch 1: Process-based local data collection
let ProcessCollection = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // esentutl used for ESE database extraction (browser credential DBs, AD database)
    (FileName =~ "esentutl.exe"
     and ProcessCommandLine has_any ("ntds", "Login Data", "Cookies", "Web Data", "/y", ".dit", "/vss"))
    // Command shells or script hosts accessing known sensitive paths
    or (FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
        and ProcessCommandLine has_any (SensitivePathKeywords))
    // PowerShell recursive file search for sensitive document types
    or (FileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine has_any (BulkCollectionPatterns)
        and ProcessCommandLine has_any (SensitiveExtensions))
    // Robocopy or xcopy bulk-copying sensitive paths
    or (FileName in~ ("robocopy.exe", "xcopy.exe")
        and ProcessCommandLine has_any (SensitivePathKeywords))
    // where.exe or findstr used to locate specific file types at scale
    or (FileName in~ ("where.exe", "findstr.exe", "find.exe")
        and ProcessCommandLine has_any (SensitiveExtensions))
)
| where not(
    // Exclude well-known backup and security products by parent process
    InitiatingProcessFileName in~ ("MsMpEng.exe", "svchost.exe", "services.exe", "BackupAgent.exe", "OneDriveSetup.exe")
    and AccountName in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
)
| extend DetectionType = "Process-Based Collection"
| extend SignalReason = case(
    FileName =~ "esentutl.exe", "ESE Database Extraction (browser creds or NTDS)",
    ProcessCommandLine has_any ("ntds", "SAM", "SYSTEM", "SECURITY"), "AD/Registry Hive Targeted",
    ProcessCommandLine has_any (".ssh", "id_rsa", "id_ed25519"), "SSH Key Targeted",
    ProcessCommandLine has_any ("Login Data", "Cookies", "Web Data"), "Browser Credential DB Targeted",
    ProcessCommandLine has_any (BulkCollectionPatterns), "Bulk Recursive File Enumeration",
    FileName in~ ("robocopy.exe", "xcopy.exe"), "Bulk Copy Tool on Sensitive Path",
    "Sensitive Path Access via CLI"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType, SignalReason;
// Branch 2: Direct file access to high-value credential and data stores
let FileAccessCollection = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in~ ("FileRead", "FileCreated", "FileCopied", "FileRenamed")
| where (
    (FolderPath has "\\AppData\\Local\\Microsoft\\Credentials")
    or (FolderPath has "\\AppData\\Roaming\\Microsoft\\Credentials")
    or (FolderPath has "\\AppData\\Roaming\\Microsoft\\Protect")
    or (FolderPath has "\\.ssh" and FileName has_any ("id_rsa", "id_ed25519", "id_ecdsa", "config"))
    or (FolderPath has "Google\\Chrome" and FileName =~ "Login Data")
    or (FolderPath has "Microsoft\\Edge" and FileName =~ "Login Data")
    or (FolderPath has "Mozilla\\Firefox\\Profiles" and FileName has_any ("logins.json", "key4.db", "cert9.db"))
    or (FolderPath has "\\Windows\\System32\\config" and FileName in~ ("SAM", "SYSTEM", "SECURITY", "DEFAULT"))
    or (FolderPath has "NTDS" and FileName =~ "ntds.dit")
    or (FileName endswith ".kdbx")
    or (FolderPath has "FileZilla" and FileName in~ ("recentservers.xml", "sitemanager.xml"))
    or (FolderPath has "\\Roaming\\WinSCP" and FileName =~ "WinSCP.ini")
)
| where InitiatingProcessFileName !in~ (
    "svchost.exe", "System", "MsMpEng.exe", "SearchIndexer.exe",
    "OneDrive.exe", "msedge.exe", "chrome.exe", "firefox.exe"
)
| where InitiatingProcessAccountName !in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
| extend DetectionType = "File-Based Collection"
| extend SignalReason = case(
    FolderPath has "Credentials" or FolderPath has "Protect", "Windows DPAPI Credential Store Access",
    FolderPath has ".ssh", "SSH Private Key Access",
    FolderPath has "Login Data" or FolderPath has "logins.json", "Browser Credential DB Access",
    FolderPath has "\\config" and FileName in~ ("SAM", "SYSTEM", "SECURITY"), "Registry Hive File Access",
    FolderPath has "NTDS", "Active Directory Database Access",
    FileName endswith ".kdbx", "KeePass Password Database Access",
    FolderPath has "FileZilla" or FolderPath has "WinSCP", "FTP/SCP Saved Credential Access",
    "Sensitive File Access"
)
| project Timestamp, DeviceName,
         AccountName = InitiatingProcessAccountName,
         FileName, FolderPath, ActionType,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType, SignalReason;
union ProcessCollection, FileAccessCollection
| sort by Timestamp desc

Severity: High · Confidence: Medium

Detects local data collection activity using two parallel approaches: (1) process-based detection targeting esentutl.exe database extraction, PowerShell recursive file enumeration for sensitive extensions, command shell access to credential paths (.ssh, DPAPI Credentials, browser Login Data, NTDS.dit), and bulk copy tool misuse; (2) file-event detection on direct access to high-value paths including Windows DPAPI credential stores, SSH private keys, browser credential databases, registry hive files (SAM/SYSTEM/SECURITY), and password manager databases. The union of both branches provides broad coverage across T1005 tradecraft. Results are annotated with SignalReason to aid analyst triage.

Data Sources

  • Process: Process Creation
  • File: File Access
  • Command: Command Execution
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceProcessEvents
  • DeviceFileEvents

False Positives & Tuning

  • Backup software (Veeam, Windows Backup, Acronis) accessing credential stores or NTDS.dit via VSS snapshots during scheduled jobs
  • Password managers (KeePass, Bitwarden) or browser sync services accessing their own databases during normal operation — exclude by initiating process name
  • IT administrators using robocopy or esentutl for legitimate data migration or database maintenance with documented change tickets
  • Antivirus or EDR products performing file scanning across sensitive directories — typically run as SYSTEM from known product binaries
  • Developers using Get-ChildItem -Recurse on document libraries for legitimate scripting or reporting tasks

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Recursive Document Collection via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ChildItem', '-Recurse', and file extension patterns. Sysmon Event ID 11: FileCreate for df00tech-filelist.csv in %TEMP%. PowerShell ScriptBlock Log Event ID 4104 showing the full collection script. File access events (if SACL auditing enabled, Security Event ID 4663) for each document accessed during enumeration.

  2. Test 2: Browser Credential Database Extraction via esentutl

    Expected signal: Sysmon Event ID 1: Process Create for esentutl.exe with CommandLine containing '/y', 'Login Data', '/d', and '/o' flags. Sysmon Event ID 11: FileCreate for df00tech-logindata.db in %TEMP%. Security Event ID 4688 (if command line auditing enabled) capturing the full esentutl command. File access event on the Chrome Login Data file path.

  3. Test 3: SSH Private Key Collection

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing '.ssh' and 'copy' and 'id_rsa'. Sysmon Event ID 11: FileCreate for both the test key file in .ssh and the copied file in %TEMP%. DeviceFileEvents (MDE): FileCreated action on .ssh directory path with id_rsa in filename, initiating process cmd.exe. Security Event ID 4663 on the .ssh directory if SACL auditing is enabled.

  4. Test 4: Windows DPAPI Credential Store Enumeration

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'dir /s /b' and 'Microsoft\Credentials'. Security Event ID 4688 (if command line auditing enabled). If SACL auditing is configured on the Credentials directory, Security Event ID 4663 for directory access. DeviceProcessEvents (MDE) will capture the command with full path context.
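To see how the query's two branches classify the four tests above before running anything in a tenant, the following offline model re-implements the KQL detection and exclusion logic in Python and feeds it constructed DeviceProcessEvents and DeviceFileEvents rows that mirror each test. It is an added example, not code from this page or from Microsoft: the user name alice, the paths, the parent processes and the control row are all constructed, and the has/has_any functions are a simplified model of Kusto's term-based matching (whole terms split on non-alphanumerics), not its exact tokenizer.

```python
"""Offline model of the two-branch T1005 query above, run on the four Testing Methodology scenarios (added example, constructed rows)."""
import re

# Keyword lists copied from the query's let statements.
SENSITIVE_PATHS = ["\\.ssh\\", "id_rsa", "id_ed25519", "id_ecdsa", "\\Microsoft\\Credentials\\",
                   "\\Microsoft\\Protect\\", "Login Data", "Web Data", "Cookies", "ntds.dit",
                   "\\config\\SAM", "\\config\\SYSTEM", "\\config\\SECURITY", "FileZilla",
                   "recentservers.xml", "KeePass", ".kdbx", ".pst", ".ost"]
BULK_PATTERNS = ["dir /s", "dir /b /s", "tree /f", "Get-ChildItem -Recurse", "Get-ChildItem -Path",
                 "gci -recurse", "gci -r ", "Get-Content", "Compress-Archive"]
EXTENSIONS = [".pdf", ".docx", ".xlsx", ".pptx", ".doc", ".xls", ".csv", ".kdbx", ".pfx", ".p12",
              ".pem", ".key", ".cer", ".der", ".pst", ".ost", ".msg", ".wallet", ".rdp"]
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
EXCLUDED_PARENTS = {"msmpeng.exe", "svchost.exe", "services.exe", "backupagent.exe", "onedrivesetup.exe"}
EXCLUDED_FILE_PROCS = {"svchost.exe", "system", "msmpeng.exe", "searchindexer.exe",
                       "onedrive.exe", "msedge.exe", "chrome.exe", "firefox.exe"}

def terms(s):
    """Kusto `has` matches whole terms, not substrings; terms are modelled as runs of [a-z0-9_] (a simplification)."""
    return re.findall(r"[a-z0-9_]+", s.lower())

def has(text, phrase):
    """Model of KQL `has`: the phrase's terms occur contiguously and in order among the text's terms."""
    t, p = terms(text), terms(phrase)
    return bool(p) and any(t[i:i + len(p)] == p for i in range(len(t) - len(p) + 1))

def has_any(text, phrases):
    return any(has(text, p) for p in phrases)

def first_label(ordered, default):
    """Mirror of KQL case(): the first true predicate wins, otherwise the default."""
    return next((label for cond, label in ordered if cond), default)

def process_signal(file_name, command_line, account_name, parent):
    """Branch 1 over one DeviceProcessEvents row: the query's SignalReason, or None if unmatched/excluded."""
    fn, cl = file_name.lower(), command_line
    hit = ((fn == "esentutl.exe" and has_any(cl, ["ntds", "Login Data", "Cookies", "Web Data", "/y", ".dit", "/vss"]))
           or (fn in SHELLS and has_any(cl, SENSITIVE_PATHS))
           or (fn in {"powershell.exe", "pwsh.exe"} and has_any(cl, BULK_PATTERNS) and has_any(cl, EXTENSIONS))
           or (fn in {"robocopy.exe", "xcopy.exe"} and has_any(cl, SENSITIVE_PATHS))
           or (fn in {"where.exe", "findstr.exe", "find.exe"} and has_any(cl, EXTENSIONS)))
    # The branch 1 exclusion is a conjunction (known parent AND service account), as in the query's not(...).
    if not hit or (parent.lower() in EXCLUDED_PARENTS and account_name.upper() in SERVICE_ACCOUNTS):
        return None
    return first_label([
        (fn == "esentutl.exe", "ESE Database Extraction (browser creds or NTDS)"),
        (has_any(cl, ["ntds", "SAM", "SYSTEM", "SECURITY"]), "AD/Registry Hive Targeted"),
        (has_any(cl, [".ssh", "id_rsa", "id_ed25519"]), "SSH Key Targeted"),
        (has_any(cl, ["Login Data", "Cookies", "Web Data"]), "Browser Credential DB Targeted"),
        (has_any(cl, BULK_PATTERNS), "Bulk Recursive File Enumeration"),
        (fn in {"robocopy.exe", "xcopy.exe"}, "Bulk Copy Tool on Sensitive Path"),
    ], "Sensitive Path Access via CLI")

def file_signal(action_type, folder_path, file_name, init_process, init_account):
    """Branch 2 over one DeviceFileEvents row: the query's SignalReason, or None."""
    fp, fn = folder_path, file_name.lower()
    if action_type.lower() not in {"fileread", "filecreated", "filecopied", "filerenamed"}:
        return None
    hit = (has_any(fp, ["\\AppData\\Local\\Microsoft\\Credentials", "\\AppData\\Roaming\\Microsoft\\Credentials",
                        "\\AppData\\Roaming\\Microsoft\\Protect"])
           or (has(fp, "\\.ssh") and has_any(fn, ["id_rsa", "id_ed25519", "id_ecdsa", "config"]))
           or (has_any(fp, ["Google\\Chrome", "Microsoft\\Edge"]) and fn == "login data")
           or (has(fp, "Mozilla\\Firefox\\Profiles") and has_any(fn, ["logins.json", "key4.db", "cert9.db"]))
           or (has(fp, "\\Windows\\System32\\config") and fn in {"sam", "system", "security", "default"})
           or (has(fp, "NTDS") and fn == "ntds.dit") or fn.endswith(".kdbx")
           or (has(fp, "FileZilla") and fn in {"recentservers.xml", "sitemanager.xml"})
           or (has(fp, "\\Roaming\\WinSCP") and fn == "winscp.ini"))
    # Branch 2 applies two independent exclusion filters: either one alone drops the row.
    if not hit or init_process.lower() in EXCLUDED_FILE_PROCS or init_account.upper() in SERVICE_ACCOUNTS:
        return None
    return first_label([
        (has_any(fp, ["Credentials", "Protect"]), "Windows DPAPI Credential Store Access"),
        (has(fp, ".ssh"), "SSH Private Key Access"),
        (has_any(fp, ["Login Data", "logins.json"]), "Browser Credential DB Access"),
        (has(fp, "\\config") and fn in {"sam", "system", "security"}, "Registry Hive File Access"),
        (has(fp, "NTDS"), "Active Directory Database Access"),
        (fn.endswith(".kdbx"), "KeePass Password Database Access"),
        (has_any(fp, ["FileZilla", "WinSCP"]), "FTP/SCP Saved Credential Access"),
    ], "Sensitive File Access")

# Constructed rows mirroring the four Testing Methodology scenarios, plus an excluded AV-scan control.
PROCESS_ROWS = {
    "test1_ps_recursive": ("powershell.exe", r"powershell.exe Get-ChildItem -Path C:\Users -Recurse -Include *.docx,*.pdf | Export-Csv $env:TEMP\df00tech-filelist.csv", "alice", "explorer.exe"),
    "test2_esentutl": ("esentutl.exe", r'esentutl.exe /y "C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d %TEMP%\df00tech-logindata.db /o', "alice", "cmd.exe"),
    "test3_ssh_copy": ("cmd.exe", r"cmd.exe /c copy C:\Users\alice\.ssh\id_rsa %TEMP%\id_rsa", "alice", "explorer.exe"),
    "test4_dpapi_dir": ("cmd.exe", r"cmd.exe /c dir /s /b C:\Users\alice\AppData\Roaming\Microsoft\Credentials", "alice", "explorer.exe"),
    "control_av_scan": ("findstr.exe", r"findstr.exe /s /m password *.pdf", "SYSTEM", "MsMpEng.exe"),
}
TEST3_FILE_ROW = ("FileCreated", r"C:\Users\alice\.ssh", "id_rsa", "cmd.exe", "alice")

def run_all():
    results = {name: process_signal(*row) for name, row in PROCESS_ROWS.items()}
    results["test3_file_event"] = file_signal(*TEST3_FILE_ROW)
    return results

if __name__ == "__main__":
    for name, reason in run_all().items():
        print(f"{name:20} {reason}")
```

Two triage details fall out of running this. Because case() takes the first true predicate, Test 4's dir /s /b against the Credentials folder is labelled "Bulk Recursive File Enumeration" rather than a DPAPI-specific reason, so analysts should read the command line and not only SignalReason. The branches also exclude differently: branch 1 drops a row only when the parent is a known product binary and the account is a service account at the same time, while branch 2 drops a row on either condition alone, which is why the control row (findstr.exe under MsMpEng.exe as SYSTEM) disappears from branch 1 but a browser process touching its own Login Data file would be dropped from branch 2 regardless of account.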
