
Detect Data from Local System in Splunk

Adversaries may search local system sources, such as file systems, configuration files, local databases, and process memory to find files of interest and sensitive data prior to Exfiltration. Adversaries commonly target credential stores (Windows DPAPI, browser databases, SSH keys), corporate documents (Office files, PDFs), and system databases (Active Directory NTDS.dit, SAM hive) using command interpreters, native OS utilities like esentutl.exe and robocopy.exe, or custom malware. Observed threat actors include Kimsuky (document theft), HAFNIUM (data collection post-exploitation), LAPSUS$ (credential and file theft for extortion), and malware families such as QakBot (esentutl for browser credential extraction) and BADNEWS (recursive crawl for Office/PDF files).

MITRE ATT&CK

Tactic
Collection
Technique
T1005 Data from Local System
Canonical reference
https://attack.mitre.org/techniques/T1005/

SPL Detection Query

Splunk (SPL)
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=11 OR EventCode=23))
| eval cmdline=lower(CommandLine), img=lower(Image), target=lower(coalesce(TargetFilename, ""))
| eval is_esentutl=if(
    match(img, "esentutl\\.exe") AND match(cmdline, "(ntds|\\.dit|login data|cookies|web data|/y|/vss)"),
    1, 0)
| eval is_sensitive_path_cli=if(
    match(img, "(cmd\\.exe|powershell\\.exe|pwsh\\.exe|wscript\\.exe|cscript\\.exe|mshta\\.exe)") AND
    match(cmdline, "(\\.ssh|id_rsa|id_ed25519|\\.kdbx|credentials\\\\|\\\\protect\\\\|login data|ntds\\.dit|filezilla|recentservers|winscp\\.ini|\\.pst|\\.ost)"),
    1, 0)
| eval is_bulk_enum=if(
    match(img, "(powershell\\.exe|pwsh\\.exe)") AND
    match(cmdline, "(get-childitem.*-recurse|gci.*-recurse|gci.*-r |dir /s|tree /f|compress-archive)") AND
    match(cmdline, "(\\.pdf|\\.docx|\\.xlsx|\\.pptx|\\.doc|\\.xls|\\.csv|\\.pfx|\\.pem|\\.key|\\.kdbx|\\.pst)"),
    1, 0)
| eval is_bulk_copy=if(
    match(img, "(robocopy\\.exe|xcopy\\.exe)") AND
    match(cmdline, "(\\.ssh|credential|protect|sam|ntds|password|secret|appdata|kdbx|filezilla)"),
    1, 0)
| eval is_sensitive_file_created=if(
    EventCode IN (11, 23) AND
    match(target, "(\\.ssh[\\\\/]id_rsa|\\.ssh[\\\\/]id_ed25519|microsoft\\\\credentials\\\\.+|microsoft\\\\protect\\\\.+|google\\\\chrome.+login data|mozilla.+logins\\.json|system32\\\\config\\\\(sam|system|security)|ntds\\.dit|\\.kdbx|filezilla.+recentservers\\.xml|winscp\\.ini)"),
    1, 0)
| eval SuspicionScore = is_esentutl + is_sensitive_path_cli + is_bulk_enum + is_bulk_copy + is_sensitive_file_created
| where SuspicionScore > 0
| eval SignalReason = case(
    is_esentutl=1, "ESE Database Extraction (esentutl)",
    is_bulk_enum=1, "PowerShell Recursive File Enumeration for Sensitive Extensions",
    is_sensitive_file_created=1, "Sensitive Credential/Data File Access or Staging",
    is_sensitive_path_cli=1, "CLI Access to Sensitive Credential Path",
    is_bulk_copy=1, "Bulk Copy Tool Targeting Sensitive Paths",
    true(), "Unknown"
)
| eval EventType = case(EventCode=1, "ProcessCreate", EventCode=11, "FileCreate", EventCode=23, "FileDelete", "Other")
| table _time, host, User, Image, CommandLine, TargetFilename, ParentImage, ParentCommandLine, EventType, SignalReason, SuspicionScore
| sort - _time
Severity: High · Confidence: Medium

Detects local data collection across Sysmon Event ID 1 (Process Create), Event ID 11 (File Create), and Event ID 23 (File Delete). Each event is evaluated against five signal types: (1) esentutl.exe ESE database extraction, (2) CLI access to known sensitive credential paths, (3) PowerShell recursive enumeration targeting sensitive file extensions, (4) bulk copy tools operating on sensitive locations, and (5) file creation or deletion events touching high-value credential and data stores. Each signal contributes one point to a cumulative SuspicionScore, so events that trip several signals sort to the top for triage; SignalReason reports the highest-precedence signal in the order of the case() statement. The EventType column distinguishes process-based from file-based activity.

Data Sources

  • Process: Process Creation
  • File: File Creation
  • Sysmon Event ID 1
  • Sysmon Event ID 11
  • Sysmon Event ID 23

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Backup agents (Veeam, Acronis, Windows Server Backup) creating shadow copies that trigger file access on ntds.dit or registry hives during scheduled backup windows
  • IT provisioning scripts using robocopy to migrate user profile data during workstation replacement — verify against change management records
  • Password manager applications (KeePass, Bitwarden) writing to their own .kdbx or database files during normal save operations
  • Security auditing tools (Nessus, Qualys, CrowdStrike) enumerating installed software or configuration via PowerShell
  • Developer environments using Get-ChildItem or find to enumerate project directories that happen to contain key or certificate files
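As an added example (not part of this detection page or of Splunk itself), the following Python script re-implements the five signal clauses, the cumulative SuspicionScore and the case() precedence of the SPL query above, runs them over a handful of constructed Sysmon events, and then applies the kind of allowlist suppression the tuning notes above call for. The event records, the backup-agent parent image `backupsvc.exe` under `ExampleBackup`, and the allowlist entries are constructed assumptions; `KeePass.exe` stands in for a password manager saving its own vault.

```python
import re

# Regexes mirror the five match() clauses of the SPL query; inputs are lower-cased as the eval does.
ESENTUTL_IMG = re.compile(r"esentutl\.exe")
ESENTUTL_CMD = re.compile(r"(ntds|\.dit|login data|cookies|web data|/y|/vss)")
CLI_IMG = re.compile(r"(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe)")
CLI_CMD = re.compile(r"(\.ssh|id_rsa|id_ed25519|\.kdbx|credentials\\|\\protect\\|login data|"
                     r"ntds\.dit|filezilla|recentservers|winscp\.ini|\.pst|\.ost)")
PS_IMG = re.compile(r"(powershell\.exe|pwsh\.exe)")
ENUM_CMD = re.compile(r"(get-childitem.*-recurse|gci.*-recurse|gci.*-r |dir /s|tree /f|compress-archive)")
ENUM_EXT = re.compile(r"(\.pdf|\.docx|\.xlsx|\.pptx|\.doc|\.xls|\.csv|\.pfx|\.pem|\.key|\.kdbx|\.pst)")
COPY_IMG = re.compile(r"(robocopy\.exe|xcopy\.exe)")
COPY_CMD = re.compile(r"(\.ssh|credential|protect|sam|ntds|password|secret|appdata|kdbx|filezilla)")
SENSITIVE_FILE = re.compile(
    r"(\.ssh[\\/]id_rsa|\.ssh[\\/]id_ed25519|microsoft\\credentials\\.+|microsoft\\protect\\.+|"
    r"google\\chrome.+login data|mozilla.+logins\.json|system32\\config\\(sam|system|security)|"
    r"ntds\.dit|\.kdbx|filezilla.+recentservers\.xml|winscp\.ini)")

# SignalReason labels in the same precedence order as the SPL case() statement.
REASONS = [
    ("is_esentutl", "ESE Database Extraction (esentutl)"),
    ("is_bulk_enum", "PowerShell Recursive File Enumeration for Sensitive Extensions"),
    ("is_sensitive_file_created", "Sensitive Credential/Data File Access or Staging"),
    ("is_sensitive_path_cli", "CLI Access to Sensitive Credential Path"),
    ("is_bulk_copy", "Bulk Copy Tool Targeting Sensitive Paths"),
]


def score_event(ev):
    """Return (SuspicionScore, SignalReason, flags) for one Sysmon event dict."""
    cmd = ev.get("CommandLine", "").lower()
    img = ev.get("Image", "").lower()
    target = ev.get("TargetFilename", "").lower()
    code = ev["EventCode"]
    flags = {
        "is_esentutl": bool(ESENTUTL_IMG.search(img) and ESENTUTL_CMD.search(cmd)),
        "is_sensitive_path_cli": bool(CLI_IMG.search(img) and CLI_CMD.search(cmd)),
        "is_bulk_enum": bool(PS_IMG.search(img) and ENUM_CMD.search(cmd) and ENUM_EXT.search(cmd)),
        "is_bulk_copy": bool(COPY_IMG.search(img) and COPY_CMD.search(cmd)),
        "is_sensitive_file_created": code in (11, 23) and bool(SENSITIVE_FILE.search(target)),
    }
    score = sum(flags.values())
    reason = next((label for key, label in REASONS if flags[key]), "Unknown")
    return score, reason, flags


# Tuning allowlist (constructed for this example): (field, lower-cased substring, signal it excuses).
# The ExampleBackup agent path is hypothetical; KeePass.exe stands in for a password manager.
ALLOWLIST = [
    ("ParentImage", r"\examplebackup\backupsvc.exe", "is_bulk_copy"),
    ("Image", r"\keepass.exe", "is_sensitive_file_created"),
]


def is_allowlisted(ev, flags, allow=ALLOWLIST):
    """Suppress only when the excused signal is the sole reason for the hit."""
    for field_name, needle, signal in allow:
        if flags[signal] and needle in ev.get(field_name, "").lower():
            return sum(flags.values()) == 1
    return False


def run_detection(events, allow=ALLOWLIST):
    """Equivalent of `where SuspicionScore > 0` followed by allowlist suppression."""
    alerts = []
    for ev in events:
        score, reason, flags = score_event(ev)
        if score == 0 or is_allowlisted(ev, flags, allow):
            continue
        alerts.append({"host": ev.get("host"), "Image": ev.get("Image"),
                       "SignalReason": reason, "SuspicionScore": score})
    return alerts


# Constructed Sysmon events (not real telemetry): one per signal, two benign look-alikes, one noise row.
SAMPLE_EVENTS = [
    {"host": "ws01", "EventCode": 1, "Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r'esentutl.exe /y "C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d C:\Users\alice\AppData\Local\Temp\logindata.db /o',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws01", "EventCode": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c Get-ChildItem C:\Users -Recurse -Include *.docx,*.pdf,*.kdbx",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws02", "EventCode": 11, "Image": r"C:\Program Files\KeePass\KeePass.exe",
     "TargetFilename": r"C:\Users\alice\Documents\vault.kdbx"},
    {"host": "srv01", "EventCode": 1, "Image": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r"robocopy.exe C:\Users\bob\AppData\Roaming\Microsoft\Credentials D:\stage /E",
     "ParentImage": r"C:\Program Files\ExampleBackup\backupsvc.exe"},
    {"host": "ws02", "EventCode": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Run as-is, the script emits two alerts (the esentutl extraction and the PowerShell enumeration, the latter scoring 2 because the command line also trips the sensitive-path clause via `.kdbx`), while the KeePass save and the backup-agent robocopy are suppressed. The allowlist deliberately excuses only single-signal hits, so a backup agent whose child process also matched, say, the esentutl clause would still surface; that is the same precedence the SPL score gives multi-signal events.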

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Recursive Document Collection via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ChildItem', '-Recurse', and file extension patterns. Sysmon Event ID 11: FileCreate for df00tech-filelist.csv in %TEMP%. PowerShell ScriptBlock Log Event ID 4104 showing the full collection script. File access events (if SACL auditing enabled, Security Event ID 4663) for each document accessed during enumeration.

  2. Test 2: Browser Credential Database Extraction via esentutl

    Expected signal: Sysmon Event ID 1: Process Create for esentutl.exe with CommandLine containing '/y', 'Login Data', '/d', and '/o' flags. Sysmon Event ID 11: FileCreate for df00tech-logindata.db in %TEMP%. Security Event ID 4688 (if command line auditing enabled) capturing the full esentutl command. File access event on the Chrome Login Data file path.

  3. Test 3: SSH Private Key Collection

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing '.ssh' and 'copy' and 'id_rsa'. Sysmon Event ID 11: FileCreate for both the test key file in .ssh and the copied file in %TEMP%. DeviceFileEvents (MDE): FileCreated action on .ssh directory path with id_rsa in filename, initiating process cmd.exe. Security Event ID 4663 on the .ssh directory if SACL auditing is enabled.

  4. Test 4: Windows DPAPI Credential Store Enumeration

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'dir /s /b' and 'Microsoft\Credentials'. Security Event ID 4688 (if command line auditing enabled). If SACL auditing is configured on the Credentials directory, Security Event ID 4663 for directory access. DeviceProcessEvents (MDE) will capture the command with full path context.
