title: Data from Local System (T1005)
id: df00tech-t1005
status: experimental
description: "Adversaries may search local system sources, such as file systems, configuration files, local databases, and process memory to find files of interest and sensitive data prior to Exfiltration. Adversaries commonly target credential stores (Windows DPAPI, browser databases, SSH keys), corporate documents (Office files, PDFs), and system databases (Active Directory NTDS.dit, SAM hive) using command interpreters, native OS utilities like esentutl.exe and robocopy.exe, or custom malware. Observed threat actors include Kimsuky (document theft), HAFNIUM (data collection post-exploitation), LAPSUS$ (credential and file theft for extortion), and malware families such as QakBot (esentutl for browser credential extraction) and BADNEWS (recursive crawl for Office/PDF files)."
references:
  - https://attack.mitre.org/techniques/T1005/
  - https://df00tech.com/detections/T1005
author: df00tech
date: 2026/04/13
tags:
  - attack.t1005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Backup software (Veeam, Windows Backup, Acronis) accessing credential stores or NTDS.dit via VSS snapshots during scheduled jobs"
  - "Password managers (KeePass, Bitwarden) or browser sync services accessing their own databases during normal operation — exclude by initiating process name"
  - "IT administrators using robocopy or esentutl for legitimate data migration or database maintenance with documented change tickets"
  - "Antivirus or EDR products performing file scanning across sensitive directories — typically run as SYSTEM from known product binaries"
  - "Developers using Get-ChildItem -Recurse on document libraries for legitimate scripting or reporting tasks"
level: high
