Detection of Local Data Collection Prior to Exfiltration

Technique Detected: Data from Local System | T1005

ID: DET0380
Domains: Enterprise
Analytics: AN1070, AN1071, AN1072, AN1073, AN1074
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1070

Adversary collection of local files via PowerShell, WMI, or direct file API calls typically involves recursive file listings, targeted file reads, and temporary file staging.

Log Sources
  Data Component              Name                  Channel
  Process Creation (DC0032)   WinEventLog:Security  EventCode=4688
  File Creation (DC0039)      WinEventLog:Sysmon    EventCode=11

Mutable Elements
  Field                 Description
  TargetFilePathRegex   Allows tuning for file extensions or paths of sensitive data (e.g., *.xls, *.db, *.pdf).
  ParentProcessFilter   Used to scope monitoring to suspicious parent/child process trees like PowerShell or WMI spawning file reads.
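The following Python is an added illustration, not code from the ATT&CK page, of how the two mutable elements of AN1070 can be applied together: Security 4688 events are indexed into a process tree, and each Sysmon EventCode=11 file creation whose path matches TargetFilePathRegex is walked up that tree looking for an ancestor in ParentProcessFilter. The event dicts, PIDs, paths and regex values are constructed for the example.

```python
import re

# Tunables mirror the analytic's mutable elements; these values are constructed for the example
TARGET_FILE_PATH_REGEX = re.compile(r"\.(xlsx?|db|pdf)$|\\Temp\\staging\\", re.IGNORECASE)
PARENT_PROCESS_FILTER = {"powershell.exe", "wmiprvse.exe"}   # suspicious ancestors
MAX_ANCESTRY_DEPTH = 3                                        # how far up the tree to look

# Constructed sample events, already normalised from WinEventLog:Security 4688 (process creation)
# and Sysmon EventCode=11 (file creation). Real events carry many more fields.
SAMPLE_EVENTS = [
    {"source": "Security", "event_code": 4688, "pid": 4120, "ppid": 900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"source": "Security", "event_code": 4688, "pid": 5212, "ppid": 4120,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"source": "Sysmon", "event_code": 11, "pid": 5212,
     "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\staging\finance.xlsx"},
    {"source": "Security", "event_code": 4688, "pid": 6000, "ppid": 700,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"source": "Sysmon", "event_code": 11, "pid": 6000,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "target": r"C:\Users\alice\Documents\budget.xlsx"},
    {"source": "Sysmon", "event_code": 11, "pid": 5212,
     "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\notes.txt"},
]


def _basename(image: str) -> str:
    """Lower-cased executable name from a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def build_process_tree(events):
    """Index 4688 events so a PID can be walked up to its ancestors."""
    image_of, parent_of = {}, {}
    for ev in events:
        if ev["event_code"] == 4688:
            image_of[ev["pid"]] = ev["image"]
            parent_of[ev["pid"]] = ev["ppid"]
    return image_of, parent_of


def suspicious_ancestor(pid, image_of, parent_of, parent_filter=PARENT_PROCESS_FILTER,
                        max_depth=MAX_ANCESTRY_DEPTH):
    """Return the ancestry chain (nearest first) if a filtered process is within max_depth, else None."""
    chain, cur = [], pid
    for _ in range(max_depth + 1):
        image = image_of.get(cur)
        if image is None:            # ancestor not present in the 4688 stream (e.g. predates logging)
            return None
        name = _basename(image)
        chain.append(name)
        if name in parent_filter:
            return chain
        cur = parent_of.get(cur)
    return None


def detect_staging(events, target_regex=TARGET_FILE_PATH_REGEX, parent_filter=PARENT_PROCESS_FILTER):
    """Flag Sysmon 11 file creations of sensitive-looking files under a PowerShell/WMI process tree."""
    image_of, parent_of = build_process_tree(events)
    alerts = []
    for ev in events:
        if ev["event_code"] != 11 or not target_regex.search(ev["target"]):
            continue
        chain = suspicious_ancestor(ev["pid"], image_of, parent_of, parent_filter)
        if chain:
            alerts.append({"pid": ev["pid"], "target": ev["target"], "chain": chain})
    return alerts


if __name__ == "__main__":
    for alert in detect_staging(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input only the spreadsheet written by cmd.exe under powershell.exe is flagged; Excel writing its own .xlsx is not, because no filtered ancestor is reachable, and the text file in Temp fails the path regex. In production, key the tree on Sysmon's ProcessGuid rather than the PID, since PIDs are reused.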

AN1071

Adversaries use bash scripts or tools to recursively enumerate user home directories, configuration files, or SSH keys.

Log Sources
  Data Component              Name     Channel
  File Access (DC0055)        auditd   SYSCALL open
  Process Creation (DC0032)   auditd   SYSCALL execve

Mutable Elements
  Field            Description
  TimeWindow       Time span to correlate multiple file access events indicative of scripted or bulk access.
  ScriptToolName   List of tools (e.g., `find`, `grep`, `tar`, `scp`) that may be benign but are context-sensitive.
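As an added example, not taken from the ATT&CK page, the Python below applies AN1071's TimeWindow and ScriptToolName elements to auditd output: SYSCALL and PATH records sharing a serial number are joined into one event, successful open/openat calls on sensitive home-directory paths are grouped per PID, and a sliding window counts how many distinct files one process touched within TimeWindow. The audit records, thresholds, path regex and tool list are constructed; the `key="home_access"` value assumes an audit rule tagged that way.

```python
import re
from collections import defaultdict

# Tunables named after the analytic's mutable elements; the values are constructed for this example
TIME_WINDOW = 5.0                                    # seconds to correlate opens by one process
BULK_THRESHOLD = 4                                   # distinct sensitive files inside one window
SCRIPT_TOOL_NAMES = {"find", "grep", "tar", "scp"}   # context-sensitive tools named on the page
SENSITIVE_PATH = re.compile(r"^/home/[^/]+/(\.ssh|\.config|\.aws|\.gnupg)/")
OPEN_SYSCALLS = {"2", "257"}                         # open / openat on x86_64

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed auditd records (real SYSCALL records carry more fields and extra PATH items)
SAMPLE_AUDIT_LINES = """\
type=SYSCALL msg=audit(1761040800.101:2001): arch=c000003e syscall=257 success=yes exit=3 ppid=3300 pid=3301 uid=1000 comm="tar" exe="/usr/bin/tar" key="home_access"
type=PATH msg=audit(1761040800.101:2001): item=0 name="/home/alice/.ssh/id_rsa" mode=0100600
type=SYSCALL msg=audit(1761040800.102:2002): arch=c000003e syscall=257 success=yes exit=3 ppid=3300 pid=3301 uid=1000 comm="tar" exe="/usr/bin/tar" key="home_access"
type=PATH msg=audit(1761040800.102:2002): item=0 name="/home/alice/.ssh/id_ed25519" mode=0100600
type=SYSCALL msg=audit(1761040800.103:2003): arch=c000003e syscall=257 success=yes exit=3 ppid=3300 pid=3301 uid=1000 comm="tar" exe="/usr/bin/tar" key="home_access"
type=PATH msg=audit(1761040800.103:2003): item=0 name="/home/alice/.ssh/known_hosts" mode=0100644
type=SYSCALL msg=audit(1761040800.104:2004): arch=c000003e syscall=257 success=yes exit=3 ppid=3300 pid=3301 uid=1000 comm="tar" exe="/usr/bin/tar" key="home_access"
type=PATH msg=audit(1761040800.104:2004): item=0 name="/home/alice/.aws/credentials" mode=0100600
type=SYSCALL msg=audit(1761040800.105:2005): arch=c000003e syscall=257 success=yes exit=3 ppid=3300 pid=3301 uid=1000 comm="tar" exe="/usr/bin/tar" key="home_access"
type=PATH msg=audit(1761040800.105:2005): item=0 name="/home/alice/.config/gh/hosts.yml" mode=0100600
type=SYSCALL msg=audit(1761040800.300:2006): arch=c000003e syscall=257 success=yes exit=4 ppid=2900 pid=4100 uid=1000 comm="vim" exe="/usr/bin/vim" key="home_access"
type=PATH msg=audit(1761040800.300:2006): item=0 name="/home/alice/.config/nvim/init.lua" mode=0100644
type=SYSCALL msg=audit(1761040810.000:2007): arch=c000003e syscall=257 success=yes exit=3 ppid=2100 pid=4200 uid=1000 comm="bash" exe="/usr/bin/bash" key="home_access"
type=PATH msg=audit(1761040810.000:2007): item=0 name="/home/alice/.config/a.conf" mode=0100644
type=SYSCALL msg=audit(1761040816.000:2008): arch=c000003e syscall=257 success=yes exit=3 ppid=2100 pid=4200 uid=1000 comm="bash" exe="/usr/bin/bash" key="home_access"
type=PATH msg=audit(1761040816.000:2008): item=0 name="/home/alice/.config/b.conf" mode=0100644
""".splitlines()


def parse_auditd(lines):
    """Group auditd SYSCALL and PATH records that share one serial number into events."""
    events = {}
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        kv = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        ev = events.setdefault(serial, {"ts": float(ts), "paths": []})
        if rtype == "SYSCALL":
            ev.update(pid=kv.get("pid"), comm=kv.get("comm"),
                      syscall=kv.get("syscall"), success=kv.get("success"))
        elif rtype == "PATH" and "name" in kv:
            ev["paths"].append(kv["name"])
    return list(events.values())


def detect_bulk_access(lines, window=TIME_WINDOW, threshold=BULK_THRESHOLD,
                       tool_names=SCRIPT_TOOL_NAMES):
    """Alert when one process opens >= threshold distinct sensitive files inside a sliding window."""
    opens = defaultdict(list)   # pid -> [(ts, path)]
    comm_of = {}
    for ev in parse_auditd(lines):
        if ev.get("syscall") not in OPEN_SYSCALLS or ev.get("success") != "yes":
            continue
        for path in ev["paths"]:
            if SENSITIVE_PATH.match(path):
                opens[ev["pid"]].append((ev["ts"], path))
                comm_of[ev["pid"]] = ev["comm"]
    alerts = []
    for pid, items in opens.items():
        items.sort()
        start, best = 0, set()
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:   # slide the window forward
                start += 1
            seen = {path for _, path in items[start:end + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= threshold:
            alerts.append({"pid": pid, "comm": comm_of[pid], "files": sorted(best),
                           "known_tool": comm_of[pid] in tool_names})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_access(SAMPLE_AUDIT_LINES):
        print(alert)
```

Only the tar process, which read five credential and configuration files in well under the window, produces an alert; the interactive editor touching one file and the shell that opened two files six seconds apart do not. The `known_tool` flag records that the process name is on the ScriptToolName list so downstream triage can weigh it against context (user, parent, time of day) rather than treating `tar` alone as malicious. The same windowed-count logic serves AN1072 once macOS fs_usage read records are normalised to the same (pid, timestamp, path) tuples.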

AN1072

Adversaries use bash/zsh or AppleScript to locate files and exfiltration targets such as user keychains or documents.

Log Sources
  Data Component              Name                Channel
  Process Creation (DC0032)   macos:unifiedlog    process:spawn
  File Access (DC0055)        fs:fsusage          read/write

Mutable Elements
  Field          Description
  UserContext    Useful for excluding known admin or scheduled jobs.
  TargetVolume   Focus monitoring on removable drives or external paths.

AN1073

Collection of device configuration via CLI commands (e.g., show running-config, copy flash, more), often followed by TFTP/SCP transfers.

Log Sources
  Data Component              Name                Channel
  Command Execution (DC0064)  networkdevice:cli   command logging

Mutable Elements
  Field                   Description
  CommandScope            Defines list of configuration or diagnostic commands to monitor.
  AuthenticatedUserList   Helps reduce false positives by whitelisting known admins.
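The Python below is an added example, not part of the ATT&CK page, of AN1073's CommandScope and AuthenticatedUserList applied to device command logs, plus the sequence the description calls out: a configuration read followed by a TFTP/SCP transfer from the same user on the same device. The `ts=... device=... user=... cmd="..."` line format is a constructed normalisation rather than any vendor's native syslog, and the usernames, device names, addresses and window length are likewise constructed.

```python
import re
from datetime import datetime, timedelta

# Tunables mirror the analytic's mutable elements; values are constructed for this example
COMMAND_SCOPE = [                                  # configuration / diagnostic reads to watch
    re.compile(r"^show (running|startup)-config\b"),
    re.compile(r"^copy\b"),
    re.compile(r"^more\b"),
]
TRANSFER_RE = re.compile(r"\b(tftp|scp|ftp):")     # a copy that leaves the device
AUTHENTICATED_USER_LIST = {"netops-admin"}         # known admins excluded from alerting
SEQUENCE_WINDOW = timedelta(minutes=10)            # read -> transfer correlation window
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed command-logging records normalised to key=value form
SAMPLE_CLI_LINES = """\
ts=2025-10-21T10:02:11 device=core-sw1 user=svc_backup cmd="show running-config"
ts=2025-10-21T10:02:40 device=core-sw1 user=svc_backup cmd="copy running-config tftp://203.0.113.9/core-sw1.cfg"
ts=2025-10-21T10:05:03 device=core-sw1 user=netops-admin cmd="show running-config"
ts=2025-10-21T10:06:15 device=edge-rtr2 user=guest1 cmd="show version"
ts=2025-10-21T11:30:00 device=edge-rtr2 user=svc_backup cmd="more flash:backup.cfg"
""".splitlines()


def parse_cli_log(lines):
    """Parse key=value command records and return them in time order."""
    records = []
    for line in lines:
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if {"ts", "device", "user", "cmd"} <= kv.keys():
            records.append({"ts": datetime.fromisoformat(kv["ts"]), "device": kv["device"],
                            "user": kv["user"], "cmd": kv["cmd"]})
    return sorted(records, key=lambda r: r["ts"])


def detect_config_collection(lines, window=SEQUENCE_WINDOW, allowlist=AUTHENTICATED_USER_LIST):
    """Alert on in-scope commands by non-allowlisted users; escalate a transfer that follows a read."""
    last_in_scope = {}   # (device, user) -> most recent in-scope record
    alerts = []
    for rec in parse_cli_log(lines):
        if rec["user"] in allowlist:
            continue
        if not any(p.search(rec["cmd"]) for p in COMMAND_SCOPE):
            continue
        key = (rec["device"], rec["user"])
        alert = {"ts": rec["ts"].isoformat(), "device": rec["device"], "user": rec["user"],
                 "cmd": rec["cmd"], "severity": "medium", "preceded_by": None}
        prior = last_in_scope.get(key)
        if TRANSFER_RE.search(rec["cmd"]) and prior and rec["ts"] - prior["ts"] <= window:
            alert["severity"] = "high"          # collection immediately followed by a transfer
            alert["preceded_by"] = prior["cmd"]
        last_in_scope[key] = rec
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect_config_collection(SAMPLE_CLI_LINES):
        print(alert)
```

The allowlisted admin's `show running-config` is dropped, `show version` is outside CommandScope, and the service account's config read followed 29 seconds later by a TFTP copy is raised to high severity with the preceding command attached for the analyst. Allowlisting by username alone is weak if credentials are shared; pairing AuthenticatedUserList with source address or AAA session data narrows it further.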

AN1074

Adversaries access datastore or configuration files via vim-cmd, esxcli, or SCP to extract logs, VMs, or host configurations.

Log Sources
  Data Component              Name             Channel
  File Access (DC0055)        esxi:vmkernel    Datastore Access
  Command Execution (DC0064)  esxi:hostd       Command Execution

Mutable Elements
  Field                   Description
  AccessPathRegex         Regex for filtering targeted VM paths or files like *.vmdk, *.vmx.
  InteractiveShellUsage   Tune to distinguish between interactive and script-driven data access.