Data from Local System

Jump to: navigation, search
Data from Local System
ID T1005
Tactic Collection
Platform Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1
System Requirements Privileges to access certain files and directories
Data Sources File monitoring, Process monitoring, Process command-line parameters

Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration.

Adversaries will often search the file system on computers they have compromised to find files of interest. They may do this using a Command-Line Interface, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.


  • APT1 has collected files from a local victim.1
  • Threat Group-3390 actors saved RAR files for exfiltration in the Recycler directory on a victim system.2
  • Stealth Falcon malware gathers data from the local victim system.3
  • Patchwork collected and exfiltrated files from the infected system.4
  • FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system. FLASHFLOOD will scan the My Recent Documents, Desktop, Temporary Internet Files, and TEMP directories. FLASHFLOOD also collects information stored in the Windows Address Book.5
  • CosmicDuke steals user files from local hard drives with file extensions that match a predefined list.6
  • MobileOrder exfiltrates data collected from the victim mobile device.7
  • Rover searches for files on local drives based on a predefined list of file extensions.8
  • When it first starts, BADNEWS crawls the victim's local drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.9


Identify unnecessary system utilities or potentially malicious software that may be used to collect data from the local system, and audit and/or block them by using whitelisting10 tools, like AppLocker,1112 or Software Restriction Policies13 where appropriate.14


Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.