T1005 | Collection | medium difficulty

Data from Local System

Data from Local System (T1005) is a MITRE ATT&CK technique in the Collection tactic. SOC analysts detect it by monitoring XDR and SIEM events for behavioral anomalies and the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.

Data sources: XDR, SIEM

What is Data from Local System?

Adversaries may search local system sources, such as file systems, configuration files, and local databases, to find files of interest and sensitive data prior to exfiltration. Adversaries may do this using a command shell (e.g., cmd) or scripting language (e.g., PowerShell) to search through the local file system, registry, and other data stores. Targeting of local data is common in both financially motivated attacks and espionage campaigns. Attackers typically search for documents containing sensitive business information, source code, customer data, intellectual property, financial records, and credentials. After identifying target files, attackers typically compress and encrypt the data before exfiltration to reduce transfer size and evade data loss prevention tools that inspect file contents. Understanding data collection behaviors is essential for building effective data-centric security monitoring.

Data from Local System is documented as technique T1005 in the MITRE ATT&CK knowledge base under the Collection tactic. Detection requires visibility into XDR and SIEM telemetry.

Detection Strategies

The following detection strategies help SOC analysts identify Data from Local System activity. These methods apply across XDR and SIEM environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

  1. Monitor for mass file access events on endpoints, particularly processes reading large numbers of document files (Office documents, PDFs, text files) from user directories in short time periods, suggesting automated collection.

  2. Alert on compression utility usage followed by large file creation in staging directories, as attackers typically archive collected data before exfiltration to reduce transfer size and potentially encrypt contents.

  3. Track access to sensitive data repositories including source code directories, financial document stores, and customer database exports, alerting on access by accounts or processes with no legitimate business need.

  4. Detect staging behavior by monitoring for large amounts of data being consolidated into single directories or archives before being moved toward network egress points or removable media.

  5. Monitor clipboard access by unusual processes on systems containing sensitive information, as attackers may use keyloggers and clipboard monitors to capture credentials and sensitive data as users interact with applications.
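Strategies 1 and 2 above can be chained: a burst of document reads by one process, then an archiver writing a large file into a staging directory on the same host. The following is an added example, not code from the original page or from SOCSimulator; the event tuple layout, thresholds, staging paths and archiver names are assumptions, and the input events are constructed to mirror the mass-collection alert described later on this page.

```python
# Added example: detection logic for strategies 1 and 2 over constructed endpoint events.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

DOC_EXTS = (".docx", ".xlsx", ".pptx", ".pdf", ".txt")          # assumed document types
USER_DIRS = ("c:\\users\\", "/home/")                             # assumed profile roots
STAGING_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "/tmp/")  # assumed staging dirs
ARCHIVERS = {"7z.exe", "7za.exe", "winrar.exe", "tar", "zip"}    # assumed archiver names
T0 = datetime(2024, 1, 1, 9, 0, 0)

# Constructed events: (timestamp, host, process, action, path, size_bytes)
EVENTS = [(T0 + timedelta(seconds=4 * i), "EX-WS-001", "powershell.exe", "read",
           f"C:\\Users\\jdoe\\Documents\\report_{i}.docx", 0) for i in range(120)]
EVENTS += [(T0 + timedelta(minutes=2), "EX-WS-001", "winword.exe", "read",
            "C:\\Users\\jdoe\\Documents\\memo.docx", 0),
           (T0 + timedelta(minutes=9), "EX-WS-001", "7z.exe", "create",
            "C:\\Users\\Public\\stage\\docs.7z", 4_300_000_000),
           (T0 + timedelta(minutes=9), "BUILD-01", "7z.exe", "create",
            "C:\\ProgramData\\nightly.7z", 5_000_000_000)]  # benign: no collection burst first

def mass_doc_access(events, threshold=100, window=timedelta(minutes=10)):
    """Strategy 1: (host, process) pairs that read >= threshold distinct document
    files under user directories within any sliding window of `window` length."""
    reads = defaultdict(list)
    for ts, host, proc, action, path, _ in events:
        low = path.lower()
        if action == "read" and low.endswith(DOC_EXTS) and low.startswith(USER_DIRS):
            reads[(host, proc)].append((ts, low))
    hits = set()
    for key, items in reads.items():
        items.sort()
        in_window, j = Counter(), 0
        for ts, path in items:
            while j < len(items) and items[j][0] - ts <= window:
                in_window[items[j][1]] += 1  # extend the window to the right
                j += 1
            if len(in_window) >= threshold:
                hits.add(key)
                break
            in_window[path] -= 1  # slide the window past this read
            if in_window[path] == 0:
                del in_window[path]
    return hits

def staged_archive(events, collectors, min_bytes=500_000_000):
    """Strategy 2: an archiver writing a large file into a staging directory on a host already flagged."""
    flagged = {host for host, _ in collectors}
    return [(host, proc, path) for _, host, proc, action, path, size in events
            if action == "create" and host in flagged and proc.lower() in ARCHIVERS
            and size >= min_bytes and path.lower().startswith(STAGING_DIRS)]
```

Running `staged_archive(EVENTS, mass_doc_access(EVENTS))` flags only the EX-WS-001 archive; the BUILD-01 archive is ignored because no collection burst preceded it on that host.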

Example Alerts

These realistic alert examples show what Data from Local System looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

Severity: High | Source: XDR

Mass Document Collection Script Executed

PowerShell script executed on executive workstation EX-WS-001 performing recursive search and copy of all .xlsx, .docx, .pdf, and .pptx files to a staging directory in C:\Users\Public. The script collected 2,847 documents totaling 4.3GB within 8 minutes. A 7zip compression process then created an encrypted archive of the staged files before network activity began toward an external destination.

Severity: Critical | Source: XDR

Database Export File Created on Server

A mysqldump process executed on database server DB-PROD-02, exporting the customer_data database containing 2.3 million customer records to a CSV file. The process was initiated by the web application service account, which has no legitimate reason to export full database contents. The export file was subsequently compressed and accessed by a process making network connections to an external IP address.

Severity: High | Source: SIEM

Source Code Repository Cloned Locally

A git clone command was executed by a developer account on build server BUILD-01, cloning all 47 repositories from the internal GitLab instance to a local directory. This full repository clone, representing 28GB of source code, is unusual, as developers typically clone only their working repositories. The account used has access to repositories outside its team scope due to overly permissive GitLab group settings.

Practice Detecting Data from Local System

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Data from Local System. Build detection skills with zero consequences — free forever.


Frequently Asked Questions

How do SOC analysts detect Data from Local System?
SOC analysts detect Data from Local System (T1005) by monitoring XDR and SIEM telemetry for behavioral anomalies and specific indicators. Key detection methods include monitoring for mass file access events on endpoints, particularly processes reading large numbers of document files (Office documents, PDFs, text files). SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect Data from Local System?
Data from Local System can be detected using XDR and SIEM platforms. XDR tools are particularly effective for this technique because they provide visibility into the collection phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.
How common is Data from Local System in real-world attacks?
Data from Local System is a well-documented MITRE ATT&CK technique in the Collection tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic Data from Local System scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting Data from Local System for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Collection techniques like Data from Local System. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.