Esc
Data from Local System - T1005

(ATT&CK® Technique)
Definition

Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1005["Data from Local System"] --> |accesses| File["File"]; class T1005 OffensiveTechniqueNode;
        class File ArtifactNode; click File href "/dao/artifact/d3f:File";
        click T1005 href "/offensive-technique/attack/T1005/"; click File href "/dao/artifact/d3f:File"; T1005["Data from Local System"] --> |accesses| LocalResource["Local Resource"]; class T1005 OffensiveTechniqueNode;
        class LocalResource ArtifactNode; click LocalResource href "/dao/artifact/d3f:LocalResource";
        click T1005 href "/offensive-technique/attack/T1005/"; click LocalResource href "/dao/artifact/d3f:LocalResource";                          RestoreFile["Restore File"] -->
          | restores | File["File"];

          RestoreFile["Restore File"] -.->
            | may-restore | T1005["Data from Local System"] ;
          class RestoreFile DefensiveTechniqueNode;
          class File ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile"; DecoyFile["Decoy File"] -->
          | spoofs | File["File"];

          DecoyFile["Decoy File"] -.->
            | may-deceive | T1005["Data from Local System"] ;
          class DecoyFile DefensiveTechniqueNode;
          class File ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | File["File"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | may-detect | T1005["Data from Local System"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class File ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";                                        FileEviction["File Eviction"] -->
          | deletes | File["File"];

          FileEviction["File Eviction"] -.->
            | may-evict | T1005["Data from Local System"] ;
          class FileEviction DefensiveTechniqueNode;
          class File ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction"; FileEncryption["File Encryption"] -->
          | encrypts | File["File"];

          FileEncryption["File Encryption"] -.->
            | may-harden | T1005["Data from Local System"] ;
          class FileEncryption DefensiveTechniqueNode;
          class File ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption";                           LocalFilePermissions["Local File Permissions"] -->
          | restricts | File["File"];

          LocalFilePermissions["Local File Permissions"] -.->
            | may-isolate | T1005["Data from Local System"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class File ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";              RemoteFileAccessMediation["Remote File Access Mediation"] -->
          | isolates | File["File"];

          RemoteFileAccessMediation["Remote File Access Mediation"] -.->
            | may-isolate | T1005["Data from Local System"] ;
          class RemoteFileAccessMediation DefensiveTechniqueNode;
          class File ArtifactNode;
          click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; FileAnalysis["File Analysis"] -->
          | analyzes | File["File"];

          FileAnalysis["File Analysis"] -.->
            | may-detect | T1005["Data from Local System"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class File ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis";
json