T1005 — Data from Local System

Technique

T1005

Tactics

Collection

MISP citations

0

KEV CVEs mapped

46

Community rules

14

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1005

MITRE description

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration. Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2025-48928
• CVE-2025-48927
• CVE-2025-43200
• CVE-2025-24991
• CVE-2025-22226
• CVE-2025-21418
• CVE-2025-0111
• CVE-2024-55550
• CVE-2024-53150
• CVE-2024-5217
• CVE-2024-50302
• CVE-2024-4978
• CVE-2024-4879
• CVE-2024-48248
• CVE-2024-41713
• CVE-2024-38475
• CVE-2024-34102
• CVE-2024-24919
• CVE-2024-23692
• CVE-2024-0769
• CVE-2023-4966
• CVE-2023-49103
• CVE-2023-38950
• CVE-2023-38831
• CVE-2023-36884
• CVE-2023-34362
• CVE-2021-29256
• CVE-2021-27104
• CVE-2021-27103
• CVE-2021-27102
• CVE-2021-27101
• CVE-2021-26855
• CVE-2021-26085
• CVE-2020-8196
• CVE-2020-8195
• CVE-2020-8193
• CVE-2020-5902
• CVE-2020-3452
• CVE-2019-5591
• CVE-2019-1653
• CVE-2019-13608
• CVE-2019-11634
• CVE-2018-0296
• CVE-2017-5638
• CVE-2017-11292
• CVE-2013-0629

Detection coverage

SigmaHQ community rules

• Potential Conti Ransomware Database Dumping Activity Via SQLCmd (emerging-threats)
• Shai-Hulud NPM Package Malicious Exfiltration via Curl (emerging-threats)
• OpenCanary - SMB File Open Request (core)
• AWS EC2 VM Export Failure (core)
• Script Interpreter Spawning Credential Scanner - Linux (core)
• Cisco Collect Data (core)
• Crash Dump Created By Operating System (core)
• ADFS Database Named Pipe Connection By Uncommon Tool (core)
• Esentutl Steals Browser Information (core)
• Veeam Backup Database Suspicious Query (core)
• VeeamBackup Database Credentials Dump Via Sqlcmd.EXE (core)
• SQLite Chromium Profile Data DB Access (core)
• SQLite Firefox Profile Data DB Access (core)
• Script Interpreter Spawning Credential Scanner - Windows (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.