T1005 Data from Local System

Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.

Adversaries may do this using a Command and Scripting Interpreter, such as cmd as well as a Network Device CLI, which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use Automated Collection on the local system.


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1005 | Data from Local System
Comments: This diagnostic statement protects against Data from Local System through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
PR.DS-01.01 | Data-at-rest protection | Mitigates | T1005 | Data from Local System
Comments: This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring.
PR.DS-01.02 | Data loss prevention | Mitigates | T1005 | Data from Local System
Comments: The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services.
PR.DS-10.01 | Data-in-use protection | Mitigates | T1005 | Data from Local System
Comments: This diagnostic statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such as those restricting exfiltration of sensitive data, aids in mitigating collection and exfiltration threats.

Known Exploited Vulnerabilities Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CVE-2024-34102 | Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability | secondary_impact | T1005 | Data from Local System
Comments: This vulnerability is exploited by sending a crafted XML document that references external entities, with the likely goal of accessing local data.
CVE-2019-13608 | Citrix StoreFront Server XML External Entity (XXE) Processing Vulnerability | secondary_impact | T1005 | Data from Local System
Comments: CVE-2019-13608 is an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information.
CVE-2021-29256 | Arm Mali GPU Kernel Driver Use-After-Free Vulnerability | secondary_impact | T1005 | Data from Local System
Comments: This vulnerability is exploited by an unprivileged attacker conducting malicious activity in GPU memory to gain access to already freed memory. If successful, the threat actor could escalate their privileges to root as well as gain access to sensitive information. Detailed information about how adversaries exploit the GPU is not publicly available.
CVE-2017-11292 | Adobe Flash Player Type Confusion Vulnerability | secondary_impact | T1005 | Data from Local System
Comments: This vulnerability is exploited using a maliciously crafted Word document attached to spearphishing emails. Adversaries have been seen to leverage this to install exploit code from their command and control server. This malware then performs data collection on the target systems.
CVE-2023-34362 | Progress MOVEit Transfer SQL Injection Vulnerability | secondary_impact | T1005 | Data from Local System
Comments: CVE-2023-34362 is a SQL injection vulnerability in a public-facing application. Adversaries have been observed exploiting this vulnerability to install malicious software on a target system, enabling them to discover system settings and information, enumerate the underlying SQL database, retrieve files, create administrator accounts, and delete accounts.
CVE-2021-27101 | Accellion FTA SQL Injection Vulnerability | secondary_impact | T1005 | Data from Local System
Comments: CVE-2021-27101 is a SQL injection vulnerability in Accellion File Transfer Appliance that allows an adversary to execute SQL commands.
CVE-2021-27103 | Accellion FTA Server-Side Request Forgery (SSRF) Vulnerability | secondary_impact | T1005 | Data from Local System
Comments: CVE-2021-27103 is a server-side request forgery vulnerability in Accellion File Transfer Appliance that allows an adversary to manipulate server requests via a crafted POST request.
CVE-2024-50302 | Linux Kernel Use of Uninitialized Resource Vulnerability | primary_impact | T1005 | Data from Local System
Comments: Attackers can use malicious Human Interface Devices (keyboard, mouse, etc.) to trigger a kernel-level memory leak due to improper initialization and use of uninitialized resources. This leads to the return of uninitialized kernel data, which can be collected and exfiltrated.
CVE-2024-4978 | Justice AV Solutions (JAVS) Viewer Installer Embedded Malicious Code Vulnerability | secondary_impact | T1005 | Data from Local System
Comments: CVE-2024-4978 is a vulnerability where compromised software is signed and hosted on the legitimate software distribution website. Adversaries have been observed using this backdoored software to install additional tools on target machines. The adversary-installed software establishes persistent communications with a command-and-control (C2) server using Windows sockets and WinHTTP requests. Once successfully connected, it transmits data about the compromised host, including hostname, operating system details, processor architecture, program working directory and the user name, to the C2.
CVE-2024-23692 | Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability | secondary_impact | T1005 | Data from Local System
Comments: CVE-2024-23692 is an OS command injection vulnerability within the Rejetto HTTP File Server (HFS) process. It has been reported to be exploited by threat actors to deploy cryptomining malware, install backdoors, Remote Access Trojans (RATs), and other malware such as "GoThief" to exfiltrate sensitive data.
CVE-2025-0111 | Palo Alto Networks PAN-OS File Read Vulnerability | primary_impact | T1005 | Data from Local System
Comments: This exploit is part of a chain of exploits (with CVE-2025-0108 and CVE-2024-9474) that can end with an attacker gaining root access to the system. After bypassing authentication with CVE-2025-0108, the attacker can exploit this to gain read access to system files with "nobody" privileges.
CVE-2024-38475 | Apache HTTP Server Improper Escaping of Output Vulnerability | primary_impact | T1005 | Data from Local System
Comments: Improper escaping in Apache HTTP Server versions 2.4.59 and before permits code execution or disclosure of source code, as well as session hijacking and a potential full system compromise. An attacker can use a crafted URL to perform a traversal attack that tricks the Apache server into reading sensitive files.
CVE-2025-48928 | TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability | primary_impact | T1005 | Data from Local System
Comments: TeleMessage TM SGNL utilizes a JavaServer Pages framework that improperly handles heap content, making it functionally the same as a core dump file. Attackers with local access can use this to obtain sensitive information, including credentials.
CVE-2025-48927 | TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability | primary_impact | T1005 | Data from Local System
Comments: TeleMessage TM SGNL's Spring Boot Actuator exposes the /heapdump endpoint publicly, allowing an unauthenticated attacker to access it.
CVE-2019-5591 | Fortinet FortiOS Default Configuration Vulnerability | secondary_impact | T1005 | Data from Local System
Comments: CVE-2019-5591 is a default configuration vulnerability in Fortinet's FortiOS, specifically affecting the FortiGate SSL VPN. This vulnerability allows an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating a Lightweight Directory Access Protocol (LDAP) server.
CVE-2021-27104 | Accellion FTA OS Command Injection Vulnerability | secondary_impact | T1005 | Data from Local System
Comments: CVE-2021-27104 is an operating system command injection vulnerability in Accellion File Transfer Appliance that allows an adversary to execute commands by sending a specially crafted POST request to the product's administrative endpoint.
CVE-2021-27102 | Accellion FTA OS Command Injection Vulnerability | secondary_impact | T1005 | Data from Local System
Comments: CVE-2021-27102 is an operating system command execution vulnerability in Accellion File Transfer Appliance that allows an adversary to execute arbitrary commands via a local web service call.
CVE-2023-4966 | Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability | primary_impact | T1005 | Data from Local System
CVE-2025-21418 | Microsoft Windows Ancillary Function Driver for WinSock Heap-Based Buffer Overflow Vulnerability | primary_impact | T1005 | Data from Local System
Comments: Exploiting this buffer overflow vulnerability could lead to an adversary gaining elevated privileges on the machine, leading to the potential for process injection using malicious code, as well as data loss.
CVE-2023-38831 | RARLAB WinRAR Code Execution Vulnerability | secondary_impact | T1005 | Data from Local System
Comments: CVE-2023-38831 is a vulnerability in WinRAR's processing of crafted archives that occurs when a user attempts to open a seemingly legitimate document within a compromised archive; it allows the attacker to execute arbitrary code on the system via a specially prepared archive. There have been public reports of the FROZENLAKE spear-phishing campaign, FROZENBARENTS, and ISLANDDREAMS leveraging this vulnerability.
CVE-2023-36884 | Microsoft Windows Search Remote Code Execution Vulnerability | secondary_impact | T1005 | Data from Local System
Comments: This remote code execution vulnerability in Microsoft Office has been exploited by adversarial groups to distribute ransomware. Attackers use specially crafted Microsoft Office documents to bypass security features, enabling remote code execution without user prompts. These documents are typically delivered through phishing techniques, enticing victims to open them. Once opened, the ransomware encrypts files and demands a ransom for decryption, while also removing system backups and leaving a ransom note threatening data loss if recovery is attempted without the provided decryptor key. The ransomware further erases system logs and may publish stolen data on leak websites, leading to unauthorized access to sensitive information and potential installation of backdoors for further exploitation. Microsoft addressed this vulnerability in their security updates by introducing measures to make file paths unpredictable, thereby mitigating the exploit chain. Despite these updates, additional vulnerabilities in Microsoft Office and Windows were identified. Security solutions offer protection against these exploits, and findings are shared with cybersecurity alliances to enhance collective defense efforts. This vulnerability has been exploited by the Russian group Storm-0978, also known as RomCom, who craft specially designed Microsoft Office documents related to the Ukrainian World Congress. These documents bypass Microsoft's Mark-of-the-Web (MotW) security feature, enabling remote code execution without security prompts. The adversary used phishing techniques to deliver these documents, enticing victims to open them. Once opened, the ransomware, known as Underground, executes, encrypting files and demanding a ransom for decryption. The ransomware further removes shadow copies, terminates MS SQL Server services, and leaves a ransom note threatening data loss if recovery is attempted without their decryptor key. It also erases Windows Event logs and publishes stolen victim data on a data leak website, causing unauthorized access to sensitive information and potential installation of backdoors for further exploitation.
CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability | secondary_impact | T1005 | Data from Local System
Comments: CVE-2021-26855, also known as ProxyLogon, allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.
CVE-2020-5902 | F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability | secondary_impact | T1005 | Data from Local System
Comments (quoted from the CISA Advisory): "CVE-2020-5902—an RCE vulnerability in the BIG-IP Traffic Management User Interface (TMUI)—to take control of victim systems. On June 30, F5 disclosed CVE-2020-5902, stating that it allows attackers to, “execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.”"
CVE-2019-11634 | Citrix Workspace Application and Receiver for Windows Remote Code Execution Vulnerability | secondary_impact | T1005 | Data from Local System
Comments: CVE-2019-11634 is a remote code execution vulnerability for Citrix Workspace Application and Receiver for Windows.
CVE-2017-5638 | Apache Struts Remote Code Execution Vulnerability | secondary_impact | T1005 | Data from Local System
Comments: CVE-2017-5638 is a remote code execution vulnerability in Apache Struts Jakarta Multipart versions that allows malicious file upload using Content-Type, Content-Disposition, or Content-Length HTTP headers during file-upload attempts, allowing an attacker to execute arbitrary commands. This CVE was known to be exploited during the Equifax breach.
CVE-2024-5217 | ServiceNow Incomplete List of Disallowed Inputs Vulnerability | primary_impact | T1005 | Data from Local System
Comments: CVE-2024-5217 is an input validation vulnerability that could enable an unauthenticated user to remotely execute code within the context of the ServiceNow Platform due to incomplete input validation in a GlideExpression Script. Organizations often use the ServiceNow platform to host sensitive data about their employees, including their personally identifiable information and HR records related to their employment.
CVE-2024-4879 | ServiceNow Improper Input Validation Vulnerability | primary_impact | T1005 | Data from Local System
Comments: CVE-2024-4879 is a Template Injection Vulnerability in ServiceNow UI Macros. When ServiceNow instances are installed public-facing instead of internally, they can be exploited for arbitrary code execution. Adversaries have been observed selling data exfiltrated through this exploit.
CVE-2025-43200 | Apple Multiple Products Unspecified Vulnerability | secondary_impact | T1005 | Data from Local System
Comments: A zero-click attack leveraging this vulnerability involves sending a maliciously crafted photo or video in an iCloud link via the Messages app. Reports indicate that the targeted devices are then compromised with Paragon's Graphite spyware.
CVE-2025-22226 | VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability | primary_impact | T1005 | Data from Local System
Comments: This vulnerability, present in VMware ESXi, Workstation, and Fusion, is the result of an out-of-bounds read in the Host Guest File System (HGFS) and can be exploited by attackers with administrative privileges to disclose sensitive information from the VMX process. An attacker could then move into the hypervisor itself.
CVE-2025-24991 | Microsoft Windows NTFS Out-Of-Bounds Read Vulnerability | primary_impact | T1005 | Data from Local System
Comments: This vulnerability is facilitated by the insertion of information into log files, which could lead to the disclosure of said sensitive information through an attack. In order to exploit this vulnerability, an attacker needs physical access to the system, such as the ability to mount an external drive.
CVE-2024-53150 | Linux Kernel Out-of-Bounds Read Vulnerability | primary_impact | T1005 | Data from Local System
Comments: By crafting a malicious USB audio device, an attacker can trigger an out-of-bounds read error in the kernel, potentially exposing sensitive kernel information.
CVE-2020-8193 | Citrix ADC, Gateway, and SD-WAN WANOP Appliance Authorization Bypass Vulnerability | primary_impact | T1005 | Data from Local System
Comments: CVE-2020-8193 is an authorization bypass vulnerability in various versions of Citrix ADC, Gateway, and SD-WAN WANOP Appliance that allows an attacker to bypass authentication mechanisms via crafted requests.
CVE-2024-24919 | Check Point Quantum Security Gateways Information Disclosure Vulnerability | primary_impact | T1005 | Data from Local System
Comments: CVE-2024-24919 is an information disclosure/arbitrary file read vulnerability within Check Point's Quantum Security Gateway products. It has been reported that attackers are leveraging this vulnerability to retrieve all files on the local file system, read sensitive data and extract credentials for all local accounts, including Active Directory, SSH keys, and certificates.
CVE-2023-49103 | ownCloud graphapi Information Disclosure Vulnerability | primary_impact | T1005 | Data from Local System
Comments: This vulnerability is exploited through an unauthenticated information disclosure flaw in the Graph API extension of ownCloud. Attackers first used this vulnerability to gain initial access by targeting the /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php endpoint, which allowed them to leak sensitive information via the PHP function phpinfo. By modifying the requested URI to bypass Apache web server rewrite rules, attackers could access environment variables containing secrets, such as usernames, passwords, and license keys.
CVE-2021-26085 | Atlassian Confluence Server Pre-Authorization Arbitrary File Read Vulnerability | primary_impact | T1005 | Data from Local System
Comments: This vulnerability allows viewing of restricted resources via a pre-authorization arbitrary file read vulnerability.
CVE-2020-8196 | Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information Disclosure Vulnerability | secondary_impact | T1005 | Data from Local System
Comments: CVE-2020-8196 is an information disclosure vulnerability in Citrix ADC, Gateway, and SD-WAN WANOP Appliance that allows an attacker to access sensitive information via crafted requests.
CVE-2020-8195 | Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information Disclosure Vulnerability | primary_impact | T1005 | Data from Local System
Comments: CVE-2020-8195 is an information disclosure vulnerability in Citrix ADC, Gateway, and SD-WAN WANOP Appliance that allows an attacker to access sensitive information via crafted requests.
CVE-2019-1653 | Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability | secondary_impact | T1005 | Data from Local System
Comments: CVE-2019-1653 is a critical information disclosure vulnerability affecting Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers. This vulnerability allows unauthenticated, remote attackers to access sensitive information from affected devices.
CVE-2018-0296 | Cisco Adaptive Security Appliance (ASA) Denial-of-Service Vulnerability | primary_impact | T1005 | Data from Local System
Comments: CVE-2018-0296 is a critical vulnerability in the web interface of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software. This vulnerability allows an unauthenticated, remote attacker to perform directory traversal attacks and access sensitive system information.
CVE-2020-3452 | Cisco ASA and FTD Read-Only Path Traversal Vulnerability | primary_impact | T1005 | Data from Local System
Comments: CVE-2020-3452 is a vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software that could allow an unauthenticated remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system.
CVE-2013-0629 | Adobe ColdFusion Directory Traversal Vulnerability | secondary_impact | T1005 | Data from Local System
Comments: This is an exploitation of a public-facing server due to password misconfiguration. Exploitation allows attackers to access restricted directories.
CVE-2024-55550 | Mitel MiCollab Path Traversal Vulnerability | primary_impact | T1005 | Data from Local System
Comments: Due to improper input sanitization, a user with administrative credentials can access and read arbitrary files on the MiCollab server.
CVE-2024-48248 | NAKIVO Backup and Replication Absolute Path Traversal Vulnerability | primary_impact | T1005 | Data from Local System
Comments: An unauthenticated attacker can send a request to the NAKIVO Backup & Replication endpoint that contains a path to a sensitive file, leading to arbitrary file read.
CVE-2024-41713 | Mitel MiCollab Path Traversal Vulnerability | primary_impact | T1005 | Data from Local System
Comments: This path traversal vulnerability can lead to privilege escalation on MiCollab, which can then lead to other exploits such as CVE-2024-55550.
CVE-2024-0769 | D-Link DIR-859 Router Path Traversal Vulnerability | primary_impact | T1005 | Data from Local System
Comments: This path traversal vulnerability in D-Link DIR-859 WiFi routers can lead to information disclosure, such as of configuration files. As these devices are end-of-life, the manufacturer has no intention of patching this.
CVE-2023-38950 | ZKTeco BioTime Path Traversal Vulnerability | primary_impact | T1005 | Data from Local System
Comments: This directory traversal vulnerability, if exploited using a malicious payload in an HTTP GET request, allows an unauthenticated attacker to access and read arbitrary files, leading to potential exfiltration/disclosure.

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1005 | Data from Local System
attribute.confidentiality.data_disclosure | None | related-to | T1005 | Data from Local System

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | technique_scores | T1005 | Data from Local System
Comments: This control may provide recommendations that limit the ability of an attacker to gain access to a host from a container, preventing the attacker from discovering and compromising local system data.
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1005 | Data from Local System
Comments: This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Exfiltration modules on Windows, but does not address other procedures or platforms, and the temporal factor is unknown, resulting in a Minimal score.