MITRE ATT&CK detection coverage

← Back to main site

Home/ MITRE Matrix/ Collection/ T1005

T1005Data from Local System

T1005 — Data from Local System is a MITRE ATT&CK technique in the Collection tactic. Clankerusecase tracks 18 detection use cases covering it and 58 threat-intel articles citing it.

Collection

View on the matrix → Filter Detection Library MITRE official spec ↗

18Use cases

58Articles

0Sub-techniques

1Tactic

Use cases covering this technique (18)

Crypto-wallet file/keystore access by non-wallet process Internal actions · alerting DSΣP [WEEKLY] Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes Internal actions · alerting DSPDD Cisco ASA - Device File Copy Activity ESCU actions · hunting P Cisco ASA - Device File Copy to Remote Location ESCU actions · hunting P ESXi Sensitive Files Accessed ESCU actions · alerting P ESXi VM Exported via Remote Tool ESCU actions · alerting P Sqlite Module In Temp Folder ESCU actions · alerting P Cisco TFTP Server Configuration for Data Exfiltration ESCU actions · alerting P [LLM] Non-forensic process bulk-reading the App.MenuItem Biome stream Bespoke actions · hunting DSΣPDDCS [LLM] High-volume scripted access to Tchap Matrix endpoint (bulk public-room scraping) Bespoke actions · hunting DSPDDCS [LLM] OpenClaw agent runtime reads secrets store (.env / .aws / id_rsa) followed by external network egress Bespoke actions · alerting DSPDDCS [LLM] Cargo build script spawning git with onering's exfil --pretty=format JSON Bespoke actions · alerting DSΣPDDCS [LLM] Node/npm/Bun process enumerating cloud, wallet, AI, and messaging credential file paths Bespoke actions · hunting DSPDDCS [LLM] Non-browser process copying Chrome/Edge/Brave Login Data, Web Data, or wallet extension LevelDB state Bespoke actions · alerting DSΣPDDCS [LLM] Inbound HTTP request bearing sidoraress backdoor x-operation operator tokens Bespoke c2 · alerting SΣPDD [LLM] s1ngularity collection artifact — `/tmp/inventory.txt` written by node/npm on runner Bespoke actions · alerting DSΣPDDCS [LLM] AI session-log harvest via prompt-log extract.sh writing markdown with embedded secrets Bespoke actions · alerting DSΣPDDCS [LLM] s1ngularity nx: /tmp/inventory.txt staging file created on host Bespoke actions · alerting DSΣPDD

Articles citing this technique (58)

crit Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered art-15

med Over 73,000 French govt employees affected in Tchap messenger breach art-35

high Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware Gangs art-36

high New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets art-41

high npm v12 delivers one of the biggest security improvements in years art-46

crit Compromised Rust crate onering performs code exfiltration art-66

crit Wait, binding.gyp Can Do What? Exploring npm's Weirdest Build System art-85

high Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens art-194

crit Laravel Lang Supply Chain Advisory art-211

high Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer art-212

crit Webworm: New burrowing techniques art-240

high Microsoft's durabletask package on PyPi Compromised. Mini Shai Hulud attacks again... again! art-254

crit Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages art-267

crit IT threat evolution in Q1 2026. Mobile statistics art-278

crit TeamPCP's Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages art-312

crit Mini Shai-Hulud Is Back: npm Worm Hits over 160 Packages, including Mistral and Tanstack art-315

crit Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools art-316

crit A rigged game: ScarCruft compromises gaming platform in a supply-chain attack art-332

high elementary-data Compromised on PyPI and GHCR: Forged Release Pushed via GitHub Actions Script Injection art-334

crit CanisterSprawl: pgserve Compromised on npm: Malicious Versions Harvest Credentials and Exfiltrate to a Decentralized ICP Canister art-336

crit Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer art-345

high Someone published four versions of a fake "tanstack" package in 27 minutes to steal your .env files art-346

high "A Mini Shai-Hulud Has Appeared": Bun-Based Stealer Hits SAP @cap-js and mbt npm Packages art-348

high It's time to treat browser extensions like supply chain attack vectors art-354

high Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm art-361

high GPT-Proxy Backdoor in npm and PyPI turns Servers into Chinese LLM Relays art-367

high Multiple Cross-Site Scripting (XSS) Vulnerabilities in Mailcow art-379

high hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft, DataDog, and CNCF Projects Hit So Far art-403

high GlassWorm goes native: New Zig dropper infects every IDE on your machine art-405

high Aikido Attack finds multiple 0-days in Hoppscotch art-406

high axios compromised on npm: maintainer account hijacked, RAT deployed art-421

crit litellm: Credential Stealer Hidden in PyPI Wheel art-423

crit Popular telnyx package compromised on PyPI by TeamPCP art-425

high Trivy Compromised a Second Time - Malicious v0.69.4 Release, aquasecurity/setup-trivy, aquasecurity/trivy-action GitHub Actions Compromised art-430

crit ForceMemo: Hundreds of GitHub Python Repos Compromised via Account Takeover and Force-Push art-434

high CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran art-444

high TeamPCP deploys CanisterWorm on NPM following Trivy compromise art-445

crit GlassWorm Hides a RAT Inside a Malicious Chrome Extension art-458

crit fast-draft Open VSX Extension Compromised by BlokTrooper art-459

high Glassworm Strikes Popular React Native Phone Number Packages art-466

crit Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories art-468

crit Sednit reloaded: Back in the trenches art-477

crit Persistent XSS/RCE using WebSockets in Storybook’s dev server art-494

high Astro Full-Read SSRF via Host Header Injection art-510

crit SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel art-518

high npm backdoor lets hackers hijack gambling outcomes art-535

high 10,000 Open-Source Projects Now Secured by Harden-Runner Community-Tier: A Milestone Three Years in the Making art-536

high 20+ Popular NPM Packages Compromised (Chalk, Debug, Strip-ANSI, Color-Convert, Wrap-ANSI...) art-537

high 280+ Leaky Skills: How OpenClaw & ClawHub Are Exposing API Keys and PII art-573

high npx Confusion: Packages That Forgot to Claim Their Own Name art-578

high Fake Clawdbot VS Code Extension Installs ScreenConnect RAT art-594

high G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets art-604

high Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages art-605

crit Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT art-608

crit s1ngularity: Popular Nx Build System Package Compromised with Data-Stealing Malware art-778

high npm Supply Chain Attack via Open Source maintainer compromise art-794

high Weaponizing AI Coding Agents for Malware in the Nx Malicious Package Security Incident art-806

high Lottie Player npm package compromised for crypto wallet theft art-1096