DET0380: Detection of Local Data Collection Prior to Exfiltration
Analyst context for executives and security teams
DET0380 is a detection strategy for spotting local data collection before exfiltration, tied to ATT&CK technique T1005: Data from Local System. Its business value is early warning: if defenders can identify unusual access to local files, configuration data, databases, virtual machine files, or process memory before data leaves the environment, incident responders may have more time to contain the activity and determine what information is at risk.
Executive priority
Treat this as a control-validation question for data-loss readiness: do security teams have evidence when sensitive local data is being searched, staged, or accessed in unusual ways on systems that matter to operations? Because the related technique spans ESXi, Linux, macOS, and network devices, leaders should ask whether monitoring covers high-value infrastructure as well as user endpoints. This is relevant to incident decision-making, compliance evidence around sensitive-data access, and resilience planning where local system data includes configuration, virtual machine, or operational data.
Technical view
The official detection strategy object does not provide detailed detection logic, platforms, or tactics, but its relationship to T1005 anchors the analytic focus: local-system collection prior to exfiltration. SOC and detection teams should validate telemetry that shows file-system access, command or scripting interpreter activity, network device CLI activity, access to local databases or configuration files, virtual machine file access, and suspicious reads of process memory where available. Detection should emphasize behavioral context: unusual volume, unusual paths, unusual users or processes, access to sensitive local repositories, and collection activity preceding possible exfiltration indicators.
Likely telemetry
- Endpoint file access and file discovery events where available
- Process execution and command-line telemetry for command or scripting interpreters
- Shell history or audit logs on Linux and macOS systems where collected
- Network device CLI and configuration access logs
- ESXi or virtualization host logs related to virtual machine file access
Detection direction
- Confirm whether coverage includes the related T1005 platforms: ESXi, Linux, macOS, and network devices; do not assume endpoint EDR alone covers them.
- Tune analytics around sensitive local sources such as configuration files, local databases, virtual machine files, and process memory rather than only generic file reads.
- Correlate local collection behavior with preceding command or scripting interpreter use and subsequent exfiltration-related signals when available.
- Account for legitimate administrator, backup, indexing, troubleshooting, and configuration-management activity to reduce false positives.
- Prioritize detections on high-value systems and accounts, especially where local data could expose credentials, infrastructure configuration, or regulated information.
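The behavioral context described above (unusual volume and breadth of sensitive reads, interpreter ancestry, and an allowlist for sanctioned backup or configuration-management sweeps) can be expressed as a small windowed analytic. The following is an added example written for this page, not analytic logic from the ATT&CK object or from MITRE: the event schema, the sensitive-path patterns, the thresholds, the interpreter list and the allowlisted (process, parent) pairs are all assumptions to be replaced from local data classification, and the telemetry is constructed, not captured from a real host.

```python
"""Added example: windowed behavioral analytic for local data collection
(ATT&CK T1005) run over constructed file-access telemetry. Not part of the
ATT&CK object; patterns, thresholds and the allowlist are assumptions."""
from __future__ import annotations

import re
from collections import deque
from dataclasses import dataclass, field

# Sensitive local sources named by the technique. Patterns are assumed and
# should be extended from the environment's own data classification.
SENSITIVE_PATTERNS = {
    "config": re.compile(r"^/etc/(shadow|sudoers|.*\.(conf|cnf))$"),
    "credential": re.compile(r"/\.ssh/|/\.aws/credentials$"),
    "database": re.compile(r"^/var/lib/(mysql|postgresql)/|\.(db|sqlite3?)$"),
    "vm_file": re.compile(r"\.(vmdk|vmx|nvram|vmsn)$"),
    "proc_memory": re.compile(r"^/proc/\d+/(mem|maps)$|^/dev/k?mem$"),
}
INTERPRETERS = {"bash", "sh", "zsh", "python3", "perl", "pwsh"}
# Assumed (process, parent) pairs for sanctioned backup / config-management sweeps.
ALLOWLIST = {("veeamagent", "systemd"), ("puppet-agent", "systemd"), ("updatedb", "cron")}
WINDOW_SECONDS = 300         # sliding window per login session (auditd "ses")
MIN_DISTINCT_PATHS = 3       # volume: many distinct sensitive paths
MIN_DISTINCT_CATEGORIES = 2  # breadth: more than one kind of sensitive source

# Constructed telemetry (not real logs): normalized file-read events with
# host, epoch ts, user, login session id, process, parent process, path.
EVENTS = [
    # Backup agent sweeping /etc and the MySQL data dir: sanctioned, allowlisted.
    dict(ts=1000, host="db01", user="root", ses=1, proc="veeamagent", parent="systemd", path="/etc/shadow"),
    dict(ts=1001, host="db01", user="root", ses=1, proc="veeamagent", parent="systemd", path="/etc/my.cnf"),
    dict(ts=1002, host="db01", user="root", ses=1, proc="veeamagent", parent="systemd", path="/var/lib/mysql/ibdata1"),
    # Ordinary user: one non-sensitive read, then two sensitive reads 800 s apart (outside the window).
    dict(ts=1050, host="web01", user="alice", ses=7, proc="less", parent="bash", path="/etc/hosts"),
    dict(ts=1100, host="web01", user="alice", ses=7, proc="cat", parent="bash", path="/etc/sudoers"),
    dict(ts=1900, host="web01", user="alice", ses=7, proc="sqlite3", parent="bash", path="/home/alice/notes.db"),
    # Interactive shell session reading config, DB, SSH key and process memory within two minutes.
    dict(ts=1200, host="db01", user="svc_report", ses=5, proc="cat", parent="bash", path="/etc/my.cnf"),
    dict(ts=1230, host="db01", user="svc_report", ses=5, proc="cat", parent="bash", path="/var/lib/mysql/ibdata1"),
    dict(ts=1290, host="db01", user="svc_report", ses=5, proc="cat", parent="bash", path="/root/.ssh/id_rsa"),
    dict(ts=1310, host="db01", user="svc_report", ses=5, proc="dd", parent="bash", path="/proc/1234/mem"),
    # ESXi shell reading a VM disk, its descriptor and the host config.
    dict(ts=2000, host="esx01", user="root", ses=3, proc="sh", parent="sshd", path="/vmfs/volumes/ds1/app01/app01.vmdk"),
    dict(ts=2010, host="esx01", user="root", ses=3, proc="sh", parent="sshd", path="/vmfs/volumes/ds1/app01/app01.vmx"),
    dict(ts=2020, host="esx01", user="root", ses=3, proc="sh", parent="sshd", path="/etc/vmware/esx.conf"),
]


@dataclass
class Alert:
    host: str
    user: str
    session: int
    first_ts: int
    last_ts: int
    paths: list = field(default_factory=list)
    categories: list = field(default_factory=list)
    via_interpreter: bool = False


def classify(path: str):
    """Return the sensitive-source category for a path, or None if not sensitive."""
    for category, pattern in SENSITIVE_PATTERNS.items():
        if pattern.search(path):
            return category
    return None


def detect(events, window=WINDOW_SECONDS):
    """One Alert per login session whose sensitive reads inside `window` seconds
    cross the path or category threshold; later reads in that session extend
    the alert (scoping data) rather than firing again."""
    windows: dict[tuple, deque] = {}
    alerts: dict[tuple, Alert] = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if (e["proc"], e["parent"]) in ALLOWLIST:
            continue  # sanctioned automation, tuned out up front
        category = classify(e["path"])
        if category is None:
            continue
        key = (e["host"], e["user"], e["ses"])
        win = windows.setdefault(key, deque())
        win.append({**e, "category": category})
        while win[0]["ts"] < e["ts"] - window:  # drop reads older than the window
            win.popleft()
        paths = sorted({w["path"] for w in win})
        cats = sorted({w["category"] for w in win})
        if key in alerts:  # already firing: accumulate for scoping
            a = alerts[key]
            a.last_ts = e["ts"]
            a.paths = sorted(set(a.paths) | set(paths))
            a.categories = sorted(set(a.categories) | set(cats))
            continue
        if len(paths) >= MIN_DISTINCT_PATHS or len(cats) >= MIN_DISTINCT_CATEGORIES:
            alerts[key] = Alert(
                host=e["host"], user=e["user"], session=e["ses"],
                first_ts=win[0]["ts"], last_ts=e["ts"], paths=paths, categories=cats,
                via_interpreter=any(w["proc"] in INTERPRETERS or w["parent"] in INTERPRETERS for w in win),
            )
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a.host} user={a.user} ses={a.session} interp={a.via_interpreter} "
              f"cats={a.categories} paths={len(a.paths)} span={a.first_ts}-{a.last_ts}")
```

On the constructed input this fires twice: the svc_report shell session on db01 (four categories, interpreter parent) and the root shell session on esx01 (VM files plus host config), while the allowlisted backup sweep and alice's two reads 800 seconds apart produce nothing. The alert keeps growing with later reads in the same session so that responders get the accessed-path list the incident response playbook needs for scoping; the interpreter flag is the correlation with preceding command or scripting interpreter use that the detection direction above calls for.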
Mitigation priorities
- Identify the local data stores and systems where collection would create the highest business risk.
- Limit and review privileged access to sensitive local files, configuration stores, virtual machine files, and administrative interfaces.
- Enable or improve audit logging for local file access, process execution, CLI usage, and privileged activity on the platforms in scope.
- Separate legitimate administrative, backup, and monitoring workflows from ad hoc interactive access so anomalous collection is easier to detect.
- Use incident response playbooks that require rapid scoping of accessed local data before assuming whether exfiltration occurred.
Analyst notes and limits
This take is based on a detection strategy object with no official description or detection text. The strongest ATT&CK-supported context is the relationship to T1005, which describes adversaries searching local system sources for files of interest and sensitive data prior to exfiltration, including via command and scripting interpreters or network device CLI activity.
No active exploitation, actor usage, vendor tooling, concrete analytic logic, or guaranteed coverage is supplied. The detection strategy itself has no specified platforms or tactics; platform references come only from the related T1005 technique. Local environment architecture, logging configuration, and data classification are required to turn this into deployable detections.
Detection of Local Data Collection Prior to Exfiltration
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | This object detects Data from Local System. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e6ab9be27f97… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0380 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.