MITRE ATT&CK® Detection Strategy

DET0749: Detection of Data from Local System

ICS | DET0749 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0749 is a MITRE ATT&CK for ICS detection strategy for identifying activity related to Data from Local System (T0893): attempts to collect information from local sources such as file systems, configuration files, or local databases. For an ICS environment, this matters because locally stored specifications, schematics, diagrams, device details, or process information can help an adversary understand operations and prepare follow-on actions. The supplied ATT&CK object does not provide a detection procedure or platform scope, so organizations should treat it as a validation prompt rather than a ready-made analytic.

Executive priority

Security leaders should use this object to ask whether sensitive engineering and operational data on local systems is inventoried, access-controlled, monitored, and reviewable during an incident. The business priority is not only data confidentiality; in ICS, exposure of local configuration or layout information can affect operational resilience, response planning, and cyber-physical risk decisions. Because ATT&CK provides no official detection details for DET0749, priority should go to proving telemetry coverage and governance around where critical local data resides and who or what can access it.

Technical view

SOC, detection engineering, and IR teams should validate monitoring for access to local file systems, configuration files, and local databases that contain control system specifications, schematics, diagrams, device information, or process documentation. Relationship context indicates adversaries may use command-line interface or scripting techniques to interact with the file system, so defenders should correlate local data access with command execution and scripting activity where those logs are available. Since platforms and tactics are not specified for the detection strategy, teams must map this to their own ICS asset classes, engineering workstations, servers, and other systems that actually store local operational data before writing or tuning detections.

Likely telemetry

  • File access, file read, file copy, and directory enumeration logs for sensitive local paths where available
  • Operating system command execution telemetry where available
  • Scripting activity telemetry where available
  • Local database access logs where relevant and available
  • Configuration file access or change records

Detection direction

  • First identify local repositories of sensitive ICS data; detection quality depends on knowing which paths, files, databases, and hosts matter.
  • Baseline legitimate access by engineers, operators, maintenance personnel, and approved tools to reduce false positives from normal operational workflows.
  • Correlate unusual local data access with command-line or scripting activity when telemetry exists, because the related technique description references those interaction methods.
  • Watch for access patterns that are inconsistent with role, host, time window, or operational need, while avoiding assumptions about platform coverage because ATT&CK does not specify platforms for this strategy.
  • Confirm that logs are retained and searchable for incident response; absence of file, command, or script telemetry is a material blind spot for this behavior.
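The scoping, baselining and correlation steps above, as an added example that is not Glexia's or MITRE's code: a small Python analytic run over constructed file-access and process-execution events. It flags access to inventoried sensitive paths that falls outside a per-path user/host/time baseline, and separately notes when such access is preceded on the same host and user by a command-line or script-interpreter process inside a short window. Every path, host name, user, process image, timestamp and the five-minute window are assumptions chosen for illustration; real deployments would load the inventory and baseline from their own asset and access records.

```python
# Added example (not Glexia's or MITRE's code): flag access to inventoried sensitive
# local ICS data that is off-baseline and/or preceded by CLI or script activity.
# All paths, hosts, users, processes and timestamps below are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

# Step 1: inventory of sensitive local data. These prefixes are assumed examples.
SENSITIVE_PATHS = (
    "/eng/plc/projects/",      # assumed: PLC project files
    "/eng/drawings/",          # assumed: schematic / P&ID exports
    "/opt/historian/config/",  # assumed: historian configuration
)

@dataclass(frozen=True)
class Baseline:
    """Who routinely reads a prefix, from which hosts, during which local hours."""
    users: frozenset
    hosts: frozenset
    hours: range

# Step 2: constructed baseline of legitimate access per sensitive prefix.
BASELINE = {
    "/eng/plc/projects/": Baseline(frozenset({"eng_alice"}), frozenset({"EWS-01"}), range(6, 19)),
    "/eng/drawings/": Baseline(frozenset({"eng_alice", "maint_bob"}), frozenset({"EWS-01", "EWS-02"}), range(6, 19)),
    "/opt/historian/config/": Baseline(frozenset({"svc_historian"}), frozenset({"HIST-01"}), range(0, 24)),
}

# Process images treated as command-line interfaces or script interpreters.
CLI_OR_SCRIPT = {"cmd.exe", "powershell.exe", "bash", "sh", "python", "python3", "wscript.exe", "cscript.exe"}

@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    host: str
    user: str
    path: str
    action: str  # read, copy, list
@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str
    cmdline: str
@dataclass
class Finding:
    event: FileEvent
    reasons: List[str] = field(default_factory=list)
    related_proc: Optional[ProcEvent] = None

def sensitive_prefix(path: str) -> Optional[str]:
    """Return the inventoried prefix a path falls under, or None if out of scope."""
    for prefix in SENSITIVE_PATHS:
        if path.startswith(prefix):
            return prefix
    return None

def off_baseline_reasons(ev: FileEvent, prefix: str) -> List[str]:
    """Step 4: compare the access against the user/host/time baseline for that prefix."""
    b = BASELINE[prefix]
    checks = [
        (ev.user not in b.users, "user not in baseline for path"),
        (ev.host not in b.hosts, "host not in baseline for path"),
        (ev.ts.hour not in b.hours, "outside routine hours"),
    ]
    return [msg for hit, msg in checks if hit]

def find_related_process(ev: FileEvent, procs: Iterable[ProcEvent], window: timedelta) -> Optional[ProcEvent]:
    """Step 3: nearest preceding CLI/script process for the same host and user inside the window."""
    candidates = [p for p in procs
                  if p.host == ev.host and p.user == ev.user
                  and p.image.lower() in CLI_OR_SCRIPT
                  and timedelta(0) <= ev.ts - p.ts <= window]
    return max(candidates, key=lambda p: p.ts) if candidates else None

def evaluate(files: Iterable[FileEvent], procs: Iterable[ProcEvent],
             window: timedelta = timedelta(minutes=5)) -> List[Finding]:
    """One finding per sensitive access that is off-baseline, script-driven, or both."""
    procs = list(procs)
    findings = []
    for ev in files:
        prefix = sensitive_prefix(ev.path)
        if prefix is None:
            continue  # not in the inventory: this analytic has nothing to say about it
        reasons = off_baseline_reasons(ev, prefix)
        proc = find_related_process(ev, procs, window)
        if proc is not None:
            reasons.append(f"preceded by {proc.image} within {window}")
        if reasons:
            findings.append(Finding(ev, reasons, proc))
    return findings

# Constructed sample telemetry: a routine read, an off-baseline script-driven copy,
# a routine service read, a scripted listing by a baseline user, an out-of-scope file.
D = datetime(2025, 3, 10)
SAMPLE_PROCS = [
    ProcEvent(D.replace(hour=2, minute=38), "EWS-02", "maint_bob", "powershell.exe", "powershell.exe -File copy_projects.ps1"),
    ProcEvent(D.replace(hour=13, minute=58), "EWS-01", "eng_alice", "python3", "python3 export_index.py"),
]
SAMPLE_FILES = [
    FileEvent(D.replace(hour=10, minute=15), "EWS-01", "eng_alice", "/eng/plc/projects/line1.acd", "read"),
    FileEvent(D.replace(hour=2, minute=40), "EWS-02", "maint_bob", "/eng/plc/projects/line1.acd", "copy"),
    FileEvent(D.replace(hour=3, minute=0), "HIST-01", "svc_historian", "/opt/historian/config/tags.xml", "read"),
    FileEvent(D.replace(hour=14, minute=0), "EWS-01", "eng_alice", "/eng/drawings/", "list"),
    FileEvent(D.replace(hour=14, minute=5), "EWS-01", "eng_alice", "/home/eng_alice/notes.txt", "read"),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_FILES, SAMPLE_PROCS):
        print(f"{f.event.ts:%H:%M} {f.event.host} {f.event.user} {f.event.action} {f.event.path}: {'; '.join(f.reasons)}")
```

On the constructed sample the routine reads by the baselined engineer and the historian service account produce nothing, the night-time copy from a non-baseline host and user preceded by PowerShell carries four reasons, and the baselined engineer's scripted directory listing is surfaced with a single low-weight reason so an analyst can decide whether approved tooling should be added to the baseline. Access outside the inventory is deliberately ignored, which is why the inventory step comes first.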

Mitigation priorities

  • Inventory and classify sensitive local ICS data such as specifications, schematics, diagrams, configuration files, and local databases.
  • Limit access to those local data sources based on operational role and need-to-know principles.
  • Harden and monitor systems that store local engineering or operational data, prioritizing assets most important to safe and continuous operations.
  • Enable and retain appropriate host, file, command, script, and database telemetry where feasible in the local environment.
  • Use incident response exercises to confirm teams can determine what local data was accessed, by whom, from which system, and whether access was expected.

Analyst notes and limits

This Glexia take is based on the official DET0749 metadata and its stated relationship to T0893 Data from Local System. The detection strategy itself contains no official description, detection logic, tactics, platforms, or labels. The most useful defensive action is therefore local scoping: identify where sensitive ICS data lives and validate whether monitoring can distinguish expected operational access from suspicious collection behavior.

ATT&CK fields supplied for DET0749 are sparse. No official detection text, platform list, tactic mapping, or implementation guidance is provided. The related T0893 description supports local file system, configuration file, local database, command-line interface, and scripting context, but specific analytics, thresholds, tools, or coverage claims require environment-specific evidence.

Official MITRE ATT&CK definition

Detection of Data from Local System

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID    | Name                   | Relationship / procedure
ICS    | T0893 | Data from Local System | This object detects Data from Local System.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: baced2f2c342e280...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | baced2f2c342…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0749 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.