Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T0893: Data from Local System

Adversaries may target and collect data from local system sources, such as file systems, configuration files, or local databases. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes.

Adversaries may do this using Command-Line Interface or Scripting techniques to interact with the file system to gather information. Adversaries may also use Automated Collection on the local system.

ICST0893TechniqueObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This technique matters because local ICS systems often hold the information an adversary needs to understand operations: engineering files, control layouts, schematics, configuration files, local databases, and process documentation. Even before disruption occurs, collection from workstations, HMIs, historians, control servers, application servers, jump hosts, switches, and firewalls can expose operational knowledge that increases risk to safety, resilience, intellectual property, and incident response decision-making.

Executive priority

Leaders should treat this as an operational information protection issue, not just endpoint monitoring. The priority is to know where sensitive ICS design and process data resides, who can access it, whether access is logged, and whether loss of that data would affect business continuity, regulatory evidence, or cyber-physical risk. Budget and control decisions should prioritize file permission hygiene, encryption of sensitive information, DLP where appropriate, and user training around attempts to obtain or manipulate access.

Technical view

SOC, detection engineering, and IR teams should validate visibility into local file access and collection behavior on the ICS assets identified in the ATT&CK relationships, especially engineering workstations, HMIs, data historians, control servers, application servers, and jump hosts. Because the ATT&CK object provides no official detection text, teams should use DET0749 as the linked detection strategy reference and tune locally for unusual access to engineering files, configuration stores, local databases, diagrams, schematics, and process telemetry repositories. Related techniques in the description include command-line interface, scripting, and automated collection, so validation should include whether those activity classes are logged and reviewable in ICS zones.

Likely telemetry

  • File access, file read, file copy, and directory enumeration logs on ICS workstations and servers
  • Endpoint process execution telemetry for command-line and scripting activity where safely collectable
  • Authentication and authorization logs showing access to sensitive local directories, databases, and configuration files
  • Database access logs for local historian or application data stores where available
  • DLP alerts or audit events for attempted transfer of engineering plans, recipes, intellectual property, process telemetry, or similar operational information

Detection direction

  • Confirm which ICS assets actually contain sensitive operational files and whether file access to those locations is logged.
  • Prioritize monitoring of engineering workstations, HMIs, historians, control servers, application servers, and jump hosts because these are explicitly targeted assets for this technique.
  • Tune for unusual bulk access, access outside normal engineering workflows, unexpected scripting or command-line interaction with sensitive directories, and access by accounts that do not normally handle control-system documentation.
  • Use DLP detections cautiously in ICS environments: validate that monitored data categories map to real operational information and that controls do not disrupt legitimate engineering or operational workflows.
  • Account for false positives from maintenance, backups, reporting, engineering changes, and historian exports; detection should rely on baselines and asset role context.

Mitigation priorities

  • Inventory sensitive local ICS data stores, including configuration files, schematics, diagrams, engineering plans, local databases, recipes, intellectual property, and process telemetry repositories.
  • Restrict file and directory permissions so access aligns with operational roles and privileged accounts are not broadly exposed.
  • Encrypt sensitive information at rest where supported by the asset and operational constraints.
  • Deploy or tune DLP capabilities at appropriate host, network, email, web, or physical media transfer points to identify attempted movement of operational information.
  • Train users who access ICS environments to recognize social engineering or access manipulation attempts that could lead to unauthorized data collection.
Analyst notes and limits

The object is in the ICS ATT&CK domain and is linked to multiple ICS asset types, including workstations, HMIs, data historians, control servers, application servers, jump hosts, switches, and firewalls. ATT&CK also links software examples Duqu, Flame, and ACAD/Medre.A as using this behavior; this should be used as historical technique context, not as evidence of current activity in any environment.

MITRE provides no official detection text, no tactic value, and no platform value directly on the technique. Platform context comes only from related ICS assets and software relationships. Local architecture, asset criticality, logging capability, and operational workflow baselines are required before making coverage or exposure claims.

Official MITRE ATT&CK definition

Data from Local System

Adversaries may target and collect data from local system sources, such as file systems, configuration files, or local databases. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes.

Adversaries may do this using Command-Line Interface or Scripting techniques to interact with the file system to gather information. Adversaries may also use Automated Collection on the local system.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Malware ICS

S0038: Duqu

Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network. [1]

Windows
Malware ICS

S0143: Flame

Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. [1]

Windows
Relationship explorer

All related ATT&CK context

mitigates · Mitigation M0941: Encrypt Sensitive Information ICS uses · Malware S0038: Duqu ICS uses · Malware S0143: Flame ICS uses · Malware S1000: ACAD/Medre.A ICS targets · ICS Asset A0016: Firewall ICS targets · ICS Asset A0007: Control Server ICS targets · ICS Asset A0015: Switch ICS targets · ICS Asset A0006: Data Historian ICS mitigates · Mitigation M0803: Data Loss Prevention ICS mitigates · Mitigation M0922: Restrict File and Directory Permissions ICS targets · ICS Asset A0002: Human-Machine Interface (HMI) ICS mitigates · Mitigation M0917: User Training ICS targets · ICS Asset A0008: Application Server ICS detects · Detection Strategy DET0749: Detection of Data from Local System ICS targets · ICS Asset A0001: Workstation ICS targets · ICS Asset A0012: Jump Host ICS
Mitigations

Mitigation direction

Mitigation ICS

M0803: Data Loss Prevention

Data Loss Prevention (DLP) technologies can be used to help identify adversarial attempts to exfiltrate operational information, such as engineering plans, trade secrets, recipes, intellectual property, or process telemetry. DLP functionality may be built into other security products such as firewalls or standalone suites running on the network and host-based agents. DLP may be configured to prevent the transfer of information through corporate resources such as email, web, and physical media such as USB for host-based solutions.

Mitigation ICS

M0917: User Training

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
20796c65f17a6f8e...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 20796c65f17a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack T0893
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use