MaxPatrol SIEM

T1119: Automated Collection

Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals.

In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.

This functionality could also be built into remote access tools.

This technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files, as well as Cloud Service Dashboard and Cloud Storage Object Discovery to identify resources in cloud environments.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

vsphere_suspicious_user_activity: PT-CR-518: Mass_downloading_files_of_critical_VM: Files from multiple security-critical virtual machines are downloaded
hacking_tools: PT-CR-2244: SOAPHound_Usage: SOAPHound was used, which is a tool that collects Active Directory data via the Active Directory Web Services (ADWS) protocol
pt_application_firewall: PT-CR-640: Web_Automation_Tool: The use of software for automation of requests to web services

Detection

ID: DS0012
Data source and component: Script: Script Execution
Description: Any attempt to enable script execution on a system should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running outside the normal cycle of patching or other administrative functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

ID: DS0022
Data source and component: File: File Access
Description: Monitor for unexpected files (e.g., .pdf, .docx, .jpg, etc.) being viewed for collecting internal data.

ID: DS0017
Data source and component: Command: Command Execution
Description: Monitor executed commands and arguments for actions that could be taken to collect internal data.
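As an added illustration of the Command Execution data source above (example code, not part of the MaxPatrol SIEM knowledge base or its PT-CR rules), the following Python sketch scores constructed process-creation events for the two traits named in the technique description: a scripting interpreter selecting files by type, name or location and copying or archiving them, and the same command repeating at intervals. The interpreter list, regex heuristics, field names and sample events are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Interpreter images ("Command and Scripting Interpreter" in the technique text).
INTERPRETERS = {"powershell", "pwsh", "cmd", "bash", "sh", "python", "wscript", "cscript"}
# File-selection criteria (type, name, recursive location) and copy/archive verbs;
# both must appear in one command line. Heuristic patterns, assumed for this example.
FILE_FILTER = re.compile(r"\*\.\w{2,5}\b|-Include\b|-Filter\b|-Recurse\b|\s-name\s|\s/s\b", re.I)
COPY_OR_PACK = re.compile(r"\b(copy-item|compress-archive|xcopy|robocopy|copy|cp|tar|zip|7z|rar)\b", re.I)


def is_collection_command(image: str, cmdline: str) -> bool:
    """True when an interpreter both selects files by criteria and copies/archives them."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    name = name[:-4] if name.endswith(".exe") else name
    return name in INTERPRETERS and bool(FILE_FILTER.search(cmdline)) and bool(COPY_OR_PACK.search(cmdline))


def detect_automated_collection(events, min_runs=3, window=timedelta(hours=1)):
    """Flag (host, user) pairs whose collection commands repeat min_runs times
    within `window`: the 'at specific time intervals' trait of T1119."""
    runs = defaultdict(list)
    for ev in events:
        if is_collection_command(ev["image"], ev["cmdline"]):
            runs[(ev["host"], ev["user"])].append(datetime.fromisoformat(ev["ts"]))
    flagged = []
    for key, stamps in runs.items():
        stamps.sort()
        if any(stamps[i + min_runs - 1] - stamps[i] <= window for i in range(len(stamps) - min_runs + 1)):
            flagged.append(key)
    return flagged


# Constructed sample process-creation events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
COLLECT = r"powershell -c Get-ChildItem C:\Users -Recurse -Include *.docx,*.pdf | Copy-Item -Destination C:\Temp\out"
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "alice", "ts": f"2024-05-01T09:{m:02d}:00", "image": PS, "cmdline": COLLECT}
    for m in (0, 10, 20)  # the same filtered copy every ten minutes
] + [
    # one scheduled backup: matches the command heuristic but not the repetition test
    {"host": "SRV02", "user": "backup", "ts": "2024-05-01T02:00:00",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd /c robocopy D:\Data E:\Backup /s"},
    # plain directory listing: no copy/archive verb, so not a collection command at all
    {"host": "WS01", "user": "alice", "ts": "2024-05-01T09:05:00",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd /c dir C:\Users"},
]

if __name__ == "__main__":
    print(detect_automated_collection(SAMPLE_EVENTS))  # [('WS01', 'alice')]
```

Tune the verb and filter patterns to the interpreters and backup tooling actually present in the environment; the single scheduled backup event shows why the repetition window, not the command match alone, carries the signal.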

Mitigation

ID: M1029
Name: Remote Data Storage
Description: Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means.

ID: M1041
Name: Encrypt Sensitive Information
Description: Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means. Strong passwords should be used on encrypted documents that rely on them, to prevent offline cracking through Brute Force techniques.