T1119 Automated Collection Mappings

Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals.

In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.(Citation: Mandiant UNC3944 SMS Phishing 2023)

This functionality could also be built into remote access tools.

This technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files, as well as Cloud Service Dashboard and Cloud Storage Object Discovery to identify resources in cloud environments.


Mappings

Capability ID   Capability Description              Mapping Type      ATT&CK ID   ATT&CK Name            Notes
intel-tdt       Intel Threat Detection Technology   CrowdStrike AMS   T1119       Automated Collection
Comments

Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), is mapped to this technique because it supports faster, real-time detection of Automated Collection activity. The integration strengthens CrowdStrike Falcon's ability to detect and mitigate threats earlier in the kill chain while limiting the performance impact on the endpoint.

In Automated Collection, adversaries use automated tools or scripts to systematically gather sensitive data from local systems (documents, credentials, or other valuable information), typically in volume and in a way intended not to alert security controls, staging the data for exfiltration or other misuse.

Intel TDT contributes to detecting this behavior by providing real-time CPU telemetry on program execution, memory access, and control flow, so that unusual patterns of data collection or manipulation indicative of an ongoing attack can be identified quickly. CAMS offloads the memory-scanning workload from the CPU to the Intel integrated GPU, allowing more frequent and efficient scanning for malicious activity without degrading system performance. Together these capabilities are intended to surface suspicious behaviors such as unauthorized bulk data collection or the use of automated extraction tooling, so that collection attempts can be detected and mitigated before the gathered data is exfiltrated. Note that the mapping type is CrowdStrike AMS: the detection logic itself runs in the Falcon sensor, with TDT supplying the hardware telemetry and GPU-accelerated memory scanning that it consumes.
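As an added example (not code from this mapping page, MITRE, Intel, or CrowdStrike), the script below emulates the file-by-type collection loop described in the technique text above and then runs a simple rate-based detection over the file-read events it produces, mirroring the "unusual patterns of data collection" that the comments say endpoint telemetry should reveal. The event schema, the thresholds (20 distinct document files across at least 3 directories within 10 seconds), the process names, and the sample directory tree are all assumptions constructed for illustration; they are not Falcon or TDT detection logic.

```python
"""Added example, not from the mapping page or any vendor: emulate the T1119
collection loop (walk a tree, select files by extension) and detect the burst
of reads it causes. Event schema, thresholds and sample data are assumptions."""
import os
import shutil
import tempfile
import time
from collections import defaultdict
from dataclasses import dataclass
from pathlib import Path

# Assumed set of "document" extensions a collector would target.
DOC_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt"}


@dataclass(frozen=True)
class FileReadEvent:
    """Assumed EDR-style file-read event (one per file opened for reading)."""
    ts: float     # epoch seconds
    pid: int
    image: str    # process image name
    path: str


def collect_matching(root, extensions, pid, image, start_ts, per_file=0.01):
    """Emulates the adversary loop: walk root, keep files whose extension is in
    `extensions`, and emit one read event per match (standing in for the copy
    step). Files are read back-to-back, per_file seconds apart."""
    events, ts = [], start_ts
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in extensions:
            events.append(FileReadEvent(ts, pid, image, str(p)))
            ts += per_file
    return events


def detect_bulk_reads(events, window_s=10.0, min_files=20, min_dirs=3):
    """Sliding-window heuristic: flag a pid that reads at least min_files distinct
    document files spanning at least min_dirs directories within window_s
    seconds. Returns one (pid, image, n_files, n_dirs) tuple per flagged pid."""
    by_pid = defaultdict(list)
    for e in events:
        if Path(e.path).suffix.lower() in DOC_EXTENSIONS:
            by_pid[e.pid].append(e)
    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window_s:
                start += 1
            window = evs[start:end + 1]
            files = {e.path for e in window}
            dirs = {os.path.dirname(e.path) for e in window}
            if len(files) >= min_files and len(dirs) >= min_dirs:
                alerts.append((pid, evs[end].image, len(files), len(dirs)))
                break  # one alert per process is enough
    return alerts


def build_sample_tree(root):
    """Constructed sample data: 5 user folders with 6 documents each, plus
    non-document noise the collector must skip."""
    for i in range(5):
        d = Path(root) / f"user{i}" / "Documents"
        d.mkdir(parents=True)
        for j, ext in enumerate([".docx", ".xlsx", ".pdf", ".txt", ".docx", ".pdf"]):
            (d / f"report{j}{ext}").write_text("sample")
        (d / "setup.exe").write_bytes(b"MZ")
        (d / "app.log").write_text("noise")


def benign_events(root, start_ts):
    """Constructed baseline: a user opening three documents over ten minutes."""
    p = Path(root) / "user0" / "Documents"
    return [FileReadEvent(start_ts, 1001, "WINWORD.EXE", str(p / "report0.docx")),
            FileReadEvent(start_ts + 240, 1001, "WINWORD.EXE", str(p / "report4.docx")),
            FileReadEvent(start_ts + 600, 1001, "WINWORD.EXE", str(p / "report1.xlsx"))]


def demo():
    """Build the tree, mix benign reads with an emulated collection burst from
    an assumed scripting-interpreter process, and return the detector's alerts."""
    root = tempfile.mkdtemp(prefix="t1119_")
    try:
        build_sample_tree(root)
        now = time.time()
        events = benign_events(root, now)
        events += collect_matching(root, DOC_EXTENSIONS, 4242, "powershell.exe", now + 30)
        return detect_bulk_reads(events)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for pid, image, n_files, n_dirs in demo():
        print(f"ALERT pid={pid} image={image} files={n_files} dirs={n_dirs}")
```

Running the script prints a single alert for the emulated collector (pid 4242) and nothing for the interactive document reads, which stay below the file-count threshold. In a real deployment the thresholds would be tuned per environment, and backup agents, indexers, and antivirus scanners would need an allow-list, since they legitimately produce the same read pattern.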