T1119 Automated Collection

This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.

This diagnostic statement protects against Adversary-in-the-middle: ARP Cache Poisoning through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes over networks, limitations to specific accounts along with access control mechanisms provides protection against adversary-in-the-middle

This diagnostic statement prevents adversaries from using automated techniques for collecting internal data. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.

This diagnostic statement prevents adversaries from using automated techniques for collecting internal data. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.

This is the exploitation of a public facing server. In-the-wild reporting documents that exploitation of this vulnerability was used to install a webshell on the victim machine, and then captured and exfiltrated client credit card information.

The following Microsoft Sentinel Hunting queries can identify potentially malicious automated collection: "Multiple large queries made by user" and "Query data volume anomolies" can identify that automated queries are being used to collect data in bulk. "New ServicePrincipal running queries" can indicate that an application is performing automated collection via queries. The following Microsoft Sentinel Analytics queries can identify potentially malicious automated collection: "Mass secret retrieval from Azure Key Vault" and "Azure Key Vault access TimeSeries anomaly" can detect a sudden increase in access counts, which may indicate that an adversary is dumping credentials via automated methods. "Users searching for VIP user activity" can identify potentially suspicious Log Analytics queries by users looking for a listing of 'VIP' activity. The coverage for these queries is minimal (applicable to specific technologies) resulting in an overall Minimal score.

The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that storage volumes are encrypted, which may mitigate adversary attempts to automate collection within cloud environments: "ec2-ebs-encryption-by-default" which is run periodically and "encrypted-volumes" which is run on configuration changes. Coverage factor is minimal for these rules, since they are specific to EBS volumes and will only prevent certain forms of collection since adversaries with access to mounted volumes may be able to decrypt their contents, resulting in an overall score of Minimal.

This control's Information protection policies can detect and encrypt sensitive information at rest on supported platforms, which can inhibit automated data collection activities.

This control can detect sensitive information at rest, which may be indicative of data collection activities.

Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. Information Protection Protects from Automated Collection attacks due to it encrypting files containing personally identifying information and other sensitive data that is shared in a cloud app and applying sensitivity labels to limit access only to employees in your company. License Requirements: Microsoft Defender for Office 365 plan 1 and plan 2