Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals.
In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.(Citation: Mandiant UNC3944 SMS Phishing 2023)
This functionality could also be built into remote access tools.
This technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files, as well as Cloud Service Dashboard and Cloud Storage Object Discovery to identify resources in cloud environments.
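On a host, the pattern described above leaves a characteristic trace: one process reads many files that match a filter (extension, location, name) across several directories inside a short window, and then repeats that sweep on a fixed interval. The following detector, added here as an illustration and not code from the ATT&CK page or from any of the mapped products, runs both checks over constructed file-access events. The `(timestamp, process, path)` tuple shape and the thresholds are assumptions; in practice the events would come from Windows 4663 or Sysmon file-access telemetry.

```python
"""Host-side detector for scripted file sweeps (MITRE ATT&CK T1119).

Added example over constructed file-access events; not code from the ATT&CK
page or from any mapped product.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# File types a collection script is likely to filter on (assumption for the example).
SENSITIVE_EXT = {".docx", ".xlsx", ".pdf", ".pst", ".kdbx"}


def build_sample_events():
    """Constructed events shaped as (timestamp, process name, path), the fields a
    Windows 4663 or Sysmon file-access record would supply. Not real telemetry."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    events = []
    # Benign: a user opening a few documents over the morning.
    for minutes, name in [(0, "report.docx"), (12, "budget.xlsx"), (40, "notes.docx")]:
        events.append((base + timedelta(minutes=minutes), "WINWORD.EXE",
                       "C:\\Users\\alice\\Documents\\" + name))
    # Scripted sweep: 25 documents across four directories, repeated every 10 minutes.
    dirs = ["C:\\Users\\alice\\Documents", "C:\\Users\\bob\\Desktop",
            "C:\\Finance\\2024", "C:\\HR\\records"]
    exts = [".docx", ".xlsx", ".pdf"]
    for burst in range(3):
        start = base + timedelta(minutes=10 * burst)
        for i in range(25):
            events.append((start + timedelta(seconds=2 * i), "powershell.exe",
                           f"{dirs[i % 4]}\\doc{i}{exts[i % 3]}"))
    return events


SAMPLE_EVENTS = build_sample_events()


def detect_sweeps(events, window=timedelta(minutes=5), min_files=20, min_dirs=3):
    """One hit per sweep: a process reading >= min_files distinct sensitive files
    spread over >= min_dirs directories inside a sliding time window."""
    by_proc = defaultdict(list)
    for ts, proc, path in events:
        if PureWindowsPath(path).suffix.lower() in SENSITIVE_EXT:
            by_proc[proc].append((ts, path))
    hits = []
    for proc, accesses in by_proc.items():
        accesses.sort()
        burst = []                      # accesses inside the current window
        for ts, path in accesses:
            burst.append((ts, path))
            burst = [e for e in burst if ts - e[0] <= window]
            files = {p for _, p in burst}
            dirs = {str(PureWindowsPath(p).parent) for p in files}
            if len(files) >= min_files and len(dirs) >= min_dirs:
                hits.append({"process": proc, "start": burst[0][0],
                             "files": len(files), "dirs": len(dirs)})
                burst = []              # alert once per sweep, then start counting afresh
    return hits


def sweep_period(hits, tolerance=0.2):
    """Map process -> interval in seconds when its sweeps recur at a near-constant
    period (every gap within `tolerance` of the mean gap): the 'specific time
    intervals' pattern from the technique description."""
    starts = defaultdict(list)
    for h in hits:
        starts[h["process"]].append(h["start"])
    periods = {}
    for proc, ts in starts.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if len(gaps) >= 2:
            mean = sum(gaps) / len(gaps)
            if all(abs(g - mean) <= tolerance * mean for g in gaps):
                periods[proc] = mean
    return periods


if __name__ == "__main__":
    found = detect_sweeps(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['start']} {h['process']}: {h['files']} files in {h['dirs']} directories")
    print("periodic sweeps:", sweep_period(found))
```

On the constructed data the interactive WINWORD.EXE session never crosses the thresholds, while powershell.exe produces one hit per sweep and the three hits recur 600 seconds apart, which is the scheduled-interval signal worth escalating above a one-off burst.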
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.DS-10.01 | Data-in-use protection | Mitigates | T1119 | Automated Collection | This Diagnostic Statement describes mitigations for protecting data in use, including encryption, access control methods and authentication. Encrypting data in use, alongside other safeguards such as those restricting exfiltration of sensitive data, helps mitigate collection and exfiltration threats. |
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1119 | Automated Collection | This Diagnostic Statement covers the management and revocation of cryptographic keys and certificates. Protecting key material used for data encryption and for identity management and authentication over networks, restricting its use to specific accounts and applying access control mechanisms limits an adversary's ability to decrypt and automatically collect protected data. |
ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1119 | Automated Collection | Governing data through its lifecycle (classifying it, retaining it only as long as needed and storing it only where it is needed) reduces the amount of data exposed to automated collection. This is similar to NIST SP 800-53 SI-12, Information Management and Retention, and may mitigate data access and exfiltration techniques. |
ID.AM-08.05 | Data destruction procedures | Mitigates | T1119 | Automated Collection | Securely destroying data that is no longer needed, rather than leaving it on systems and in storage, reduces what an adversary's automated collection can gather. This is similar to NIST SP 800-53 SI-12, Information Management and Retention, and may mitigate data access and exfiltration techniques. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1119 | Automated Collection | |
action.hacking.variety.Scan network | Enumerating the state of the network | related-to | T1119 | Automated Collection | |
action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1119 | Automated Collection | |
attribute.confidentiality.data_disclosure | None | related-to | T1119 | Automated Collection | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
microsoft_sentinel | Microsoft Sentinel | technique_scores | T1119 | Automated Collection | The following Microsoft Sentinel Hunting queries can identify potentially malicious automated collection: "Multiple large queries made by user" and "Query data volume anomalies" can identify automated queries being used to collect data in bulk, and "New ServicePrincipal running queries" can indicate that an application is performing automated collection via queries. The following Microsoft Sentinel Analytics queries can identify potentially malicious automated collection: "Mass secret retrieval from Azure Key Vault" and "Azure Key Vault access TimeSeries anomaly" detect a sudden increase in access counts, which may indicate that an adversary is dumping credentials via automated methods, and "Users searching for VIP user activity" identifies potentially suspicious Log Analytics queries by users looking for a listing of 'VIP' activity. Coverage for these queries is minimal (each applies to a specific technology), resulting in an overall Minimal score. |
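The two Key Vault analytics named above reduce to two checks on the audit log: one identity reading many distinct secrets inside a short window, and an identity's read count in a window departing sharply from that identity's own baseline. The following script, added here as an example and not Microsoft's Sentinel query logic, implements both over constructed records shaped like Key Vault diagnostic log entries (timestamp, caller identity, operation, secret name). The field layout, the five-minute bucket and the thresholds are assumptions for the example.

```python
"""Bulk secret-retrieval detection over Key Vault-style audit records (T1119 in the cloud).

Added example over constructed records; not Microsoft's Sentinel query logic.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

BUCKET_MINUTES = 5


def build_sample_records():
    """Constructed records shaped as (timestamp, caller identity, operation, secret
    name), the fields a Key Vault diagnostic log entry carries. Not real data."""
    base = datetime(2024, 5, 1, 0, 0, 0)
    bucket = timedelta(minutes=BUCKET_MINUTES)
    records = []
    for b in range(72):                                  # six hours of baseline
        t = base + b * bucket
        for i in range(2 + b % 3):                       # billing app: 2-4 reads per bucket
            records.append((t + timedelta(seconds=10 * i), "app-billing",
                            "SecretGet", f"db-conn-{i}"))
        for i in range(3):                               # backup job: steady 3 reads per bucket
            records.append((t + timedelta(seconds=7 * i), "svc-backup",
                            "SecretGet", f"backup-key-{i}"))
    spike = base + 72 * bucket                           # then 40 distinct secrets in one bucket
    records.append((spike, "app-billing", "SecretList", ""))
    for i in range(40):
        records.append((spike + timedelta(seconds=3 * i), "app-billing",
                        "SecretGet", f"secret-{i:02d}"))
    return records


SAMPLE_RECORDS = build_sample_records()


def bucket_start(ts):
    """Floor a timestamp to the start of its BUCKET_MINUTES-wide bucket."""
    return ts.replace(minute=ts.minute - ts.minute % BUCKET_MINUTES, second=0, microsecond=0)


def per_bucket(records, operation="SecretGet"):
    """caller -> {bucket start -> set of secret names read with `operation`}."""
    series = defaultdict(lambda: defaultdict(set))
    for ts, caller, op, name in records:
        if op == operation:
            series[caller][bucket_start(ts)].add(name)
    return series


def mass_retrieval(records, threshold=25):
    """Identities that read >= threshold distinct secrets inside one bucket."""
    hits = []
    for caller, buckets in per_bucket(records).items():
        for start, names in sorted(buckets.items()):
            if len(names) >= threshold:
                hits.append((caller, start, len(names)))
    return hits


def timeseries_anomalies(records, z=3.0, min_count=10, min_history=12):
    """Buckets whose read count exceeds mean + z * stdev of the same identity's
    earlier buckets. Idle buckets are not part of the baseline, so the bound
    describes the identity's usual busy periods; min_count keeps a near-constant
    baseline (stdev close to 0) from alerting on a single extra read."""
    hits = []
    for caller, buckets in per_bucket(records).items():
        history = []
        for start, names in sorted(buckets.items()):
            count = len(names)
            if len(history) >= min_history:
                bound = statistics.mean(history) + z * statistics.pstdev(history)
                if count > bound and count >= min_count:
                    hits.append((caller, start, count, round(bound, 1)))
            history.append(count)
    return hits


if __name__ == "__main__":
    for caller, start, n in mass_retrieval(SAMPLE_RECORDS):
        print(f"mass retrieval: {caller} read {n} distinct secrets in the bucket starting {start}")
    for caller, start, n, bound in timeseries_anomalies(SAMPLE_RECORDS):
        print(f"anomaly: {caller} made {n} reads at {start}; baseline bound {bound}")
```

Both checks fire only for app-billing's 06:00 bucket: the per-identity baseline is what keeps the steady svc-backup job quiet, and it is also why the time-series rule catches a caller whose normal volume is low even when the absolute count stays below the mass-retrieval threshold.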
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
aws_config | AWS Config | technique_scores | T1119 | Automated Collection | The following AWS Config managed rules can identify configuration problems that should be fixed to ensure that storage volumes are encrypted, which may mitigate adversary attempts to automate collection within cloud environments: "ec2-ebs-encryption-by-default", which is evaluated periodically, and "encrypted-volumes", which is evaluated on configuration changes. Coverage factor is minimal for these rules, since they are specific to EBS volumes and only prevent certain forms of collection: EBS encryption is transparent to the instance, so an adversary with access to a mounted volume reads its contents in the clear. The overall score is therefore Minimal. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1119 | Automated Collection | This control's Information protection policies can detect and encrypt sensitive information at rest on supported platforms, which can inhibit automated data collection. |
DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1119 | Automated Collection | This control can detect sensitive information at rest, which may be indicative of data collection activity. |
PUR-INPR-E5 | Information Protection | Technique Scores | T1119 | Automated Collection | Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks and DLP for sensitive content shared publicly. Information Protection protects against Automated Collection by encrypting files containing personally identifying information and other sensitive data shared in a cloud app, and by applying sensitivity labels that limit access to employees of your company. License requirements: Microsoft Defender for Office 365 plan 1 and plan 2. |