Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals.
In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.(Citation: Mandiant UNC3944 SMS Phishing 2023)
This functionality could also be built into remote access tools.
This technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files, as well as Cloud Service Dashboard and Cloud Storage Object Discovery to identify resources in cloud environments.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.DS-10.01 | Data-in-use protection | Mitigates | T1119 | Automated Collection |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
References
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1119 | Automated Collection |
Comments
This diagnostic statement protects against Adversary-in-the-middle: ARP Cache Poisoning through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes over networks, limitations to specific accounts along with access control mechanisms provides protection against adversary-in-the-middle
References
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1119 | Automated Collection |
Comments
This diagnostic statement prevents adversaries from using automated techniques for collecting internal data. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
References
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1119 | Automated Collection |
Comments
This diagnostic statement prevents adversaries from using automated techniques for collecting internal data. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1119 | Automated Collection | |
| action.hacking.variety.Scan network | Enumerating the state of the network | related-to | T1119 | Automated Collection | |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1119 | Automated Collection | |
| attribute.confidentiality.data_disclosure | None | related-to | T1119 | Automated Collection |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| aws_config | AWS Config | technique_scores | T1119 | Automated Collection |
Comments
The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that storage volumes are encrypted, which may mitigate adversary attempts to automate collection within cloud environments: "ec2-ebs-encryption-by-default" which is run periodically and "encrypted-volumes" which is run on configuration changes.
Coverage factor is minimal for these rules, since they are specific to EBS volumes and will only prevent certain forms of collection since adversaries with access to mounted volumes may be able to decrypt their contents, resulting in an overall score of Minimal.
References
|