Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools.
This technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-16 | Security and Privacy Attributes | Protects | T1119 | Automated Collection | |
AC-17 | Remote Access | Protects | T1119 | Automated Collection | |
AC-18 | Wireless Access | Protects | T1119 | Automated Collection | |
AC-19 | Access Control for Mobile Devices | Protects | T1119 | Automated Collection | |
AC-20 | Use of External Systems | Protects | T1119 | Automated Collection | |
CM-2 | Baseline Configuration | Protects | T1119 | Automated Collection | |
CM-6 | Configuration Settings | Protects | T1119 | Automated Collection | |
CM-8 | System Component Inventory | Protects | T1119 | Automated Collection | |
CP-6 | Alternate Storage Site | Protects | T1119 | Automated Collection | |
CP-7 | Alternate Processing Site | Protects | T1119 | Automated Collection | |
CP-9 | System Backup | Protects | T1119 | Automated Collection | |
SC-36 | Distributed Processing and Storage | Protects | T1119 | Automated Collection | |
SC-4 | Information in Shared System Resources | Protects | T1119 | Automated Collection | |
SI-12 | Information Management and Retention | Protects | T1119 | Automated Collection | |
SI-23 | Information Fragmentation | Protects | T1119 | Automated Collection | |
SI-4 | System Monitoring | Protects | T1119 | Automated Collection | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1119 | Automated Collection | |
azure_sentinel | Azure Sentinel | technique_scores | T1119 | Automated Collection | Comments: The following Azure Sentinel Hunting queries can identify potentially malicious automated collection: "Multiple large queries made by user" and "Query data volume anomolies" can identify that automated queries are being used to collect data in bulk. "New ServicePrincipal running queries" can indicate that an application is performing automated collection via queries. The following Azure Sentinel Analytics queries can identify potentially malicious automated collection: "Mass secret retrieval from Azure Key Vault" and "Azure Key Vault access TimeSeries anomaly" can detect a sudden increase in access counts, which may indicate that an adversary is dumping credentials via automated methods. "Users searching for VIP user activity" can identify potentially suspicious Log Analytics queries by users looking for a listing of 'VIP' activity. The coverage for these queries is minimal (applicable to specific technologies), resulting in an overall Minimal score. |
cloud_app_security_policies | Cloud App Security Policies | technique_scores | T1119 | Automated Collection | Comments: This control's Information protection policies can detect and encrypt sensitive information at rest on supported platforms, which can inhibit automated data collection activities. |
cloud_app_security_policies | Cloud App Security Policies | technique_scores | T1119 | Automated Collection | Comments: This control can detect sensitive information at rest, which may be indicative of data collection activities. |