1. Home
  2. ATT&CK Techniques
  3. T1119 Automated Collection

T1119 Automated Collection Mappings

Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools.

This technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-16 Security and Privacy Attributes Protects T1119 Automated Collection
AC-17 Remote Access Protects T1119 Automated Collection
AC-18 Wireless Access Protects T1119 Automated Collection
AC-19 Access Control for Mobile Devices Protects T1119 Automated Collection
AC-20 Use of External Systems Protects T1119 Automated Collection
CM-2 Baseline Configuration Protects T1119 Automated Collection
CM-6 Configuration Settings Protects T1119 Automated Collection
CM-8 System Component Inventory Protects T1119 Automated Collection
CP-6 Alternate Storage Site Protects T1119 Automated Collection
CP-7 Alternate Processing Site Protects T1119 Automated Collection
CP-9 System Backup Protects T1119 Automated Collection
SC-36 Distributed Processing and Storage Protects T1119 Automated Collection
SC-4 Information in Shared System Resources Protects T1119 Automated Collection
SI-12 Information Management and Retention Protects T1119 Automated Collection
SI-23 Information Fragmentation Protects T1119 Automated Collection
SI-4 System Monitoring Protects T1119 Automated Collection
SI-7 Software, Firmware, and Information Integrity Protects T1119 Automated Collection
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1119 Automated Collection
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1119 Automated Collection
aws_config AWS Config technique_scores T1119 Automated Collection
Comments
The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that storage volumes are encrypted, which may mitigate adversary attempts to automate collection within cloud environments: "ec2-ebs-encryption-by-default" which is run periodically and "encrypted-volumes" which is run on configuration changes. Coverage factor is minimal for these rules, since they are specific to EBS volumes and will only prevent certain forms of collection since adversaries with access to mounted volumes may be able to decrypt their contents, resulting in an overall score of Minimal.
References
  1. https://docs.aws.amazon.com/config
  2. https://docs.aws.amazon.com/config/latest/developerguide
  3. https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html