Description
Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals.
In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.(Citation: Mandiant UNC3944 SMS Phishing 2023)
This functionality could also be built into remote access tools.
This technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files, as well as Cloud Service Dashboard and Cloud Storage Object Discovery to identify resources in cloud environments.
Mitigations (2)
Remote Data Storage (M1029)
Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means.
Encrypt Sensitive Information (M1041)
Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means. Strong passwords should be used on certain encrypted documents that use them to prevent offline crack
Threat Groups (21)
| ID | Group | Context |
|---|---|---|
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) conducted large-scale data exfiltration in the Stryker operation, consistent with automated or... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has deployed scripts on compromised systems that automatically scan for interesting documents... |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) engages in mass collection from compromised systems during intrusions.(Citation: Cadet Blizzard em... |
| G1039 | RedCurl | [RedCurl](https://attack.mitre.org/groups/G1039) has used batch scripts to collect data.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
| G0006 | APT1 | [APT1](https://attack.mitre.org/groups/G0006) used a batch script to perform a series of discovery techniques and save the output to a text file.(Citation: M... |
| G0004 | Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has performed frequent and scheduled data collection from victim networks.(Citation: Microsoft NICKE... |
| G0053 | FIN5 | [FIN5](https://attack.mitre.org/groups/G0053) scans processes on all victim systems in the environment and uses automated scripts to pull back the res... |
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has used MSGraph to exfiltrate data from email, OneDrive, and SharePoint.(Citation: Microsoft Silk Ty... |
| G1030 | Agrius | [Agrius](https://attack.mitre.org/groups/G1030) used a custom tool, `sql.net4.exe`, to query SQL databases and then identify and extract pe... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.(... |
| G1035 | Winter Vivern | [Winter Vivern](https://attack.mitre.org/groups/G1035) delivered a PowerShell script capable of recursively scanning victim machines looking for vario... |
| G0142 | Confucius | [Confucius](https://attack.mitre.org/groups/G0142) has used a file stealer to steal documents and images with the following extensions: txt, pdf, png,... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used automated collection.(Citation: Unit42 OilRig Playbook 2023) |
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has used a script to iterate through a list of compromised PoS systems, copy and remove data to a log fi... |
| G0040 | Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) developed a file stealer to search C:\ and collect files with certain extensions. [Patchwork](https... |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has collected information automatically using the adversary's [USBferry](https://attack.mitre.... |
| G0121 | Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has used tools to automatically collect system and network configuration information.(Citation: AT... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used custom DLLs for continuous retrieval of data from memory.(Citation: NCC Group Chimera Januar... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) ran a command to compile an archive of file types of interest from the victim user's direct... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) used custom batch scripts to collect files automatically from a targeted system.(Citation: Secu... |
Associated Software (46)
| ID | Name | Type | Context |
|---|---|---|---|
| S0098 | T9000 | Malware | [T9000](https://attack.mitre.org/software/S0098) searches removable storage devices for files with a pre-defined list of file extensions (e.g. `*.doc`,... |
| S0090 | Rover | Malware | [Rover](https://attack.mitre.org/software/S0090) automatically collects files from the local system and removable drives based on a predefined list of... |
| S0339 | Micropsia | Malware | [Micropsia](https://attack.mitre.org/software/S0339) executes an RAR tool to recursively archive files based on a predefined list of file extensions (... |
| S1043 | ccf32 | Malware | [ccf32](https://attack.mitre.org/software/S1043) can be used to automatically collect files from a compromised host.(Citation: Bitdefender FunnyDream ... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) searches for stored credentials associated with cryptocurrency wallets and notifies the command an... |
| S0244 | Comnie | Malware | [Comnie](https://attack.mitre.org/software/S0244) executes a batch script to store discovery information in %TEMP%\info.dat and then uploads the tempo... |
| S0684 | ROADTools | Tool | [ROADTools](https://attack.mitre.org/software/S0684) automatically gathers data from Azure AD environments using the Azure Graph API.(Citation: Roadto... |
| S0198 | NETWIRE | Malware | [NETWIRE](https://attack.mitre.org/software/S0198) can automatically archive collected data.(Citation: Red Canary NETWIRE January 2020) |
| S0378 | PoshC2 | Tool | [PoshC2](https://attack.mitre.org/software/S0378) contains a module for recursively parsing through files and directories to gather valid credit card ... |
| S0428 | PoetRAT | Malware | [PoetRAT](https://attack.mitre.org/software/S0428) used file system monitoring to track modification and enable automatic exfiltration.(Citation: Talo... |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) can automatically gather the username, domain name, machine name, and other information from a compr... |
| S0238 | Proxysvc | Malware | [Proxysvc](https://attack.mitre.org/software/S0238) automatically collects data about the victim and sends it to the control server.(Citation: McAfee ... |
| S0128 | BADNEWS | Malware | [BADNEWS](https://attack.mitre.org/software/S0128) monitors USB devices and copies files with certain extensions to a predefined directory.(Citation: ... |
| S0467 | TajMahal | Malware | [TajMahal](https://attack.mitre.org/software/S0467) has the ability to index and compress files into a send queue for exfiltration.(Citation: Kaspersk... |
| S0257 | VERMIN | Malware | [VERMIN](https://attack.mitre.org/software/S0257) saves each collected file with the automatically generated format `{0:dd-MM-yyyy}.txt`.(Citation: Uni... |
| S0455 | Metamorfo | Malware | [Metamorfo](https://attack.mitre.org/software/S0455) has automatically collected mouse clicks, continuous screenshots on the machine, and set timers t... |
| S9008 | Shai-Hulud | Malware | [Shai-Hulud](https://attack.mitre.org/software/S9008) has the ability to automatically collect host data, secrets, system information, and endpoints.(... |
| S0466 | WindTail | Malware | [WindTail](https://attack.mitre.org/software/S0466) can identify and add files that possess specific file extensions to an array for archiving.(Citati... |
| S0136 | USBStealer | Malware | For all non-removable drives on a victim, [USBStealer](https://attack.mitre.org/software/S0136) executes automated collection of certain files for lat... |
| S0622 | AppleSeed | Malware | [AppleSeed](https://attack.mitre.org/software/S0622) has automatically collected data from USB drives, keystrokes, and screen images before exfiltrati... |
Frequently Asked Questions
What is T1119 (Automated Collection)?
T1119 is a MITRE ATT&CK technique named 'Automated Collection'. It belongs to the Collection tactic(s). Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting...
How can T1119 be detected?
Detection of T1119 (Automated Collection) typically involves monitoring system logs, network traffic, and endpoint telemetry. On hosts, the most useful signals are process-creation and command-line events in which a scripting interpreter or archiver enumerates and copies files selected by type, location, or name, particularly when the same command recurs at fixed intervals. In cloud environments, review API audit logs for bulk reads performed through cloud APIs, data pipelines, command line interfaces, or ETL services. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
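The description above lists the traits of automated collection (a scripting interpreter or archiver, selection by file type, recursive search, copying to a staging location, repetition at set intervals), and the detection answer says to look for them in endpoint telemetry. The following added example, which is not part of the ATT&CK page or any vendor's detection content, turns those traits into a scoring heuristic over process-creation events and then checks whether a flagged command repeats at a near-constant interval on one host. The log format, the sample events, the keyword lists, the scoring weights and the threshold are all constructed assumptions for this example; a real deployment would map the parser onto the EDR or Sysmon fields actually available.

```python
"""Heuristic detection of T1119-style automated collection in process-creation telemetry.

Each command line is scored for the traits the technique description names, then flagged
commands are grouped per host to see whether they recur at a fixed interval.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry in a simplified one-line format (not real Sysmon/EDR output).
SAMPLE_EVENTS = [
    r'2024-05-02T09:00:00Z host=WS01 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c dir C:\Users /s /b *.docx *.xlsx *.pdf > C:\Windows\Temp\list.txt"',
    r'2024-05-02T10:00:00Z host=WS01 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c dir C:\Users /s /b *.docx *.xlsx *.pdf > C:\Windows\Temp\list.txt"',
    r'2024-05-02T11:00:00Z host=WS01 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c dir C:\Users /s /b *.docx *.xlsx *.pdf > C:\Windows\Temp\list.txt"',
    r'2024-05-02T09:05:00Z host=WS02 image=C:\Tools\rar.exe cmdline="rar.exe a -r C:\Windows\Temp\out.rar C:\Users\alice\Documents\*.doc *.xls"',
    r'2024-05-02T09:07:00Z host=WS03 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c copy C:\Users\bob\report.docx D:\backup\"',
    r'2024-05-02T09:08:00Z host=WS03 image=C:\Windows\explorer.exe cmdline="explorer.exe"',
]

# Assumed log layout: "<ISO timestamp> host=<name> image=<path> cmdline="<command line>"".
EVENT_RE = re.compile(r'^(\S+) host=(\S+) image=(\S+) cmdline="(.*)"$')
# Keyword lists are illustrative, not exhaustive.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "bash", "sh", "python", "python.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe", "tar", "zip"}
ARCHIVER_RE = re.compile(r"\b(?:rar|winrar|7z|7za|tar|zip|compress-archive)(?:\.exe)?\b", re.I)
DOC_EXT_RE = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|txt|rtf|csv)\b", re.I)
RECURSIVE_RE = re.compile(r"(?:\s/s\b|\s-r\b|-recurse\b|--recursive\b|\bfind\b)", re.I)
COPY_RE = re.compile(r"\b(?:copy|xcopy|robocopy|copy-item|cp|move)\b", re.I)


def parse_event(line):
    """Parse one constructed log line into a dict; image is reduced to its basename."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ts, host, image, cmdline = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "image": re.split(r"[\\/]", image)[-1].lower(),
        "cmdline": cmdline,
    }


def score_event(event):
    """Return (score, reasons); each reason corresponds to a trait from the technique description."""
    score, reasons = 0, []
    cl = event["cmdline"].lower()
    if event["image"] in INTERPRETERS:
        score += 1; reasons.append("scripting interpreter")
    if event["image"] in ARCHIVERS or ARCHIVER_RE.search(cl):
        score += 1; reasons.append("archiver")
    exts = {e.lower() for e in DOC_EXT_RE.findall(cl)}
    if len(exts) >= 2:  # selecting several document types at once is the strongest single signal
        score += 2; reasons.append(f"selects by file type: {sorted(exts)}")
    if RECURSIVE_RE.search(cl):
        score += 1; reasons.append("recursive search")
    if COPY_RE.search(cl):
        score += 1; reasons.append("copies/moves files")
    return score, reasons


def find_periodic(events, min_repeats=3, tolerance=0.2):
    """Group events by (host, cmdline) and report groups whose gaps are within tolerance of the mean."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["host"], ev["cmdline"])].append(ev["ts"])
    periodic = []
    for (host, cmdline), stamps in groups.items():
        if len(stamps) < min_repeats:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) / mean <= tolerance:
            periodic.append({"host": host, "cmdline": cmdline, "interval_s": mean, "count": len(stamps)})
    return periodic


def detect(lines, threshold=3):
    """Score raw log lines, keep those at or above threshold, then check them for periodic repetition."""
    flagged = []
    for ev in (parse_event(l) for l in lines):
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append({**ev, "score": score, "reasons": reasons})
    return {"flagged": flagged, "periodic": find_periodic(flagged)}


if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS)
    for f in result["flagged"]:
        print(f"[score {f['score']}] {f['host']} {f['image']}: {', '.join(f['reasons'])}")
    for p in result["periodic"]:
        print(f"periodic on {p['host']}: every {p['interval_s']:.0f}s x{p['count']} -> {p['cmdline'][:60]}")
```

On the constructed sample, the three hourly `dir /s` enumerations on WS01 and the recursive `rar` run on WS02 score 4 and are flagged; the WS01 command is additionally reported as periodic at 3600 s. The single-file `copy` on WS03 scores 2 and is not flagged, which illustrates why the threshold sits above "interpreter plus one verb": that combination describes ordinary administration. The weights are deliberately crude; in practice the periodic-repetition check is what separates scheduled collection from one-off user activity, and it should be tuned against the environment's own baseline of scheduled jobs.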
What mitigations exist for T1119?
There are 2 documented mitigations for T1119. Key mitigations include: Remote Data Storage, Encrypt Sensitive Information.
Which threat groups use T1119?
Known threat groups using T1119 include: VOID MANTICORE, Gamaredon Group, Ember Bear, RedCurl, APT1, Ke3chang, FIN5, HAFNIUM.