# T1119 Automated Collection

-----------------------------------------------------------------------

## Technique Description

Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This functionality could also be built into remote access tools. 

This technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538) and [Cloud Storage Object Discovery](https://attack.mitre.org/techniques/T1619) to identify resources in cloud environments.

## Technique Detection

Depending on the method used, actions could include common file system commands and parameters on the command-line interface within batch files or scripts. A sequence of actions like this may be unusual, depending on the system and network environment. Automated collection may occur along with other techniques such as [Data Staged](https://attack.mitre.org/techniques/T1074). As such, file access monitoring that shows an unusual process performing sequential file opens and potentially copy actions to another location on the file system for many files at once may indicate automated collection behavior. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), as well as through cloud APIs and command line interfaces.
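The "unusual process performing sequential file opens ... for many files at once" pattern above can be hunted directly from file-access telemetry. The block below is an added example written for this page, not code from MITRE or from any of the listed adversaries' tooling: it slides a time window over per-process file reads and flags a process that touches many documents across several directories in a short span, while allowlisting scanners that legitimately do the same. The input records (`ts`, `pid`, `image`, `path`, `access`) are constructed and their field names are an assumption; on Windows the read events would come from 4663 with a SACL in place or from EDR file-read telemetry, since Sysmon Event ID 11 only records file creation.

```python
"""Added example, not part of the MITRE page or this hunt template: flag a
process that reads many files of interest from several directories in a
short window.  Input is constructed file-access telemetry; field names are
an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the file stealers listed on this page go after (Confucius, Patchwork).
INTERESTING_EXT = {".txt", ".pdf", ".png", ".jpg", ".jpeg", ".doc", ".docx",
                   ".xls", ".xlsx", ".xlsm", ".xlm", ".odp", ".ods", ".odt",
                   ".rtf", ".ppt", ".pptx"}
# Processes that legitimately sweep user documents (AV scan, search indexer).
# Constructed allowlist keyed on full path, not basename, because a collector
# can trivially be named msmpeng.exe; tune to the environment.
ALLOWLIST = {
    r"c:\programdata\microsoft\windows defender\platform\msmpeng.exe",
    r"c:\windows\system32\searchindexer.exe",
}


def _ext(path):
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def _dir(path):
    return path.rsplit("\\", 1)[0]


def find_collection_bursts(events, window_s=60, min_files=20, min_dirs=3,
                           allowlist=ALLOWLIST):
    """Return {(pid, image): max distinct files read in one window} for every
    non-allowlisted process that read >= min_files distinct interesting files
    spanning >= min_dirs directories inside any window_s-second window."""
    per_proc = defaultdict(list)
    for ev in events:
        if ev["access"] != "read" or _ext(ev["path"]) not in INTERESTING_EXT:
            continue
        if ev["image"].lower() in allowlist:
            continue
        per_proc[(ev["pid"], ev["image"])].append((ev["ts"], ev["path"].lower()))

    window = timedelta(seconds=window_s)
    hits = {}
    for key, reads in per_proc.items():
        reads.sort()                       # sliding window over time-ordered reads
        start = 0
        for end, (t_end, _) in enumerate(reads):
            while t_end - reads[start][0] > window:
                start += 1
            files = {p for _, p in reads[start:end + 1]}
            dirs = {_dir(p) for p in files}
            if len(files) >= min_files and len(dirs) >= min_dirs:
                hits[key] = max(hits.get(key, 0), len(files))
    return hits


def build_sample_events():
    """Constructed telemetry, not real logs: a batch collector run under
    cmd.exe, a user working in Word, and an AV scan in the same minute."""
    t0 = datetime(2022, 6, 23, 14, 0, 0)
    folders = [r"C:\Users\alice\Documents", r"C:\Users\alice\Desktop",
               r"C:\Users\alice\Downloads", r"C:\Users\alice\OneDrive"]
    events = []
    for i in range(40):                    # 40 documents, 4 folders, 20 seconds
        events.append({"ts": t0 + timedelta(milliseconds=500 * i), "pid": 4312,
                       "image": r"C:\Windows\System32\cmd.exe",
                       "path": f"{folders[i % 4]}\\report_{i}.docx", "access": "read"})
    for i in range(3):                     # a person opening three files
        events.append({"ts": t0 + timedelta(seconds=100 * i), "pid": 5120,
                       "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                       "path": f"{folders[0]}\\memo_{i}.docx", "access": "read"})
    for i in range(200):                   # AV full scan: same shape, allowlisted
        events.append({"ts": t0 + timedelta(milliseconds=100 * i), "pid": 3000,
                       "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
                       "path": f"{folders[i % 4]}\\file_{i}.pdf", "access": "read"})
    return events


if __name__ == "__main__":
    for (pid, image), n in find_collection_bursts(build_sample_events()).items():
        print(f"possible automated collection: pid={pid} image={image} files={n}")
```

Only the `cmd.exe` collector is reported; Word stays under the threshold and the AV scan is dropped by the allowlist. Run with `allowlist=set()` to see why that allowlist is needed: the scanner produces exactly the burst shape this analytic looks for, which is the main false-positive source in practice.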

-----------------------------------------------------------------------

### Tactics:

  *   Collection

### Platforms:

  * Linux

  * macOS

  * Windows

  * IaaS

  * SaaS

### System Requirements:

  * Permissions to access directories, files, and API endpoints that store information of interest.

### Data Sources:

  * **File:** File Access

  * **Script:** Script Execution

  * **Command:** Command Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Confucius | [Confucius](https://attack.mitre.org/groups/G0142) has used a file stealer to steal documents and images with the following extensions: txt, pdf, png, jpg, doc, xls, xlm, odp, ods, odt, rtf, ppt, xlsx, xlsm, docx, pptx, and jpeg.(Citation: TrendMicro Confucius APT Aug 2021)| 
| Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) used custom batch scripts to collect files automatically from a targeted system.(Citation: Secureworks BRONZE PRESIDENT December 2019)| 
| Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has used tools to automatically collect system and network configuration information.(Citation: ATT Sidewinder January 2021)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has used a script to collect information about the infected system.(Citation: FoxIT Wocao December 2019)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used custom DLLs for continuous retrieval of data from memory.(Citation: NCC Group Chimera January 2021)| 
| Frankenstein | [Frankenstein](https://attack.mitre.org/groups/G0101) has enumerated hosts via [Empire](https://attack.mitre.org/software/S0363), gathering the username, domain name, machine name, and other system information.(Citation: Talos Frankenstein June 2019)| 
| Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has collected information automatically using the adversary's [USBferry](https://attack.mitre.org/software/S0452) attack.(Citation: TrendMicro Tropic Trooper May 2020)| 
| FIN5 | [FIN5](https://attack.mitre.org/groups/G0053) scans processes on all victim systems in the environment and uses automated scripts to pull back the results.(Citation: Mandiant FIN5 GrrCON Oct 2016)| 
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used automated collection.(Citation: Unit 42 Playbook Dec 2017)| 
| Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has deployed scripts on compromised systems that automatically scan for interesting documents.(Citation: ESET Gamaredon June 2020)| 
| menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used the Csvde tool to collect Active Directory files and data.(Citation: Symantec Cicada November 2020)| 
| Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) developed a file stealer to search C:\ and collect files with certain extensions. [Patchwork](https://attack.mitre.org/groups/G0040) also executed a script to enumerate all drives, store them as a list, and upload generated files to the C2 server.(Citation: TrendMicro Patchwork Dec 2017)| 
| FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has used a script to iterate through a list of compromised PoS systems, copy and remove data to a log file, and to bind to events from the submit payment button.(Citation: FireEye FIN6 April 2016)(Citation: Trend Micro FIN6 October 2019)| 
| Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) ran a command to compile an archive of file types of interest from the victim user's directories.(Citation: SecureWorks BRONZE UNION June 2017)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.(Citation: DOJ GRU Indictment Jul 2018)| 
| APT1 | [APT1](https://attack.mitre.org/groups/G0006) used a batch script to perform a series of discovery techniques and saved the output to a text file.(Citation: Mandiant APT1)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has performed frequent and scheduled data collection from victim networks.(Citation: Microsoft NICKEL December 2021)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1119)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Information Here

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

- Archives written with a non-standard or misleading extension (for example a ZIP renamed to `.dat` or `.txt`, or a file with no extension at all) will not match the extension-based queries below. Catching them requires checking file content (magic bytes) or keying on the process and the volume of file activity rather than the file name.

## Analytical References

  * [Powershell command and script logging (crowdstrike)](https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/)
  * [Scripting threat detection (redcanary)](https://redcanary.com/threat-detection-report/techniques/scripting/)
  * [Windows script executing Powershell (elastic)](https://www.elastic.co/guide/en/siem/guide/current/windows-script-executing-powershell.html)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** Identify all file creations with compressed file types.

  * **Source:** Sysmon, Winlogbeats

  * **Tool:** Kibana

  * **Notes:** Sysmon Event ID 11 (FileCreate) only fires for paths covered by the FileCreate rules in the Sysmon configuration, so confirm archive extensions are included. Compression tools are routinely renamed or dropped under another name, so pair the Event ID 1 image match with the `OriginalFileName` and `CommandLine` fields (for example `7z a`, `rar a`, `makecab`, `Compress-Archive`). Browser downloads and software installs write `.zip`/`.cab` files constantly; scope by process and path before alerting.

  * **Query:** ```Event_ID: 11 AND *.<compressed file extension here>```

  * **Query:** ```Event_ID: 1 AND *compression executable here*```

#### Analytic 2

  * **Information:** Identify compressed files in temp directories

  * **Source:** Sysmon, Winlogbeats

  * **Tool:** Kibana

  * **Notes:** Logged paths are expanded, so `%APPDATA%` never appears literally in an event; the per-user temp directory on disk is `C:\Users\<user>\AppData\Local\Temp`. Backslashes in paths need escaping or quoting in Kibana's query syntax.

  * **Query:** ```Event_ID: 11 AND *.<compressed file extension here> AND (C:\Windows\temp\* OR C:\Users\*\AppData\Local\Temp\*)```
  
  
#### Analytic 3

  * **Information:** Detect command-line script execution	

  * **Source:** Sysmon, Winlogbeats

  * **Tool:** Kibana

  * **Notes:** Event ID 4104 is PowerShell Script Block Logging (Microsoft-Windows-PowerShell/Operational); it must be enabled by policy and does not cover `cmd.exe` batch files. 4688 requires Audit Process Creation, and the command line is only captured when the "Include command line in process creation events" policy is on. Sysmon Event ID 1 and 4688 record the same launches, so pick one as the primary source to avoid double counting. `powershell.exe` and `cmd.exe` launches are routine on most hosts; pivot on the parent process (`cscript.exe`, `wscript.exe`, Office applications) and on command-line content rather than alerting on the image alone.

  * **Query:** ```Event_ID:4104```

  * **Query:** ```Event_ID:1 AND (powershell.exe OR cmd.exe)```

  * **Query:** ```Event_ID:4688 AND parent.process.name:(cscript.exe OR wscript.exe)```
  
#### Analytic 4

  * **Information:** Monitor file write and execute in temp directories

  * **Source:** Sysmon, Winlogbeats

  * **Tool:** Kibana

  * **Notes:** 4663 (An attempt was made to access an object) is only generated for directories that carry a SACL with file system object access auditing enabled; without that configuration this query returns nothing. Where no SACL is in place, use Sysmon Event ID 11 for writes and pair it with Event ID 1 to see what executed from the same directory.

  * **Query:** ```Event_ID:4663 AND (C:\Windows\temp\* OR C:\Users\*\AppData\Local\Temp\*)```
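The four host analytics above are written as Kibana query sketches with placeholders. As an added example for this page (not code from the hunt template or from MITRE), the block below expresses each analytic as a predicate and runs all four over constructed Winlogbeat/ECS-style events, so the matching logic, the corrected temp-directory paths, and the renamed-archive blindspot can be checked offline. The flattened field names (`event.code`, `file.path`, `process.name`, `process.parent.name`, `process.command_line`) are assumed from Winlogbeat's ECS mapping and should be verified against the index; the sample events are constructed, not real logs.

```python
"""Added example, not part of the MITRE page or this hunt template: the four
host analytics as predicates over constructed Winlogbeat/ECS-style events.
Field names are an assumption; check them against the index."""
import os
import re

ARCHIVE_EXT = {".zip", ".rar", ".7z", ".cab", ".gz", ".tgz", ".tar", ".bz2", ".xz"}
COMPRESSORS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe", "makecab.exe",
               "tar.exe", "zip.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
WSH_PARENTS = {"cscript.exe", "wscript.exe"}
# Logged paths are expanded: %TEMP% shows up as ...\AppData\Local\Temp, never
# as the %APPDATA% literal, so match on the on-disk locations.
TEMP_DIR = re.compile(r"(?i)\\windows\\temp\\|\\users\\[^\\]+\\appdata\\local\\temp\\")


def _ext(path):
    return os.path.splitext(path)[1].lower()


def analytic_1(ev):
    """Archive file created, or a compression tool / Compress-Archive launched."""
    code = ev.get("event.code")
    if code == "11":
        return _ext(ev.get("file.path", "")) in ARCHIVE_EXT
    if code == "1":
        return (ev.get("process.name", "").lower() in COMPRESSORS
                or "compress-archive" in ev.get("process.command_line", "").lower())
    return False


def analytic_2(ev):
    """Archive file created inside a temp directory."""
    path = ev.get("file.path", "")
    return (ev.get("event.code") == "11" and _ext(path) in ARCHIVE_EXT
            and TEMP_DIR.search(path) is not None)


def analytic_3(ev):
    """Script execution: script block log, script host launch, or WSH child."""
    code = ev.get("event.code")
    if code == "4104":
        return True
    if code == "1":
        return ev.get("process.name", "").lower() in SCRIPT_HOSTS
    if code == "4688":
        return ev.get("process.parent.name", "").lower() in WSH_PARENTS
    return False


def analytic_4(ev):
    """Object access in a temp directory (4663 only fires where a SACL is set)."""
    return (ev.get("event.code") == "4663"
            and TEMP_DIR.search(ev.get("file.path", "")) is not None)


ANALYTICS = {"1": analytic_1, "2": analytic_2, "3": analytic_3, "4": analytic_4}


def run_analytics(events):
    """Return {event id: [analytic numbers that matched]}."""
    return {ev["id"]: [n for n, fn in ANALYTICS.items() if fn(ev)] for ev in events}


# Constructed events, not real logs.  Event codes are strings, as ECS stores them.
SAMPLE_EVENTS = [
    {"id": "e1", "event.code": "1", "process.name": "7z.exe",
     "process.command_line": r"7z.exe a C:\Windows\Temp\out.7z C:\Users\alice\Documents\*.docx"},
    {"id": "e2", "event.code": "11", "process.name": "7z.exe",
     "file.path": r"C:\Windows\Temp\out.7z"},
    # blindspot: same staging directory, archive renamed to .dat; no analytic fires
    {"id": "e3", "event.code": "11", "process.name": "collect.exe",
     "file.path": r"C:\Users\alice\AppData\Local\Temp\stage.dat"},
    {"id": "e4", "event.code": "4104",
     "powershell.file.script_block_text": "Get-ChildItem -Recurse -Include *.docx"},
    {"id": "e5", "event.code": "4688", "process.name": "powershell.exe",
     "process.parent.name": "wscript.exe"},
    {"id": "e6", "event.code": "4663",
     "file.path": r"C:\Users\alice\AppData\Local\Temp\stage.dat"},
    # benign: browser download of a zip into the user's Downloads folder
    {"id": "e7", "event.code": "11", "process.name": "chrome.exe",
     "file.path": r"C:\Users\alice\Downloads\setup.zip"},
]

if __name__ == "__main__":
    for event_id, matched in run_analytics(SAMPLE_EVENTS).items():
        print(event_id, "->", matched or "no match")
```

Two results are worth noting. `e3` (the archive staged as `stage.dat`) matches nothing under Analytics 1 and 2 and is only seen by Analytic 4, which depends on a SACL being configured; that is the blindspot listed above. `e7` fires Analytic 1 on an ordinary browser download, which is why the process and path scoping in the notes matters before any of these predicates becomes an alert.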



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Extension-based queries only see what the sender chose to call the file. Suricata's file keywords (`filemagic` for the detected content type, `fileext`/`filename` for the declared name) can alert when an archive travels under a non-archive name, which is exceptionally useful against renamed staging files.
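The content-versus-name check behind that Suricata note, and the renamed-archive blindspot listed under Detection Blindspots, come down to the same test: read the leading bytes, decide what the file really is, and compare against the extension. The block below is an added example for this page (not Suricata code and not part of the hunt template) that performs that check on in-memory samples; the same function applies to a file carved from PCAP or to one found in a temp directory. The sample files are built inline with the standard library, and the 7z sample is a synthetic header only.

```python
"""Added example, not part of the MITRE page or this hunt template: classify
a file by its leading bytes and report when an archive carries a
non-archive extension.  Samples are constructed in memory."""
import gzip
import io
import os
import zipfile

# (leading bytes, archive type).  Office/ODF/JAR files are ZIP containers, so a
# ZIP signature under those extensions is normal and must not alert.
MAGIC = [
    (b"PK\x03\x04", "zip"), (b"PK\x05\x06", "zip"),
    (b"\x1f\x8b", "gzip"), (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"Rar!\x1a\x07", "rar"), (b"BZh", "bzip2"), (b"\xfd7zXZ\x00", "xz"),
]
EXPECTED_EXT = {"zip": {".zip"}, "gzip": {".gz", ".tgz"}, "7z": {".7z"},
                "rar": {".rar"}, "bzip2": {".bz2", ".tbz2"}, "xz": {".xz", ".txz"}}
ZIP_CONTAINERS = {".docx", ".xlsx", ".pptx", ".odt", ".ods", ".odp",
                  ".jar", ".apk", ".epub"}


def sniff_archive(data):
    """Return the archive type implied by the magic bytes, or None."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return None


def extension_mismatch(filename, data):
    """Return the real archive type if the extension hides it, else None."""
    kind = sniff_archive(data)
    if kind is None:
        return None
    ext = os.path.splitext(filename)[1].lower()
    if kind == "zip" and ext in ZIP_CONTAINERS:
        return None                      # legitimate ZIP-based document format
    return None if ext in EXPECTED_EXT[kind] else kind


def scan(files):
    """files: {name: bytes} -> {name: hidden archive type}, mismatches only."""
    found = {}
    for name, data in files.items():
        kind = extension_mismatch(name, data)
        if kind:
            found[name] = kind
    return found


def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_samples():
    """Constructed files, not captured data."""
    docs = {"q3/report.docx": b"quarterly numbers", "notes/memo.txt": b"call finance"}
    return {
        "backup.zip": _zip_bytes(docs),                       # archive, honest extension
        "notes.txt": _zip_bytes(docs),                        # archive hiding as text
        "update.dat": gzip.compress(b"staged data"),          # gzip hiding as .dat
        "photo.jpg": b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26,    # synthetic 7z header
        "memo.docx": _zip_bytes({"word/document.xml": b"<w:document/>"}),  # container
        "readme.txt": b"plain text, nothing to see",
    }


if __name__ == "__main__":
    for name, kind in scan(build_samples()).items():
        print(f"{name}: {kind} archive with a non-{kind} extension")
```

The `ZIP_CONTAINERS` exception is the caveat to keep in mind when writing the equivalent Suricata rule: a `.docx` is a ZIP file, so a naive "ZIP magic with non-.zip name" rule will alert on every Office document crossing the wire.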

#### Analytic 4

  * **Information:** Identify compressed files traversing the network over protocols such as SMB, FTP, HTTP and SMTP.

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:** Arkime matches the filename the protocol carried, so a renamed archive needs the content-based check described in the hunter note above. Encrypted transports (HTTPS, SFTP, SMB3 with encryption) expose no filename at all; for those, fall back to flow size and destination analysis.

  * **Query:** ```smb.fn == *.<compression type here>```

  * **Query:** ```ftp.fn == *.<compression type here>```

  * **Query:** ```email.fn == *.<compression type here>```
