Home/ATT&CK Technique/Automated Collection
ATT&CK Technique

Automated Collection

T1119 · collection

Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.

This functionality could also be built into remote access tools. This technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files, as well as Cloud Service Dashboard and Cloud Storage Object Discovery to identify resources in cloud environments.

IaaSLinuxmacOSOffice SuiteSaaSWindows

Actors Using This

14
iranAgrius
russia_speaking_cybercrimeAkira
russia_speaking_cybercrimeALPHV / BlackCat
latin_america_brazilian_organized_cybercrimeAmavaldo
north_koreaAndariel
franceAnimal Farm
chinaAoqin Dragon
chinaAPT10
chinaAPT17
chinaAPT1
russiaAPT28
chinaAPT31
iranAPT33
iranOilRig

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
reconnaissance earlier
T1598 · Phishing for Information ×1.20T1598.003 · Spearphishing Link ×1.20
resource-development earlier
T1584.006 · Web Services ×1.20
initial-access earlier
T1659 · Content Injection ×1.20
persistence earlier
T1543.001 · Launch Agent ×1.20
privilege-escalation earlier
T1055.012 · Process Hollowing ×1.20T1546.001 · Change Default File Association ×1.20
credential-access earlier
T1212 · Exploitation for Credential Access ×1.20T1003.008 · /etc/passwd and /etc/shadow ×1.20
collection same
T1125 · Video Capture ×1.20T1025 · Data from Removable Media ×1.20
command-and-control later
T1071.003 · Mail Protocols ×1.20
exfiltration later
T1052 · Exfiltration Over Physical Medium ×1.20
other same
T1218.007 · Msiexec ×1.20T1480.001 · Environmental Keying ×1.20

Atomic Tests

4
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
command_promptwindowsAutomated Collection Command Prompt
Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_command_prompt_collection to see what was collected. 
mkdir %temp%\T1119_command_prompt_collection >nul 2>&1
dir c: /b /s .docx | findstr /e .docx
for /R c:\ %f in (*.docx) do copy /Y %f %temp%\T1119_command_prompt_collection
powershellwindowsAutomated Collection PowerShell
Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_powershell_collection to see what was collected. 
New-Item -Path $env:TEMP\T1119_powershell_collection -ItemType Directory -Force | Out-Null
Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination $env:TEMP\T1119_powershell_collection}
powershellwindowsRecon information for export with PowerShell
collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt to see what was collected. 
Get-Service > $env:TEMP\T1119_1.txt
Get-ChildItem Env: > $env:TEMP\T1119_2.txt
Get-Process > $env:TEMP\T1119_3.txt
command_promptwindowsRecon information for export with Command Prompt
collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt to see what was collected. 
sc query type=service > %TEMP%\T1119_1.txt
doskey /history > %TEMP%\T1119_2.txt
wmic process list > %TEMP%\T1119_3.txt
tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt

Mitigations

2
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1029Remote Data Storage

Remote Data Storage focuses on moving critical data, such as security logs and sensitive files, to secure, off-host locations to minimize unauthorized access, tampering, or destruction by adversaries. By leveraging remote storage solutions, organizations enhance the protection of forensic evidence, sensitive information, and monitoring data.

Centralized Log Management
  • Configure endpoints to forward security logs to a centralized log collector or SIEM.
  • Use tools like Splunk Graylog, or Security Onion to aggregate and store logs.
  • Example command (Linux): sudo auditd | tee /var/log/audit/audit.log | nc <remote-log-server> 514 Remote File Storage Solutions:.
  • Utilize cloud storage solutions like AWS S3, Google Cloud Storage, or Azure Blob Storage for sensitive data.
  • Ensure proper encryption at rest and access control policies (IAM roles, ACLs).
Intrusion Detection Log Forwarding
  • Forward logs from IDS/IPS systems (e.g., Zeek/Suricata) to a remote security information system.
Example for Suricata log forwarding: `outputs
  • type: syslog protocol: tls address: <remote-syslog-server>` Immutable Backup Configurations:.
  • Enable immutable storage settings for backups to prevent adversaries from modifying or deleting data.
  • Example: AWS S3 Object Lock.
Data Encryption
  • Ensure encryption for sensitive data using AES-256 at rest and TLS 1.2+ for data in transit. Tools: OpenSSL, BitLocker, LUKS for Linux.
M1041Encrypt Sensitive Information

Protect sensitive information at rest, in transit, and during processing by using strong encryption algorithms. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering.

Encrypt Data at Rest
  • Use Case: Use full-disk encryption or file-level encryption to secure sensitive data stored on devices.
  • Implementation: Implement BitLocker for Windows systems or FileVault for macOS devices to encrypt hard drives.
Encrypt Data in Transit
  • Use Case: Use secure communication protocols (e.g., TLS, HTTPS) to encrypt sensitive data as it travels over networks.
  • Implementation: Enable HTTPS for all web applications and configure mail servers to enforce STARTTLS for email encryption.
Encrypt Backups
  • Use Case: Ensure that backup data is encrypted both during storage and transfer to prevent unauthorized access.
  • Implementation: Encrypt cloud backups using AES-256 before uploading them to Amazon S3 or Google Cloud.
Encrypt Application Secrets
  • Use Case: Store sensitive credentials, API keys, and configuration files in encrypted vaults.
  • Implementation: Use HashiCorp Vault or AWS Secrets Manager to manage and encrypt secrets.
Database Encryption
  • Use Case: Enable Transparent Data Encryption (TDE) or column-level encryption in database management systems.
  • Implementation: Use MySQL’s built-in encryption features to encrypt sensitive database fields such as social security numbers.

Detection Coverage

1/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 4
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Caldera Emulation

1
MITRE Caldera abilities that emulate this technique - each is an executable action for automated adversary emulation.
collectionwindows, linuxAdvanced File Search and Stager
.\file_search.ps1 -Extensions '#{windows.included.extensions}' -ExcludedExtensions '#{windows.excluded.extensions}'
 -Directories '#{windows.included.directories}' -ExcludedDirectories '#{windows.excluded.directories}'
 -AccessedCutoff #{file.last.accessed} -ModifiedCutoff #{file.last.modified}
 -SearchStrings '#{file.sensitive.content}' -StagingDirectory '#{windows.staging.location}'
 -SafeMode $#{safe.mode.enabled} -PseudoExtension #{pseudo.data.identifier}

Comply & Defend

NIST 800-53AC-16, AC-17, AC-18, AC-19, AC-20, CM-02, CM-06, CM-08, CP-06, CP-07, CP-09, SC-04, SC-36, SI-04, SI-07, SI-12, SI-23
D3FEND11 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin