EXPLORE

← Back to Explore

T1119

Automated Collection

Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, t...

IaaSLinuxmacOSOffice SuiteSaaSWindows

11

Detections

3

Sources

20

Threat Actors

BY SOURCE

4sigma4splunk_escu3elastic

PROCEDURES (8)

Api2 detections

Auto-extracted: 2 detections for api

Network Connection Monitoring2 detections

Auto-extracted: 2 detections for network connection monitoring

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Service1 detections

Auto-extracted: 1 detections for service

Aws1 detections

Auto-extracted: 1 detections for aws

Service1 detections

Auto-extracted: 1 detections for service

THREAT ACTORS (20)

Agrius APT1 APT28 Chimera Confucius Ember Bear FIN5 FIN6 Gamaredon Group HAFNIUM Ke3chang menuPass Mustang Panda OilRig Patchwork RedCurl Sidewinder Threat Group-3390 Tropic Trooper Winter Vivern

DETECTIONS (11)

Automated Collection Command PowerShell

Automated Collection Command Prompt

AWS EC2 Export Task

AWS Exfiltration via Anomalous GetObject API Activity

AWS Exfiltration via Batch Service

AWS Exfiltration via DataSync Task

GCP Pub/Sub Subscription Creation

Potential Database Dumping Activity

Recon Information for Export with Command Prompt

Recon Information for Export with PowerShell

Windows File Collection Via Copy Utilities