Automated Collection

Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of Scripting to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools.

This technique may incorporate use of other techniques such as File and Directory Discovery and Remote File Copy to identify and move files.

ID: T1119

Tactic: Collection

Platform:  Linux, macOS, Windows

System Requirements:  Permissions to access directories and files that store information of interest.

Permissions Required:  User

Data Sources:  File monitoring, Data loss prevention, Process command-line parameters

Version: 1.0



APT1 used a batch script to perform a series of discovery techniques and saves it to a text file.[1]


APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.[2]


BADNEWS monitors USB devices and copies files with certain extensions to
a predefined directory.[3]


Bankshot recursively generates a list of files within a directory and sends them back to the control server.[4]


Comnie executes a batch script to store discovery information in %TEMP%\info.dat and then uploads the temporarily file to the remote C2 server.[5]


FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results.[6]


FIN6 has used a script to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.[7]


A Helminth VBScript receives a batch script to execute a set of commands in a command prompt.[8]


Each time a new drive is inserted, InvisiMole generates a list of all files on the drive and stores it in an encrypted file.[9]


Micropsia executes an RAR tool to recursively archive files based on a predefined list of file extensions (.xls, .xlsx, .csv, .odt, .doc, .docx, .ppt, .pptx, .pdf, .mdb, .accdb, .accde, *.txt).[10]


OilRig has used automated collection.[11]


Patchwork developed a file stealer to search C:\ and collect files with certain extensions. Patchwork also executed a script to enumerate all drives, store them as a list, and upload generated files to the C2 server.[3]


PoshC2 contains a module for recursively parsing through files and directories to gather valid credit card numbers.[12]


Proxysvc automatically collects data about the victim and sends it to the control server.[13]


Rover automatically collects files from the local system and removable drives based on a predefined list of file extensions on a regular timeframe.[14]


RTM monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings.[15]


T9000 searches removable storage devices for files with a pre-defined list of file extensions (e.g. * .doc, .ppt, .xls, .docx, .pptx, *.xlsx). Any matching files are encrypted and written to a local user directory.[16]

Threat Group-3390

Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories.[17]


For all non-removable drives on a victim, USBStealer executes automated collection of certain files for later exfiltration.[18]


VERMIN saves each collected file with the automatically generated format {0:dd-MM-yyyy}.txt .[19]


Zebrocy scans the system and collects files with the following extensions: .docs, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .bmp, .tiff.[20]


Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means. A keylogger installed on a system may be able to intercept passwords through Input Capture and be used to decrypt protected documents that an adversary may have collected. Strong passwords should be used to prevent offline cracking of encrypted documents through Brute Force techniques.

Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to collect files and audit and/or block them by using whitelisting [21] tools, like AppLocker, [22] [23] or Software Restriction Policies [24] where appropriate. [25]


Depending on the method used, actions could include common file system commands and parameters on the command-line interface within batch files or scripts. A sequence of actions like this may be unusual, depending on the system and network environment. Automated collection may occur along with other techniques such as Data Staged. As such, file access monitoring that shows an unusual process performing sequential file opens and potentially copy actions to another location on the file system for many files at once may indicate automated collection behavior. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.


  1. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  2. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  3. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  4. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  5. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  6. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  7. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  8. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  9. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  10. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  11. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  12. Nettitude. (2016, June 8). PoshC2: Powershell C2 Server and Implants. Retrieved April 23, 2019.
  13. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.