Automated Collection

Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools.

This technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files.

ID: T1119
Sub-techniques: No sub-techniques
Tactic: Collection
Platforms: Linux, Windows, macOS
System Requirements: Permissions to access directories and files that store information of interest.
Permissions Required: User
Data Sources: Data loss prevention, File monitoring, Process command-line parameters
Version: 1.0
Created: 31 May 2017
Last Modified: 31 March 2020

Procedure Examples

Name Description
APT1

APT1 used a batch script to perform a series of discovery techniques and saved the output to a text file.[29]

APT28

APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.[27]

Attor

Attor has automatically collected data about the compromised system.[20]

BADNEWS

BADNEWS monitors USB devices and copies files with certain extensions to a predefined directory.[11]

Bankshot

Bankshot recursively generates a list of files within a directory and sends them back to the control server.[7]

Comnie

Comnie executes a batch script to store discovery information in %TEMP%\info.dat and then uploads the temporary file to the remote C2 server.[6]

FIN5

FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results.[30]

FIN6

FIN6 has used a script to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.[26]

Frankenstein

Frankenstein has enumerated hosts via Empire, gathering the username, domain name, machine name, and other system information.[31]

Helminth

A Helminth VBScript receives a batch script to execute a set of commands in a command prompt.[12]

InvisiMole

Each time a new drive is inserted, InvisiMole generates a list of all files on the drive and stores it in an encrypted file.[3]

LightNeuron

LightNeuron can be configured to automatically collect files under a specified directory.[18]

MESSAGETAP

MESSAGETAP checks two files, keyword_parm.txt and parm.txt, for instructions on how to target and save data parsed and extracted from SMS message data from the network traffic. If an SMS message contained either a phone number, IMSI number, or keyword that matched the predefined list, it is saved to a CSV file for later theft by the threat actor.[21]

Micropsia

Micropsia executes an RAR tool to recursively archive files based on a predefined list of file extensions (.xls, .xlsx, .csv, .odt, .doc, .docx, .ppt, .pptx, .pdf, .mdb, .accdb, .accde, .txt).[4]

OilRig

OilRig has used automated collection.[25]

Patchwork

Patchwork developed a file stealer to search C:\ and collect files with certain extensions. Patchwork also executed a script to enumerate all drives, store them as a list, and upload generated files to the C2 server.[11]

PoetRAT

PoetRAT used file system monitoring to track modification and enable automatic exfiltration.[19]

PoshC2

PoshC2 contains a module for recursively parsing through files and directories to gather valid credit card numbers.[1]

Proxysvc

Proxysvc automatically collects data about the victim and sends it to the control server.[8]

Ramsay

Ramsay can conduct an initial scan for Microsoft Word documents on the local system, removable media, and connected network drives, before tagging and collecting them. It can continue tagging documents to collect with follow up scans.[22]

Rover

Rover automatically collects files from the local system and removable drives based on a predefined list of file extensions on a regular timeframe.[9]

RTM

RTM monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings.[13][14]

ShimRatReporter

ShimRatReporter gathered information automatically, without instruction from a C2, related to the user and host machine that is compiled into a report and sent to the operators.[2]

T9000

T9000 searches removable storage devices for files with a pre-defined list of file extensions (e.g. .doc, .ppt, .xls, .docx, .pptx, .xlsx). Any matching files are encrypted and written to a local user directory.[15]

TajMahal

TajMahal has the ability to index and compress files into a send queue for exfiltration.[23]

Threat Group-3390

Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories.[28]

Tropic Trooper

Tropic Trooper has collected information automatically using the adversary's USBferry attack.[32]

USBStealer

For all non-removable drives on a victim, USBStealer executes automated collection of certain files for later exfiltration.[10]

VERMIN

VERMIN saves each collected file with the automatically generated format {{0:dd-MM-yyyy}}.txt.[5]

WindTail

WindTail can identify and add files that possess specific file extensions to an array for archiving.[24]

Zebrocy

Zebrocy scans the system and automatically collects files with the following extensions: .doc, .docx, .xls, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .jpeg, .bmp, .tiff, .kum, .tlg, .sbx, .cr, .hse, .hsf, and .lhz.[16][17]

Mitigations

Mitigation Description
Encrypt Sensitive Information

Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means. Where encrypted documents are protected by a password, use strong passwords so that a collected copy cannot be recovered by offline cracking through Brute Force techniques.

Remote Data Storage

Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means.

Detection

Depending on the method used, actions could include common file system commands and parameters on the command-line interface within batch files or scripts. A sequence of actions like this may be unusual, depending on the system and network environment. Automated collection may occur along with other techniques such as Data Staged. As such, file access monitoring that shows an unusual process performing sequential file opens and potentially copy actions to another location on the file system for many files at once may indicate automated collection behavior. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
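The two signals this section describes (scripted enumerate-and-copy command lines, and one process opening many document files in a short burst, as in the script-driven collectors in the procedure examples above) can be checked against endpoint telemetry directly. The following Python is an added example and is not code from the ATT&CK page or from any of the tools it lists. It runs over a handful of constructed log lines in an assumed `timestamp|event|pid|image|detail` schema (not a real product's format); the extension list, the command-line patterns and the thresholds are illustrative assumptions that would be tuned per environment.

```python
"""Toy detector for automated-collection behaviour (ATT&CK T1119).

Added example. Two heuristics from the Detection text:
  1. a ProcessCreate whose command line both enumerates files recursively
     (forfiles, for /r, dir /s, Get-ChildItem -Recurse, find -type f) AND
     copies or archives them (copy, xcopy, robocopy, cp, rar a, 7z a, tar c,
     Compress-Archive);
  2. a single process opening many distinct document files inside a short
     window, which is the file-access-monitoring signal.
The log schema 'timestamp|event|pid|image|detail' is assumed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# File types an automated collector typically targets (overlaps with the
# extension lists reported for Micropsia, T9000 and Zebrocy above).
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                  ".pdf", ".csv", ".mdb", ".accdb", ".txt"}

# Recursive enumeration verbs for cmd, PowerShell and POSIX shells.
ENUMERATE = re.compile(
    r"(\bforfiles\b|\bfor\s+/r\b|\bdir\b[^|&]*\s/s\b|get-childitem[^|&]*-recurse|"
    r"\bfind\b\s+\S+.*-type\s+f)", re.I)
# Copy / archive verbs that move the enumerated files somewhere.
COLLECT = re.compile(
    r"(\bcopy\b|\bxcopy\b|\brobocopy\b|\bcp\b|\brar\b\s+a\b|\b7z\b\s+a\b|"
    r"compress-archive|\btar\b\s+-?c)", re.I)


def parse_line(line):
    """Split 'timestamp|event|pid|image|detail' (assumed schema) into a dict."""
    ts, event, pid, image, detail = line.split("|", 4)  # detail may contain '|'
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "pid": int(pid), "image": image, "detail": detail}


def suspicious_command_lines(events):
    """ProcessCreate events whose command line enumerates recursively AND copies/archives."""
    hits = []
    for e in events:
        if (e["event"] == "ProcessCreate"
                and ENUMERATE.search(e["detail"]) and COLLECT.search(e["detail"])):
            hits.append((e["pid"], e["detail"]))
    return hits


def mass_document_access(events, threshold=20, window=timedelta(seconds=60)):
    """Return {pid: peak} for processes that open >= threshold distinct document
    files inside any interval of length `window` (sliding window per pid)."""
    opens = defaultdict(list)  # pid -> [(ts, path)]
    for e in events:
        if e["event"] != "FileOpen":
            continue
        path = e["detail"]
        ext = "." + path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext in DOC_EXTENSIONS:
            opens[e["pid"]].append((e["ts"], path))
    flagged = {}
    for pid, items in opens.items():
        first_seen = {}                      # count each path once, at first open
        for ts, path in sorted(items):
            first_seen.setdefault(path, ts)
        times = sorted(first_seen.values())
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[pid] = peak
    return flagged


def analyze(lines, **kw):
    events = [parse_line(line) for line in lines]
    return {"command_lines": suspicious_command_lines(events),
            "mass_access": mass_document_access(events, **kw)}


def constructed_log():
    """Constructed sample: pid 4242 is a forfiles-driven collector, pid 100 is a
    user working in Word, pid 300 enumerates a source tree but copies nothing."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = [
        f"{base.isoformat()}|ProcessCreate|4242|C:\\Windows\\System32\\cmd.exe|"
        'cmd.exe /c forfiles /p C:\\Users /s /m *.docx /c "cmd /c copy @path C:\\Windows\\Temp\\stage\\"',
        f"{base.isoformat()}|ProcessCreate|100|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|"
        'WINWORD.EXE /n "C:\\Users\\alice\\Documents\\report.docx"',
        f"{base.isoformat()}|ProcessCreate|300|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
        "powershell.exe Get-ChildItem -Recurse C:\\src | Measure-Object",
    ]
    for i in range(25):  # collector: 25 distinct .docx opens within 30 seconds
        ts = base + timedelta(seconds=5 + i)
        lines.append(f"{ts.isoformat()}|FileOpen|4242|C:\\Windows\\System32\\cmd.exe|"
                     f"C:\\Users\\alice\\Documents\\file{i}.docx")
    for i, minute in enumerate((1, 5, 9)):  # the human: three documents over ten minutes
        ts = base + timedelta(minutes=minute)
        lines.append(f"{ts.isoformat()}|FileOpen|100|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|"
                     f"C:\\Users\\alice\\Documents\\report{i}.docx")
    return lines


if __name__ == "__main__":
    print(analyze(constructed_log()))
```

Requiring both an enumeration verb and a copy/archive verb in the same command line keeps the PowerShell `Get-ChildItem -Recurse ... | Measure-Object` from firing, while the `forfiles ... copy` line and the 25-file burst from the same pid both do; a human opening three documents over ten minutes stays below the window threshold. In production the same logic would read Sysmon Event ID 1 and 11 (or EDR file-open telemetry) and the thresholds would be baselined per host role.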

References

  1. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  2. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  3. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  4. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  5. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  6. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  7. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  8. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  9. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  10. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  11. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  12. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  13. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  14. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  15. Grunzweig, J. and Miller-Osborn, J. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  16. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  17. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  18. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  19. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  20. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  21. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020.
  22. Sanmillan, I. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  23. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  24. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
  25. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  26. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  27. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  28. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  29. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  30. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  31. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  32. Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.