Automated Collection

Jump to: navigation, search
Automated Collection
ID T1119
Tactic Collection
Platform Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1
System Requirements Permissions to access directories and files that store information of interest.
Permissions Required User
Data Sources File monitoring, Process command-line parameters, Data loss prevention

Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of Scripting to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools.

This technique may incorporate use of other techniques such as File and Directory Discovery and Remote File Copy to identify and move files.


  • FIN6 has used a script to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.1
  • Rover automatically collects files from the local system and removable drives based on a predefined list of file extensions on a regular timeframe.2
  • T9000 searches removable storage devices for files with a pre-defined list of file extensions (e.g. *.doc, *.ppt, *.xls, *.docx, *.pptx, *.xlsx). Any matching files are encrypted and written to a local user directory.3
  • For all non-removable drives on a victim, USBStealer executes automated collection of certain files for later exfiltration.4


Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means. A keylogger installed on a system may be able to intercept passwords through Input Capture and be used to decrypt protected documents that an adversary may have collected. Strong passwords should be used to prevent offline cracking of encrypted documents through Brute Force techniques.

Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to collect files and audit and/or block them by using whitelisting5 tools, like AppLocker,67 or Software Restriction Policies8 where appropriate.9


Depending on the method used, actions could include common file system commands and parameters on the command-line interface within batch files or scripts. A sequence of actions like this may be unusual, depending on the system and network environment. Automated collection may occur along with other techniques such as Data Staged. As such, file access monitoring that shows an unusual process performing sequential file opens and potentially copy actions to another location on the file system for many files at once may indicate automated collection behavior. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.