Automated Collection

Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools.

This technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files.

ID: T1119
Sub-techniques:  No sub-techniques
Tactic: Collection
Platforms: Linux, Windows, macOS
System Requirements: Permissions to access directories and files that store information of interest.
Permissions Required: User
Version: 1.0
Created: 31 May 2017
Last Modified: 31 March 2020
Provided by LAYER 8

Procedure Examples

ID Name Description
G0006 APT1

APT1 used a batch script to perform a series of discovery techniques and saves it to a text file.[1]

G0007 APT28

APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.[2]

S0438 Attor

Attor has automatically collected data about the compromised system.[3]

S0128 BADNEWS

BADNEWS monitors USB devices and copies files with certain extensions to a predefined directory.[4]

S0239 Bankshot

Bankshot recursively generates a list of files within a directory and sends them back to the control server.[5]

G0114 Chimera

Chimera has used custom DLLs for continuous retrieval of data from memory.[6]

S0244 Comnie

Comnie executes a batch script to store discovery information in %TEMP%\info.dat and then uploads the temporarily file to the remote C2 server.[7]

S0538 Crutch

Crutch can automatically monitor removable drives in a loop and copy interesting files.[8]

G0053 FIN5

FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results.[9]

G0037 FIN6

FIN6 has used a script to iterate through a list of compromised PoS systems, copy and remove data to a log file, and to bind to events from the submit payment button.[10][11]

G0101 Frankenstein

Frankenstein has enumerated hosts via Empire, gathering the username, domain name, machine name, and other system information.[12]

G0047 Gamaredon Group

Gamaredon Group has deployed scripts on compromised systems that automatically scan for interesting documents.[13]

S0597 GoldFinder

GoldFinder logged and stored information related to the route or hops a packet took from a compromised machine to a hardcoded C2 server, including the target C2 URL, HTTP response/status code, HTTP response headers and values, and data received from the C2 node.[14]

S0170 Helminth

A Helminth VBScript receives a batch script to execute a set of commands in a command prompt.[15]

S0260 InvisiMole

InvisiMole can sort and collect specific documents as well as generate a list of all files on a newly inserted drive and store them in an encrypted file.[16][17]

S0395 LightNeuron

LightNeuron can be configured to automatically collect files under a specified directory.[18]

G0045 menuPass

menuPass has used the Csvde tool to collect Active Directory files and data.[19]

S0443 MESSAGETAP

MESSAGETAP checks two files, keyword_parm.txt and parm.txt, for instructions on how to target and save data parsed and extracted from SMS message data from the network traffic. If an SMS message contained either a phone number, IMSI number, or keyword that matched the predefined list, it is saved to a CSV file for later theft by the threat actor.[20]

S0455 Metamorfo

Metamorfo has automatically collected mouse clicks, continuous screenshots on the machine, and set timers to collect the contents of the clipboard and website browsing.[21]

S0339 Micropsia

Micropsia executes an RAR tool to recursively archive files based on a predefined list of file extensions (.xls, .xlsx, .csv, .odt, .doc, .docx, .ppt, .pptx, .pdf, .mdb, .accdb, .accde, *.txt).[22]

G0129 Mustang Panda

Mustang Panda used custom batch scripts to collect files automatically from a targeted system.[23]

S0198 NETWIRE

NETWIRE can automatically archive collected data.[24]

G0049 OilRig

OilRig has used automated collection.[25]

G0116 Operation Wocao

Operation Wocao has used a script to collect information about the infected system.[26]

G0040 Patchwork

Patchwork developed a file stealer to search C:\ and collect files with certain extensions. Patchwork also executed a script to enumerate all drives, store them as a list, and upload generated files to the C2 server.[4]

S0428 PoetRAT

PoetRAT used file system monitoring to track modification and enable automatic exfiltration.[27]

S0378 PoshC2

PoshC2 contains a module for recursively parsing through files and directories to gather valid credit card numbers.[28]

S0238 Proxysvc

Proxysvc automatically collects data about the victim and sends it to the control server.[29]

S0458 Ramsay

Ramsay can conduct an initial scan for Microsoft Word documents on the local system, removable media, and connected network drives, before tagging and collecting them. It can continue tagging documents to collect with follow up scans.[30]

S0090 Rover

Rover automatically collects files from the local system and removable drives based on a predefined list of file extensions on a regular timeframe.[31]

S0148 RTM

RTM monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings.[32][33]

S0445 ShimRatReporter

ShimRatReporter gathered information automatically, without instruction from a C2, related to the user and host machine that is compiled into a report and sent to the operators.[34]

G0121 Sidewinder

Sidewinder has used tools to automatically collect system and network configuration information.[35]

S0491 StrongPity

StrongPity has a file searcher component that can automatically collect and archive files based on a predefined list of file extensions.[36]

S0098 T9000

T9000 searches removable storage devices for files with a pre-defined list of file extensions (e.g. * .doc, .ppt, .xls, .docx, .pptx, *.xlsx). Any matching files are encrypted and written to a local user directory.[37]

S0467 TajMahal

TajMahal has the ability to index and compress files into a send queue for exfiltration.[38]

G0027 Threat Group-3390

Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories.[39]

G0081 Tropic Trooper

Tropic Trooper has collected information automatically using the adversary's USBferry attack.[40]

S0136 USBStealer

For all non-removable drives on a victim, USBStealer executes automated collection of certain files for later exfiltration.[41]

S0476 Valak

Valak can download a module to search for and build a report of harvested credential data.[42]

S0257 VERMIN

VERMIN saves each collected file with the automatically generated format {{0:dd-MM-yyyy}}.txt .[43]

S0466 WindTail

WindTail can identify and add files that possess specific file extensions to an array for archiving.[44]

S0251 Zebrocy

Zebrocy scans the system and automatically collects files with the following extensions: .doc, .docx, ,.xls, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .jpeg, .bmp, .tiff, .kum, .tlg, .sbx, .cr, .hse, .hsf, and .lhz.[45][46]

Mitigations

ID Mitigation Description
M1041 Encrypt Sensitive Information

Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means. Strong passwords should be used on certain encrypted documents that use them to prevent offline cracking through Brute Force techniques.

M1029 Remote Data Storage

Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access
DS0012 Script Script Execution

Depending on the method used, actions could include common file system commands and parameters on the command-line interface within batch files or scripts. A sequence of actions like this may be unusual, depending on the system and network environment. Automated collection may occur along with other techniques such as Data Staged. As such, file access monitoring that shows an unusual process performing sequential file opens and potentially copy actions to another location on the file system for many files at once may indicate automated collection behavior. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

References

  1. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  2. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  3. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  4. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  5. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  6. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
  7. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  8. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  9. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  10. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  11. Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020.
  12. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  13. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  14. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  15. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  16. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  17. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  18. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  19. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  20. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020.
  21. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  22. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  23. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  1. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  2. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  3. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  4. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  5. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  6. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  7. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  8. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  9. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  10. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  11. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  12. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  13. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  14. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  15. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  16. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  17. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  18. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  19. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
  20. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  21. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
  22. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  23. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.