Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools.
This technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files.
ID | Name | Description |
---|---|---|
G0006 | APT1 |
APT1 used a batch script to perform a series of discovery techniques and saves it to a text file.[1] |
G0007 | APT28 |
APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.[2] |
S0438 | Attor |
Attor has automatically collected data about the compromised system.[3] |
S0128 | BADNEWS |
BADNEWS monitors USB devices and copies files with certain extensions to a predefined directory.[4] |
S0239 | Bankshot |
Bankshot recursively generates a list of files within a directory and sends them back to the control server.[5] |
G0114 | Chimera |
Chimera has used custom DLLs for continuous retrieval of data from memory.[6] |
S0244 | Comnie |
Comnie executes a batch script to store discovery information in %TEMP%\info.dat and then uploads the temporarily file to the remote C2 server.[7] |
S0538 | Crutch |
Crutch can automatically monitor removable drives in a loop and copy interesting files.[8] |
G0053 | FIN5 |
FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results.[9] |
G0037 | FIN6 |
FIN6 has used a script to iterate through a list of compromised PoS systems, copy and remove data to a log file, and to bind to events from the submit payment button.[10][11] |
G0101 | Frankenstein |
Frankenstein has enumerated hosts via Empire, gathering the username, domain name, machine name, and other system information.[12] |
G0047 | Gamaredon Group |
Gamaredon Group has deployed scripts on compromised systems that automatically scan for interesting documents.[13] |
S0597 | GoldFinder |
GoldFinder logged and stored information related to the route or hops a packet took from a compromised machine to a hardcoded C2 server, including the target C2 URL, HTTP response/status code, HTTP response headers and values, and data received from the C2 node.[14] |
S0170 | Helminth |
A Helminth VBScript receives a batch script to execute a set of commands in a command prompt.[15] |
S0260 | InvisiMole |
InvisiMole can sort and collect specific documents as well as generate a list of all files on a newly inserted drive and store them in an encrypted file.[16][17] |
S0395 | LightNeuron |
LightNeuron can be configured to automatically collect files under a specified directory.[18] |
G0045 | menuPass |
menuPass has used the Csvde tool to collect Active Directory files and data.[19] |
S0443 | MESSAGETAP |
MESSAGETAP checks two files, keyword_parm.txt and parm.txt, for instructions on how to target and save data parsed and extracted from SMS message data from the network traffic. If an SMS message contained either a phone number, IMSI number, or keyword that matched the predefined list, it is saved to a CSV file for later theft by the threat actor.[20] |
S0455 | Metamorfo |
Metamorfo has automatically collected mouse clicks, continuous screenshots on the machine, and set timers to collect the contents of the clipboard and website browsing.[21] |
S0339 | Micropsia |
Micropsia executes an RAR tool to recursively archive files based on a predefined list of file extensions (.xls, .xlsx, .csv, .odt, .doc, .docx, .ppt, .pptx, .pdf, .mdb, .accdb, .accde, *.txt).[22] |
G0129 | Mustang Panda |
Mustang Panda used custom batch scripts to collect files automatically from a targeted system.[23] |
S0198 | NETWIRE | |
G0049 | OilRig | |
G0116 | Operation Wocao |
Operation Wocao has used a script to collect information about the infected system.[26] |
G0040 | Patchwork |
Patchwork developed a file stealer to search C:\ and collect files with certain extensions. Patchwork also executed a script to enumerate all drives, store them as a list, and upload generated files to the C2 server.[4] |
S0428 | PoetRAT |
PoetRAT used file system monitoring to track modification and enable automatic exfiltration.[27] |
S0378 | PoshC2 |
PoshC2 contains a module for recursively parsing through files and directories to gather valid credit card numbers.[28] |
S0238 | Proxysvc |
Proxysvc automatically collects data about the victim and sends it to the control server.[29] |
S0458 | Ramsay |
Ramsay can conduct an initial scan for Microsoft Word documents on the local system, removable media, and connected network drives, before tagging and collecting them. It can continue tagging documents to collect with follow up scans.[30] |
S0090 | Rover |
Rover automatically collects files from the local system and removable drives based on a predefined list of file extensions on a regular timeframe.[31] |
S0148 | RTM |
RTM monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings.[32][33] |
S0445 | ShimRatReporter |
ShimRatReporter gathered information automatically, without instruction from a C2, related to the user and host machine that is compiled into a report and sent to the operators.[34] |
G0121 | Sidewinder |
Sidewinder has used tools to automatically collect system and network configuration information.[35] |
S0491 | StrongPity |
StrongPity has a file searcher component that can automatically collect and archive files based on a predefined list of file extensions.[36] |
S0098 | T9000 |
T9000 searches removable storage devices for files with a pre-defined list of file extensions (e.g. * .doc, .ppt, .xls, .docx, .pptx, *.xlsx). Any matching files are encrypted and written to a local user directory.[37] |
S0467 | TajMahal |
TajMahal has the ability to index and compress files into a send queue for exfiltration.[38] |
G0027 | Threat Group-3390 |
Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories.[39] |
G0081 | Tropic Trooper |
Tropic Trooper has collected information automatically using the adversary's USBferry attack.[40] |
S0136 | USBStealer |
For all non-removable drives on a victim, USBStealer executes automated collection of certain files for later exfiltration.[41] |
S0476 | Valak |
Valak can download a module to search for and build a report of harvested credential data.[42] |
S0257 | VERMIN |
VERMIN saves each collected file with the automatically generated format {{0:dd-MM-yyyy}}.txt .[43] |
S0466 | WindTail |
WindTail can identify and add files that possess specific file extensions to an array for archiving.[44] |
S0251 | Zebrocy |
Zebrocy scans the system and automatically collects files with the following extensions: .doc, .docx, ,.xls, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .jpeg, .bmp, .tiff, .kum, .tlg, .sbx, .cr, .hse, .hsf, and .lhz.[45][46] |
ID | Mitigation | Description |
---|---|---|
M1041 | Encrypt Sensitive Information |
Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means. Strong passwords should be used on certain encrypted documents that use them to prevent offline cracking through Brute Force techniques. |
M1029 | Remote Data Storage |
Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means. |
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Access |
DS0012 | Script | Script Execution |
Depending on the method used, actions could include common file system commands and parameters on the command-line interface within batch files or scripts. A sequence of actions like this may be unusual, depending on the system and network environment. Automated collection may occur along with other techniques such as Data Staged. As such, file access monitoring that shows an unusual process performing sequential file opens and potentially copy actions to another location on the file system for many files at once may indicate automated collection behavior. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.