security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1119/T1119.md
T
Atomic Red Team doc generator 5ede8f21e4 Generated docs from job=generate-docs branch=master [ci skip]
2025-02-13 22:03:40 +00:00

171 lines
4.5 KiB
Markdown
Raw Permalink Blame History

# T1119 - Automated Collection
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1119)
<blockquote>
Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals.
In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.(Citation: Mandiant UNC3944 SMS Phishing 2023)
This functionality could also be built into remote access tools.
This technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538) and [Cloud Storage Object Discovery](https://attack.mitre.org/techniques/T1619) to identify resources in cloud environments.
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Automated Collection Command Prompt](#atomic-test-1---automated-collection-command-prompt)
- [Atomic Test #2 - Automated Collection PowerShell](#atomic-test-2---automated-collection-powershell)
- [Atomic Test #3 - Recon information for export with PowerShell](#atomic-test-3---recon-information-for-export-with-powershell)
- [Atomic Test #4 - Recon information for export with Command Prompt](#atomic-test-4---recon-information-for-export-with-command-prompt)
<br/>
## Atomic Test #1 - Automated Collection Command Prompt
Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_command_prompt_collection
to see what was collected.
**Supported Platforms:** Windows
**auto_generated_guid:** cb379146-53f1-43e0-b884-7ce2c635ff5b
#### Attack Commands: Run with `command_prompt`!
```cmd
mkdir %temp%\T1119_command_prompt_collection >nul 2>&1
dir c: /b /s .docx | findstr /e .docx
for /R c:\ %f in (*.docx) do copy /Y %f %temp%\T1119_command_prompt_collection
```
#### Cleanup Commands:
```cmd
del %temp%\T1119_command_prompt_collection /F /Q >nul 2>&1
```
<br/>
<br/>
## Atomic Test #2 - Automated Collection PowerShell
Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_powershell_collection
to see what was collected.
**Supported Platforms:** Windows
**auto_generated_guid:** 634bd9b9-dc83-4229-b19f-7f83ba9ad313
#### Attack Commands: Run with `powershell`!
```powershell
New-Item -Path $env:TEMP\T1119_powershell_collection -ItemType Directory -Force | Out-Null
Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination $env:TEMP\T1119_powershell_collection}
```
#### Cleanup Commands:
```powershell
Remove-Item $env:TEMP\T1119_powershell_collection -Force -ErrorAction Ignore | Out-Null
```
<br/>
<br/>
## Atomic Test #3 - Recon information for export with PowerShell
collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt
to see what was collected.
**Supported Platforms:** Windows
**auto_generated_guid:** c3f6d794-50dd-482f-b640-0384fbb7db26
#### Attack Commands: Run with `powershell`!
```powershell
Get-Service > $env:TEMP\T1119_1.txt
Get-ChildItem Env: > $env:TEMP\T1119_2.txt
Get-Process > $env:TEMP\T1119_3.txt
```
#### Cleanup Commands:
```powershell
Remove-Item $env:TEMP\T1119_1.txt -ErrorAction Ignore
Remove-Item $env:TEMP\T1119_2.txt -ErrorAction Ignore
Remove-Item $env:TEMP\T1119_3.txt -ErrorAction Ignore
```
<br/>
<br/>
## Atomic Test #4 - Recon information for export with Command Prompt
collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt
to see what was collected.
**Supported Platforms:** Windows
**auto_generated_guid:** aa1180e2-f329-4e1e-8625-2472ec0bfaf3
#### Attack Commands: Run with `command_prompt`!
```cmd
sc query type=service > %TEMP%\T1119_1.txt
doskey /history > %TEMP%\T1119_2.txt
wmic process list > %TEMP%\T1119_3.txt
tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt
```
#### Cleanup Commands:
```cmd
del %TEMP%\T1119_1.txt >nul 2>&1
del %TEMP%\T1119_2.txt >nul 2>&1
del %TEMP%\T1119_3.txt >nul 2>&1
del %TEMP%\T1119_4.txt >nul 2>&1
```
<br/>
Reference in New Issue View Git Blame Copy Permalink