mirror of
https://github.com/valitydev/atomic-threat-coverage.git
synced 2024-11-06 17:45:23 +00:00
T1119 - Automated Collection
Description from ATT&CK
Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of [Scripting](https://attack.mitre.org/techniques/T1064) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. This technique may incorporate use of other techniques such as File and Directory Discovery and Remote File Copy to identify and move files.
Atomic Tests
Atomic Test #1 - Automated Collection Command Prompt
Automated Collection
Supported Platforms: Windows
Run it with command_prompt!
dir c: /b /s .docx | findstr /e .docx
for /R c: %f in (*.docx) do copy %f c:\temp\
Atomic Test #2 - Automated Collection PowerShell
Automated Collection
Supported Platforms: Windows
Run it with powershell!
Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination c:\temp}
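Detection side of the two atomic tests above, as an added example that is not part of this repository or of the atomic tests themselves: it matches the command-line shapes the tests produce against process-creation events. The rule names, the `Computer` values and the sample events are constructed for illustration; the `Image` and `CommandLine` field names assume Sysmon Event ID 1 style logging.

```python
import re

# Command-line shapes produced by the two atomic tests on this page.
# Rule names are hypothetical labels chosen for this example.
RULES = [
    # Test #1, first command: recursive dir listing piped into findstr.
    ("cmd_recursive_dir_filter",
     re.compile(r"\bdir\b.*\s/s\b.*\|\s*findstr\b", re.I)),
    # Test #1, second command: "for /R" walk whose body copies each match.
    ("cmd_for_r_copy",
     re.compile(r"\bfor\s+/r\b.*\bdo\s+(copy|xcopy|move)\b", re.I)),
    # Test #2: recursive Get-ChildItem piped into Copy-Item (or its aliases).
    ("ps_recurse_copy",
     re.compile(r"\b(get-childitem|gci)\b.*-rec\w*.*\|.*\b(copy-item|cpi|copy)\b",
                re.I)),
]

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "dir c: /b /s .docx | findstr /e .docx"'},
    {"Computer": "ws01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "for /R c: %f in (*.docx) do copy %f c:\temp\"'},
    {"Computer": "ws02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination c:\temp}"},
    # Benign look-alikes that must not fire.
    {"Computer": "ws03", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "for /f %i in (hosts.txt) do ping %i"'},
    {"Computer": "ws03", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Get-ChildItem -Recurse C:\logs | Measure-Object"},
    {"Computer": "ws03", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy report.docx d:\backup" + "\\"},
]

def match_rules(command_line):
    """Return the names of all rules whose pattern matches the command line."""
    return [name for name, rx in RULES if rx.search(command_line)]

def detect(events):
    """Return (computer, rule, command_line) for every rule hit, in event order."""
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        for rule in match_rules(cmd):
            hits.append((ev.get("Computer", "?"), rule, cmd))
    return hits

if __name__ == "__main__":
    for host, rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{host}\t{rule}\t{cmd}")
```

Command-line matching of this kind only sees what is logged at process creation, so commands typed into an already running interactive shell need PowerShell script block logging or file-access auditing on the staging directory to be visible.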