Find sigma rule

Attack: Automated Collection

Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals.

In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.(Citation: Mandiant UNC3944 SMS Phishing 2023)

This functionality could also be built into remote access tools.

This technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files, as well as Cloud Service Dashboard and Cloud Storage Object Discovery to identify resources in cloud environments.

MITRE

Tactic

collection

technique

T1119

Test : Recon information for export with Command Prompt

OS

windows

Description:

collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt to see what was collected.

Executor

command_prompt

Sigma Rule

proc_creation_win_sc_query.yml (id: 57712d7a-679c-4a41-a913-87e7175ae429)
proc_creation_win_susp_recon.yml (id: aa2efee7-34dd-446e-8a37-40790a66efd7)
image_load_wmic_remote_xsl_scripting_dlls.yml (id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test