AUTOMATED COLLECTION (T1119)

Overview

Automated Collection (ATT&CK ID: T1119) is a technique in which adversaries use scripts or tooling to gather information from a target system automatically, increasing both the speed and the scale of data collection. It belongs to the "Collection" tactic of the MITRE ATT&CK framework.

Noteworthy Attacks and Observations

APT28 (Fancy Bear) - 2016

  • Incident: Democratic National Committee (DNC) Hack

  • Details: Leveraged PowerShell scripts and custom malware to collect data, focusing on email archives and documents.

  • Impact: Significant email disclosure, impacting the U.S. 2016 Presidential Election.

  • Technical Insight: Used tools like X-Agent to automate the collection of documents, screenshots, and keystrokes.

FIN7 - 2017

  • Incident: Targeting Financial Institutions

  • Details: Used sophisticated phishing campaigns to deliver malware (Carbanak/Anunak) with modules for automated financial data collection.

  • Impact: Theft of millions of credit card records and financial losses.

  • Technical Insight: Malware harvested data from POS systems using scripts to collect payment card data automatically.

Turla Group - 2018

  • Incident: Operation Neuron

  • Details: Conducted espionage against European organizations using the Gazer backdoor to exfiltrate data.

  • Impact: Compromise of sensitive diplomatic communications.

  • Technical Insight: Automated scripts embedded in tools to extract and exfiltrate targeted documents.

APT33 - 2019

  • Incident: Targeting Aerospace and Energy sectors

  • Details: Used DropShot malware to collect system data and exfiltrate it to C2 servers.

  • Impact: Compromise of proprietary and operational data.

  • Technical Insight: Used WMI to pull data efficiently from multiple systems.


Key Tools and Techniques

  • PowerShell Scripts: Used to automate data collection because of PowerShell's flexibility and its presence on every Windows installation.

  • Custom Malware: APTs write specific malware like Carbanak, X-Agent, and Gazer for efficient and stealthy data collection.

  • WMI and Scripting Languages: Used for data extraction on Windows systems because of their powerful querying capabilities.

Relevant People and Groups

  • APT28 (Fancy Bear): Linked to Russian military intelligence (GRU), involved in high-profile cyber-espionage campaigns.

  • FIN7 (Carbanak Group): Focuses on financial gain, responsible for sophisticated attacks on retail, hospitality, and financial sectors.

  • Turla Group: Russian-speaking cyber espionage group targeting government and military sectors.

  • APT33: Associated with Iran, targeting aerospace, energy, and other critical infrastructures.


Windows Environments

  • Monitor logs for unusual invocation of system utilities such as PowerShell, particularly script blocks that enumerate and copy large numbers of files.

  • Use tools such as Windows Event Viewer, Sysmon, or SIEM solutions.

  • Ensure only necessary accounts have data access; audit permissions with tools like PowerShell scripts or Security Compliance Toolkit.

  • Install and configure solutions like Microsoft Defender ATP.

  • Segment your network to limit lateral movement; use Windows firewall or advanced solutions.

  • Keep systems updated with Windows Update or WSUS.
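One way to turn the first two bullets above into concrete detection logic, as an added example that is not from the original page: a small Python scorer run over constructed PowerShell Script Block Logging (Event ID 4104) records of the kind a SIEM would export. The record shape, the user names, the indicator list and the weights are all assumptions to be tuned against a real environment.

```python
import re
from collections import Counter

# Constructed sample records in the shape of PowerShell Script Block Logging
# (Event ID 4104) exports: (event_id, user, script_text). The user names and
# the content are made up for this example.
SAMPLE_EVENTS = [
    (4104, "alice", r"Get-ChildItem C:\Users -Recurse -Include *.docx,*.xlsx,*.pdf "
                    r"| Copy-Item -Destination C:\Windows\Temp\st"),
    (4104, "alice", r"Compress-Archive -Path C:\Windows\Temp\st "
                    r"-DestinationPath C:\Windows\Temp\st.zip"),
    (4104, "svc_backup", r"Get-Service | Where-Object Status -eq 'Running'"),
    (4104, "bob", r"Get-Content .\notes.txt"),
]

# Indicator regexes with weights (the weights are an assumption to tune locally).
# Any single indicator is routine admin work; several of them across one user's
# recent script blocks is what makes automated collection and staging stand out.
INDICATORS = {
    "recursive_enum": (re.compile(r"Get-ChildItem\b.*-Recurse", re.I), 1),
    "document_filter": (re.compile(r"\*\.(docx?|xlsx?|pdf|pst|txt)\b", re.I), 1),
    "bulk_copy": (re.compile(r"Copy-Item\b.*-Destination", re.I), 1),
    "archive": (re.compile(r"Compress-Archive\b|\b7z\.exe\b|\brar\.exe\b", re.I), 2),
    "staging_dir": (re.compile(r"\\(Temp|ProgramData|Public)\\", re.I), 1),
}


def score_block(script_text):
    """Return the set of indicator names that fire on a single script block."""
    return {name for name, (rx, _) in INDICATORS.items() if rx.search(script_text)}


def flag_users(events, threshold=4):
    """Sum indicator weights per user over all of their 4104 script blocks.

    Returns {user: (score, sorted indicator names)} for users whose score
    reaches the threshold; everyone else is dropped as normal activity.
    """
    scores, hits = Counter(), {}
    for event_id, user, text in events:
        if event_id != 4104:          # only script block logging records
            continue
        fired = score_block(text)
        scores[user] += sum(INDICATORS[name][1] for name in fired)
        hits.setdefault(user, set()).update(fired)
    return {u: (s, sorted(hits[u])) for u, s in scores.items() if s >= threshold}


if __name__ == "__main__":
    for user, (score, names) in flag_users(SAMPLE_EVENTS).items():
        print(f"{user}: score={score} indicators={names}")
```

In a real deployment the aggregation would be bounded by a time window per user or host, and the indicator list extended with the archiving and copy utilities seen locally.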

MacOS

  • Use the macOS built-in unified logging and audit subsystems, and review the logs they produce.

  • Use solutions such as Jamf, Sophos, or Carbon Black.

  • Restrict AppleScript and Unix shell scripting where they are not needed; disable unnecessary services and keep System Integrity Protection (SIP) enabled.

  • Encrypt sensitive data using FileVault and enforce policies.

  • Keep OS and applications updated via automatic updates in System Preferences.

Linux Environments

  • Utilize auditd, journald, or syslog to capture and analyze logs.

  • Use AIDE or Tripwire to monitor changes in key system files.

  • Enforce minimal privilege policies with SELinux, AppArmor, and user permissions.

  • Audit and monitor cron jobs and startup scripts, for example by listing each user's scheduled jobs with the crontab command.

  • Use APT or YUM for OS and application updates.


Amazon AWS

  • Use CloudTrail to log API activity and CloudWatch for monitoring.

  • Regularly review IAM policies to enforce least privilege.

  • Enable GuardDuty to detect anomalies.

  • Audit permissions; enable server-side encryption.

  • Use AWS Systems Manager Patch Manager.

Google Cloud Platform (GCP)

  • Enable Stackdriver Logging and Monitoring for visibility.

  • Conduct IAM role and permission audits.

  • Use Security Command Center for comprehensive monitoring.

  • Enforce permissions and encryption on Google Cloud Storage.

  • Use Forseti Security for audits and compliance.

Microsoft Azure

  • Detect and respond to potential threats with Azure Security Center.

  • Implement Azure Monitor and Log Analytics.

  • Regularly review Azure AD roles and permissions.

  • Configure storage accounts with proper access controls and encryption.

  • Use Azure Update Management.
