Automated Collection
Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.(Citation: Mandiant UNC3944 SMS Phishing 2023) This functionality could also be built into remote access tools. This technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files, as well as Cloud Service Dashboard and Cloud Storage Object Discovery to identify resources in cloud environments.
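Scripted search-and-copy loops of the kind described above leave a distinctive trace: one process touching many user-document files across several directories in a short window, often on a fixed timer. The detection logic below is an added example written for this page, not ATT&CK's own code or a sensor vendor's rule. It assumes a constructed tab-separated file-read event format (`timestamp<TAB>process<TAB>path`), an assumed set of document extensions, and assumed thresholds that would need tuning against a real host baseline; the sample log is constructed inline.

```python
"""Flag T1119-style automated collection from file-read events.

Added example, not part of the ATT&CK page. The event schema, extension set,
thresholds and sample log are all assumptions made for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extensions typical of user documents (assumed list; extend per environment)
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                       ".pdf", ".txt", ".csv", ".odt", ".mdb", ".accdb"}

# Thresholds are assumptions; tune them to the baseline of the monitored hosts
WINDOW_SECONDS = 60      # sliding window per process
MIN_FILES = 10           # distinct document files read inside the window
MIN_DIRECTORIES = 3      # distinct parent directories inside the window


def parse_event(line):
    """Parse one 'timestamp<TAB>process<TAB>path' file-read event (constructed format).

    Returns (datetime, process name lower-cased, PureWindowsPath), or None if the
    line is malformed so one bad record cannot stop the sweep.
    """
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1].lower(), PureWindowsPath(parts[2])


def detect_bulk_document_reads(lines):
    """Return one alert per process that reads MIN_FILES distinct document files in
    MIN_DIRECTORIES or more directories within WINDOW_SECONDS.

    Events are expected in time order, as a sensor would deliver them.
    """
    windows = defaultdict(deque)   # process -> deque of (ts, path) inside the window
    alerts = {}
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        ts, process, path = event
        if path.suffix.lower() not in DOCUMENT_EXTENSIONS:
            continue
        window = windows[process]
        window.append((ts, path))
        # Drop entries that fell out of the window relative to the newest event
        while (ts - window[0][0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        files = {p for _, p in window}
        dirs = {p.parent for _, p in window}
        if (len(files) >= MIN_FILES and len(dirs) >= MIN_DIRECTORIES
                and process not in alerts):
            alerts[process] = {
                "process": process,
                "files": len(files),
                "directories": len(dirs),
                "first": window[0][0].isoformat(),
                "last": ts.isoformat(),
            }
    return list(alerts.values())


def regular_cadence(timestamps, tolerance_seconds=60):
    """True when three or more events are spaced at a near-constant interval, the
    pattern left by collection driven by a timer rather than by user action.

    Accepts datetimes or ISO-8601 strings.
    """
    if len(timestamps) < 3:
        return False
    ts = sorted(datetime.fromisoformat(t) if isinstance(t, str) else t
                for t in timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return max(gaps) - min(gaps) <= tolerance_seconds


def constructed_sample_log():
    """Constructed sample: a scripted sweep by powershell.exe (12 documents in four
    folders within 25 s) next to ordinary Word use (3 files over 10 minutes)."""
    base = datetime(2024, 3, 4, 9, 0, 0)
    folders = ["Documents", "Documents\\Finance", "Desktop", "Downloads"]
    lines = []
    for i in range(12):
        ts = base + timedelta(seconds=2 * i + 1)
        lines.append(f"{ts.isoformat()}\tpowershell.exe\t"
                     f"C:\\Users\\alice\\{folders[i % 4]}\\report{i}.docx")
    for i in range(3):
        ts = base + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat()}\tWINWORD.EXE\t"
                     f"C:\\Users\\alice\\Documents\\memo{i}.docx")
    return sorted(lines)   # ISO timestamps sort lexicographically into time order


if __name__ == "__main__":
    for alert in detect_bulk_document_reads(constructed_sample_log()):
        print(alert)
```

The per-process sliding window is the design choice that matters: counting reads host-wide would fire on ordinary backup agents and indexers, while keying on the process and requiring spread across directories isolates the search-and-copy behaviour; `regular_cadence` is meant to run over the creation times of archives or staging files produced by the flagged process.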
Procedure Examples

| Name | Description |
|---|---|
| NPPSPY | NPPSPY collection is automatically recorded to a specified file on the victim machine.(Citation: Huntress NPPSPY 2022) |
| Proxysvc | Proxysvc automatically collects data about the victim and sends it to the control server.(Citation: McAfee GhostSecret) |
| RotaJakiro | Depending on the Linux distribution, RotaJakiro executes a set of commands to collect device information and sends the collected information to the C2 server.(Citation: RotaJakiro 2021 netlab360 analysis) |
| WindTail | WindTail can identify and add files that possess specific file extensions to an array for archiving.(Citation: objective-see windtail2 jan 2019) |
| ShimRatReporter | ShimRatReporter gathered information automatically, without instruction from a C2, related to the user and host machine; the information is compiled into a report and sent to the operators.(Citation: FOX-IT May 2016 Mofang) |
| Pacu | Pacu can automatically collect data, such as CloudFormation templates, EC2 user data, AWS Inspector reports, and IAM credential reports.(Citation: GitHub Pacu) |
| Bankshot | Bankshot recursively generates a list of files within a directory and sends them back to the control server.(Citation: McAfee Bankshot) |
| StrongPity | StrongPity has a file searcher component that can automatically collect and archive files based on a predefined list of file extensions.(Citation: Bitdefender StrongPity June 2020) |
| AppleSeed | AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration.(Citation: KISA Operation Muzabi) |
| NETWIRE | NETWIRE can automatically archive collected data.(Citation: Red Canary NETWIRE January 2020) |
| Empire | Empire can automatically gather the username, domain name, machine name, and other information from a compromised system.(Citation: Talos Frankenstein June 2019) |
| LoFiSe | LoFiSe can collect all the files from the working directory every three hours and place them into a password-protected archive for further exfiltration.(Citation: Kaspersky ToddyCat Check Logs October 2023) |
| InvisiMole | InvisiMole can sort and collect specific documents as well as generate a list of all files on a newly inserted drive and store them in an encrypted file.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020) |
| PoshC2 | PoshC2 contains a module for recursively parsing through files and directories to gather valid credit card numbers.(Citation: GitHub PoshC2) |
| VERMIN | VERMIN saves each collected file with the automatically generated name format `{0:dd-MM-yyyy}.txt`.(Citation: Unit 42 VERMIN Jan 2018) |
| PACEMAKER | PACEMAKER can enter a loop to read `/proc/` entries every 2 seconds in order to read a target application's memory.(Citation: Mandiant Pulse Secure Zero-Day April 2021) |
| Lumma Stealer | Lumma Stealer has automated collection of various information including cryptocurrency wallet details.(Citation: Cybereason LumaStealer Undated) |
| Rover | Rover automatically collects files from the local system and removable drives based on a predefined list of file extensions on a regular timeframe.(Citation: Palo Alto Rover) |
| LightNeuron | LightNeuron can be configured to automatically collect files under a specified directory.(Citation: ESET LightNeuron May 2019) |
| ROADTools | ROADTools automatically gathers data from Azure AD environments using the Azure Graph API.(Citation: Roadtools) |
| DarkGate | DarkGate searches for stored credentials associated with cryptocurrency wallets and notifies the command and control server when identified.(Citation: Ensilo Darkgate 2018) |
| Metamorfo | Metamorfo has automatically collected mouse clicks, continuous screenshots on the machine, and set timers to collect the contents of the clipboard and website browsing.(Citation: FireEye Metamorfo Apr 2018) |
| T9000 | T9000 searches removable storage devices for files with a pre-defined list of file extensions (e.g. *.doc, *.ppt, *.xls, *.docx, *.pptx, *.xlsx). Any matching files are encrypted and written to a local user directory.(Citation: Palo Alto T9000 Feb 2016) |
| Micropsia | Micropsia executes a RAR tool to recursively archive files based on a predefined list of file extensions (*.xls, *.xlsx, *.csv, *.odt, *.doc, *.docx, *.ppt, *.pptx, *.pdf, *.mdb, *.accdb, *.accde, *.txt).(Citation: Radware Micropsia July 2018) |
| Attor | Attor has automatically collected data about the compromised system.(Citation: ESET Attor Oct 2019) |
| Crutch | Crutch can automatically monitor removable drives in a loop and copy interesting files.(Citation: ESET Crutch December 2020) |
| RTM | |