Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of [Scripting](https://attack.mitre.org/techniques/T1064) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. This technique may incorporate use of other techniques such as File and Directory Discovery and Remote File Copy to identify and move files.

- Atomic Test #3 - Recon information for export with PowerShell
- Atomic Test #4 - Recon information for export with Command Prompt
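
Automated Collection

Supported Platforms: Windows

```cmd
rem Recursively list files and keep the names that end in .docx
dir c: /b /s .docx | findstr /e .docx
rem Copy every .docx file found under c: to c:\temp\
for /R c: %f in (*.docx) do copy %f c:\temp\
```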

Automated Collection

Supported Platforms: Windows

```powershell
# Recursively find *.doc files and copy each one to c:\temp
Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination c:\temp}
```

Collect information for exfiltration

Supported Platforms: Windows

```powershell
# Write service, environment and process listings to files in the temp directory
Get-Service > $env:TEMP\T1119_1.txt
Get-ChildItem Env: > $env:TEMP\T1119_2.txt
Get-Process > $env:TEMP\T1119_3.txt
# Remove the staged files
Remove-Item $env:TEMP\T1119_1.txt
Remove-Item $env:TEMP\T1119_2.txt
Remove-Item $env:TEMP\T1119_3.txt
```

Collect information for exfiltration

Supported Platforms: Windows

```cmd
rem Write service, command history, process and directory listings to files in %TEMP%
sc query type=service > %TEMP%\T1119_1.txt
doskey /history > %TEMP%\T1119_2.txt
wmic process list > %TEMP%\T1119_3.txt
tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt
rem Remove the staged files
del %TEMP%\T1119_1.txt
del %TEMP%\T1119_2.txt
del %TEMP%\T1119_3.txt
del %TEMP%\T1119_4.txt
```
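
A defender-side sketch of what the tests above should trigger, added here as an example and not part of the Atomic Red Team project: it scans logged command text for a recursive search-and-copy of document files and for a burst of command output redirected into the temp directory. The event tuple layout, rule names, window and threshold values, host names and sample events are assumptions constructed for illustration; the command text is assumed to be logged with variables unexpanded.

```python
import re
from collections import defaultdict

# Recursive walk combined with a copy action (cmd "for /R ... copy" or
# PowerShell "Get-ChildItem -Recurse ... Copy-Item").
BULK_COPY = re.compile(
    r"(for\s+/r\b.*\bcopy\b|get-childitem\b.*-recurse\b.*\bcopy-item\b)", re.I)
# Document extensions worth alerting on (assumed list, extend as needed).
DOC_EXT = re.compile(r"\*?\.(docx?|xlsx?|pdf|pptx?)\b", re.I)
# Output redirected into the temp directory, cmd or PowerShell syntax.
TEMP_REDIRECT = re.compile(r">\s*(%temp%|\$env:temp)\\", re.I)

def detect(events, window=60, threshold=3):
    """events: (epoch_seconds, host, command_text) tuples.
    Returns a list of (host, rule, timestamp) alerts in time order."""
    alerts = []
    staged = defaultdict(list)  # host -> timestamps of recent temp redirects
    for ts, host, cmd in sorted(events):
        if BULK_COPY.search(cmd) and DOC_EXT.search(cmd):
            alerts.append((host, "bulk_document_copy", ts))
        if TEMP_REDIRECT.search(cmd):
            recent = [t for t in staged[host] if ts - t <= window] + [ts]
            staged[host] = recent
            # Fire once, when the burst first reaches the threshold.
            if len(recent) == threshold:
                alerts.append((host, "recon_output_staging", ts))
    return alerts

# Constructed sample events (not real telemetry), modelled on the tests above.
SAMPLE = [
    (100, "ws01", r"cmd.exe /c sc query type=service > %TEMP%\T1119_1.txt"),
    (102, "ws01", r"cmd.exe /c doskey /history > %TEMP%\T1119_2.txt"),
    (105, "ws01", r"cmd.exe /c wmic process list > %TEMP%\T1119_3.txt"),
    (200, "ws02", r'cmd.exe /c "for /R c: %f in (*.docx) do copy %f c:\temp\"'),
    (300, "ws03", r"Get-ChildItem -Recurse -Include *.doc | "
                  r"% {Copy-Item $_.FullName -destination c:\temp}"),
    (400, "ws04", r"cmd.exe /c ipconfig > %TEMP%\net.txt"),  # single redirect
]

if __name__ == "__main__":
    for host, rule, ts in detect(SAMPLE):
        print(f"{ts} {host} {rule}")
```

The single redirect on `ws04` stays below the threshold, so one-off administrative use does not alert; tune `window` and `threshold` against a baseline of normal activity.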