T1119

Automated Collection

Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or ETL services to automatically collect data. This functionality could also be built into remote access tools. This technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files, as well as Cloud Service Dashboard and Cloud Storage Object Discovery to identify resources in cloud environments.

Microsoft Sentinel / Defender

kusto

let SensitiveExtensions = dynamic([
  ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx",
  ".mdb", ".accdb", ".csv", ".pst", ".ost", ".kdbx", ".pfx",
  ".pem", ".p12", ".key", ".rtf", ".txt"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // PowerShell recursive document search and collection
    (FileName in~ ("powershell.exe", "pwsh.exe") and
     ProcessCommandLine has_any ("-Recurse", "Get-ChildItem", "GCI ", "gci ") and
     ProcessCommandLine has_any (SensitiveExtensions))
    or
    // CMD recursive file enumeration targeting document types
    (FileName =~ "cmd.exe" and
     ProcessCommandLine has "dir" and ProcessCommandLine has "/s" and
     ProcessCommandLine has_any (SensitiveExtensions))
    or
    // forfiles automated file processing
    (ProcessCommandLine has "forfiles" and
     ProcessCommandLine has_any (SensitiveExtensions))
    or
    // Mass file copy with recursive flags (bulk staging)
    (FileName =~ "robocopy.exe" and
     ProcessCommandLine has_any ("/s", "/e", "/S", "/E", "/MIR", "/mir"))
    or
    (FileName =~ "xcopy.exe" and ProcessCommandLine has_any ("/s", "/S"))
    or
    // Archive tools ingesting document collections (pre-exfiltration staging)
    (FileName in~ ("rar.exe", "winrar.exe") and
     ProcessCommandLine has_any (" a ", "-a", "/a") and
     ProcessCommandLine has_any (SensitiveExtensions))
    or
    (FileName =~ "7z.exe" and
     ProcessCommandLine has_any (" a ", "a ") and
     ProcessCommandLine has_any (SensitiveExtensions))
    or
    // Python file traversal and collection scripts
    (FileName in~ ("python.exe", "python3.exe") and
     ProcessCommandLine has_any ("os.walk", "glob.glob", "shutil.copy", "os.listdir", "scandir"))
    or
    // VBScript/JScript file collection via Scripting.FileSystemObject
    (FileName in~ ("wscript.exe", "cscript.exe") and
     ProcessCommandLine has_any ("GetFolder", "GetFile", "CopyFile", "MoveFile", "Files"))
)
| extend AutoColl_RecursiveSearch = ProcessCommandLine has_any ("-Recurse", "/s", "/S", "os.walk", "forfiles", "Get-ChildItem")
| extend AutoColl_SensitiveExt = ProcessCommandLine has_any (SensitiveExtensions)
| extend AutoColl_ArchiveTool = FileName in~ ("rar.exe", "winrar.exe", "7z.exe")
| extend AutoColl_MassCopy = FileName in~ ("robocopy.exe", "xcopy.exe")
| extend AutoColl_CredentialFiles = ProcessCommandLine has_any (".pfx", ".pem", ".p12", ".key", ".kdbx")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         AutoColl_RecursiveSearch, AutoColl_SensitiveExt, AutoColl_ArchiveTool,
         AutoColl_MassCopy, AutoColl_CredentialFiles
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Backup software agents (Veeam, Acronis, Windows Backup) performing scheduled recursive file enumeration and copy operations using robocopy or xcopy with standard recursive flags
Enterprise file sync and DLP agents (OneDrive sync client, SharePoint sync, Varonis, Symantec DLP) scanning for specific document types as part of classification and policy enforcement
IT administrators running robocopy or PowerShell Get-ChildItem for bulk file migrations, server decommissions, or departmental data reorganization projects
Software developers using Python scripts with os.walk or glob.glob for build processes, automated test data preparation, or log parsing pipelines
Anti-virus and endpoint security products performing scheduled content-inspection scans that enumerate files by extension type across user directories

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval cmdline=lower(CommandLine), proc=lower(Image)
| eval RecursiveSearch=if(match(cmdline, "(get-childitem|gci |-recurse|dir /s|forfiles|os\.walk|glob\.glob|scandir)"), 1, 0)
| eval SensitiveExt=if(match(cmdline, "(\.docx?|\.xlsx?|\.pdf|\.pptx?|\.pst|\.ost|\.mdb|\.accdb|\.kdbx|\.pfx|\.pem|\.p12|\.key|\.csv)"), 1, 0)
| eval ArchiveTool=if(match(proc, "(rar\.exe|winrar\.exe|7z\.exe)"), 1, 0)
| eval MassCopy=if(match(proc, "(robocopy\.exe|xcopy\.exe)") AND match(cmdline, "(/s|/e|/mir)"), 1, 0)
| eval ScriptInterpreter=if(match(proc, "(powershell\.exe|pwsh\.exe|python[23]?\.exe|wscript\.exe|cscript\.exe)"), 1, 0)
| eval CredentialFiles=if(match(cmdline, "(\.pfx|\.pem|\.p12|\.key|\.kdbx)"), 1, 0)
| eval SuspicionScore=RecursiveSearch + SensitiveExt + ArchiveTool + MassCopy + CredentialFiles
| where (ScriptInterpreter=1 AND RecursiveSearch=1 AND SensitiveExt=1)
    OR MassCopy=1
    OR (ArchiveTool=1 AND SensitiveExt=1)
    OR SuspicionScore >= 2
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        RecursiveSearch, SensitiveExt, ArchiveTool, MassCopy, CredentialFiles, SuspicionScore
| sort - SuspicionScore, - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Backup software agents (Veeam, Acronis, Windows Backup) performing scheduled recursive file enumeration and copy operations using robocopy or xcopy with standard recursive flags
Enterprise file sync and DLP agents (OneDrive sync client, SharePoint sync, Varonis, Symantec DLP) scanning for specific document types as part of classification and policy enforcement
IT administrators running robocopy or PowerShell Get-ChildItem for bulk file migrations, server decommissions, or departmental data reorganization projects
Software developers using Python scripts with os.walk or glob.glob for build processes, automated test data preparation, or log parsing pipelines
Anti-virus and endpoint security products performing scheduled content-inspection scans that enumerate files by extension type across user directories

Elastic Security (EQL)

eql

process where event.type == "start" and
(
  // PowerShell recursive document search
  (process.name in~ ("powershell.exe", "pwsh.exe") and
   process.args : ("-Recurse", "Get-ChildItem", "GCI") and
   process.command_line : ("*.doc*", "*.xls*", "*.pdf", "*.ppt*", "*.pst", "*.ost", "*.mdb", "*.accdb", "*.csv", "*.kdbx", "*.pfx", "*.pem", "*.p12", "*.key", "*.rtf", "*.txt"))
  or
  // CMD recursive file enumeration
  (process.name == "cmd.exe" and
   process.command_line : "*dir*" and process.command_line : "*/s*" and
   process.command_line : ("*.doc*", "*.xls*", "*.pdf", "*.ppt*", "*.pst", "*.ost", "*.mdb", "*.csv", "*.kdbx"))
  or
  // forfiles automated processing
  (process.command_line : "*forfiles*" and
   process.command_line : ("*.doc*", "*.xls*", "*.pdf", "*.pst", "*.kdbx", "*.pfx", "*.pem"))
  or
  // Mass file copy tools
  (process.name == "robocopy.exe" and process.command_line : ("*/s*", "*/e*", "*/MIR*", "*/mir*"))
  or
  (process.name == "xcopy.exe" and process.command_line : "*/s*")
  or
  // Archive tools with document targets
  (process.name in~ ("rar.exe", "winrar.exe") and
   process.command_line : ("* a *", "-a ", "/a ") and
   process.command_line : ("*.doc*", "*.pdf", "*.pst", "*.kdbx", "*.pfx"))
  or
  (process.name == "7z.exe" and
   process.command_line : ("* a *", "a ") and
   process.command_line : ("*.doc*", "*.pdf", "*.pst", "*.kdbx", "*.pfx"))
  or
  // Python file traversal
  (process.name in~ ("python.exe", "python3.exe") and
   process.command_line : ("*os.walk*", "*glob.glob*", "*shutil.copy*", "*scandir*"))
  or
  // WScript/CScript with FSO methods
  (process.name in~ ("wscript.exe", "cscript.exe") and
   process.command_line : ("*GetFolder*", "*GetFile*", "*CopyFile*", "*MoveFile*", "*Files*"))
)

high severity high confidence

Data Sources

Endpoint Windows Event Logs Sysmon via Elastic Agent Elastic Endpoint Security

Required Tables

logs-endpoint.events.process-* winlogbeat-* logs-windows.sysmon_operational-*

False Positives

Backup software agents (e.g., Veeam, Acronis, Windows Backup) that recursively copy or archive documents on a schedule
IT asset management or DLP tools that use PowerShell Get-ChildItem with file extension filters during scheduled scans
Software deployment tooling (e.g., SCCM, PDQ Deploy) that uses robocopy or xcopy with recursive flags for application staging

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "QIDNAME"(qid) AS event_name,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 40)  -- Windows Security, Sysmon, WinCollect
  AND (CATEGORYNAME(category) LIKE '%Process%' OR qid IN (5001, 5002))  -- Process creation events
  AND starttime > (CURRENT_TIMESTAMP - 86400000)  -- Last 24 hours
  AND (
    -- PowerShell recursive collection
    (LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%')
    AND (
      LOWER("Command") LIKE '%-recurse%' OR LOWER("Command") LIKE '%get-childitem%' OR LOWER("Command") LIKE '%gci %'
    )
    AND (
      LOWER("Command") LIKE '%.doc%' OR LOWER("Command") LIKE '%.pdf%' OR LOWER("Command") LIKE '%.pst%'
      OR LOWER("Command") LIKE '%.kdbx%' OR LOWER("Command") LIKE '%.pfx%' OR LOWER("Command") LIKE '%.pem%'
      OR LOWER("Command") LIKE '%.xls%' OR LOWER("Command") LIKE '%.csv%'
    )
  )
  OR (
    -- CMD dir /s with sensitive extensions
    LOWER("Process Name") LIKE '%cmd.exe%'
    AND LOWER("Command") LIKE '%dir%'
    AND LOWER("Command") LIKE '%/s%'
    AND (
      LOWER("Command") LIKE '%.doc%' OR LOWER("Command") LIKE '%.pdf%'
      OR LOWER("Command") LIKE '%.pst%' OR LOWER("Command") LIKE '%.xls%'
    )
  )
  OR (
    -- forfiles processing
    LOWER("Command") LIKE '%forfiles%'
    AND (
      LOWER("Command") LIKE '%.doc%' OR LOWER("Command") LIKE '%.pdf%'
      OR LOWER("Command") LIKE '%.pst%' OR LOWER("Command") LIKE '%.kdbx%'
    )
  )
  OR (
    -- robocopy mass copy
    LOWER("Process Name") LIKE '%robocopy.exe%'
    AND (
      LOWER("Command") LIKE '%/s%' OR LOWER("Command") LIKE '%/e%'
      OR LOWER("Command") LIKE '%/mir%'
    )
  )
  OR (
    -- Archive tools targeting documents
    (LOWER("Process Name") LIKE '%rar.exe%' OR LOWER("Process Name") LIKE '%winrar.exe%' OR LOWER("Process Name") LIKE '%7z.exe%')
    AND (
      LOWER("Command") LIKE '% a %' OR LOWER("Command") LIKE '%-a %'
    )
    AND (
      LOWER("Command") LIKE '%.doc%' OR LOWER("Command") LIKE '%.pdf%'
      OR LOWER("Command") LIKE '%.pst%' OR LOWER("Command") LIKE '%.kdbx%'
    )
  )
  OR (
    -- Python file traversal
    (LOWER("Process Name") LIKE '%python.exe%' OR LOWER("Process Name") LIKE '%python3.exe%')
    AND (
      LOWER("Command") LIKE '%os.walk%' OR LOWER("Command") LIKE '%glob.glob%'
      OR LOWER("Command") LIKE '%shutil.copy%' OR LOWER("Command") LIKE '%scandir%'
    )
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Windows Security Event Log (Event ID 4688) Sysmon (Event ID 1) WinCollect Agent

Required Tables

events

False Positives

Enterprise backup agents (Veeam, Commvault, NetBackup) performing scheduled recursive file copies with archive compression
Security scanning tools and DLP agents that enumerate file types across directories during scheduled policy checks
System administrators running legitimate robocopy or xcopy scripts for server migrations or file server restructuring

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" OR _sourceCategory="os/windows/security"
| where EventID = "1" OR EventID = "4688"
| parse field=CommandLine "*" as cmdline nodrop
| parse field=Image "*" as process_image nodrop
| eval cmdline_lower = toLowerCase(cmdline)
| eval proc_lower = toLowerCase(process_image)
// Flag recursive file search patterns
| eval RecursiveSearch = if (
    cmdline_lower matches "*(get-childitem|gci |-recurse|dir /s|forfiles|os\.walk|glob\.glob|scandir)*",
    1, 0
  )
// Flag sensitive file extensions
| eval SensitiveExt = if (
    cmdline_lower matches "*(\.docx?|\.xlsx?|\.pdf|\.pptx?|\.pst|\.ost|\.mdb|\.accdb|\.kdbx|\.pfx|\.pem|\.p12|\.key|\.csv)*",
    1, 0
  )
// Flag archive tools
| eval ArchiveTool = if (
    proc_lower matches "*(rar\.exe|winrar\.exe|7z\.exe)*",
    1, 0
  )
// Flag mass copy operations
| eval MassCopy = if (
    proc_lower matches "*(robocopy\.exe|xcopy\.exe)*"
    and cmdline_lower matches "*(/s|/e|/mir)*",
    1, 0
  )
// Flag script interpreters
| eval ScriptInterpreter = if (
    proc_lower matches "*(powershell\.exe|pwsh\.exe|python[23]?\.exe|wscript\.exe|cscript\.exe)*",
    1, 0
  )
// Flag credential-adjacent file types
| eval CredentialFiles = if (
    cmdline_lower matches "*(\.pfx|\.pem|\.p12|\.key|\.kdbx)*",
    1, 0
  )
// Composite suspicion score
| eval SuspicionScore = RecursiveSearch + SensitiveExt + ArchiveTool + MassCopy + CredentialFiles
// Apply detection logic
| where (ScriptInterpreter = 1 and RecursiveSearch = 1 and SensitiveExt = 1)
    or MassCopy = 1
    or (ArchiveTool = 1 and SensitiveExt = 1)
    or SuspicionScore >= 2
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine,
         RecursiveSearch, SensitiveExt, ArchiveTool, MassCopy, CredentialFiles, SuspicionScore
| sort by SuspicionScore desc, _messageTime desc

high severity high confidence

Data Sources

Sysmon via Sumo Logic Windows Collector Windows Security Event Log via Sumo Logic Collector

Required Tables

Sumo Logic _sourceCategory windows/sysmon Sumo Logic _sourceCategory os/windows/security

False Positives

Automated backup jobs using PowerShell scripts with Get-ChildItem and robocopy to copy document libraries to network shares
Enterprise DLP or CASB agents performing scheduled file classification scans that enumerate by extension across local drives
Developer build pipelines or CI scripts that use Python os.walk or glob to collect artifacts for packaging

Google Chronicle / SecOps

yaral

rule automated_collection_t1119 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects automated data collection (T1119) via recursive file enumeration, mass copy tools, document archiving, and scripted file traversal targeting sensitive file types"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1119"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"

    // Match on known collection patterns with sensitive extensions or recursive flags
    (
      // PowerShell recursive document search
      (
        re.regex($e.principal.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe)$`)
        and re.regex($e.principal.process.command_line, `(?i)(-Recurse|Get-ChildItem|\bGCI\b|forfiles)`)
        and re.regex($e.principal.process.command_line, `(?i)\.(docx?|xlsx?|pdf|pptx?|pst|ost|mdb|accdb|kdbx|pfx|pem|p12|key|csv)`)
      )
      or
      // CMD recursive enumeration targeting document types
      (
        re.regex($e.principal.process.file.full_path, `(?i)cmd\.exe$`)
        and re.regex($e.principal.process.command_line, `(?i)dir\s.*/s`)
        and re.regex($e.principal.process.command_line, `(?i)\.(docx?|xlsx?|pdf|pst|kdbx|pfx|pem)`)
      )
      or
      // robocopy mass copy with recursive flags
      (
        re.regex($e.principal.process.file.full_path, `(?i)robocopy\.exe$`)
        and re.regex($e.principal.process.command_line, `(?i)(/s|/e|/MIR)`)
      )
      or
      // xcopy recursive staging
      (
        re.regex($e.principal.process.file.full_path, `(?i)xcopy\.exe$`)
        and re.regex($e.principal.process.command_line, `(?i)/s`)
      )
      or
      // Archive tools compressing sensitive documents
      (
        re.regex($e.principal.process.file.full_path, `(?i)(rar\.exe|winrar\.exe|7z\.exe)$`)
        and re.regex($e.principal.process.command_line, `(?i)(\sa\s|-a\s|/a\s)`)
        and re.regex($e.principal.process.command_line, `(?i)\.(docx?|xlsx?|pdf|pst|kdbx|pfx|pem|p12|key|csv)`)
      )
      or
      // Python-based file traversal and collection
      (
        re.regex($e.principal.process.file.full_path, `(?i)python[23]?\.exe$`)
        and re.regex($e.principal.process.command_line, `(?i)(os\.walk|glob\.glob|shutil\.copy|scandir|os\.listdir)`)
      )
      or
      // WScript/CScript using Scripting.FileSystemObject
      (
        re.regex($e.principal.process.file.full_path, `(?i)(wscript\.exe|cscript\.exe)$`)
        and re.regex($e.principal.process.command_line, `(?i)(GetFolder|GetFile|CopyFile|MoveFile|Files)`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows Endpoint Telemetry ingested into Chronicle Microsoft Defender for Endpoint via Chronicle integration

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Enterprise backup software (Veeam, Backup Exec) that launches robocopy or PowerShell with Get-ChildItem on a schedule to replicate document repositories
IT operations scripts for data migration projects using xcopy or robocopy with recursive flags to move file shares between servers
Developer tooling or CI/CD pipelines using Python glob or os.walk to collect source files or build artifacts for packaging

CrowdStrike LogScale (CQL)

cql

// T1119 - Automated Collection: Recursive enumeration, mass copy, and document archiving
#event_simpleName = ProcessRollup2
| eval cmdline_lower = lowercase(CommandLine)
| eval proc_lower = lowercase(FileName)
// Detect recursive search patterns
| eval RecursiveSearch = if(
    match(cmdline_lower, "get-childitem|gci |-recurse|dir /s|forfiles|os\.walk|glob\.glob|scandir"),
    1, 0
  )
// Detect sensitive file extension targeting
| eval SensitiveExt = if(
    match(cmdline_lower, "\\.docx?|\\.xlsx?|\\.pdf|\\.pptx?|\\.pst|\\.ost|\\.mdb|\\.accdb|\\.kdbx|\\.pfx|\\.pem|\\.p12|\\.key|\\.csv"),
    1, 0
  )
// Detect archive tools
| eval ArchiveTool = if(
    match(proc_lower, "rar\\.exe|winrar\\.exe|7z\\.exe"),
    1, 0
  )
// Detect mass copy operations with recursive flags
| eval MassCopy = if(
    match(proc_lower, "robocopy\\.exe|xcopy\\.exe")
    and match(cmdline_lower, "/s|/e|/mir"),
    1, 0
  )
// Detect script interpreters used for traversal
| eval ScriptInterpreter = if(
    match(proc_lower, "powershell\\.exe|pwsh\\.exe|python[23]?\\.exe|wscript\\.exe|cscript\\.exe"),
    1, 0
  )
// Detect credential-adjacent files
| eval CredentialFiles = if(
    match(cmdline_lower, "\\.pfx|\\.pem|\\.p12|\\.key|\\.kdbx"),
    1, 0
  )
// Composite risk scoring
| eval SuspicionScore = RecursiveSearch + SensitiveExt + ArchiveTool + MassCopy + CredentialFiles
// Apply detection filter
| where (ScriptInterpreter = 1 and RecursiveSearch = 1 and SensitiveExt = 1)
    or MassCopy = 1
    or (ArchiveTool = 1 and SensitiveExt = 1)
    or SuspicionScore >= 2
| table timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine,
         RecursiveSearch, SensitiveExt, ArchiveTool, MassCopy, CredentialFiles, SuspicionScore
| sort(field=SuspicionScore, order=desc)
| sort(field=timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon ProcessRollup2 events CrowdStrike Falcon Data Replicator (FDR)

Required Tables

#event_simpleName = ProcessRollup2

False Positives

Falcon sensor-enrolled backup agents (e.g., CrashPlan, Cohesity) that launch robocopy or PowerShell Get-ChildItem to enumerate and stage document backups on a recurring schedule
Security operations tooling such as endpoint forensic collectors or incident response scripts that use Python os.walk or glob to gather evidence files by extension
Application packaging teams using 7z.exe or WinRAR to bundle document collections for software releases or internal distribution

Last updated: 2026-04-18 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1119 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Automated Collection

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Collection

Popular Detections