Which SIEM platforms have a T1119 detection rule?

df00tech provides T1119 (Automated Collection) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Automated Collection (T1119)?

Detecting Automated Collection requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1119 detection?

The T1119 detection is rated high severity with medium confidence.

What are common false positives for T1119?

Common false positives for T1119 include: Backup software agents (Veeam, Acronis, Windows Backup) performing scheduled recursive file enumeration and copy operations using robocopy or xcopy with standard recursive flags; Enterprise file sync and DLP agents (OneDrive sync client, SharePoint sync, Varonis, Symantec DLP) scanning for specific document types as part of classification and policy enforcement; IT administrators running robocopy or PowerShell Get-ChildItem for bulk file migrations, server decommissions, or departmental data reorganization projects.

T1119

Automated Collection

Collection Last updated: April 18, 2026

Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or ETL services to automatically collect data. This functionality could also be built into remote access tools. This technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files, as well as Cloud Service Dashboard and Cloud Storage Object Discovery to identify resources in cloud environments.

What is T1119 Automated Collection?

Automated Collection (T1119) maps to the Collection tactic — the adversary is trying to gather data of interest to their goal in MITRE ATT&CK.

This page provides production-ready detection logic for Automated Collection, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Collection
Technique: T1119 Automated Collection
Canonical reference: https://attack.mitre.org/techniques/T1119/

Microsoft Sentinel / Defender

kusto

let SensitiveExtensions = dynamic([
  ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx",
  ".mdb", ".accdb", ".csv", ".pst", ".ost", ".kdbx", ".pfx",
  ".pem", ".p12", ".key", ".rtf", ".txt"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // PowerShell recursive document search and collection
    (FileName in~ ("powershell.exe", "pwsh.exe") and
     ProcessCommandLine has_any ("-Recurse", "Get-ChildItem", "GCI ", "gci ") and
     ProcessCommandLine has_any (SensitiveExtensions))
    or
    // CMD recursive file enumeration targeting document types
    (FileName =~ "cmd.exe" and
     ProcessCommandLine has "dir" and ProcessCommandLine has "/s" and
     ProcessCommandLine has_any (SensitiveExtensions))
    or
    // forfiles automated file processing
    (ProcessCommandLine has "forfiles" and
     ProcessCommandLine has_any (SensitiveExtensions))
    or
    // Mass file copy with recursive flags (bulk staging)
    (FileName =~ "robocopy.exe" and
     ProcessCommandLine has_any ("/s", "/e", "/S", "/E", "/MIR", "/mir"))
    or
    (FileName =~ "xcopy.exe" and ProcessCommandLine has_any ("/s", "/S"))
    or
    // Archive tools ingesting document collections (pre-exfiltration staging)
    (FileName in~ ("rar.exe", "winrar.exe") and
     ProcessCommandLine has_any (" a ", "-a", "/a") and
     ProcessCommandLine has_any (SensitiveExtensions))
    or
    (FileName =~ "7z.exe" and
     ProcessCommandLine has_any (" a ", "a ") and
     ProcessCommandLine has_any (SensitiveExtensions))
    or
    // Python file traversal and collection scripts
    (FileName in~ ("python.exe", "python3.exe") and
     ProcessCommandLine has_any ("os.walk", "glob.glob", "shutil.copy", "os.listdir", "scandir"))
    or
    // VBScript/JScript file collection via Scripting.FileSystemObject
    (FileName in~ ("wscript.exe", "cscript.exe") and
     ProcessCommandLine has_any ("GetFolder", "GetFile", "CopyFile", "MoveFile", "Files"))
)
| extend AutoColl_RecursiveSearch = ProcessCommandLine has_any ("-Recurse", "/s", "/S", "os.walk", "forfiles", "Get-ChildItem")
| extend AutoColl_SensitiveExt = ProcessCommandLine has_any (SensitiveExtensions)
| extend AutoColl_ArchiveTool = FileName in~ ("rar.exe", "winrar.exe", "7z.exe")
| extend AutoColl_MassCopy = FileName in~ ("robocopy.exe", "xcopy.exe")
| extend AutoColl_CredentialFiles = ProcessCommandLine has_any (".pfx", ".pem", ".p12", ".key", ".kdbx")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         AutoColl_RecursiveSearch, AutoColl_SensitiveExt, AutoColl_ArchiveTool,
         AutoColl_MassCopy, AutoColl_CredentialFiles
| sort by Timestamp desc

Detects automated data collection activity using Microsoft Defender for Endpoint DeviceProcessEvents. Identifies key patterns: PowerShell Get-ChildItem recursive searches targeting sensitive file extensions (documents, spreadsheets, PDFs, credential stores), CMD dir /s bulk enumeration, forfiles automated file processing, mass copy tools (robocopy/xcopy) with recursive flags, archive tools (RAR/7z) staging document collections pre-exfiltration, and Python/VBScript file traversal scripts. Enrichment fields classify the collection type by category to assist analyst triage and prioritization.

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Backup software agents (Veeam, Acronis, Windows Backup) performing scheduled recursive file enumeration and copy operations using robocopy or xcopy with standard recursive flags
Enterprise file sync and DLP agents (OneDrive sync client, SharePoint sync, Varonis, Symantec DLP) scanning for specific document types as part of classification and policy enforcement
IT administrators running robocopy or PowerShell Get-ChildItem for bulk file migrations, server decommissions, or departmental data reorganization projects
Software developers using Python scripts with os.walk or glob.glob for build processes, automated test data preparation, or log parsing pipelines
Anti-virus and endpoint security products performing scheduled content-inspection scans that enumerate files by extension type across user directories

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval cmdline=lower(CommandLine), proc=lower(Image)
| eval RecursiveSearch=if(match(cmdline, "(get-childitem|gci |-recurse|dir /s|forfiles|os\.walk|glob\.glob|scandir)"), 1, 0)
| eval SensitiveExt=if(match(cmdline, "(\.docx?|\.xlsx?|\.pdf|\.pptx?|\.pst|\.ost|\.mdb|\.accdb|\.kdbx|\.pfx|\.pem|\.p12|\.key|\.csv)"), 1, 0)
| eval ArchiveTool=if(match(proc, "(rar\.exe|winrar\.exe|7z\.exe)"), 1, 0)
| eval MassCopy=if(match(proc, "(robocopy\.exe|xcopy\.exe)") AND match(cmdline, "(/s|/e|/mir)"), 1, 0)
| eval ScriptInterpreter=if(match(proc, "(powershell\.exe|pwsh\.exe|python[23]?\.exe|wscript\.exe|cscript\.exe)"), 1, 0)
| eval CredentialFiles=if(match(cmdline, "(\.pfx|\.pem|\.p12|\.key|\.kdbx)"), 1, 0)
| eval SuspicionScore=RecursiveSearch + SensitiveExt + ArchiveTool + MassCopy + CredentialFiles
| where (ScriptInterpreter=1 AND RecursiveSearch=1 AND SensitiveExt=1)
    OR MassCopy=1
    OR (ArchiveTool=1 AND SensitiveExt=1)
    OR SuspicionScore >= 2
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        RecursiveSearch, SensitiveExt, ArchiveTool, MassCopy, CredentialFiles, SuspicionScore
| sort - SuspicionScore, - _time

Detects automated collection patterns using Sysmon Event ID 1 (Process Creation). Assigns a suspicion score based on: recursive search commands (Get-ChildItem, dir /s, forfiles, os.walk), sensitive file extension targeting (.docx, .xlsx, .pdf, .pst, .kdbx, .pfx), archive tool invocation (RAR, 7z, WinRAR) with document targets, mass copy tools (robocopy/xcopy) with recursive flags, and credential file targeting. Scoring approach helps analysts prioritize higher-confidence events. Results sorted by suspicion score descending, then most recent first.

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Backup software agents (Veeam, Acronis, Windows Backup) performing scheduled recursive file enumeration and copy operations using robocopy or xcopy with standard recursive flags
Enterprise file sync and DLP agents (OneDrive sync client, SharePoint sync, Varonis, Symantec DLP) scanning for specific document types as part of classification and policy enforcement
IT administrators running robocopy or PowerShell Get-ChildItem for bulk file migrations, server decommissions, or departmental data reorganization projects
Software developers using Python scripts with os.walk or glob.glob for build processes, automated test data preparation, or log parsing pipelines
Anti-virus and endpoint security products performing scheduled content-inspection scans that enumerate files by extension type across user directories

Elastic Security (EQL)

eql

process where event.type == "start" and
(
  // PowerShell recursive document search
  (process.name in~ ("powershell.exe", "pwsh.exe") and
   process.args : ("-Recurse", "Get-ChildItem", "GCI") and
   process.command_line : ("*.doc*", "*.xls*", "*.pdf", "*.ppt*", "*.pst", "*.ost", "*.mdb", "*.accdb", "*.csv", "*.kdbx", "*.pfx", "*.pem", "*.p12", "*.key", "*.rtf", "*.txt"))
  or
  // CMD recursive file enumeration
  (process.name == "cmd.exe" and
   process.command_line : "*dir*" and process.command_line : "*/s*" and
   process.command_line : ("*.doc*", "*.xls*", "*.pdf", "*.ppt*", "*.pst", "*.ost", "*.mdb", "*.csv", "*.kdbx"))
  or
  // forfiles automated processing
  (process.command_line : "*forfiles*" and
   process.command_line : ("*.doc*", "*.xls*", "*.pdf", "*.pst", "*.kdbx", "*.pfx", "*.pem"))
  or
  // Mass file copy tools
  (process.name == "robocopy.exe" and process.command_line : ("*/s*", "*/e*", "*/MIR*", "*/mir*"))
  or
  (process.name == "xcopy.exe" and process.command_line : "*/s*")
  or
  // Archive tools with document targets
  (process.name in~ ("rar.exe", "winrar.exe") and
   process.command_line : ("* a *", "-a ", "/a ") and
   process.command_line : ("*.doc*", "*.pdf", "*.pst", "*.kdbx", "*.pfx"))
  or
  (process.name == "7z.exe" and
   process.command_line : ("* a *", "a ") and
   process.command_line : ("*.doc*", "*.pdf", "*.pst", "*.kdbx", "*.pfx"))
  or
  // Python file traversal
  (process.name in~ ("python.exe", "python3.exe") and
   process.command_line : ("*os.walk*", "*glob.glob*", "*shutil.copy*", "*scandir*"))
  or
  // WScript/CScript with FSO methods
  (process.name in~ ("wscript.exe", "cscript.exe") and
   process.command_line : ("*GetFolder*", "*GetFile*", "*CopyFile*", "*MoveFile*", "*Files*"))
)

Detects automated data collection activity (T1119) including recursive file enumeration via PowerShell/CMD, mass file copying via robocopy/xcopy, archiving of sensitive file types, and scripted traversal via Python or WScript/CScript using Elastic ECS process events.

high severity high confidence

Data Sources

Endpoint Windows Event Logs Sysmon via Elastic Agent Elastic Endpoint Security

Required Tables

logs-endpoint.events.process-* winlogbeat-* logs-windows.sysmon_operational-*

False Positives

Backup software agents (e.g., Veeam, Acronis, Windows Backup) that recursively copy or archive documents on a schedule
IT asset management or DLP tools that use PowerShell Get-ChildItem with file extension filters during scheduled scans
Software deployment tooling (e.g., SCCM, PDQ Deploy) that uses robocopy or xcopy with recursive flags for application staging

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "QIDNAME"(qid) AS event_name,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 40)  -- Windows Security, Sysmon, WinCollect
  AND (CATEGORYNAME(category) LIKE '%Process%' OR qid IN (5001, 5002))  -- Process creation events
  AND starttime > (CURRENT_TIMESTAMP - 86400000)  -- Last 24 hours
  AND (
    -- PowerShell recursive collection
    (LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%')
    AND (
      LOWER("Command") LIKE '%-recurse%' OR LOWER("Command") LIKE '%get-childitem%' OR LOWER("Command") LIKE '%gci %'
    )
    AND (
      LOWER("Command") LIKE '%.doc%' OR LOWER("Command") LIKE '%.pdf%' OR LOWER("Command") LIKE '%.pst%'
      OR LOWER("Command") LIKE '%.kdbx%' OR LOWER("Command") LIKE '%.pfx%' OR LOWER("Command") LIKE '%.pem%'
      OR LOWER("Command") LIKE '%.xls%' OR LOWER("Command") LIKE '%.csv%'
    )
  )
  OR (
    -- CMD dir /s with sensitive extensions
    LOWER("Process Name") LIKE '%cmd.exe%'
    AND LOWER("Command") LIKE '%dir%'
    AND LOWER("Command") LIKE '%/s%'
    AND (
      LOWER("Command") LIKE '%.doc%' OR LOWER("Command") LIKE '%.pdf%'
      OR LOWER("Command") LIKE '%.pst%' OR LOWER("Command") LIKE '%.xls%'
    )
  )
  OR (
    -- forfiles processing
    LOWER("Command") LIKE '%forfiles%'
    AND (
      LOWER("Command") LIKE '%.doc%' OR LOWER("Command") LIKE '%.pdf%'
      OR LOWER("Command") LIKE '%.pst%' OR LOWER("Command") LIKE '%.kdbx%'
    )
  )
  OR (
    -- robocopy mass copy
    LOWER("Process Name") LIKE '%robocopy.exe%'
    AND (
      LOWER("Command") LIKE '%/s%' OR LOWER("Command") LIKE '%/e%'
      OR LOWER("Command") LIKE '%/mir%'
    )
  )
  OR (
    -- Archive tools targeting documents
    (LOWER("Process Name") LIKE '%rar.exe%' OR LOWER("Process Name") LIKE '%winrar.exe%' OR LOWER("Process Name") LIKE '%7z.exe%')
    AND (
      LOWER("Command") LIKE '% a %' OR LOWER("Command") LIKE '%-a %'
    )
    AND (
      LOWER("Command") LIKE '%.doc%' OR LOWER("Command") LIKE '%.pdf%'
      OR LOWER("Command") LIKE '%.pst%' OR LOWER("Command") LIKE '%.kdbx%'
    )
  )
  OR (
    -- Python file traversal
    (LOWER("Process Name") LIKE '%python.exe%' OR LOWER("Process Name") LIKE '%python3.exe%')
    AND (
      LOWER("Command") LIKE '%os.walk%' OR LOWER("Command") LIKE '%glob.glob%'
      OR LOWER("Command") LIKE '%shutil.copy%' OR LOWER("Command") LIKE '%scandir%'
    )
  )
ORDER BY starttime DESC

Detects automated data collection (T1119) in IBM QRadar by querying process creation events from Windows Security, Sysmon, and WinCollect log sources. Identifies recursive file enumeration via PowerShell/CMD, mass copy operations with robocopy, document archiving via RAR/7z, and Python-based file traversal scripts.

high severity medium confidence

Data Sources

Windows Security Event Log (Event ID 4688) Sysmon (Event ID 1) WinCollect Agent

Required Tables

events

False Positives

Enterprise backup agents (Veeam, Commvault, NetBackup) performing scheduled recursive file copies with archive compression
Security scanning tools and DLP agents that enumerate file types across directories during scheduled policy checks
System administrators running legitimate robocopy or xcopy scripts for server migrations or file server restructuring

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" OR _sourceCategory="os/windows/security"
| where EventID = "1" OR EventID = "4688"
| parse field=CommandLine "*" as cmdline nodrop
| parse field=Image "*" as process_image nodrop
| eval cmdline_lower = toLowerCase(cmdline)
| eval proc_lower = toLowerCase(process_image)
// Flag recursive file search patterns
| eval RecursiveSearch = if (
    cmdline_lower matches "*(get-childitem|gci |-recurse|dir /s|forfiles|os\.walk|glob\.glob|scandir)*",
    1, 0
  )
// Flag sensitive file extensions
| eval SensitiveExt = if (
    cmdline_lower matches "*(\.docx?|\.xlsx?|\.pdf|\.pptx?|\.pst|\.ost|\.mdb|\.accdb|\.kdbx|\.pfx|\.pem|\.p12|\.key|\.csv)*",
    1, 0
  )
// Flag archive tools
| eval ArchiveTool = if (
    proc_lower matches "*(rar\.exe|winrar\.exe|7z\.exe)*",
    1, 0
  )
// Flag mass copy operations
| eval MassCopy = if (
    proc_lower matches "*(robocopy\.exe|xcopy\.exe)*"
    and cmdline_lower matches "*(/s|/e|/mir)*",
    1, 0
  )
// Flag script interpreters
| eval ScriptInterpreter = if (
    proc_lower matches "*(powershell\.exe|pwsh\.exe|python[23]?\.exe|wscript\.exe|cscript\.exe)*",
    1, 0
  )
// Flag credential-adjacent file types
| eval CredentialFiles = if (
    cmdline_lower matches "*(\.pfx|\.pem|\.p12|\.key|\.kdbx)*",
    1, 0
  )
// Composite suspicion score
| eval SuspicionScore = RecursiveSearch + SensitiveExt + ArchiveTool + MassCopy + CredentialFiles
// Apply detection logic
| where (ScriptInterpreter = 1 and RecursiveSearch = 1 and SensitiveExt = 1)
    or MassCopy = 1
    or (ArchiveTool = 1 and SensitiveExt = 1)
    or SuspicionScore >= 2
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine,
         RecursiveSearch, SensitiveExt, ArchiveTool, MassCopy, CredentialFiles, SuspicionScore
| sort by SuspicionScore desc, _messageTime desc

Detects automated data collection (T1119) in Sumo Logic by parsing Sysmon Event ID 1 and Security Event ID 4688 process creation logs. Uses a suspicion scoring model to identify recursive enumeration via PowerShell/CMD/Python, mass copy operations, and document archiving with sensitive file type targeting.

high severity high confidence

Data Sources

Sysmon via Sumo Logic Windows Collector Windows Security Event Log via Sumo Logic Collector

Required Tables

Sumo Logic _sourceCategory windows/sysmon Sumo Logic _sourceCategory os/windows/security

False Positives

Automated backup jobs using PowerShell scripts with Get-ChildItem and robocopy to copy document libraries to network shares
Enterprise DLP or CASB agents performing scheduled file classification scans that enumerate by extension across local drives
Developer build pipelines or CI scripts that use Python os.walk or glob to collect artifacts for packaging

Google Chronicle / SecOps

yaral

rule automated_collection_t1119 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects automated data collection (T1119) via recursive file enumeration, mass copy tools, document archiving, and scripted file traversal targeting sensitive file types"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1119"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"

    // Match on known collection patterns with sensitive extensions or recursive flags
    (
      // PowerShell recursive document search
      (
        re.regex($e.principal.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe)$`)
        and re.regex($e.principal.process.command_line, `(?i)(-Recurse|Get-ChildItem|\bGCI\b|forfiles)`)
        and re.regex($e.principal.process.command_line, `(?i)\.(docx?|xlsx?|pdf|pptx?|pst|ost|mdb|accdb|kdbx|pfx|pem|p12|key|csv)`)
      )
      or
      // CMD recursive enumeration targeting document types
      (
        re.regex($e.principal.process.file.full_path, `(?i)cmd\.exe$`)
        and re.regex($e.principal.process.command_line, `(?i)dir\s.*/s`)
        and re.regex($e.principal.process.command_line, `(?i)\.(docx?|xlsx?|pdf|pst|kdbx|pfx|pem)`)
      )
      or
      // robocopy mass copy with recursive flags
      (
        re.regex($e.principal.process.file.full_path, `(?i)robocopy\.exe$`)
        and re.regex($e.principal.process.command_line, `(?i)(/s|/e|/MIR)`)
      )
      or
      // xcopy recursive staging
      (
        re.regex($e.principal.process.file.full_path, `(?i)xcopy\.exe$`)
        and re.regex($e.principal.process.command_line, `(?i)/s`)
      )
      or
      // Archive tools compressing sensitive documents
      (
        re.regex($e.principal.process.file.full_path, `(?i)(rar\.exe|winrar\.exe|7z\.exe)$`)
        and re.regex($e.principal.process.command_line, `(?i)(\sa\s|-a\s|/a\s)`)
        and re.regex($e.principal.process.command_line, `(?i)\.(docx?|xlsx?|pdf|pst|kdbx|pfx|pem|p12|key|csv)`)
      )
      or
      // Python-based file traversal and collection
      (
        re.regex($e.principal.process.file.full_path, `(?i)python[23]?\.exe$`)
        and re.regex($e.principal.process.command_line, `(?i)(os\.walk|glob\.glob|shutil\.copy|scandir|os\.listdir)`)
      )
      or
      // WScript/CScript using Scripting.FileSystemObject
      (
        re.regex($e.principal.process.file.full_path, `(?i)(wscript\.exe|cscript\.exe)$`)
        and re.regex($e.principal.process.command_line, `(?i)(GetFolder|GetFile|CopyFile|MoveFile|Files)`)
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting automated data collection (T1119) via UDM process launch events. Covers PowerShell/CMD recursive enumeration with sensitive file extensions, robocopy/xcopy mass copying, RAR/7z archiving of documents, Python os.walk traversal, and WScript/CScript FileSystemObject usage.

high severity high confidence

Data Sources

Google Chronicle UDM Windows Endpoint Telemetry ingested into Chronicle Microsoft Defender for Endpoint via Chronicle integration

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Enterprise backup software (Veeam, Backup Exec) that launches robocopy or PowerShell with Get-ChildItem on a schedule to replicate document repositories
IT operations scripts for data migration projects using xcopy or robocopy with recursive flags to move file shares between servers
Developer tooling or CI/CD pipelines using Python glob or os.walk to collect source files or build artifacts for packaging

CrowdStrike LogScale (CQL)

cql

// T1119 - Automated Collection: Recursive enumeration, mass copy, and document archiving
#event_simpleName = ProcessRollup2
| eval cmdline_lower = lowercase(CommandLine)
| eval proc_lower = lowercase(FileName)
// Detect recursive search patterns
| eval RecursiveSearch = if(
    match(cmdline_lower, "get-childitem|gci |-recurse|dir /s|forfiles|os\.walk|glob\.glob|scandir"),
    1, 0
  )
// Detect sensitive file extension targeting
| eval SensitiveExt = if(
    match(cmdline_lower, "\\.docx?|\\.xlsx?|\\.pdf|\\.pptx?|\\.pst|\\.ost|\\.mdb|\\.accdb|\\.kdbx|\\.pfx|\\.pem|\\.p12|\\.key|\\.csv"),
    1, 0
  )
// Detect archive tools
| eval ArchiveTool = if(
    match(proc_lower, "rar\\.exe|winrar\\.exe|7z\\.exe"),
    1, 0
  )
// Detect mass copy operations with recursive flags
| eval MassCopy = if(
    match(proc_lower, "robocopy\\.exe|xcopy\\.exe")
    and match(cmdline_lower, "/s|/e|/mir"),
    1, 0
  )
// Detect script interpreters used for traversal
| eval ScriptInterpreter = if(
    match(proc_lower, "powershell\\.exe|pwsh\\.exe|python[23]?\\.exe|wscript\\.exe|cscript\\.exe"),
    1, 0
  )
// Detect credential-adjacent files
| eval CredentialFiles = if(
    match(cmdline_lower, "\\.pfx|\\.pem|\\.p12|\\.key|\\.kdbx"),
    1, 0
  )
// Composite risk scoring
| eval SuspicionScore = RecursiveSearch + SensitiveExt + ArchiveTool + MassCopy + CredentialFiles
// Apply detection filter
| where (ScriptInterpreter = 1 and RecursiveSearch = 1 and SensitiveExt = 1)
    or MassCopy = 1
    or (ArchiveTool = 1 and SensitiveExt = 1)
    or SuspicionScore >= 2
| table timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine,
         RecursiveSearch, SensitiveExt, ArchiveTool, MassCopy, CredentialFiles, SuspicionScore
| sort(field=SuspicionScore, order=desc)
| sort(field=timestamp, order=desc)

CrowdStrike LogScale (CQL) detection for automated data collection (T1119) using Falcon ProcessRollup2 events. Applies a suspicion scoring model across recursive file enumeration (PowerShell, CMD, Python), mass copy operations (robocopy, xcopy), document archiving (RAR, 7-Zip), and WScript/CScript FileSystemObject file collection patterns targeting sensitive document and credential file types.

high severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon ProcessRollup2 events CrowdStrike Falcon Data Replicator (FDR)

Required Tables

#event_simpleName = ProcessRollup2

False Positives

Falcon sensor-enrolled backup agents (e.g., CrashPlan, Cohesity) that launch robocopy or PowerShell Get-ChildItem to enumerate and stage document backups on a recurring schedule
Security operations tooling such as endpoint forensic collectors or incident response scripts that use Python os.walk or glob to gather evidence files by extension
Application packaging teams using 7z.exe or WinRAR to bundle document collections for software releases or internal distribution

Sigma rule & cross-platform mapping

The detection logic for Automated Collection (T1119) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1119 Sigma rules on detection.fyi

Platform-specific guides for T1119

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-18 Research depth: deep

References (9)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1PowerShell Recursive Document Collection to Staging Directory
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ChildItem', '-Recurse', '.docx', '.xlsx', '.pdf'. Sysmon Event ID 11: Multiple file creation events in %TEMP%\df00tech-stage for each copied file. PowerShell ScriptBlock Log Event ID 4104 with the full collection script. Security Event ID 4663 (if SACL auditing enabled) for each source document read.
Test 2CMD Recursive File Enumeration with dir /s
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'dir /s /b' and '.docx', '.xlsx', '.pdf'. Sysmon Event ID 11: File creation event for %TEMP%\df00tech-filelist.txt. Security Event ID 4688 (if process creation auditing and command line logging are enabled) with full command line including extension targets.
Test 3forfiles Automated Document Enumeration
Expected signal: Sysmon Event ID 1: Process Create for the shell executing forfiles with CommandLine containing 'forfiles', '/S', and '.docx'. Child cmd.exe process creation events as forfiles spawns a cmd.exe instance per matching file. Sysmon Event ID 11: File creation for %TEMP%\df00tech-forfiles.txt. The child cmd.exe processes with 'echo @PATH' are also logged individually.
Test 47-Zip Archive Collection — Document Staging Pre-Exfiltration
Expected signal: Sysmon Event ID 1: Process Create with Image=7z.exe, CommandLine containing 'a' (add to archive), target paths with '.docx', '.xlsx', '.pdf', '-r' (recursive), and '-p' (password). Sysmon Event ID 11: File creation event for %TEMP%\df00tech-archive.7z. Security Event ID 4663 (if auditing enabled) for each source document file opened by 7z.exe during archiving.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1119 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Automated Collection

What is T1119 Automated Collection?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1119

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Collection

Popular Detections

What is T1119 Automated Collection?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1119

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Collection

Popular Detections

Get new detections in your inbox