Which SIEM platforms have a T1119 detection rule?

df00tech provides T1119 (Automated Collection) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Automated Collection (T1119)?

Detecting Automated Collection requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1119 detection?

The T1119 detection is rated high severity with medium confidence.

What are common false positives for T1119?

Common false positives for T1119 include: Backup software agents (Veeam, Acronis, Windows Backup) performing scheduled recursive file enumeration and copy operations using robocopy or xcopy with standard recursive flags; Enterprise file sync and DLP agents (OneDrive sync client, SharePoint sync, Varonis, Symantec DLP) scanning for specific document types as part of classification and policy enforcement; IT administrators running robocopy or PowerShell Get-ChildItem for bulk file migrations, server decommissions, or departmental data reorganization projects.

T1119 Elastic Security · Elastic

Detect Automated Collection in Elastic Security

Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or ETL services to automatically collect data. This functionality could also be built into remote access tools. This technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files, as well as Cloud Service Dashboard and Cloud Storage Object Discovery to identify resources in cloud environments.

MITRE ATT&CK

Tactic: Collection
Technique: T1119 Automated Collection
Canonical reference: https://attack.mitre.org/techniques/T1119/

Elastic Detection Query

Elastic Security (Elastic)

eql

process where event.type == "start" and
(
  // PowerShell recursive document search
  (process.name in~ ("powershell.exe", "pwsh.exe") and
   process.args : ("-Recurse", "Get-ChildItem", "GCI") and
   process.command_line : ("*.doc*", "*.xls*", "*.pdf", "*.ppt*", "*.pst", "*.ost", "*.mdb", "*.accdb", "*.csv", "*.kdbx", "*.pfx", "*.pem", "*.p12", "*.key", "*.rtf", "*.txt"))
  or
  // CMD recursive file enumeration
  (process.name == "cmd.exe" and
   process.command_line : "*dir*" and process.command_line : "*/s*" and
   process.command_line : ("*.doc*", "*.xls*", "*.pdf", "*.ppt*", "*.pst", "*.ost", "*.mdb", "*.csv", "*.kdbx"))
  or
  // forfiles automated processing
  (process.command_line : "*forfiles*" and
   process.command_line : ("*.doc*", "*.xls*", "*.pdf", "*.pst", "*.kdbx", "*.pfx", "*.pem"))
  or
  // Mass file copy tools
  (process.name == "robocopy.exe" and process.command_line : ("*/s*", "*/e*", "*/MIR*", "*/mir*"))
  or
  (process.name == "xcopy.exe" and process.command_line : "*/s*")
  or
  // Archive tools with document targets
  (process.name in~ ("rar.exe", "winrar.exe") and
   process.command_line : ("* a *", "-a ", "/a ") and
   process.command_line : ("*.doc*", "*.pdf", "*.pst", "*.kdbx", "*.pfx"))
  or
  (process.name == "7z.exe" and
   process.command_line : ("* a *", "a ") and
   process.command_line : ("*.doc*", "*.pdf", "*.pst", "*.kdbx", "*.pfx"))
  or
  // Python file traversal
  (process.name in~ ("python.exe", "python3.exe") and
   process.command_line : ("*os.walk*", "*glob.glob*", "*shutil.copy*", "*scandir*"))
  or
  // WScript/CScript with FSO methods
  (process.name in~ ("wscript.exe", "cscript.exe") and
   process.command_line : ("*GetFolder*", "*GetFile*", "*CopyFile*", "*MoveFile*", "*Files*"))
)

high severity high confidence

Detects automated data collection activity (T1119) including recursive file enumeration via PowerShell/CMD, mass file copying via robocopy/xcopy, archiving of sensitive file types, and scripted traversal via Python or WScript/CScript using Elastic ECS process events.

Data Sources

EndpointWindows Event LogsSysmon via Elastic AgentElastic Endpoint Security

Required Tables

logs-endpoint.events.process-*winlogbeat-*logs-windows.sysmon_operational-*

False Positives & Tuning

Backup software agents (e.g., Veeam, Acronis, Windows Backup) that recursively copy or archive documents on a schedule
IT asset management or DLP tools that use PowerShell Get-ChildItem with file extension filters during scheduled scans
Software deployment tooling (e.g., SCCM, PDQ Deploy) that uses robocopy or xcopy with recursive flags for application staging

Download portable Sigma rule (.yml)

Other platforms for T1119

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1PowerShell Recursive Document Collection to Staging Directory
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ChildItem', '-Recurse', '.docx', '.xlsx', '.pdf'. Sysmon Event ID 11: Multiple file creation events in %TEMP%\df00tech-stage for each copied file. PowerShell ScriptBlock Log Event ID 4104 with the full collection script. Security Event ID 4663 (if SACL auditing enabled) for each source document read.
Test 2CMD Recursive File Enumeration with dir /s
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'dir /s /b' and '.docx', '.xlsx', '.pdf'. Sysmon Event ID 11: File creation event for %TEMP%\df00tech-filelist.txt. Security Event ID 4688 (if process creation auditing and command line logging are enabled) with full command line including extension targets.
Test 3forfiles Automated Document Enumeration
Expected signal: Sysmon Event ID 1: Process Create for the shell executing forfiles with CommandLine containing 'forfiles', '/S', and '.docx'. Child cmd.exe process creation events as forfiles spawns a cmd.exe instance per matching file. Sysmon Event ID 11: File creation for %TEMP%\df00tech-forfiles.txt. The child cmd.exe processes with 'echo @PATH' are also logged individually.
Test 47-Zip Archive Collection — Document Staging Pre-Exfiltration
Expected signal: Sysmon Event ID 1: Process Create with Image=7z.exe, CommandLine containing 'a' (add to archive), target paths with '.docx', '.xlsx', '.pdf', '-r' (recursive), and '-p' (password). Sysmon Event ID 11: File creation event for %TEMP%\df00tech-archive.7z. Security Event ID 4663 (if auditing enabled) for each source document file opened by 7z.exe during archiving.

Last updated: 2026-04-18 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1119 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Automated Collection in Elastic Security

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1119

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Collection

Popular Detections

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1119

Testing Methodology

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Collection

Popular Detections

Get new detections in your inbox