title: Automated Collection (T1119)
id: df00tech-t1119
status: experimental
description: "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or ETL services to automatically collect data. This functionality could also be built into remote access tools. This technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files, as well as Cloud Service Dashboard and Cloud Storage Object Discovery to identify resources in cloud environments."
references:
  - https://attack.mitre.org/techniques/T1119/
  - https://df00tech.com/detections/T1119
author: df00tech
date: 2026/04/18
tags:
  - attack.t1119
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Backup software agents (Veeam, Acronis, Windows Backup) performing scheduled recursive file enumeration and copy operations using robocopy or xcopy with standard recursive flags"
  - "Enterprise file sync and DLP agents (OneDrive sync client, SharePoint sync, Varonis, Symantec DLP) scanning for specific document types as part of classification and policy enforcement"
  - "IT administrators running robocopy or PowerShell Get-ChildItem for bulk file migrations, server decommissions, or departmental data reorganization projects"
  - "Software developers using Python scripts with os.walk or glob.glob for build processes, automated test data preparation, or log parsing pipelines"
  - "Anti-virus and endpoint security products performing scheduled content-inspection scans that enumerate files by extension type across user directories"
level: high
