Last reviewed:
T1119 describes scripted harvesting of data at scale once access exists: looped S3 object reads, bulk database exports, storage-bucket crawls. The cloud telltale is volume and regularity rather than any single read. DCV's depth here comes from Amazon Macie, whose SensitiveData:S3Object findings for financial, personal and multi-category data identify which buckets an automated sweep would actually hurt, with Chronicle's AUTOMATED_COLLECTION rules covering GCP storage. Encryption-by-default checks from AWS Config reduce what a collector can use afterwards.
Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals.
In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.
This functionality could also be built into remote access tools.
This technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files, as well as Cloud Service Dashboard and Cloud Storage Object Discovery to identify resources in cloud environments.
Platforms: IaaS, Linux, macOS, Office Suite, SaaS, Windows.
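The "volume and regularity" telltale above can be tested directly against S3 data-event logs. The following is an added example, not DCV, Macie or Chronicle code: it groups constructed CloudTrail-style `GetObject` events by principal, measures how evenly spaced each principal's reads are, and ranks hits by whether they touched buckets a Macie-style finding marked as sensitive (the event shape, bucket names, principals and thresholds are all assumptions).

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed: buckets a Macie SensitiveData:S3Object finding would have flagged.
SENSITIVE_BUCKETS = {"payroll-exports", "customer-pii"}


def make_events():
    """Constructed CloudTrail-style GetObject events: one scripted sweep, one human."""
    t0 = datetime(2024, 1, 1, 3, 0, 0)
    events = []
    # Scripted loop: 40 reads, one every 2 seconds, against a sensitive bucket.
    for i in range(40):
        events.append({"principal": "arn:aws:iam::111122223333:user/batch-svc",
                       "bucket": "payroll-exports", "key": f"2024/{i:03}.csv",
                       "time": t0 + timedelta(seconds=2 * i)})
    # Human browsing: 6 reads at irregular gaps against a non-sensitive bucket.
    for i, offset in enumerate([0, 41, 95, 130, 400, 433]):
        events.append({"principal": "arn:aws:iam::111122223333:user/alice",
                       "bucket": "team-docs", "key": f"notes-{i}.md",
                       "time": t0 + timedelta(seconds=offset)})
    return events


def find_automated_collection(events, min_reads=20, max_cv=0.25):
    """Flag principals whose reads are both numerous and evenly spaced.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive reads: a scripted loop scores low, a human browsing scores high.
    Each hit lists the sensitive buckets touched so triage can rank by impact.
    """
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["principal"]].append(e)
    hits = {}
    for principal, evs in by_principal.items():
        if len(evs) < max(min_reads, 2):  # need at least one gap to measure
            continue
        times = sorted(e["time"] for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 0.0  # same-second burst counts as regular
        if cv <= max_cv:
            hits[principal] = {
                "reads": len(evs),
                "gap_cv": round(cv, 3),
                "sensitive_buckets": sorted({e["bucket"] for e in evs} & SENSITIVE_BUCKETS),
            }
    return hits
```

Tune `min_reads` and `max_cv` per account from a baseline of normal service traffic; legitimate batch jobs will also score as regular, so the sensitive-bucket list is what separates noise from a sweep worth paging on.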
DCV maps 11 detections across 2 cloud providers to T1119. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS Macie | AWS | 7 | 0.86 |
| AWS Config Rules | AWS | 3 | 0.50 |
| GCP Chronicle | GCP | 1 | 0.80 |
CloudSigma has coverage metadata for 11 T1119 rules across 3 platforms. The linked platform page remains the canonical rule surface; no public example rule yet clears the embed bar, so this page will embed one once a rule does. Until then, generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.
DCV maps 11 cloud-native detections to T1119 across 2 cloud providers, drawn from AWS Config Rules, AWS Macie and GCP Chronicle.
T1119 is part of MITRE ATT&CK TA0009 Collection, the tactic covering how adversaries gather data of interest before exfiltration.
CloudSigma ships 3 validated Sigma rules for T1119 across AWS CloudTrail, Azure Activity and GCP Audit Logs. Each rule is validated against its source SIEM dialect before publication.