title: Automated Collection Command PowerShell
id: c1dda054-d638-4c16-afc8-53e007f3fbc5
status: experimental
description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
author: frack113
date: 2021/07/28
modified: 2021/10/16
tags:
    - attack.collection
    - attack.t1119
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    SELECTION_1:
        ScriptBlockText: '*.doc*'
    SELECTION_2:
        ScriptBlockText: '*.docx*'
    SELECTION_3:
        ScriptBlockText: '*.xls*'
    SELECTION_4:
        ScriptBlockText: '*.xlsx*'
    SELECTION_5:
        ScriptBlockText: '*.ppt*'
    SELECTION_6:
        ScriptBlockText: '*.pptx*'
    SELECTION_7:
        ScriptBlockText: '*.rtf*'
    SELECTION_8:
        ScriptBlockText: '*.pdf*'
    SELECTION_9:
        ScriptBlockText: '*.txt*'
    SELECTION_10:
        ScriptBlockText: '*Get-ChildItem*'
    SELECTION_11:
        ScriptBlockText: '* -Recurse *'
    SELECTION_12:
        ScriptBlockText: '* -Include *'
    condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9) and SELECTION_10 and SELECTION_11 and SELECTION_12)
falsepositives:
    - Unknown
level: medium
yml_filename: powershell_automated_collection.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
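Added example (not part of the rule or of the Sigma project): a minimal Python evaluation of this rule's condition over constructed Event ID 4104 ScriptBlockText samples, translating each Sigma wildcard value the way a backend would (case-insensitive, `*` matches any run of characters). The sample events and the `matches_rule` helper are assumptions for illustration.

```python
import re

# The rule's ScriptBlockText values, grouped as the condition groups them.
DOC_EXTENSIONS = ["*.doc*", "*.docx*", "*.xls*", "*.xlsx*", "*.ppt*",
                  "*.pptx*", "*.rtf*", "*.pdf*", "*.txt*"]   # SELECTION_1..9 (any)
REQUIRED = ["*Get-ChildItem*", "* -Recurse *", "* -Include *"]  # SELECTION_10..12 (all)


def sigma_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a Sigma string value into a case-insensitive regex that must
    cover the whole field: '*' becomes '.*', '?' becomes '.', all else literal."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped, re.IGNORECASE | re.DOTALL)


def matches_rule(script_block_text: str) -> bool:
    """Evaluate the rule condition on one ScriptBlockText value."""
    any_ext = any(sigma_pattern_to_regex(p).fullmatch(script_block_text)
                  for p in DOC_EXTENSIONS)
    all_required = all(sigma_pattern_to_regex(p).fullmatch(script_block_text)
                       for p in REQUIRED)
    return any_ext and all_required


# Constructed sample script blocks (not real telemetry).
SAMPLE_EVENTS = [
    # Recursive enumeration filtered to Office/PDF documents: should match.
    {"EventID": 4104, "ScriptBlockText":
     "Get-ChildItem -Path C:\\Users -Recurse -Include *.docx,*.xlsx,*.pdf | Select-Object FullName"},
    # Recursive listing with no -Include and no document extension: no match.
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\Temp -Recurse -Force"},
    # Alias 'gci' and a Where-Object filter: no 'Get-ChildItem' or ' -Include ' token, no match.
    {"EventID": 4104, "ScriptBlockText": "gci . -Recurse | Where-Object Name -like '*.txt'"},
    # Mixed case still matches, since Sigma string matching is case-insensitive.
    {"EventID": 4104, "ScriptBlockText": "GET-CHILDITEM $env:USERPROFILE -RECURSE -INCLUDE *.PPTX"},
    # Tuning caveat: '* -Recurse *' needs a space after -Recurse, so a block that
    # ends in -Recurse with nothing after it is not matched by this rule as written.
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem -Include *.doc -Recurse"},
]


def alerts(events):
    """Return the ScriptBlockText of every event the rule fires on."""
    return [e["ScriptBlockText"] for e in events if matches_rule(e["ScriptBlockText"])]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit)
```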