- Tactics
- Collection
- Platforms
- Office Suite, SaaS
- Reference
- attack.mitre.org/techniques/T1213.005
Description
Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
The following is a brief list of example information that may hold potential value to an adversary and may also be found on messaging applications:
- Testing / development credentials (i.e., Chat Messages)
- Source code snippets
- Links to network shares and other internal resources
- Proprietary data(Citation: Guardian Grand Theft Auto Leak 2022)
- Discussions about ongoing incident response efforts(Citation: SC Magazine Ragnar Locker 2021)(Citation: Microsoft DEV-0537)
In addition to exfiltrating data from messaging applications, adversaries may leverage data from chat messages in order to improve their targeting - for example, by learning more about an environment or evading ongoing incident response efforts.(Citation: Sentinel Labs NullBulge 2024)(Citation: Permiso Scattered Spider 2023)
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Collection tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1005 — Data from Local System
- T1025 — Data from Removable Media
- T1039 — Data from Network Shared Drive
- T1056 — Input Capture
- T1074 — Data Staged
- T1113 — Screen Capture
- T1114 — Email Collection
- T1115 — Clipboard Data
- T1119 — Automated Collection
- T1123 — Audio Capture
- T1125 — Video Capture
- T1185 — Browser Session Hijacking