Collection (17 techniques)
Gathering information of interest to the adversary.
The Collection tactic groups the MITRE ATT&CK techniques adversaries use to gather information of interest to them. Each technique below has its own page with detection guidance, platforms, and sub-techniques.
- T1005 — Data from Local System (ESXi, Linux, macOS, Network Devices, Windows)
- T1025 — Data from Removable Media (Linux, macOS, Windows)
- T1039 — Data from Network Shared Drive (Linux, macOS, Windows)
- T1056 — Input Capture (Linux, macOS, Network Devices, Windows)
- T1074 — Data Staged (ESXi, IaaS, Linux, macOS, Windows)
- T1113 — Screen Capture (Linux, macOS, Windows)
- T1114 — Email Collection (Windows, macOS, Linux, Office Suite)
- T1115 — Clipboard Data (Linux, macOS, Windows)
- T1119 — Automated Collection (IaaS, Linux, macOS, Office Suite, SaaS, Windows)
- T1123 — Audio Capture (Linux, macOS, Windows)
- T1125 — Video Capture (Linux, macOS, Windows)
- T1185 — Browser Session Hijacking (Windows)
- T1213 — Data from Information Repositories (Linux, Windows, macOS, SaaS, IaaS, Office Suite)
- T1530 — Data from Cloud Storage (IaaS, Office Suite, SaaS)
- T1557 — Adversary-in-the-Middle (Linux, macOS, Network Devices, Windows)
- T1560 — Archive Collected Data (Linux, macOS, Windows)
- T1602 — Data from Configuration Repository (Network Devices)