Collection (17 techniques)
Gathering information of interest to the adversary.
The Collection tactic groups MITRE ATT&CK techniques used by adversaries togathering information of interest to the adversary. Each technique below has its own page with detection guidance, platforms, and sub-techniques.
- T1005 - Data from Local SystemESXi, Linux, macOS, Network Devices, Windows
- T1025 - Data from Removable MediaLinux, macOS, Windows
- T1039 - Data from Network Shared DriveLinux, macOS, Windows
- T1056 - Input CaptureLinux, macOS, Network Devices, Windows
- T1074 - Data StagedESXi, IaaS, Linux, macOS, Windows
- T1113 - Screen CaptureLinux, macOS, Windows
- T1114 - Email CollectionWindows, macOS, Linux, Office Suite
- T1115 - Clipboard DataLinux, macOS, Windows
- T1119 - Automated CollectionIaaS, Linux, macOS, Office Suite, SaaS, Windows
- T1123 - Audio CaptureLinux, macOS, Windows
- T1125 - Video CaptureLinux, macOS, Windows
- T1185 - Browser Session HijackingWindows
- T1213 - Data from Information RepositoriesLinux, Windows, macOS, SaaS, IaaS, Office Suite
- T1530 - Data from Cloud StorageIaaS, Office Suite, SaaS
- T1557 - Adversary-in-the-MiddleLinux, macOS, Network Devices, Windows
- T1560 - Archive Collected DataLinux, macOS, Windows
- T1602 - Data from Configuration RepositoryNetwork Devices
Detection engineering training, taught by practitioners.
Learn how to build real detections across the MITRE ATT&CK framework.
View Courses