Collection (17 techniques)
Gathering information of interest to the adversary.
The Collection tactic groups the MITRE ATT&CK techniques adversaries use to gather information of interest to them. Each technique below has its own page with detection guidance, platforms, and sub-techniques.
- T1005 — Data from Local System (ESXi, Linux, macOS, Network Devices, Windows)
- T1025 — Data from Removable Media (Linux, macOS, Windows)
- T1039 — Data from Network Shared Drive (Linux, macOS, Windows)
- T1056 — Input Capture (Linux, macOS, Network Devices, Windows)
- T1074 — Data Staged (ESXi, IaaS, Linux, macOS, Windows)
- T1113 — Screen Capture (Linux, macOS, Windows)
- T1114 — Email Collection (Windows, macOS, Linux, Office Suite)
- T1115 — Clipboard Data (Linux, macOS, Windows)
- T1119 — Automated Collection (IaaS, Linux, macOS, Office Suite, SaaS, Windows)
- T1123 — Audio Capture (Linux, macOS, Windows)
- T1125 — Video Capture (Linux, macOS, Windows)
- T1185 — Browser Session Hijacking (Windows)
- T1213 — Data from Information Repositories (Linux, Windows, macOS, SaaS, IaaS, Office Suite)
- T1530 — Data from Cloud Storage (IaaS, Office Suite, SaaS)
- T1557 — Adversary-in-the-Middle (Linux, macOS, Network Devices, Windows)
- T1560 — Archive Collected Data (Linux, macOS, Windows)
- T1602 — Data from Configuration Repository (Network Devices)