The adversary is trying to gather data of interest to their goal. Collection consists of the techniques adversaries may use to gather information, and the sources that information is collected from, that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to either steal (exfiltrate) the data or to use the data to gain more information about the target environment. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.

Technique ID | Technique Name | Number of Mappings | Number of Subtechniques |
---|---|---|---|
T1113 | Screen Capture | 4 | 0 |
T1557 | Adversary-in-the-Middle | 54 | 4 |
T1602 | Data from Configuration Repository | 47 | 2 |
T1123 | Audio Capture | 3 | 0 |
T1114 | Email Collection | 31 | 3 |
T1025 | Data from Removable Media | 21 | 0 |
T1119 | Automated Collection | 26 | 0 |
T1115 | Clipboard Data | 5 | 0 |
T1530 | Data from Cloud Storage | 71 | 0 |
T1005 | Data from Local System | 21 | 0 |
T1560 | Archive Collected Data | 7 | 3 |
T1185 | Browser Session Hijacking | 23 | 0 |
T1125 | Video Capture | 3 | 0 |
T1074 | Data Staged | 2 | 1 |
T1039 | Data from Network Shared Drive | 3 | 0 |
T1056 | Input Capture | 5 | 4 |
T1213 | Data from Information Repositories | 45 | 5 |