Collection (MITRE Tactic)
What is Collection (MITRE Tactic)?
The MITRE ATT&CK tactic (TA0009) covering techniques used to gather information of interest before it is exfiltrated.
Collection (MITRE ATT&CK tactic TA0009) groups techniques attackers use to identify and stage data of value before exfiltration. Common techniques include screen capture, keylogging, clipboard monitoring, audio and video capture, archiving files from local and network drives, mailbox harvesting in Microsoft 365 or Google Workspace, automated collection scripts, and accessing cloud storage buckets. Adversaries typically compress and encrypt the data into staging archives (.zip, .rar, .7z) in temp directories to keep network throughput low and to bypass DLP signatures. Defenders detect Collection through DLP rules, mailbox-audit logs, anomalous file-access patterns, large local archive creation, EDR detections on screen-capture and keylogger APIs, and honey files that fire alerts when read.
● Examples
- 01: An attacker zipping every .docx and .xlsx in a finance share into a single archive in C:\Users\Public\.
- 02: Enabling mailbox forwarding rules in M365 to siphon executive emails to an external address.
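The two scenarios above written as detection logic, as an added example that is not part of the original glossary entry: it runs over constructed file-access and mailbox-audit records, and the event field names, staging-directory list, tenant domain and the 20-file read threshold are all assumptions.

```python
from collections import defaultdict

# Assumed values: staging locations named on the page plus common temp dirs,
# the archive and office extensions it lists, a made-up tenant domain, and a
# threshold for "many office files read before an archive was written".
STAGING_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\windows\\temp\\")
ARCHIVE_EXT = (".zip", ".rar", ".7z")
OFFICE_EXT = (".docx", ".xlsx")
INTERNAL_DOMAIN = "corp.example"
READ_THRESHOLD = 20


def flag_staging_archives(events):
    """Return (host, pid, archive, reads) for archives created in a staging
    directory by a process that had already read many office files."""
    reads = defaultdict(int)
    hits = []
    for e in events:
        path = e["path"].lower()
        key = (e["host"], e["pid"])
        if e["op"] == "read" and path.endswith(OFFICE_EXT):
            reads[key] += 1
        elif e["op"] == "create" and path.endswith(ARCHIVE_EXT) \
                and any(d in path for d in STAGING_DIRS):
            if reads[key] >= READ_THRESHOLD:
                hits.append((e["host"], e["pid"], e["path"], reads[key]))
    return hits


def flag_external_forwarding(audit_records):
    """Return (user, target) for inbox rules forwarding outside the tenant.
    Records mimic M365 audit entries for New-InboxRule; shape is assumed."""
    hits = []
    for r in audit_records:
        target = r.get("forward_to", "")
        if r["operation"] == "New-InboxRule" and target \
                and not target.lower().endswith("@" + INTERNAL_DOMAIN):
            hits.append((r["user"], target))
    return hits


# Constructed sample telemetry: one process reads 25 spreadsheets from a
# finance share and then writes a zip to C:\Users\Public\; a second process
# writes a zip there without any preceding bulk reads (should not fire).
FILE_EVENTS = [
    {"host": "WS01", "pid": 4120, "op": "read",
     "path": f"\\\\fs01\\finance\\q3\\report{i}.xlsx"} for i in range(25)
] + [
    {"host": "WS01", "pid": 4120, "op": "create", "path": "C:\\Users\\Public\\backup.zip"},
    {"host": "WS02", "pid": 700, "op": "create", "path": "C:\\Users\\Public\\notes.zip"},
]
AUDIT = [
    {"user": "ceo@corp.example", "operation": "New-InboxRule", "forward_to": "archive@mail-drop.example"},
    {"user": "cfo@corp.example", "operation": "New-InboxRule", "forward_to": "assistant@corp.example"},
]
```

Correlating reads and archive creation per process, rather than alerting on every archive in a temp directory, is what keeps the first rule from firing on ordinary user backups.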
● Frequently asked questions
What is Collection (MITRE Tactic)?
The MITRE ATT&CK tactic (TA0009) covering techniques used to gather information of interest before it is exfiltrated. It belongs to the Defense & Operations category of cybersecurity.
What does Collection (MITRE Tactic) mean?
The MITRE ATT&CK tactic (TA0009) covering techniques used to gather information of interest before it is exfiltrated.
How does Collection (MITRE Tactic) work?
Collection (MITRE ATT&CK tactic TA0009) groups techniques attackers use to identify and stage data of value before exfiltration. Common techniques include screen capture, keylogging, clipboard monitoring, audio and video capture, archiving files from local and network drives, mailbox harvesting in Microsoft 365 or Google Workspace, automated collection scripts, and accessing cloud storage buckets. Adversaries typically compress and encrypt the data into staging archives (.zip, .rar, .7z) in temp directories to keep network throughput low and to bypass DLP signatures. Defenders detect Collection through DLP rules, mailbox-audit logs, anomalous file-access patterns, large local archive creation, EDR detections on screen-capture and keylogger APIs, and honey files that fire alerts when read.
How do you defend against Collection (MITRE Tactic)?
Defences against Collection combine technical controls and operational practices: DLP rules, mailbox-audit logging, monitoring for anomalous file-access patterns and large local archive creation, EDR detections on screen-capture and keylogger APIs, and honey files that alert when read.
What are other names for Collection (MITRE Tactic)?
Common alternative names include: Data staging, TA0009.
● Related terms
- MITRE ATT&CK (compliance): A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
- Exfiltration (defense-ops): The MITRE ATT&CK tactic (TA0010) covering techniques used to transfer stolen data out of a victim network to an attacker-controlled location.
- Keylogger (malware): Software or hardware that records the keystrokes a user types, used to steal passwords, financial data, or messages.
- Data Loss Prevention (DLP) (privacy): A set of technologies and policies that detect and block unauthorized exfiltration of sensitive data across endpoints, networks, email, and cloud services.
- Cyber Kill Chain (defense-ops): Lockheed Martin's seven-stage model that describes how a targeted intrusion progresses from reconnaissance to actions on objectives.
- Spyware (malware): Malware that secretly collects information about a user, device, or organization and sends it to an external party.