Collection consists of techniques adversaries may use to gather information relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email.
Tactic Overview
Tactic ID: TA0009 — Matrix: Enterprise — Techniques: 17
The Collection tactic represents a phase in the adversary lifecycle where the adversary is trying to gather data of interest to their goal. This tactic is part of the MITRE ATT&CK Enterprise matrix and encompasses 17 known techniques that adversaries employ during this phase of an attack.
Understanding this tactic is critical for defenders to build effective detection strategies and implement appropriate countermeasures. Organizations should map their security controls against each technique to identify coverage gaps and prioritize defensive investments.
Techniques (17)
The following techniques are categorized under the Collection tactic in the MITRE ATT&CK Enterprise matrix:
| Technique ID | Name | Description | MITRE Reference |
|---|---|---|---|
| T1557 | Adversary-in-the-Middle (3 sub-techniques) | Adversaries position themselves between network communications to intercept and relay data, enabling credential capture and session hijacking. | T1557 |
| T1560 | Archive Collected Data (3 sub-techniques) | Adversaries compress and encrypt collected data before exfiltration using tools like 7-Zip, WinRAR, and tar. | T1560 |
| T1123 | Audio Capture | Adversaries capture audio from microphones to collect sensitive information from conversations. | T1123 |
| T1119 | Automated Collection | Adversaries use automated scripts and tools to systematically collect large volumes of data from compromised systems. | T1119 |
| T1185 | Browser Session Hijacking | Adversaries inject into browser processes to access authenticated web sessions and steal information. | T1185 |
| T1115 | Clipboard Data | Adversaries capture clipboard contents to collect passwords, cryptocurrency addresses, and other sensitive data copied by users. | T1115 |
| T1530 | Data from Cloud Storage | Adversaries access and collect data from cloud storage services like S3, Azure Blob Storage, and Google Cloud Storage. | T1530 |
| T1602 | Data from Configuration Repository (2 sub-techniques) | Adversaries collect configuration data from network device repositories (SNMP, TFTP/SSH configs) containing credentials and architecture info. | T1602 |
| T1213 | Data from Information Repositories (3 sub-techniques) | Adversaries mine information repositories like SharePoint, Confluence, and code repos for sensitive data. | T1213 |
| T1005 | Data from Local System | Adversaries search local system sources including file systems, databases, and memory for sensitive information. | T1005 |
| T1039 | Data from Network Shared Drive | Adversaries search network shared drives and file servers for sensitive data to collect. | T1039 |
| T1025 | Data from Removable Media | Adversaries collect data from removable media devices connected to compromised systems. | T1025 |
| T1074 | Data Staged (2 sub-techniques) | Adversaries stage collected data in central locations before exfiltration, often in temporary directories. | T1074 |
| T1114 | Email Collection (3 sub-techniques) | Adversaries collect email data from local clients, servers, or cloud services for intelligence gathering. | T1114 |
| T1056 | Input Capture (4 sub-techniques) | Adversaries capture user input through keylogging, GUI input capture, web portals, or credential API hooking to steal credentials. | T1056 |
| T1113 | Screen Capture | Adversaries capture screenshots to collect information about the user's desktop, applications, and activity. | T1113 |
| T1125 | Video Capture | Adversaries capture video from webcams and other recording devices to gather visual intelligence. | T1125 |
Detection & Mitigation
Organizations should implement layered defenses addressing each technique within this tactic. Below are key mitigation strategies recommended by Mjolnir Security analysts.
Key Mitigations
- Data Loss Prevention (DLP)
- Encrypt sensitive data
- Monitor for bulk data access
- Restrict access to sensitive repositories
- Audit file access patterns
Detection Strategies
Effective detection of Collection techniques requires a combination of log analysis, behavioral monitoring, and threat intelligence correlation. Security teams should focus on establishing baselines for normal activity and alerting on deviations that may indicate adversary behavior aligned with this tactic.
- SIEM Integration: Correlate events across multiple data sources to detect technique patterns
- Behavioral Analytics: Deploy UEBA solutions to identify anomalous activity indicative of this tactic
- Threat Hunting: Proactively search for indicators of techniques within this tactic using hypothesis-driven investigations
- Purple Teaming: Regularly test detection coverage by simulating techniques from this tactic
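One way to turn the baseline-and-deviation approach above into a concrete check for bulk file access (T1005, T1039, T1119) over file-server audit logs, as an added example that is not from the original page or from Mjolnir's tooling: the log format, the users, and the paths are constructed, and the per-user baseline is simply the mean and standard deviation of distinct files read per active hour.

```python
"""Baseline-and-deviation detector for bulk file access in file-server audit logs.
Added example (not MITRE's or Mjolnir's code); log format, users and paths are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit-log line format: "<YYYY-MM-DDTHH:MM:SS> <user> READ <path>"
def make_logs():
    baseline = []
    # Baseline week: each user reads a handful of distinct files per hour, 8 hours a day.
    for day in range(1, 6):
        for hour in range(9, 17):
            for user, n in (("alice", 3 + hour % 3), ("bob", 2 + day % 2)):
                for i in range(n):
                    baseline.append(f"2026-03-0{day}T{hour:02d}:{i * 10:02d}:00 {user} READ "
                                    f"/srv/finance/{user}_{hour}_{i}.xlsx")
    # Observed hour: bob sweeps 40 distinct files in one hour; alice behaves as usual.
    observed = [f"2026-03-06T10:{i:02d}:00 bob READ /srv/finance/q1/report_{i}.xlsx" for i in range(40)]
    observed += [f"2026-03-06T10:{i * 10:02d}:00 alice READ /srv/finance/alice_10_{i}.xlsx" for i in range(4)]
    return baseline, observed

def distinct_files_per_hour(lines):
    """Map (user, hour bucket) -> set of distinct paths read in that hour."""
    buckets = defaultdict(set)
    for line in lines:
        ts, user, _action, path = line.split(" ", 3)
        buckets[(user, ts[:13])].add(path)  # ts[:13] is "YYYY-MM-DDTHH"
    return buckets

def build_baseline(lines):
    """Per-user (mean, population stdev) of distinct files read per active hour."""
    per_user = defaultdict(list)
    for (user, _hour), paths in distinct_files_per_hour(lines).items():
        per_user[user].append(len(paths))
    return {user: (mean(counts), pstdev(counts)) for user, counts in per_user.items()}

def detect_bulk_access(lines, baseline, z_threshold=3.0, min_files=20):
    """Return (user, hour, count) for hours whose distinct-file count deviates from
    the user's baseline by z_threshold or more; min_files suppresses alerts driven
    only by a near-zero baseline stdev or a user with no baseline at all."""
    alerts = []
    for (user, hour), paths in distinct_files_per_hour(lines).items():
        n = len(paths)
        mu, sigma = baseline.get(user, (0.0, 0.0))
        z = (n - mu) / sigma if sigma > 0 else (float("inf") if n > mu else 0.0)
        if n >= min_files and z >= z_threshold:
            alerts.append((user, hour, n))
    return alerts

if __name__ == "__main__":
    base_lines, observed_lines = make_logs()
    print(detect_bulk_access(observed_lines, build_baseline(base_lines)))
```

In production the baseline window and thresholds should be tuned per share, since a backup service account legitimately reads far more files per hour than an analyst.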
Associated Threat Actors
The following threat actors are known to heavily leverage techniques from the Collection tactic:
For comprehensive threat actor profiles, visit the APT Groups Hub.
Resources & References
Defend Against Collection Techniques
Mjolnir Security provides expert threat intelligence, purple team exercises, and detection engineering services to help organizations defend against adversary tactics mapped to the MITRE ATT&CK framework.
Written by Mjolnir Security Research — Published March 7, 2026
