Collection, Tactic TA0009 - Enterprise

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>Collection, Tactic TA0009 - Enterprise | MITRE ATT&CK®</title>   <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' />  <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1">  <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>  <img src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1">  <div class="col px-0">   <div class="container-fluid banner-message"> ATT&CK v16 has been released! Check out the <a href='https://medium.com/mitre-attack/attack-v16-561c76af94cf'>blog post</a> for more information. </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0">   <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div>  <div id="sidebars"></div>  </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/tactics/enterprise">Tactics</a></li> <li class="breadcrumb-item"><a href="/tactics/enterprise">Enterprise</a></li> <li class="breadcrumb-item">Collection</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Collection </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>The adversary is trying to gather data of interest to their goal.</p><p>Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to either steal (exfiltrate) the data or to use the data to gain more information about the target environment. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="card-data"><span class="h5 card-title">ID:</span> TA0009</div> <div class="card-data"><span class="h5 card-title">Created: </span>17 October 2018</div> <div class="card-data"><span class="h5 card-title">Last Modified: </span>05 September 2024</div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of TA0009" href="/versions/v16/tactics/TA0009/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of TA0009" href="/versions/v16/tactics/TA0009/" data-test-ignore="true">Live Version</a> </div> </div> </div> </div> <h2 class="pt-3" id ="techniques">Techniques</h2><h6 class="table-object-count">Techniques: 17</h6> <table class="table-techniques"> <thead> <tr> <td colspan="2">ID</td> <td>Name</td> <td>Description</td> </tr> </thead> <tbody> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1557"> T1557 </a> </td> <td> <a href="/techniques/T1557"> Adversary-in-the-Middle </a> </td> <td> Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as <a href="/techniques/T1040">Network Sniffing</a>, <a href="/techniques/T1565/002">Transmitted Data Manipulation</a>, or replay attacks (<a href="/techniques/T1212">Exploitation for Credential Access</a>). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1557/001"> .001 </a> </td> <td> <a href="/techniques/T1557/001"> LLMNR/NBT-NS Poisoning and SMB Relay </a> </td> <td> By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1557/002"> .002 </a> </td> <td> <a href="/techniques/T1557/002"> ARP Cache Poisoning </a> </td> <td> Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as <a href="/techniques/T1040">Network Sniffing</a> or <a href="/techniques/T1565/002">Transmitted Data Manipulation</a>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1557/003"> .003 </a> </td> <td> <a href="/techniques/T1557/003"> DHCP Spoofing </a> </td> <td> Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as <a href="/techniques/T1040">Network Sniffing</a> or <a href="/techniques/T1565/002">Transmitted Data Manipulation</a>. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1557/004"> .004 </a> </td> <td> <a href="/techniques/T1557/004"> Evil Twin </a> </td> <td> Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a way of supporting follow-on behaviors such as <a href="/techniques/T1040">Network Sniffing</a>, <a href="/techniques/T1565/002">Transmitted Data Manipulation</a>, or <a href="/techniques/T1056">Input Capture</a>. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1560"> T1560 </a> </td> <td> <a href="/techniques/T1560"> Archive Collected Data </a> </td> <td> An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1560/001"> .001 </a> </td> <td> <a href="/techniques/T1560/001"> Archive via Utility </a> </td> <td> Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1560/002"> .002 </a> </td> <td> <a href="/techniques/T1560/002"> Archive via Library </a> </td> <td> An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including <a href="/techniques/T1059/006">Python</a> rarfile , libzip , and zlib . Most libraries include functionality to encrypt and/or compress data. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1560/003"> .003 </a> </td> <td> <a href="/techniques/T1560/003"> Archive via Custom Method </a> </td> <td> An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1123"> T1123 </a> </td> <td> <a href="/techniques/T1123"> Audio Capture </a> </td> <td> An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1119"> T1119 </a> </td> <td> <a href="/techniques/T1119"> Automated Collection </a> </td> <td> Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a <a href="/techniques/T1059">Command and Scripting Interpreter</a> to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1185"> T1185 </a> </td> <td> <a href="/techniques/T1185"> Browser Session Hijacking </a> </td> <td> Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1115"> T1115 </a> </td> <td> <a href="/techniques/T1115"> Clipboard Data </a> </td> <td> Adversaries may collect data stored in the clipboard from users copying information within or between applications. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1530"> T1530 </a> </td> <td> <a href="/techniques/T1530"> Data from Cloud Storage </a> </td> <td> Adversaries may access data from cloud storage. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1602"> T1602 </a> </td> <td> <a href="/techniques/T1602"> Data from Configuration Repository </a> </td> <td> Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1602/001"> .001 </a> </td> <td> <a href="/techniques/T1602/001"> SNMP (MIB Dump) </a> </td> <td> Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1602/002"> .002 </a> </td> <td> <a href="/techniques/T1602/002"> Network Device Configuration Dump </a> </td> <td> Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1213"> T1213 </a> </td> <td> <a href="/techniques/T1213"> Data from Information Repositories </a> </td> <td> Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization (i.e., <a href="/techniques/T1537">Transfer Data to Cloud Account</a>). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1213/001"> .001 </a> </td> <td> <a href="/techniques/T1213/001"> Confluence </a> </td> <td> Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as: </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1213/002"> .002 </a> </td> <td> <a href="/techniques/T1213/002"> Sharepoint </a> </td> <td> Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint: </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1213/003"> .003 </a> </td> <td> <a href="/techniques/T1213/003"> Code Repositories </a> </td> <td> Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1213/004"> .004 </a> </td> <td> <a href="/techniques/T1213/004"> Customer Relationship Management Software </a> </td> <td> Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1213/005"> .005 </a> </td> <td> <a href="/techniques/T1213/005"> Messaging Applications </a> </td> <td> Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1005"> T1005 </a> </td> <td> <a href="/techniques/T1005"> Data from Local System </a> </td> <td> Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1039"> T1039 </a> </td> <td> <a href="/techniques/T1039"> Data from Network Shared Drive </a> </td> <td> Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within <a href="/software/S0106">cmd</a> may be used to gather information. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1025"> T1025 </a> </td> <td> <a href="/techniques/T1025"> Data from Removable Media </a> </td> <td> Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within <a href="/software/S0106">cmd</a> may be used to gather information. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1074"> T1074 </a> </td> <td> <a href="/techniques/T1074"> Data Staged </a> </td> <td> Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as <a href="/techniques/T1560">Archive Collected Data</a>. Interactive command shells may be used, and common functionality within <a href="/software/S0106">cmd</a> and bash may be used to copy data into a staging location. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1074/001"> .001 </a> </td> <td> <a href="/techniques/T1074/001"> Local Data Staging </a> </td> <td> Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as <a href="/techniques/T1560">Archive Collected Data</a>. Interactive command shells may be used, and common functionality within <a href="/software/S0106">cmd</a> and bash may be used to copy data into a staging location. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1074/002"> .002 </a> </td> <td> <a href="/techniques/T1074/002"> Remote Data Staging </a> </td> <td> Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as <a href="/techniques/T1560">Archive Collected Data</a>. Interactive command shells may be used, and common functionality within <a href="/software/S0106">cmd</a> and bash may be used to copy data into a staging location. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1114"> T1114 </a> </td> <td> <a href="/techniques/T1114"> Email Collection </a> </td> <td> Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques in order to maintain persistence or evade defenses. Adversaries can collect or forward email from mail servers or clients. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1114/001"> .001 </a> </td> <td> <a href="/techniques/T1114/001"> Local Email Collection </a> </td> <td> Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user鈥檚 local system, such as Outlook storage or cache files. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1114/002"> .002 </a> </td> <td> <a href="/techniques/T1114/002"> Remote Email Collection </a> </td> <td> Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as <a href="/software/S0413">MailSniper</a> can be used to automate searches for specific keywords. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1114/003"> .003 </a> </td> <td> <a href="/techniques/T1114/003"> Email Forwarding Rule </a> </td> <td> Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim鈥檚 organization to use as part of further exploits or operations. Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators. Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1056"> T1056 </a> </td> <td> <a href="/techniques/T1056"> Input Capture </a> </td> <td> Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. <a href="/techniques/T1056/004">Credential API Hooking</a>) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. <a href="/techniques/T1056/003">Web Portal Capture</a>). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1056/001"> .001 </a> </td> <td> <a href="/techniques/T1056/001"> Keylogging </a> </td> <td> Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when <a href="/techniques/T1003">OS Credential Dumping</a> efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1056/002"> .002 </a> </td> <td> <a href="/techniques/T1056/002"> GUI Input Capture </a> </td> <td> Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: <a href="/techniques/T1548/002">Bypass User Account Control</a>). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1056/003"> .003 </a> </td> <td> <a href="/techniques/T1056/003"> Web Portal Capture </a> </td> <td> Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1056/004"> .004 </a> </td> <td> <a href="/techniques/T1056/004"> Credential API Hooking </a> </td> <td> Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials. Unlike <a href="/techniques/T1056/001">Keylogging</a>, this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via: </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1113"> T1113 </a> </td> <td> <a href="/techniques/T1113"> Screen Capture </a> </td> <td> Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1125"> T1125 </a> </td> <td> <a href="/techniques/T1125"> Video Capture </a> </td> <td> An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files. </td> </tr> </tbody> </table> </div> </div> </div> </div> </div> </div>   <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner">  <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div>  <div id="search-body" class="search-body"> <div class="results" id="search-results">  </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1">  <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&CK content v16.1Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> © 2015 - 2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div>  </div>  <script src="/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/theme/scripts/popper.min.js"></script> <script src="/theme/scripts/bootstrap-select.min.js"></script> <script src="/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/theme/scripts/site.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/search_bundle.js"></script>  <script src="/theme/scripts/resizer.js"></script>  <script src="/theme/scripts/sidebar-load-all.js"></script> </body> </html>

CINXE.COM

Collection, Tactic TA0009 - Enterprise | MITRE ATT&CK®