MITRE ATT&CK Collection (TA0009)

The MITRE ATT&CK Collection (TA0009) tactic outlines how adversaries gather valuable data from a target environment after gaining access. This data may include sensitive documents, user credentials, or network information. Techniques include capturing screenshots, keylogging, accessing stored data (files, emails, databases), and monitoring network traffic. Attackers may also collect audio, video, or system logs. Once gathered, this data is often staged for exfiltration.

Key techniques for data collection include:

  1. File and Clipboard Capture: Adversaries access and copy files from systems or shared drives that hold sensitive information. They may also capture clipboard contents, which might contain passwords, tokens, or sensitive data transferred during operations.
  2. Input Capture (Keylogging): Attackers install keyloggers to record keystrokes from the target system, capturing credentials or sensitive text that users enter. This method allows adversaries to obtain usernames, passwords, and other input data without raising alarms.
  3. Screen Capture: Attackers may take screenshots of the system, providing visual access to sensitive information displayed on the victim’s machine. This technique is often used when attackers want to capture data that isn’t easily copied through files or text.
  4. Email Collection: Adversaries access stored emails or actively monitor incoming and outgoing email communications. This can reveal sensitive conversations, business strategies, or confidential documents. Email servers or individual client email applications may be targeted.
  5. Data from Network Shared Drives: Attackers can access shared drives or network storage that contains sensitive documents, databases, or system configurations. By mapping these resources, they collect valuable information stored across the organization’s infrastructure.
  6. Browser Data Collection: Attackers may steal data stored in web browsers, such as cached credentials, session cookies, and autofill information. This can provide immediate access to web applications or portals used by the target.

Mitigation Strategies:

  1. Data Encryption: Encrypt sensitive files and communications to make it harder for attackers to collect readable data.
  2. Access Control: Implement strict access controls and user permissions to limit who can access sensitive data.
  3. Monitor File Access: Continuously monitor file access and transfers for unusual activity that could indicate data collection.
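The "Data from Network Shared Drives" technique above and the "Monitor File Access" mitigation meet in one detection: a single account reading an unusual number of distinct files from sensitive shares in a short window. The script below is an added example, not code from this page or from MITRE. It assumes a constructed, pipe-separated file-share access log (timestamp, user, host, path, action) and a hypothetical list of sensitive share prefixes; it parses the lines, keeps a sliding window per user, and raises one alert when a user's distinct-file count inside the window crosses a threshold. The sample log, users and paths are all constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a file-share access log (not a real product's format).
# Assumed layout: ISO timestamp | user | source host | UNC path | action
SAMPLE_LOG = r"""
2024-05-01T09:00:01 | alice | WS-17 | \\fs01\finance\q1-forecast.xlsx | read
2024-05-01T09:42:10 | alice | WS-17 | \\fs01\finance\budget-2024.xlsx | read
2024-05-01T13:02:00 | bob | WS-42 | \\fs01\public\lunch-menu.pdf | read
2024-05-01T13:02:05 | bob | WS-42 | \\fs01\public\holiday-list.pdf | read
2024-05-01T13:15:00 | bob | WS-42 | \\fs01\hr\salaries-2023.xlsx | read
2024-05-01T13:15:03 | bob | WS-42 | \\fs01\hr\salaries-2024.xlsx | read
2024-05-01T13:15:03 | bob | WS-42 | \\fs01\hr\salaries-2024.xlsx | read
2024-05-01T13:15:09 | bob | WS-42 | \\fs01\hr\perf-reviews.docx | read
2024-05-01T13:15:20 | bob | WS-42 | \\fs01\hr\contracts.zip | read
2024-05-01T13:16:01 | bob | WS-42 | \\fs01\hr\terminations.docx | read
2024-05-01T13:17:44 | bob | WS-42 | \\fs01\hr\payroll-export.csv | read
this line is deliberately malformed and must be skipped
"""

# Hypothetical share prefixes that hold sensitive data (assumption for the example).
SENSITIVE_SHARES = (r"\\fs01\finance", r"\\fs01\hr")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    parts = [p.strip() for p in line.split(" | ")]
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return {"ts": ts, "user": parts[1], "host": parts[2],
            "path": parts[3], "action": parts[4]}


def is_sensitive(path):
    """True when the path sits under one of the sensitive share prefixes."""
    lowered = path.lower()
    return any(lowered.startswith(p.lower()) for p in SENSITIVE_SHARES)


def detect_bulk_sensitive_reads(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert when a user reads >= threshold distinct sensitive files within window.

    Repeated reads of the same file do not inflate the count, and reads of
    non-sensitive shares are ignored. One alert is raised per burst: after an
    alert the user's window is cleared so the same burst is not reported twice.
    """
    events = [e for e in (parse_line(l) for l in lines)
              if e and e["action"] == "read" and is_sensitive(e["path"])]
    events.sort(key=lambda e: (e["user"], e["ts"]))

    recent = defaultdict(deque)  # user -> deque of (timestamp, path) inside window
    alerts = []
    for e in events:
        q = recent[e["user"]]
        q.append((e["ts"], e["path"]))
        # Drop entries that fell out of the sliding window.
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold:
            alerts.append({
                "user": e["user"],
                "host": e["host"],
                "first_seen": q[0][0],
                "last_seen": e["ts"],
                "distinct_files": len(distinct),
            })
            q.clear()
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_bulk_sensitive_reads(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a['user']}@{a['host']}: {a['distinct_files']} distinct "
              f"sensitive files between {a['first_seen']} and {a['last_seen']}")
```

On the sample data alice's two reads an hour apart never cross the threshold, bob's reads from the public share are ignored, and his duplicate read of the same spreadsheet is counted once, so exactly one alert is raised for the HR burst. In practice the threshold and window should be tuned per share against a baseline of normal activity, since backup jobs and search indexers will otherwise produce the same pattern.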

These measures help to prevent unauthorized collection and protect sensitive data from being gathered by attackers.

For more details, visit the MITRE ATT&CK Collection page.
