🕵️‍♂️ MITRE ATT&CK: Tactic TA0009 – Collection: The Art of Gathering What Matters

  • Writer: bharat kumar
  • Oct 27
  • 2 min read

In the cyber world, attackers do not just go after the money; they collect whatever data they can. Once inside a network, their mission shifts from intrusion to information harvesting — capturing sensitive data, files, credentials, screenshots, or even keystrokes that could unlock more secrets.

The Collection (TA0009) tactic in the MITRE ATT&CK framework covers all the techniques adversaries use to gather data before exfiltrating it out of the environment.

🔍 Common Techniques Under TA0009

Here are the key techniques attackers use to scoop up valuable intel:

  1. Clipboard Data (T1115) 🧾 Attackers access clipboard content to steal copied passwords, credit card details, or confidential text. Example: Malware hooks into clipboard monitoring APIs to capture data before users paste it.

  2. Data from Local System (T1005) 💻 Collecting files directly from infected systems—documents, spreadsheets, credentials, and more. Example: Attackers script searches for “confidential,” “passwords,” or “finance” keywords.

  3. Data from Network Shared Drive (T1039) 🌐 Adversaries hunt shared drives for sensitive corporate data, backup files, or blueprints.

  4. Data from Cloud Storage (T1530) ☁️ They target data stored in services like Google Drive, OneDrive, or AWS S3 using compromised credentials or tokens.

  5. Input Capture (T1056) ⌨️ Keylogging, screen capturing, or even camera activation to record user activity. Example: A trojan silently records keystrokes and sends them to a remote server.

  6. Screen Capture (T1113) 🖼️ Capturing screenshots helps attackers see what users see — including financial dashboards or system controls.

  7. Audio Capture (T1123) 🎙️ Spying tools can activate microphones to eavesdrop on meetings or conversations.

  8. Video Capture (T1125) 📹 Attackers can use compromised webcams to monitor environments in real time.

  9. Automated Collection (T1119) 🤖 Automated scripts or tools that continuously collect new data as it appears on the system.

  10. Data Staged (T1074) 🧰 Before exfiltration, attackers gather and compress data into one place, ready for transfer.

💣 Real-World Example

A recent ransomware campaign was discovered where attackers didn’t encrypt files immediately. Instead, they spent weeks collecting data from shared drives, cloud folders, and employee desktops — ensuring they had maximum leverage before launching encryption and ransom demands.

This double-extortion method made it impossible for victims to hide the breach.

🛡️ Recommendations – How to Defend Against Data Collection

Implement Least Privilege: Limit user and system access to only the data needed.

Monitor File Access Patterns: Use SIEM tools to detect unusual data access or file copying activity.

Disable Unused Peripheral Access: Block unauthorized microphone, camera, and USB access.

Encrypt Sensitive Data: Even if attackers collect files, encryption makes them unreadable.

Cloud Security Posture Management: Regularly audit access to cloud drives and storage buckets.

Behavioral Monitoring: Look for abnormal clipboard, screenshot, or keylogging activity.

Regular Awareness Training: Employees should recognize phishing, social engineering, and unauthorized tool installations.
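As an added illustration of the file-access and behavioral monitoring recommendations above (example code written for this page, not from the original post or the ATT&CK project), the following Python detector runs over constructed audit records and flags a burst of distinct reads from a network share followed shortly by an archive write, the collection-then-staging pattern described under T1039, T1119 and T1074. The record format, the five-minute window and the 25-file threshold are assumptions to be tuned against a real environment's baseline.

```python
"""Toy detector for bulk share collection and staging (T1039/T1119/T1074).

Consumes simplified file-access audit records (constructed here, not real
telemetry) and flags a user who reads many distinct files from a UNC share
within a short window, then flags an archive written right after that burst.
Window, threshold and record format are assumptions, not a vendor schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, user, action, path).
SAMPLE_LOG = (
    [(f"2024-05-01T09:00:{i:02d}", "alice", "READ", f"\\\\fs01\\finance\\q{i}.xlsx")
     for i in range(30)]
    + [("2024-05-01T09:01:10", "alice", "WRITE", "C:\\Users\\alice\\AppData\\Local\\Temp\\fin.7z")]
    + [("2024-05-01T09:05:00", "bob", "READ", "\\\\fs01\\hr\\policy.docx"),
       ("2024-05-01T10:30:00", "bob", "READ", "\\\\fs01\\hr\\handbook.pdf")]
)

WINDOW = timedelta(minutes=5)   # assumed burst window
BURST_THRESHOLD = 25            # assumed: distinct share files read per window
ARCHIVE_EXT = (".zip", ".7z", ".rar", ".tar", ".gz")

def parse(records):
    """Turn (ts, user, action, path) tuples into dicts with datetime stamps."""
    return [{"ts": datetime.fromisoformat(ts), "user": u, "action": a, "path": p}
            for ts, u, a, p in records]

def detect_collection(records):
    """Return (user, reason, detail) alerts for share-read bursts and staging."""
    by_user = defaultdict(list)
    for e in sorted(parse(records), key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        burst_end = None  # time the read burst crossed the threshold, if any
        for i, e in enumerate(evs):
            if e["action"] == "READ" and e["path"].startswith("\\\\"):
                # distinct UNC files this user read within WINDOW ending at e
                recent = {x["path"] for x in evs[:i + 1]
                          if x["action"] == "READ" and x["path"].startswith("\\\\")
                          and e["ts"] - x["ts"] <= WINDOW}
                if len(recent) >= BURST_THRESHOLD and burst_end is None:
                    alerts.append((user, "T1039/T1119 bulk share read", len(recent)))
                    burst_end = e["ts"]
            elif (e["action"] == "WRITE" and e["path"].lower().endswith(ARCHIVE_EXT)
                  and burst_end is not None and e["ts"] - burst_end <= WINDOW):
                alerts.append((user, "T1074 archive written after burst", e["path"]))
    return alerts

if __name__ == "__main__":
    for alert in detect_collection(SAMPLE_LOG):
        print(alert)
```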

⚔️ Final Thought

Collection is a quiet but critical stage of an attack — it’s where data turns into power. Organizations that can detect early data gathering can stop breaches before the real damage begins.

🔐 Stay alert. Watch what’s being collected — before your data walks out the door.

Created by and owned by cybersergeants.org