APT29 Evaluation Results, Elastic: Tactic Results for Collection (TA0009)

Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation; these are not endorsed or validated by MITRE.

Legend

Main Detection Categories:
- None
- Telemetry
- Indicator of Compromise
- General Behavior
- MSSP
- General
- Tactic
- Specific Behavior
- Technique
- Enrichment

Detection Modifiers:
- Tainted
- Alert
- Correlated
- Delayed
- Host Interrogation
- Residual Artifact
- Configuration Change
- Innovative Technique
| Technique | Procedure | Criteria | Step | Detection Type | Detection Notes |
|---|---|---|---|---|---|
| Data from Local System (T1005) | Recursively collected files found in C:\Users\Pam\ using PowerShell | powershell.exe reading files in C:\Users\Pam\ | 2.A.3 | Telemetry (Correlated) | Telemetry showed file reads of C:\Users\Pam\*. The event was correlated to a parent General detection for malicious file execution. [1] |
| Data from Local System (T1005) | Read data in the user's Downloads directory using PowerShell | powershell.exe reading files in C:\Users\pam\Downloads\ | 7.B.1 | None | No detection capability demonstrated for this procedure. |
| Data from Local System (T1005) | Recursively collected files found in C:\Users\Pam\ using PowerShell | powershell.exe reading files in C:\Users\Pam\ | 9.B.4 | Telemetry (Correlated) | Telemetry showed file reads of C:\Users\Pam\*. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1] |
| Data from Local System (T1005) | Read and collected a local file using PowerShell | powershell.exe reading the file MITRE-ATTACK-EVALS.HTML | 17.B.1 | None | No detection capability demonstrated for this procedure. |
| Input Capture (T1056) | Captured user keystrokes using the GetAsyncKeyState API | powershell.exe executing the GetAsyncKeyState API | 7.A.3 | Technique (Correlated, Alert) | A Technique alert detection for "ATT&CK T1056 Input Capture" (low severity) was generated for powershell.exe calling the NtUserGetAsyncKeyState API. The event was correlated to a parent General detection for malicious file execution. [1] |
| Input Capture (T1056) | Captured user keystrokes using the GetAsyncKeyState API | powershell.exe executing the GetAsyncKeyState API | 7.A.3 | Telemetry (Correlated) | Telemetry showed powershell.exe calling the NtUserGetAsyncKeyState API. The event was correlated to a parent General detection for malicious file execution. [1] |
| Clipboard Data (T1115) | Captured clipboard contents using PowerShell | powershell.exe executing Get-Clipboard | 7.A.2 | Technique (Correlated, Alert) | A Technique alert detection (low severity) for "ATT&CK T1115 Clipboard Data" was generated for powershell.exe calling the NtUserGetClipboardData API. The event was correlated to a parent General detection for malicious file execution. [1] |
| Clipboard Data (T1115) | Captured clipboard contents using PowerShell | powershell.exe executing Get-Clipboard | 7.A.2 | Telemetry (Correlated) | Telemetry showed powershell.exe calling the NtUserGetClipboardData API. The detection was correlated to a parent alert for malicious file execution. [1] |
| Email Collection (T1114) | Dumped messages from the local Outlook inbox using PowerShell | outlook.exe spawning from svchost.exe or powershell.exe | 17.A.1 | Telemetry (Correlated) | Telemetry showed outlook.exe spawning from svchost.exe, which is indicative of programmatic access to Outlook emails. The detection was correlated to a parent alert for the "First Seen Process in an Environment". [1] [2] [3] |
| Data Staged (T1074) | Staged files for exfiltration into ZIP (Draft.zip) using PowerShell | powershell.exe creating the file draft.zip | 2.A.5 | Technique (Configuration Change (Detections), Correlated) | A Technique detection for "Data Staged" was generated due to the NtCreateFile API being used to create Draft.zip. The event was correlated to a parent General detection for malicious file execution. [1] |
| Data Staged (T1074) | Staged files for exfiltration into ZIP (Draft.zip) using PowerShell | powershell.exe creating the file draft.zip | 2.A.5 | Telemetry (Correlated) | Telemetry showed file creation of Draft.zip. The event was correlated to a parent General detection for malicious file execution. [1] |
| Data Staged (T1074) | Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell | powershell.exe creating the file working.zip | 9.B.5 | Telemetry (Correlated) | Telemetry showed a File Created event for powershell.exe creating working.zip. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1] |
| Data Staged (T1074) | Staged collected file into directory using PowerShell | powershell.exe creating the file \WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML | 17.B.2 | Telemetry (Correlated) | Telemetry showed the file creation event for MITRE-ATTACK-EVALS.HTML. The event was correlated to a parent General detection for a suspicious Windows script. [1] |
| Automated Collection (T1119) | Scripted search of filesystem for document and media files using PowerShell | powershell.exe executing (Get-)ChildItem | 2.A.2 | Telemetry (Correlated) | Telemetry showed powershell.exe executing ChildItem. The event was correlated to a parent General detection for malicious file execution. [1] |
| Automated Collection (T1119) | Scripted search of filesystem for document and media files using PowerShell | powershell.exe executing (Get-)ChildItem | 9.B.3 | Telemetry (Correlated) | Telemetry showed powershell.exe executing ChildItem. This event was correlated to a General detection for the execution of a malicious file (python.exe). [1] |
| Screen Capture (T1113) | Captured and saved screenshots using PowerShell | powershell.exe executing the CopyFromScreen function from System.Drawing.dll | 7.A.1 | Technique (Configuration Change (Detections), Correlated, Alert) | A Technique alert detection (low severity) for "Screen Capture" was generated for powershell.exe calling the NtGdiCreateCompatibleBitmap API. The event was correlated to a parent General detection for malicious file execution. [1] |
| Screen Capture (T1113) | Captured and saved screenshots using PowerShell | powershell.exe executing the CopyFromScreen function from System.Drawing.dll | 7.A.1 | Telemetry (Correlated) | Telemetry showed powershell.exe executing CopyFromScreen from System.Drawing.dll. The event was correlated to a parent General detection for malicious file execution. [1] |