Objective:

Gather data of interest for exfiltration or operational use. Collection consists of techniques adversaries may use to gather information. Frequently, the next goal after collecting data is to either steal (exfiltrate) the data or to use the data to gain more information about the target environment. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.


Linux Context:

  • Collection targets sensitive files and directories such as /etc/passwd, /var/www/html, or application configs, read with cat, find, or grep. Attackers compress the data with tar -czf or zip for efficient transfer, while memory dumps via LiME or /proc/kcore capture volatile secrets. Databases (e.g., dumped with MySQL’s mysqldump) are prime targets, as are cloud storage mounts (e.g., S3 buckets). In containerized environments, attackers scrape mounted secrets from /var/run/secrets/.


Key Techniques:

  • Archive Collected Data (T1560): Creating tarballs for exfiltration.

  • Data from Local System (T1005): Copying config files.

  • Data from Information Repositories (T1213): Dumping Git repos.


Linux Example:

  • Running tar -czf secrets.tar.gz /etc/* or mysqldump -u root db > dump.sql.


Defender Strategies:

  • Monitor reads of sensitive paths with EDR or inotify, encrypt sensitive data at rest, and restrict who can run database exports. Use DLP to detect archiving of sensitive data before it is exfiltrated.
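As an added example (not part of the original page), the following Python maps process-execution events to the three techniques listed above, so a defender can turn "monitor file access" and "detect archiving" into concrete rules. The command lines are constructed stand-ins for what an EDR or auditd EXECVE record would supply, and the path and tool lists are assumptions drawn from this page's examples.

```python
"""Tag process-execution events with the Collection techniques this page lists
(T1560 archiving, T1005 local files, T1213 repository dumps)."""
import re
import shlex

# Paths the page names as common Linux collection targets (prefix match).
SENSITIVE = ("/etc/", "/var/www/html", "/var/run/secrets/", "/proc/kcore")
READERS = {"cat", "grep", "find", "cp", "less", "head", "strings"}
DUMPERS = {"mysqldump", "pg_dump", "mongodump"}
# tar matters only in create mode: -czf, czf (old style), -c, --create.
TAR_CREATE = re.compile(r"-?[a-zA-Z]*c[a-zA-Z]*")

def tar_creates(args):
    """True when a tar argument vector asks for archive creation."""
    return ("--create" in args
            or (bool(args) and TAR_CREATE.fullmatch(args[0]) is not None)
            or any(a.startswith("-") and TAR_CREATE.fullmatch(a) for a in args))

def classify(cmdline):
    """Return the sorted technique IDs one command line suggests ([] if none)."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: treat as noise rather than crash
        return []
    if not argv:
        return []
    prog, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    sensitive = any(a.startswith(SENSITIVE) for a in args)
    hits = set()
    if prog == "zip" or (prog == "tar" and tar_creates(args)):
        hits.add("T1560")  # Archive Collected Data
    if prog in DUMPERS:
        hits.add("T1213")  # Data from Information Repositories
    if sensitive and (prog in READERS or "T1560" in hits):
        hits.add("T1005")  # Data from Local System
    return sorted(hits)

def scan(events):
    """Return [(cmdline, techniques)] for every event matching at least one rule."""
    return [(e, t) for e in events if (t := classify(e))]

# Constructed sample events (EDR/auditd stand-ins), modelled on the page's examples.
SAMPLE_EVENTS = [
    "tar -czf secrets.tar.gz /etc/passwd /etc/shadow",
    "mysqldump -u root db > dump.sql",
    "cat /var/run/secrets/kubernetes.io/serviceaccount/token",
    "tar -xzf backup.tar.gz",  # extraction, not collection: no hit
    "ls -la /home",
]
```

Extraction (tar -x) and ordinary listing produce no hit, so the rules flag archive creation, repository dumps, and reads of the named paths rather than every tar invocation.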