The adversary is trying to gather data of interest to their goal.

Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.

Techniques: 17

ID Name Description
T1557 Adversary-in-the-Middle Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.
.001 LLMNR/NBT-NS Poisoning and SMB Relay By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.
.002 ARP Cache Poisoning Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation.
.003 DHCP Spoofing Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation.
T1560 Archive Collected Data An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
.001 Archive via Utility Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.
.002 Archive via Library An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including Python rarfile, libzip, and zlib. Most libraries include functionality to encrypt and/or compress data.
.003 Archive via Custom Method An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.
T1123 Audio Capture An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.
T1119 Automated Collection Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This functionality could also be built into remote access tools.
T1185 Browser Session Hijacking Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
T1115 Clipboard Data Adversaries may collect data stored in the clipboard from users copying information within or between applications.
T1530 Data from Cloud Storage Adversaries may access data from improperly secured cloud storage.
T1602 Data from Configuration Repository Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.
.001 SNMP (MIB Dump) Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).
.002 Network Device Configuration Dump Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.
T1213 Data from Information Repositories Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization.
.001 Confluence Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:
.002 Sharepoint Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:
.003 Code Repositories Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third-party sites such as GitHub, GitLab, SourceForge, and Bitbucket. Users typically interact with code repositories through a web application or command-line utilities such as git.
T1005 Data from Local System Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
T1039 Data from Network Shared Drive Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.
T1025 Data from Removable Media Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.
T1074 Data Staged Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.
.001 Local Data Staging Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.
.002 Remote Data Staging Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.
T1114 Email Collection Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
.001 Local Email Collection Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
.002 Remote Email Collection Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.
.003 Email Forwarding Rule Adversaries may set up email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim's organization to use as part of further exploits or operations. Furthermore, email forwarding rules can allow adversaries to maintain persistent access to a victim's emails even after compromised credentials are reset by administrators. Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or a command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.
T1056 Input Capture Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture).
.001 Keylogging Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.
.002 GUI Input Capture Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need more privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: Bypass User Account Control).
.003 Web Portal Capture Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
.004 Credential API Hooking Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials. Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
T1113 Screen Capture Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.
T1125 Video Capture An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.