# Data Collection: Explained
Once access is established and the attacker has escalated privileges, the next step is often data collection: locating, staging, and preparing valuable data for exfiltration or analysis. This is a high-value phase in which adversaries pursue the specific intelligence goals that motivated the campaign.
## Why Data Collection Matters
This stage transforms access into actionable intelligence.
- Intellectual property can be copied.
- Credentials and tokens can be reused.
- Secrets in memory or config files can provide deeper access.
- Archives or databases may contain the crown jewels.
## What Kind of Data Is Targeted?
| Category | Examples | MITRE ATT&CK IDs |
|---|---|---|
| Credentials | .git-credentials, secrets.xml, LSASS | T1555, T1003, T1552 |
| Documents | Contracts, R&D, strategy docs | T1005, T1119 |
| Financial Data | Invoices, payment records, banking files | T1005, T1213 |
| Configs/Secrets | API keys, SSH keys, .env files | T1552.001, T1552.004 |
| Behavioral Logs | Keystrokes, screen captures, clipboard | T1056, T1113, T1115 |
| Media | Video/audio/photos (esp. in espionage) | T1123, T1125 |
| Security Artifacts | AV logs, SIEM configs, firewall rules | T1083, T1518 |
## Collection Techniques
| Technique | Description |
|---|---|
| Memory scraping | Grabbing secrets from RAM or process memory |
| Directory traversal | Recursively searching home directories and shares |
| Keyword scanning | Looking for "password", "confidential", etc. |
| Registry scraping | For credential remnants or configuration info |
| Local staging | Archiving data (ZIP, RAR) before exfil |
| Clipboard/keylog monitoring | Capturing transient but sensitive user input |
## OPSEC & Noise Considerations
| Concern | Description |
|---|---|
| File Access Logs | Bulk reads can trigger DLP or AV logging |
| EDR Detection | Suspicious API calls (e.g., LSASS access) |
| Collection Loops | Repetitive access patterns suggest automation and risk triggering SIEM correlation rules |
| Staging Clues | Use of C:\Users\Public is often monitored |
## Tools & Frameworks
| Tool/Framework | Purpose |
|---|---|
| Mimikatz | Credentials from memory, DPAPI |
| SharpHound | AD recon, collects user/group data |
| WinRAR/7-Zip | Staging files for exfil |
| PowerView | File share enumeration and discovery |
| Seatbelt | Pulls system artifacts and secrets |
| Rclone | Automated sync to cloud exfil targets |
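The OPSEC table above lists the noise that collection produces; the summary below argues that defenders should monitor usage patterns rather than tool signatures. The following added example (not code from the original page) puts both ideas into a small behaviour-based detector: it flags one process reading many distinct files inside a short window (collection loops and directory traversal), archive creation in a commonly monitored staging directory such as C:\Users\Public, and handles opened to LSASS by processes outside an allowlist. The telemetry is constructed sample data in a simplified Sysmon-like shape; the field names, thresholds, and the LSASS allowlist are assumptions to be tuned per environment, not a real schema.

```python
"""Behaviour-based detection for the collection phase (added example, not from
the original page). Scores endpoint telemetry for the signals in the OPSEC
table: bulk file reads in a short window, archive creation in a staging
directory, and LSASS handles opened by unexpected processes. Event records are
constructed samples; field names are an assumed, simplified Sysmon-like shape."""
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable thresholds (assumed defaults; tune per environment).
BULK_READ_THRESHOLD = 50                 # distinct files read by one process ...
WINDOW = timedelta(seconds=60)           # ... within this sliding window
STAGING_DIRS = (r"c:\users\public", r"c:\programdata")
ARCHIVE_TOOLS = {"7z.exe", "winrar.exe", "rar.exe"}
ARCHIVE_EXTS = (".zip", ".rar", ".7z")
# Processes expected to touch LSASS (assumed allowlist, e.g. the AV engine).
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}


def _ev(ts, process, event, target, host="ws01"):
    """Build one constructed telemetry record."""
    return {"ts": ts.isoformat(), "host": host, "process": process,
            "event": event, "target": target}


def build_sample_events():
    """Constructed telemetry: some benign activity plus three collection signals."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    events = [
        # Benign: a user opens two documents, Explorer writes a text file to
        # Public, and the AV engine opens LSASS.
        _ev(t0, "winword.exe", "file_read", r"C:\Users\alice\Documents\Q2-plan.docx"),
        _ev(t0 + timedelta(minutes=1), "winword.exe", "file_read", r"C:\Users\alice\Documents\budget.xlsx"),
        _ev(t0 + timedelta(minutes=2), "explorer.exe", "file_create", r"C:\Users\Public\notes.txt"),
        _ev(t0 + timedelta(minutes=3), "MsMpEng.exe", "process_access", r"C:\Windows\System32\lsass.exe"),
    ]
    # Signal 1: one process reads 60 distinct files on a share within 60 seconds.
    t1 = t0 + timedelta(minutes=5)
    for i in range(60):
        events.append(_ev(t1 + timedelta(seconds=i), "powershell.exe", "file_read",
                          rf"\\fs01\finance\invoice-{i:03}.pdf"))
    # Signal 2: an archive tool writes into C:\Users\Public.
    events.append(_ev(t1 + timedelta(minutes=2), "7z.exe", "file_create", r"C:\Users\Public\backup.7z"))
    # Signal 3: an unrecognised binary opens a handle to LSASS. The name is
    # deliberately generic: the behaviour, not the tool, is what gets detected.
    events.append(_ev(t1 + timedelta(minutes=3), "svc_update.exe", "process_access",
                      r"C:\Windows\System32\lsass.exe"))
    return events


def detect_bulk_reads(events, threshold=BULK_READ_THRESHOLD, window=WINDOW):
    """Flag a process that reads >= threshold distinct files inside any sliding window."""
    per_proc = defaultdict(list)
    for e in events:
        if e["event"] == "file_read":
            per_proc[(e["host"], e["process"])].append((datetime.fromisoformat(e["ts"]), e["target"]))
    alerts = []
    for (host, proc), reads in per_proc.items():
        reads.sort()
        start = 0
        for end in range(len(reads)):
            while reads[end][0] - reads[start][0] > window:
                start += 1                      # slide the window forward
            distinct = {target for _, target in reads[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append({"rule": "bulk_file_reads", "host": host,
                               "process": proc, "count": len(distinct)})
                break                           # one alert per process is enough
    return alerts


def detect_staging(events):
    """Flag archive creation in a staging directory (by tool name or file extension)."""
    alerts = []
    for e in events:
        target = e["target"].lower()
        if (e["event"] == "file_create" and target.startswith(STAGING_DIRS)
                and (e["process"].lower() in ARCHIVE_TOOLS or target.endswith(ARCHIVE_EXTS))):
            alerts.append({"rule": "archive_in_staging_dir", "host": e["host"],
                           "process": e["process"], "path": e["target"]})
    return alerts


def detect_lsass_access(events, allowlist=LSASS_ALLOWLIST):
    """Flag process-access events against lsass.exe from processes not on the allowlist."""
    return [{"rule": "lsass_access_by_unexpected_process", "host": e["host"], "process": e["process"]}
            for e in events
            if e["event"] == "process_access"
            and e["target"].lower().endswith("\\lsass.exe")
            and e["process"].lower() not in allowlist]


def run_detections(events):
    """Run all three rules and return the combined alert list."""
    return detect_bulk_reads(events) + detect_staging(events) + detect_lsass_access(events)


if __name__ == "__main__":
    for alert in run_detections(build_sample_events()):
        print(alert)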
## Real-World Examples
| Incident | Data Targeted |
|---|---|
| SolarWinds Breach | Red Team reports, credentials |
| Equifax Breach | SSNs, PII from DBs |
| Conti Playbook Leaks | PowerShell scripts for ZIP staging |
## Summary
Data collection is the bridge between access and impact.
- It prepares for exfiltration, intelligence analysis, or future compromise.
- Defensive teams must monitor usage patterns, not just tool signatures.
If an attacker is reading your documentation, configs, and exports, you are in the collection phase. Your secrets are next.