Collection
Details
| Field | Value |
|---|---|
| ID | PT0010 |
| MITRE ATT&CK ID | TA0009 |
| Created | 2026-06-22 |
| Last Modified | 2026-06-22 |
| Contributors | slashsec |
Description
The adversary is trying to gather information or physical items of interest.
Collection consists of techniques for capturing data, documents, media, or assets relevant to the engagement objective. Examples include photography, copying materials, and removing items from secure areas when permitted by access gained in earlier phases.
Techniques
| ID | Name | Description |
|---|---|---|
| P0027 | Steal Hardware | Adversaries may remove physical computing or storage hardware from the target environment. Stolen hardware can contain data, credentials, or configuration information useful for follow-on access and analysis. |
| P0027.001 | Steal Endpoint Device | Adversaries may take laptops, desktops, tablets, or other endpoint devices from workspaces, labs, or unsecured areas. Endpoint theft can expose local storage, cached credentials, and peripheral tokens left with the device. |
| P0027.002 | Steal Removable Media | Adversaries may remove USB drives, external hard disks, backup tapes, or other portable storage found on site. Removable media may hold sensitive files, keys, or images copied from internal systems. |
| P0027.003 | Steal Server Hardware | Adversaries may remove servers, NAS appliances, or other rack-mounted or closet storage systems when physical access permits. Server hardware theft can provide drives, memory, and configuration labels tied to the target environment. |
| P0028 | Copy Information | Adversaries may duplicate information in place without removing the original materials. Copying preserves access to content while leaving source documents, displays, or boards apparently undisturbed. |
| P0028.001 | Photograph Information | Adversaries may capture images of documents, whiteboards, posted schedules, screen displays, or labels using phones or cameras. Photography allows quick collection without removing originals from the facility. |
| P0028.002 | Photocopy Documents | Adversaries may use copiers, scanners, or multifunction devices to duplicate paper records on site. Photocopying can produce full copies of binders, visitor logs, or internal memos while originals remain in place. |
| P0029 | Steal Information | Adversaries may remove physical documents, files, or other recorded information from the target environment. Stolen materials can include paper records, binders, mail, and other portable information carriers taken from offices or secure storage. |
| P0030 | Plant Surveillance Device | Adversaries may conceal listening devices, cameras, or other recorders in the target environment to capture audio or video after they leave. Implants can be placed in offices, meeting rooms, cabling paths, or furnishings to collect information without continuous on-site presence. |