The adversary is trying to gather data of interest to their goal.
Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.
| ID | Name | Description |
|---|---|---|
| T2060 | Adversary-in-the-Middle | Adversaries may position themselves between networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or replay attacks. By abusing features of common networking protocols, adversaries force a device to communicate through an adversary-controlled system to collect information or perform additional actions. |
| T2063 | Archive Collected Data | An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. |
| T2061 | Audio Capture | Adversaries can leverage a vehicle's built-in peripheral devices and applications to capture audio recordings, eavesdropping on sensitive conversations to gather valuable information. These recordings could be used for various malicious purposes, including espionage or theft of sensitive information. |
| T2062 | Data from Local System | Adversaries may search local system sources, such as file systems, configuration files, or local databases, to find files of interest and sensitive data prior to Exfiltration. |
| T2064 | Data Staged | Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location. |
| T2058 | Personal Information Collection | Adversaries may target personal information held by vehicle systems to gather sensitive personal data. Modern vehicles, equipped with advanced technology, store and transmit a wealth of personal information, ranging from driver's license details to personal identification numbers. The primary motive behind this technique is often to leverage collected data for ransom or to facilitate data leaks, exploiting the rich trove of personal information that vehicles now hold. |
| T2059 | Vehicle Telemetry Collection | Adversaries may target the telematics systems within modern vehicles to collect a vast array of data. These systems, designed for navigation, safety, and entertainment, also generate and store detailed telemetry information. This information, which can include location data, vehicle usage patterns, and even driver behavior, is extremely valuable to adversaries. By tapping into these systems, adversaries can gain insights into the movements and habits of individuals or organizations, potentially leading to further exploitation or surveillance activities. |