MITRE ATT&CK® Tactic

TA0009: Collection

The adversary is trying to gather data of interest to their goal.

Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to either steal (exfiltrate) the data or to use the data to gain more information about the target environment. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.

Domain: Enterprise | ID: TA0009 | Type: Tactic | Object version 1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Collection is the point in an intrusion where an adversary gathers data that matters to their objective before using it or attempting to steal it. For leaders, this tactic matters because it is often where business-sensitive information, credentials, communications, screenshots, keystrokes, browser data, email, audio, video, or file content may become exposed inside the environment before an exfiltration event is confirmed.

Executive priority

Treat Collection as a business-impact warning point, not just a technical phase. Security leaders should ask whether the organization can identify unusual access to high-value data sources, preserve evidence for incident response, and demonstrate to auditors that sensitive information repositories are monitored and governed. Because the ATT&CK object does not specify platforms or detections, priority should be driven by local data criticality, regulatory obligations, and where collection of email, drives, browser data, screenshots, keyboard input, audio, or video would create the greatest operational or compliance risk.

Technical view

SOC, detection engineering, and IR teams should map this tactic to local data sources and ATT&CK techniques under Collection rather than relying on this tactic object alone. Validate whether telemetry exists for access to files, browsers, email stores, user input capture indicators, screen capture activity, and media devices where applicable. Since no official detection guidance or relationship context is supplied, detection logic should be built from specific Collection techniques and local baselines for normal user, administrative, and application behavior.

Likely telemetry

  • File and drive access logs for repositories containing sensitive or mission-critical data
  • Email access and mailbox activity logs
  • Browser-related artifacts and access records where collected by endpoint or enterprise tooling
  • Endpoint process, command, and application activity related to screenshots or user input capture
  • Signals related to audio, video, camera, or microphone access where relevant and legally permissible

Detection direction

  • Start with business-defined sensitive data locations and validate that access, copying, and aggregation are visible to the SOC.
  • Build detections from specific ATT&CK Collection techniques, because this tactic-level object has no official detection text and no supplied platform scope.
  • Tune for context: legitimate backup, eDiscovery, administrative support, accessibility tools, collaboration software, and user productivity workflows can resemble collection behavior.
  • Look for combinations of signals, such as unusual data-source access plus staging or input/screen capture activity, rather than single weak indicators.
  • Confirm incident responders can quickly answer what was accessed, by whom, from where, and whether the data was later used or exfiltrated.
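To make the "combinations of signals" point concrete, here is an added correlation example (not Glexia's or MITRE's code). It assumes a normalized per-user event stream with the constructed event types sensitive_file_access, archive_create, screen_capture and input_capture; the field names, the 15-minute window, the two-access threshold and the svc-backup allowlist entry are all assumptions chosen for illustration, not values from any product or from the page. A user is flagged only when repeated access to business-defined sensitive locations is followed, inside the window, by a staging or capture signal; a lone screenshot or a lone sensitive read is deliberately not an alert.

```python
"""Correlate weak Collection signals per user inside a time window.

Added example; the event schema and sample data below are constructed and
do not represent any vendor's log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)            # assumed correlation window
MIN_SENSITIVE = 2                         # assumed threshold for "repeated" access
PRIMARY_SIGNAL = "sensitive_file_access"  # access to a business-defined sensitive location
SECONDARY_SIGNALS = {"archive_create", "screen_capture", "input_capture"}
# Tuned-out context: sanctioned bulk readers such as backup or eDiscovery accounts.
EXCLUDED_ACCOUNTS = frozenset({"svc-backup"})

# Constructed sample telemetry (already normalized; "type" is the signal category).
SAMPLE_EVENTS = [
    # alice: two sensitive reads, then an archive and a screenshot within 15 min -> alert
    {"ts": "2024-05-01T09:02:00", "user": "alice", "type": "sensitive_file_access",
     "detail": r"\\fs01\finance\q2_forecast.xlsx"},
    {"ts": "2024-05-01T09:03:30", "user": "alice", "type": "sensitive_file_access",
     "detail": r"\\fs01\finance\payroll.csv"},
    {"ts": "2024-05-01T09:05:10", "user": "alice", "type": "archive_create",
     "detail": "staging.zip"},
    {"ts": "2024-05-01T09:06:00", "user": "alice", "type": "screen_capture",
     "detail": "screenshot API call"},
    # bob: a non-sensitive read plus one screenshot -> single weak signal, no alert
    {"ts": "2024-05-01T11:00:00", "user": "bob", "type": "file_access",
     "detail": r"\\fs01\hr\handbook.pdf"},
    {"ts": "2024-05-01T11:01:00", "user": "bob", "type": "screen_capture",
     "detail": "screenshot API call"},
    # carol: two sensitive reads, but the archive comes hours later -> outside window
    {"ts": "2024-05-01T14:00:00", "user": "carol", "type": "sensitive_file_access",
     "detail": r"\\fs01\legal\contracts\msa.docx"},
    {"ts": "2024-05-01T14:02:00", "user": "carol", "type": "sensitive_file_access",
     "detail": r"\\fs01\legal\contracts\nda.docx"},
    {"ts": "2024-05-01T16:30:00", "user": "carol", "type": "archive_create",
     "detail": "contracts.zip"},
    # svc-backup: looks exactly like collection, but is an allowlisted sanctioned reader
    {"ts": "2024-05-01T02:00:00", "user": "svc-backup", "type": "sensitive_file_access",
     "detail": r"\\fs01\finance\payroll.csv"},
    {"ts": "2024-05-01T02:00:05", "user": "svc-backup", "type": "sensitive_file_access",
     "detail": r"\\fs01\finance\q2_forecast.xlsx"},
    {"ts": "2024-05-01T02:01:00", "user": "svc-backup", "type": "archive_create",
     "detail": "nightly.tar"},
]


def correlate(events, window=WINDOW, min_sensitive=MIN_SENSITIVE,
              excluded=EXCLUDED_ACCOUNTS):
    """Return one alert per user per window in which repeated sensitive access
    co-occurs with at least one staging or capture signal."""
    by_user = defaultdict(list)
    for event in events:
        if event["user"] in excluded:
            continue
        by_user[event["user"]].append((datetime.fromisoformat(event["ts"]), event))

    alerts = []
    for user, items in by_user.items():
        items.sort(key=lambda pair: pair[0])
        i = 0
        while i < len(items):
            start, first = items[i]
            # A window only opens on a sensitive access; capture alone never alerts.
            if first["type"] != PRIMARY_SIGNAL:
                i += 1
                continue
            in_window = [e for t, e in items[i:] if t <= start + window]
            sensitive = [e for e in in_window if e["type"] == PRIMARY_SIGNAL]
            secondary = sorted({e["type"] for e in in_window if e["type"] in SECONDARY_SIGNALS})
            if len(sensitive) >= min_sensitive and secondary:
                alerts.append({
                    "user": user,
                    "window_start": start.isoformat(),
                    "sensitive_access_count": len(sensitive),
                    "sensitive_paths": [e["detail"] for e in sensitive],
                    "secondary_signals": secondary,
                })
                i += len(in_window)  # do not re-alert on the same cluster
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The output answers the responder's first questions (who, when, which locations, which follow-on activity) directly from the alert record, which is the scoping the last bullet above asks for. In a real deployment the sensitive-location classification and the allowlist come from the data governance work named under Mitigation priorities, not from the detection code.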

Mitigation priorities

  • Prioritize data governance: identify high-value information sources and apply least-privilege access controls.
  • Ensure logging and retention are sufficient for sensitive file stores, email, browser-related data sources, and endpoint activity relevant to collection behaviors.
  • Use identity and access management reviews to reduce unnecessary access to information an adversary would want to gather.
  • Harden endpoints and enterprise applications against unauthorized access to screenshots, keyboard input, audio, video, and email where controls are available.
  • Exercise incident response playbooks for suspected data collection so teams can scope exposure before confirmed exfiltration.

Analyst notes and limits

This is a tactic-level ATT&CK object, so it describes adversary intent rather than one concrete procedure. The most useful defensive work is to connect TA0009 to the organization’s critical data map and then validate telemetry and controls against the specific Collection techniques relevant to that environment.

No official detection guidance, platforms, tactics list, aliases, labels, or relationship context were supplied. This take therefore avoids platform-specific claims and does not assert active exploitation, attribution, or guaranteed detection coverage. Local environment evidence is required to determine actual exposure and monitoring maturity.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 8f439a9cc1968a0d...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.1            |          | Current bundle | 8f439a9cc196…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack TA0009 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.