MITRE ATT&CK® Tactic

TA0035: Collection

The adversary is trying to gather data of interest to their goal.

Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.

Domain: Mobile | ID: TA0035 | Type: Tactic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Collection is the point in an intrusion where an adversary gathers data that may later be exfiltrated. For leaders, this matters because the business impact often depends less on initial access and more on what sensitive information the adversary can find before removal. In the mobile ATT&CK domain, the supplied object does not specify platforms or techniques, so teams should treat it as a planning category for validating whether sensitive data locations, access controls, and monitoring are sufficient to prove what was or was not gathered during an incident.

Executive priority

Prioritize Collection as a data-risk and incident-readiness question: do you know where sensitive information resides, who or what can access it, and what evidence would show attempted gathering before exfiltration? This supports business continuity, breach assessment, regulatory evidence, and executive decision-making during response. Because this object has no supplied detection guidance or relationships, coverage decisions should be based on local data classification, mobile security architecture, and logging realities rather than assumptions from ATT&CK alone.

Technical view

For SOC, detection engineering, and IR teams, use this tactic as a validation checkpoint across the mobile ATT&CK domain: confirm which data stores and application locations contain information of interest, what access events are logged, and how analysts would distinguish normal user or application access from suspicious aggregation or staging behavior. Since the object provides no specific platforms, techniques, or detection text, avoid writing generic detections from this tactic alone; map local controls and telemetry to the specific Collection techniques relevant to the environment when available.

Likely telemetry

  • Access logs for sensitive files, application data stores, or managed content repositories where available
  • Mobile device management or enterprise mobility management audit events where deployed
  • Application audit logs showing reads, exports, or bulk access to protected data
  • Identity and access management logs for accounts accessing sensitive mobile-accessible resources
  • Data loss prevention or content protection alerts where configured

Detection direction

  • Validate whether the organization can observe access to sensitive data before exfiltration, not only the outbound transfer event.
  • Tune detections around abnormal volume, unusual timing, unexpected application context, or access to sensitive locations, using local baselines to reduce false positives.
  • Do not treat this tactic alone as a detection rule; it is a behavioral objective that requires technique-specific and environment-specific analytics.
  • Review blind spots where mobile-accessible data is stored in applications, synchronized repositories, or unmanaged locations without adequate audit logging.
  • During incidents, preserve evidence that can answer what data was accessed or gathered, even if exfiltration is not yet proven.
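As an added illustration (not part of the Glexia analysis or the ATT&CK object) of the "abnormal volume" and "unexpected application context" points above, the following Python triage runs over constructed application audit lines and a constructed per-account baseline; the log format, field names, window size and baseline values are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines (not real telemetry): time, account, app, action, data classification.
SAMPLE_LOG = """\
2024-05-01T09:00:10Z user=alice app=docs action=read class=confidential
2024-05-01T09:01:30Z user=alice app=docs action=read class=confidential
2024-05-01T09:02:00Z user=bob app=docs action=read class=public
2024-05-01T09:02:40Z user=bob app=docs action=read class=confidential
2024-05-01T09:03:05Z user=bob app=docs action=read class=confidential
2024-05-01T09:03:30Z user=bob app=docs action=read class=confidential
2024-05-01T09:03:55Z user=bob app=docs action=read class=confidential
2024-05-01T09:04:20Z user=bob app=docs action=read class=confidential
2024-05-01T09:04:45Z user=bob app=docs action=read class=confidential
2024-05-01T09:05:10Z user=bob app=docs action=read class=confidential
2024-05-01T09:06:00Z user=bob app=unknown-sync action=export class=confidential
"""
# Constructed per-account baseline (typical confidential reads per window, usual apps).
# In practice this comes from local history, which is the point the guidance above makes.
BASELINE = {"alice": {"reads": 3, "apps": {"docs"}}, "bob": {"reads": 2, "apps": {"docs"}}}
WINDOW = timedelta(minutes=10)
VOLUME_FACTOR = 3  # send for review when a window exceeds 3x the account's baseline

def parse(line):
    """Turn one 'ts key=value ...' audit line into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def triage(log_text):
    """Return (kind, account, detail) findings about confidential-data access worth review."""
    findings, by_user = [], defaultdict(list)
    for rec in map(parse, log_text.splitlines()):
        if rec["class"] == "confidential":
            by_user[rec["user"]].append(rec)
    for user, recs in by_user.items():
        base = BASELINE.get(user, {"reads": 1, "apps": set()})  # unknown account: strict default
        reads = [r["ts"] for r in recs if r["action"] == "read"]
        # Sliding window anchored at each read: peak number of reads within WINDOW of it.
        peak = max((sum(1 for t in reads if s <= t < s + WINDOW) for s in reads), default=0)
        if peak > base["reads"] * VOLUME_FACTOR:
            findings.append(("volume", user, peak))
        for r in recs:  # exports of confidential data from an app the account never uses
            if r["action"] == "export" and r["app"] not in base["apps"]:
                findings.append(("unexpected_app_export", user, r["app"]))
    return findings
```

The findings are triage leads for an analyst, not verdicts; the baseline and factor must be tuned to local data before anything like this is alerted on.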

Mitigation priorities

  • Start with data inventory and classification so defenders know what Collection would matter most to the business.
  • Limit access to sensitive information using least privilege and managed identity controls appropriate to the environment.
  • Ensure mobile-accessible repositories and applications produce audit logs sufficient for incident reconstruction.
  • Apply data protection and content control measures where sensitive information can be accessed from mobile workflows.
  • Test incident response playbooks for the question: what evidence proves whether sensitive data was gathered prior to exfiltration?

Analyst notes and limits

This is a tactic-level ATT&CK object, not a specific technique. It provides strategic context for adversary objectives but no relationship context, platform detail, or official detection guidance. Use it to structure coverage discussions and then pivot to applicable Collection techniques and local architecture for actionable engineering.

The supplied fields do not identify specific mobile platforms, procedures, mitigations, detections, or related techniques. No claims can be made about active exploitation, actor attribution, customer exposure, or guaranteed detection coverage from this object alone.

Official MITRE ATT&CK definition

Collection

The adversary is trying to gather data of interest to their goal.

Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 389a9d73f71312f0...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 389a9d73f713…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack TA0035 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.