Collection

The adversary is trying to gather data of interest to their goal.

Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.

Techniques

Techniques: 2
ID Name Description
VT0018 Input Capture Adversaries may use methods of capturing user input to obtain machine identities and credentials or collect information. During normal system usage, users often provide machine identities and credentials to various locations, such as system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service.
.001 Keylogging Adversaries may log user keystrokes to intercept credentials and password-protected machine identities as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.
VT0022 Man-in-the-Middle (MITM) A man in the middle (MITM) attack is a general term for when adversaries position themselves between a user and an application or a device for the purpose of eavesdropping or impersonation of legitimate communication.
.001 TLS Stripping An adversary who has managed to intercept a connection tries to decrypt the secure communication between a client and a server using SSL stripping. An SSL stripping attack downgrades an HTTPS connection to HTTP by intercepting the TLS authentication sent from the application to the user. The adversary sends an unencrypted version of the application's site to the user while maintaining the secured session with the application, acting as a "bridge" between them. (Citation: Imperva)
.002 DNS Hijacking The adversary is trying to perform a Man in the Middle (MITM) attack using Domain Name Server (DNS) hijacking. DNS hijacking, also referred to as DNS redirection, is when DNS queries are incorrectly resolved in order to unexpectedly redirect the client to an attacker-controlled server. To enable this attack, the adversary must compromise the target client or router or intercept DNS communication by using other Man in the Middle (MITM) techniques.
.003 DNS Spoofing/Cache Poisoning The adversary attempts to perform a Man in the Middle (MITM) attack using DNS spoofing. DNS spoofing, also known as DNS cache poisoning, involves altering the cached IP addresses of a DNS server to attacker-controlled ones. A cache is a hardware or software component that stores data so that future requests for that data can be served faster. In DNS servers, the cache is used to store previously translated names.
.004 HTTPS Spoofing An adversary who has intercepted a secure communication attempts to perform HTTPS spoofing to decrypt the traffic. In HTTPS spoofing, the adversary sends a rogue certificate to the victim's browser once the initial connection request to a secure site is made. It holds a digital thumbprint associated with the compromised application, which the browser verifies against an existing list of trusted sites. The adversary is then able to access any data entered by the victim before it is passed to the application.
.005 SSL Hijacking An adversary who has intercepted a secure communication attempts to perform Session Hijacking, also known as SSL or TLS hijacking, to decrypt the traffic. Session hijacking is a method of taking over a web user's session by surreptitiously obtaining the session ID and masquerading as the authorized user. Once the user's session ID has been obtained, the adversary can masquerade as the user and perform anything the user is authorized to do on the network.

Attachments

ID
VTA0009
MITRE ID

Created: 26 November 2020

Last Modified: 26 November 2020