Collection Modules
Scott Sutherland edited this page Mar 21, 2022
Collection modules are used to query data from target systems. Each module typically targets a single data source. Most of the default modules that can parse file paths also capture an MD5 hash of the file, the file owner, and the PE file's security (signature) details, along with the information relevant to the data source.
All collection modules are automatically loaded from the windows\modules\collection folder and run against the established PowerShell Remoting sessions. You can add your own modules to that folder and they will be run automatically.
Below is a summary of the currently supported collection modules.
Module Name | MITRE ATT&CK ID | Module Description | Collection Method |
---|---|---|---|
collect-tasks | T1053.002 | Collects Windows scheduled task information. | `Get-ScheduledTask` |
collect-services | T1569.002 | Collects Windows service information. | `Get-WmiObject -Class win32_service` |
collect-wmi-providers | T1047 | Collects WMI provider information. | `Get-WmiObject -Class __Win32Provider` |
collect-wmi-subscriptions | T1546.003 | Collects WMI subscription information. | |
collect-startup-user-folders | T1547.001 | Collects information from user startup folders. | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\`, `C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\` |
collect-startup-registry-run | T1547.001 | Collects information from registry Run keys. | `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\`, `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\`, `HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\`, `HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\` |
collect-installed-software | T1505 | Collects installed software information. | `Get-Software` |
collect-named-pipes | T1570 | Collects information from named pipes. | `Get-ChildItem \\.\pipe\` |
collect-events-4732 | T1136.001 | Collects security event 4732 (a member was added to a security-enabled local group). | `Get-WinEvent -FilterHashtable @{logname="security"; id="4732"}` |
collect-events-1102 | T1070.001 | Collects security event 1102 (the audit log was cleared). | `Get-WinEvent -FilterHashtable @{logname="security"; id="1102"}` |
collect-process | T1057 | Collects the list of running processes. | `Get-WMIObject Win32_Process` |
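As an added illustration (not code from the project) of what a collection module does, the PowerShell script below is modelled on collect-startup-registry-run: it enumerates the four Run/RunOnce keys from the table, resolves each value to an executable, and captures the MD5 hash, file owner and Authenticode signature details described above. The module interface (a standalone .ps1 that emits one object per finding and is executed through Invoke-Command on the established sessions) is an assumption, since this page does not document it.

```powershell
# Added example (not from the project): a collection module modelled on collect-startup-registry-run.
# Assumed interface (not stated on the page): standalone .ps1 run via Invoke-Command over an existing PSSession, one object per value.
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

# Extract the executable from a Run value such as: "C:\Tools\agent.exe" -silent
function Get-ExecutablePath {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

# Enrich a path with the details the page says modules capture: MD5, owner, PE signature.
function Get-FileDetail {
    param([string]$Path)
    $p = [Environment]::ExpandEnvironmentVariables($Path)
    $d = [ordered]@{ FilePath=$p; FileExists=$false; Md5=$null; Owner=$null; SigStatus=$null; Signer=$null }
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -LiteralPath $p
        $d.FileExists = $true
        $d.Md5 = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash; $d.Owner = (Get-Acl -LiteralPath $p).Owner
        $d.SigStatus  = [string]$sig.Status
        if ($sig.SignerCertificate) { $d.Signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]$d
}

foreach ($key in $RunKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    # Skip the provider bookkeeping properties (PSPath, PSChildName, ...) that Get-ItemProperty adds.
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $cmd    = [string]$prop.Value
        $detail = Get-FileDetail -Path (Get-ExecutablePath -Command $cmd)
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            RegistryKey  = $key
            ValueName    = $prop.Name
            Command      = $cmd
            FilePath     = $detail.FilePath
            FileExists   = $detail.FileExists
            Md5          = $detail.Md5
            Owner        = $detail.Owner
            SigStatus    = $detail.SigStatus
            Signer       = $detail.Signer
        }
    }
}
```

Under PowerShell Remoting, HKCU is the hive of the account running the remote session, not that of interactively logged-on users, so per-user Run keys for other accounts have to be read from HKEY_USERS by SID. Entries whose file no longer exists, or whose signature status is not Valid, are the rows worth reviewing first.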