-
Notifications
You must be signed in to change notification settings - Fork 10
Collection Modules
Scott Sutherland edited this page Mar 23, 2022
·
23 revisions
Collection modules are used query data from target systems. They typically target a single data source. Most of the default modules that can parse file paths will capture a md5 hash of the file, the file owner, and PE security file details along with the data source relevant information.
All collection modules are automatically loaded from the windows\modules\collection folder and ran against established PowerShell Remoting systems. You can add your own there and they will be run automatically.
By default, all collection modules will be run. To run a subset of the collection modules simply remove the modules you dont want to run.
Below is a summary of the currently supported collection modules.
| Module Name |
Mitre ATT&CK ID | Module Description |
Collection Method |
|---|---|---|---|
| collect-tasks | T1053.002 | Collect Windows scheduled task information. | Get-ScheduledTask |
| collect-services | T1569.002 | Collect Windows service information. | Get-WmiObject -Class win32_service |
| collect-wmi-providers | T1047 | Collect WMI provider information. | Get-WmiObject -Class __Win32Provider |
| collect-wmi-subscriptions | T1546.003 | Collect WMI subscription information. | Get-WmiObject -Namespace root/subscription |
| collect-startup-files-allusers | T1547.001 | Collect information from user startup folders. | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ C:\user[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup |
| collect-startup-registry-run | T1547.001 | Collect information from registry run keys. | HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ |
| collect-installed-software | T1505 | Collect installed software list. | Get-Software |
| collect-named-pipes | T1570 | Collect information from named pipes. | Get-ChildItem \.\pipe\ |
| collect-events-4732 | T1136.001 | Event 4732: Member added to security group. | Get-WinEvent -FilterHashtable @{logname="security"; id="4732"} |
| collect-events-1102 | T1070.001 | Event 1102: Audit log cleared. | Get-WinEvent -FilterHashtable @{logname="security"; id="1102"} |
| collect-process | T1057 | Collect list of running processes. | Get-WMIObject Win32_Process |
| collect-connections | T1571 | Collect connection and associated process information. | Get-NetTCPConnection Get-WMIObject Win32_Process |