Collection Modules
Scott Sutherland edited this page Mar 21, 2022
Collection modules query data from target systems. Each module typically targets a single data source. The currently supported collection modules are summarized below.
All collection modules are automatically loaded from the windows\modules\collection folder and run against the established PowerShell Remoting sessions. You can add your own modules to that folder and they will be run automatically alongside the built-in ones.
Module Name | Mitre ATT&CK ID | Module Description | Collection Method |
---|---|---|---|
collect-tasks | T1053.005 | Collects Windows scheduled task information. | `Get-ScheduledTask` |
collect-services | T1569.002 | Collects Windows service information. | `Get-WmiObject -Class win32_service` |
collect-wmi-providers | T1047 | Collects WMI provider information. | `Get-WmiObject -Class __Win32Provider` |
collect-wmi-subscriptions | T1546.003 | Collects WMI subscription information. | WMI subscriptions |
collect-startup-files-allusers | T1547.001 | Collects information from the all-users startup folder. | `$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\StartUp\` |
collect-startup-registry-run | T1547.001 | Collects information from the registry Run keys. | `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\` |
collect-installed-software | T1505 | Collects installed software information. | `Get-Software` |
collect-named-pipes | T1570 | Collects information about named pipes. | `Get-ChildItem \\.\pipe\` |
collect-events-4732 | T1136.001 | Collects information from 4732 events (member added to a security-enabled local group). | Security event ID 4732 |
collect-events-1102 | T1070.001 | Collects information from 1102 events (audit log cleared). | Security event ID 1102 |
collect-process | T1057 | Collects a list of running processes. | `Get-WMIObject Win32_Process` |
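The following is an added example of a custom collection module of the kind the page says you can drop into windows\modules\collection; it is not PowerHunt's own code and the project's collect-wmi-subscriptions module may be implemented differently. It covers the one data source in the table with no listed collection method, persistent WMI event subscriptions (T1546.003). The file name, the helper function, the output field names and the way the module is invoked over remoting are assumptions.

```powershell
# collect-wmi-subscriptions-example.ps1
# Added example, not PowerHunt's own module. Enumerates persistent WMI event
# subscriptions. A persistent subscription is three objects in root\subscription:
#   __EventFilter              - the WQL trigger
#   __EventConsumer (subclass) - the action (run a command, run script text, ...)
#   __FilterToConsumerBinding  - joins one filter to one consumer
# Output field names and the Module/MitreAttack tags are my choices (assumed).

function Get-WmiRefName {
    # Binding properties hold object references such as
    #   __EventFilter.Name="SCM Event Log Filter"
    # Extract the Name value so the filter and consumer can be looked up.
    param([string]$Ref)
    if ($Ref -match 'Name="([^"]*)"') { return $Matches[1] }
    return $Ref
}

$ns        = 'root\subscription'
$filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter -ErrorAction SilentlyContinue)
$consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer -ErrorAction SilentlyContinue)
$bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue)

foreach ($b in $bindings) {
    $filterName   = Get-WmiRefName $b.Filter
    $consumerName = Get-WmiRefName $b.Consumer
    $filter   = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
    $consumer = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1

    # What the consumer does depends on its class: CommandLineEventConsumer runs
    # CommandLineTemplate, ActiveScriptEventConsumer runs ScriptText, and other
    # classes (e.g. NTEventLogEventConsumer) carry neither.
    $query   = $null
    $class   = $null
    $payload = $null
    if ($filter)   { $query = $filter.Query }
    if ($consumer) {
        $class = $consumer.__CLASS
        if ($consumer.CommandLineTemplate) { $payload = $consumer.CommandLineTemplate }
        elseif ($consumer.ScriptText)      { $payload = $consumer.ScriptText }
    }

    # One object per binding. When run through Invoke-Command these are
    # serialized back to the caller like any other module output.
    [PSCustomObject]@{
        ComputerName    = $env:COMPUTERNAME
        Module          = 'collect-wmi-subscriptions-example'
        MitreAttack     = 'T1546.003'
        FilterName      = $filterName
        FilterQuery     = $query
        ConsumerName    = $consumerName
        ConsumerClass   = $class
        ConsumerPayload = $payload
    }
}
```

Run it locally with `.\collect-wmi-subscriptions-example.ps1`, or against existing sessions with `Invoke-Command -Session $sessions -FilePath .\collect-wmi-subscriptions-example.ps1` (an assumed invocation; the page does not state how the loader runs each file). Reading root\subscription normally requires local administrator rights on the target. Every Windows host carries a stock binding of `SCM Event Log Filter` to `SCM Event Log Consumer` (an NTEventLogEventConsumer), so treat that one as baseline; bindings whose ConsumerClass is CommandLineEventConsumer or ActiveScriptEventConsumer are the ones that warrant a look at ConsumerPayload.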