Skip to content

Collection Modules

Scott Sutherland edited this page Mar 21, 2022 · 23 revisions

Collection Modules

Collection modules are used query data from target systems. They typically target a single data source. Below is a summary of the currently supported collection modules.

Adding New Collection Modules

All collection modules are automatically loaded from the windows\modules\collection folder and ran against established PowerShell Remoting systems. You can add your own there and they will be run automatically.

Current Modules

Module
Name
Mitre ATT&CK ID Module
Description
Collection
Method
collect-tasks T1053.002 Collects Windows scheduled task information. Get-ScheduledTask
collect-services T1569.002 Collects Windows service information. Get-WmiObject -Class win32_service
collect-wmi-providers T1047 Collects WMI provider information. Get-WmiObject -Class __Win32Provider
collect-wmi-subscriptions T1546.003 WMI Subscriptions Collects WMI subscription information.
collect-startup-files-allusers T1547.001 Collect information from all users startup folders $env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\StartUp\
collect-startup-registry-run T1547.001 Collect information from registry run keys HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
collect-installed-software T1505 Installed Software Get-Software
collect-named-pipes T1570 Collect information from named pipes Get-ChildItem \.\pipe\
collect-events-4732 T1136.001 Event 4732 Collect information from 4732 events (member added to security-enabled local group)
collect-events-1102 T1070.001 Event 1102 Collect information from 1102 events (audit log cleared)
collect-process T1057 Collects list of running processes. Get-WMIObject Win32_Process