Collection
Techniques
| ID | Name | Description |
|---|---|---|
| EST000145 | Audio Capture | A Cyber Embedded Technique in which an adversary leverages a platform’s peripheral devices or applications to capture audio recordings for the purpose of listening in on sensitive conversations to gather information. Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later. On PIT systems, the majority of intra-platform and inter-platform communications rely on the interconnection system that enables those communications. Adversaries will seek to collect intelligence from this sub-system. |
| EST000146 | Automated Collection | A Cyber Embedded Technique in which an adversary exploits a platform's ability to automate the collection of certain data to provide to maintenance or OEMs for troubleshooting purposes. Adversaries will seek to live off the land and utilize the features of platforms to enable their data collection goals. This may involve making use of the various sensors on an aircraft, or maintenance logs. |
| EST000147 | Data from Local File System | A Cyber Embedded Technique in which an adversary searches the file system on a compromised embedded system to identify and extract files of interest. This involves using system utilities or custom tools to enumerate directories, identify files based on name, type, or content, and then copy those files to a staging area for later exfiltration. Due to hardware and bandwidth limitations in many embedded systems, adversaries typically focus on collecting specific configuration files, logs, or other data that provide valuable insights into the system's operation or security posture. The adversary may use knowledge of the device's file system structure and naming conventions to efficiently locate the desired files. Previously named: Data from Local System |
| EST000148 | Point and Tag Identification | A Cyber Embedded Technique in which an adversary collects point and tag values to gain a more comprehensive understanding of the application's process environment. Points may be values such as inputs, memory locations, outputs, or other process-specific variables. Tags are the identifiers given to points for operator convenience. Collecting such tags provides valuable context to environmental points and enables an adversary to map inputs, outputs, and other values to their control processes. Understanding the points being collected may inform an adversary on which processes and values to keep track of over the course of an operation. |
| EST000149 | Data from Removable Media | A Cyber Embedded Technique in which an adversary collects sensitive data from removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Adversaries may search connected removable media on computers they have compromised to find files of interest. Interactive command shells may be in use, and common functionality within cmd may be used to gather information. Some adversaries may also use Automated Collection on removable media. |
| EST000150 | Data Staged | A Cyber Embedded Technique in which an adversary stages collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Data Compressed or Data Encrypted. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location. |
| EST000151 | Collection Input Capture | A Cyber Embedded Technique in which an adversary captures user input to obtain credentials for Valid Accounts and for information Collection. Methods of capturing user input include MCDU capture, keylogging, and user input field interception. |
| EST000152 | Screen Capture | A Cyber Embedded Technique in which an adversary captures the desktop screen to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Adversaries will also attempt to gather intelligence through the capturing of common HUDs and platform screens. The information given to operators is real time or close to real time and typically shows the region’s threats. |
| EST000153 | Video Capture | A Cyber Embedded Technique in which an adversary leverages a platform’s built-in cameras to capture video. Images may also be captured from devices or applications, potentially at specified intervals, in lieu of video files. |
| EST000154 | Access Stored Application Data | A Cyber Embedded Technique in which an adversary accesses and collects application data resident on the device. Adversaries often target popular applications such as Facebook, WeChat, and Gmail. This technique requires either escalated privileges or for the targeted app to have stored the data in an insecure manner (e.g., with insecure file permissions or in an insecure location such as an external storage directory). |
| EST000155 | Capture Camera | A Cyber Embedded Technique in which an adversary utilizes the camera to capture information about the user, their surroundings, or other physical identifiers. Adversaries may use the physical camera devices on a mobile device to capture images or video. By default, in Android and iOS, an application must request permission to access a camera device which is granted by the user through a request prompt. In Android, applications must hold the android.permission.CAMERA permission to access the camera. In iOS, applications must include the NSCameraUsageDescription key in the Info.plist file and must request access to the camera at runtime. |
| EST000156 | Network Information Discovery | A Cyber Embedded Technique in which an adversary uses device sensors to collect information about nearby networks, such as Wi-Fi and Bluetooth. |
| EST000157 | Collect IP Network Traffic | A Cyber Embedded Technique in which an adversary captures IP-based network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same. An adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection through exploiting a vulnerability in the device's VPN client functionality or by manipulating the device's proxy settings through exploiting a configuration flaw. For example, researchers have demonstrated the ability to redirect network traffic by installing a malicious iOS Configuration Profile through exploiting a loophole in the profile installation process. If applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture. However, even encrypted traffic can reveal valuable information about the device's communication patterns and destinations. Previously named: Network Traffic Capture |
| EST000158 | Detect Operating Mode | A Cyber Embedded Technique in which an adversary gathers information about the current operating state of the platform. Understanding the environment both at the system / sub-system layer as well as the platform layer is pivotal to understanding the timing of payload execution. It is not beneficial for an adversary to be discovered until they desire to have an impact. |
| EST000159 | Detect Program State | A Cyber Embedded Technique in which an adversary gathers information about the current program state of the platform. Understanding the environment at both the sub-system and sub-sub-system layers is pivotal to understanding the timing of payload execution. It is not beneficial for an adversary to be discovered until they desire to have an impact. |
| EST000160 | Program Upload | A Cyber Embedded Technique in which an adversary gathers information about the current operating state of the platform. Understanding the environment both at the system / sub-system layer as well as the platform layer is pivotal to understanding the timing of payload execution. It is not beneficial for an adversary to be discovered until they desire to have an impact. |
| EST000161 | Monitor Process State | A Cyber Embedded Technique in which an adversary gathers information about the current operating state of the platform. Understanding the environment both at the system / sub-system layer as well as the platform layer is pivotal to understanding the timing of payload execution. It is not beneficial for an adversary to be discovered until they desire to have an impact. |
| EST000162 | I/O Image | A Cyber Embedded Technique in which an adversary captures process image values related to the inputs and outputs of an embedded system. Within an embedded system, input and output states are stored in an I/O image. This image is used by the user program instead of directly interacting with physical I/O. |
| EST000163 | Location Identification | A Cyber Embedded Technique in which an adversary performs location identification using device data to inform operations and targeted impact for attacks. Location identification data can come in a number of forms, including geographic location, location relative to other control system devices, time zone, and current time. An adversary may use an embedded global positioning system (GPS) module in a device to figure out the physical coordinates of a device. NIST SP800-82 recommends that devices utilize GPS or another location-determining mechanism to attach appropriate timestamps to log entries. While this assists in logging and event tracking, an adversary could use the underlying positioning mechanism to determine the general location of a device. An adversary can also infer the physical location of serially connected devices by using serial connection enumeration. An adversary's attempt to attack and cause impact could potentially affect other control system devices in close proximity. Device local-time and time-zone settings can also provide adversaries with a rough indicator of device location when specific geographic identifiers cannot be determined from the system. |
| EST000164 | Collect Serial Bus Information | A Cyber Embedded Technique in which an adversary captures data transmitted on internal serial buses (e.g., CAN, I2C, SPI) with the specific goal of gathering sensitive or unusual information, such as Position, Navigation, and Timing (PNT) data, flight information, or other operational parameters. This information may be used to understand the platform's operation, identify vulnerabilities, or plan further attacks. The adversary analyzes the serial bus traffic to identify and extract these specific data elements. This technique differs from EST000157 Collect IP Network Traffic in that it focuses on capturing data transmitted on internal serial buses within the embedded system, rather than capturing IP-based network traffic to and from the device. While "Collect IP Network Traffic" targets communications external to the device or between applications using IP protocols, "Collect Serial Bus Information" focuses on the low-level communication between hardware components within the device itself. The data formats, protocols, and access methods are fundamentally different between these two techniques. |
| EST000165 | Intercept Sensor Data Prior to Processing | A Cyber Embedded Technique in which an adversary intercepts raw sensor data before it is processed by the embedded system. This involves capturing the analog or digital signals directly from the sensor before they are converted, filtered, or otherwise processed. This technique can be applied to various sensor types, including Radio Frequency (RF) receivers, Electro-Optical (EO) sensors, sonar systems, magnetometers, and other data inputs. Adversaries may seek to capture this raw data to compare it against processed data, analyze the sensor's characteristics, or gain insights into the system's operational environment. This information can improve intelligence concerning sensor effectiveness, system sensitivity, and other critical parameters that may be crucial in real-time operations. Previously named: Capture RF from Source Before Processing |