The MITRE ATT&CK Matrix has defined 17 techniques for the Collection category.
Adversary-in-the-Middle is when a threat actor redirects a target's traffic to a system the threat actor controls, so that data in transit can be collected before it is forwarded to its proper destination.
Archive Collected Data is when a threat actor compresses collected data before exfiltration.
Audio Capture is when a threat actor captures audio playing on the system. Alternatively, if the threat actor gains access to a microphone, they could then attempt to listen in on conversations.
Automated Collection is when a threat actor utilizes a tool that automatically collects data. Command and Control (C2) services usually provide such functionality.
Browser Session Hijacking is when a threat actor captures browser sessions for later use.
Clipboard Data is when a threat actor collects all data in the clipboard currently loaded in memory.
Data from Cloud Storage is when a threat actor gathers data stored on cloud platforms either directly or by abusing the functions of a compromised application.
Data from Information Repositories is when a threat actor compromises a repository to collect any information the threat actor deems worthy. GitHub is one example of a repository. SharePoint is an example of a different type of repository. Not all information repositories are about code; an information repository is simply a place where information is stored and updated.
Data from Configuration Repository is when a threat actor compromises a repository containing configurations for multiple services to steal a copy for further study of the internal network.
Data from Local System is when a threat actor collects data from a compromised system.
Data from Network Shared Drive is when a threat actor collects data from a compromised Network Share.
Data from Removable Media is when a threat actor collects data from removable media inserted into a compromised system.
Data Staged is when the threat actor takes all data from a compromised system and stores the data in a temporary location before data exfiltration.
Email Collection is when a threat actor gathers emails from a compromised account.
Input Capture is when a threat actor collects user input using techniques like keylogging or packet sniffing and stores it for further analysis.
Screen Capture is when a threat actor takes a screenshot of what is currently displayed. Alternatively, a threat actor can access a connected camera to take pictures of what is in front of it.
Video Capture is when a threat actor makes a video recording of what is currently displayed. Alternatively, they can compromise other devices such as webcams to get a video of the general area.