# Collection techniques
The collection/* package tree groups local data-acquisition primitives
for post-exploitation: keystrokes, clipboard contents, screen captures.
Each sub-package is self-contained and Windows-only — pick the data source
the operator needs and import the matching package.
```mermaid
flowchart LR
    subgraph user [User session]
        KB[Keyboard input]
        CB[Clipboard]
        FB[Framebuffer]
    end
    subgraph collection [collection/*]
        K[keylog<br>WH_KEYBOARD_LL hook]
        C[clipboard<br>OpenClipboard + seq poll]
        S[screenshot<br>GDI BitBlt]
    end
    subgraph sink [Operator sink]
        OUT[stdout / file / C2 channel]
    end
    KB --> K
    CB --> C
    FB --> S
    K -. Ctrl+V .-> C
    K --> OUT
    C --> OUT
    S --> OUT
```
## Packages
| Package | Tech page | Detection | One-liner |
|---|---|---|---|
| collection/keylog | keylogging.md | noisy | low-level keyboard hook with per-event window/process attribution and Ctrl+V clipboard capture |
| collection/clipboard | clipboard.md | quiet | one-shot ReadText plus Watch channel driven by GetClipboardSequenceNumber polling |
| collection/screenshot | screenshot.md | quiet | GDI BitBlt → PNG; primary, arbitrary rectangle, or per-monitor capture |
## Quick decision tree
| You want to… | Use |
|---|---|
| …record what the user types, with window context | keylog.Start |
| …also capture pasted credentials | keylog.Start — Ctrl+V auto-snapshots clipboard into the event |
| …read clipboard once (e.g. after runas) | clipboard.ReadText |
| …stream clipboard changes for a session | clipboard.Watch |
| …grab the primary monitor as PNG | screenshot.Capture |
| …enumerate monitors first, then capture one | screenshot.DisplayCount → CaptureDisplay |
| …crop to a specific UI region (e.g. an open RDP window) | screenshot.CaptureRect |
## MITRE ATT&CK
| T-ID | Name | Packages | D3FEND counter |
|---|---|---|---|
| T1056.001 | Input Capture: Keylogging | collection/keylog | D3-PA |
| T1115 | Clipboard Data | collection/clipboard, collection/keylog (paste capture) | D3-PA |
| T1113 | Screen Capture | collection/screenshot | D3-PA |
## Cross-referenced techniques
Two adjacent collection workflows live under sibling areas. They are listed here as a navigation convenience; their canonical homes are the packages that own them.
| Area concern | Tech page | Owning package |
|---|---|---|
| NTFS Alternate Data Streams (hide collected data in :stream suffixes) | alternate-data-streams.md | cleanup/ads |
| LSASS minidump (in-process MINIDUMP assembly via NtReadVirtualMemory) | lsass-dump.md | credentials/lsassdump |
> [!NOTE]
> Both pages will move to their owning areas in Phase 6 of the doc refactor (see docs/refactor-2026-doc/progress.md).
## See also
- Operator path: post-exploitation collection
- Detection eng path: collection telemetry
- `c2/transport` — exfiltrate captured data over the established channel.
- `crypto` — encrypt collected blobs before staging or transmission.
- `cleanup` — wipe collection artefacts after exfiltration.