Collection techniques
The collection/* package tree groups local data-acquisition primitives
for post-exploitation: keystrokes, clipboard contents, screen captures.
Each sub-package is self-contained and Windows-only — pick the data source
the operator needs and import the matching package.
```mermaid
flowchart LR
    subgraph user [User session]
        KB[Keyboard input]
        CB[Clipboard]
        FB[Framebuffer]
    end
    subgraph collection [collection/*]
        K[keylog<br>WH_KEYBOARD_LL hook]
        C[clipboard<br>OpenClipboard + seq poll]
        S[screenshot<br>GDI BitBlt]
    end
    subgraph sink [Operator sink]
        OUT[stdout / file / C2 channel]
    end
    KB --> K
    CB --> C
    FB --> S
    K -. Ctrl+V .-> C
    K --> OUT
    C --> OUT
    S --> OUT
```
Where to start (novice path):
- clipboard: quietest collector. One-shot ReadText, or a Watch channel driven by polling the clipboard sequence number. Catches passwords pasted from password managers.
- screenshot: periodic visual capture. Useful for rich applications (banking, encrypted chat) where the actual data isn't accessible programmatically.
- keylog: last resort. Catches everything typed, but the WH_KEYBOARD_LL hook installed via SetWindowsHookEx is the textbook EDR signal. Use only when the other paths don't suffice.
Packages
| Package | Tech page | Detection | One-liner |
|---|---|---|---|
| collection/keylog | keylogging.md | noisy | low-level keyboard hook with per-event window/process attribution and Ctrl+V clipboard capture |
| collection/clipboard | clipboard.md | quiet | one-shot ReadText plus Watch channel driven by GetClipboardSequenceNumber polling |
| collection/screenshot | screenshot.md | quiet | GDI BitBlt → PNG; primary, arbitrary rectangle, or per-monitor capture |
Quick decision tree
| You want to… | Use |
|---|---|
| …record what the user types, with window context | keylog.Start |
| …also capture pasted credentials | keylog.Start — Ctrl+V auto-snapshots clipboard into the event |
| …read clipboard once (e.g. after runas) | clipboard.ReadText |
| …stream clipboard changes for a session | clipboard.Watch |
| …grab the primary monitor as PNG | screenshot.Capture |
| …enumerate monitors first, then capture one | screenshot.DisplayCount → CaptureDisplay |
| …crop to a specific UI region (e.g. an open RDP window) | screenshot.CaptureRect |
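The polling design behind clipboard.Watch, written out as an added example in portable Go (this is not the project's own code). The ClipboardBackend interface stands in for the two Windows calls the real collector would make, GetClipboardSequenceNumber and OpenClipboard/GetClipboardData, and fakeClipboard is constructed sample data so the example runs on any OS; every other name here is an assumption. The point it shows: the clipboard is only opened after the sequence number moves, so an idle watcher makes no clipboard calls at all, and contents that were already present when the watcher started are never replayed.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)

// ClipboardBackend is the OS surface the collector needs. A Windows backend would
// wrap GetClipboardSequenceNumber and OpenClipboard/GetClipboardData (assumed, not
// shown); fakeClipboard below stands in so this example runs on any OS.
type ClipboardBackend interface {
	SequenceNumber() uint32
	ReadText() (string, error)
}

// Change is one observed clipboard update.
type Change struct {
	Seq  uint32
	Text string
}

// Watch polls the sequence number every interval and emits a Change only when it
// moves. The clipboard is opened only after a change is seen, which is what keeps
// this path quiet: no hooks, no window messages, no constant OpenClipboard
// contention with the foreground application. The channel closes when ctx is done.
func Watch(ctx context.Context, b ClipboardBackend, interval time.Duration) <-chan Change {
	out := make(chan Change, 16)
	last := b.SequenceNumber() // baseline read synchronously: existing contents are never replayed
	go func() {
		defer close(out)
		t := time.NewTicker(interval)
		defer t.Stop()
		for {
			select {
			case <-ctx.Done():
				return
			case <-t.C:
			}
			seq := b.SequenceNumber()
			if seq == last {
				continue
			}
			last = seq // several copies between two ticks coalesce: only the newest text is read
			text, err := b.ReadText()
			if err != nil {
				continue // clipboard busy or non-text format; the next change retries
			}
			select {
			case out <- Change{Seq: seq, Text: text}:
			case <-ctx.Done():
				return
			}
		}
	}()
	return out
}

// fakeClipboard mimics the one Windows behaviour that matters here: the sequence
// number increments on every write, even when the same text is written twice.
type fakeClipboard struct {
	mu   sync.Mutex
	seq  uint32
	text string
}

func (f *fakeClipboard) Set(s string)              { f.mu.Lock(); defer f.mu.Unlock(); f.seq++; f.text = s }
func (f *fakeClipboard) SequenceNumber() uint32    { f.mu.Lock(); defer f.mu.Unlock(); return f.seq }
func (f *fakeClipboard) ReadText() (string, error) { f.mu.Lock(); defer f.mu.Unlock(); return f.text, nil }

// Demo drives the watcher with constructed sample data and returns, in order, the
// texts it reported.
func Demo() ([]string, error) {
	cb := &fakeClipboard{}
	cb.Set("copied before the collector started") // baseline: must not be reported
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()
	ch := Watch(ctx, cb, time.Millisecond)
	var got []string
	for _, s := range []string{"hunter2", "correct horse battery staple"} {
		cb.Set(s)
		select {
		case c := <-ch:
			got = append(got, c.Text)
		case <-time.After(2 * time.Second):
			return got, fmt.Errorf("no change reported for %q", s)
		}
	}
	return got, nil
}

func main() {
	got, err := Demo()
	fmt.Println(got, err)
}
```

Two choices worth noting. The baseline sequence number is read before the goroutine starts, so a change that lands between construction and the first tick is still caught rather than silently becoming the baseline. And a ReadText failure is dropped, not retried in a loop: on Windows OpenClipboard fails whenever another process holds the clipboard, and hammering it is exactly the contention that makes a collector visible to the foreground application.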
MITRE ATT&CK
| T-ID | Name | Packages | D3FEND counter |
|---|---|---|---|
| T1056.001 | Input Capture: Keylogging | collection/keylog | D3-PA |
| T1115 | Clipboard Data | collection/clipboard, collection/keylog (paste capture) | D3-PA |
| T1113 | Screen Capture | collection/screenshot | D3-PA |
Cross-referenced techniques
Two adjacent collection workflows live under sibling areas. They are listed here as a navigation convenience; their canonical homes are the packages that own them.
| Area concern | Tech page | Owning package |
|---|---|---|
| NTFS Alternate Data Streams (hide collected data in :stream suffixes) | alternate-data-streams.md | cleanup/ads |
| LSASS minidump (in-process MINIDUMP assembly via NtReadVirtualMemory) | lsass-dump.md | credentials/lsassdump |
> [!NOTE]
> Both pages will move to their owning areas in Phase 6 of the doc refactor (see .dev/refactor-2026/progress.md).
See also
- Operator path: post-exploitation collection
- Detection eng path: collection telemetry
- c2/transport: exfiltrate captured data over the established channel.
- crypto: encrypt collected blobs before staging or transmission.
- cleanup: wipe collection artefacts after exfiltration.