GCP bigquery.jobs.insert
Creates and submits a BigQuery job (query, load, export, or copy) that accesses or transforms data in BigQuery datasets.
Collection
Collection
Section titled “Collection”The adversary is trying to gather data of interest to their goal.
Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary’s objectives. Frequently, the next goal after collecting data is to either steal (exfiltrate) the data or to use the data to gain more information about the target environment. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.
In cloud environments, adversaries collect data from storage services (S3, Blob Storage, GCS), databases, and snapshots. They may create copies of EBS volumes or database snapshots, query data warehouses, or access logging buckets that contain sensitive operational data.
View Collection on MITRE ATT&CK →Events Related to Collection
Section titled “Events Related to Collection”GCP cloudsql.instances.export
Exports data from a Cloud SQL instance to a Cloud Storage bucket.
Azure CopyBlob
Copies a blob within or between Azure Storage accounts or containers.
AWS CopyObject
Copies an object from one S3 location to another, within or across buckets, optionally modifying metadata or encryption.
AWS CreateDBSnapshot
Creates a manual point-in-time snapshot of an RDS database instance for backup or recovery purposes.
AWS CreateImage
Creates an Amazon Machine Image (AMI) from a running or stopped EC2 instance, capturing its disk state for reuse.
AWS CreateInstanceExportTask
Exports an EC2 instance as a virtual machine image to an S3 bucket in a format such as OVF or VMDK.
AWS CreateSnapshot
Creates a point-in-time snapshot of an EBS volume, stored durably for backup or volume duplication.
AWS DeleteBucketPolicy
Removes the resource-based policy from an S3 bucket, reverting to default access controls.
AWS GetObject
Retrieves (downloads) an object from an S3 bucket; logged in CloudTrail only when S3 data events are enabled.
Azure Microsoft.Compute/disks/beginGetAccess/action
Generates a time-limited SAS URL to access or download the data of an Azure managed disk.
Azure Microsoft.Compute/snapshots/beginGetAccess/action
Generates a time-limited SAS URL to access or download the data from an Azure VM disk snapshot.
Azure Microsoft.Sql/servers/databases/export/action
Exports an Azure SQL Database to a BACPAC file stored in Azure Blob Storage.
AWS ModifyDBSnapshotAttribute
Modifies the attributes of an RDS DB snapshot, such as sharing it with other AWS accounts.
AWS ModifyImageAttribute
Modifies attributes of an AMI, such as making it public or sharing it with specific AWS accounts.
AWS ModifySnapshotAttribute
Modifies the permissions of an EBS snapshot, such as making it public or sharing it with specific AWS accounts.
AWS SharedSnapshotCopyInitiated
Records the start of a copy operation for an EBS snapshot shared from another AWS account.
AWS SharedSnapshotVolumeCreated
Records the creation of an EBS volume from a snapshot shared by another AWS account.
AWS StartExportTask
Starts an export of an RDS snapshot to Amazon S3 in Apache Parquet format for use in analytics.
GCP storage.setIamPermissions
Sets the IAM policy on a Cloud Storage bucket or object, controlling which principals can access it.