MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.


Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.

Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes.

ID: DTA0002


DTE0003 - API Monitoring Monitor local APIs that might be used by adversary tools and activity.
DTE0004 - Application Diversity Present the adversary with a variety of installed applications and services.
DTE0005 - Backup and Recovery Make copies of key system software, configuration, and data to enable rapid system restoration.
DTE0010 - Decoy Account Create an account that is used for active defense purposes.
DTE0011 - Decoy Content Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.
DTE0012 - Decoy Credentials Create user credentials that are used for active defense purposes.
DTE0014 - Decoy Network Create a target network with a set of target systems, for the purpose of active defense.
DTE0017 - Decoy System Configure a computing system to serve as an attack target or experimental environment.
DTE0018 - Detonate Malware Execute malware under controlled conditions to analyze its functionality.
DTE0019 - Email Manipulation Modify the flow or contents of email.
DTE0021 - Hunting Search for the presence of or information about an adversary, or your organization, its employees, infrastructure, etc.
DTE0025 - Network Diversity Use a diverse set of devices on the network to help establish the legitimacy of a decoy network.
DTE0027 - Network Monitoring Monitor network traffic in order to detect adversary activity.
DTE0028 - PCAP Collection Collect full network traffic for future research and analysis.
DTE0029 - Peripheral Management Manage peripheral devices used on systems within the network for active defense purposes.
DTE0031 - Protocol Decoder Use software designed to deobfuscate or decrypt adversary command and control (C2) or data exfiltration traffic.
DTE0032 - Security Controls Alter security controls to make the system more or less vulnerable to attack.
DTE0034 - System Activity Monitoring Collect system activity logs which can reveal adversary activity.
DTE0036 - Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.